DDS Log Internet Blocking virus
08-03-2010, 05:26 PM
Post: #1
When I turn on my computer, the Anti-Virus software notes a fake trojan. After scans, it doesn't seem to destroy or quarantine the virus. The virus does not allow us to get on the internet through IE shortcuts and gives us trouble with every new web page we try to open, suggesting that the site is unsafe and that we should download their product.

I need help to get rid of it. Thanks so much!


DDS (Ver_09-12-01.01) - NTFSx86
Run by frontdesk at 10:18:01.25 on Mon 03/08/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.512 [GMT -5:00]

AV: *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\frontdesk\Local Settings\Temporary Internet Files\Content.IE5\BXXBMEUL\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
mWinlogon: Userinit=c:\windows\system32\Userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellTransferAgent] "c:\documents and settings\all users\application data\dell\transferagent\TransferAgent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://compulink-softwaretraining.webex.com/client/T23L/training/ieatgpc.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-29 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-11-29 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2007-11-29 2177464]
R3 dpK0Bx01;Fingerprint Reader Filter Driver;c:\windows\system32\drivers\dpK0Bx01.sys [2004-8-4 32640]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-9-2 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100307.022\NAVENG.SYS [2010-3-8 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100307.022\NAVEX15.SYS [2010-3-8 1324720]
R3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\UsbdpFP.sys [2004-8-4 34560]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-11-29 23888]
S4 vsdatant;vsdatant;a --> a [?]

=============== Created Last 30 ================

2010-03-02 20:20:00 0 d-----w- c:\docume~1\alluse~1\applic~1\PopCap
2010-02-23 16:36:51 0 d-sh--w- c:\documents and settings\frontdesk\PrivacIE
2010-02-23 16:07:30 0 d-sh--w- c:\documents and settings\frontdesk\IETldCache
2010-02-23 16:00:23 0 d-----w- c:\windows\ie8updates
2010-02-23 15:56:44 0 dc-h--w- c:\windows\ie8
2010-02-23 15:54:20 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2010-02-23 15:54:16 594432 ------w- c:\windows\system32\dllcache\msfeeds.dll
2010-02-23 15:54:16 55296 ------w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-02-23 15:54:15 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2010-02-23 15:54:15 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2010-02-23 15:54:14 1985536 ------w- c:\windows\system32\dllcache\iertutil.dll
2010-02-23 15:54:12 11070464 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-19 18:39:26 14 ----a-w- c:\windows\hpmssnpjt.ini
2010-02-19 18:07:24 0 d-----w- C:\HP_CP1510_Default_Install_4.0
2010-02-19 16:56:30 4144 ------w- c:\windows\hppmdl09.dat
2010-02-19 16:56:30 152427 ----a-w- c:\windows\hppins09.dat
2010-02-19 16:56:01 661 ----a-w- c:\windows\hpbvspst.his
2010-02-19 16:56:01 320 ----a-w- c:\windows\hpbvspst.ini
2010-02-19 16:54:03 621 ----a-r- c:\windows\system32\hppapr09.dat
2010-02-19 16:54:03 59928 ----a-w- c:\windows\system32\fxcompchannel.dll
2010-02-19 16:54:03 331776 ----a-w- c:\windows\system32\hppcpr09.dll
2010-02-19 16:53:51 188416 ------w- c:\windows\system32\hppcew09.dll
2010-02-19 16:53:50 26136 ----a-r- c:\windows\system32\drivers\hpfxgen.sys
2010-02-19 16:53:50 17432 ----a-r- c:\windows\system32\drivers\hpfxbulk.sys
2010-02-19 15:07:32 78998 ----a-w- c:\windows\hpfins05.dat
2010-02-19 15:07:32 1395 ------w- c:\windows\hpfmdl05.dat
2010-02-19 15:07:16 45056 ----a-w- c:\windows\system32\hpzll3xu.dll

==================== Find3M ====================

2010-01-12 22:57:06 162048 ----a-w- c:\windows\system32\drivers\WpsHelper.sys
2009-12-31 16:14:12 352640 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-22 05:35:10 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll
2009-12-22 05:35:05 55808 ------w- c:\windows\system32\dllcache\extmgr.dll
2009-12-22 05:35:05 1054208 ------w- c:\windows\system32\dllcache\danim.dll
2009-12-22 05:35:04 151040 ------w- c:\windows\system32\dllcache\cdfview.dll
2009-12-22 05:35:04 1024000 ------w- c:\windows\system32\dllcache\browseui.dll
2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-21 19:14:05 916480 ------w- c:\windows\system32\dllcache\wininet.dll
2009-12-21 19:14:05 1208832 ------w- c:\windows\system32\dllcache\urlmon.dll
2009-12-21 19:14:04 5942784 ------w- c:\windows\system32\dllcache\mshtml.dll
2009-12-21 19:14:04 206848 ------w- c:\windows\system32\dllcache\occache.dll
2009-12-21 19:14:03 25600 ------w- c:\windows\system32\dllcache\jsproxy.dll
2009-12-21 19:14:03 184320 ------w- c:\windows\system32\dllcache\iepeers.dll
2009-12-21 19:14:01 387584 ------w- c:\windows\system32\dllcache\iedkcs32.dll
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 13:35:58 18432 ------w- c:\windows\system32\dllcache\iedw.exe
2009-12-16 12:58:04 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 12:58:04 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:35:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:35:35 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-09 05:53:44 726528 ----a-w- c:\windows\system32\dllcache\jscript.dll
2009-12-08 18:14:02 2185984 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:11:44 2142720 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 17:35:25 2020864 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 17:35:25 2020864 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 17:35:22 2063104 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-05-01 22:40:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 10:19:18.23 ===============
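Added example, not part of the original thread or of the DDS tool: a small Python parser for the file and service lines of the log above. The two checks it runs (a plain file carrying both the hidden and system attributes; a service whose image path DDS printed as `[?]`) are my own triage heuristics meant to surface entries for a human to review, not a verdict on any file.

```python
import re
from dataclasses import dataclass
# File entry from the "Created Last 30" / "Find3M" sections, e.g.
#   2010-02-23 16:36:51 0 d-sh--w- c:\documents and settings\frontdesk\PrivacIE
# fields: date, time, size in bytes, 8-char attribute field, path (may contain spaces)
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) (\S{8}) (.+)$")
# Service/driver line "S3 name;display;path [date size]"; DDS prints "[?]" when the image file cannot be resolved
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]+);([^;]*);(.+) \[([^\]]*)\]$")

@dataclass
class FileEntry:
    date: str
    time: str
    size: int
    attrs: str  # 'd' = directory, 's' = system, 'h' = hidden, 'a' = archive, 'w'/'r' = writable/read-only
    path: str

    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    def hidden_system_file(self) -> bool:
        # a plain file (not a directory) carrying both the system and hidden attributes
        return not self.is_dir() and "s" in self.attrs and "h" in self.attrs

def parse_file_entries(log_text: str) -> list:
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            date, time, size, attrs, path = m.groups()
            out.append(FileEntry(date, time, int(size), attrs, path))
    return out

def unresolved_services(log_text: str) -> list:
    """Names of services/drivers whose image path DDS reported as '[?]' (heuristic, assumed)."""
    matches = (SERVICE_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.group(2) for m in matches if m and m.group(5) == "?"]

# Constructed sample: a few lines copied from the log posted above
SAMPLE = r"""
2010-02-23 16:36:51 0 d-sh--w- c:\documents and settings\frontdesk\PrivacIE
2010-02-23 15:54:20 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2008-05-01 22:40:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2007-11-29 23888]
S4 vsdatant;vsdatant;a --> a [?]
"""

if __name__ == "__main__":
    print("hidden+system files to review:", [e.path for e in parse_file_entries(SAMPLE) if e.hidden_system_file()])
    print("services with unresolved image path:", unresolved_services(SAMPLE))
```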
08-03-2010, 08:47 PM
Post: #2
Hi

Your log has infections.

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.


Next



Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Unanswered threads for 4 days will no longer be Helped

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here
19-03-2010, 05:29 PM
Post: #3
While we appreciate you are busy, it has been 4 days (or more) since we heard from you. Fresh fixes will now have to be given as malware can change during this period.

You can help support this site from this link; donations are not required. The only advantage to gain from this is that you support TechMonkeys. The support you get from TechMonkeys will not be sped up, as all users are equal.
Donation link is on the front page

Please PM a mod or an admin if you require this thread to be opened or start a new topic. Make sure you include a valid link and the user name used.
