• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 984
  • Last Modified:

Malware/Virus has beaten me!

I've got a laptop that will not let me install/run any spyware/malware programs, will not let me go to their webpages, UBCD's virus/spyware tools found no issues.

I have used HiJackThis to clean up enough so that I can finally download Malwarebytes Anti-Malware and got it installed. Used the http://www.hijackthis.de too. But when I try to run it, it just freezes up and never gets into the app.

Anytime I search google for Malwarebytes, Housecall, TrendMicro, etc; I get a page called www.pieceofcakesearch.com/.  So I've obviously got something going on, but can't find any info on that either???

Any clues/suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:09 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarah Bates\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231454876178&h=9bc1e829d726e6e24bd028bb59040062/&filename=jinstall-6u11-windows-i586-jc.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

End of file - 5036 bytes
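The F2 line in the log above is the one entry that is not stock: Windows runs whatever is listed in the Userinit value at every logon, and here a second executable has been appended after userinit.exe. As an added example (not code from this thread or from the HijackThis project), the script below reads HijackThis-style report lines offline and flags that pattern, plus any AppInit_DLLs entry for vendor confirmation. The sample log is a constructed excerpt modelled on the F2, O4 and O20 lines posted above; the expected default Userinit path is the stock Windows XP value.

```python
"""
Added example, not from the Experts-Exchange thread: offline triage of
HijackThis-style report lines. Flags a Userinit value that launches
anything besides the stock userinit.exe, and lists AppInit_DLLs entries
so the analyst can confirm the vendor.
"""
import re

# Stock Windows XP Userinit value: only the system userinit.exe (trailing comma omitted).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample modelled on the lines in the posted log.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll
"""


def parse_userinit(line):
    """Return the list of executables named in an F2 UserInit line (quotes stripped)."""
    m = re.search(r"UserInit=(.*)$", line, re.IGNORECASE)
    if not m:
        return []
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    return [p for p in parts if p]


def check_userinit(line):
    """Return every program in the Userinit value other than the stock one (empty = clean)."""
    return [p for p in parse_userinit(line) if p.lower() != DEFAULT_USERINIT]


def triage(log_text):
    """Walk a HijackThis report and collect (section, severity, detail) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section == "F2" and "UserInit=" in line:
            for extra in check_userinit(line):
                findings.append(("F2", "high", f"Userinit launches extra program: {extra}"))
        elif section == "O20" and "AppInit_DLLs" in line:
            # AppInit DLLs are loaded into every GUI process; benign for a known AV vendor.
            dll = line.split(":", 1)[1].strip()
            findings.append(("O20", "info", f"AppInit DLL loaded into all processes: {dll}"))
    return findings


if __name__ == "__main__":
    for section, severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity:4}] {section}: {detail}")
```

Running it against the constructed sample reports the appended 0.exe as a high-severity finding and lists avgrsstx.dll as informational; on a clean XP box the F2 line would contain only userinit.exe and produce no finding.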

3 Solutions
I don't see anything glaring in this log. However, it does appear that you're suffering from some kind of infection. Do you have your OS media (XP CD)? If so, put it in your drive, and see if you can do the following:

In Windows, go to Start | Run

Type CMD

Press Enter

At the prompt,

Type SFC /pugecache

Press Enter

Once that's done,

Type SFC /scannow

Press Enter

Once that's done, reboot and report back.
That first SFC command should be

SFC /purgecache

This is a long shot, but it fixes another search hijacking script.

Find this file:


and delete it.

I would back up your necessary files and then reformat and reinstall Windows on your computer. It will get rid of whatever you've got, and your computer will function a lot better afterwards as well. But yes, it does take quite a lot of time; however, I have seen viruses take hours, only to find out that they are unremovable.
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
You can fix the above entry too.
C:\WINDOWS\system32\0.exe <-- this one is bad but might be easier to delete it using a tool like MBAM or Combofix.
Have you checked your Hosts file also if it's blocking security sites?

Use either one of these links to download MBAM and rename the file before saving to your desktop.


Or download combofix using another pc into a USB and rename the file before you run it. Try running from your desktop if you can.

Please download ComboFix by sUBs:(show us the resulting log please)

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
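The hosts-file question above is worth answering with a script rather than by eye, since a hijacker can hide a blocking entry among dozens of lines. As an added example (not code from this thread or from any of the tools named in it), the Python below parses a Windows hosts file and reports any security-vendor hostname mapped to loopback (blocked) or to some other address (redirected). The hosts content is constructed for the demonstration, and the vendor watch-list is an illustrative assumption built from the names mentioned in the thread, not an authoritative list.

```python
"""
Added example, not from the Experts-Exchange thread: find hosts-file
entries that block or redirect security-vendor sites. Sample content and
the vendor watch-list are constructed/illustrative.
"""
import ipaddress

# Constructed sample: the stock localhost line plus two entries of the kind
# a search/AV hijacker adds. The 10.0.0.99 address is made up for the demo.
SAMPLE_HOSTS = """
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.malwarebytes.org
10.0.0.99       housecall.trendmicro.com   # constructed: traffic sent elsewhere
"""

# Illustrative watch-list (assumption, not exhaustive) of substrings that
# identify security-vendor hostnames.
SECURITY_DOMAINS = ("malwarebytes", "trendmicro", "avg.com", "microsoft.com", "symantec")

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, *names = fields
        for name in names:
            yield ip, name.lower()


def suspicious_entries(text):
    """Return (ip, hostname, reason) for vendor names mapped to loopback or a remote IP."""
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue  # the one entry a stock XP hosts file carries
        if not any(tag in name for tag in SECURITY_DOMAINS):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, name, "unparseable address"))
            continue
        reason = "blocked via loopback" if addr in LOOPBACK else "redirected to " + ip
        hits.append((ip, name, reason))
    return hits


if __name__ == "__main__":
    # On a live XP box the file lives at C:\WINDOWS\system32\drivers\etc\hosts;
    # copy it off the machine and read it here instead of SAMPLE_HOSTS.
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name:35} {ip:15} {reason}")
```

A hosts file that contains only the localhost line, as the asker later reports, yields no hits; the check then rules out one blocking mechanism and points the investigation back at the Userinit entry and at whatever is hanging every new process.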
Have you run any of your scans in Safe Mode, or perhaps logged on as a different user (profile) and attempted to run scans?
I think the above advice on removal programs should work but you may need to be in Safe Mode.
You may also need to turn off System Restore before running the scans.

Steps to turn off System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
Click OK.
When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.

Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.
Steps to turn on System Restore
Click Start, right-click My Computer, and then click Properties.
In the System Properties dialog box, click the System Restore tab.
Click to clear the Turn off System Restore check box. Or, click the Turn off System Restore on all drives check box.
Click OK.
After a few moments, the System Properties dialog box closes.
Hmm.. you might have a Conficker infection or another anti-Microsoft bug in there.... do a scan with Microsoft Malicious Software Removal Tool at:


Hope it helps.
fishin33Author Commented:
So here's an update:

"SFC /purgecache" AND "SFC /scannow" both return:
"Windows File Protection could not purge the file cache. The specific error code is 0x000006ba..."

As for everyone else's suggestions, I have tried them before even posting here to EE. One huge issue is that I cannot install ANY programs. I can double-click an exe file, but then nothing happens and I just have a hung process in Task Manager.

I checked the hosts file as well and the only thing that shows is localhost

I have tried installing these apps in Windows as a user account, and then also in Safe Mode logged in as Administrator. Nothing will allow me to install the said program. SOMEHOW I got MBAM installed, but if I click on the exe to run the program I get the same hung process in Task Manager.

Windows Malicious Software Removal Tool came up with nothing. ComboFix would not install. I also tried running SUPERAntiSpyware and Dr.Web CureIt in the Ultimate Boot CD 4 Windows, as well as the virus scanner built into PortableApps.com, and nothing has returned a virus.

I'm not out of disk space, have run Disk Cleanup/Disk Defrag... nothing! I can understand what Thomas4019 is saying, but if everyone just reinstalled the OS every time, then why would there be an Experts-Exchange Virus & Spyware forum!
fishin33Author Commented:
Wow...sorry for the poor grammar and misspellings.  Didn't proof until AFTER I hit submit.
>>>ComboFix would not install, <<<

Even a renamed ComboFix would not install? Did you rename it before the file got in contact with the infected PC? And did you rename it to a very different name (no "combo" or "combofix" strings)?

Try this one, this tool might not have been blocked by nasties.

Download OTScanit2 to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All Users
Check the Radio button for Rootkit check YES
Under Additional Scans check the following:
 * File - Lop Check
 * File - Purity Scan
 * Evnt - EventViewer Errors/Warnings (last 10)

Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.
If you CANNOT go here:
And run the: "FULL SERVICE SCAN"
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there.
Ways to detect and clean a system that has the Win32/Conficker.B worm
I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(I troubleshoot: both, English OS & Japanese OS)

fishin33Author Commented:
Boss man wanted a new laptop so that was the ultimate solution.  Looks like I'll be wiping this one clean after all!
fishin33Author Commented:
Thanks everyone for the input...but not worth the time to troubleshoot anymore.
We all spent our time trying to help, thus deserve some thanks.
We had the same problem here.  You have a Rootkit that is stopping the antivirus apps.  There is a program called avenger that I used to scan and disable the rootkit.  Then I was able to run malwarebytes and other virus tools to remove it.  Here is the link.


fishin33Author Commented:
As stated a long time ago, after much troubleshooting and time spent on this, I was unsuccessful in removing the worm/virus.  Ended up re-installing the OS to start anew.
Question has a verified solution.