Solved

Worm_Autorun.mcs found and quarantined, but system is still hijacked

Posted on 2008-11-07
Last Modified: 2013-12-06
I have a computer that got a virus - Worm_Autorun.mcs.  We use TrendMicro OfficeScan and it found and quarantined the file.  I have followed the instructions from Trend and the virus cannot be detected any longer.  However, I'm finding that her web browser is still hijacked.  Search results point to re-directed pages rather than the intended location.  I've attached the HJT log file to see if anyone out there can tell me what items to repair.  I appreciate any assistance!
hijackthis.11.7.log
Question by:troypar90
5 Comments
LVL 27

Expert Comment

by:David-Howard
ID: 22905628
I recommend downloading and updating malwarebytes.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HijackThis from
http://www.merijn.org/programs.php
Once you run the utility, save the log file.
You can post it for free analysis here or at
www.hijackthis.de
You are looking for items marked with red X's primarily.
David
LVL 47

Accepted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 22910868

Fix the entries below in HijackThis:
O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe

Fixing the entries and deleting the files should take care of it.
C:\Program Files\tinyproxy <-- you need to delete this folder in Safe Mode as the service is active in normal mode, or disable the service first.

C:\WINDOWS\system32\890166 <-- and this folder

If problem persists, run combofix.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to, and run it from, your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.


CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 1000 total points
ID: 22910901
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
Also fix the above if not using proxy.
And in IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server", or reconfigure the proxy server again if you had set it previously.
For the deletion of the service, instead of fixing the O23 entry, which only disables it, you can do this:
Delete this service --> "DNS Client (Dnscache) "

Go to Start Menu > Run > type

cmd

Press OK, then type or copy and paste these commands into the cmd window, pressing Enter after each line (note that there is a space between the closing parenthesis and the closing quote: ) space "):

sc stop "DNS Client (Dnscache) "
sc delete "DNS Client (Dnscache) "

exit  
NOTE: Do not delete  "Dnscache", that is a legit service.
This is the bad service --> DNS Client (Dnscache)
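The two answers above spot the hijack by eye: a BHO loading from an auto-generated folder under system32, a service that borrows the display name of the built-in DNS Client but runs tinyproxy.exe from Program Files, and an IE ProxyServer value pointing at a loopback port. As an added example (not part of the original thread or of HijackThis itself), the Python script below applies those same three checks mechanically to HijackThis R1/O2/O23 entries. The four flagged lines in the sample are the entries quoted in the answers; the two benign lines (a corporate proxy and a Trend Micro service) are constructed here for contrast, and the list of built-in service display names is a small illustrative set, not a complete one.

```python
"""Triage HijackThis (HJT) log entries for the hijack patterns seen in this thread."""
import re
from dataclasses import dataclass

# Constructed sample log. The first four lines are the entries quoted in the
# answers above; the last two are benign entries made up here for contrast
# (the corporate proxy and the Trend Micro service line are assumptions, not
# taken from the poster's actual log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.corp.example:8080
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
"""


@dataclass
class Finding:
    kind: str    # HJT section: R1, O2 or O23
    reason: str
    line: str


# "R1 - <body>", "O23 - <body>", ...
ENTRY = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# A proxy host that is the local machine: the browser is being relayed through
# a process on this box (here, tinyproxy on port 9090).
LOOPBACK = re.compile(r"(?:^|=|;)\s*(?:127\.\d+\.\d+\.\d+|localhost)(?::\d+)?(?:$|;)", re.I)
# Illustrative subset of built-in Windows service display names that malware
# borrows. Anything using one of these must run from %SystemRoot%\system32.
BUILTIN_DISPLAY_NAMES = {
    "dns client", "workstation", "server", "task scheduler",
    "windows update", "windows firewall", "remote procedure call (rpc)",
}


def check_r1(body, line):
    """R1: '<registry key>,<value name> = <data>'. Flag a ProxyServer on loopback."""
    key, _, value = body.partition(" = ")
    if key.lower().endswith(",proxyserver") and LOOPBACK.search(value):
        return Finding("R1", "ProxyServer points at a loopback port, so all browser "
                             "traffic is relayed through a local process", line)
    return None


def check_o2(body, line):
    """O2: 'BHO: <name> - {CLSID} - <dll path>'. Flag DLLs in dropper-style folders."""
    if not body.startswith("BHO: "):
        return None
    fields = body[len("BHO: "):].rsplit(" - ", 2)
    if len(fields) != 3:
        return None
    _name, _clsid, path = fields
    parts = path.lower().split("\\")
    folder, dll = parts[-2], parts[-1]
    dll_stem = dll.rsplit(".", 1)[0]
    # All-digit folder names, or a DLL named after its own folder, are the
    # auto-generated layout a dropper creates; real add-ons install elsewhere.
    if folder.isdigit() or dll_stem == folder:
        return Finding("O2", f"BHO DLL loads from auto-generated folder '{folder}' "
                             "under the Windows directory", line)
    return None


def check_o23(body, line):
    """O23: 'Service: <display> (<short>) - <owner> - <exe>'. Flag lookalike services."""
    if not body.startswith("Service: "):
        return None
    fields = body[len("Service: "):].rsplit(" - ", 2)
    if len(fields) != 3:
        return None
    names, _owner, path = fields
    display = names.rsplit(" (", 1)[0].strip().lower()
    under_system32 = "\\system32\\" in path.lower()
    if display in BUILTIN_DISPLAY_NAMES and not under_system32:
        return Finding("O23", f"service borrows the built-in display name '{display}' "
                              f"but runs {path} outside system32", line)
    return None


CHECKS = {"R1": check_r1, "O2": check_o2, "O23": check_o23}


def triage(log_text):
    """Return the suspicious entries of an HJT log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        if check is None:
            continue
        finding = check(m.group("body"), line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

One caveat the script cannot cover: HijackThis prints the service names it sees, so the trailing space that distinguishes the rogue "DNS Client (Dnscache) " from the real Dnscache (the point of the sc stop/sc delete commands above) is not visible in the log line. Confirm on the live machine with the Services console or sc query before deleting anything, and match on the executable path rather than the display name.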
Author Closing Comment

by:troypar90
ID: 31514400
Thank you rpggamergirl - problem solved. I followed your instructions in both posts and it worked perfectly. There was no need to run Combofix.exe, the HJT fixes along with the DNScache service suggestions worked fine.  Thanks again!
LVL 47

Expert Comment

by:rpggamergirl
ID: 22920877
You're welcome!
Glad to know it's resolved.

Sorry for the typo in my second post ( I just noticed it.)
Thanks for the points and the grade!