
Malware/Virus has beaten me!

fishin33 asked
1,027 Views
Last Modified: 2013-12-06
I've got a laptop that will not let me install/run any spyware/malware programs, will not let me go to their webpages, UBCD's virus/spyware tools found no issues.

I have used HiJackThis to clean up enough so that I can finally download Malwarebytes Anti-Malware and got it installed.  Used the http://www.hijackthis.de too.  But when I try to run it, it just freezes up and never gets into the app.

Anytime I search google for Malwarebytes, Housecall, TrendMicro, etc., I get a page called www.pieceofcakesearch.com/.  So I've obviously got something going on, but can't find any info on that either???

Any clues/suggestions?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:09 PM, on 3/31/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Sarah Bates\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231454876178&h=9bc1e829d726e6e24bd028bb59040062/&filename=jinstall-6u11-windows-i586-jc.cab
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 5036 bytes


Thanks!

Commented:
I don't see anything glaring in this log. However, it does appear that you're suffering from some kind of infection. Do you have your OS media (XP CD)? If so, put it in your drive, and see if you can do the following:

In Windows, go to Start | Run

Type CMD

Press Enter

At the prompt,

Type SFC /pugecache

Press Enter

Once that's done,

Type SFC /scannow

Press Enter

Once that's done, reboot and report back.

Commented:
That first SFC command should be

SFC /purgecache

Sorry.

Commented:
This is a long shot, but it fixes another search hijacking script.

Find this file:

C:\Windows\system32\wdmaud.sys

and delete it.
CERTIFIED EXPERT
Top Expert 2007

Commented:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
You can fix the above entry too.
C:\WINDOWS\system32\0.exe <-- this one is bad but might be easier to delete it using a tool like MBAM or Combofix.
Have you checked your Hosts file also if it's blocking security sites?


Use either one of these links to download MBAM and rename the file before saving to your desktop.
http://www.download.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

http://projects.securitywonks.net/projects/details.php?file=158



Or download combofix using another pc into a USB and rename the file before you run it. Try running from your desktop if you can.

Please download ComboFix by sUBs:(show us the resulting log please)
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
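The F2 entry above is the persistence point: Winlogon runs every comma-separated executable in the Userinit value at logon, so anything beyond userinit.exe is worth a look. The script below is an added example, not code from this thread or any of the tools mentioned; it parses HijackThis-style F2 lines and flags extra Userinit executables, and also checks a hosts file for entries that pin security vendor domains (the log lines, hosts lines and the domain list are constructed for the example).

```python
import re

# Constructed sample in HijackThis F2 format (the first F2 line mirrors the one in the question).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\WINDOWS\system32\0.exe",
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
"""
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)


def check_userinit(log_text):
    """Return one finding per F2 UserInit line that runs anything besides userinit.exe.

    A clean Userinit value is just the userinit.exe path followed by a trailing comma;
    every extra comma-separated entry is launched at logon, which is how 0.exe persists.
    """
    findings = []
    for line in log_text.splitlines():
        m = F2_RE.match(line.strip())
        if not m:
            continue
        parts = [p.strip().strip('"') for p in m.group("value").split(",")]
        parts = [p for p in parts if p]
        extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
        if extra or not parts:
            findings.append({"line": line.strip(), "extra": extra})
    return findings


# Constructed hosts file: the second line is the kind of entry that blocks vendor sites.
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 www.malwarebytes.org  # constructed\n"
SECURITY_SITES = ("malwarebytes.org", "trendmicro.com", "microsoft.com")  # assumed watch list


def check_hosts(hosts_text):
    """Return (ip, hostname) pairs that pin a watched security vendor domain to any address."""
    hits = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            n = name.lower()
            if any(n == s or n.endswith("." + s) for s in SECURITY_SITES):
                hits.append((ip, name))
    return hits


if __name__ == "__main__":
    for f in check_userinit(SAMPLE_LOG):
        print("suspicious UserInit:", f["extra"])
    for ip, name in check_hosts(SAMPLE_HOSTS):
        print("hosts redirect:", name, "->", ip)
```

Only the first F2 line is reported; the second, clean value produces no finding.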
Hmm.. you might have a Conficker infection or another anti-Microsoft bug in there.... do a scan with Microsoft Malicious Software Removal Tool at:

http://www.microsoft.com/security/malwareremove/default.mspx

Hope it helps.

Author

Commented:
So here's an update:

"SFC /purgecache" AND "SFC /scannow" both return:
"Windows File Protection could not purge the file cache. The specific error code is 0x000006ba..."

As for everyone else's suggestions I have tried  before even posting here to EE.  One huge issue is that I cannot install ANY programs.  I can double-click an exe file, but then nothing happens and I just have a hung process in task manager.

I checked the hosts file as well and the only thing that shows is localhost 127.0.0.1.

I have tried installing these apps in Windows as a user account, and then also in safe mode logged in as administrator.  Nothing will allow me to install the said program.  SOMEHOW - I got MBAM installed, but if I click on the exe to run the program I get the same hung process in task manager.

Windows Malicious Tool came up with nothing.  ComboFix would not install, I also tried running superantispyware and Dr.Web Cureit in the Ultimate Boot CD 4 Windows; as well as the virus scanner built into PortableApps.com and nothing has returned a virus.

I'm not out of disk space, have run disk cleanup/disk defrag....nothing!  I can understand what Thomas 4019 is saying, but if everyone just reinstalled the OS every time then why would there be an Experts-Exchange Virus & Spyware Forum!

Author

Commented:
Wow...sorry for the poor grammar and misspellings.  Didn't proof until AFTER I hit submit.
CERTIFIED EXPERT

Commented:
Worm?
If you CANNOT go here:
http://onecare.live.com/site/en-us/default.htm
And run the: "FULL SERVICE SCAN"
You may have been infected with Worm:Win32/Conficker.B
To protect from Conficker apply an emergency patch that Microsoft issued in October - ahead of Conficker's arrival - for a recently discovered flaw in the Windows operating system that Conficker was designed to exploit.
The patch was originally intended to protect Microsoft's customers against a different piece of malicious code, a data-stealing worm called Gimmev.
Conficker could still activate itself, and it's not the most dangerous piece of malicious code out there
Ways to detect and clean a system that has the Win32/Conficker.B worm
http://support.microsoft.com/kb/962007
I recommend disabling "Password Lockout" policy for the time being, till you are sure the infection has been contained and cleaned in your network.
(http://technet.microsoft.com/en-us/library/cc781491.aspx)
(I troubleshoot: both, English OS & Japanese OS)

Author

Commented:
Boss man wanted a new laptop so that was the ultimate solution.  Looks like I'll be wiping this one clean after all!

Author

Commented:
Thanks everyone for the input...but not worth the time to troubleshoot anymore.
CERTIFIED EXPERT

Commented:
We all spent our time trying to help, thus deserve some thanks.
We had the same problem here.  You have a Rootkit that is stopping the antivirus apps.  There is a program called avenger that I used to scan and disable the rootkit.  Then I was able to run malwarebytes and other virus tools to remove it.  Here is the link.

http://swandog46.geekstogo.com/

Author

Commented:
As stated a long time ago, after much troubleshooting and time spent on this, I was unsuccessful in removing the worm/virus.  Ended up re-installing the OS to start anew.