Page 3 of 6 FirstFirst 123456 LastLast
Results 21 to 30 of 53

Thread: Infected with malware, IE redirect - DDS hangs system

  1. #21
    Member
    Join Date
    Feb 2012
    Posts
    37

    Default

    ken545,

    Very happy to report that the offline dump of my infected MBR was successful. Finally! Feels good to be making some progress. Attached is the mbr.zip for your review. (Sent from uninfected machine.)

    Many thanks!!
    Jess

  2. #22
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Jess,

    Just looking at the dump file now, it basically looks ok , I do see a hidden partition but that could have been put there by your manufacturer. This looks like a Dell computer

    I have sent that dump file up to VirusTotal to be analysed and it came back as ok.

    I want to have someone else take another look, be back in a bit
    Last edited by ken545; 2012-02-11 at 13:16.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  3. #23
    Member
    Join Date
    Feb 2012
    Posts
    37

    Default

    ken545,
    Yes, it is a Dell computer.
    Thanks for all your efforts on this unusual problem.
    Jess

  4. #24
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Jess,

    This is what we are up against, malware has installed an infected hidden partition within your Master Boot Record and set that partition as active so everytime you boot up your system it boots from the infected partition and the malware is activated.

    aswMBR has been updated to remove the rogue partition, lets give it more more shot , hang on to your usb drive with xPud as if aswMBR wont run than we will need it, first drag aswMBR that you have on your desktop to the trash and download a fresh new copy, when you run it let it update if it asks


    Download aswMBR.exe ( 511KB ) to your desktop.

    Double click the aswMBR.exe to run it

    Click the "Scan" button to start scan


    On completion of the scan click save log, save it to your desktop and post in your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  5. #25
    Member
    Join Date
    Feb 2012
    Posts
    37

    Default

    ken545,

    aswMBR.exe did not run. It did nothing. (I had made sure all monitoring software was turn off.) Double-clicked a second time, nothing.
    Just to make sure, I repeated the procedure with trashing the old, downloading a fresh copy of the new, made sure the monitoring software was off and nothing again.

    Seems this malware really has control over my machine.

    What is the next step in ousting this hostile takeover?

    Thanks much,
    Jess

  6. #26
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Jess,

    Go to Start > Control Panel> Admistrative Tools> Computer Management > Disk Management, expand the picture , then press ALT. . . .PrtScr ( Print screen ) and paste it into a picture editor ( Paint would do fine ) name the file DiskMange and save the file to your desktop and then attach it to your next reply
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  7. #27
    Member
    Join Date
    Feb 2012
    Posts
    37

    Default

    ken545,
    Here is the screen print of the disk management.
    Thanks,
    Jess

  8. #28
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You may want to print this out so you can follow along.

    • Download tdl_fix.sh and save it to the xPUD flash drive.
    • Boot into xPUD then click the File tab.
    • Press File
    • Expand mnt
    • Click on the folder under mnt that represents your USB drive (sdb1 ?)
    • You should see the tdl_fix.sh file in the main window.
    • Select Tool from the Menu
    • Choose Open Terminal
    • Type bash tdl_fix.sh then press Enter.
    • Read the warning then type y and press Enter to continue.
    • Type sda then press Enter when prompted.
    • You will be shown a list of partitions to choose marking active.
    • Type 2 then press Enter.
    • If you are presented with a warning about no bootloader files, type n then press Enter to choose another. If this happens, type 2 to select partition 2 then press Enter.
    • When you receive no warning about bootloader files but are presented with another view of the partition structure and asked if it looks correct, type y then press Enter.
    • The script will complete and prompt you to reboot the computer.
    • Close the Terminal window and restart back into Windows.
    • Post the contents of the tdl_fix.txt file that was created on your flash drive and let me know how the computer is behaving.


    Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

    bash tdl_fix.sh -restore

    Make sure to leave a space to either side of tdl_fix.sh in the command.
    This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
    Ok the procedure then restart when complete.
    This is a backup of the original mbr and will restore it to it's current state.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #29
    Member
    Join Date
    Feb 2012
    Posts
    37

    Default

    ken545,

    The program worked on the first attempt. The first time through it came back with "Does this look correct?" for the partition. It quickly completed with no issues. I rebooted normally into Windows. The machine is not longer running sluggish. I didn't realize how slow it had become. (Seems like I just upgraded!) I tried the dreaded IE search for "system restore" which was causing the original redirect. It worked!! I was able to navigate through the search results and back with no problems. I also tried other similar "restore" searches with no issues. It seems to be working as it should be.

    Here is the txt file from the program run.

    Is the machine now clean? Do you know what are the security concerns and ramifications from this malware would be?

    I am deeply grateful for your assistance with this problem. I know it is not easy trying to debug from remote control.

    Jess

  10. #30
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    One more step Jess, what we have done was to set the legit partition as active but the rogue partition is still there, just run this and it will remove the bad partition.




    • Boot into xPUD then click the File tab.
    • Press File
    • Expand mnt
    • Click on the folder under mnt that represents your USB drive (sdb1 ?)
    • You should see the tdl_fix.sh file in the main window.
    • Select Tool from the Menu
    • Choose Open Terminal
    • Type bash tdl_fix.sh -delete then press Enter.
    • ** Make sure to leave a space to either side of tdl_fix.sh in the command.
    • You should be notified of a hidden partition found and prompted to delete it.
    • Type y then press Enter.
    • The script will complete and prompt you to reboot the computer.
    • Close the Terminal window and restart back into Windows.
    • Post the contents of the tdl_delete.txt file that was created on your flash drive.


    Note - in the event there is a problem booting the computer normally after running the script, run the tdl_fix.sh script again using the following command.

    bash tdl_fix.sh -restore

    Make sure to leave a space to either side of tdl_fix.sh in the command.
    This will prompt you to use the file tdl_mbr_sda.bin on drive sda.
    Ok the procedure then restart when complete.





    Then go to Disk Management once more and attach a new screenshot
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •