Help needed with infected PC, here's the HiJackThis Log

Post by bgoehringer » November 18th, 2008, 1:39 pm

Hi there!
I've got a problem with my dad's PC, which has been attacked by some virus(es). The PC is already a few years old and runs on Win XP SP 1. It has some eTrust anti-virus software on it, which is a little out of date, because the slow internet connection doesn't allow regular updates. We'll change this after we have cleaned the PC from the malware, but that's another point.
Ok, the symptoms are as follows:
Immediately after booting the PC, the message box "svchost.exe - Fehler in Anwendung" (something like "error in application") appears. When I click "OK", the next box comes up: "Generic host process for Win32 Services hat ein Problem festgestellt und muß beendet werden." (something like "...has detected a problem and has to be terminated."). This window keeps showing up again and again no matter how often I click OK. When I move this window aside and leave it open, I can work as usual; the only strange thing is that IE keeps opening totally different websites from what I have typed in or clicked on. Not always, but in most cases some ad-, sex-, game-, whatever-website is opened.
So, the first thing I tried was the Kaspersky online scan, which found some infected files, 3 of which I moved to c:\windows\temp\virusscan and renamed (one was in temp IE files, which I deleted completely, and two dlls: c:\windows\system32\AppCert\wnl32.dll and wsil32.dll). The fourth one (c:\windows\system32\dx8vbf.dll) is always in use and cannot be moved or deleted. The names of the viruses found are

So here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:34:16, on 18.11.2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programme\CA\eTrust Antivirus\InoRpc.exe
C:\Programme\CA\eTrust Antivirus\InoRT.exe
C:\Programme\CA\eTrust Antivirus\InoTask.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.de/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programme\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programme\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {E8B0FCD0-1CB7-4A2B-B82B-016B5DF6168C} - C:\WINDOWS\System32\dx8vbf.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Programme\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programme\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [wiuip169] C:\WINDOWS\system32\wiuip169.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [EPSON Stylus SX200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEFE.EXE /FU "C:\WINDOWS\TEMP\E_S61.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [wiuip169] C:\WINDOWS\system32\wiuip169.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Recherchieren - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.de/
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache - Unknown owner - D:\bg_test\Apache\Apache.exe
O23 - Service: CA-Lizenz-Client (CA_LIC_CLNT) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmt.exe
O23 - Service: CA-Lizenzserver (CA_LIC_SRVR) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\lic98rmtd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programme\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Programme\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programme\Java\jre6\bin\jqs.exe
O23 - Service: Ereignisprotokoll-Überwachung (LogWatch) - Computer Associates - C:\Programme\CA\SharedComponents\CA_LIC\LogWatNT.exe
O23 - Service: MySql - Unknown owner - D:\bg_test\mysql\bin\mysqld (file missing)

End of file - 5872 bytes

I'd really appreciate some help! Thanks!
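As an added example (not part of this thread or of HijackThis itself), a small Python triage script over the O2, O4 and O23 line types in the log above. The regexes and heuristics are my own approximation of the HijackThis 2.0.2 output format; the sample lines are an excerpt of the posted log, and the script flags exactly the kind of entries a helper looks at first: a nameless BHO in System32, a Run value with a random-looking name that is registered under more than one hive, and a service whose owner is unknown or whose binary is missing.

```python
import re
from collections import defaultdict

# Regexes approximate HijackThis 2.0.2 line shapes; they are this example's own, not an official grammar.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

def _looks_random(name: str) -> bool:
    # Crude heuristic: a short lowercase token ending in digits, e.g. "wiuip169".
    return re.fullmatch(r"[a-z]{3,8}\d{2,4}", name.lower()) is not None

def _executable(cmd: str) -> str:
    # First token of the command line, honouring a quoted path.
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def review_line(line: str) -> list:
    # Returns (reason, line) pairs for one HijackThis log line.
    out = []
    if m := O2_RE.match(line):
        if m["name"].strip() == "(no name)":
            out.append(("BHO without a name", line))
        if m["path"].lower().rsplit("\\", 1)[0] == r"c:\windows\system32":
            out.append(("BHO DLL directly in System32", line))
    elif m := O4_RE.match(line):
        base = _executable(m["cmd"]).rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if _looks_random(m["value"]) or _looks_random(base):
            out.append(("Run entry with random-looking name", line))
    elif m := O23_RE.match(line):
        if "(file missing)" in m["path"]:
            out.append(("service binary missing", line))
        if m["owner"] == "Unknown owner":
            out.append(("service with unknown owner", line))
    return out

def review_log(text: str) -> list:
    # Per-line checks plus one cross-line check: the same Run value under several hives.
    findings, hives_by_value = [], defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        findings.extend(review_line(line))
        if m := O4_RE.match(line):
            hives_by_value[m["value"].lower()].add(m["hive"].split("\\")[0])
    for value, hives in hives_by_value.items():
        if len(hives) > 1:
            findings.append(("Run value present in " + " and ".join(sorted(hives)), value))
    return findings

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {E8B0FCD0-1CB7-4A2B-B82B-016B5DF6168C} - C:\WINDOWS\System32\dx8vbf.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [wiuip169] C:\WINDOWS\system32\wiuip169.exe
O4 - HKCU\..\Run: [wiuip169] C:\WINDOWS\system32\wiuip169.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: MySql - Unknown owner - D:\bg_test\mysql\bin\mysqld (file missing)
"""

for reason, line in review_log(SAMPLE_LOG):
    print(f"{reason:40} {line}")
```

The heuristics are deliberately conservative; they point a human at lines to research, not a verdict.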

Re: Help needed with infected PC, here's the HiJackThis Log

Post by Rodav » November 21st, 2008, 5:12 pm

Hello! and welcome to the Malware Removal forums.
I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research so please be patient while I work on your log and I will post back here with any recommendations.

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Re: Help needed with infected PC, here's the HiJackThis Log

Post by Rodav » November 21st, 2008, 5:16 pm

Hello Björn,

Step 1:
  • Please download this tool from Microsoft.
  • Double click on MGADiag.exe to run it.
  • Click Continue.
  • The program will run. It takes a while to finish the diagnosis, please be patient.
  • Once done, click on Copy.
  • Open Notepad and paste the contents in. Save this file and post it in your next reply.

Re: Help needed with infected PC, here's the HiJackThis Log

Post by bgoehringer » November 23rd, 2008, 11:15 am

Thanks for your reply!
Here's the log file from MGADiag:

Diagnostic Report (1.7.0110.1):
WGA Data-->
Validation Status: Validation Control not Installed
Validation Code: 0
Online Validation Code: N/A
Cached Validation Code: N/A
Windows Product Key: *****-*****-QYQR8-24PPB-W8PDT
Windows Product Key Hash: 4Jyu+H69GKz/nWhSZYL3vjcsgX8=
Windows Product ID: 55372-OEM-2111907-00126
Windows Product ID Type: 2
Windows License Type: OEM SLP
Windows OS version: 5.1.2600.2.00010300.1.0.hom
ID: {E2BA52A1-0814-45EF-B898-96E3999AB318}(1)
Is Admin: Yes
TestCab: 0x0
WGA Version: N/A, hr = 0x80070002
Signed By: N/A, hr = 0x80070002
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-171-1_E2AD56EA-761-d003_E2AD56EA-762-0_E2AD56EA-134-80004005_E2AD56EA-761-8009_E2AD56EA-762-2ee7_E2AD56EA-148-80004005_16E0B333-89-80004005_78155E4D-221-80004005
Resolution Status: N/A

WgaER Data-->
ThreatID(s): N/A
Version: N/A

WGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
File Exists: No
Version: N/A, hr = 0x80070002
WgaTray.exe Signed By: N/A, hr = 0x80070002
WgaLogon.dll Signed By: N/A, hr = 0x80070002

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: N/A, hr = 0x80070002
WGATray.exe Signed By: N/A, hr = 0x80070002
OGAAddin.dll Signed By: N/A, hr = 0x80070002

OGA Data-->
Office Status: 101 Not Activated
Microsoft Office Standard Edition 2003 - 101 Not Activated
OGA Version: N/A, 0x80070002
Signed By: N/A, hr = 0x80070002
Office Diagnostics: 025D1FF3-171-1_3E121E02-115-80004005_FA827CE6-153-8007007e_FA827CE6-180-8007007e

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Default Browser: C:\PROGRA~1\MOZILL~1\FIREFOX.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Prompt
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Prompt
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{E2BA52A1-0814-45EF-B898-96E3999AB318}</UGUID><Version>1.7.0110.1</Version><OS>5.1.2600.2.00010300.1.0.hom</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-W8PDT</PKey><PID>55372-OEM-2111907-00126</PID><PIDType>2</PIDType><SID>S-1-5-21-4054019494-2842927422-1991281701</SID><SYSTEM><Manufacturer>Medion AG</Manufacturer><Model>Medion PC MT5 MED MT 268</Model></SYSTEM><BIOS><Manufacturer>Phoenix Technologies, LTD</Manufacturer><Version>IHD22MDP</Version><SMBIOSVersion major="2" minor="3"/><Date>20040723******.******+***</Date><SLPBIOS>MEDIONPC,MEDIONNB</SLPBIOS></BIOS><HWID>26443B4F01842042</HWID><UserLCID>0407</UserLCID><SystemLCID>0407</SystemLCID><TimeZone>Westeuropäische Normalzeit(GMT+01:00)</TimeZone><iJoin>0</iJoin><SBID><stat>2</stat><msppid></msppid><name>microstar</name><model>Professional Computer</model></SBID><OEM/><BRT/></MachineData> <Software><Office><Result>101</Result><Products><Product GUID="{91120407-6000-11D3-8CFE-0150048383C9}"><LegitResult>101</LegitResult><Name>Microsoft Office Standard Edition 2003</Name><Ver>11</Ver><Val>AA90C64D1E50864</Val><Hash>uDi2PGNml1z+8+AuvZmgc4hOJBg=</Hash><Pid>72873-050-1799207-56384</Pid><PidType>1</PidType></Product></Products><Applications><App Id="16" Version="11" Result="101"/><App Id="18" Version="11" Result="101"/><App Id="1A" Version="11" Result="101"/><App Id="1B" Version="11" Result="101"/></Applications></Office></Software></GenuineResults>

Licensing Data-->

HWID Data-->

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1D280:Medion AG|1D280:Medion AG

OEM Activation 2.0 Data-->

Re: Help needed with infected PC, here's the HiJackThis Log

Post by Rodav » November 23rd, 2008, 6:34 pm

Hi bgoehringer,

You will need to validate your copy of Windows, please use Internet Explorer for the next step (Step 1).

Step 1:
  • Click here to visit Microsoft website.
  • Click on the Validate Windows button on the top right hand corner to validate your Windows.
  • Click on Continue.
  • You will be prompted to install an ActiveX. Please install it.
  • Please copy and paste the results of the validation in your next reply.

Step 2:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply along with the validation results.

Re: Help needed with infected PC, here's the HiJackThis Log

Post by bgoehringer » November 23rd, 2008, 6:55 pm

I validated my Windows copy, but there was no result in the form of a log or something I could have copied and pasted here, so I made a screenshot of the final page that confirmed I have a genuine Windows copy.
Here is the uninstall list:

ABBYY FineReader 6.0 Sprint
Adobe Acrobat - Reader 6.0.2 Update
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 6.0.1 - Deutsch
Adobe Stock Photos 1.0
Agere Systems PCI Soft Modem
Apache HTTP Server 1.3.27
Apple Software Update
CA eTrust Antivirus
Camera RAW Plug-In for EPSON Creativity Suite
Canon Utilities PhotoStitch 3.1
DirectX 9 Hotfix - KB839643
DirectX Hotfix - KB825116
EPSON Attach To Email
EPSON Easy Photo Print
EPSON File Manager
EPSON Scan Assistant
EPSON Stylus SX200 Series Printer Uninstall
EPSON Stylus SX200_SX400_TX200_TX400 Handbuch
EPSON Web-To-Page
eTrust Antivirus Registration
HighMAT-Erweiterung für den Microsoft Windows XP-Assistenten zum Schreiben von CDs
HijackThis 2.0.2
HP Software Update
Informationen über Ihren PC
Intel(R) Extreme Graphics Driver
Internet Explorer Q831167
Java(TM) 6 Update 10
Learn2 Player (Uninstall Only)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 German Language Pack
Microsoft Data Access Components KB870669
Microsoft Office Standard Edition 2003
Microsoft Windows-Journal-Viewer
Microsoft Works 7.0
MSN Messenger 6.2
muvee autoProducer 3.5 magicMoments_CE - Medion
MySQL Connector/ODBC 3.51
MySQL Servers and Clients 4.0.12
Nero OEM
Outlook Express Q823353
Picasa 2
Realtek AC'97 Audio
REALTEK Gigabit and Fast Ethernet NIC Driver
Viewpoint Media Player
Windows Media Player-Hotfix [Weitere Informationen finden Sie in KB837272]
Windows Media Player-Hotfix [Weitere Informationen finden Sie in Q828026]
Windows XP-Hotfix - KB820291
Windows XP-Hotfix - KB821253
Windows XP-Hotfix - KB822603
Windows XP-Hotfix - KB823182
Windows XP-Hotfix - KB824105
Windows XP-Hotfix - KB824141
Windows XP-Hotfix - KB825119
Windows XP-Hotfix - KB826939
Windows XP-Hotfix - KB826942
Windows XP-Hotfix - KB828035
Windows XP-Hotfix - KB828741
Windows XP-Hotfix - KB833407
Windows XP-Hotfix - KB833998
Windows XP-Hotfix - KB835732
Windows XP-Hotfix - KB837001
Windows XP-Hotfix - KB839645
Windows XP-Hotfix - KB840315
Windows XP-Hotfix - KB840374
Windows XP-Hotfix - KB841873
Windows XP-Hotfix - KB842773
Windows XP-Hotfix (SP2) Q322011
Windows XP-Hotfix (SP2) Q327979
Windows XP-Hotfix (SP2) Q331695
Windows XP-Hotfix (SP2) Q814995
Windows XP-Hotfix (SP2) Q815485

Re: Help needed with infected PC, here's the HiJackThis Log

Post by Rodav » November 23rd, 2008, 7:56 pm

It appears your copy of Windows is not genuine and as per our rules I can no longer assist you: http://www.malwareremoval.com/rules.php

If you purchased this computer and genuinely did not realise it was pirated you should contact Microsoft directly with as much information as possible, they may be able to assist you.

I would however suggest you reformat your computer and install a distribution of Linux on it. If you have a slow internet connection, you can even request a copy of Ubuntu delivered to you free of charge. https://shipit.ubuntu.com/

Re: Help needed with infected PC, here's the HiJackThis Log

Post by bgoehringer » November 24th, 2008, 4:40 am

What??? If that was the case, I could understand that, but this is a PC that was bought with Windows and everything else pre-installed. How can it be that this is not a genuine Windows copy? And what makes you think that? After the validation I was confirmed that it is a genuine Windows, as one can see on the screenshot.

Re: Help needed with infected PC, here's the HiJackThis Log

Post by NonSuch » November 24th, 2008, 2:37 pm

We are very sorry, but there are indications that something is amiss regarding the validity of the Windows operating system on this computer. If you believe the operating system is valid, then you should contact Microsoft and have them help you resolve the issue so you can then receive help in removing the malware infections. Microsoft has provided a forum where Windows users can address operating system validity issues:

http://forums.microsoft.com/genuine/def ... ?siteid=25

However, please be aware that even if the operating system were valid, this computer is without Service Pack 2 for Windows XP and has, therefore, been without Windows updates since October 2006. (Windows updates are now only provided for XP systems with at least Service Pack 2 installed). That has made the system vulnerable and a magnet for malware infections every time it has been connected to the internet. Service Pack 2, however, cannot be installed on an infected computer. Once infected, a system must be kept off the internet and cleared of all infections, or reformatted and the operating system reinstalled, prior to installation of Service Pack 2.

In addition, Microsoft Office 2003 has never been activated nor updated, therefore, this has created further vulnerabilities to malware infections. This is also an issue that needs to be addressed.

As we are unable to assist you at this time, due to software on this system that is not in compliance with MRU guidelines, this topic is now closed.
