
Thread: I can't open in normal mode and even in safe mode, IE and Firefox hijacked.

  1. #1
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    I can't open in normal mode and even in safe mode, IE and Firefox hijacked.

    I somehow contracted malware (I think) on my SP3 XP on my laptop. When I start it, it goes black for a while, then automatically opens in Safe mode. It seems I have lost Normal mode. Prior to the loss of Normal mode, I saw a privacy protection shield that was scanning my computer. It said Trojan and I think something else. I thought it was the Blaster worm; however, I did tons of stuff on other sites, including Microsoft's, and found nothing. That leads me to think it's malware instead of a worm. First it would redirect my browser to info.com. Then it hijacked everything. I tried to download Norton, which didn't work. How can I get this resolved without wiping my system clean?

    I am unable to run DDS.txt and ERUNT, not being able to use my laptop's internet. Need help please. Thanks.

    I recently saw XP Antispyware 2012 and it said it was trying to remove Worm.Win32.Kelvir.K, so I X'd out of the scanning and basically shut down the laptop.

  2. #2
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    You may need to transfer tools to your sick computer until it can access the internet again.

    Download DDS and save it to your desktop from here or here or here.
    Disable any script blocker, and then double-click the dds file to run the tool.
    • When done, DDS will open two (2) logs:
      1. DDS.txt
      2. Attach.txt
    • Save both reports to your desktop. Post them back to your topic.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

  3. #3
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    Re: Issue

    Hi Blade, thanks for your response. I have a question. Do I download this to my desktop? But then how do I send this DDS.txt to my sick laptop?

  4. #4
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    Re: Issue

    Blade, I have downloaded it onto my desktop and transferred it to my USB so I can run it on my laptop. Since I can only use safe mode, do I use my clean administrator account or my name, which is more infected? With either one I can't use the internet. Please let me know.

  5. #5
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    Re: Issue

    Here is the DDS from the administrator side of my laptop safe mode. Do I need to do the same under my name in safe mode too?

    DDS.txt attached below:

    .
    DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
    Internet Explorer: 8.0.6001.18372
    Run by Administrator at 23:34:19 on 2011-12-11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1150.873 [GMT -5:00]
    .
    AV: AVG Anti-Virus *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
    C:\WINDOWS\Explorer.EXE
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=laptop
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    mSearchAssistant = hxxp://www.google.com
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Accelerator Plugin: {656ec4b7-072b-4698-b504-2a414c1f0037} - c:\progra~1\earthl~2\PRPL_I~1.DLL
    BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [McAfee Update] c:\docume~1\admini~1\locals~1\temp\mcupdate_1274225305.exe /syncfin c:\docume~1\admini~1\locals~1\temp\mcupdate_1274225305.ini /insfin
    uRun: [Norton Download Manager{NAV_prod_1.6.18_18.5.0.125}] c:\documents and settings\all users\documents\norton\{nav_prod_1.6.18_18.5.0.125}\NAVDownloader[1].exe /m
    uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
    uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
    uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
    mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
    mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
    mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRunOnce: [RunNarrator] Narrator.exe
    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    LSP: mswsock.dll
    DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} - hxxps://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISDataManager.CAB
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1176230924734
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{917E4A49-3D65-4740-9856-B1F76151F1E1} : NameServer = 195.242.208.40
    TCP: Interfaces\{917E4A49-3D65-4740-9856-B1F76151F1E1} : DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{A6ACE856-4EA0-4D7E-98D0-5D63DA8B1873} : NameServer = 195.242.208.40
    TCP: Interfaces\{B3D167C7-F4D9-4614-98B1-43AC55EF2167} : NameServer = 195.242.208.40
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\2pk78ueq.default\
    FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
    FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
    FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0500000.07d\SymDS.sys [2011-12-5 340016]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0500000.07d\SymEFA.sys [2011-12-5 652336]
    S1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20101123.003\BHDrvx86.sys [2011-12-5 691248]
    S1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-11-4 214664]
    S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
    S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    S1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0500000.07d\Ironx86.sys [2011-12-5 136312]
    S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
    S2 N360;Norton 360;c:\program files\norton 360\engine\5.0.0.125\ccSvcHst.exe [2011-12-5 130000]
    S2 Norton PC Checkup Application Launcher;Norton PC Checkup Application Launcher;c:\program files\norton pc checkup\engine\2.0.15.87\SymcPCCULaunchSvc.exe [2011-12-5 123320]
    S2 PCCUJobMgr;Common Client Job Manager Service;c:\program files\norton pc checkup\engine\2.0.15.87\ccSvcHst.exe [2011-12-5 126392]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-11 102448]
    S3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2004-12-15 200192]
    S3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20101201.001\IDSXpx86.sys [2011-12-5 341944]
    S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
    S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-12-11 79816]
    S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-12-11 35272]
    S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-12-11 34248]
    S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-12-11 40552]
    S3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20101201.025\NAVENG.SYS [2011-12-5 86064]
    S3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20101201.025\NAVEX15.SYS [2011-12-5 1371184]
    S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]
    .
    =============== Created Last 30 ================
    .
    2011-12-05 16:22:03 -------- d-----w- c:\windows\system32\drivers\nortonpccheckup\02000F0.057
    2011-12-05 16:22:03 -------- d-----w- c:\windows\system32\drivers\NortonPCCheckup
    2011-12-05 16:22:02 -------- d-----w- c:\program files\Norton PC Checkup
    2011-12-05 07:21:01 -------- d-----w- c:\windows\LastGood.Tmp
    2011-12-05 07:20:21 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2011-12-05 07:20:21 126512 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2011-12-05 07:20:20 -------- d-----w- c:\program files\Symantec
    2011-12-05 07:19:52 368248 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\symtdi.sys
    2011-12-05 07:19:52 330360 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\symtdiv.sys
    2011-12-05 07:19:51 652336 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\SymEFA.sys
    2011-12-05 07:19:51 340016 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\SymDS.sys
    2011-12-05 07:19:51 295032 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\symnets.sys
    2011-12-05 07:19:50 509560 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\srtsp.sys
    2011-12-05 07:19:50 50168 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\srtspx.sys
    2011-12-05 07:19:50 136312 ----a-r- c:\windows\system32\drivers\n360\0500000.07d\Ironx86.sys
    2011-12-05 07:18:07 -------- d-----w- c:\windows\system32\drivers\n360\0500000.07D
    2011-12-05 07:18:07 -------- d-----w- c:\windows\system32\drivers\N360
    2011-12-05 07:18:02 -------- d-----w- c:\program files\Norton 360
    2011-12-05 07:16:12 -------- d-----w- c:\program files\NortonInstaller
    2011-12-05 04:01:10 832000 ----a-w- c:\documents and settings\all users\application data\privacy.exe
    2011-12-05 03:59:58 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Temp
    2011-12-05 03:58:38 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Mozilla
    .
    ==================== Find3M ====================
    .
    2011-11-15 02:52:27 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
    2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
    2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
    2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
    .
    ============= FINISH: 23:37:07.42 ===============

    Blade, I have also attached the zipped Attach.txt for you. I hope I did it correctly. Blade, I can't tell you how much I really appreciate the fact you're making this so much easier for me.
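    The helper asks for the DDS log because its Pseudo HJT section lists what a triage looks at first: autorun (Run) entries, per-interface DNS settings and the AV state. Below is an added example, not part of this thread and not DDS's own code: a small Python script that parses an excerpt of the log posted above and flags three things visible in it, Run entries that launch from user-writable locations (the privacy.exe in All Users\Application Data, which matches the "Privacy Protection" program the poster described), an interface whose static NameServer differs from the DHCP-assigned one, and an AV product reported disabled or outdated. The directory list, the finding labels and the regular expressions are my assumptions about the DDS line format as it appears on this page; a hit is a lead to check, not a verdict (the temp-directory rule also catches a vendor updater in this log).

```python
import re

# Excerpt from the DDS log posted above (these lines are from the page, not constructed).
SAMPLE_DDS = r"""
AV: AVG Anti-Virus *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [McAfee Update] c:\docume~1\admini~1\locals~1\temp\mcupdate_1274225305.exe /syncfin c:\docume~1\admini~1\locals~1\temp\mcupdate_1274225305.ini /insfin
uRun: [Privacy Protection] c:\documents and settings\all users\application data\privacy.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{917E4A49-3D65-4740-9856-B1F76151F1E1} : NameServer = 195.242.208.40
TCP: Interfaces\{917E4A49-3D65-4740-9856-B1F76151F1E1} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{A6ACE856-4EA0-4D7E-98D0-5D63DA8B1873} : NameServer = 195.242.208.40
"""

# Assumed line shapes, derived from the log on this page: "uRun: [name] command",
# "TCP: Interfaces\{GUID} : NameServer = ip", "AV: product *state* {guid}".
RUN_RE = re.compile(r'^([umd]Run(?:Once)?): \[(.*?)\] (.*)$')
TCP_RE = re.compile(r'^TCP: (?:Interfaces\\\{([0-9A-Fa-f-]+)\} : )?(DhcpNameServer|NameServer) = (\S+)')
AV_RE = re.compile(r'^AV: (.*?) \*([^*]+)\*')

# Assumed list of locations a normal XP autorun should rarely launch from
# (profile data and temp folders are writable by the logged-on user).
USER_WRITABLE_DIRS = ('\\application data\\', '\\locals~1\\temp\\', '\\local settings\\temp\\')


def parse_dds(text):
    """Pull autoruns, DNS settings and AV status out of a DDS Pseudo HJT section."""
    autoruns, av_status = [], []
    dns = {"global_dhcp": None, "ifaces": {}}
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            autoruns.append({"key": m.group(1), "name": m.group(2), "cmd": m.group(3)})
            continue
        m = TCP_RE.match(line)
        if m:
            iface, kind, value = m.groups()
            if iface is None:
                if kind == "DhcpNameServer":
                    dns["global_dhcp"] = value
            else:
                dns["ifaces"].setdefault(iface, {})[kind] = value
            continue
        m = AV_RE.match(line)
        if m:
            av_status.append({"product": m.group(1), "state": m.group(2)})
    return {"autoruns": autoruns, "dns": dns, "av": av_status}


def exe_path(cmd):
    """Return the lowercased program path from a Run value, dropping quotes and arguments."""
    cmd = cmd.strip().lstrip('"').lower()
    idx = cmd.find(".exe")
    return cmd[: idx + 4] if idx >= 0 else cmd.split(" ")[0]


def triage(parsed):
    """Return (label, subject, detail) findings worth a closer look."""
    findings = []
    # 1. Autoruns started from user-writable folders.
    for run in parsed["autoruns"]:
        path = exe_path(run["cmd"])
        if any(d in path for d in USER_WRITABLE_DIRS):
            findings.append(("autorun-user-writable", run["name"], path))
    # 2. A static NameServer that does not match what DHCP handed out
    #    (per-interface DhcpNameServer first, then the global one).
    dhcp_global = parsed["dns"]["global_dhcp"]
    for iface, vals in parsed["dns"]["ifaces"].items():
        static = vals.get("NameServer")
        expected = vals.get("DhcpNameServer", dhcp_global)
        if static and expected and static != expected:
            findings.append(("dns-static-differs-from-dhcp", iface, static))
    # 3. AV that DDS reports as disabled or outdated.
    for av in parsed["av"]:
        state = av["state"].lower()
        if "disabled" in state or "outdated" in state:
            findings.append(("av-not-protecting", av["product"], av["state"]))
    return findings


if __name__ == "__main__":
    for label, subject, detail in triage(parse_dds(SAMPLE_DDS)):
        print(f"{label:32} {subject:40} {detail}")
```

    Run against a full DDS.txt by reading the file and passing its text to parse_dds; the DNS rule only fires when a DhcpNameServer is available to compare against, so a machine with a deliberately static DNS server will show the same finding and needs to be judged by the owner.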

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Do I need to do the same under my name in safe mode too?
    No need to, but do the steps from now on using your own account.


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully first.

    Please continue as follows:

    1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New dds log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

  7. #7
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    Re: Issue

    Hey Blade, I ran ComboFix; however, it said it had found rootkit.zeroaccess! inserted on the tcp/ip stack. It also tried to set up a folder but said something like storage not enough space. I tried to use the internet and it did not work. I rebooted to see if it cleared up. I am locked out completely because the cursor won't move, so I tried using the tab key but that won't work either.

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    It also tried to set up a folder but said something like storage not enough space.
    You do have a pretty low amount of free space there. Is there something you could uninstall to free up some more space?

    I am locked out completely cause the cursor wont move so I tried using tab key but that wont work either.
    Does it work after new reboot?

  9. #9
    Junior Member
    Join Date
    Dec 2011
    Posts
    8

    Re: Issue

    Hi Blade. After a new reboot, it's still a complete lockout. I can't move the cursor or use the tab key. It does that even in safe mode with or without networking. I still don't have normal mode.

  10. #10
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288


    Hi,

    Is there any activity like hard drive light flashing or is it completely frozen? It doesn't look good. Do you have XP installation media around?
