Free Malware Removal Forum

[James L Peacock]

Hello all,

First let me point out that I am not very computer literate. My wife's computer has become infected with "Security Tool" and "Antivirus System Pro" malwares. They may be one and the same, I don't know.

I read you directions:
Download HJTInstall.exe and save to your Desktop.
Double-click HJTInstall.exe to install it.
By default it will install to C:\Program Files\Trend Micro\HijackThis.
Click on "Install."
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the "Do a system scan and save a log file" button. It will scan and a text file will open in Notepad.
Make sure Notepad's Format Menu has Word Wrap unchecked.
Copy/Paste the entire log in your Post.
No matter what it says in the QuickStart Guide or elsewhere, DON'T USE the "ANALYZE THIS" button. Its Findings can be Dangerous for your machine.
DO NOT have Hijackthis fix anything yet. Most of the entries shown in the log are legitimate and are necessary for the operation of your computer.


However the virus will not let me install "HijackThis" (I make it to the licence agreement part of the install and then the process is interupted). So I cannot include the notepad file. Last night before I discovered your site I tried in vain to install Malwarebytes and the virus would stop the software from installing completely. Once or twice I was able to start the scan process only to have the scan terminated by the virus. Also I have been trying to use a program (dos?) called "rkill" to stop or end the virus process before installing "Malwarebytes". The "rkill" program seemed to work a little last night but does not seem work very well today. Also I can sometimes find and end the process named a seeming random set of numbers (ex. 04972530) and that helps for a little while.

I am communicating with you from my computer as my wifes is useless. The internet explorer is not controllable (directs or redirects to site of virus's choice) and very slow. We both use a wire router.

Thank in advance for any help you may provide.
James L. Peacock
Edited to remove what looks like a phone number - Admin

edit - p.s. I can not run computer in "safe mode".

[James L Peacock]

Hello again,

Finally I was able to load, run and save "HijackThis". The results as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:17 PM, on 11/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\PDF Complete\pdfsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://welcome.bellsouth.net/asp/dsl_welcome.asp
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 osawarepro2009.microsoft.com
O1 - Hosts: 91.212.127.227 osawarepro2009.com
O1 - Hosts: 91.212.127.227 http://www.osawarepro2009.com
O2 - BHO: C:\WINDOWS\system32\t2xuzhw908.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\t2xuzhw908.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [pibqbsnc] C:\Documents and Settings\Administrator\Local Settings\Application Data\dctvjl\yvjvsysguard.exe
O4 - HKLM\..\Run: [48072728] C:\DOCUME~1\ALLUSE~1\APPLIC~1\48072728\48072728.exe
O4 - HKLM\..\Run: [vunusatih] Rundll32.exe "c:\windows\system32\soziredo.dll",a
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [91861126] C:\Documents and Settings\All Users\Application Data\91861126\91861126.exe
O4 - HKLM\..\Run: [59414831] C:\DOCUME~1\ALLUSE~1\APPLIC~1\59414831\59414831.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00FCEAF50.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FCEAF50.exe
O4 - HKCU\..\Run: [A00F8D1D0F.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F8D1D0F.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [A00FC49215.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FC49215.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [streamsp60] rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\streamsp60\streamsp60.dll", DllInit
O4 - HKCU\..\Run: [jsh87r3huiehf89esiudgd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\x2bnuk8.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [pibqbsnc] C:\Documents and Settings\Administrator\Local Settings\Application Data\dctvjl\yvjvsysguard.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/stunt-driver/en/"
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\mdm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\mdm.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/do ... gctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4959171109
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Stan ... _4-2-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{72201C63-3B6B-4146-A9B9-4BF9C0FE4D0F}: NameServer = 77.74.48.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {254fc5b0-f81c-45a0-a518-4fef37aac39d} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\soziredo.dll,bofofevu.dll
O20 - Winlogon Notify: __c007BAB9 - C:\WINDOWS\system32\__c007BAB9.dat (file missing)
O20 - Winlogon Notify: __c00B3FC5 - C:\WINDOWS\system32\__c00B3FC5.dat
O21 - SSODL: wogirukep - {32b4e0f9-eac6-4290-9851-77b080be565d} - c:\windows\system32\rudajeki.dll (file missing)
O21 - SSODL: sojadozin - {1a7edc2f-19c6-4876-aa07-4428b5aa6f7e} - c:\windows\system32\soziredo.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\t2xuzhw908.dll
O22 - SharedTaskScheduler: jugezatag - {32b4e0f9-eac6-4290-9851-77b080be565d} - c:\windows\system32\rudajeki.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {1a7edc2f-19c6-4876-aa07-4428b5aa6f7e} - c:\windows\system32\soziredo.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O24 - Desktop Component 0: (no name) - http://i.pbase.com/t6/21/571721/4/71473965.1YtZC2HD.jpg
O24 - Desktop Component 1: (no name) - http://www.johnnydeppfan.com/people9152008thumb.jpg
O24 - Desktop Component 2: (no name) - http://www.horse-races.net/horsecard/hialeahls.jpg

--
End of file - 10055 bytes


Clearly I have no idea what any of this means or what I need to do next. Help please.

James L. Peacock

[Gary R]

We're sorry, but it is necessary to close your topic because you have replied to it prior to receiving a response from a helper.

Due to adding on to your topic with your second post it is highly unlikely that you would have received a response. Our helpers are looking for topics with zero responses. When you post replies to your own topic, it no longer has zero responses, and so it appears that you have received help when in fact, you have not.

If you still require help, please open a new thread in the Malware Removal forum and wait for assistance. Please do not run additional programs and/or post additional logs. Just your HijackThis log to start with is adequate. Your helper will ask for additional logs as needed. DO NOT reply to your own topic until you have received a response from a helper. Be patient. There are others who have been waiting longer than you, so do not expect an immediate reply.

Thank you for your cooperation.

PS. Please do not put your phone number below your name, it is not secure. I have removed them from your earlier posts.