Internet Security 2010 + other malware


Internet Security 2010 + other malware

Post by talks2fst on 17th January 2010, 1:54 am

Hello. I am trying to rid a laptop of the malware program Internet Security 2010, plus other problems (browser redirecters, rogueware, etc.). The virus has disabled Task Manager and other system functions. I am able to do limited things in safe mode. I have downloaded Malwarebytes, but it will not open or install. I cannot navigate to antivirus sites, or to your site, on the infected computer.

Here is a copy of the HijackThis log. Thanks in advance for your help; you have pulled me out of a bind in the past, and I know you guys will handle this with ease. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:14 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\smss32.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
F2 - REG:system.ini: UserInit=C:\WINNT\system32\winlogon32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {97503139-D2B6-481B-81D8-FF4155AED720} - C:\WINNT\system32\cbXOGXOh.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [tagojopes] Rundll32.exe "c:\winnt\system32\hidumule.dll",a
O4 - HKLM\..\Run: [smss32.exe] C:\WINNT\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\helper32.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - [You must be registered and logged in to see this link.]
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - [You must be registered and logged in to see this link.]
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - [You must be registered and logged in to see this link.]
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - [You must be registered and logged in to see this link.]
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - [You must be registered and logged in to see this link.]
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O20 - AppInit_DLLs: zegofuho.dll c:\winnt\system32\zurimusa.dll c:\winnt\system32\hidumule.dll
O20 - Winlogon Notify: ssqOGyvt - ssqOGyvt.dll (file missing)
O21 - SSODL: hukateruf - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O21 - SSODL: gifozafof - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\winnt\system32\hidumule.dll
O21 - SSODL: nuvenidah - {d7c7492d-fe33-4d35-8841-87448a925bd1} - c:\winnt\system32\hidumule.dll
O21 - SSODL: rumadowat - {2b144af7-7413-4da8-b107-06ddc726aae7} - c:\winnt\system32\hidumule.dll
O21 - SSODL: riluyirer - {daaf16df-e62c-460d-996c-5043e4f4efbe} - c:\winnt\system32\hidumule.dll
O21 - SSODL: tasiwomej - {f1b25228-2166-4539-bbf1-a2245b3b3eb7} - c:\winnt\system32\hidumule.dll
O21 - SSODL: kilozofat - {071baf01-f77c-4951-b86c-8e46ab3b92d4} - c:\winnt\system32\hidumule.dll
O21 - SSODL: denigekeg - {e32ab11f-53c5-4848-92c8-2079c57a1fed} - c:\winnt\system32\hidumule.dll
O21 - SSODL: ponemenoh - {a4b9203d-5f47-4779-80a3-74d5a4b06b98} - c:\winnt\system32\hidumule.dll
O21 - SSODL: hehujojij - {9fe33429-b47d-4467-8a72-4426ca0d8dcb} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {d7c7492d-fe33-4d35-8841-87448a925bd1} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {2b144af7-7413-4da8-b107-06ddc726aae7} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {daaf16df-e62c-460d-996c-5043e4f4efbe} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: tokatiluy - {f1b25228-2166-4539-bbf1-a2245b3b3eb7} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {071baf01-f77c-4951-b86c-8e46ab3b92d4} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: mujuzedij - {e32ab11f-53c5-4848-92c8-2079c57a1fed} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: jugezatag - {a4b9203d-5f47-4779-80a3-74d5a4b06b98} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: mujuzedij - {9fe33429-b47d-4467-8a72-4426ca0d8dcb} - c:\winnt\system32\hidumule.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10542 bytes

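As an added example (not part of the original post, and not HijackThis code), here is a small Python triage script run over a handful of the log lines posted above. It flags the persistence patterns a helper reads first in such a log: a UserInit value that is not userinit.exe, file names that imitate core system processes with a numeric suffix (smss32.exe, winlogon32.exe), AppInit_DLLs entries, an unknown Winsock LSP, a Winlogon Notify DLL that no longer exists, and a single DLL registered under many O21/O22 CLSIDs. The list of imitated process names and the shared-DLL threshold are this script's own assumptions, not HijackThis rules.

```python
"""Triage a HijackThis 2.0.x log for a few persistence patterns.

Added example, not part of the forum post or of HijackThis. The checks and the
shared-DLL threshold are this script's own heuristics, not HijackThis rules.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = """\
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\winlogon.exe
C:\\WINNT\\system32\\smss32.exe
C:\\WINNT\\system32\\ctfmon.exe

F2 - REG:system.ini: UserInit=C:\\WINNT\\system32\\winlogon32.exe
O4 - HKLM\\..\\Run: [smss32.exe] C:\\WINNT\\system32\\smss32.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINNT\\system32\\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\\winnt\\system32\\helper32.dll
O20 - AppInit_DLLs: zegofuho.dll c:\\winnt\\system32\\zurimusa.dll c:\\winnt\\system32\\hidumule.dll
O20 - Winlogon Notify: ssqOGyvt - ssqOGyvt.dll (file missing)
O21 - SSODL: hukateruf - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\\winnt\\system32\\hidumule.dll
O21 - SSODL: gifozafof - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\\winnt\\system32\\hidumule.dll
O21 - SSODL: nuvenidah - {d7c7492d-fe33-4d35-8841-87448a925bd1} - c:\\winnt\\system32\\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\\winnt\\system32\\hidumule.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
"""

# Core Windows process names that malware imitates with a numeric suffix
# (smss32.exe beside the real smss.exe). The list is this example's choice.
LOOKALIKE = re.compile(
    r"^(smss|csrss|winlogon|lsass|services|svchost|explorer)\d+\.(exe|dll)$", re.I)
# Drive-rooted .exe/.dll paths without spaces (enough for the system32 cases here).
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.(?:exe|dll)", re.I)
SECTION_RE = re.compile(r"^(F\d|O\d+|R\d)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)


def paths_in(line):
    """All drive-rooted .exe/.dll paths mentioned on a line."""
    return PATH_RE.findall(line)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text, shared_dll_threshold=3):
    """Return (section, reason, target) tuples for every suspicious item."""
    findings = []
    dll_refs = defaultdict(set)  # lowercase dll path -> CLSIDs it is registered under

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        section, body = (m.group(1), m.group(2)) if m else ("proc", line)

        # 1. look-alike names anywhere (process list, O4, F2, ...)
        for p in paths_in(line):
            if LOOKALIKE.match(basename(p)):
                findings.append((section, "system-process look-alike name", p))

        # 2. UserInit should be userinit.exe; anything else runs at every logon
        if section == "F2" and "UserInit=" in body:
            target = body.split("UserInit=", 1)[1].strip().rstrip(",")
            if basename(target).lower() != "userinit.exe":
                findings.append((section, "non-default UserInit", target))

        # 3. AppInit_DLLs: each listed DLL is loaded into every user32-linked process
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body[len("AppInit_DLLs:"):].split():
                findings.append((section, "AppInit_DLLs entry", dll))

        # 4. Winsock LSP that HijackThis could not attribute to a known vendor
        if section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            findings.append((section, "unknown Winsock LSP", body.split(":", 1)[1].strip()))

        # 5. Winlogon Notify entry whose DLL is gone from disk
        if section == "O20" and body.startswith("Winlogon Notify:") and "(file missing)" in body:
            findings.append((section, "Winlogon Notify with missing DLL", body))

        # 6. collect shell-extension hooks (SSODL / SharedTaskScheduler) per DLL
        if section in ("O21", "O22"):
            clsid = CLSID_RE.search(body)
            if clsid:
                for p in paths_in(body):
                    dll_refs[p.lower()].add(clsid.group(0).lower())

    # one DLL behind many distinct CLSIDs is the re-registration pattern in this log
    for dll, clsids in dll_refs.items():
        if len(clsids) >= shared_dll_threshold:
            findings.append(("O21/O22", f"one DLL behind {len(clsids)} shell-hook CLSIDs", dll))
    return findings


if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section:8} {reason:40} {target}")
```

Everything the script reports is already visible in the log; its value is that it separates the handful of lines that matter (the F2, O4, O10, O20 and repeated O21/O22 entries) from the legitimate services and toolbars around them, which is the same reading a helper does by eye.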

Re: Internet Security 2010 + other malware

Post by Dr Jay on 17th January 2010, 2:41 am

Please visit this webpage for instructions for downloading and running ComboFix:

[You must be registered and logged in to see this link.]

Post the log from ComboFix when you've accomplished that.


Dr. Jay (DJ)

Re: Internet Security 2010 + other malware

Post by talks2fst on 17th January 2010, 2:25 pm

Thank you for your speedy response. I followed your instructions and downloaded the ComboFix program on another computer, and then copied it to the desktop of the infected computer. The file and icon show on the desktop; however, when I attempt to open it, I simply get the "busy" hourglass for about 15 seconds, then the cursor returns back to the arrow and nothing happens. The same thing happens when I try to run/install Malwarebytes. Attempting to open any other icon on the desktop will work. Downloading and installing a non-virus-fixing program (WinRAR, for example) works just fine.

I await your instructions. Thank you.

Susan


Re: Internet Security 2010 + other malware

Post by Dr Jay on 17th January 2010, 9:30 pm

Download avz4.zip from [You must be registered and logged in to see this link.]

  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the Right of the Log window:
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis with malware removal mode enabled" check box.
  3. Click on the Execute selected scripts.
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
  7. All applications will work properly after the system restart.

When restarted

  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on the "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:

Go to MediaFire.com and upload them, then post the links here to the downloads.


Dr. Jay (DJ)

Re: Internet Security 2010 + other malware

Post by talks2fst on 18th January 2010, 6:14 am

I followed the instructions above. The procedure would not work at first, but when I booted up to safe mode I was able to run the scans completely. You can find the logfiles at:

[You must be registered and logged in to see this link.]

Thank you so much for your help.
Susan


Re: Internet Security 2010 + other malware

Post by Dr Jay on 18th January 2010, 6:21 am

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
[You must be registered and logged in to see this link.] are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to: [You must be registered and logged in to see this link.]
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer, because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.


Dr. Jay (DJ)

Re: Internet Security 2010 + other malware

Post by talks2fst on 19th January 2010, 8:56 pm

Based on your recommendation, I will reformat and reinstall. Thank you very much for your help and for your concern regarding the safety of the computer, and for all of your assistance.

Sincerely,

Susan


Re: Internet Security 2010 + other malware

Post by Dr Jay on 20th January 2010, 3:21 am

You are welcome. :)


Dr. Jay (DJ)