Hi Spybot,
I have been infected by Windowsxp Restore. It has crippled my machine. Please Help.

.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by John at 13:27:07 on 2011-06-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.214 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MDM.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [kPrmtXlWDpgPMUD] c:\documents and settings\all users\application data\kPrmtXlWDpgPMUD.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com\b.mail
Trusted Zone: google.com\mail
Trusted Zone: google.com\www
Trusted Zone: landrecordsonline.com\sussex
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
TCP: Interfaces\{D85F83D1-9A69-47B5-9808-00BC05D6E4E1} : DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\amsntw2b.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
S0 nhvx;nhvx;c:\windows\system32\drivers\splk.sys --> c:\windows\system32\drivers\splk.sys [?]
S1 SASDIFSV;SASDIFSV;c:\docume~1\john\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\docume~1\john\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\savrtpel.sys [2005-12-19 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-10 366640]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-28 105592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-1-11 16968]
S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;"e:\hitmanpro35.exe" /crusader --> e:\HitmanPro35.exe [?]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\naveng.sys [2011-6-10 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\navex15.sys [2011-6-10 1542392]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
.
=============== Created Last 30 ================
.
2011-06-11 00:05:23 -------- d-----w- c:\documents and settings\john\application data\SUPERAntiSpyware.com
2011-06-10 15:43:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-10 15:42:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
============= FINISH: 13:28:17.81 ===============
Thank you
John Chambers

Hi John,

Please post fresh dds.txt & attach.txt contents.

Hi Balde ,
Thanks for picking this situation up. I see you have been really busy at safer networking. My problem is that now I cannot get on line . I have avery small HP mini that I am using right now. I am running Malwarebytes to see if I can clean my machine up so I can send DDs and attach.txt.
I will let you know if I am successful. It is redirecting to scour.com.
Any thoughts?
Thank you
John

Hi Blade ,
My first partial scan showed rogue.agent.sa in my registry. I tried going online and again was reidirected. I am now being redirected to shopica.com. I am now running fullscan on Malwarebytes.
I am going to remove

Hi Blade,
I ran a full scan on maleware and nothing showed. I updated and ran a scan on Spybot and got an all clear. when I try to bring the search from IE to safer networking I am redirected to scour and other sites. So I am stuck right now.
Thank you
John

Hi,

Could you transfer DDS to affected system from this other system?

Hi Blade,
Thank you I never thought of that.
Please fin both files
Thanks
John

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Hi Blade,
My question is should I run and save combo fix ( can I do that with combo fix) on a thumb drive from my mini hp and transfer it to the infected computer.
Thanks
John

Hi,

Just transfer the ComboFix.exe file to the affected system. Don't run it on the non affected one.

Hi Blade,
I dowloaed combo fix from the mini to thumb drive na dinstalled it but it is hung in the install at about 60% at out put folder c:\32788R22FWJFW
What to do?
Thanks
John

Previous to the install I disabled Malewarebytes Spy bot and Norton
John

Hi Blade,
I am hung up at output folder C:\32788R22FWJFW and it will not complete install
John

Hi Blade,
This virus is defeating me every way I turn. I had to download this from the thumb drive because it is still redirecting me.
Thank you
John

Hi,

Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply.

Hi Blade,
Avast scan
Thank you
John

Hi,

Does redirecting happen with both Internet Explorer and Firefox?

Download GMER (http://www.gmer.net) here by clicking download exe -button and then saving it your desktop:
Double-click .exe that you downloaded
Click rootkit-tab, uncheck files option and then click scan.
Don't check
Show All
box while scanning in progress!
When scanning is ready, click Copy.
This copies log to clipboard
Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

Hi Blade,
It is redirecting in IE and Firefox has been hidden with icons and removed from programs. So I can't access.
GMER attached zipped.
Thank you
John

Hi,

Please run this (http://download.bleepingcomputer.com/grinler/unhide.exe) tool. See if that helps with hidden items issue.



Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:


:filefind
VolSnap.sys


Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Hi Blade,
I ran unhide and it restored the missing files- icons with IE icons. The system look .exe will not run. Error says "this application has failed to start because the application configuration is incorrect"
Thank
John

Hi,

Did you try to run SystemLook in both normal and safe mode? If not please try it in the one you didn't try yet.

Hi Blade,
I did run systemlook in different modes including different users. Nothing came of it but the same warning as before.
Thank you
John

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
PEV -filelook %windir%\VolSnap.sys >LogIt.txt
START LogIt.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.

Hi Blade,
I just got off the road and I am leaving my office to head home, the infected computer is my home desktop and as soon as I get there I will run that.
Thanks
John

Ok, thanks for the heads up :)

Hi Blade,
This was tricky moving from one machine to the other . At first it would not take then it changed the name from fix.bat to logit.txt. I think it is what you want.
Thank you
John

Hi,

Following instructions assume you have recovery console installed (there should be microsoft recovery console option selectable when you boot the system). Please print/save these so you have access to them while system is not online.


1. Restart your computer
2. Before Windows loads, you will be prompted to choose which Operating System to start
3. Use the up and down arrow key to select Microsoft Windows Recovery Console
4. You must enter which Windows installation to log onto. Type 1 and press enter.
5. At the C:\Windows prompt, type the following bolded text, and press Enter:

copy C:\WINDOWS\system32\drivers\volsnap.sys C:\WINDOWS\system32\drivers\volsnap_old.sys

You should see "1 file(s) copied." message as an output. Let me know if something else happened.

6. At the next prompt, type the following bolded text, and press Enter (allow overwriting when prompted):

copy C:\WINDOWS\system32\dllcache\volsnap.sys C:\WINDOWS\system32\drivers\volsnap.sys

Again, the same thing should happen as after the previous step.

7. If no issues with that then at the next prompt, type the following bolded text, and press Enter:

exit

Windows will now begin loading. Please run GMER again and post back its report.

Hi Blade,
I am there and I typed as directed, there is a space between copy C:WINDOWS or is copy not typed please advise also is there a space between commands
I am sorry this is new to me
Thank you
John

Hi,

Bolded commands should be typed as written there. Copy word is part of the command there.

Hi Blade,
I have finished commands and nothing except as you mentioned . I am at gmer any special setting to run
Thank
John

Hi,

The same steps like on earlier GMER run (http://forums.spybot.info/showpost.php?p=407900&postcount=17).

I see why not to run files. I am still waiting for it to scan.
John

Hi Blade,
Please find gemer post
Thanks
John

Please post fresh dds.txt log.

Hi Blade,
Please find dds 6-25 and zip attach.
Thanks
John

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DIR /s/a %windir%\volsnap_old.sys >LogIt.txt
START LogIt.txt
DEL %0

Double-click on fixes.bat file to execute it. Notepad should open up. Post back its contents, please.

Hi Blade,
I could not do this last night, had a family function.
I am sending from the infected computer as it is not redirecting. It seems a lot better.
Thank you
John

I could not do this last night, had a family function.
No problem. It's a weekend anyway :)

Please see if you're able to make ComboFix run (let it update itself if prompted). Post back the report.

Hi Blade,
Please find combo fix log as requested.
I noticed that my entertainment ,system files and communication files on the start up menu are gone. Can I get that back?
The icon for Widows xp restore is still on my machine. Should I send to trash? Things are running much better.
Thank you
John

Hi,

You may try this (http://download.bleepingcomputer.com/grinler/unhide.exe) tool to get missing start menu items back. If it doesn't restore them then only option (if reformat is not included) is to manually add missing items to start menu. Instructions here (http://support.microsoft.com/kb/152122).


The icon for Widows xp restore is still on my machine. Should I send to trash?
Yes and empty the trash can after that.

Hi Blade,
The tool provided did not restore sytem tools.
That link for manually restoring the system tools, entertainment, games, communication is not for my machine (as per Windows).
Any other way to do this manually or with a program?
Am I completed in the repair of this windows xp restore?
Thank you for all your help in this process.
Can I improve the security on my machine- any advise?
I will make a donation to Safer Networking.
I can't Thank you enough.
John

Hi,


The tool provided did not restore sytem tools.
That link for manually restoring the system tools, entertainment, games, communication is not for my machine (as per Windows).
Any other way to do this manually or with a program?
Unfortunately, there's no other way to do it manually. All those system tools etc should physically exist there. Just shortcut links in start menu have to be rebuilt. If you have another system with XP on it you could use it as an example and then add new menu items by following that instructions I linked in my previous post.



Some steps to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:

Click START then RUN
Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run Secunia Personal Software Inspector (PSI) (http://secunia.com/vulnerability_scanning/personal/) and fix its findings. Leave the program installed so you'll stay alarmed about vulnerable components in future too.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:

HI Blade,
Thanks again for all your help. A donation is on the way.
So far I have been cleaning the machine from all you mention combo-fix and all the logs txt. and attach and scans that you used.
I used cc cleaner to get rid of a lot of junk that was installed- cookies that would not go away.
I have downloaded seconia and it seems my biggest problem is outdated MS office suite. I am going to change to MS 10.
My computer is very slow when starting and for my security to load takes forever.
I am going to reload spy bot as I had to remove when we were scanning.
All the best
John

Hi,

To find some hints about improving performance please read this article (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Hi Blade,
I am sorry to be a PIA but I belive my machine is still infected. It is slowing down to a crawl and symantics is running in the background as an auto scan and it showed from a scan that bloodhound was in the machine and that it partially fixed it. Backdoor.tideserv.int and rootpatch kit show up in malwarebytes. It seems to show that area where you were working C:\systemvolume. and I missed the rest of the file
Thanks
John

Hi,


It seems to show that area where you were working C:\systemvolume. and I missed the rest of the file
Did you reset the system restore as instructed? If bad items are still found after that post fresh dds logs.

Hi Blade ,
Please check I apologize to keep bothering you. I did turn off system restore and then turn on again as you told me to do.
Thank you
John

Hi Blade,
This is from earlier in the day. I thought it might help
John

Hi,

That MBAM finding is a backup of the file I made you to do earlier. Please delete c:\WINDOWS\system32\drivers\volsnap_old.sys.

Are there any other issues remaining? I'd try some lighter antivirus solution than Symantec AntiVirus or alternatively add some more RAM.

Hi Blade,
How do I delete this file that you mentioned.
Thnaks
John

Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@ECHO OFF
DEL /Q c:\WINDOWS\system32\drivers\volsnap_old.sys
DEL %0

Double-click on fixes.bat file to execute it. That should take care of the file :)

Hi Blade ,
I deleted the file as per your instruction. Symatic will not run or update. Does the machine appear to be clean at this point ?
john

Logs look good. In case you may want to try other antivirus solution instead of Symantec Antivirus I included a few options below.

Good free antivirus programs are:
Antivir (http://free-av.com/en/download/1/download_avira_antivir_personal__free_antivirus.html) and
Avast! (http://www.avast.com/eng/download-avast-home.html)

Good commercial ones are from:
Kaspersky (http://www.kaspersky.com/homeuser) and
ESET (http://www.eset.com/products/index.php)

Hi,

Were you able to get antivirus protection running?

Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread.

If it has been less than three days since your last response and you need the thread re-opened, please send me or other MOD a private message (pm). A valid, working link to the closed topic is required.