

Malware/Virus has beaten me!

Posted on 2009-03-31
Medium Priority
Last Modified: 2013-12-06
I've got a laptop that will not let me install/run any spyware/malware programs, will not let me go to their webpages, UBCD's virus/spyware tools found no issues.

I have used HiJackThis to clean up enough so that I can finally download Malwarebytes Anti-Malware and got it installed.  Used the http://www.hijackthis.de too.  But when I try to run it, it just freezes up and never gets into the app.

Anytime I search Google for Malwarebytes, Housecall, TrendMicro, etc., I get a page called www.pieceofcakesearch.com/.  So I've obviously got something going on, but can't find any info on that either?

Any clues/suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:09 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarah Bates\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231454876178&h=9bc1e829d726e6e24bd028bb59040062/&filename=jinstall-6u11-windows-i586-jc.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 5036 bytes

Question by:fishin33
LVL 26

Expert Comment

ID: 24034589
I don't see anything glaring in this log. However, it does appear that you're suffering from some kind of infection. Do you have your OS media (XP CD)? If so, put it in your drive, and see if you can do the following:

In Windows, go to Start | Run

Type CMD

Press Enter

At the prompt,

Type SFC /pugecache

Press Enter

Once that's done,

Type SFC /scannow

Press Enter

Once that's done, reboot and report back.
LVL 26

Expert Comment

ID: 24034643
That first SFC command should be

SFC /purgecache


Expert Comment

ID: 24034960
This is a long shot, but it fixes another search hijacking script.

Find this file:


and delete it.

LVL 17

Accepted Solution

Thomas4019 earned 334 total points
ID: 24034971
I would back up your necessary files and then reformat and reinstall Windows on your computer. It will get rid of whatever you've got, and your computer will function a lot better after as well. But yes, it does take quite a lot of time. However, I have seen viruses take hours, only to find out that they are unremovable.
LVL 47

Expert Comment

ID: 24035231
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
You can fix the above entry too.
C:\WINDOWS\system32\0.exe <-- this one is bad but might be easier to delete it using a tool like MBAM or Combofix.
Have you checked your Hosts file also if it's blocking security sites?

Use either one of these links to download MBAM and rename the file before saving to your desktop.


Or download combofix using another pc into a USB and rename the file before you run it. Try running from your desktop if you can.

Please download ComboFix by sUBs:(show us the resulting log please)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
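Two of the checks raised in this thread, the extra program appended to the F2 UserInit line and a hosts file that points security vendors' sites at the loopback address, can be automated. The Python script below is an added example written for this page; it is not code from the thread, from HijackThis, or from any of the tools named here. It runs over constructed sample text embedded in the script rather than a live machine, and the paths and hostnames in the samples are constructed for illustration.

```python
import re

# Constructed sample of HijackThis-style log lines (not from a real machine).
# The F2 line has the same shape as the entry discussed in the thread: a second
# executable appended to the UserInit value.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample hosts file: the stock localhost line plus two lines that
# point security vendors' sites at the loopback or null address.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org   # constructed entry
0.0.0.0         housecall.trendmicro.com
"""

# On a stock Windows XP install the UserInit value names only userinit.exe.
EXPECTED_USERINIT = "userinit.exe"

# Addresses commonly used to sinkhole a hostname through the hosts file.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

F2_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")


def userinit_extras(hjt_text):
    """Return every program in the F2 UserInit entry other than userinit.exe.

    UserInit is a comma-separated list of programs winlogon starts at logon,
    so anything besides userinit.exe runs before the shell and deserves a look.
    """
    extras = []
    for line in hjt_text.splitlines():
        match = F2_USERINIT.match(line.strip())
        if not match:
            continue
        for item in match.group(1).split(","):
            path = item.strip().strip('"')
            if not path:
                continue  # a trailing comma leaves an empty field
            basename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if basename != EXPECTED_USERINIT:
                extras.append(path)
    return extras


def hosts_overrides(hosts_text):
    """Return (hostname, address) pairs that sinkhole anything other than localhost."""
    overrides = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        if address not in SINKHOLE_ADDRESSES:
            continue
        for name in names:
            if name.lower() != "localhost":
                overrides.append((name, address))
    return overrides


def report(hjt_text, hosts_text):
    """Build a short human-readable summary of both checks."""
    lines = []
    for path in userinit_extras(hjt_text):
        lines.append(f"UserInit runs an unexpected program: {path}")
    for name, address in hosts_overrides(hosts_text):
        lines.append(f"hosts file sinkholes {name} -> {address}")
    return lines or ["no findings"]


if __name__ == "__main__":
    for line in report(SAMPLE_HJT_LOG, SAMPLE_HOSTS):
        print(line)
```

To use it against a real log, pass the text of a saved HijackThis log and the contents of C:\WINDOWS\system32\drivers\etc\hosts to report(); the sinkhole check deliberately ignores the localhost line so that a stock hosts file produces no findings.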
LVL 27

Assisted Solution

David-Howard earned 332 total points
ID: 24035548
Have you run any of your scans in Safe Mode, or perhaps logged on as a different user (profile) and attempted to run scans?
I think the above advice on removal programs should work but you may need to be in Safe Mode.
You may also need to turn off System Restore before running the scans.

Steps to turn off System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Steps to turn on System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
LVL 16

Expert Comment

ID: 24037180
Hmm.. you might have a Conficker infection or another anti-Microsoft bug in there.... do a scan with Microsoft Malicious Software Removal Tool at:


Hope it helps.

Author Comment

ID: 24044565
So here's an update:

"SFC /purgecache" AND "SFC /scannow" both return:
"Windows File Protection could not purge the file cache. The specific error code is 0x000006ba..."

As for everyone else's suggestions, I have tried them before even posting here to EE.  One huge issue is that I cannot install ANY programs.  I can double-click an exe file, but then nothing happens and I just have a hung process in Task Manager.

I checked the hosts file as well and the only thing that shows is localhost.

I have tried installing these apps in Windows as a user account, and then also in Safe Mode logged in as Administrator.  Nothing will allow me to install the said program.  SOMEHOW I got MBAM installed, but if I click on the exe to run the program I get the same hung process in Task Manager.

Windows Malicious Software Removal Tool came up with nothing.  ComboFix would not install. I also tried running SUPERAntiSpyware and Dr.Web CureIt in the Ultimate Boot CD 4 Windows, as well as the virus scanner built into PortableApps.com, and nothing has returned a virus.

I'm not out of disk space, and have run Disk Cleanup/Disk Defrag....nothing!  I can understand what Thomas4019 is saying, but if everyone just reinstalled the OS every time, then why would there be an Experts-Exchange Virus & Spyware forum!

Author Comment

ID: 24044578
Wow...sorry for the poor grammar and misspellings.  Didn't proof until AFTER I hit submit.
LVL 47

Assisted Solution

rpggamergirl earned 334 total points
ID: 24045475
>>>ComboFix would not install, <<<

Even a renamed ComboFix would not install? Did you rename it before the file got in contact with the infected PC? And did you rename it to a very different name (no "combo" or "combofix" strings)?

Try this one, this tool might not have been blocked by nasties.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All Users
Check the Radio button for Rootkit check YES
Under Additional Scans check the following:
 * File - Lop Check
 * File - Purity Scan
 * Evnt - EventViewer Errors/Warnings (last 10)

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
LVL 34

Expert Comment

ID: 24047483
If you CANNOT go here:
And run the: "FULL SERVICE SCAN"
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(I troubleshoot: both, English OS & Japanese OS)


Author Comment

ID: 24144138
Boss man wanted a new laptop so that was the ultimate solution.  Looks like I'll be wiping this one clean after all!

Author Comment

ID: 24144149
Thanks everyone for the input...but not worth the time to troubleshoot anymore.
LVL 34

Expert Comment

ID: 24156898
We all spent our time trying to help, thus deserve some thanks.

Expert Comment

ID: 24156951
We had the same problem here.  You have a Rootkit that is stopping the antivirus apps.  There is a program called avenger that I used to scan and disable the rootkit.  Then I was able to run malwarebytes and other virus tools to remove it.  Here is the link.



Author Closing Comment

ID: 31565086
As stated a long time ago, after much troubleshooting and time spent on this, I was unsuccessful in removing the worm/virus.  Ended up re-installing the OS to start anew.
