Free Malware Removal Forum

[James L Peacock]

Hello all,

Here is the HijackThis file from my wife's computer. The computer uses a wireless router and is currently inoperable.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:31 PM, on 11/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\PDF Complete\pdfsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Rising\Rav\CCENTER.EXE
C:\Program Files\Rising\Rav\RavTask.exe
C:\Program Files\Rising\Rav\ScanFrm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANToManager.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.att.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://welcome.bellsouth.net/asp/dsl_welcome.asp
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.227 osawarepro2009.com
O1 - Hosts: 91.212.127.227 www.osawarepro2009.com
O2 - BHO: C:\WINDOWS\system32\t2xuzhw908.dll - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\t2xuzhw908.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKLM\..\Run: [pibqbsnc] C:\Documents and Settings\Administrator\Local Settings\Application Data\dctvjl\yvjvsysguard.exe
O4 - HKLM\..\Run: [48072728] C:\DOCUME~1\ALLUSE~1\APPLIC~1\48072728\48072728.exe
O4 - HKLM\..\Run: [vunusatih] Rundll32.exe "c:\windows\system32\soziredo.dll",a
O4 - HKLM\..\Run: [91861126] C:\Documents and Settings\All Users\Application Data\91861126\91861126.exe
O4 - HKLM\..\Run: [59414831] C:\DOCUME~1\ALLUSE~1\APPLIC~1\59414831\59414831.exe
O4 - HKLM\..\Run: [PSUNMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe" /Traybar
O4 - HKLM\..\Run: [RavTray] "C:\Program Files\Rising\Rav\RsTray.exe" -system
O4 - HKLM\..\RunOnce: [PsNAvInstaller] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Pan42.tmp\Setup.exe" /Restart:Pan42.tmp
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Rav] "C:\Program Files\Rising\Rav\Update\setup.exe" /FIRST /ONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [A00FCEAF50.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FCEAF50.exe
O4 - HKCU\..\Run: [A00F8D1D0F.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00F8D1D0F.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [OM2_Monitor] "C:\Program Files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe"
O4 - HKCU\..\Run: [A00FC49215.exe] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\_A00FC49215.exe
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\LOCALS~1\ntuser.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [streamsp60] rundll32.exe "C:\Documents and Settings\Administrator\Local Settings\Application Data\streamsp60\streamsp60.dll", DllInit
O4 - HKCU\..\Run: [jsh87r3huiehf89esiudgd] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\x2bnuk8.exe
O4 - HKCU\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\login.exe
O4 - HKCU\..\Run: [pibqbsnc] C:\Documents and Settings\Administrator\Local Settings\Application Data\dctvjl\yvjvsysguard.exe
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINDOWS\system32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; GTB6; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.miniclip.com/games/stunt-driver/en/"
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\mdm.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\mdm.exe (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: scandisk.dll
O4 - Startup: scandisk.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://echat.bellsouth.net/sdccommon/do ... gctlcm.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4959171109
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/i ... ection.cab
O16 - DPF: {EA7F451B-94DD-4009-A8BF-8F977B0B2696} - http://pbells.broadjump.com/wizlet/Stan ... _4-2-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O17 - HKLM\System\CCS\Services\Tcpip\..\{72201C63-3B6B-4146-A9B9-4BF9C0FE4D0F}: NameServer = 77.74.48.113
O17 - HKLM\System\CS1\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O17 - HKLM\System\CS2\Services\Tcpip\..\{1540F201-ADE6-4689-9699-020EA2D6BA7B}: NameServer = 77.74.48.113
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Filter hijack: text/html - {254fc5b0-f81c-45a0-a518-4fef37aac39d} - C:\WINDOWS\batmeter16.dll
O20 - AppInit_DLLs: c:\windows\system32\soziredo.dll,bofofevu.dll
O20 - Winlogon Notify: __c007BAB9 - C:\WINDOWS\system32\__c007BAB9.dat (file missing)
O20 - Winlogon Notify: __c00B3FC5 - C:\WINDOWS\system32\__c00B3FC5.dat
O21 - SSODL: wogirukep - {32b4e0f9-eac6-4290-9851-77b080be565d} - c:\windows\system32\rudajeki.dll (file missing)
O21 - SSODL: sojadozin - {1a7edc2f-19c6-4876-aa07-4428b5aa6f7e} - c:\windows\system32\soziredo.dll
O22 - SharedTaskScheduler: jkshf8a3rudbfa873fudfhbdugf87whjdb - {B45A4B16-23F2-41AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\t2xuzhw908.dll
O22 - SharedTaskScheduler: jugezatag - {32b4e0f9-eac6-4290-9851-77b080be565d} - c:\windows\system32\rudajeki.dll (file missing)
O22 - SharedTaskScheduler: jugezatag - {1a7edc2f-19c6-4876-aa07-4428b5aa6f7e} - c:\windows\system32\soziredo.dll
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NanoServiceMain - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe
O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Program Files\PDF Complete\pdfsvc.exe
O23 - Service: Rav Process Communication Center (RavCCenter) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\CCENTER.EXE
O23 - Service: Rising RavTask Manager (RavTask) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavTask.exe
O23 - Service: Rising RealTime Monitor (RsRavMon) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\RavMonD.exe
O23 - Service: Rising Scan Service (RsScanSrv) - Beijing Rising Information Technology Co., Ltd. - C:\Program Files\Rising\Rav\ScanFrm.exe
O24 - Desktop Component 0: (no name) - http://i.pbase.com/t6/21/571721/4/71473965.1YtZC2HD.jpg
O24 - Desktop Component 1: (no name) - http://www.johnnydeppfan.com/people9152008thumb.jpg
O24 - Desktop Component 2: (no name) - http://www.horse-races.net/horsecard/hialeahls.jpg

--
End of file - 11337 bytes


After running HijackThis I tried to install "Malwarebytes", "Windows malicious software removal tool" and "RavINFree". Now all I get is blue screen. I can't run in safe mode either.

Is there any hope left?
James L. Peacock

[Dakeyras]

Hi,

I have bad news I'm afraid

Unfortunately, one or more of the identified infections on this system is a Backdoor Trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately and keep it disconnected. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

In addition to the backdoor Trojan that has been identified, this system is afflicted with other infections. This machine is obviously seriously infected and, even if it were stable enough to run the programs that would be needed in order to attempt cleaning it, it could never be considered to be truly clean, secure, or trustworthy without a reformat and reinstallation of the operating system. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damage it may possibly have caused to vital system files. Additionally, it is quite possible that changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system would be highly unlikely to regain any semblance of stability or reasonable functionality without a reformat. Therefore, your best and safest course of action is a reformat and reinstallation of the Windows operating system.

I'm sorry I do not have more encouraging news for you.

[chryssi2001]

Due to lack of activity this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.