Attack of windows xp restore- DDS.txt

[johnallanchambers]

Hi Spybot,
I have been infected by Windowsxp Restore. It has crippled my machine. Please Help.

.
DDS (Ver_2011-06-12.02) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by John at 13:27:07 on 2011-06-13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.503.214 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MDM.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = <local>
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [kPrmtXlWDpgPMUD] c:\documents and settings\all users\application data\kPrmtXlWDpgPMUD.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\john\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.com\b.mail
Trusted Zone: google.com\mail
Trusted Zone: google.com\www
Trusted Zone: landrecordsonline.com\sussex
DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553635000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
TCP: Interfaces\{D85F83D1-9A69-47B5-9808-00BC05D6E4E1} : DhcpNameServer = 24.229.54.212 207.44.96.129 24.229.54.220
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\john\application data\mozilla\firefox\profiles\amsntw2b.default\
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
.
============= SERVICES / DRIVERS ===============
.
S0 nhvx;nhvx;c:\windows\system32\drivers\splk.sys --> c:\windows\system32\drivers\splk.sys [?]
S1 SASDIFSV;SASDIFSV;c:\docume~1\john\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\docume~1\john\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
S1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
S1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\savrtpel.sys [2005-12-19 54968]
S2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
S2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-10 366640]
S2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-28 105592]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-10-28 133104]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro35.sys [2011-1-11 16968]
S3 HitmanPro35Crusader;Hitman Pro 3.5 Crusader;"e:\hitmanpro35.exe" /crusader --> e:\HitmanPro35.exe [?]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\naveng.sys [2011-6-10 86008]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110610.002\navex15.sys [2011-6-10 1542392]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
.
=============== Created Last 30 ================
.
2011-06-11 00:05:23 -------- d-----w- c:\documents and settings\john\application data\SUPERAntiSpyware.com
2011-06-10 15:43:03 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-10 15:42:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
1998-12-09 02:53:54 99840 ----a-w- c:\program files\common files\IRAABOUT.DLL
1998-12-09 02:53:54 70144 ----a-w- c:\program files\common files\IRAMDMTR.DLL
1998-12-09 02:53:54 48640 ----a-w- c:\program files\common files\IRALPTTR.DLL
1998-12-09 02:53:54 31744 ----a-w- c:\program files\common files\IRAWEBTR.DLL
1998-12-09 02:53:54 186368 ----a-w- c:\program files\common files\IRAREG.DLL
1998-12-09 02:53:54 17920 ----a-w- c:\program files\common files\IRASRIAL.DLL
.
============= FINISH: 13:28:17.81 ===============
Thank you
John Chambers

 

[Blade81]

Hi John,

Please post fresh dds.txt & attach.txt contents.

 

[johnallanchambers]

Need Initial Cleaning

Hi Balde ,
Thanks for picking this situation up. I see you have been really busy at safer networking. My problem is that now I cannot get on line . I have avery small HP mini that I am using right now. I am running Malwarebytes to see if I can clean my machine up so I can send DDs and attach.txt.
I will let you know if I am successful. It is redirecting to scour.com.
Any thoughts?
Thank you
John

 

[johnallanchambers]

First scan

Hi Blade ,
My first partial scan showed rogue.agent.sa in my registry. I tried going online and again was reidirected. I am now being redirected to shopica.com. I am now running fullscan on Malwarebytes.
I am going to remove

 

[johnallanchambers]

Scanning

Hi Blade,
I ran a full scan on maleware and nothing showed. I updated and ran a scan on Spybot and got an all clear. when I try to bring the search from IE to safer networking I am redirected to scour and other sites. So I am stuck right now.
Thank you
John

 

[Blade81]

Hi,

Could you transfer DDS to affected system from this other system?

 

[johnallanchambers]

Transfer of dds from infected to uninfected machine

Hi Blade,
Thank you I never thought of that.
Please fin both files
Thanks
John

 

[Blade81]

Hi


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
   Remember to re-enable them afterwards.
   
   
2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

 

[johnallanchambers]

Transfer of Combo Fix

Hi Blade,
My question is should I run and save combo fix ( can I do that with combo fix) on a thumb drive from my mini hp and transfer it to the infected computer.
Thanks
John

 

[Blade81]

Hi,

Just transfer the ComboFix.exe file to the affected system. Don't run it on the non affected one.

 

[johnallanchambers]

Problem with combo fix

Hi Blade,
I dowloaed combo fix from the mini to thumb drive na dinstalled it but it is hung in the install at about 60% at out put folder c:\32788R22FWJFW
What to do?
Thanks
John

 

[johnallanchambers]

Disabled Maleware and Spybot and norton

Previous to the install I disabled Malewarebytes Spy bot and Norton
John

 

[johnallanchambers]

Hung up

Hi Blade,
I am hung up at output folder C:\32788R22FWJFW and it will not complete install
John

 

[johnallanchambers]

Logs for combo fix and dds/attach

Hi Blade,
This virus is defeating me every way I turn. I had to download this from the thumb drive because it is still redirecting me.
Thank you
John

 

[Blade81]

Hi,

Download aswMBR to your desktop. Double click the aswMBR.exe to run it
Click the Scan button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply.

 

[johnallanchambers]

avast scan

Hi Blade,
Avast scan
Thank you
John

 

[Blade81]

Hi,

Does redirecting happen with both Internet Explorer and Firefox?

Download GMER here by clicking download exe -button and then saving it your desktop:

• Double-click .exe that you downloaded
• Click rootkit-tab, uncheck files option and then click scan.
• Don't check
  Show All
  box while scanning in progress!
• When scanning is ready, click Copy.
• This copies log to clipboard
• Post log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.

 

[johnallanchambers]

Gmer

Hi Blade,
It is redirecting in IE and Firefox has been hidden with icons and removed from programs. So I can't access.
GMER attached zipped.
Thank you
John

 

[Blade81]

Hi,

Please run this tool. See if that helps with hidden items issue.



Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Copy the content of the following codebox into the main textfield:
  

  :filefind
  VolSnap.sys

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

 

[johnallanchambers]

System look

Hi Blade,
I ran unhide and it restored the missing files- icons with IE icons. The system look .exe will not run. Error says "this application has failed to start because the application configuration is incorrect"
Thank
John