Old 12-01-2008, 07:55 PM   #1 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Washington
Posts: 4
OS: Windows XP


[SOLVED] Malware download from Dailykeys.com

I recently downloaded a file from dailykeys.com and believe my computer has been infected with malware.

I have a Sony Vaio VGC-RB30 and run Symantec Internet Security.
After the file was downloaded I was still able to run a system scan, and I think that helped. After that it would not allow me to open Norton again until I removed and reinstalled it. The virus also made it so I was not able to do things like view Folder Options in the Control Panel or run regedit, and I am now getting a STOP: C000021A fatal system error upon shutdown. I have been able to fix most of the issues I've found except the stop error.

When my Norton would not open I ran the Microsoft Live OneCare, and the file that it keeps pointing to is C:\WINDOWS\system32\winrvc32.dll, but no matter what I try it will not delete.

Hopefully the attached info will lead you to my problem.

Please HELP!!!


DDS (Version 1.0) - NTFSx86
Run by Craig Chapline at 19:22:27.85 on Mon 12/01/2008
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.137 [GMT -8:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\UTSCSI.EXE
C:\Program Files\Sony\VAIO Media Integrated Server\VMISrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
C:\Program Files\Common Files\AOL\1175477631\ee\AOLSoftware.exe
C:\Program Files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Craig Chapline\Desktop\dds.com

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.sony.com/vaiopeople
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.hotkobs.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [HostManager] c:\program files\common files\aol\1175477631\ee\AOLSoftware.exe
mRun: [VMConsole.exe] "c:\program files\sony\vaio media integrated server\platform\VMConsole.exe" /windowmin
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [eFax 4.2] "c:\program files\efax messenger 4.2\J2GDllCmd.exe" /R
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SM1BG] c:\windows\SM1BG.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton internet security\osCheck.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\efax42~1.lnk - c:\program files\efax messenger 4.2\J2GTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpqthb08.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: winrvc32 - winrvc32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2006-9-3 105632]
R2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2006-9-3 105632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-11-30 99376]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\NAVENG.SYS [2008-12-1 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081201.006\NAVEX15.SYS [2008-12-1 876112]
S1 f391e39d;f391e39d;c:\windows\system32\drivers\f391e39d.sys []
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" [2008-11-30 1251720]

=============== Created Last 30 ================

2008-12-01 19:03 250 a------- c:\windows\gmer.ini
2008-11-30 22:45 <DIR> --d----- c:\program files\Norton Internet Security
2008-11-30 22:44 123,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-30 22:44 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-11-30 22:43 <DIR> --d----- c:\program files\Symantec
2008-11-30 18:26 4,946 a------- c:\windows\system32\tmp.reg
2008-11-30 18:20 <DIR> --d----- C:\!KillBox
2008-11-30 18:09 <DIR> --d----- c:\program files\Trend Micro
2008-11-30 16:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PrevxCSI
2008-11-29 23:12 <DIR> --d----- C:\Autoruns
2008-11-28 23:32 <DIR> --d----- c:\docume~1\craigc~1\applic~1\AdwareAlert
2008-11-28 22:38 <DIR> --d----- c:\program files\Microsoft Windows OneCare Live
2008-11-28 09:55 39,424 -------- c:\windows\system32\winrvc32.dll
2008-11-11 18:21 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:20 1,106,944 -c------ c:\windows\system32\dllcache\msxml3.dll
2008-11-10 13:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SonicStage
2008-11-10 12:55 <DIR> --d----- c:\program files\Pricedex Software Inc

==================== Find3M ====================

2008-12-01 19:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2008-12-01 19:00 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-28 20:59 <DIR> --d----- c:\docume~1\craigc~1\applic~1\RipIt4Me
2008-11-28 11:42 <DIR> --d----- c:\docume~1\craigc~1\applic~1\Vso
2008-11-10 13:06 <DIR> --d----- c:\docume~1\craigc~1\applic~1\Sony Corporation
2008-10-19 19:18 <DIR> --d----- c:\program files\AVS4YOU
2008-10-19 19:18 <DIR> --d----- c:\program files\common files\AVSMedia
2008-10-19 18:44 <DIR> --d----- c:\docume~1\craigc~1\applic~1\AVS4YOU
2008-10-19 18:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2008-10-19 17:44 <DIR> --d----- c:\program files\WinAVI Video Converter
2008-10-19 10:36 <DIR> --d----- c:\program files\Xvid
2008-10-03 14:34 625,032 a------- c:\windows\system32\SymNeti.dll
2008-10-03 14:34 242,056 a------- c:\windows\system32\SymRedir.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-09 17:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-04 09:15 1,106,944 a------- c:\windows\system32\msxml3.dll
2008-05-22 19:29 <DIR> --d----- c:\docume~1\craigc~1\applic~1\Viewpoint
2008-04-19 15:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\vsosdk
2008-02-05 17:50 <DIR> --d----- c:\docume~1\craigc~1\applic~1\ESS
2006-10-18 17:39 <DIR> --d----- c:\docume~1\craigc~1\applic~1\eFax Messenger
2006-10-18 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\eFax Messenger 4.2 Setup
2005-10-16 09:36 <DIR> --d----- c:\docume~1\craigc~1\applic~1\DeepBurner
2005-10-16 09:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Napster
2005-10-14 19:05 <DIR> --d----- c:\docume~1\craigc~1\applic~1\vlc
2005-08-08 15:59 <DIR> --d----- c:\docume~1\craigc~1\applic~1\FaxCtr
2005-06-27 20:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Innotech Solutions
2005-02-26 00:02 <DIR> --d----- c:\docume~1\craigc~1\applic~1\AOL
2005-02-26 00:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2004-11-16 19:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\VAIO Media Platform
2004-11-16 19:04 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2004-11-16 19:04 <DIR> --d----- c:\docume~1\craigc~1\applic~1\Intuit
2004-11-16 18:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sony Corporation
2004-11-15 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI

============= FINISH: 19:22:56.76 ===============
Attached Files
File Type: txt Gmer.txt (15.9 KB, 1 views)
File Type: txt Attach.txt (12.1 KB, 1 views)
Old 12-02-2008, 11:25 AM   #2 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3


Re: Malware download from Dailykeys.com

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.


------------------------------------------------------

Please uninstall the following via Start->(or My Computer)->Control Panel->Add or Remove Programs if it still exists:

Viewpoint Media Player <<This is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". Please read here and here.

If you decide to uninstall it, also delete the following Folders if they still exist:

C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint

------------------------------------------------------

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
Old 12-02-2008, 07:36 PM   #3 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Washington
Posts: 4
OS: Windows XP


Re: Malware download from Dailykeys.com

Thank you for the quick response. I did remove Viewpoint Media Player and made sure that no other antivirus and antimalware programs were running before downloading ComboFix. Attached is the file.

ComboFix 08-12-01.03 - Craig Chapline 2008-12-02 18:56:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.164 [GMT -8:00]
Running from: c:\documents and settings\Craig Chapline\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Craig Chapline\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Craig Chapline\Application Data\inst.exe
c:\windows\jestertb.dll
c:\windows\setup.exe
c:\windows\system32\winrvc32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-11-03 to 2008-12-03 )))))))))))))))))))))))))))))))
.

2008-12-01 19:03 . 2008-12-01 19:04 250 --a------ c:\windows\gmer.ini
2008-11-30 22:45 . 2008-12-01 18:52 <DIR> d-------- c:\program files\Norton Internet Security
2008-11-30 22:44 . 2008-11-30 23:12 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-30 22:44 . 2008-11-30 23:12 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-30 22:43 . 2008-11-30 23:12 <DIR> d-------- c:\program files\Symantec
2008-11-30 18:26 . 2008-11-30 18:30 4,946 --a------ c:\windows\system32\tmp.reg
2008-11-30 18:20 . 2008-11-30 22:02 <DIR> d-------- C:\!KillBox
2008-11-30 18:09 . 2008-11-30 18:09 <DIR> d-------- c:\program files\Trend Micro
2008-11-29 23:12 . 2008-11-29 23:20 <DIR> d-------- C:\Autoruns
2008-11-29 17:11 . 2004-11-16 19:08 <DIR> d-------- c:\documents and settings\Administrator.SONY\Application Data\Symantec
2008-11-29 17:11 . 2004-11-16 19:04 <DIR> d-------- c:\documents and settings\Administrator.SONY\Application Data\Intuit
2008-11-29 17:11 . 2008-11-29 17:11 <DIR> d-------- c:\documents and settings\Administrator.SONY
2008-11-28 23:32 . 2008-11-28 23:32 <DIR> d-------- c:\documents and settings\Craig Chapline\Application Data\AdwareAlert
2008-11-28 22:49 . 2008-11-30 20:33 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 22:38 . 2008-11-28 22:38 <DIR> d-------- c:\program files\Microsoft Windows OneCare Live
2008-11-28 12:40 . 2008-11-30 15:51 <DIR> d-------- c:\program files\Windows Live Safety Center
2008-11-11 18:21 . 2008-10-24 03:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 18:20 . 2008-09-04 09:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 13:05 . 2008-11-10 13:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\SonicStage
2008-11-10 12:55 . 2008-11-10 12:55 <DIR> d-------- c:\program files\Pricedex Software Inc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-03 02:59 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-03 02:05 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-12-01 07:12 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-12-01 07:12 10,671 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-29 05:01 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-29 04:59 --------- d-----w c:\documents and settings\Craig Chapline\Application Data\RipIt4Me
2008-11-28 19:42 --------- d-----w c:\documents and settings\Craig Chapline\Application Data\Vso
2008-11-28 19:41 47,360 ----a-w c:\documents and settings\Craig Chapline\Application Data\pcouffin.sys
2008-11-26 06:37 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2008-11-10 21:06 --------- d-----w c:\documents and settings\Craig Chapline\Application Data\Sony Corporation
2008-11-07 01:45 --------- d-----w c:\program files\Common Files\Adobe
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-20 03:18 --------- d-----w c:\program files\Common Files\AVSMedia
2008-10-20 03:18 --------- d-----w c:\program files\AVS4YOU
2008-10-20 02:44 --------- d-----w c:\documents and settings\Craig Chapline\Application Data\AVS4YOU
2008-10-20 02:44 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
2008-10-20 01:44 --------- d-----w c:\program files\WinAVI Video Converter
2008-10-19 18:36 --------- d-----w c:\program files\Xvid
2008-10-03 22:14 39,984 ----a-w c:\windows\system32\drivers\symids.sys
2008-10-03 22:14 37,936 ----a-w c:\windows\system32\drivers\symndisv.sys
2008-10-03 22:14 35,120 ----a-w c:\windows\system32\drivers\symndis.sys
2008-10-03 22:14 27,696 ----a-w c:\windows\system32\drivers\symredrv.sys
2008-10-03 22:14 187,952 ----a-w c:\windows\system32\drivers\symtdi.sys
2008-10-03 22:14 146,096 ----a-w c:\windows\system32\drivers\symfw.sys
2008-10-03 22:14 12,848 ----a-w c:\windows\system32\drivers\symdns.sys
2008-10-03 22:14 10,804 ----a-w c:\windows\system32\drivers\SymRedir.cat
2008-10-03 22:14 1,358 ----a-w c:\windows\system32\drivers\SymRedir.inf
2006-07-24 23:04 26,780 ----a-w c:\documents and settings\Craig Chapline\Application Data\ViewerApp.dat
2003-08-27 21:19 36,963 ----a-r c:\program files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-10 68856]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HostManager"="c:\program files\Common Files\AOL\1175477631\ee\AOLSoftware.exe" [2006-09-25 50736]
"VMConsole.exe"="c:\program files\Sony\VAIO Media Integrated Server\Platform\VMConsole.exe" [2004-06-23 557056]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-02-26 26112]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-10-08 155648]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-12-04 176128]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-10-08 126976]
"eFax 4.2"="c:\program files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 107008]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-09 344064]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"VAIO Recovery"="c:\windows\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 28672]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 84640]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2006-09-05 26248]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SoundMan"="SOUNDMAN.EXE" [2004-10-21 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-21 c:\windows\ALCWZRD.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0\aoltray.exe [2005-02-26 156784]
eFax 4.2.lnk - c:\program files\eFax Messenger 4.2\J2GTray.exe [2006-10-18 612352]
HP Digital Imaging Monitor.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\AOL\\1175477631\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-30 99376]
S1 f391e39d;f391e39d;c:\windows\system32\drivers\f391e39d.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2008-12-02 c:\windows\Tasks\HP Usg Daily.job
- c:\program files\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe [2004-01-06 10:05]

2008-12-01 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Craig Chapline.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2006-09-06 22:38]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-02 19:15:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\UTSCSI.EXE
c:\program files\Sony\VAIO Media Integrated Server\VMISrv.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\windows\wanmpsvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqste08.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-12-02 19:22:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-03 03:21:49

Pre-Run: 124,604,878,848 bytes free
Post-Run: 125,539,393,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

206 --- E O F --- 2008-11-12 05:25:42
Attached Files
File Type: txt ComboFix.txt (13.5 KB, 1 views)

Last edited by chemist; 12-03-2008 at 04:10 AM.
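The entries that matter in the two reports above can be pulled out mechanically: the Winlogon Notify package winrvc32.dll that does not belong to any installed vendor, the driver f391e39d.sys whose bracketed file details are empty, and the Security Center and firewall registry values ComboFix listed as turned off. The following Python triage script is an added example for this thread, not a tool shipped with DDS or ComboFix; the KNOWN_NOTIFY_DLLS allowlist is an assumption, and the sample log is constructed from lines quoted in the reports above.

```python
"""Triage helper for DDS / ComboFix-style logs (added example, not a DDS or
ComboFix component).

Flags three indicators visible in this thread's reports: a Winlogon Notify DLL
outside a small allowlist, a service/driver line whose bracketed file details
are empty, and registry values that silence Security Center or the firewall.
"""
import re

# Notification packages expected on a stock XP install with common vendor
# drivers.  This allowlist is an assumption made for the example.
KNOWN_NOTIFY_DLLS = {"ati2evxx.dll", "igfxsrvc.dll", "scecli.dll", "wlnotify.dll"}

SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s*\[(.*)\]\s*$")
NOTIFY_RE = re.compile(r"^Notify:\s+(\S+)\s+-\s+(\S+)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # e.g. f391e39d

# Security Center values that, when set to 1, suppress monitoring or alerts.
SILENCING_VALUES = {"DisableMonitoring", "AntiVirusDisableNotify",
                    "FirewallDisableNotify", "UpdatesDisableNotify"}

# Constructed sample: lines quoted from the DDS and ComboFix reports above.
SAMPLE_LOG = r"""
Notify: AtiExtEvent - Ati2evxx.dll
Notify: igfxcui - igfxsrvc.dll
Notify: winrvc32 - winrvc32.dll
R1 Cinemsup;Cinemsup;c:\windows\system32\drivers\Cinemsup.sys [2003-12-19 6656]
S1 f391e39d;f391e39d;c:\windows\system32\drivers\f391e39d.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def parse_services(lines):
    """Parse 'R1 name;display;path [date size]' service/driver lines."""
    found = []
    for line in lines:
        m = SERVICE_RE.match(line.strip())
        if m:
            found.append({"state": m.group(1), "name": m.group(2),
                          "display": m.group(3), "path": m.group(4),
                          "info": m.group(5).strip()})
    return found


def suspicious_services(lines):
    """Entries with empty file details (the scanner could not stat the file,
    typical of a hidden or already-removed driver) or a random-looking name."""
    return [s["name"] for s in parse_services(lines)
            if not s["info"] or RANDOM_NAME_RE.match(s["name"].lower())]


def unknown_notify_dlls(lines, known=KNOWN_NOTIFY_DLLS):
    """Winlogon Notify packages whose DLL is not on the allowlist.  These load
    into winlogon.exe at every logon, so an unknown one deserves a look."""
    hits = []
    for line in lines:
        m = NOTIFY_RE.match(line.strip())
        if m and m.group(2).lower() not in known:
            hits.append((m.group(1), m.group(2)))
    return hits


def weakened_security_settings(lines):
    """Walk the REGEDIT4-style dump, tracking the current key, and report values
    that turn off Security Center monitoring/alerts or the Windows Firewall."""
    hits, key = [], ""
    for line in lines:
        s = line.strip()
        km = KEY_RE.match(s)
        if km:
            key = km.group(1).lower()
            continue
        vm = VALUE_RE.match(s)
        if not vm:
            continue
        name, value = vm.group(1), vm.group(2).lower()
        if "security center" in key and name in SILENCING_VALUES \
                and value.endswith("00000001"):
            hits.append((key, name))
        elif "firewallpolicy" in key and name == "EnableFirewall" \
                and value.startswith("0"):
            hits.append((key, name))
    return hits


def triage(text):
    """Run all three checks over one log and return the findings."""
    lines = text.splitlines()
    return {"services": suspicious_services(lines),
            "notify": unknown_notify_dlls(lines),
            "settings": weakened_security_settings(lines)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, items)
```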
Old 12-03-2008, 04:41 AM   #4 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3


Re: Malware download from Dailykeys.com

Hello again, cchapline. Please tell us how your machine is behaving.

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc stop f391e39d

A DOS window will open and close again; this is normal.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete f391e39d

A DOS window will open and close again; this is normal.

------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Please decline the offer to install the Yahoo toolbar, unless you want it.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 License Agreement.
  • Click Continue
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and click on Add or Remove Programs
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u11-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
__________________
Our help is free but please donate

Proud member of ASAP
Proud member of UNITE
chemist is offline  
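The sc stop / sc delete pair in the instructions above removes the service by name without recording what it actually ran. The PowerShell function below is an added example, not part of chemist's instructions or of any tool used in this thread: it reads the service's registry key, prints the ImagePath and (for svchost-hosted services) the ServiceDll, checks that file's Authenticode signature and SHA-256, and only then runs the same sc.exe commands and verifies the key is gone. It assumes Windows PowerShell 4 or later run as Administrator (Get-FileHash needs 4+; on an older host drop that line). The service name f391e39d is the one from the instructions and is passed in as a parameter.

```powershell
# Added example (not from the thread): triage, then remove, a suspect service.
# Assumes Windows PowerShell 4+ run as Administrator.
function Remove-SuspectService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Name
    )

    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $regPath)) {
        Write-Warning "No service key '$Name' found; nothing to remove."
        return $false
    }

    # 1. Record what the service runs before touching it. svchost-hosted
    #    services keep the real payload DLL under Parameters\ServiceDll.
    $svc        = Get-ItemProperty -Path $regPath
    $imagePath  = $svc.ImagePath
    $serviceDll = (Get-ItemProperty -Path "$regPath\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $start = switch ($svc.Start) {
        0 { 'Boot' } 1 { 'System' } 2 { 'Automatic' } 3 { 'Manual' } 4 { 'Disabled' }
        default { "$($svc.Start)" }
    }

    Write-Host "Service     : $Name"
    Write-Host "DisplayName : $($svc.DisplayName)"
    Write-Host "Start       : $start"
    Write-Host "ImagePath   : $imagePath"
    if ($serviceDll) { Write-Host "ServiceDll  : $serviceDll" }

    # 2. Check the payload's signature and hash. A random-looking service name
    #    whose DLL is unsigned and sits in system32 is the pattern in this
    #    thread (winrvc32.dll); a validly signed vendor binary deserves a
    #    second look before deletion.
    $payload = if ($serviceDll) { [Environment]::ExpandEnvironmentVariables($serviceDll) } else { $null }
    if ($payload -and (Test-Path $payload)) {
        $sig = Get-AuthenticodeSignature -FilePath $payload
        Write-Host "Signature   : $($sig.Status) $($sig.SignerCertificate.Subject)"
        $hash = Get-FileHash -Path $payload -Algorithm SHA256   # needs PowerShell 4+
        Write-Host "SHA256      : $($hash.Hash)"
    }

    # 3. Stop and delete with sc.exe, the same tool the instructions use.
    #    'sc stop' exits 1062 if the service is not running, which is fine.
    #    'sc delete' only marks the key for deletion while a handle is open
    #    (for example services.msc), so the final check may need a reboot.
    if ($PSCmdlet.ShouldProcess($Name, 'sc stop / sc delete')) {
        & sc.exe stop $Name | Out-Null
        Start-Sleep -Seconds 2
        & sc.exe delete $Name | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "sc delete returned $LASTEXITCODE; the service may be protected or still running."
        }
    }
    return (-not (Test-Path $regPath))
}

# Usage:
#   Remove-SuspectService -Name 'f391e39d' -WhatIf   # report only, change nothing
#   Remove-SuspectService -Name 'f391e39d'           # stop, delete, verify
```

Run it first with -WhatIf so the ImagePath, ServiceDll, signature and hash are recorded before anything is deleted; that record is what you would post or submit if the sample later needs to be identified.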
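The Java steps above say to repeat the removal "as many times as necessary", but Add or Remove Programs gives no overview of what is left. This PowerShell function is an added example, not from the post: it lists every Java runtime registered with the Windows installer, matching the same name patterns the instructions tell you to look for, so you can confirm only the version you just installed remains. It is read-only and assumes Windows PowerShell; the WOW6432Node path only exists on 64-bit Windows and is skipped silently elsewhere.

```powershell
# Added example (not from the thread): list registered Java runtimes so the
# old ones can be confirmed gone after the uninstall/reinstall steps.
function Get-InstalledJava {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        # 32-bit JRE installs on 64-bit Windows register here instead
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        # Same name patterns as the instructions: JRE, J2SE, Java(TM) SE, Java(TM) 6
        Where-Object { $_.DisplayName -match 'Java\(TM\)|Java Runtime|J2SE|JRE' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation, UninstallString |
        Sort-Object DisplayVersion
}

# Usage: anything listed besides the newly installed version still needs removing;
# UninstallString is the command Add or Remove Programs would run for it.
Get-InstalledJava | Format-Table -AutoSize
```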
Old 12-03-2008, 10:18 PM   #5 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Washington
Posts: 4
OS: Windows XP


Re: Malware download from Dailykeys.com

Thanks again Chemist. Overall my computer is working well. The stop error at shut down has stopped and my computer is not taking as long during its startup. Attached is the Kaspersky report. Please advise if further action is needed.
Attached Files
File Type: txt Kaspersky.txt (962 Bytes, 1 views)
cchapline is offline  
Old 12-04-2008, 04:50 AM   #6 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3


Re: Malware download from Dailykeys.com

Hello again, cchapline. You can delete the SmitfraudFix folder from your desktop.

------------------------------------------------------

Congratulations. Well done! Your logs appear clean. You should be good to go.

Go to Start >> Run and Copy/Paste the following single-line command into the Run box and click OK:

combofix /u

This will uninstall ComboFix and delete ComboFix's quarantine folder. It will also implement some cleanup procedures, remove old System Restore points which contain previous infections, and create a fresh, clean System Restore point.

Please re-enable your antivirus program and any other antispyware programs disabled earlier if you haven't already.

You can safely delete any tools downloaded or any logs, files, and any shortcuts on your desktop that were created during this fix.

------------------------------------------------------

MICROSOFT UPDATES
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SPYWARE PREVENTION
This is a good time to set up protection against further attacks. In light of your recent problem, I'm sure you'd like to avoid any future infections. Please read these well-written articles. To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:
  • SpywareBlaster prevents the installation of ActiveX-based malware, blocks cookies, and restricts the actions of "bad" sites in Internet Explorer. See tutorial here
  • IE-Spyad is another excellent program that places over 5000 dubious websites and domains in the IE Restricted list, which will help prevent attempts to infect your system. It basically prevents any downloads from the sites listed, although you will still be able to connect to the site. See tutorial here
  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. It basically prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. See guide here and for Windows Vista here
  • Spybot - Search & Destroy is an excellent spyware remover and also offers real-time protection against critical registry changes. Don't use the Immunize feature in Spybot if you use SpywareBlaster. See tutorial here
Keep your antivirus program and antispyware programs updated and scan with them on a regular basis.

Please respond to this thread one more time so we can mark this thread as resolved.
chemist is offline  
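The MVPS HOSTS entry above works because Windows consults the hosts file before DNS, so a name mapped to 127.0.0.1 never reaches the ad server. The PowerShell below is an added example, not from the post or from MVPS: it parses hosts-file lines, reports which names are sinkholed to loopback, and flags any entry that sends a real name somewhere other than loopback, since that same mechanism is how malware blocks antivirus and update sites. The sample lines are constructed here with reserved example domains, not real ad hosts; treating 0.0.0.0 and ::1 as sinkholes alongside the 127.0.0.1 the post describes is an assumption.

```powershell
# Added example (not from the thread): parse a HOSTS file and report what it
# blocks and what it redirects. Pass -Path to read the live file, which on
# Windows is $env:SystemRoot\System32\drivers\etc\hosts.
function Get-HostsBlocklist {
    param(
        [string]$Path,
        [string[]]$Content
    )
    if ($Path) { $Content = Get-Content -Path $Path }

    # Addresses that mean "go nowhere": 127.0.0.1 as in the MVPS file, plus
    # 0.0.0.0 and ::1 (assumption: treat all three the same).
    $sinkholes = @('127.0.0.1', '0.0.0.0', '::1')

    foreach ($line in $Content) {
        # Syntax: <address> <name> [alias ...] [# comment]. Strip the comment first.
        $text = ($line -split '#', 2)[0].Trim()
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }

        $addr   = $fields[0]
        $isLoop = $sinkholes -contains $addr
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                Name       = $name.ToLowerInvariant()
                Address    = $addr
                # 'localhost' -> 127.0.0.1 is the stock entry, not a block.
                Sinkholed  = $isLoop -and ($name -ne 'localhost')
                # A real name pointed at a non-loopback address is a redirect;
                # hosts hijacks of vendor/update sites are a classic malware trick.
                Suspicious = -not $isLoop
            }
        }
    }
}

# Constructed sample (not the real MVPS file): the stock localhost line, two
# blocked ad hosts, and one hijack-style entry sending an update site to a
# TEST-NET address.
$sample = @(
    '# This MVPS HOSTS file is a free download from:',
    '127.0.0.1  localhost',
    '127.0.0.1  ads.example.com  # [sample ad host]',
    '0.0.0.0    tracker.example.net',
    '192.0.2.10 liveupdate.example.org'
)
Get-HostsBlocklist -Content $sample | Format-Table -AutoSize
```

On the sample, ads.example.com and tracker.example.net come back Sinkholed, localhost is neither, and liveupdate.example.org is Suspicious. Running the function against the live hosts file on a machine that could not open its antivirus, as the one in this thread could not, is a quick way to see whether the file was tampered with.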
Old 12-04-2008, 04:53 PM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Location: Washington
Posts: 4
OS: Windows XP


Re: Malware download from Dailykeys.com

Thanks again for all your help. I will definitely take your advice on the added security.
cchapline is offline  
Old 12-04-2008, 05:03 PM   #8 (permalink)
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
 
Join Date: Oct 2007
Location: Georgia
Posts: 8,678
OS: XP SP3


Re: [SOLVED] Malware download from Dailykeys.com

You're very welcome! Glad to have helped.
chemist is offline  
Copyright 2001 - 2009, Tech Support Forum