
Thread: Attack of windows xp restore- DDS.txt

  1. #1 Member (Join Date: Aug 2007; Posts: 57)

    Attack of windows xp restore- DDS.txt

    Hi Spybot,
    I have been infected by Windowsxp Restore. It has crippled my machine. Please Help.

    .
    DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
    Internet Explorer: 8.0.6001.18702
    Run by John at 13:27:07 on 2011-06-13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.214 [GMT -4:00]
    .
    AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost.exe -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\MDM.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = <local>
    BHO: AutorunsDisabled - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [kPrmtXlWDpgPMUD] c:\documents and settings\all users\application data\kPrmtXlWDpgPMUD.exe
    mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
    mRun: [igfxpers] c:\windows\system32\igfxpers.exe
    mRun: [igfxtray] c:\windows\system32\igfxtray.exe
    mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
    mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    Trusted Zone: google.com\b.mail
    Trusted Zone: google.com\mail
    Trusted Zone: google.com\www
    Trusted Zone: landrecordsonline.com\sussex
    DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
    TCP: Interfaces\{D85F83D1-9A69-47B5-9808-00BC05D6E4E1} : DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
    Notify: igfxcui - igfxdev.dll
    Notify: NavLogon - c:\windows\system32\NavLogon.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\amsntw2b.default\
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    .
    ============= SERVICES / DRIVERS ===============
    .
    S0 nhvx;nhvx;c:\windows\system32\drivers\splk.sys --> c:\windows\system32\drivers\splk.sys [?]
    S1 SASDIFSV;SASDIFSV;c:\docume~1\john\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\docume~1\john\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
    S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
    S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\savrtpel.sys [2005-12-19 54968]
    S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
    S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
    S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-10 366640]
    S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-28 105592]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
    S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-1-11 16968]
    S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;"e:\hitmanpro35.exe" /crusader --> e:\HitmanPro35.exe [?]
    S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
    S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\naveng.sys [2011-6-10 86008]
    S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\navex15.sys [2011-6-10 1542392]
    S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
    .
    =============== Created Last 30 ================
    .
    2011-06-11 00:05:23 -------- d-----w- c:\documents and settings\john\application data\SUPERAntiSpyware.com
    2011-06-10 15:43:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-10 15:42:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    .
    ==================== Find3M ====================
    .
    1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
    1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
    1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
    1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
    1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
    1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
    .
    ============= FINISH: 13:28:17.81 ===============
    Thank you
    John Chambers
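As an added triage aid that is not part of this thread: a small Python script that scans DDS-style lines of the kind posted above and flags the entries an analyst would look at first. The sample lines are copied from the log, the heuristics (random-looking autorun names, autoruns launched from user-writable data folders, drivers whose file cannot be found, hosts entries pinned to loopback) are my assumptions, and a flag is a prompt for review, not a verdict.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of the DDS "Pseudo HJT" and service sections;
# the entries are copied from the posted log, this is not a complete log.
SAMPLE_DDS = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [kPrmtXlWDpgPMUD] c:\\documents and settings\\all users\\application data\\kPrmtXlWDpgPMUD.exe
mRun: [vptray] c:\\progra~1\\symant~1\\VPTray.exe
Hosts: 127.0.0.1 www.spywareinfo.com
S0 nhvx;nhvx;c:\\windows\\system32\\drivers\\splk.sys --> c:\\windows\\system32\\drivers\\splk.sys [?]
S2 MBAMService;MBAMService;c:\\program files\\malwarebytes' anti-malware\\mbamservice.exe [2011-6-10 366640]
"""

RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]+)\]\s+"?(?P<path>[^"]+?\.exe)', re.I)
SVC_RE = re.compile(r'^S[0-4]\s+(?P<svc>[^;]+);[^;]*;.*\[\?\]\s*$')
HOSTS_RE = re.compile(r'^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)')
# Folders a non-admin process can write to; autoruns there deserve a second look.
USER_WRITABLE = ('\\application data\\', '\\local settings\\temp\\', '\\temp\\')


def looks_random(name: str) -> bool:
    """Heuristic (assumption): long, alphanumeric, many case flips, almost no vowels."""
    if len(name) < 10 or not name.isalnum():
        return False
    flips = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in name.lower() if c in 'aeiou')
    return flips >= 4 and vowels / len(name) < 0.25


def flag_line(line: str) -> list:
    """Return the reasons one DDS line should be reviewed (empty list if none)."""
    reasons = []
    m = RUN_RE.match(line)
    if m:
        if any(d in m['path'].lower() for d in USER_WRITABLE):
            reasons.append('autorun launched from a user-writable data directory')
        if looks_random(m['name']):
            reasons.append('random-looking autorun name')
    elif SVC_RE.match(line):
        # [?] also shows up for legitimate drivers DDS cannot stat; review, do not delete blindly.
        reasons.append('service/driver file not found on disk ([?])')
    m = HOSTS_RE.match(line)
    if m and m['ip'].startswith('127.') and m['host'] != 'localhost':
        reasons.append('hosts entry pins a non-local name to loopback')
    return reasons


def triage(dds_text: str) -> dict:
    """Map each flagged DDS line to the reasons it deserves a look."""
    return {ln: r for ln in dds_text.splitlines() if (r := flag_line(ln))}


if __name__ == '__main__':
    for line, reasons in triage(SAMPLE_DDS).items():
        print(line, '->', '; '.join(reasons))
```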

  2. #2 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi John,

    Please post fresh dds.txt & attach.txt contents.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3 Member (Join Date: Aug 2007; Posts: 57)

    Need Initial Cleaning

    Hi Blade,
    Thanks for picking this situation up. I see you have been really busy at Safer Networking. My problem is that now I cannot get online. I have a very small HP mini that I am using right now. I am running Malwarebytes to see if I can clean my machine up so I can send DDS and attach.txt.
    I will let you know if I am successful. It is redirecting to scour.com.
    Any thoughts?
    Thank you
    John

  4. #4 Member (Join Date: Aug 2007; Posts: 57)

    First scan

    Hi Blade,
    My first partial scan showed rogue.agent.sa in my registry. I tried going online and again was redirected. I am now being redirected to shopica.com. I am now running a full scan on Malwarebytes.
    I am going to remove

  5. #5 Member (Join Date: Aug 2007; Posts: 57)

    Scanning

    Hi Blade,
    I ran a full scan on Malwarebytes and nothing showed. I updated and ran a scan on Spybot and got an all clear. When I try to bring the search from IE to Safer Networking I am redirected to scour and other sites. So I am stuck right now.
    Thank you
    John

  6. #6 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Could you transfer DDS to affected system from this other system?

  7. #7 Member (Join Date: Aug 2007; Posts: 57)

    Transfer of dds from infected to uninfected machine

    Hi Blade,
    Thank you, I never thought of that.
    Please find both files.
    Thanks
    John

  8. #8 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (link).
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  9. #9 Member (Join Date: Aug 2007; Posts: 57)

    Transfer of Combo Fix

    Hi Blade,
    My question is: should I run and save ComboFix (can I do that with ComboFix?) on a thumb drive from my HP mini and transfer it to the infected computer?
    Thanks
    John

  10. #10 Security Expert: Emeritus Blade81 (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi,

    Just transfer the ComboFix.exe file to the affected system. Don't run it on the non affected one.