Was infected with Agent_r.CS, had a play, now can't boot...


  • Please log in to reply
2 replies to this topic

#1 Kootraw

Posted 10 April 2010 - 06:05 PM

Hi Forum,

INFECTED LAPTOP: Dell XPS 1330, running Vista Ultimate Business / Norton Internet Security (and AVG Antivirus Free).
WORKING LAPTOP: Acer 8204 WLMi, running XP Pro SP3 / AVG Antivirus Free.

Right... it all started yesterday after I plugged in an external drive. I don't think the drive is infected in any way since it is brand new. I had a browser open and I (actually not sure where I was) clicked on a "Vista" looking view of Windows Explorer. I thought it was Norton running a scan over the external drive, so I clicked on "Update".

Cutting a long story short, I ended up downloading a file to my computer. I scanned it via Norton Internet Security 2009 (useless), which found no viruses. It did warn me that not many Norton Community users had encountered this file, but I still ran it only to see it pop up a DOS window and run the following two scripts before I could CTRL-C it:
1. dialer.exe
2. cleaner.exe

I then started to receive Norton Firewall messages stating that "A recent attempt to attack your computer was blocked" (or similar message). On displaying the information, it was coming from "iexplore.exe" and sometimes "svchost.dll". I have done the following:
1. Run a virus check - Norton Internet Security 2009 - found nothing.
2. I'd used hijackThis several years ago on a friend's computer so installed that - saw nothing unusual.
3. Searched the internet and found references to "Combofix" and "OTL". I've since learned that I should have renamed these to something else before downloading. That's the problem with inconsistent or incomplete information. Doh!
4. Was advised by "Combofix" that I had a rootkit infection (iaStor.sys or was it iaStor.dll??) and that it would fix it at next boot - no luck.
5. I downloaded AVG and ran a full scan only to find I had an infected "C:\Windows\Explorer.EXE" and one in memory - unable to remove.
6. I booted in SAFE mode and found "iaStor.sys" and "iaStorV.sys". I deleted the "iaStor.sys" file and rebooted.
7. In SAFE mode again, I found that the file had returned. I ran AVG (command line) from SAFE mode, and it had to skip a locked file "ts<something>.tmp" file in the "C:\Windows\System32\drivers" directory.
8. On closer inspection of the "ts*.tmp" file, it was owned by "TrustedInstaller", which had "Full Control". I changed the owner, then removed access to it.
9. On the next reboot, I deleted the "iaStor.sys" file and the "ts*.tmp" file.

* Drum roll *
10. Now when I boot, it flashes up a blue screen (for all options - including SAFE mode) and Windows fails. I selected the "don't reboot on error" option to read the message displayed, and it mentions that I may have a virus infection (duh!) and that I should run chkdsk /f.
11. I have created a "Boot disk" for Vista, so I can access the "C:\" partition ok. But chkdsk doesn't show anything unusual or report any disk issues.

I'm now using a backup laptop to access the web / webmail. I was contemplating rebuilding the Dell XPS, but I need to access all of my data before rebuilding.

Any assistance will be greatly appreciated. *sigh* - I thought I knew what I was doing... alas, these rootkit / malware coders are getting very sneaky!

Thank you, Pete.

Edited by Kootraw, 10 April 2010 - 10:06 PM.
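For readers triaging a similar situation, the following PowerShell script is an added example written for this page; it is not Pete's code, the forum's, or part of any tool named in the thread. It does the read-only part of what the post did by hand: it lists stray *.tmp files in the drivers directory together with their owner, checks the embedded Authenticode signature of every .sys file there, and shows which boot-start drivers are currently running, so that a driver such as iaStor.sys (Intel's storage-controller driver, which the system needs to mount its boot volume) is identified before anyone deletes it. The directory path, PowerShell 3 or later, and an elevated prompt are assumptions. One caveat: Get-AuthenticodeSignature checks only embedded signatures, so Windows inbox drivers signed through catalog files report NotSigned; a HashMismatch on a vendor-signed third-party driver, or a file timestamp that does not match its neighbours, is the stronger signal.

```powershell
# Added example (not from the thread): read-only triage of the drivers directory.
# Assumptions: elevated PowerShell 3+ on the affected Windows installation, or
# -DriverDir pointed at the offline volume mounted from a boot disk
# (e.g. 'D:\Windows\System32\drivers'). Nothing here deletes or modifies a file.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

# 1. Stray *.tmp files in the drivers directory. The post reports a locked
#    "ts*.tmp" there; a finished driver install does not leave such files behind.
$tmpFiles = Get-ChildItem -Path $DriverDir -Filter '*.tmp' -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Path    = $_.FullName
            Size    = $_.Length
            Created = $_.CreationTime
            Owner   = (Get-Acl -Path $_.FullName).Owner
        }
    }

# 2. Embedded Authenticode status of every .sys file. A vendor driver such as
#    iaStor.sys ships signed; a patched copy fails with 'HashMismatch'.
#    Catalog-signed inbox drivers legitimately show 'NotSigned' here, so read
#    the Signer and Modified columns before drawing a conclusion. Record only;
#    deleting the boot storage driver is what leaves the machine unbootable.
$badSigs = Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name     = $_.Name
            Status   = $sig.Status
            Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Modified = $_.LastWriteTime
        }
    } |
    Where-Object { $_.Status -ne 'Valid' }

# 3. Boot- and system-start drivers that are running right now (live system
#    only; skipped when pointed at an offline volume). Cross-check any file
#    you intend to touch against this list first.
$bootDrivers = @()
if ($DriverDir -like "$env:SystemRoot*") {
    $bootDrivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { (@('Boot', 'System') -contains $_.StartMode) -and $_.State -eq 'Running' } |
        Select-Object Name, PathName, StartMode
}

# Report
'== *.tmp files in drivers directory ==';                 $tmpFiles    | Format-Table -AutoSize
'== .sys files whose embedded signature is not Valid =='; $badSigs     | Format-Table -AutoSize
'== Boot/system-start drivers currently running ==';       $bootDrivers | Format-Table -AutoSize
```

Run it before any cleanup tool and keep the output; if a flagged .sys file also appears in the running boot-driver list, the safe sequence is to restore a known-good copy (from the vendor installer or a restore point) rather than delete it, which is the lesson of steps 9 and 10 above.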



#2 Kootraw

Posted 10 April 2010 - 06:19 PM

I've noticed that this has been posted in the wrong forum - Vista rather than virus related - but I can't seem to find a way of "Moving" the thread. Should I re-post or wait? I think I'll wait... sorry.

Pete.

EDIT: Moved to more appropriate forum (Am I Infected) ~ Hamluis.

Edited by hamluis, 10 April 2010 - 07:43 PM.


#3 Kootraw

Posted 11 April 2010 - 05:53 PM

Resolved. Not sure which option worked, but I'd highly recommend using the "Windows Restore Point":
1. I booted using the Vista Boot Disk and ran "bootrec.exe", which rewrote the MBR.
2. Restored to a known good state (Restore Point)

Seems fine, but I'm still going to back up all of my data and replace Vista with XP - too many compatibility issues with Vista and it won't run some software (it is a client desktop O/S not a server O/S).

Pete.
