Thread: Warning while running DDS.com

  1. #11
    Junior Member
    Join Date
    May 2011
    Posts
    26

    tdsskiller

    Ran it. Went very quickly and said no problem...

    Here's log:
    2011/05/21 17:55:55.0014 4888 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
    2011/05/21 17:55:55.0467 4888 ================================================================================
    2011/05/21 17:55:55.0467 4888 SystemInfo:
    2011/05/21 17:55:55.0467 4888
    2011/05/21 17:55:55.0467 4888 OS Version: 5.1.2600 ServicePack: 3.0
    2011/05/21 17:55:55.0467 4888 Product type: Workstation
    2011/05/21 17:55:55.0467 4888 ComputerName: FINGERS
    2011/05/21 17:55:55.0467 4888 UserName: Don
    2011/05/21 17:55:55.0467 4888 Windows directory: C:\WINDOWS
    2011/05/21 17:55:55.0467 4888 System windows directory: C:\WINDOWS
    2011/05/21 17:55:55.0467 4888 Processor architecture: Intel x86
    2011/05/21 17:55:55.0467 4888 Number of processors: 2
    2011/05/21 17:55:55.0467 4888 Page size: 0x1000
    2011/05/21 17:55:55.0467 4888 Boot type: Normal boot
    2011/05/21 17:55:55.0467 4888 ================================================================================
    2011/05/21 17:55:55.0608 4888 Initialize success
    2011/05/21 17:56:08.0796 5960 ================================================================================
    2011/05/21 17:56:08.0796 5960 Scan started
    2011/05/21 17:56:08.0796 5960 Mode: Manual;
    2011/05/21 17:56:08.0796 5960 ================================================================================
    2011/05/21 17:56:10.0827 5960 ================================================================================
    2011/05/21 17:56:10.0827 5960 Scan finished
    2011/05/21 17:56:10.0827 5960 ================================================================================

  2. #12
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    OK, that's good news. HJT log looks OK. Have you tried updating Malwarebytes from within the software?
    How Can I Reduce My Risk?

  3. #13
    Junior Member
    Join Date
    May 2011
    Posts
    26

    Combo Fix and CA

    Hi,

    Downloaded ComboFix and read through the docs. Disabled CA and ran the program. The startup sequence didn't follow the descriptions exactly. First there was a small dialog with a progress bar for a few seconds, then a large dialog that listed 3 websites that do try to sell ComboFix and to try to get your money back if you bought it.

    Then it gives the disclaimer statement and says go ahead if you agree.

    I go ahead.

    Dialog pops up saying CA is installed and must be UNINSTALLED?

    Seems suspicious, but let me know.

  4. #14
    Junior Member
    Join Date
    May 2011
    Posts
    26

    Combofix v MalwareBytes v MultiByteToWideChar

    Overlapped messages, I guess. I'm still wondering about Combofix and CA uninstall. In the meantime, tried to update Malwarebytes from w/in program, got the same error as before. System call buffer too small.

    However, I just did some searches in FF via Yahoo and Google and clicked through to destination links with no redirect. Brief test, but it had been pretty consistent.

    There was another keyboard grab going on where any fairly long word containing the consecutive letters 'us' would end up with the 'us' being replaced by ' google'.
    Miscellaneous, for instance. And that didn't get hooked, so that's looking good. (It would do the substitution in displayed text (no input necessary) as well. Garbled stuff.) Not seeing any now.

    Let me know if I need to proceed with ComboFix, and about the request to uninstall CA.
    thanks

  5. #15
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Combofix will not run with certain AV installed. One is AVG. The AV sees some of the files as threats. Malwarebytes log looks pretty clean, HJT log looks OK, CA good and tdsskiller log is OK. As far as malware goes, everything looks good from what I have seen.

    For Malwarebytes I would try removing it via the add/remove programs panel, reboot your computer, then run this clean tool for MBAM. Download MBAM again and reinstall. You will have to allow outbound in your firewall for the .exe(s) to get it updated. I don't know if it's firewall related or your CA suite that's causing the updating problem. You could as an experiment disable them before updating MBAM; I wouldn't recommend it as a long-term solution though.

    You can uninstall CA via the add/remove programs panel, reboot and run combofix if you want to. Make sure you have any license key etc that may be needed to reinstall it back on to your machine.
    How Can I Reduce My Risk?

  6. #16
    Junior Member
    Join Date
    May 2011
    Posts
    26

    MBAM update error continues

    I did the uninstall, clean and reinstall for MBAM, and selected update and start from the confirmation dialog after install.
    "An error has occurred. Please report this error code to our support team.
    PROGRAM_ERROR_UPDATING(122,0,MultiByteToWideChar)
    The data area passed to a system call is too small"

    as before.

    I had had CA disabled for the most recent fix attempts, but enabled it again before trying the reinstall.

    I suppose I should report this to the MalwareBytes guys, since it asks me to.

    Advice?

  7. #17
    Junior Member
    Join Date
    May 2011
    Posts
    26

    search results still getting hijacked..

    Just been testing the browsing behavior that started this whole thing. Still happening. Google searches getting redirected to miscellaneous sites.

    I found a post in the google help search web forum about the redirect virus, including the post that led me to you guys initially. Someone in there also posted that they had gone through a series of fixes as well:
    "MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".

    Have you had success with anyone else getting rid of this?

    As of this point I haven't had any keystroke hijacking activity, but I'm getting a bit gun-shy of doing anything. I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it.

    Thanks.

  8. #18
    Emeritus
    Join Date
    Nov 2005
    Location
    @localhost
    Posts
    6,066


    Thanks for the info. Hold off on the MBAM problem for now; it may be malware related.
    "MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".
    True, you have a rootkit on board. Sometimes they can show in a DDS log, which you can't run. Combofix can remove some of them, but that won't run with your CA suite installed.
    Try running tdsskiller once more; also we will get another download to use:

    Please download aswMBR.exe to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan

    On completion of the scan click save log, save it to your desktop and post in your next reply. Click the exit button to exit.

    "I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it."
    Good. Also, when not in use make sure it has no connectivity. If you're not sure how to stop this then just power it off. Why? Rootkit technology can continue to use your connection easily without you noticing it, firewall or no firewall, browser running or not.
    How Can I Reduce My Risk?

  9. #19
    Junior Member
    Join Date
    May 2011
    Posts
    26

    Rootkit and Bootcamp

    One thing I've been worried about is if this thing can jump the bridge, so to speak, and infect the OS X side of my Mac, i.e., this is running in the XP side of my iMac. You probably know that already, but it's been worrying me a bit, and now that you say this thing can root around even if the firewall is there, I'm concerned it may be evil enough to worm its way through.

    I'm on the Mac side of the boot right now, but I'll head over to the XP side now to try the new fixes.

  10. #20
    Junior Member
    Join Date
    May 2011
    Posts
    26

    tdss or mbr first?

    I'm in the infected land again.

    I downloaded the aswMBR.exe, but haven't run it yet. From your message I wasn't sure whether you were saying to run tdsskiller again first.
