[RESOLVED] Hijacked browser - Page 3

Thread: [RESOLVED] Hijacked browser

  1. #31
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    I hope we got the sucker...

    1. Please download The Avenger to your Desktop.
    • Right click on the Avenger.zip folder and select "Extract All..."
    • Follow the prompts and extract the Avenger folder to your desktop

    2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Code:
    Begin copying here:
    Files to move:
    C:\SwSetup\HDD\iastor.sys | C:\WINDOWS\System32\drivers\iaStor.sys

    3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

    • Right click on the window under Input script here:, and select Paste.
    • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
    • Click on Execute
    • Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also back up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please copy/paste the content of c:\avenger.txt into your reply

  2. #32
    Join Date
    Nov 2008
    Posts
    237
    Hopefully. Access denied! I also checked when the file was created, back in 2007, could that still be the virus?!


    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not move file "C:\SwSetup\HDD\iastor.sys"
    File move operation "C:\SwSetup\HDD\iastor.sys|C:\WINDOWS\System32\drivers\iaStor.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Completed script processing.

    *******************

    Finished! Terminate.

  3. #33
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    the file was created, back in 2007
    It doesn't matter. It was created back then, but modified recently.
    OTL couldn't obtain md5 for it either. I didn't notice that at first, only after GMER pointed to it.

    Re-run Avenger with a little bit different code:

    Code:
    Begin copying here:
    Files to move:
    C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys | C:\WINDOWS\System32\drivers\iaStor.sys

  4. #34
    Join Date
    Nov 2008
    Posts
    237
    hmmmm.

    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows Vista

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: could not move file "C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys"
    File move operation "C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys|C:\WINDOWS\System32\drivers\iaStor.sys" failed!
    Status: 0xc0000022 (STATUS_ACCESS_DENIED)


    Completed script processing.

    *******************

    Finished! Terminate.

  5. #35
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Try to run it again, but this time open The Avenger by right clicking on it and clicking on "Run As Administrator".

  6. #36
    Join Date
    Nov 2008
    Posts
    237
    Still getting the same thing :/

  7. #37
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    OK. Let's use something stronger....

    Please download OTM

    • Save it to your desktop.
    • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    Code:
    :Processes
    
    :Services
          
    :Reg
    
    :Files
    C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys|C:\WINDOWS\System32\drivers\iaStor.sys /replace
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTM and reboot your PC.

    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

  8. #38
    Join Date
    Nov 2008
    Posts
    237
    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    Unable to replace file: C:\WINDOWS\System32\DriverStore\FileRepository\iaahci.inf_3a63e5a6\iaStor.sys with C:\WINDOWS\System32\drivers\iaStor.sys without a reboot.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Mcx1
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Mcx2
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: User
    ->Temp folder emptied: 1718 bytes
    ->Temporary Internet Files folder emptied: 5158466 bytes
    ->Java cache emptied: 30735595 bytes
    ->FireFox cache emptied: 111740597 bytes
    ->Apple Safari cache emptied: 42749701 bytes
    ->Opera cache emptied: 378484 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 118936 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 182.00 mb


    OTM by OldTimer - Version 3.1.8.0 log created on 02082010_200910

    Files moved on Reboot...
    File C:\Windows\temp\_avast4_\Webshlock.txt not found!

    Registry entries deleted on Reboot...

  9. #39
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    It looks like it was moved on reboot.
    How is the redirection?
    Please give me a fresh GMER log.

  10. #40
    Join Date
    Nov 2008
    Posts
    237
    Still redirecting, will do so now!

  11. #41
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550

  12. #42
    Join Date
    Nov 2008
    Posts
    237
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-02-08 21:54:19
    Windows 6.0.6000
    Running: 6xe97uek.exe; Driver: C:\Users\User\AppData\Local\Temp\pxrdrpow.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x8D18714C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x8D18708C]
    SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x8D1870F0]

    ---- Kernel code sections - GMER 1.0.15 ----

    .rsrc C:\Windows\system32\DRIVERS\iaStor.sys entry point in ".rsrc" section [0x87BFD000]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00600002
    IAT C:\Windows\system32\services.exe[608] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00600000

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\iaStor \Device\Ide\iaStor0 [87B7D6C8] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [87B7D6C8] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 14422
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0x18 0x5A 0x48 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x42 0x18 0x5A 0x48 ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\DRIVERS\iaStor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----

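    The GMER line above reporting iaStor.sys with its "entry point in '.rsrc' section" is the telltale of a patched driver image, since a legitimate driver starts executing in a code section. The following Python check is an added example that is not part of this thread or of GMER: it parses the PE headers, finds the section that holds AddressOfEntryPoint, and flags an entry point that lands in .rsrc, in a section not marked as code, or outside every section. It assumes a standard PE32/PE32+ image read into memory and builds a constructed header (not the real iaStor.sys) to demonstrate the clean and the patched case.

```python
import struct

IMAGE_SCN_CNT_CODE = 0x00000020      # section contains executable code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is mapped executable

def entry_point_section(pe: bytes):
    """Return (name, characteristics) of the section containing
    AddressOfEntryPoint, or (None, 0) if it lies in no section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    # AddressOfEntryPoint sits at offset 16 of the optional header (PE32 and PE32+)
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]
    first = e_lfanew + 24 + opt_size
    for i in range(nsections):
        off = first + 40 * i                      # section headers are 40 bytes each
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        if vaddr <= entry < vaddr + vsize:
            return name, chars
    return None, 0

def entry_point_suspicious(pe: bytes) -> bool:
    """Flag an entry point outside any section, in a section that is not
    marked as code, or in a data section such as .rsrc (the GMER finding)."""
    name, chars = entry_point_section(pe)
    return name is None or not (chars & IMAGE_SCN_CNT_CODE) or name == ".rsrc"

def build_image(entry_rva: int) -> bytes:
    """Constructed PE32 header with a .text and a .rsrc section (no real code);
    only the fields the check reads are filled in."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    sect = "<8sIIIIIIHHI"
    text = struct.pack(sect, b".text", 0x1000, 0x1000, 0, 0, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    rsrc = struct.pack(sect, b".rsrc", 0x1000, 0x3000, 0, 0, 0, 0, 0, 0,
                       0x40000040)                        # initialized data, readable
    return bytes(dos) + b"PE\0\0" + file_hdr + opt + text + rsrc
```

    Feed it a driver read from disk with open(path, "rb").read(); running the same check on the DriverStore copy shows whether that copy is clean before it is used as a replacement.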
  13. #43
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    This is still no good.
    I'd like to see a fresh OTL log.

  14. #44
    Join Date
    Nov 2008
    Posts
    237
    Should I run it like I did before (copy and paste that text)?

  15. #45
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Like in my reply #27.
