Remote user has trojan/rootkit

I have a remote user that started complaining about a virus he obtained 2 weeks ago - McAfee would detect and erase a svchost.exe in a temporary folder but the issue would remain with constant pop-up alerts from McAfee re-detecting it.

I then told him to scan with SuperAntiSpyware and GMER - GMER apparently did find it - It was a hidden application (dragwait.exe) in a hidden folder, but the problem (or another) has since returned.

So with it besting an anti-virus/anti-spyware/anti-rootkit I think I'm left asking for help by a combo-fix scripter.  I have attached a log file from Hi-jack This (is this all that's required?)


1. Run GMER again and show us the log...
2. If it gives you a warning about rootkit activity and asks if you want to run a full scan, click NO, then use the following settings for a more complete scan.
3. In the right panel, you will see several boxes that have been checked.

Make sure that the "Sections" box is checked.
Ensure the following are UNCHECKED ...
 Drives/Partition other than Systemdrive (typically C:\)
 Show All (don't miss this one)

If you scan with ComboFix make sure its updated or download a fresh copy.
ComboFix terminates connection during the scan but resumes connection straight after. Attach the log. 
Fritch84 (Author) Commented:
I was hoping to grab your attention - please allow for some time while I contact him in a different timezone.  Thanks
What about using DrWeb live CD?

Mohammed Hamada, Senior IT Consultant, Commented:
Download OTL by OldTimer

OTL is a flexible, multipurpose, diagnostic, and malware removal tool. It also has some curative ability.

Once downloaded, Place OTL to desktop and run it from there, Make sure you select "Scan All Users" on middle top of the Program's UI then Click Run Scan.

When done 2 logs will be generated, Please attach them both here.

Thomas Zucker-Scharff, Solution Guide, Commented:
The McAfee false positive problem was a week and a half ago (approx) and it did delete svchost.exe.
Fritch84 (Author) Commented:

I asked him to do as you requested but he failed to attach the logfile (I've asked him again for it) - I have copied his email response below though in hopes that it will shed more light on the problem;

"Running GMER I found it said;

Windows\system32\drivers\iastor.sys – suspicious modification.

I believe this is the virus file. I have a good copy of this file in the windows.old directory. I tried to rename/delete the file but it automatically adds the file back when I do this, even in safe mode. I even tried using Autoruns to stop this driver from loading in the first place, but then Windows won't start, again even in safe mode.

Tomorrow I will try to start the computer from the startup disk and hopefully then I can replace the virus file with the good copy.  If you have any other suggestions let me know."

Is iastor.sys the only file that GMER finds as having "suspicious modification"?
Is there any line under "Kernel code sections" which says "entry point in..."?
Usually GMER also flags a driver that's only patched in memory and not the physical file... but if that is the only file it flags, then replace that file.

It's active in safe mode also, but you should be able to replace it via the Recovery Console.

Does the user have ComboFix installed? ComboFix can fix it too using its script function, which is easier.

It would be nice to see the whole GMER log.
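Before replacing a driver on the strength of one scanner's verdict, it is worth checking the file directly. The script below is an added example written for this thread, not something posted by any participant: it verifies the Authenticode signature of the files named in the discussion, compares each against the copy under windows.old, looks for stray svchost.exe copies under \Windows\Temp (where the McAfee detections pointed), and reports which iastor.sys image the kernel actually loaded. It assumes it runs as Administrator on the affected machine, that the known-good copy lives in C:\windows.old\Windows, and that Get-FileHash is available (PowerShell 4 or later; on an older Vista install substitute `certutil -hashfile <file> SHA256`).

```powershell
# Added example, not from the original thread.
# Assumptions: run as Administrator; known-good copy under C:\windows.old\Windows;
# PowerShell 4+ for Get-FileHash (older systems: certutil -hashfile <file> SHA256).

$systemRoot = $env:SystemRoot            # normally C:\Windows
$knownGood  = 'C:\windows.old\Windows'   # assumed location of the pre-upgrade copy

# Files named in the thread. svchost.exe is included because a copy of it
# outside System32 (e.g. under \Windows\Temp) is itself suspicious.
$candidates = @(
    'system32\drivers\iastor.sys',
    'explorer.exe',
    'system32\autochk.exe',
    'system32\svchost.exe'
)

function Test-SystemFile {
    param([string]$Relative)

    $live = Join-Path $systemRoot $Relative
    $ref  = Join-Path $knownGood  $Relative

    if (-not (Test-Path $live)) {
        return [pscustomobject]@{ File = $Relative; Signer = ''; Version = ''; Status = 'MISSING' }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $live
    $hash    = (Get-FileHash -Path $live -Algorithm SHA256).Hash
    $refHash = if (Test-Path $ref) { (Get-FileHash -Path $ref -Algorithm SHA256).Hash } else { $null }

    # A kernel driver or core Windows binary should carry a valid signature.
    # HashMismatch means the file was altered after signing, which is what
    # GMER's "suspicious modification" implies for the on-disk file.
    $status = switch ($sig.Status) {
        'Valid'        { 'signature OK' }
        'HashMismatch' { 'TAMPERED (contents no longer match signature)' }
        'NotSigned'    { 'UNSIGNED' }
        default        { "signature: $($sig.Status)" }
    }
    # A hash difference from windows.old may only be a version difference;
    # compare the Version column before treating it as evidence of patching.
    if ($refHash -and $refHash -ne $hash) { $status += '; differs from windows.old copy' }

    [pscustomobject]@{
        File    = $Relative
        Signer  = $sig.SignerCertificate.Subject
        Version = (Get-Item $live).VersionInfo.FileVersion
        Status  = $status
    }
}

$candidates | ForEach-Object { Test-SystemFile $_ } | Format-Table -AutoSize

# Stray svchost.exe copies under \Windows\Temp (the McAfee alerts pointed at
# C:\Windows\Temp\*.tmp\svchost.exe). A legitimate svchost.exe lives in System32 only.
Get-ChildItem -Path (Join-Path $systemRoot 'Temp') -Filter svchost.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# Which iastor.sys did the kernel load, and from where? If the driver is only
# patched in memory, the on-disk checks above can pass while the loaded image is
# still hooked, which is why the full GMER log (kernel code sections) is needed.
Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.PathName -match 'iastor' } |
    Select-Object Name, PathName, State, StartMode
```

Two caveats: a rootkit that hooks the file system can serve a clean copy of the file to user-mode tools, so a "signature OK" result from inside the infected Windows is not conclusive; running the same hash comparison from a boot CD or the Recovery Console removes that doubt. And `iastor.sys` is a boot-critical storage driver on Intel RAID/AHCI systems, which is why disabling it in Autoruns left the machine unbootable; replace it with a copy of the same version rather than disabling it.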
Fritch84 (Author) Commented:
I would assume so, as he appears so sure that it's the culprit; surely he would mention another 'suspicious modification' result. Nevertheless I've asked him to attach the log, but am now fearful that he won't, as he seems like the user that wants to 'do it all themselves'. I hope to hear from him soon.
Fritch84 (Author) Commented:
I'm sorry, he's complaining that GMER keeps crashing and he can't post the logs. If it is just that one file, could you please assist with the appropriate ComboFix script to restore a safe version?
If GMER hangs, tell him to uncheck the "Files" box in GMER; that often works.

If GMER still hangs,
let him download and run ComboFix, as it is not advisable to use a CFScript as a frontliner when we have no idea what other infections are present in the system.
I'll post the script once he's done the initial ComboFix run.
It would be great if he can give you the ComboFix.txt.
Fritch84 (Author) Commented:
OK - I've asked him to do so. Unfortunately he's busy at the moment and there's little computer redundancy (none), so he needs to use it for work (it is isolated though), so there will be a delay for unattended scan results.

There are few symptoms to speak of - McAfee gives him a prompt every 5 minutes that it's found a new virus pointing to a C:\windows\temp\***.tmp\ location of a svchost.exe file, and that's all he notices. It identifies it as a 'Downloader-CHF' virus, which was added to the McAfee database on April 10th 2010. He's tried running CCleaner on his temporary files as well.
Fritch84 (Author) Commented:
Attached GMER log - doesn't appear to show much? He assures me that all the things requested were checked/unchecked.
In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at anytime: 
What I like is that there are just some pesky items that can't be removed while in Windows. I run from a bootable source first, then go into Windows and see what's left over and then deal with it after. The bootable CD sometimes will take care of 80-100% of the infected items; making it that much easier. Best of luck to you.
Thanks for the GMER log... not what I was expecting to show up in the log; I was expecting other entries there.
I'm not so sure that the iastor.sys file is patched; it may be just patched in memory.
Try running ComboFix and we'll see what shows in the log....
I think what tzucker suggested (McAfee false positive) might be the culprit here... check out his link.
If not the McAfee issue, then we can replace that iastor.sys file; it can't hurt... but I really doubt iastor.sys needs replacing (but I could be wrong).
Fritch84 (Author) Commented:
Thanks, I had considered that (the McAfee issue), but he's running Vista Pro and I think the problem started before that outbreak, which I should have mentioned earlier.

I will ask him to run the combofix scan on Monday.  
After he runs ComboFix we can use it to replace that iastor.sys file, infected or not.

Also ask him to run OTL as moh10ly suggested, but use a custom scan to scan more locations in particular. OTL is a diagnostic scanner; it won't delete anything without a script.

Download OTL to your Desktop
• Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.

• Under the "Custom Scan" box paste the text below in:
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /90

• Click the Quick Scan button. Do not change any settings.
The scan won't take long.
• When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Fritch84 (Author) Commented:
Sorry for the delay - attached OTL logs below.
I just had a quick glance at the OTL log and it also flagged iastor.sys, so it might really be patched; we'll see.
If it is, then ComboFix should be able to fix it.

Has he run comboFix already?
Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:


3. Save the above as CFScript.txt in the same location as Combofix.exe.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.
I'll review the log more thoroughly when I come back, sorry.

Fritch84 (Author) Commented:
Thanks so much for your help :)
No worries, :)

How's the pc going?
Fritch84 (Author) Commented:
Yeah, great - I received an email from him with big bold lettering with the word 'SUCCESS', so it looks to be running fine for him. I've attached the log - it looks like it found many things that the OTL scan didn't pick up, as well as Malwarebytes and GMER.

That sounds great.
Thanks for the log.

Yes, ComboFix is an excellent tool. In this case it found and disinfected/replaced 3 patched files (iastor.sys, explorer.exe and autochk.exe).
This is the worst I've seen so far, having 3 patched files; usually there is only one.

If everything's okay now, ask him to uninstall ComboFix.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall

Or simply rename ComboFix.exe to Uninstall.exe and double click it.

Thank you for using Experts-Exchange!