Warning while running DDS.com

S

Skipperme

New member
I'm running XP Pro on the Windows Bootcamp partition of my iMac. Having virus trouble, that's why I'm here..

Following your instructions, I'm running DDS.com, after doing the ERUNT reg backup, and I have CA Internet Security Suite running, configured to fire alerts when "attempts to access monitored items are detected", which I believe is the case here.
I get this alert
"1 Program has been blocked"
C:\Documents and Settings\MyName\Local Settings\Temp\2f.tmp\MBR.D AT

Wants access to:

HKLM\System\CurrentControlSet\Services\mbr.


Is this DDS asking for something, or bad guys?

http://forums.spybot.info/showthread.php?p=404221#post404221
 
Last edited by a moderator:
hi Skipperme,

Try disabling CA Internet Security Suite first and any other "anti this or that" you may have running then run DDS. After you get a DDS log, reboot machine to start your CA Suite back up.
 
Follow on to DDS warning..

Hi, I just recently posted in the Waiting Room because of the 4 day wait and gave the sequence of actions I went through after I posted about the Filter warning you are responding to. I did disable the CA stuff, then tried 3 more times through the ERUNT/DDS sequence. Didn't get anymore warnings, but each time DDS died before it completed, completely killing the machine. No mouse or keyboard response, had to hard reboot. So I haven't gotten a DDS dump yet and await word on much more frigged up things are when DDS won't even run...

I don't want to get too confused with posts all over the place, so let me know what to expect next. As I said, the latest info (basically what I said here) is also in a post in the Waiting Room.

Thanks.

----------------------------
Edit

Please post to shelf life in this topic.
 
Last edited by a moderator:
Ive never had DDS not be able to produce a log but that dosnt mean its malware related. Do you have Malwarebytes installed? if not:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply.

You could also try running DDS in safe mode. After a reboot and before Windows starts, tap the f8 key and from the list chose the first option: safe mode, log into your usual account, once at the safe mode desktop try running DDS.
Is CA telling you you have a virus or are you experiencing any signs of malware?
 
Malwarebytes story

Did a scan with CA first, got nothing.

While downloading or installing MWB (don't remember which...)
Got a CA notification badge popup intrusion warning for "daily drivers update" wanting access. I checked the CA logs and they had trapped some, but not all of some hits from update-drivers.in(80,87,199,48) and some from ebay.com (66.135.200.181) ??
Earlier in the list were about 5 malwarebytes accesses that were all blocked..
dunno what that is, but if it helps..

so,

installed Malwarebytes
When I ran it, I immediately got an error message dlg with the error
PROGRAM_ERROR_UPDATING(122,0,MultiByteToWideChar) data buffer too small for system call " paraphrased..
The update dialog had already shown, and this popped up in front.
clicked okay, the update dialog failed, another malware dlg popped saying things were out of date by 140 days, update?, to which I said yes and got the same error dialog box.
Dismissed that one and the MWB UI came up.
Ran the scan, got 2 infections.

Here's the log:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5363

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/19/2011 4:18:46 PM
mbam-log-2011-05-19 (16-18-46).txt

Scan type: Full scan (C:\|)
Objects scanned: 245806
Time elapsed: 54 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{9d7957d3-95e5-42ab-b935-ca291739717a}\RP9\A0004710.exe (RiskWare.Tool.CK) -> Quarantined and deleted successfully.
c:\documents and settings\Don\local settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Didn't run DDS yet.
Let me know..
Thanks.
 
If malwarebytes is out of date by 140 days it wont do you a whole lot of good.Sometimes malware can cause these type of problems. Can you successfully update your CA suite and any other software you have installed? Can you get to certain websites ok, try going to Windows Update or Avast, AVG etc.

There is a current data base you can manually download and install to MBAM here

Those other messages must be from your CA suite's firewall. You would have to give MBAM the ok to "go out" and get the updates if that whats the prompts are about.

The MBAM log is really of little help being so outdated. See if you can post a traditional HJT log so we have something to go on;
Version 2.0.4 is here
 
MBAM et al. Logs

Checked my CA suite and it's up to date. While trying to find out how to check the update status, I did a help search and got a "bad script..." error.
Tried Windows Update. Didn't fly. Tried by doing a search via the Chrome universal wonderful address bar, which took me to Google results, first of which was the link to windowsupdate..etc. Clicked the link and got redirected (which is what got me here in the first place). After a couple of more attempts at it, Chrome crashed, which has been part of the pattern. I've seen other posts of people reporting google redirect and Chrome crashing as well.
Tried directly accessing windowsupdate.microsoft.com via address bar in both IE(8) and FF(3.6.16), got a blank page in both cases.
I was able to go directly to both avast.com and avg.com typing directly to the address bar. Searches via google and yahoo got redirected.
Downloaded the MBAM offline database and ran the installer. Ran MalWareBytes and got "out of date by 15 days" this time. Ran full scan anyway, and it caught 3 things. I said 'fix' and here's the log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6516

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/21/2011 3:54:51 PM
mbam-log-2011-05-21 (15-54-51).txt

Scan type: Full scan (C:\|)
Objects scanned: 253122
Time elapsed: 51 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\messenger.exe (Malware.Gen) -> Value: messenger.exe -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\common files\microsoft shared\web components\messenger.exe (Malware.Gen) -> Quarantined and deleted successfully.
c:\messenger.exe (Malware.Gen) -> Quarantined and deleted successfully.


Also ran HJT scan, and got this log. I haven't said "analyze this" or "fix" yet. I await your instructions for the next step.

HJT log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 4:15:09 PM, on 5/21/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mdmcls32.exe
C:\WINDOWS\system32\svcprs32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\IRW.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\Boot Camp\KbdMgr.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Don\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2504091
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: CA Anti-Phishing Toolbar Helper - {45011CF5-E4A9-4F13-9093-F30A784EB9B2} - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Phishing\Toolbar\caIEToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: CA Anti-Phishing Toolbar - {0123B506-0AD9-43AA-B0CF-916C122AD4C5} - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Phishing\Toolbar\caIEToolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [Apple_KbdMgr] C:\Program Files\Boot Camp\KbdMgr.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\casc.exe"
O4 - HKLM\..\Run: [capfupgrade] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfupgrade.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Don\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dropbox.lnk = C:\Documents and Settings\Don\Application Data\Dropbox\bin\Dropbox.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAAMSvc - CA - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
O23 - Service: CaCCProvSP - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
O23 - Service: CA Common Scheduler Service (ccSchedulerSVC) - Unknown owner - C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: WeFi Engine Service (WefiEngSvc) - WeFi - C:\Program Files\WeFi\WefiEngSvc.exe
O23 - Service: WinSock Extention Manager (WinExtManager) - Unknown owner - C:\WINDOWS\system32\mdmcls32.exe
O23 - Service: WinSock Svchost Manager (WinSvchostManager) - Unknown owner - C:\WINDOWS\system32\svcprs32.exe

--
End of file - 9872 bytes
 
ok. Lets try tdsskiller first and see if it digs up anything:

Please download TDSS Killer.exe and save it to your desktop
Double click to launch the utility. Vista and Windows 7 right click as "run as admin.." After it initializes click the start scan button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."


If an infected file is detected, the default action will be Cure, click on Continue.

If a suspicious file is detected, the default action will be Skip, click on Continue.

It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.

Next you can use combofix. There is a guide to read first. Read through the guide then apply the directions on your own machine.

Guide to using Combofix Post the log in your reply
 
Leftovers of HJT

Thanks.. First want to check. I left HJT running after I sent the log. It's still at post scan "analyze this/fix that" decision point. Should I just close it out and move on? From what you say to do next, I'm thinking so, but I want to check before moving on.

thanks
 
tdsskiller

Ran it. Went very quickly and said non problem...

Here's log:
2011/05/21 17:55:55.0014 4888 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/21 17:55:55.0467 4888 ================================================================================
2011/05/21 17:55:55.0467 4888 SystemInfo:
2011/05/21 17:55:55.0467 4888
2011/05/21 17:55:55.0467 4888 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/21 17:55:55.0467 4888 Product type: Workstation
2011/05/21 17:55:55.0467 4888 ComputerName: FINGERS
2011/05/21 17:55:55.0467 4888 UserName: Don
2011/05/21 17:55:55.0467 4888 Windows directory: C:\WINDOWS
2011/05/21 17:55:55.0467 4888 System windows directory: C:\WINDOWS
2011/05/21 17:55:55.0467 4888 Processor architecture: Intel x86
2011/05/21 17:55:55.0467 4888 Number of processors: 2
2011/05/21 17:55:55.0467 4888 Page size: 0x1000
2011/05/21 17:55:55.0467 4888 Boot type: Normal boot
2011/05/21 17:55:55.0467 4888 ================================================================================
2011/05/21 17:55:55.0608 4888 Initialize success
2011/05/21 17:56:08.0796 5960 ================================================================================
2011/05/21 17:56:08.0796 5960 Scan started
2011/05/21 17:56:08.0796 5960 Mode: Manual;
2011/05/21 17:56:08.0796 5960 ================================================================================
2011/05/21 17:56:10.0827 5960 ================================================================================
2011/05/21 17:56:10.0827 5960 Scan finished
2011/05/21 17:56:10.0827 5960 ================================================================================
 
Combo Fix and CA

Hi,

Downloaded ComboFix and read through the docs. Disabled CA and ran the program. The startup sequenced didn't follow the descriptions exactly. First there was a small dlg with a progress bar for a few seconds, then a large dialog that listed 3 websites that do try to sell ComboFix and to try to get your money back if you bought it.

Then it gives the disclaimer statement and says go ahead if you agree..

I go ahead.

Dialog pops up saying CA is installed and must be UNINSTALLED?

Seems suspicious, but let me know.
 
Combofix v MalwareBytes v MultiByteToWideChar

Overlapped messages, I guess. I'm still wondering about Combofix and CA uninstall. In the meantime, tried to update Malwarebytes from w/in program, got the same error as before. System call buffer too small.

However, I just did some searches in FF via Yahoo and Google and clicked through to destination links with no redirect. Brief test, but it had been pretty consistent.

There was another keyboard grab going on where anytime a fairly long word containing the consecutive letters 'us' would end up with the 'us' being raplaced by ' google'.
Miscellaneous, for instance. And that didn't get hooked, so that's looking good. (It would do the substitution displayed text (no input necessary) as well. Garbled stuff. Not seeing any now.

Let me know if I need to proceed with ComboFix.. and about the request to uninstall CA
thanks
 
Combofix will not run with certain AV installed. One is AVG. The AV sees some of the files as threats. Malwarebytes log looks pretty clean, HJT log looks ok, CA good and tdsskiller log is ok. As far as malware goes everything looks good from what i have seen.

For Malwarebytes I would try removing it via the add/remove programs panel, reboot your computer then run this clean tool for MBAM. Download
MBAM again and reinstall. You will have to allow outbound in your firewall for the .exe(s) to get it updated. I dont know if its firewall related or your CA suite thats causing the updating problem. You could as a experiment disable them before updating MBAM, I woudnt recommend it as a long term solution though.

You can uninstall CA via the add/remove programs panel, reboot and run combofix if you want to. Make sure you have any license key etc that may be needed to reinstall it back on to your machine.
 
MBAM update error continues

I did the uninstall, clean and reinstall for MBAM, and selected update and start from the confirmation dialog after install.
"An error has occurred. Please report this error code to our support team.
PROGRAM_ERROR_UPDATING(122,0,MultiByteToWideChar)
The data area passed to a system call is too small"

as before.

I had had CA disabled for the most recent fix attempts, but enabled it again before trying the reinstall..

I supposed I should report this to the MalwareByte guys, since it asks me to.

Advice?
 
search results still getting hijacked..

Just been testing the browsing behavior that started this whole thing. Still happening. Google searches getting redirected to miscellaneous sites.

I found a post in the google help search web forum about the redirect virus, including the post that led me to you guys initially. Someone in there also posted that they had gone through a series of fixes as well:
"MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".

Have you had success with anyone else getting rid of this?

As of this point I haven't had any keystroke hijacking activity, but I'm getting a bit gun-shy of doing anything. I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it.

Thanks.
 
Thanks for the info. Hold off on the MBAM problem for now, it may be malware related.
MalwareBytes, Adaware, McAfee, and SuperAntiSpyware aren't picking it up either".
Click to expand...
True, you have a rootkit on board. Sometimes they can show in a DDS log which you cant run. Combofix can remove some of them but that wont run with your CA suite installed.
Try running tdskiller once more, also we will get another download to use:

Please download aswMBR.exe to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply. Click the exit button to exit.

I've been doing much of my communication on a different computer and only on the sick machine when trying to fix it.
Click to expand...
Good. Also when not in use make sure it has no connectivity. If your not sure how to stop this then just power it off. Why? rootkit technology can continue to use your connection easily without you noticing it, firewall or no firewall, browser running or not.
 
Rootkit and Bootcamp

One thing I've been worried about is if this thing can jump the bridge, so to speak, and infect the OS X side of my mac. i.e. This is running in my XP side of my iMac. You probably know that already, but it's been worrying me a bit, and now that you say this thing can root around even if the firewall is there I'm concerned it may be evil enough to worm it's way through.

I'm on the mac side of the boot right now, but I'll head over to XP side now to try the new fixes..
 
tdss or mbr first?

I'm in the infected land again.

I downloaded the aswMBR.exe, but haven't run it yet. From your message I wasn't sure whether you were saying to run tdsskiller again first..
 
You must log in or register to reply here.
Back
Top