INFECTED LAPTOP: Dell XPS 1330, running Vista Ultimate Business / Norton Internet Security (and AVG Antivirus Free).
WORKING LAPTOP: Acer 8204 WLMi, running XP Pro SP3 / AVG Antivirus Free.
Right... it all started yesterday after I plugged in an external drive. I don't think the drive is infected in any way since it is brand new. I had a browser open and I (actually not sure where I was) clicked on a "Vista" looking view of Windows Explorer. I thought it was Norton running a scan over the external drive, so I clicked on "Update".
Cutting a long story short, I ended up downloading a file to my computer. I scanned it via Norton Internet Security 2009 (useless), which found no viruses. It did warn me that not many Norton Community users had encountered this file, but I still ran it only to see it popup a DOS window and run the following two scripts before I could CTRL-C it:
I then started to receive Norton Firewall messages stating that "A recent attempt to attack your computer was blocked" (or similar message). On displaying the information, it was coming from "iexplore.exe" and sometimes "svchost.dll". I have done the following:
1. Run a virus check - Norton Internet Security 2009 - found nothing.
2. I'd used hijackThis several years ago on a friend's computer so installed that - saw nothing unusual.
3. Searched the internet and found references to "Combofix" and "OTL". I've since learned that I should have renamed these to something else before downloading. That's the problem with inconsistent or incomplete information. Doh!
4. Was advised by "Combofix" that I had a rootkit infection (iaStor.sys or was it iaStor.dll??) and that it would fix it at next boot - no luck.
5. I downloaded AVG and ran a full scan only to find I had an infected "C:\Windows\Explorer.EXE" and one in memory - unable to remove.
6. I booted in SAFE mode and found "iaStor.sys" and "iaStorV.sys". I deleted the "iaStor.sys" file and rebooted.
7. In SAFE mode again, I found that the file had returned. I ran AVG (command line) from SAFE mode, and it had to skip a locked "ts<something>.tmp" file in the "C:\Windows\System32\drivers" directory.
8. On closer inspection of the "ts*.tmp" file, it was owned by "TrustedInstaller", which had "Full Control". I changed the owner, then removed access to it.
9. On the next reboot, I deleted the "iaStor.sys" file and the "ts*.tmp" file.
* Drum roll *
10. Now when I boot, it flashes up a blue screen (for all options - including SAFE mode) and Windows fails. I selected the "don't reboot on error" option to read the message displayed, and it mentions that I may have a virus infection (duh!) and that I should run chkdsk /f.
11. I have created a "Boot disk" for Vista, so I can access the "C:\" partition ok. But chkdsk doesn't show anything unusual or report any disk issues.
I'm now using a backup laptop to access the web / webmail. I was contemplating rebuilding the Dell XPS, but I need to access all of my data before rebuilding.
Any assistance will be greatly appreciated. *sigh* - I thought I knew what I was doing... alas, these rootkit / malware coders are getting very sneaky!
Thank you, Pete.
Edited by Kootraw, 10 April 2010 - 10:06 PM.