Warning while running DDS.com

Dont worry about the MAC side. Its all about Windows. Try running tdsskiller once more then aswMBR.
I forgot you had a MAC partition. I wouldnt leave the machine with any connectivity when Windows is running. Your fine when your running the MAC side.
 
tdss and aswMBR

TDSS ran quickly, nothing found. Here's the log:
2011/05/22 20:32:46.0046 1748 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/22 20:32:46.0405 1748 ================================================================================
2011/05/22 20:32:46.0405 1748 SystemInfo:
2011/05/22 20:32:46.0405 1748
2011/05/22 20:32:46.0405 1748 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/22 20:32:46.0405 1748 Product type: Workstation
2011/05/22 20:32:46.0405 1748 ComputerName: FINGERS
2011/05/22 20:32:46.0405 1748 UserName: Don
2011/05/22 20:32:46.0405 1748 Windows directory: C:\WINDOWS
2011/05/22 20:32:46.0405 1748 System windows directory: C:\WINDOWS
2011/05/22 20:32:46.0405 1748 Processor architecture: Intel x86
2011/05/22 20:32:46.0405 1748 Number of processors: 2
2011/05/22 20:32:46.0405 1748 Page size: 0x1000
2011/05/22 20:32:46.0405 1748 Boot type: Normal boot
2011/05/22 20:32:46.0405 1748 ================================================================================
2011/05/22 20:32:46.0530 1748 Initialize success
2011/05/22 20:34:14.0405 3760 ================================================================================
2011/05/22 20:34:14.0405 3760 Scan started
2011/05/22 20:34:14.0405 3760 Mode: Manual;
2011/05/22 20:34:14.0405 3760 ================================================================================
2011/05/22 20:34:16.0436 3760 ================================================================================
2011/05/22 20:34:16.0436 3760 Scan finished
2011/05/22 20:34:16.0436 3760 ================================================================================

aswMBR log:
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-22 20:37:08
-----------------------------
20:37:08.952 OS Version: Windows 5.1.2600 Service Pack 3
20:37:08.952 Number of processors: 2 586 0x1706
20:37:08.952 ComputerName: FINGERS UserName: Don
20:37:09.171 Initialize success
20:38:34.796 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10
20:38:34.796 Disk 0 Vendor: Hitachi_HDP725032GLA380 GM0KA59A Size: 305245MB BusType: 3
20:38:36.827 Disk 0 MBR read successfully
20:38:36.827 Disk 0 MBR scan
20:38:36.827 Disk 0 Windows XP default MBR code
20:38:38.827 Disk 0 scanning sectors +625142408
20:38:38.827 Disk 0 scanning C:\WINDOWS\system32\drivers
20:38:44.280 Service scanning
20:38:45.186 Disk 0 trace - called modules:
20:38:45.218 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:38:45.218 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e29ab8]
20:38:45.218 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000070[0x89e2b9e8]
20:38:45.218 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-10[0x89d59d98]
20:38:45.218 Scan finished successfully
20:39:06.983 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Don\Desktop\MBR.dat"
20:39:06.983 The log file has been saved successfully to "C:\Documents and Settings\Don\Desktop\aswMBR.txt"
 
The good news: nothing there in the logs. The bad news is your still getting redirected. I would run combofix after uninstalling your CA suite and rebooting.

At least you appear not to have a tdss rootkit. I was starting to wonder what writing a new MBR might do to your partitions, having a duel boot machine, maybe nothing, at the worst Windows wouldnt boot up. Do you want to run combofix?
 
combofix

hi,

Glad we didn't mess with the MBR and risk the full monty. Windows side I can deal with losing if there is no other hope, Mac side, not so much. Much more invested over there right now. I use windows sparingly on this machine and haven't committed a lot of resources of personal data to it.

Are you asking about combo fix because of some particular risk of damage? I'll run what you think is safe if I can get rid of this friggin thing.

I'll wait before I proceed. I'm communicating via my Win7 laptop, XP Mac is disconnected from internet right now.

I really appreciate this help.
 
Not worried about damage, its just theres really nothing else left to run. We are still looking for the source of the redirects. Everything so far as I can tell is drawing a blank
As a precaution you could pull of any content on the mac side, stuff you created like documents, video, photos etc. Software and the OS can always be reinstalled. Its a precaution only.

Ive had loads of people successfully use combofix with out any problems. The difference is yours is a duel boot and a Mac to boot. I dont know anything about macs. Linux and Windows only, thats why the extra precaution. If I had a Mac i would try it myself, dont mind messing my machine up but i dont want to mess up somebody else's. Lets hope the malware shows up in combofix. Read the combofix guide first if you havent yet.
 
Sophos from the Mac side,

Hi,

I have been backing up my Mac side data and found the Sophos anti-virus freeware to scan with. My Intego database has been out of date for quite a while (I know...) because of lack of $$ lately. Living dangerously, I know. But I scanned with Sophos on the Mac side and it found/reported a malware file in the Windows volume:
/volumes/Untitled/WINDOWS/Temp/16b56a.exe
what they label as "Mal/generic-L"
tried to automatically clean up, and was informed it had to be done manually. Tried to delete it from the Mac side, figured I wouldn't be able to and that was the case. Switched to the windows side and deleted it.

Still getting redirected.

I just saw in a forum on the web a mention that Sophos can get a false positive.

Have you talked to anyone else who has come across google redirect on a Mac Windows partition?

I'm on my Win7 laptop now, and I'll go back to the Mac/XP, get offline and uninstall CA.

I'll go back to the Mac and keep backing things up, then run combofix in XP, unless you think I should wait or do something else..
 
CA uninstall adventures..

So, I tried to uninstall CA, was unable to do it through the control panel, followed the error report links to the CA site, from which I was directed to download and run a special uninstall program from IE, did so, rebooted as requested, then got bad diagnostics on XP startup (the second, VGA resolution screen with the blue background and logo) listing a ton of bad file messages and index entries and such. Then it ran CHKDSK to fix stuff, then rebooted unannounced instead of starting.
Because I wasn't watching for a few seconds, it rebooted into the Mac side. I restarted to XP, and it has started up with these symptoms.
1. odd, but noticeable, prior to this reboot, the audio on the 'startup tune' when XP booted was choppy and distorted. This time, clear as a bell. ???
2. two dialogs have popped up:

"Data Execution Prevention - Microsoft Windows"
To help protect your computer, windows has cosed this program:
Generic Host process for Win32 Services
publisher: Microsoft Corp.

and
Win Explorer:
"<path to CA suite> unavailable, etc."
..Seems like the auto run is still set and is looking for CA that is now gone..

I said okay to the dialog, got the prompt to report the crash, said no.
Running IE and FF, both still getting redirected.
Another symptom that seems to be part of it, images will often not load on web pages.

I've seen some forum posts here and there (other sites) mentioning all the tools we've tried, and some people have said combofix was the only thing that really killed it.

I'll wait for a response before running combofix.

thanks, Don
 
Try running combofix in safe mode and see how it goes. To reach safe mode once Windows is starting to boot tap the f8 key. Chose the first option from the list: safe mode, log into your usual account. Once at the safe mode desktop run combofix.
 
Safe Mode vs Combo Fix and Recovery Console

When I booted into safe mode, the first option was "Safe Mode", the next was "Safe Mode with Network" (or something like). I chose door number 1. Now running combofix I get to the "install recovery console if you don't have it" step and it needs to connect to the internet to download it. There is no connection, and I'm having a hard time creating one.. Am I missing something or do I have to do Safe Mode with Networking to make this happen?
 
You can install it manually or have combofix install it. To install in safe mode you would have to be in safe mode with networking. Either way you want to do it. Normally I have people run it while in a normal start up, not safe mode. But because of your problems in Windows I thought safe mode may be better. If it all goes good then you can reboot normally and run it again.

Manual Install
 
combofix running without console...

Combofix asked me very politely to connect to the internet, but I couldn't, and the only dialog options after that were ok, then ok and now it is scanning without the console installed.. Is there a way for me to stop it, install the console and restart, or should I just let it run its course now?
 
going and going..

Combofix is still running, I think. The only activity is a blinking cursor after the lines
"[the scan] typically doesn't take more than 10 minutes.."
"However, scan times for badly infected machines may easily double.."

It's been 40 minutes now, no progress indicator, just the flashing cursor and I don't hear any disk activity.

what next?
 
I would just reboot the machine if its been thats long. You can install the recovery console manually via the link i posted. you would need a internet connection. If you have a Windows CD/DVD look here to install the recovery console off the CD.
It may just be easier to reformat and reinstall your Windows installation. We really arent making any progress as far as the malware goes.
 
Last ditch?

Okay, let's try one more time, then I'll punt and reinstall XP..
I appreciate your patience with me and all your help. It seems that no matter what instructions there are for any software any time, what looks like it will be straightforward usually isn't. Seems that's been the case for me.

I installed the Recovery Console from my installation CD. When it restarted, I ran combofix again and got a dialog saying my demo had expired (?) and it would only use a limited amount of resources to do the job. It started up and proceeded to do things. i.e. did the registry backup, then got the "scanning for infected files..." notifications, then some other activity such as "completed stage_n". Then got to the screen saying 'preparing log report". It stayed there for quite a long time. The instructions say it takes a while, but not sure how long that is..
So I rebooted, hard reboot again. Started in unsafe mode, downloaded combofix again, restarted in safe mode, ran combofix again (install sequence, registry backup, and now it is once again stuck on the "scan times may easily double.." with no activity, as it was last night.

Any suggestions how to approach this one more time? Do you know anyone else who may have worked on a Mac/Win situation?

Again, I appreciate your help.
 
ok, your welcome, no problem.
dialog saying my demo had expired (?)
Click to expand...
This was a combofix pop up? Ive never seen nor heard of it. Theres only one version, there is no 'demo" version. Using explorer take a look in your Local Disk (C) for a Combofix.txt, maybe its there.

The fact you have a duel boot really dosnt have much to do with it. My only concern with that was if you wrote a new MBR to disk and messed up one of your partitions and couldnt boot up into one of them or both.

Your not being able to successfully run the tools is not unique either, many people have this problem. Malware is getting much more sophisticated and going deeper into the OS, becoming increasingly difficult to remove.
 
combofix troubles, still

I've done a hard reset at least twice now after starting combofix and getting nowhere..

Today when I started up in normal mode I checked for the combofix.txt file you mentioned (on the C:\ drive). Didn't find it, but found a Combofix item in the listing that had a monitor icon next to it and was labeled as "Folder". Same icon as for "My Computer" and "Folder" instead of "File Folder".
I popped open the subtree item under it and it showed the resources as if it were a mirror of the MyComputer tree. i.e. disk drives, usb drive, etc.
Seemed like that was probably not right, but at this point I can't tell black from white.

I went back to bleepingcomputer.com and downloaded combofix directly from there. I thought I had gone to the correct location before, but I now know it was definitely not and I guess I gave someone else a key to the vault as well. All the weird stuff that happened when I ran the spoof version must have really screwed things up.

So I've now restarted in Safe Mode, ran the install with the Combofix.exe that I know I downloaded from Bleeping..., it went through the as-documented startup sequence, has arrived at the "Scanning for files..." initial 3 text lines, and is once again hanging. Didn't reset the clock, and is not showing any Completion stage progress.

When I ran what i presume was the malware version prior to this (with all the odd messages), it did show a completion stage item, I believe it did reset the clock as well, and got to the stage of "writing the log". I maybe was too impatient at this point and did a hard reset again. This is where I started from today.

I'm going to watch a movie or something (on another computer!) while this combofix command window sits and blinks. If nothing is happening by the time the credits roll, I'm going to reformat the partition and start clean. This is getting really really messy and I'm not really comfortable with the state of my system now.

If you have any final words or advice about something else to try, or have any more questions about the stuff I tried and what happened, let me know.

Again, I do appreciate the time you've put in on this. Very frustrating for you as well, I'm sure.
 
Hey your welcome. Combofix is in my opinion the best tool to run for finding and removing malware. It really shouldnt take to long to run. You should also see the progress in the window as it happens. If all you get is a blinking cursor after 15 minutes or so, its probably hung up.

Do you happen to have the URL where you got the fake combofix from, or the .exe itself.?
I would like to get a copy myself. You have have reformatted by now.

You have some nasty malware, a reformat may be the best way to go. Some say that a computer can no longer be trusted once a rootkit as been found and removed, no telling what may have been modified. Malware is constantly being updated also, to escape detection/removal from all the software.
 
Time to start over

I'm getting ready to wipe the slate clean and reinstall. Enough is enough. I haven't reinstalled yet, so I'll see if I can retrace my steps to the bad download. I think it started with me going to combofix.com or .org... Then got sent to a page with a whole bunch of scareware crap on it. Click here, click there. Finally found one that seemed to be the right thing. I should have backed off as soon as I got there. But there's no going back now..

...

I just checked combofix.org and that seems to be set up to spoof all of the stuff you've been recommending. They credit everyone, but completely control the download. I don't think that's where I started, though.

I traced my history back, and I think the problem started at majorgeeks.com. It also gives proper attribution, it seems, but it sends you to suspicious download locations. I'm gun shy of everything now..

Just to be sure of what you last said, you mentioned that a computer can't be trusted once a rootkit gets it and is removed. I presume you mean just removed, but not OS reformat/reinstall? I would hope the OS reinstall would do it, but I know there are multiple levels of formatting, so my paranoia runs deep.

Thanks. Go help others.
 
Thanks but dont worry about trying to find it. Go ahead and reformat. Yes I meant couldn't be trusted after removal only. A reformatting reinstall of the OS will do the trick.
Dont forget to get "patched" via Windows update afterwards. And of course install a AV, there are several free good ones. And antimalware. Then you should be all set again.
Normally I post these tips at close, but we didnt really resolve anything as far as malware goes but I will post them anyway:

10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.

1) It is essential to keep your operating system (Windows) browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes ,browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about virus and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then its time to *review your computer habits*.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks.

5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) Securing IE for safer Browsing. How to harden FireFox for safer surfing.

10) Warez, cracks etc are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. Can you really trust the source of the file?


More info/tips with pictures in links below.

Happy Safe Surfing.
 
You must log in or register to reply here.
Back
Top