Internet browser redirects search results to bogus sites


17 replies to this topic

#1 bushbaby13

  • Members
  • 20 posts

Posted 01 May 2010 - 11:10 AM

After years of more or less unprotected browsing, I got nailed finally. I am not even sure what I clicked but all of a sudden I got a ton of bogus balloon warnings of viruses on my PC (XP Home sp2 – Firefox 3.6). Every exe I pressed was prevented from running and it took a lot of research and downloading to finally get Malwarebytes Antimalware (MBAM) on the PC. It quarantined the following: WORM: prolaco.m; TROJANS: vundo, packer, inject, fraudpack, dropper, downloader, dnschanger, BHO; ROOTKIT: TDSS; ROGUES: Paladin Antivirus, antimalware doctor; malware suite; etc; MALWARE: trace, packer; HIJACK: start menu; task manager. I thought I was out of the woods. The next day I was using Firefox and I got search results which were redirected to other (harmless) ad search sites. The browser behaves otherwise normally and I can’t see any other issues, only that Firefox and IE search results are usually (not always) redirected to some other sites. I am not sure if this is a residual issue from my first awful infection, or if I have picked up something new entirely, but I sure would like to have my laptop back again!


DDS (Ver_10-03-17.01) - NTFSx86
Run by 1 at 10:38:46.76 on Sat 05/01/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.440 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Vidalia Bundle\Vidalia\vidalia.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\1\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Vidalia Bundle\Tor\tor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cobian Backup 10\Cobian.exe
C:\Program Files\Cobian Backup 10\cbInterface.exe
C:\Documents and Settings\1\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [Vidalia] "c:\program files\vidalia bundle\vidalia\vidalia.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SansaDispatch] c:\documents and settings\1\application data\sandisk\sansa updater\SansaDispatch.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [EM_EXEC] c:\progra~1\logitech\mousew~1\system\EM_EXEC.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [WD Drive Manager] c:\program files\western digital\wd drive manager\WDBtnMgrUI.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35[2].exe" /scan:boot
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanu


#2 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 01 May 2010 - 11:32 AM

Man, I just want to say how sorry I am about all the exact same posts! Every time I sent the post to be uploaded I got an error message and thought it was just another problem with the PC. I really don't know what was going on and I can't figure out a way to remove the duplicate posts. Sorry. Hopefully I will get a response on this thread.


EDIT: I will remove the duplicate topics, please be patient until a Team member replies to this topic (may take a few days) ~ Elise

Edited by elise025, 01 May 2010 - 12:56 PM.


#3 shelf life

  • Malware Response Team
  • 2,651 posts

Posted 03 May 2010 - 05:52 PM

hi,

Your log is a few days old. If you still need help reply to my post and let me know if anything has changed.

How Can I Reduce My Risk to Malware?


#4 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 03 May 2010 - 05:59 PM

Nothing has changed. Still the same problem, and I was just getting ready to reformat.

#5 shelf life

  • Malware Response Team
  • 2,651 posts

Posted 03 May 2010 - 08:08 PM

QUOTE
this is a residual issue
It is.

OK. We will get a download to use. It's called Combofix. There is a short guide to read first. Read through the guide and follow the directions.
Post the combofix log in your reply.

Guide to using Combofix



#6 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 03 May 2010 - 10:34 PM

I received this during installation: ComboFix has detected the presence of rootkit activity and needs to reboot the machine

All loaded and ran normally. I have attached the report. I should note that while trying to access the bleepingcomputer website on the notebook it appears that IE opened itself up and is telling me "Congratulations Doubleclick.net visitor! You are the winner for May 3rd, 2010! Please select a prize and enter your email on the next page to claim." I guess this plague is alive and well for the moment.

ComboFix 10-05-03.03 - 1 05/04/2010 8:00.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.751 [GMT -7:00]
Running from: c:\documents and settings\1\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\1\Application Data\CCommander
c:\documents and settings\1\Application Data\CCommander\ccagent.exe
c:\program files\WindowsUpdate
c:\program files\WindowsUpdate\V4\iuhist.xml

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-04 to 2010-05-04 )))))))))))))))))))))))))))))))
.

2010-05-04 11:12 . 2010-05-04 11:12 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ServiceTest
2010-05-04 11:12 . 2010-05-04 11:12 -------- d-----w- c:\program files\Common Files\eSellerate
2010-05-04 11:12 . 2010-05-04 11:12 -------- d-----w- c:\program files\WD
2010-05-02 16:48 . 2010-05-02 16:48 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-05-01 17:34 . 2010-05-01 17:37 -------- d-----w- C:\Cobian Backup
2010-05-01 17:12 . 2010-05-01 17:12 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\Safe mirror
2010-05-01 17:11 . 2010-05-01 17:11 -------- d-----w- c:\program files\Cobian Backup 10
2010-05-01 04:25 . 2010-05-01 04:25 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-01 03:57 . 2010-05-02 16:28 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-01 03:57 . 2010-05-01 04:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-01 03:57 . 2010-05-01 03:57 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-30 21:09 . 2010-04-30 21:09 -------- d-s---w- c:\documents and settings\LocalService\UserData
2010-04-30 19:14 . 2010-04-30 19:14 6153352 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-29 16:42 . 2010-04-29 16:42 -------- d-----w- c:\program files\TeaTimer (Spybot - Search & Destroy)
2010-04-29 16:42 . 2010-04-29 16:42 -------- d-----w- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2010-04-29 16:42 . 2010-04-29 16:42 -------- d-----w- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2010-04-29 16:42 . 2010-04-29 16:42 -------- d-----w- c:\program files\SDHelper (Spybot - Search & Destroy)
2010-04-29 14:27 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:27 . 2010-04-30 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-29 14:27 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 04:52 . 2010-04-29 04:52 -------- d-----w- c:\documents and settings\1\Application Data\Malwarebytes
2010-04-28 18:26 . 2010-04-29 07:57 -------- d-----w- c:\program files\old_malbyte_software
2010-04-28 18:26 . 2010-04-28 18:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-28 17:20 . 2010-04-29 15:31 -------- d-----w- c:\documents and settings\1\Local Settings\Application Data\btusafaij

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-04 11:12 . 2009-05-20 05:26 -------- d-----w- c:\program files\Western Digital
2010-05-04 11:07 . 2009-08-29 07:22 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-04 10:58 . 2007-10-19 04:12 -------- d-----w- c:\documents and settings\1\Application Data\tor
2010-05-04 10:58 . 2007-10-19 04:12 -------- d-----w- c:\documents and settings\1\Application Data\Vidalia
2010-05-03 15:49 . 2008-12-03 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-01 04:49 . 2009-11-22 17:48 -------- d-----r- c:\program files\Skype
2010-04-30 18:52 . 2010-01-02 07:31 -------- d-----w- c:\documents and settings\1\Application Data\vlc
2010-04-28 18:44 . 2007-06-06 16:11 -------- d-----w- c:\program files\Google
2010-04-28 17:20 . 2004-09-27 13:59 31776 ----a-w- c:\documents and settings\1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-22 16:40 . 2006-09-10 02:58 -------- d-----w- c:\documents and settings\1\Application Data\dvdcss
2010-04-19 04:26 . 2009-10-11 16:42 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-04-19 04:26 . 2009-10-11 16:40 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-04-10 04:45 . 2007-09-06 03:33 -------- d-----w- c:\program files\WBid
2010-03-27 06:50 . 2009-11-23 17:58 79488 ----a-w- c:\documents and settings\1\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2004-01-05 23:55 . 2004-01-14 17:45 40960 ----a-w- c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Vidalia"="c:\program files\Vidalia Bundle\Vidalia\vidalia.exe" [2007-08-26 11852288]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-03 39408]
"SansaDispatch"="c:\documents and settings\1\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe" [2009-05-24 79872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-04-24 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-04-24 610304]
"EM_EXEC"="c:\progra~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2001-12-20 35328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-24 282624]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-09-25 229952]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"WD Drive Manager"="c:\program files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe" [2008-07-24 450560]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"WD Anywhere Backup"="c:\program files\WD\WD Anywhere Backup\MemeoLauncher2.exe" [2008-11-07 197856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Logitech Desktop Messenger.lnk - c:\program files\Desktop Messenger\8876480\Program\LDMConf.exe [2004-10-18 156160]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Logitech\\Logitech Vid\\Vid.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access 0
"1701:TCP"= 1701:TCP:MioNet Remote Drive Access 1
"1702:TCP"= 1702:TCP:MioNet Remote Drive Access 2
"1703:TCP"= 1703:TCP:MioNet Remote Drive Access 3
"1704:TCP"= 1704:TCP:MioNet Remote Drive Access 4
"1705:TCP"= 1705:TCP:MioNet Remote Drive Access 5
"1706:TCP"= 1706:TCP:MioNet Remote Drive Access 6
"1707:TCP"= 1707:TCP:MioNet Remote Drive Access 7
"1708:TCP"= 1708:TCP:MioNet Remote Drive Access 8
"1709:TCP"= 1709:TCP:MioNet Remote Drive Access 9
"1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
"1647:TCP"= 1647:TCP:MioNet Storage Device Configuration
"5432:UDP"= 5432:UDP:MioNet Storage Device Discovery

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys [6/3/2004 5:20 PM 20992]
R2 Dev_UNIDRV;Dev_UNIDRV;c:\windows\system32\drivers\UNIDRV.SYS [6/3/2004 5:20 PM 6080]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\WD\WD Anywhere Backup\MemeoBackgroundService.exe [11/7/2008 12:20 PM 25824]
R2 WDBtnMgrSvc.exe;WD Drive Manager Service;c:\program files\Western Digital\WD Drive Manager\WDBtnMgrSvc.exe [7/24/2008 3:22 PM 102400]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/8/2010 2:09 PM 135664]
S3 HwIOctl;HwIOctl;\??\c:\averatec\BIOS\HwIOctl.sys --> c:\averatec\BIOS\HwIOctl.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
Contents of the 'Scheduled Tasks' folder

2010-05-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-06-06 17:55]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 21:09]

2010-05-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-08 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://yahoo.sbc.com/dsl
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
Trusted Zone: click2cbt.com\www
Trusted Zone: click4cbt.com\www
Trusted Zone: cpat.com\www
Trusted Zone: cpatswcbt.com\www
Trusted Zone: skywestonline.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\1\Application Data\Mozilla\Firefox\Profiles\gpr7i79l.default\
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-04 08:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SansaDispatch = c:\documents and settings\1\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe?????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ADDEE4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7653fc3
\Driver\ACPI -> ACPI.sys @ 0xf75c6cb8
\Driver\atapi -> atapi.sys @ 0xf75607b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876
ParseProcedure -> ntoskrnl.exe @ 0x8057016c
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876
ParseProcedure -> ntoskrnl.exe @ 0x8057016c
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-752251346-3451540006-1751115645-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2010-05-04 08:17:28
ComboFix-quarantined-files.txt 2010-05-04 15:17
ComboFix2.txt 2010-04-30 17:36

Pre-Run: 1,863,712,768 bytes free
Post-Run: 1,863,749,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 5C06449F1606A120F89569D519626A6F



#7 shelf life

  • Malware Response Team
  • 2,651 posts

Posted 04 May 2010 - 08:35 PM

OK, we will get another download to use. Link and directions:

Please download TDSS Killer.zip and save it to your desktop
Extract the zip file to your desktop. Double-click to launch the utility. Follow the prompts.
If prompted please reboot your computer.

Please post the report.txt that can be found in your root drive Local Disk C:

labeled:
TDSSKiller version_date_time_log.txt



#8 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 04 May 2010 - 10:42 PM

I ran and rebooted per TDSS_Killer program. It indicated that the TDSS rootkit was removed from my atapi file in the system32 directory. Here is the log file. The problem seems to be alive and well at the moment.


20:31:53:553 3244 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
20:31:53:553 3244 ================================================================================
20:31:53:553 3244 SystemInfo:

20:31:53:553 3244 OS Version: 5.1.2600 ServicePack: 2.0
20:31:53:553 3244 Product type: Workstation
20:31:53:553 3244 ComputerName: AVERATEC
20:31:53:553 3244 UserName: 1
20:31:53:553 3244 Windows directory: C:\WINDOWS
20:31:53:553 3244 Processor architecture: Intel x86
20:31:53:553 3244 Number of processors: 1
20:31:53:553 3244 Page size: 0x1000
20:31:53:553 3244 Boot type: Normal boot
20:31:53:553 3244 ================================================================================
20:31:53:563 3244 UnloadDriverW: NtUnloadDriver error 2
20:31:53:563 3244 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
20:31:53:583 3244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
20:31:53:583 3244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:31:53:583 3244 wfopen_ex: Trying to KLMD file open
20:31:53:583 3244 wfopen_ex: File opened ok (Flags 2)
20:31:53:583 3244 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
20:31:53:583 3244 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
20:31:53:583 3244 wfopen_ex: Trying to KLMD file open
20:31:53:583 3244 wfopen_ex: File opened ok (Flags 2)
20:31:53:583 3244 Initialize success
20:31:53:583 3244
20:31:53:583 3244 Scanning Services ...
20:31:54:374 3244 Raw services enum returned 347 services
20:31:54:384 3244
20:31:54:384 3244 Scanning Kernel memory ...
20:31:54:384 3244 Devices to scan: 2
20:31:54:384 3244
20:31:54:384 3244 Driver Name: Disk
20:31:54:384 3244 IRP_MJ_CREATE : F7655C30
20:31:54:384 3244 IRP_MJ_CREATE_NAMED_PIPE : 805031BE
20:31:54:384 3244 IRP_MJ_CLOSE : F7655C30
20:31:54:384 3244 IRP_MJ_READ : F764FD9B
20:31:54:384 3244 IRP_MJ_WRITE : F764FD9B
20:31:54:384 3244 IRP_MJ_QUERY_INFORMATION : 805031BE
20:31:54:384 3244 IRP_MJ_SET_INFORMATION : 805031BE
20:31:54:384 3244 IRP_MJ_QUERY_EA : 805031BE
20:31:54:384 3244 IRP_MJ_SET_EA : 805031BE
20:31:54:384 3244 IRP_MJ_FLUSH_BUFFERS : F7650366
20:31:54:384 3244 IRP_MJ_QUERY_VOLUME_INFORMATION : 805031BE
20:31:54:384 3244 IRP_MJ_SET_VOLUME_INFORMATION : 805031BE
20:31:54:384 3244 IRP_MJ_DIRECTORY_CONTROL : 805031BE
20:31:54:384 3244 IRP_MJ_FILE_SYSTEM_CONTROL : 805031BE
20:31:54:384 3244 IRP_MJ_DEVICE_CONTROL : F765044D
20:31:54:384 3244 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7653FC3
20:31:54:384 3244 IRP_MJ_SHUTDOWN : F7650366
20:31:54:384 3244 IRP_MJ_LOCK_CONTROL : 805031BE
20:31:54:384 3244 IRP_MJ_CLEANUP : 805031BE
20:31:54:384 3244 IRP_MJ_CREATE_MAILSLOT : 805031BE
20:31:54:384 3244 IRP_MJ_QUERY_SECURITY : 805031BE
20:31:54:384 3244 IRP_MJ_SET_SECURITY : 805031BE
20:31:54:384 3244 IRP_MJ_POWER : F7651EF3
20:31:54:384 3244 IRP_MJ_SYSTEM_CONTROL : F7656A24
20:31:54:384 3244 IRP_MJ_DEVICE_CHANGE : 805031BE
20:31:54:384 3244 IRP_MJ_QUERY_QUOTA : 805031BE
20:31:54:384 3244 IRP_MJ_SET_QUOTA : 805031BE
20:31:54:414 3244 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
20:31:54:414 3244
20:31:54:414 3244 Driver Name: atapi
20:31:54:414 3244 IRP_MJ_CREATE : 86ADDEE4
20:31:54:414 3244 IRP_MJ_CREATE_NAMED_PIPE : 86ADDEE4
20:31:54:414 3244 IRP_MJ_CLOSE : 86ADDEE4
20:31:54:414 3244 IRP_MJ_READ : 86ADDEE4
20:31:54:414 3244 IRP_MJ_WRITE : 86ADDEE4
20:31:54:414 3244 IRP_MJ_QUERY_INFORMATION : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SET_INFORMATION : 86ADDEE4
20:31:54:414 3244 IRP_MJ_QUERY_EA : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SET_EA : 86ADDEE4
20:31:54:414 3244 IRP_MJ_FLUSH_BUFFERS : 86ADDEE4
20:31:54:414 3244 IRP_MJ_QUERY_VOLUME_INFORMATION : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SET_VOLUME_INFORMATION : 86ADDEE4
20:31:54:414 3244 IRP_MJ_DIRECTORY_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_FILE_SYSTEM_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_DEVICE_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_INTERNAL_DEVICE_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SHUTDOWN : 86ADDEE4
20:31:54:414 3244 IRP_MJ_LOCK_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_CLEANUP : 86ADDEE4
20:31:54:414 3244 IRP_MJ_CREATE_MAILSLOT : 86ADDEE4
20:31:54:414 3244 IRP_MJ_QUERY_SECURITY : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SET_SECURITY : 86ADDEE4
20:31:54:414 3244 IRP_MJ_POWER : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SYSTEM_CONTROL : 86ADDEE4
20:31:54:414 3244 IRP_MJ_DEVICE_CHANGE : 86ADDEE4
20:31:54:414 3244 IRP_MJ_QUERY_QUOTA : 86ADDEE4
20:31:54:414 3244 IRP_MJ_SET_QUOTA : 86ADDEE4
20:31:54:414 3244 Driver "atapi" infected by TDSS rootkit!
20:31:54:494 3244 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
20:31:54:494 3244 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
20:31:54:494 3244 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
20:31:54:494 3244 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
20:31:56:097 3244 vfvi6
20:31:56:557 3244 !dsvbh1
20:32:00:353 3244 dsvbh2
20:32:00:363 3244 fdfb2
20:32:00:363 3244 Backup copy found, using it..
20:32:00:373 3244 will be cured on next reboot
20:32:00:373 3244 Reboot required for cure complete..
20:32:00:373 3244 Cure on reboot scheduled successfully
20:32:00:373 3244
20:32:00:373 3244 Completed
20:32:00:373 3244
20:32:00:373 3244 Results:
20:32:00:373 3244 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
20:32:00:373 3244 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:32:00:373 3244 File objects infected / cured / cured on reboot: 1 / 0 / 1
20:32:00:383 3244
20:32:00:383 3244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
20:32:00:383 3244 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
20:32:00:383 3244 UnloadDriverW: NtUnloadDriver error 1
20:32:00:383 3244 KLMD(ARK) unloaded successfully

Edited by bushbaby13, 04 May 2010 - 10:44 PM.


#9 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 06 May 2010 - 06:13 PM

QUOTE
The problem seems to be alive and well at the moment.


You are still getting the redirects? Rootkits can be difficult to remove. They are getting nastier and nastier.

Is this a file related to your computer:
c:\averatec\BIOS\HwIOctl.sys



How Can I Reduce My Risk to Malware?


#10 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 06 May 2010 - 08:02 PM

Well, the redirects did happen at first, but now, after a day and a reboot, no redirects. That file in your post is not on my drive. I guess I am saved. Thank you for your help. I am in the process of creating a dual boot to run Ubuntu for most of the time when I don't need a Windows application. Thank you for your help.

#11 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 07 May 2010 - 08:55 PM

OK, you're welcome. You will find lots of software to use in Linux, and your chances of getting malware will drop off big time; malware is written for the Windows platform. This might help also. I would also visit the Ubuntu forum for installation info.

http://linuxappfinder.com/alternatives

Back to Windows:

There is a tool you can download to remove Combofix:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


You can delete the TDSSKiller icon from your desktop.
You can make a new restore point; the how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

If all is good, some tips for you:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the auto-update feature. Staying updated is also necessary for web based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their version status here.

2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, where you are then prompted to install software to remedy this. See also the signs that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*. There is no reason why you cannot stay malware free.

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem.

5) Do not click on ads/pop-ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Set up and use limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts can help prevent *malware from installing and lessen its potential impact.* This is exactly what User Account Control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall. A firewall is not a solution for attempting to control or catch malware sneaking out.

9) A tool for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs.

10) Warez, cracks etc are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Do you really trust the source of the file? Do you really need another malware source?



#12 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 07 May 2010 - 10:06 PM

I went and double checked the PC and I am still having redirects. Bummer. I have not removed anything per your new instructions yet. I suppose there is more. I may run Combofix again because my patience is running out with this. Next step is just a GD reinstall because I have to partition for Ubuntu anyway and this is only a 40 GB drive. Any suggestions?

Edited by bushbaby13, 07 May 2010 - 10:26 PM.


#13 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 07 May 2010 - 11:26 PM

I ran TDSSKiller.exe again and it supposedly eliminated a rootkit. It says:

Memory objects infected / cured / cured on reboot: 1/0/0
Registry objects infected / cured / cured on reboot: 0/0/0
File objects infected / cured / cured on reboot: 1/0/1

I reboot and get the same results. The first line indicates that I have a memory object infected and it is not cured on reboot. Ideas?
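The counts quoted here are the tail of a TDSSKiller log like the one in post #8. As an added example (not from this thread or from the TDSSKiller tool), a small Python checker that pulls the flagged driver name and the Results counts out of such a log, accepting both the tool's `1 / 0 / 0` spacing and the `1/0/1` form re-typed above, and reports which detections were never cured or still show up after the reboot; the sample log is constructed from the lines quoted in this thread.

```python
import re

# Constructed sample: lines TDSSKiller printed in this thread (post #8), with the
# File line re-typed the way post #13 quotes it; embedded so the script runs offline.
SAMPLE_LOG = """\
20:31:54:414 3244 Driver "atapi" infected by TDSS rootkit!
20:32:00:373 3244 will be cured on next reboot
20:32:00:373 3244 Results:
20:32:00:373 3244 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
20:32:00:373 3244 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
20:32:00:373 3244 File objects infected / cured / cured on reboot: 1/0/1
"""

# Accepts both "1 / 0 / 0" (tool output) and "1/0/1" (as re-typed in the thread).
RESULT_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot:"
    r"\s*(?P<infected>\d+)\s*/\s*(?P<cured>\d+)\s*/\s*(?P<reboot>\d+)"
)
DRIVER_RE = re.compile(r'Driver "(?P<name>[^"]+)" infected by TDSS rootkit')


def parse_results(log_text):
    """Map object kind -> (infected, cured, cured_on_reboot) from the Results block."""
    results = {}
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if m:
            results[m["kind"]] = (int(m["infected"]), int(m["cured"]),
                                  int(m["reboot"]))
    return results


def infected_drivers(log_text):
    """Driver names the scan flagged as hooked by the rootkit."""
    return [m["name"] for m in DRIVER_RE.finditer(log_text)]


def uncured(results):
    """Kinds with detections that were neither cured nor scheduled for cure on reboot."""
    return sorted(k for k, (inf, cur, reb) in results.items() if inf > cur + reb)


def persistent_after_reboot(before, after):
    """Kinds still reporting detections in a scan run after the reboot that was
    supposed to apply the cure, i.e. the scheduled cure did not take."""
    return sorted(k for k, (inf, _, _) in after.items()
                  if inf > 0 and before.get(k, (0, 0, 0))[0] > 0)
```

Feed `parse_results` the log from the run before the reboot and the log from the run after it; a clean post-reboot run reports 0 infected and `persistent_after_reboot` returns an empty list.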

#14 shelf life

  • Malware Response Team
  • 2,651 posts
  • Gender:Male
  • Location:@localhost

Posted 08 May 2010 - 06:45 AM

We can try to find and remove the rootkit process, which means starting over with some logs to find the infected driver. Or, since you plan on installing Linux, you could just pull off content you created that you want to keep and format the entire drive, then reinstall. I would split the drive with 20GB for each OS, or 25 Windows / 15 Linux if you plan to install a lot of Windows software.
You might check out Linux Mint, which is based on Ubuntu. You can use a 'live CD' to run any Linux distro just to try it out, before installing it to the HD. It may seem to be 'slow and lagging', but it's because it's accessing everything off the CD. Once installed to the HD it will be much better.





#15 bushbaby13

  • Topic Starter
  • Members
  • 20 posts

Posted 08 May 2010 - 01:14 PM

Yeah, I think I will just reformat and move on. I appreciate all your help thus far. The laptop is a little bloated with Windows programs that I don't even use much, so my plan was to go with Ubuntu for Internet browsing, email (POP), and some basic word processing/spreadsheets/image adjusting/file viewing (mostly PDF)/movies (rented DVDs). I'd reload XP for those programs that need Windows, but hopefully migrate away from Windows. My only experience with Linux is loading Mythbuntu/Ubuntu on a PVR/DVR. This was NOT an easy process, but the Ubuntu platform seems about as user friendly as anything else. I have reservations about my command line prowess. Is Mint a good distro to use space-wise? Does it use GNOME? The other thing is that I have used Windows since 3.0. XP is really the best, most stable version (I have no experience with Vista or 7.0) and I am reluctant to migrate away. Nonetheless, the malware issues with the Internet give me great pause with Windows now. [edit: disregard my question about Mint vs. Ubuntu, there is plenty online for me to discover this myself. It looks like Mint is pretty much Ubuntu but with a lot of the non-open source stuff preloaded for user ease - Flash/Java/DVD codecs etc.]

On my non-infected desktop I have partitioned my HD into a C drive for the OS (60 GB) and D drive for the data and other programs (440 GB) to allow for a reinstall of the OS if there is a major problem. Perhaps with the laptop I should do this as well? The other thing I am not certain about is common OS-accessed files. I believe it is possible, but not sure: can a spreadsheet be accessed in XP and Linux from their respective OS installed drives? E.g., a MS Excel (xls) spreadsheet accessed from the XP partition by Ubuntu, or an OGG Vorbis (ogg) music file on the Ubuntu drive accessed by XP? Do the files have to reside on a third formatted partition?

Anyway, I'll stumble my way through this. Thanks again for all your useful help.

Edited by bushbaby13, 08 May 2010 - 01:37 PM.


