What am I infected with?
3 replies to this topic

#1 MartinV

  • Members
  • 6 posts

Posted 03 May 2010 - 10:34 AM

Running Windows XP Pro with all service packs and updates.

Had some problems a few days ago. Got infected with XP Defender and Antispyware XP. I have run Ad-Aware, SpywareBlaster, Spybot, CCleaner, Malwarebytes and HijackThis - most of these have been run several times. I think I've gotten rid of the infections and the computer seems to be running normally now, with a couple of significant exceptions.

Here are the issues I'd like some help with to fix:

1. A couple of minutes after a fresh boot-up, there is a period of all-consuming disk activity for about 5 minutes. The disk activity light is on solidly and no program can be started. Then, after this occurs, one of the svchost processes consumes 50% of the CPU time - constantly - it never changes. And, this all happens even if I boot into Safe Mode.

2. I'm getting redirected to advertising sites. This is happening in FF as well as IE. I installed AdBlocker in FF. That seems to have helped, but it still occasionally pops open another tab and loads some advertising stuff.

3. The one that has me most concerned is the inability to do a Windows Update. When I try to do this, I get a message (in the browser) that it can't find the update web site. I've even tried manually keying in the update site URL (in both IE and FF), but it still can't find the site (it says there is no connection to the internet).

I just ran "chkdsk c: /r" this morning but it reported no problems.

Help ?

#2 MartinV (Topic Starter)

  • Members
  • 6 posts

Posted 03 May 2010 - 01:29 PM

I've read several other posts here on this forum where some similar symptoms are being discussed. A couple of them have mentioned the "rootkit" virus.

I googled around and downloaded a couple of programs that claim to be able to "fix" this. I ran one of them - TDSSKiller from Kaspersky - and it said that a file named "iaStor.sys" was infected and that it would be fixed upon re-boot. I re-booted but still had exactly the same symptoms. I went through the process a 2nd time with exactly the same results.

I then downloaded and ran GMER.exe. It also reported that this same iaStor.exe file was infected. But, the GMER program was asking me to tell it what to do - with one of the choices being to delete the file. In my googling around I found reports that deleting this file led to a completely disabled computer. Since I don't want that, I did not allow GMER to do anything.

So, any guidance available here as to whether I can/should delete iaStor.exe?

It appears that iaStor has something to do with a RAID drive setup. The unit I'm having a problem with does NOT have a RAID drive setup (there's just a single, ordinary hard drive in it). Also, FWIW, I have two other very similar computers here that do NOT have iaStor.exe on them.

Thoughts?

Thanks.

#3 MartinV (Topic Starter)

  • Members
  • 6 posts

Posted 03 May 2010 - 05:42 PM

Some further digging into this indicates that this iaStor.exe file is, in fact, the hard disk device driver. If I go into the Device Manager and drill down to the hard drive, it shows this file and a bunch of information about it.

So, my question now is: should I "update" this file? The Device Manager screens have a button that supposedly will find any available update and install it. Do you think this would get rid of the infected file?

Any thoughts / recommendations?

#4 Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,994 posts
  • Location:Bloomington, IN

Posted 03 May 2010 - 09:06 PM

Hello,

No, don't "update" the driver which has been corrupted by the rootkit. You may create even more difficulties for yourself. Rootkits require specialized tools to remove. Please follow the instructions in ==>This Guide<== starting from step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<==. Please include the link to this topic in your new topic and a description of your computer issues.

If you can produce at least some of the logs, then please create the new topic. If you cannot produce any of the logs, then post back here and we will provide you with further instructions.

Orange Blossom :thumbsup:
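The moderator's point above is that a driver file a rootkit has patched should be examined and replaced with the proper tools, not "updated" in place through Device Manager. As an added example (not from this thread, and not a BleepingComputer or vendor tool), the following PowerShell script shows the check a practitioner would run first: does the live copy of the storage driver still carry a valid Authenticode signature, and do its bytes match a reference copy of the same file? The target name iaStor.sys comes from the thread; the paths under System32 (the drivers folder, the XP-era dllcache and the newer DriverStore) and the use of SHA-256 are assumptions for a default Windows install. Get-FileHash needs PowerShell 4 or later, so on an XP box use a clean machine or a WinPE boot against the suspect volume.

```powershell
# Added example, not code from the thread. Checks whether a storage driver on disk
# (iaStor.sys, as named in the thread) still verifies and matches a reference copy.
# A driver whose body has been patched fails signature verification and no longer
# hashes the same as a clean copy of the same version.
# Paths and the dllcache/DriverStore reference locations are assumptions.

$DriverName = 'iaStor.sys'
$LivePath   = Join-Path $env:SystemRoot "System32\drivers\$DriverName"

# Reference copies to compare against. dllcache holds protected-file backups on XP;
# the DriverStore holds installed driver packages on Vista and later. A copy of the
# same driver version taken from a known-clean machine works just as well.
$RefCandidates = @(
    (Join-Path $env:SystemRoot "System32\dllcache\$DriverName"),
    (Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository') `
        -Filter $DriverName -Recurse -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName)
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-DriverReport {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Version   = $item.VersionInfo.FileVersion
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status    # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$live = Get-DriverReport -Path $LivePath
$live | Format-List

# HashMismatch means the embedded signature no longer covers the bytes on disk.
# NotSigned alone is weaker evidence: some drivers are signed only via a catalog file.
if ($live.SigStatus -eq 'HashMismatch') {
    Write-Warning "$LivePath has been modified after signing; treat it as infected."
} elseif ($live.SigStatus -ne 'Valid') {
    Write-Warning "$LivePath does not verify ($($live.SigStatus)); compare against a clean copy."
}

foreach ($ref in $RefCandidates) {
    $r = Get-DriverReport -Path $ref
    if ($r.Version -ne $live.Version) {
        Write-Host "Skipping $ref (version $($r.Version) differs from live $($live.Version))"
        continue
    }
    if ($r.SHA256 -eq $live.SHA256) {
        Write-Host "Live driver matches reference copy $ref"
    } else {
        Write-Warning "Live driver differs from $ref (reference SigStatus: $($r.SigStatus))"
    }
}
```

One caveat matters more than the script itself: a kernel rootkit that sits in the disk I/O path can hand back clean bytes when the infected driver file is read from the running system, so a clean-looking result on the live machine proves little. Run the comparison from a trusted boot (WinPE or another clean Windows install) against the suspect volume, and let a dedicated rootkit remover handle the replacement, as the moderator advises.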