WiredWX Christian Hobby Weather Tools
Internet Security 2010 + other malware

Hello. I am trying to rid a laptop of the malware program Internet Security 2010, plus other problems (browser redirectors, rogueware, etc.). The virus has disabled Task Manager and other system functions. I am able to do limited things in safe mode. I have downloaded Malwarebytes, but it will not open or install. I cannot navigate to antivirus sites, or to your site, on the infected computer.

Here is a copy of the HijackThis log. Thanks in advance for your help; you have pulled me out of a bind in the past, and I know you guys will handle this with ease. Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:14 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16945)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ctfmon.exe
C:\WINNT\system32\smss32.exe
C:\WINNT\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Documents and Settings\Administrator\Desktop\mbam-setup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yma2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yma2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
F2 - REG:system.ini: UserInit=C:\WINNT\system32\winlogon32.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {97503139-D2B6-481B-81D8-FF4155AED720} - C:\WINNT\system32\cbXOGXOh.dll (file missing)
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [tagojopes] Rundll32.exe "c:\winnt\system32\hidumule.dll",a
O4 - HKLM\..\Run: [smss32.exe] C:\WINNT\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Internet Security 2010] C:\Program Files\InternetSecurity2010\IS2010.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\helper32.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\helper32.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - https://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159054299403
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (file missing)
O20 - AppInit_DLLs: zegofuho.dll c:\winnt\system32\zurimusa.dll c:\winnt\system32\hidumule.dll
O20 - Winlogon Notify: ssqOGyvt - ssqOGyvt.dll (file missing)
O21 - SSODL: hukateruf - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O21 - SSODL: gifozafof - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\winnt\system32\hidumule.dll
O21 - SSODL: nuvenidah - {d7c7492d-fe33-4d35-8841-87448a925bd1} - c:\winnt\system32\hidumule.dll
O21 - SSODL: rumadowat - {2b144af7-7413-4da8-b107-06ddc726aae7} - c:\winnt\system32\hidumule.dll
O21 - SSODL: riluyirer - {daaf16df-e62c-460d-996c-5043e4f4efbe} - c:\winnt\system32\hidumule.dll
O21 - SSODL: tasiwomej - {f1b25228-2166-4539-bbf1-a2245b3b3eb7} - c:\winnt\system32\hidumule.dll
O21 - SSODL: kilozofat - {071baf01-f77c-4951-b86c-8e46ab3b92d4} - c:\winnt\system32\hidumule.dll
O21 - SSODL: denigekeg - {e32ab11f-53c5-4848-92c8-2079c57a1fed} - c:\winnt\system32\hidumule.dll
O21 - SSODL: ponemenoh - {a4b9203d-5f47-4779-80a3-74d5a4b06b98} - c:\winnt\system32\hidumule.dll
O21 - SSODL: hehujojij - {9fe33429-b47d-4467-8a72-4426ca0d8dcb} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {d7c7492d-fe33-4d35-8841-87448a925bd1} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {2b144af7-7413-4da8-b107-06ddc726aae7} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {daaf16df-e62c-460d-996c-5043e4f4efbe} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: tokatiluy - {f1b25228-2166-4539-bbf1-a2245b3b3eb7} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: gahurihor - {071baf01-f77c-4951-b86c-8e46ab3b92d4} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: mujuzedij - {e32ab11f-53c5-4848-92c8-2079c57a1fed} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: jugezatag - {a4b9203d-5f47-4779-80a3-74d5a4b06b98} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: mujuzedij - {9fe33429-b47d-4467-8a72-4426ca0d8dcb} - c:\winnt\system32\hidumule.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 10542 bytes
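As an added example (not part of Susan's post, and not the forum's or HijackThis's own tooling), the following Python script shows the kind of triage a helper applies to a log like the one above: it parses the `Rn`/`Fn`/`On` entries and flags the indicators that stand out here, namely a `UserInit` override, a populated `AppInit_DLLs` value, unrecognised Winsock LSP modules, entries whose file is missing, autostart files whose names mimic core Windows processes, and a single DLL hooked through several load points. The heuristics, thresholds and function names are this example's own assumptions; the sample lines are copied from the log above.

```python
"""Triage a HijackThis log for common persistence indicators.

Added example, not part of the forum thread. The rules below are
heuristics chosen for this example, not HijackThis's own analysis.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINNT\system32\winlogon32.exe
O2 - BHO: (no name) - {97503139-D2B6-481B-81D8-FF4155AED720} - C:\WINNT\system32\cbXOGXOh.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [tagojopes] Rundll32.exe "c:\winnt\system32\hidumule.dll",a
O4 - HKLM\..\Run: [smss32.exe] C:\WINNT\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\helper32.dll
O20 - AppInit_DLLs: zegofuho.dll c:\winnt\system32\zurimusa.dll c:\winnt\system32\hidumule.dll
O21 - SSODL: hukateruf - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O21 - SSODL: gifozafof - {59c77459-4b85-42ba-b3bb-fe55832def20} - c:\winnt\system32\hidumule.dll
O22 - SharedTaskScheduler: kupuhivus - {86b99dc3-69c4-4275-a47d-fe9e26ca48bf} - c:\winnt\system32\hidumule.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "R0 - ...", "F2 - ...", "O21 - ..." entry lines; process-list lines are skipped.
ENTRY = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# A drive-rooted Windows path ending in a binary extension (spaces allowed).
WIN_PATH = re.compile(r'[a-z]:\\[^"\n,]+?\.(?:exe|dll|sys|cab)\b', re.I)
# Heuristic (assumption): a core process name with extra characters glued on,
# e.g. smss32.exe or winlogon32.exe; the genuine names never match.
CORE_LOOKALIKE = re.compile(
    r"^(?:smss|csrss|winlogon|lsass|services|svchost|explorer)\w+\.exe$", re.I)


def parse_entries(text):
    """Return (section, body, [lowercased paths]) for each HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        paths = [p.lower() for p in WIN_PATH.findall(body)]
        entries.append((section, body, paths))
    return entries


def triage(text):
    """Return a list of (section, reason, evidence) findings for a log."""
    findings = []
    loaders = defaultdict(set)  # lowercased DLL path -> sections that load it
    for section, body, paths in parse_entries(text):
        low = body.lower()
        if section == "F2" and "userinit=" in low:
            target = low.split("=", 1)[1].strip()
            # Assumption: on a clean XP system UserInit is <system32>\userinit.exe.
            if not target.endswith("\\userinit.exe"):
                findings.append((section, "UserInit points away from userinit.exe", body))
        if section == "O20" and low.startswith("appinit_dlls:"):
            findings.append((section, "AppInit_DLLs populated (empty on a clean XP)", body))
        if section == "O10" and "unknown file" in low:
            findings.append((section, "unrecognised Winsock LSP module", body))
        if "(file missing)" in low:
            findings.append((section, "orphaned entry, referenced file missing", body))
        for p in paths:
            name = p.rsplit("\\", 1)[-1]
            if CORE_LOOKALIKE.match(name):
                findings.append((section, f"autostart file name mimics a core Windows process: {name}", body))
            if name.endswith(".dll"):
                loaders[p].add(section)
    # One DLL reachable from three or more distinct load points (threshold is an assumption).
    for dll, sections in loaders.items():
        if len(sections) >= 3:
            findings.append(("*", f"one DLL hooked via {len(sections)} load points "
                                  f"({', '.join(sorted(sections))}): {dll}", dll))
    return findings


if __name__ == "__main__":
    for section, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {evidence}")
```

Run stand-alone, the script prints one finding per flagged entry; pointing `triage()` at the full text of a saved log instead of `SAMPLE_LOG` applies the same rules to every entry. The cross-entry count is the part a line-by-line read misses: `hidumule.dll` is reached from the Run key, AppInit_DLLs, the SSODL entries and the SharedTaskScheduler entries at once, which is why removing any single entry would not have cleared it.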

Re: Internet Security 2010 + other malware

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that.

Re: Internet Security 2010 + other malware

Thank you for your speedy response. I followed your instructions and downloaded the ComboFix program on another computer, and then copied it to the desktop of the infected computer. The file and icon show on the desktop; however, when I attempt to open it, I simply get the "busy" hourglass for about 15 seconds, then the cursor returns to the arrow and nothing happens. The same thing happens when I try to run/install Malwarebytes. Attempting to open any other icon on the desktop works. Downloading and installing a non-virus-fixing program (WinRAR, for example) works just fine.

I await your instructions. Thank you.

Susan

Re: Internet Security 2010 + other malware

Download avz4.zip from HERE

  1. Unzip it to your desktop to a folder named avz4
  2. Double click on AVZ.exe to run it.
  3. Run an update by clicking the Auto Update button on the right of the Log window.
  4. Click Start to begin the update

Note: If you receive an error message, choose a different source, then click Start again.



  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the
    "Advanced System Analysis with malware removal mode enabled" check box.
  3. Click on "Execute selected scripts".
  4. Automatic scanning, healing and system check will be executed.
  5. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
  6. It is necessary to reboot your machine, because AVZ might disturb some
    program operations (like antiviruses and firewall) during the system
    scan.
  7. All applications will work properly after the system restart.


When restarted


  1. Start AVZ.
  2. Choose from the menu "File" => "Standard scripts" and mark the "Advanced System Analysis" check box.
  3. Click on "Execute selected scripts".
  4. A system check will be automatically performed, and the created logfile
    (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory
    as virusinfo_syscheck.zip.


Attach both virusinfo_syscure.zip and virusinfo_syscheck.zip to your next post

To attach a file, do the following:

Go to MediaFire.com and upload them, then post the links here to the downloads.

Re: Internet Security 2010 + other malware

I followed the instructions above. The procedure would not work at first, but when I booted into safe mode I was able to run the scans completely. You can find the logfiles at:

www.mediafire.com/avzlogfiles

thank you so much for your help.
susan

Re: Internet Security 2010 + other malware

There is a dangerous backdoor trojan on your system. This is a sign of total system compromise.
Backdoor trojans are very dangerous because they compromise system integrity by making changes that allow the system to be used by the attacker for malicious purposes. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords and personal and financial data, which is sent back to the hacker. To learn more about these types of infections, you can refer to: http://www.viruslist.com/en/viruses/glossary?glossid=189208417
I would counsel you to immediately disconnect this PC from the Internet and from your network if it is on a network. Disconnect the infected computer until the computer can be cleaned.
Then, access this information from a non-compromised computer to follow the steps needed.
If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable. Do NOT change passwords or do any transactions while using the infected computer because the attacker may get the new passwords and transaction information. (If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.) Banking and credit card institutions should be notified to apprise them of your situation (possible security breach). To protect your information that may have been compromised, I recommend reading these references:

Though the backdoor has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be completely cleaned or repaired, so you can never be sure that you have completely removed a backdoor trojan. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove backdoor trojans cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with such a piece of malware, the best course of action would be a reformat and clean reinstall of the OS. This is something I don't like to recommend normally, but in most cases it is the best solution for your safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
Guides for format and reinstall: http://www.GeekPolice.net/tutorials-guides-f13/how-to-reformat-and-reinstall-your-operating-system-t15119.htm#95115

http://www.helpmyos.com/tutorials-software-alternatives-to-proprietary-f19/how-to-reformat-and-reinstall-your-operating-system-the-easy-way-t1307.htm#3143
However, if you do not have the resources to reinstall your computer's OS and would like me to attempt to clean it, I will be happy to do so. But please consider carefully before deciding against a reformat.
If you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful.

Please let me know what you have decided to do in your next post. Should you have any questions, please feel free to ask.

Re: Internet Security 2010 + other malware

Based on your recommendation, I will reformat and reinstall. Thank you very much for your help and for your concern regarding the safety of the computer, and for all of your assistance.

Sincerely,

Susan

Re: Internet Security 2010 + other malware

You are welcome.
