Krabby Posted August 3, 2009 ID:105634 Share Posted August 3, 2009 Hi allMy sister gave me her laptop to "disinfect" for her. I have had many problems but eventually have arrived at a point where i can stop it blue screening and not lagging out.I keep getting a pop up saying internet explorer has encountered a problem and needs to close but i am not even running internet explorer!When i first turned it on it seemed there is 1 user but upon restarting in safe mode ther is 2? i cant get my head round it!Explorer.exe uses the cpu constantly!Here is the hijack thisLogfile of Trend Micro HijackThis v2.0.2Scan saved at 21:55:21, on 03/08/2009Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v8.00 (8.00.6001.18702)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exeC:\Program Files\Synaptics\SynTP\SynTPLpr.exeC:\Program Files\Synaptics\SynTP\SynTPEnh.exeC:\Program Files\BroadJump\Client Foundation\CFD.exeC:\Program Files\QuickTime\QTTask.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Autorun Eater\oldmcdonald.exeC:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exeC:\WINDOWS\System32\reader_s.exeC:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeC:\WINDOWS\system32\TPSBattM.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Windows Live\Messenger\msnmsgr.exeC:\Program Files\Autorun Eater\billy.exeC:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeC:\Program Files\AnVir Task Manager Pro\AnVir.exeC:\Program Files\FinePixViewer\QuickDCF2.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customi...fo/bt_side.htmlR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.live.com/sphome.aspxR1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.adtrgt.com/cpv.jsp?p=113120&...%26b42%3D0.0028R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet accessR1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)O2 - BHO: (no name) - {06687c38-bfad-4aa7-82f9-886b552ec0ca} - c:\windows\system32\zfjpbov.dllO2 - BHO: (no name) - {cd50ec40-10b9-5c2b-4418-7e3380cf7e26} - (no file)O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exeO4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exeO4 - HKLM\..\Run: [TPSMain] TPSMain.exeO4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exeO4 - HKLM\..\Run: [bJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exeO4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClientO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Autorun Eater] C:\Program Files\Autorun Eater\oldmcdonald.exeO4 - HKLM\..\Run: [F-PROT Antivirus Tray application] C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exeO4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exeO4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exeO4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exeO4 - HKCU\..\Run: [AnVir Task Manager Pro] "C:\Program Files\AnVir Task Manager Pro\AnVir.exe" MinimizedO4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\TEMP\reader_s.exeO4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\437779956.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [sYSDLL] SYSDLL (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\k8smev0.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [nzdflkioezncfiunfindiuchiuenfcdc] C:\WINDOWS\TEMP\ptueif0h4.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\k8smev0.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [reader_s] C:\Documents and Settings\TEMP\reader_s.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [ms18_word] C:\WINDOWS\system32\config\systemprofile\ms18_word.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [TEMP] C:\Documents and Settings\TEMP\TEMP.exe /i (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [pridl] "C:\Documents and Settings\TEMP\Application Data\pridl\pridl.exe" 61A847B5BBF72811329B385672FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [cft] C:\Documents and Settings\TEMP\Application Data\cft\cft.exe (User 'Default user')O4 - HKUS\.DEFAULT\..\Run: [GetPrimo] C:\Program Files\GetPrimo\GetPrimo.exe (User 'Default user')O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exeO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)O11 - Options group: [international] InternationalO14 - IERESET.INF: START_PAGE_URL=http://www.tesco.netO20 - AppInit_DLLs: c c:\progra~1\ThunMail\testabd.dll c:\windows\system32\rinuhani.dll c:\windows\system32\vagivoho.dll c:\windows\system32\wayebomi.dll ,O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dllO20 - Winlogon Notify: uothhyb - uothhyb.dll (file missing)O20 - Winlogon Notify: wpbjrnho - C:\WINDOWS\SYSTEM32\zfjpbov.dllO23 - Service: Application Layer Gateway Service (ALG) - Unknown owner - C:\WINDOWS\System32\alg.exe (file missing)O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exeO23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exeO23 - Service: Avg7Alrt - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)O23 - Service: Avg7UpdSvc - Unknown owner - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\O23 - Service: CFSvcs - Unknown owner - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe (file missing)O23 - Service: CiSvc - Unknown owner - C:\WINDOWS\system32\cisvc.exeO23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (file missing)O23 - Service: F-PROT Antivirus for Windows system (fpavserver) - FRISK Software International - C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: McciCMService - Unknown owner - C:\Program Files\Common Files\Motive\McciCMService.exe (file missing)O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe--End of file - 9086 bytes Link to post Share on other sites More sharing options...
Krabby Posted August 3, 2009 Author ID:105636 Share Posted August 3, 2009 FOROGT ABOUT THISmalwarebytes' Anti-Malware 1.39Database version: 2421Windows 5.1.2600 Service Pack 202/08/2009 19:29:37mbam-log-2009-08-02 (19-29-37).txtScan type: Full Scan (C:\|)Objects scanned: 34504Time elapsed: 43 hour(s), 46 minute(s), 31 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 10Registry Values Infected: 0Registry Data Items Infected: 0Folders Infected: 0Files Infected: 2Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06687c38-bfad-4aa7-82f9-886b552ec0ca} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wpbjrnho (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{06687c38-bfad-4aa7-82f9-886b552ec0ca} (Trojan.Vundo.H) -> Delete on reboot.HKEY_CLASSES_ROOT\mjcore.mjcore (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\TypeLib\{e0f01490-dcf3-4357-95aa-169a8c2b2190} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{17e44256-51e0-4d46-a0c8-44e80ab4ba5b} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d88e1558-7c2d-407a-953a-c044f5607cea} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\mjcore.mjcore.1 (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\AppID\{80ef304a-b1c4-425c-8535-95ab6f1eefb8} (Trojan.BHO) -> Quarantined and deleted successfully.Registry Values Infected:(No malicious items detected)Registry Data Items Infected:(No malicious items detected)Folders Infected:(No malicious items detected)Files Infected:c:\WINDOWS\system32\zfjpbov.dll (Trojan.Vundo.H) -> Delete on reboot.C:\Program Files\Jcore\Jcore2.dll (Trojan.BHO) -> Quarantined and deleted successfully. Link to post Share on other sites More sharing options...
sjpritch25 Posted August 5, 2009 ID:106276 Share Posted August 5, 2009 Welcome to Malwarebytes!!!! Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix**Note: It is important that it is saved directly to your desktop**--------------------------------------------------------------------1. Close any open browsers.2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.--------------------------------------------------------------------Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.Note:Do not mouseclick combofix's window while it's running. That may cause it to stall Link to post Share on other sites More sharing options...
Krabby Posted August 5, 2009 Author ID:106363 Share Posted August 5, 2009 thanks! when i run combofix it says that it has been compromised and to download a fresh copy because i am infected with a patch called "virut". i am downloading it to my desktop btw. Link to post Share on other sites More sharing options...
sjpritch25 Posted August 6, 2009 ID:106493 Share Posted August 6, 2009 Okay i don't recommend fixing this infection because it infects all .exe files. Unfortunatley i recommend a re-install of Windows. That is really your best option.... Sorry.... Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted August 30, 2009 Root Admin ID:117105 Share Posted August 30, 2009 The Virut virus is a file infector infection. Most experts suggest a format/reinstall. Virut File Infector WarningYour system is infected with the Win32.Virut virus. Virus:Win32 VIRUTYour system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr) and also web pages (.html and .htm). However, the problem is that the virus has a number of bugs in its code, and as a result, it may misinfect a proportion of executable files and therefore, the files are corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.Backup all your documents and important items (personal data, work documents, etc) only. DO NOT backup any executable files (softwares) and screensavers (*.scr) or any web pages (*.html or *.htm). It attempts to infect any accessed .exe or .scr or .html/.htm files by appending itself to the executable.Also, try to avoid backing up compressed files (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.Disconnect it from any Network and do not share external USB drives or similar devices with any other computer as it can easily infect them as well if they're not protected from this Virus.Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts