Worm_Autorun.mcs found and quarantined, but system is still hijacked

Posted on 2008-11-07
Last Modified: 2013-12-06
I have a computer that got a virus - Worm_Autorun.mcs.  We use TrendMicro OfficeScan and it found and quarantined the file.  I have followed the instructions from Trend and the virus cannot be detected any longer.  However, I'm finding that her web browser is still hijacked.  Search results point to re-directed pages rather than the intended location.  I've attached the HJT log file to see if anyone out there can tell me what items to repair.  I appreciate any assistance!
Question by:troypar90
    LVL 27

    Expert Comment

    I recommend downloading and updating malwarebytes.
    You can get it free from
    Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
    You should do this with your current antivirus product as well.
    You may also need to download and run HiJackThis from
    Once you run the utility save the log file.
    You can post it for free analysis here or at
    You are looking for items marked with red X's primarily.
    LVL 47

    Accepted Solution


    Fix the entries below in Hijackthis:
    O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll
    O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe

    Fixing the entries and deleting the files should take care of it.
    C:\Program Files\tinyproxy <-- you need to delete this folder in Safe Mode as the service is active in normal mode, or disable the service first.

    C:\WINDOWS\system32\890166 <-- and this folder

    If problem persists, run combofix.
    Please download ComboFix by sUBs:
    You must download it to and run it from your Desktop
    Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    Double click combofix.exe & follow the prompts.
    When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
    Re-enable all the programs that were disabled during the running of ComboFix.

    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    LVL 47

    Assisted Solution

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    Also fix the above if not using proxy.
    And in IE: Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server", or reconfigure the proxy server again if you had set it previously.
    For the deletion of the service, instead of fixing the O23 entry, which only disables it, you can do this:
    Delete this service --> "DNS Client (Dnscache) "

    Go to Start Menu > Run > type


    Press OK, then type or copy and paste these commands into the cmd window, pressing Enter after each line (note that there is a space between the closing parenthesis and the end quote --->    ) space ")

    sc stop "DNS Client (Dnscache) "
    sc delete "DNS Client (Dnscache) "

    NOTE: Do not delete  "Dnscache", that is a legit service.
    This is the bad service --> DNS Client (Dnscache)
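
As an added example, not part of the original thread or of HijackThis, here is a small Python triage script that parses the three HJT entry types the answers above deal with (R1 proxy settings, O2 BHOs, O23 services) and flags the indicators they point at: a service display name padded with whitespace to impersonate a built-in service, a "known" service whose image path is not the expected svchost.exe, a BHO loaded from a purely numeric folder, and a configured browser proxy. The log excerpt is constructed from the lines quoted in the thread; the proxy address and the legitimate svchost.exe line are made up for contrast, and the known-service table is a hypothetical stub. The parser deliberately keeps the whitespace in the service name so that the exact name (trailing space included) can be copied into the sc stop / sc delete commands.

```python
"""Triage HijackThis-style log lines for the indicators discussed in the thread."""
import re
from typing import Dict, List

# Hypothetical allow-list: expected image-path suffix for a few well-known
# Windows service display names. A real table would be far longer.
KNOWN_SERVICES = {
    "DNS Client (Dnscache)": r"\system32\svchost.exe",
}

# Constructed HJT-style excerpt. The bad O23 line carries the trailing space
# in the display name that the thread describes (two spaces before " - ").
SAMPLE_HJT_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8080",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>",
    r"O2 - BHO: 890166 helper - {A48FE9AC-DD02-4FF7-9211-B7BA9A2C8BF2} - C:\WINDOWS\system32\890166\890166.dll",
    r"O23 - Service: DNS Client (Dnscache)  - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe",
    r"O23 - Service: DNS Client (Dnscache) - Unknown owner - C:\WINDOWS\system32\svchost.exe",  # legit, for contrast
])

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>.+?),(?P<value>ProxyServer|ProxyOverride) = (?P<data>.*)$")


def check_service(name: str, path: str) -> List[str]:
    """Flag whitespace-padded names and known services running from the wrong binary."""
    reasons = []
    canonical = name.strip()
    if canonical != name:
        reasons.append("service display name is padded with whitespace (mimics a built-in service)")
    expected = KNOWN_SERVICES.get(canonical)
    if expected and not path.lower().endswith(expected.lower()):
        reasons.append(f"'{canonical}' is expected to run from ...{expected}, found {path}")
    return reasons


def check_bho(path: str) -> List[str]:
    """Flag a BHO whose DLL lives in, or is named as, a purely numeric path component."""
    components = path.split("\\")
    if any(part.isdigit() or part.rsplit(".", 1)[0].isdigit() for part in components):
        return ["BHO DLL path contains a purely numeric folder or file name"]
    return []


def check_proxy(value: str, data: str) -> List[str]:
    """Flag any configured ProxyServer so the owner can confirm it is intended."""
    if value == "ProxyServer" and data.strip():
        return [f"browser proxy is configured ({data.strip()}); confirm this is intended"]
    return []


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per (line, reason) pair for the suspicious entries in an HJT log."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons: List[str] = []
        if m := O23_RE.match(line):
            reasons = check_service(m["name"], m["path"])
        elif m := O2_RE.match(line):
            reasons = check_bho(m["path"])
        elif m := R1_RE.match(line):
            reasons = check_proxy(m["value"], m["data"])
        for reason in reasons:
            findings.append({"line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_HJT_LOG):
        print(f"{finding['reason']}\n    {finding['line']}")
```

Run against the constructed excerpt it reports four findings: the proxy setting, the numeric BHO folder, and two for the fake "DNS Client (Dnscache) " service (padded name and wrong image path); the genuine svchost.exe-backed entry is left alone, which is exactly the distinction the NOTE above asks the reader to make before running sc delete.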

    Author Closing Comment

    Thank you rpggamergirl - problem solved. I followed your instructions in both posts and it worked perfectly. There was no need to run Combofix.exe, the HJT fixes along with the DNScache service suggestions worked fine.  Thanks again!
    LVL 47

    Expert Comment

    You're welcome!
    Glad to know it's resolved.

    Sorry for the typo in my second post ( I just noticed it.)
    Thanks for the points and the grade!
