View Full Version : Warning while running DDS.com
Skipperme
2011-05-13, 07:07
I'm running XP Pro on the Windows Bootcamp partition of my iMac. Having virus trouble, that's why I'm here..
Following your instructions, I'm running DDS.com, after doing the ERUNT reg backup, and I have CA Internet Security Suite running, configured to fire alerts when "attempts to access monitored items are detected", which I believe is the case here.
I get this alert
"1 Program has been blocked"
C:\Documents and Settings\MyName\Local Settings\Temp\2f.tmp\MBR.D AT
Wants access to:
HKLM\System\CurrentControlSet\Services\mbr.
Is this DDS asking for something, or bad guys?
http://forums.spybot.info/showthread.php?p=404221#post404221
shelf life
2011-05-18, 02:33
hi Skipperme,
Try disabling CA Internet Security Suite first and any other "anti this or that" you may have running then run DDS. After you get a DDS log, reboot machine to start your CA Suite back up.
Skipperme
2011-05-18, 05:42
Hi, I just recently posted in the Waiting Room because of the 4 day wait and gave the sequence of actions I went through after I posted about the Filter warning you are responding to. I did disable the CA stuff, then tried 3 more times through the ERUNT/DDS sequence. Didn't get anymore warnings, but each time DDS died before it completed, completely killing the machine. No mouse or keyboard response, had to hard reboot. So I haven't gotten a DDS dump yet and await word on much more frigged up things are when DDS won't even run...
I don't want to get too confused with posts all over the place, so let me know what to expect next. As I said, the latest info (basically what I said here) is also in a post in the Waiting Room.
Thanks.
----------------------------
Edit
Please post to shelf life in this topic.
shelf life
2011-05-19, 03:10
Ive never had DDS not be able to produce a log but that dosnt mean its malware related. Do you have Malwarebytes installed? if not:
Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
You could also try running DDS in safe mode. After a reboot and before Windows starts, tap the f8 key and from the list chose the first option: safe mode, log into your usual account, once at the safe mode desktop try running DDS.
Is CA telling you you have a virus or are you experiencing any signs (http://www.malwarevault.com/signs.html) of malware?
Skipperme
2011-05-19, 23:48
Did a scan with CA first, got nothing.
While downloading or installing MWB (don't remember which...)
Got a CA notification badge popup intrusion warning for "daily drivers update" wanting access. I checked the CA logs and they had trapped some, but not all of some hits from update-drivers.in(80,87,199,48) and some from ebay.com (66.135.200.181) ??
Earlier in the list were about 5 malwarebytes accesses that were all blocked..
dunno what that is, but if it helps..
so,
installed Malwarebytes
When I ran it, I immediately got an error message dlg with the error
PROGRAM_ERROR_UPDATING(122,0,MultiByteToWideChar) data buffer too small for system call " paraphrased..
The update dialog had already shown, and this popped up in front.
clicked okay, the update dialog failed, another malware dlg popped saying things were out of date by 140 days, update?, to which I said yes and got the same error dialog box.
Dismissed that one and the MWB UI came up.
Ran the scan, got 2 infections.
Here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5363
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/19/2011 4:18:46 PM
mbam-log-2011-05-19 (16-18-46).txt
Scan type: Full scan (C:\|)
Objects scanned: 245806
Time elapsed: 54 minute(s), 45 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\system volume information\_restore{9d7957d3-95e5-42ab-b935-ca291739717a}\RP9\A0004710.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\documents and settings\Don\local settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Didn't run DDS yet.
Let me know..
Thanks.
shelf life
2011-05-20, 03:38
If malwarebytes is out of date by 140 days it wont do you a whole lot of good.Sometimes malware can cause these type of problems. Can you successfully update your CA suite and any other software you have installed? Can you get to certain websites ok, try going to Windows Update or Avast, AVG etc.
There is a current data base you can manually download and install to MBAM here (http://malwarebytes.gt500.org/)
Those other messages must be from your CA suite's firewall. You would have to give MBAM the ok to "go out" and get the updates if that whats the prompts are about.
The MBAM log is really of little help being so outdated. See if you can post a traditional HJT log so we have something to go on;
Version 2.0.4 is here (http://free.antivirus.com/hijackthis/)
Skipperme
2011-05-21, 23:31
Checked my CA suite and it's up to date. While trying to find out how to check the update status, I did a help search and got a "bad script..." error.
Tried Windows Update. Didn't fly. Tried by doing a search via the Chrome universal wonderful address bar, which took me to Google results, first of which was the link to windowsupdate..etc. Clicked the link and got redirected (which is what got me here in the first place). After a couple of more attempts at it, Chrome crashed, which has been part of the pattern. I've seen other posts of people reporting google redirect and Chrome crashing as well.
Tried directly accessing windowsupdate.microsoft.com via address bar in both IE(8) and FF(3.6.16), got a blank page in both cases.
I was able to go directly to both avast.com and avg.com typing directly to the address bar. Searches via google and yahoo got redirected.
Downloaded the MBAM offline database and ran the installer. Ran MalWareBytes and got "out of date by 15 days" this time. Ran full scan anyway, and it caught 3 things. I said 'fix' and here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6516
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702
5/21/2011 3:54:51 PM
mbam-log-2011-05-21 (15-54-51).txt
Scan type: Full scan (C:\|)
Objects scanned: 253122
Time elapsed: 51 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\messenger.exe (Malware.Gen) -> Value: messenger.exe -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\program files\common files\microsoft shared\web components\messenger.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\messenger.exe (Malware.Gen) -> Quarantined and deleted successfully.
Also ran HJT scan, and got this log. I haven't said "analyze this" or "fix" yet. I await your instructions for the next step.
HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:15:09 PM, on 5/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\IRW.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2504091
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CA Anti-Phishing Toolbar Helper - {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Phishing\Toolbar\caIEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Phishing\Toolbar\caIEToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Don\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Don\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAAMSvc - CA - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: WeFi Engine Service (WefiEngSvc) - WeFi - C:\Program Files\WeFi\WefiEngSvc.exe
O23 - Service: WinSock Extention Manager (WinExtManager) - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe
--
End of file - 9872 bytes
shelf life
2011-05-22, 00:41
ok. Lets try tdsskiller first and see if it digs up anything:
Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. Vista and Windows 7 right click as "run as admin.." After it initializes click the start scan button.
"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
Next you can use combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) Post the log in your reply
Skipperme
2011-05-22, 00:46
Thanks.. First want to check. I left HJT running after I sent the log. It's still at post scan "analyze this/fix that" decision point. Should I just close it out and move on? From what you say to do next, I'm thinking so, but I want to check before moving on.
thanks
shelf life
2011-05-22, 00:55
Yes you can just close it out.
Skipperme
2011-05-22, 00:57
Ran it. Went very quickly and said non problem...
Here's log:
2011/05/21 17:55:55.0014 4888 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/21 17:55:55.0467 4888 ================================================================================
2011/05/21 17:55:55.0467 4888 SystemInfo:
2011/05/21 17:55:55.0467 4888
2011/05/21 17:55:55.0467 4888 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/21 17:55:55.0467 4888 Product type: Workstation
2011/05/21 17:55:55.0467 4888 ComputerName: FINGERS
2011/05/21 17:55:55.0467 4888 UserName: Don
2011/05/21 17:55:55.0467 4888 Windows directory: C:\WINDOWS
2011/05/21 17:55:55.0467 4888 System windows directory: C:\WINDOWS
2011/05/21 17:55:55.0467 4888 Processor architecture: Intel x86
2011/05/21 17:55:55.0467 4888 Number of processors: 2
2011/05/21 17:55:55.0467 4888 Page size: 0x1000
2011/05/21 17:55:55.0467 4888 Boot type: Normal boot
2011/05/21 17:55:55.0467 4888 ================================================================================
2011/05/21 17:55:55.0608 4888 Initialize success
2011/05/21 17:56:08.0796 5960 ================================================================================
2011/05/21 17:56:08.0796 5960 Scan started
2011/05/21 17:56:08.0796 5960 Mode: Manual;
2011/05/21 17:56:08.0796 5960 ================================================================================
2011/05/21 17:56:10.0827 5960 ================================================================================
2011/05/21 17:56:10.0827 5960 Scan finished
2011/05/21 17:56:10.0827 5960 ================================================================================
shelf life
2011-05-22, 01:54
ok thats good news. HJT log looks ok. Have you tried updating malwarebytes from within the software?
Skipperme
2011-05-22, 02:00
Hi,
Downloaded ComboFix and read through the docs. Disabled CA and ran the program. The startup sequenced didn't follow the descriptions exactly. First there was a small dlg with a progress bar for a few seconds, then a large dialog that listed 3 websites that do try to sell ComboFix and to try to get your money back if you bought it.
Then it gives the disclaimer statement and says go ahead if you agree..
I go ahead.
Dialog pops up saying CA is installed and must be UNINSTALLED?
Seems suspicious, but let me know.
Skipperme
2011-05-22, 03:06
Overlapped messages, I guess. I'm still wondering about Combofix and CA uninstall. In the meantime, tried to update Malwarebytes from w/in program, got the same error as before. System call buffer too small.
However, I just did some searches in FF via Yahoo and Google and clicked through to destination links with no redirect. Brief test, but it had been pretty consistent.
There was another keyboard grab going on where anytime a fairly long word containing the consecutive letters 'us' would end up with the 'us' being raplaced by ' google'.
Miscellaneous, for instance. And that didn't get hooked, so that's looking good. (It would do the substitution displayed text (no input necessary) as well. Garbled stuff. Not seeing any now.
Let me know if I need to proceed with ComboFix.. and about the request to uninstall CA
thanks
shelf life
2011-05-22, 04:56
Combofix will not run with certain AV installed. One is AVG. The AV sees some of the files as threats. Malwarebytes log looks pretty clean, HJT log looks ok, CA good and tdsskiller log is ok. As far as malware goes everything looks good from what i have seen.
For Malwarebytes I would try removing it via the add/remove programs panel, reboot your computer then run this clean (http://www.malwarebytes.org/mbam-clean.exe) tool for MBAM. Download
MBAM (http://www.malwarebytes.org/products/malwarebytes_free) again and reinstall. You will have to allow outbound in your firewall for the .exe(s) to get it updated. I dont know if its firewall related or your CA suite thats causing the updating problem. You could as a experiment disable them before updating MBAM, I woudnt recommend it as a long term solution though.
You can uninstall CA via the add/remove programs panel, reboot and run combofix if you want to. Make sure you have any license key etc that may be needed to reinstall it back on to your machine.
Skipperme
2011-05-22, 17:42
I did the uninstall, clean and reinstall for MBAM, and selected update and start from the confirmation dialog after install.
"An error has occurred. Please report this error code to our support team.
PROGRAM_ERROR_UPDATING(122,0,MultiByteToWideChar)
The data area passed to a system call is too small"
as before.
I had had CA disabled for the most recent fix attempts, but enabled it again before trying the reinstall..
I supposed I should report this to the MalwareByte guys, since it asks me to.
Advice?
Skipperme
2011-05-22, 20:42
Just been testing the browsing behavior that started this whole thing. Still happening. Google searches getting redirected to miscellaneous sites.
I found a post in the google help search web forum about the redirect virus, including the post that led me to you guys initially. Someone in there also posted that they had gone through a series of fixes as well:
"MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".
Have you had success with anyone else getting rid of this?
As of this point I haven't had any keystroke hijacking activity, but I'm getting a bit gun-shy of doing anything. I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it.
Thanks.
shelf life
2011-05-23, 00:30
Thanks for the info. Hold off on the MBAM problem for now, it may be malware related.
MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".
True, you have a rootkit on board. Sometimes they can show in a DDS log which you cant run. Combofix can remove some of them but that wont run with your CA suite installed.
Try running tdskiller once more, also we will get another download to use:
Please download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe).exe to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start scan
On completion of the scan click save log, save it to your desktop and post in your next reply. Click the exit button to exit.
I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it.
Good. Also when not in use make sure it has no connectivity. If your not sure how to stop this then just power it off. Why? rootkit technology can continue to use your connection easily without you noticing it, firewall or no firewall, browser running or not.
Skipperme
2011-05-23, 00:43
One thing I've been worried about is if this thing can jump the bridge, so to speak, and infect the OS X side of my mac. i.e. This is running in my XP side of my iMac. You probably know that already, but it's been worrying me a bit, and now that you say this thing can root around even if the firewall is there I'm concerned it may be evil enough to worm it's way through.
I'm on the mac side of the boot right now, but I'll head over to XP side now to try the new fixes..
Skipperme
2011-05-23, 00:55
I'm in the infected land again.
I downloaded the aswMBR.exe, but haven't run it yet. From your message I wasn't sure whether you were saying to run tdsskiller again first..
shelf life
2011-05-23, 02:42
Dont worry about the MAC side. Its all about Windows. Try running tdsskiller once more then aswMBR.
I forgot you had a MAC partition. I wouldnt leave the machine with any connectivity when Windows is running. Your fine when your running the MAC side.
Skipperme
2011-05-23, 03:40
TDSS ran quickly, nothing found. Here's the log:
2011/05/22 20:32:46.0046 1748 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/22 20:32:46.0405 1748 ================================================================================
2011/05/22 20:32:46.0405 1748 SystemInfo:
2011/05/22 20:32:46.0405 1748
2011/05/22 20:32:46.0405 1748 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/22 20:32:46.0405 1748 Product type: Workstation
2011/05/22 20:32:46.0405 1748 ComputerName: FINGERS
2011/05/22 20:32:46.0405 1748 UserName: Don
2011/05/22 20:32:46.0405 1748 Windows directory: C:\WINDOWS
2011/05/22 20:32:46.0405 1748 System windows directory: C:\WINDOWS
2011/05/22 20:32:46.0405 1748 Processor architecture: Intel x86
2011/05/22 20:32:46.0405 1748 Number of processors: 2
2011/05/22 20:32:46.0405 1748 Page size: 0x1000
2011/05/22 20:32:46.0405 1748 Boot type: Normal boot
2011/05/22 20:32:46.0405 1748 ================================================================================
2011/05/22 20:32:46.0530 1748 Initialize success
2011/05/22 20:34:14.0405 3760 ================================================================================
2011/05/22 20:34:14.0405 3760 Scan started
2011/05/22 20:34:14.0405 3760 Mode: Manual;
2011/05/22 20:34:14.0405 3760 ================================================================================
2011/05/22 20:34:16.0436 3760 ================================================================================
2011/05/22 20:34:16.0436 3760 Scan finished
2011/05/22 20:34:16.0436 3760 ================================================================================
aswMBR log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-22 20:37:08
-----------------------------
20:37:08.952 OS Version: Windows 5.1.2600 Service Pack 3
20:37:08.952 Number of processors: 2 586 0x1706
20:37:08.952 ComputerName: FINGERS UserName: Don
20:37:09.171 Initialize success
20:38:34.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
20:38:34.796 Disk 0 Vendor: Hitachi_HDP725032GLA380 GM0KA59A Size: 305245MB BusType: 3
20:38:36.827 Disk 0 MBR read successfully
20:38:36.827 Disk 0 MBR scan
20:38:36.827 Disk 0 Windows XP default MBR code
20:38:38.827 Disk 0 scanning sectors +625142408
20:38:38.827 Disk 0 scanning C:\WINDOWS\system32\drivers
20:38:44.280 Service scanning
20:38:45.186 Disk 0 trace - called modules:
20:38:45.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:38:45.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e29ab8]
20:38:45.218 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000070[0x89e2b9e8]
20:38:45.218 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x89d59d98]
20:38:45.218 Scan finished successfully
20:39:06.983 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Don\Desktop\MBR.dat"
20:39:06.983 The log file has been saved successfully to "C:\Documents and Settings\Don\Desktop\aswMBR.txt"
shelf life
2011-05-24, 00:07
The good news: nothing there in the logs. The bad news is your still getting redirected. I would run combofix after uninstalling your CA suite and rebooting.
At least you appear not to have a tdss rootkit. I was starting to wonder what writing a new MBR might do to your partitions, having a duel boot machine, maybe nothing, at the worst Windows wouldnt boot up. Do you want to run combofix?
Skipperme
2011-05-24, 05:32
hi,
Glad we didn't mess with the MBR and risk the full monty. Windows side I can deal with losing if there is no other hope, Mac side, not so much. Much more invested over there right now. I use windows sparingly on this machine and haven't committed a lot of resources of personal data to it.
Are you asking about combo fix because of some particular risk of damage? I'll run what you think is safe if I can get rid of this friggin thing.
I'll wait before I proceed. I'm communicating via my Win7 laptop, XP Mac is disconnected from internet right now.
I really appreciate this help.
shelf life
2011-05-24, 23:26
Not worried about damage, its just theres really nothing else left to run. We are still looking for the source of the redirects. Everything so far as I can tell is drawing a blank
As a precaution you could pull of any content on the mac side, stuff you created like documents, video, photos etc. Software and the OS can always be reinstalled. Its a precaution only.
Ive had loads of people successfully use combofix with out any problems. The difference is yours is a duel boot and a Mac to boot. I dont know anything about macs. Linux and Windows only, thats why the extra precaution. If I had a Mac i would try it myself, dont mind messing my machine up but i dont want to mess up somebody else's. Lets hope the malware shows up in combofix. Read the combofix guide first if you havent yet.
Skipperme
2011-05-26, 19:14
Hi,
I have been backing up my Mac side data and found the Sophos anti-virus freeware to scan with. My Intego database has been out of date for quite a while (I know...) because of lack of $$ lately. Living dangerously, I know. But I scanned with Sophos on the Mac side and it found/reported a malware file in the Windows volume:
/volumes/Untitled/WINDOWS/Temp/16b56a.exe
what they label as "Mal/generic-L"
tried to automatically clean up, and was informed it had to be done manually. Tried to delete it from the Mac side, figured I wouldn't be able to and that was the case. Switched to the windows side and deleted it.
Still getting redirected.
I just saw in a forum on the web a mention that Sophos can get a false positive.
Have you talked to anyone else who has come across google redirect on a Mac Windows partition?
I'm on my Win7 laptop now, and I'll go back to the Mac/XP, get offline and uninstall CA.
I'll go back to the Mac and keep backing things up, then run combofix in XP, unless you think I should wait or do something else..
Skipperme
2011-05-26, 21:02
So, I tried to uninstall CA, was unable to do it through the control panel, followed the error report links to the CA site, from which I was directed to download and run a special uninstall program from IE, did so, rebooted as requested, then got bad diagnostics on XP startup (the second, VGA resolution screen with the blue background and logo) listing a ton of bad file messages and index entries and such. Then it ran CHKDSK to fix stuff, then rebooted unannounced instead of starting.
Because I wasn't watching for a few seconds, it rebooted into the Mac side. I restarted to XP, and it has started up with these symptoms.
1. odd, but noticeable, prior to this reboot, the audio on the 'startup tune' when XP booted was choppy and distorted. This time, clear as a bell. ???
2. two dialogs have popped up:
"Data Execution Prevention - Microsoft Windows"
To help protect your computer, windows has cosed this program:
Generic Host process for Win32 Services
publisher: Microsoft Corp.
and
Win Explorer:
"<path to CA suite> unavailable, etc."
..Seems like the auto run is still set and is looking for CA that is now gone..
I said okay to the dialog, got the prompt to report the crash, said no.
Running IE and FF, both still getting redirected.
Another symptom that seems to be part of it, images will often not load on web pages.
I've seen some forum posts here and there (other sites) mentioning all the tools we've tried, and some people have said combofix was the only thing that really killed it.
I'll wait for a response before running combofix.
thanks, Don
shelf life
2011-05-26, 23:49
Try running combofix in safe mode and see how it goes. To reach safe mode once Windows is starting to boot tap the f8 key. Chose the first option from the list: safe mode, log into your usual account. Once at the safe mode desktop run combofix.
Skipperme
2011-05-27, 04:40
When I booted into safe mode, the first option was "Safe Mode", the next was "Safe Mode with Network" (or something like). I chose door number 1. Now running combofix I get to the "install recovery console if you don't have it" step and it needs to connect to the internet to download it. There is no connection, and I'm having a hard time creating one.. Am I missing something or do I have to do Safe Mode with Networking to make this happen?
shelf life
2011-05-27, 05:19
You can install it manually or have combofix install it. To install in safe mode you would have to be in safe mode with networking. Either way you want to do it. Normally I have people run it while in a normal start up, not safe mode. But because of your problems in Windows I thought safe mode may be better. If it all goes good then you can reboot normally and run it again.
Manual (http://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery) Install
Skipperme
2011-05-27, 05:38
Combofix asked me very politely to connect to the internet, but I couldn't, and the only dialog options after that were ok, then ok and now it is scanning without the console installed.. Is there a way for me to stop it, install the console and restart, or should I just let it run its course now?
Skipperme
2011-05-27, 06:20
Combofix is still running, I think. The only activity is a blinking cursor after the lines
"[the scan] typically doesn't take more than 10 minutes.."
"However, scan times for badly infected machines may easily double.."
It's been 40 minutes now, no progress indicator, just the flashing cursor and I don't hear any disk activity.
what next?
shelf life
2011-05-27, 17:30
I would just reboot the machine if its been thats long. You can install the recovery console manually via the link i posted. you would need a internet connection. If you have a Windows CD/DVD look here (http://support.microsoft.com/kb/307654) to install the recovery console off the CD.
It may just be easier to reformat and reinstall your Windows installation. We really arent making any progress as far as the malware goes.
Skipperme
2011-05-27, 20:15
Okay, let's try one more time, then I'll punt and reinstall XP..
I appreciate your patience with me and all your help. It seems that no matter what instructions there are for any software any time, what looks like it will be straightforward usually isn't. Seems that's been the case for me.
I installed the Recovery Console from my installation CD. When it restarted, I ran combofix again and got a dialog saying my demo had expired (?) and it would only use a limited amount of resources to do the job. It started up and proceeded to do things. i.e. did the registry backup, then got the "scanning for infected files..." notifications, then some other activity such as "completed stage_n". Then got to the screen saying 'preparing log report". It stayed there for quite a long time. The instructions say it takes a while, but not sure how long that is..
So I rebooted, hard reboot again. Started in unsafe mode, downloaded combofix again, restarted in safe mode, ran combofix again (install sequence, registry backup, and now it is once again stuck on the "scan times may easily double.." with no activity, as it was last night.
Any suggestions how to approach this one more time? Do you know anyone else who may have worked on a Mac/Win situation?
Again, I appreciate your help.
shelf life
2011-05-27, 22:22
ok, your welcome, no problem.
dialog saying my demo had expired (?)
This was a combofix pop up? Ive never seen nor heard of it. Theres only one version, there is no 'demo" version. Using explorer take a look in your Local Disk (C) for a Combofix.txt, maybe its there.
The fact you have a duel boot really dosnt have much to do with it. My only concern with that was if you wrote a new MBR to disk and messed up one of your partitions and couldnt boot up into one of them or both.
Your not being able to successfully run the tools is not unique either, many people have this problem. Malware is getting much more sophisticated and going deeper into the OS, becoming increasingly difficult to remove.
Skipperme
2011-05-28, 22:18
I've done a hard reset at least twice now after starting combofix and getting nowhere..
Today when I started up in normal mode I checked for the combofix.txt file you mentioned (on the C:\ drive). Didn't find it, but found a Combofix item in the listing that had a monitor icon next to it and was labeled as "Folder". Same icon as for "My Computer" and "Folder" instead of "File Folder".
I popped open the subtree item under it and it showed the resources as if it were a mirror of the MyComputer tree. i.e. disk drives, usb drive, etc.
Seemed like that was probably not right, but at this point I can't tell black from white.
I went back to bleepingcomputer.com and downloaded combofix directly from there. I thought I had gone to the correct location before, but I now know it was definitely not and I guess I gave someone else a key to the vault as well. All the weird stuff that happened when I ran the spoof version must have really screwed things up.
So I've now restarted in Safe Mode, ran the install with the Combofix.exe that I know I downloaded from Bleeping..., it went through the as-documented startup sequence, has arrived at the "Scanning for files..." initial 3 text lines, and is once again hanging. Didn't reset the clock, and is not showing any Completion stage progress.
When I ran what i presume was the malware version prior to this (with all the odd messages), it did show a completion stage item, I believe it did reset the clock as well, and got to the stage of "writing the log". I maybe was too impatient at this point and did a hard reset again. This is where I started from today.
I'm going to watch a movie or something (on another computer!) while this combofix command window sits and blinks. If nothing is happening by the time the credits roll, I'm going to reformat the partition and start clean. This is getting really really messy and I'm not really comfortable with the state of my system now.
If you have any final words or advice about something else to try, or have any more questions about the stuff I tried and what happened, let me know.
Again, I do appreciate the time you've put in on this. Very frustrating for you as well, I'm sure.
shelf life
2011-05-29, 00:33
Hey your welcome. Combofix is in my opinion the best tool to run for finding and removing malware. It really shouldnt take to long to run. You should also see the progress in the window as it happens. If all you get is a blinking cursor after 15 minutes or so, its probably hung up.
Do you happen to have the URL where you got the fake combofix from, or the .exe itself.?
I would like to get a copy myself. You have have reformatted by now.
You have some nasty malware, a reformat may be the best way to go. Some say that a computer can no longer be trusted once a rootkit as been found and removed, no telling what may have been modified. Malware is constantly being updated also, to escape detection/removal from all the software.
Skipperme
2011-05-29, 01:00
I'm getting ready to wipe the slate clean and reinstall. Enough is enough. I haven't reinstalled yet, so I'll see if I can retrace my steps to the bad download. I think it started with me going to combofix.com or .org... Then got sent to a page with a whole bunch of scareware crap on it. Click here, click there. Finally found one that seemed to be the right thing. I should have backed off as soon as I got there. But there's no going back now..
...
I just checked combofix.org and that seems to be set up to spoof all of the stuff you've been recommending. They credit everyone, but completely control the download. I don't think that's where I started, though.
I traced my history back, and I think the problem started at majorgeeks.com. It also gives proper attribution, it seems, but it sends you to suspicious download locations. I'm gun shy of everything now..
Just to be sure of what you last said, you mentioned that a computer can't be trusted once a rootkit gets it and is removed. I presume you mean just removed, but not OS reformat/reinstall? I would hope the OS reinstall would do it, but I know there are multiple levels of formatting, so my paranoia runs deep.
Thanks. Go help others.
shelf life
2011-05-29, 06:05
Thanks but dont worry about trying to find it. Go ahead and reformat. Yes I meant couldn't be trusted after removal only. A reformatting reinstall of the OS will do the trick.
Dont forget to get "patched" via Windows update afterwards. And of course install a AV, there are several free good ones. And antimalware. Then you should be all set again.
Normally I post these tips at close, but we didnt really resolve anything as far as malware goes but I will post them anyway:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.
1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes ,browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html)that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.
8) Install and understand the *limitations* of a software firewall.
9) Securing IE for safer Browsing. (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) How to harden FireFox (http://threatpost.com/en_us/slideshow/How-to-configure-Mozilla-Firefox-for-secure-surfing?utm_source=Second+Sidebar&utm_medium=Featured+Slideshows&utm_campaign=Configure+Mozilla+Firefox) for safer surfing.
10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?
More info/tips with pictures in links below.
Happy Safe Surfing.
Skipperme
2011-05-30, 07:58
I'll follow the list faithfully.