
Search engine redirects after virus removal


rstev3


  • Staff

Hiren site is up again, just tested it. :)

Or, you can use BartPE instead or Ultimate Boot CD:

http://www.nu2.nu/pebuilder/ <== bart PE

For BartPE, if you boot with it and get "The file iaStor.sys could not be found, press any key to continue":

If you use a DELL OEM CD, before you "burn" it, you must download and extract the "fix dell" plugin, http://www.nu2.nu/pebuilder/files/fixdellxp.cab, to the plugin folder, then find and select to add the "fix dell" plugin on the configuration menu in pebuilder. That is supposed to avoid that boot error.

http://www.ubcd4win.com/howto.htm <== Ultimate Boot CD

It works a bit the same as Hiren and also has a file manager.


  • Staff

So, you did this?

In the Hiren's Boot CD "Mini Windows XP":

1) Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

2) Rename it to IASTOR.SYS.BAD

3) Then copy the file from - C:\WINDOWS\IASTOR.SYS to C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

or you can also use the one from C:\drivers\storage\R130118\iastor.sys or C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys to copy to your C:\WINDOWS\SYSTEM32\DRIVERS folder.

When finished, restart the machine & boot back to your normal OS.

Let me know how that went.

If so, then run SystemLook again as you've done here:

http://www.malwarebytes.org/forums/index.p...st&p=163837

Then post the result of SystemLook in your next reply.

Btw, please save your Hiren's Boot CD somewhere so you can always use it for future problems :)


Mieke,

Yes, I completed those steps. Here is the new result:

SystemLook v1.0 by jpshortstuff (29.08.09)

Log created at 10:26 on 30/11/2009 by Bob (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A

C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5

C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A

C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

C:\WINDOWS\system32\drivers\iastor.sys --a--- 246784 bytes [09:32 30/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] 40B0DDEC8AA55004C92A20A20C03C410

C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A

-=End Of File=-

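Checking the listing above the way the staff reply does, as an added example that is not part of the thread or of SystemLook itself: the script parses the filefind lines posted above, compares every copy of the same size against a reference copy you name (the C:\i386 installation source is used here, which is my choice, not the thread's; pick the copy you trust), and carries out the three-step rename-and-copy procedure from the earlier staff post with a hash check before and after. Python is assumed because nothing on the page runs it; from Mini XP you would need a portable interpreter, or port the logic to a batch file. The order of SystemLook's two bracketed timestamps as [created] [modified] is an assumption about its output format.

```python
"""
Added example (not code from the thread): read SystemLook's filefind lines,
flag the copy of iaStor.sys whose MD5 disagrees with a trusted reference
copy, and carry out the rename-then-copy replacement from the staff reply
with a hash check before and after. The log text below is the listing
posted in the thread; replace_driver() touches disk only when you pass
real paths and dry_run=False.
"""
import hashlib
import os
import re
import shutil
from dataclasses import dataclass

# SystemLook "filefind" output as posted above (taken from the page).
SYSTEMLOOK_LOG = r"""
C:\drivers\storage\R130118\iastor.sys --a--- 246784 bytes [21:43 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
C:\i386\iaStor.sys --a--c 246784 bytes [16:32 01/07/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 484864 bytes [22:02 22/06/2007] [11:01 06/07/2006] 6A3C354BFC163B81F6EF2FC421280DB5
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [10:59 06/07/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\iastor.sys --a--- 246784 bytes [20:44 29/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\system32\drivers\iastor.sys --a--- 246784 bytes [09:32 30/11/2009] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 246784 bytes [21:43 22/06/2007] [10:59 06/07/2006] 40B0DDEC8AA55004C92A20A20C03C410
C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\iaStor.sys --a--- 246784 bytes [22:02 22/06/2007] [17:03 10/10/2006] 019CF5F31C67030841233C545A0E217A
"""

# One filefind line: path (may contain spaces), six attribute flags, size,
# two bracketed timestamps, MD5. Assumption: created is printed before modified.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>\S{6}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class DriverCopy:
    path: str
    size: int
    created: str
    modified: str
    md5: str


def parse_systemlook(text):
    """Return one DriverCopy per filefind line; any other line is ignored."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(DriverCopy(m["path"], int(m["size"]),
                                     m["created"], m["modified"], m["md5"].upper()))
    return copies


def find_outliers(copies, reference_path):
    """Copies that have the same size as the trusted reference copy but a
    different hash. Size alone would not catch the file in the log above:
    the .bad copy is exactly 246784 bytes like the clean ones. Copies of
    another size (the 64-bit Driver64 build) are a different binary and are
    skipped rather than reported. Paths compare case-insensitively, as on
    Windows."""
    ref = next((c for c in copies if c.path.lower() == reference_path.lower()), None)
    if ref is None:
        raise ValueError(f"reference copy {reference_path} is not in the listing")
    return [c for c in copies if c.size == ref.size and c.md5 != ref.md5]


def md5_of_file(path, chunk=1 << 20):
    """Uppercase MD5 of a file on disk, in SystemLook's notation."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def replace_driver(bad_path, good_path, expected_md5, dry_run=True):
    """Steps 1-3 of the manual procedure: confirm the source copy really has
    the expected hash, rename the suspect driver to *.bad (kept for upload),
    copy the known-good file into place, then re-hash what landed on disk."""
    if md5_of_file(good_path) != expected_md5.upper():
        raise ValueError(f"{good_path} does not have the expected hash; refusing to copy it")
    quarantined = bad_path + ".bad"
    if dry_run:
        return [f"rename {bad_path} -> {quarantined}", f"copy {good_path} -> {bad_path}"]
    os.rename(bad_path, quarantined)
    shutil.copy2(good_path, bad_path)  # copy2 also carries over the source timestamps
    if md5_of_file(bad_path) != expected_md5.upper():
        raise RuntimeError(f"{bad_path} does not match {expected_md5} after the copy")
    return [quarantined, bad_path]


if __name__ == "__main__":
    copies = parse_systemlook(SYSTEMLOOK_LOG)
    # The install source under C:\i386 is the trusted reference in this example.
    for c in find_outliers(copies, r"C:\i386\iaStor.sys"):
        print(f"hash mismatch: {c.path} size={c.size} md5={c.md5} modified={c.modified}")
```

Majority voting between copies was avoided on purpose: if more than one copy has been overwritten, the majority is the wrong reference, so name the source you trust (an install CD, the vendor's package, or a copy whose hash you have checked against the vendor) and compare everything else to it. Note also that timestamps do not settle the question: in the listing above the i386 copy and the .bad copy carry the same modified time yet hash differently, while several clean copies carry different timestamps and hash the same.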

  • Staff

Great! It's replaced correctly.

Can you upload me the file C:\WINDOWS\system32\drivers\iaStor.sys.bad (the bad one)

Upload it here: http://www.bleepingcomputer.com/submit-malware.php?channel=8

Then delete that bad one after you have uploaded it.

Then, I want you to clean your temp files, so no leftovers are present there as well (because that's where McAfee was flagging it previously).

We can do this with the Microsoft cleanup manager (cleanmgr), but I actually prefer CCleaner instead:

Download CCleaner

1. During the install uncheck to install the Yahoo Toolbar

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:

• Clean all entries in the "Internet Explorer" section except Cookies.

• Clean all the entries in the "Windows Explorer" section.

• Clean all entries in the "System" section.

• Clean all entries in the "Advanced" section.

• Clean any others that you choose.

In the Applications Tab:

• Clean all except cookies in the Firefox/Mozilla section if you use it.

• Clean all in the Opera section if you use it.

• Clean Sun Java in the Internet Section.

• Clean any others that you choose.

4. Click the "Run Cleaner" button.

5. A pop up box will appear advising this process will permanently delete files from your system.

6. Click "OK" and it will scan and clean your system.

7. Click "exit" when done.

Then reboot.

Let me know after reboot how things are now.


  • Staff
but how can we tell if we're finished?
I guess ComboFix never really replaced/restored the file previously, which explains why the problem came back. This also because we have used The Avenger to replace the file (which is as powerful as ComboFix) and it failed there as well. So that's why, since you have replaced the file manually, we now have a guarantee that it was done properly (no better guarantee than doing it manually :) ) and we've double-checked afterwards again, to make sure.

So yes, I guess we are done here now... :)
