Solved

Malware/Virus has beaten me!

Posted on 2009-03-31
Last Modified: 2013-12-06
I've got a laptop that will not let me install/run any spyware/malware programs, will not let me go to their webpages, UBCD's virus/spyware tools found no issues.

I have used HiJackThis to clean up enough so that I can finally download Malwarebytes Anti-Malware and got it installed. Used the http://www.hijackthis.de too. But when I try to run it, it just freezes up and never gets into the app.

Anytime I search Google for Malwarebytes, Housecall, TrendMicro, etc., I get a page called www.pieceofcakesearch.com/. So I've obviously got something going on, but can't find any info on that either???

Any clues/suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:09 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarah Bates\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231454876178&h=9bc1e829d726e6e24bd028bb59040062/&filename=jinstall-6u11-windows-i586-jc.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5036 bytes


Thanks!
Question by: fishin33

17 Comments
LVL 26

Expert Comment

by:souseran
ID: 24034589
I don't see anything glaring in this log. However, it does appear that you're suffering from some kind of infection. Do you have your OS media (XP CD)? If so, put it in your drive, and see if you can do the following:

In Windows, go to Start | Run

Type CMD

Press Enter

At the prompt,

Type SFC /pugecache

Press Enter

Once that's done,

Type SFC /scannow

Press Enter

Once that's done, reboot and report back.
0
 
LVL 26

Expert Comment

by:souseran
ID: 24034643
That first SFC command should be

SFC /purgecache

Sorry.
0
 

Expert Comment

by:quixys
ID: 24034960
This is a long shot, but it fixes another search hijacking script.

Find this file:

C:\Windows\system32\wdmaud.sys

and delete it.
0
 
LVL 17

Accepted Solution

by:
Thomas4019 earned 167 total points
ID: 24034971
I would back up your necessary files and then reformat and reinstall Windows on your computer. It will get rid of whatever you've got, and your computer will function a lot better afterwards as well. But yes, it does take quite a lot of time. However, I have seen viruses take hours, only to find out that they are unremovable.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24035231
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
You can fix the above entry too.
C:\WINDOWS\system32\0.exe <-- this one is bad but might be easier to delete it using a tool like MBAM or Combofix.
Have you checked your Hosts file also if it's blocking security sites?


Use either one of these links to download MBAM and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

http://projects.securitywonks.net/projects/details.php?file=158



Or download combofix using another pc into a USB and rename the file before you run it. Try running from your desktop if you can.

Please download ComboFix by sUBs:(show us the resulting log please)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
0
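The two checks raised above (the F2 UserInit= entry carrying an extra executable, and a hosts file that blocks security sites) can be automated rather than eyeballed. The following is an added example, not code from the thread or from HijackThis, MBAM or ComboFix: it splits the UserInit= value from a HijackThis log into its comma-separated executables and flags anything beyond the canonical userinit.exe, notes any AppInit_DLLs entry for publisher confirmation, and scans a hosts file for entries that pin security-vendor domains to an address. The sample log lines and hosts contents are constructed inline (the F2 line is the one from the log in the question); the vendor domain list and all function names are my own assumptions.

```python
import re

# Constructed sample input. The F2 line is the entry called out in the thread;
# the other lines are benign entries of the same shape, made up for this example.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Constructed hosts file: the normal loopback line plus two entries of the kind an
# infection adds to keep the user away from vendor sites (addresses are made up).
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
10.0.0.5        housecall.trendmicro.com
"""

# The only executable a clean XP UserInit value should name.
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"

# Substrings of vendor domains worth watching in a hosts file (assumed list).
SECURITY_DOMAINS = ("malwarebytes", "trendmicro", "microsoft.com", "avg.com",
                    "symantec", "mcafee", "kaspersky", "bleepingcomputer")


def userinit_entries(line):
    """Split an 'F2 ... UserInit=' line into its comma-separated executables."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    return [p for p in parts if p]


def userinit_extras(line):
    """Return every UserInit executable other than the canonical userinit.exe."""
    return [p for p in userinit_entries(line) if p.lower() != CANONICAL_USERINIT]


def audit_hjt_log(text):
    """Return (section, detail) findings for entries that deserve a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("F2 ") and "UserInit=" in line:
            for extra in userinit_extras(line):
                findings.append(("F2", f"extra UserInit executable: {extra}"))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every GUI process, so confirm the publisher
            # of whatever is listed (here AVG's avgrsstx.dll, which is expected).
            dlls = line.split(":", 1)[1].strip()
            findings.append(("O20", f"AppInit_DLLs loads: {dlls}"))
    return findings


def hosts_overrides(hosts_text, watch=SECURITY_DOMAINS):
    """Return (address, hostname) pairs that pin a watched vendor domain to any address."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            if name.lower() == "localhost":
                continue
            if any(w in name.lower() for w in watch):
                hits.append((addr, name))
    return hits


if __name__ == "__main__":
    for section, detail in audit_hjt_log(SAMPLE_HJT_LOG):
        print(f"[{section}] {detail}")
    for addr, name in hosts_overrides(SAMPLE_HOSTS):
        print(f"[hosts] {name} -> {addr}")
```

A clean hosts file yields no hits from hosts_overrides, matching what the asker later reports (only the localhost line). The UserInit check is the one to act on: the value is a comma-separated list, and anything after userinit.exe is started at every logon, so an unexplained second executable like 0.exe is a persistence entry, not a stray typo.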
 
LVL 27

Assisted Solution

by:David-Howard
David-Howard earned 166 total points
ID: 24035548
Have you run any of your scans in Safe Mode, or perhaps logged on as a different user (profile) and attempted to run scans?
I think the above advice on removal programs should work but you may need to be in Safe Mode.
You may also need to turn off System Restore before running the scans.


Steps to turn off System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Steps to turn on System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
0
 
LVL 16

Expert Comment

by:warturtle
ID: 24037180
Hmm.. you might have a Conficker infection or another anti-Microsoft bug in there.... do a scan with Microsoft Malicious Software Removal Tool at:

http://www.microsoft.com/security/malwareremove/default.mspx

Hope it helps.
0
 

Author Comment

by:fishin33
ID: 24044565
So here's an update:

"SFC /purgecache" AND "SFC /scannow" both return:
"Windows File Protection could not purge the file cache. The specific error code is 0x000006ba..."

As for everyone else's suggestions, I had tried them before even posting here to EE. One huge issue is that I cannot install ANY programs. I can double-click an exe file, but then nothing happens and I just have a hung process in Task Manager.

I checked the hosts file as well and the only thing that shows is localhost 127.0.0.1.

I have tried installing these apps in Windows as a user account, and then also in Safe Mode logged in as Administrator. Nothing will allow me to install the said program. SOMEHOW I got MBAM installed, but if I click on the exe to run the program I get the same hung process in Task Manager.

Windows Malicious Software Removal Tool came up with nothing. ComboFix would not install. I also tried running SUPERAntiSpyware and Dr.Web CureIt in the Ultimate Boot CD 4 Windows, as well as the virus scanner built into PortableApps.com, and nothing has returned a virus.

I'm not out of disk space, have run Disk Cleanup/Disk Defrag....nothing! I can understand what Thomas4019 is saying, but if everyone just reinstalled the OS every time, then why would there be an Experts-Exchange Virus & Spyware forum!
0

Author Comment

by:fishin33
ID: 24044578
Wow...sorry for the poor grammar and misspellings.  Didn't proof until AFTER I hit submit.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 167 total points
ID: 24045475
>>>ComboFix would not install, <<<

Even a renamed ComboFix would not install? Did you rename it before the file came into contact with the infected PC? And did you rename it to a very different name (no "combo" or "combofix" strings)?

Try this one, this tool might not have been blocked by nasties.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
http://oldtimer.geekstogo.com/OTScanIt2.exe

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All Users
Check the Radio button for Rootkit check YES
Under Additional Scans check the following:
 * File - Lop Check
 * File - Purity Scan
 * Evnt - EventViewer Errors/Warnings (last 10)

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24047483
Worm?
If you CANNOT go here:
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN"
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there.
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
(I troubleshoot: both, English OS & Japanese OS)

0
 

Author Comment

by:fishin33
ID: 24144138
Boss man wanted a new laptop so that was the ultimate solution.  Looks like I'll be wiping this one clean after all!
0
 

Author Comment

by:fishin33
ID: 24144149
Thanks everyone for the input...but not worth the time to troubleshoot anymore.
0
 
LVL 34

Expert Comment

by:Michael-Best
ID: 24156898
We all spent our time trying to help, thus deserve some thanks.
0
 

Expert Comment

by:DSherman_parente
ID: 24156951
We had the same problem here.  You have a Rootkit that is stopping the antivirus apps.  There is a program called avenger that I used to scan and disable the rootkit.  Then I was able to run malwarebytes and other virus tools to remove it.  Here is the link.

http://swandog46.geekstogo.com/

0
 

Author Closing Comment

by:fishin33
ID: 31565086
As stated a long time ago, after much troubleshooting and time spent on this, I was unsuccessful in removing the worm/virus.  Ended up re-installing the OS to start anew.
0