Virus won't allow me to run programs

Theblackoutow · 04-19-2010, 01:18 AM

Hey guys, I need some help, I was recently infected with some sort of virus that won't let me run any program (except FF) and I really need help getting rid of this. Fast reply's please, this computer has to be functional by tomorrow.

deanj20 · 04-19-2010, 01:46 AM

Hey Theblackoutow,

Try running one of the versions of rkill in safe mode - try the exe first, and if that doesn't work, try the .com, the .scr and the .pif - one is bound to work.

Then, still in safe mode, run Malwarebytes Antimalware. Remove whatever it finds.

Then run HijackThis! and post your log here.

Theblackoutow · 04-19-2010, 02:19 AM

Thanks a lot dude, I ran the RKIll and that aloud me to run System Restore so I restored and everything is running fine but I'm running Malewarebytes now so I can make sure it's clean then I'll post the HiJack log.

Theblackoutow · 04-19-2010, 02:52 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:50 PM, on 4/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
--
End of file - 2919 bytes
Anything not look right?

**johnb35** · 04-19-2010, 03:16 AM

Can you post your malwarebytes log please? As far as your hijackthis log goes you can place a check next to these entries

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat

Then click on fix checked and post a fresh hijackthis log.

Theblackoutow · 04-19-2010, 10:38 AM

Are they really that big of a deal, I don't have the laptop anymore and I don't think their will be time to run another virus scan.

deanj20 · 04-19-2010, 12:19 PM

Quote:

Are they really that big of a deal, I don't have the laptop anymore and I don't think their will be time to run another virus scan.

Yes.
From www.file.net

Quote:

CFSServ.exe file information

The process ConfigFree(TM) Search for Wireless Devices Version belongs to the software TOSHIBA ConfigFree or ConfigFree(TM) or Remote Administrator v2.1 KWC by TOSHIBA CORPORATION (www.toshiba.com).

Description: File CFSServ.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 798,720 bytes (47% of all occurrence), 794,624 bytes, 544,768 bytes, 548,864 bytes.
The program has a visible window. The process starts upon Windows startup (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run). File CFSServ.exe is not a Windows core file. Program listens for or sends data on open ports to LAN or Internet. Therefore the technical security rating is 28% dangerous, however also read the users reviews.

Quote:

cru629.dat file information

The process belongs to the software cru629.dat by unknown.

Description: cru629.dat is located in the folder C:\Windows\System32 or sometimes in the folder C:\Windows. Known file sizes on Windows XP are 6,144 bytes (86% of all occurrence), 5,632 bytes, 10,240 bytes.
The program has a visible window. It is a file without information about the maker of this file. The process is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs). cru629.dat is not a Windows core file. cru629.dat seems to be a compressed file. Therefore the technical security rating is 42% dangerous, however also read the users reviews.

Theblackoutow · 04-19-2010, 11:23 PM

Okay, I deleted those files these files
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat

04-19-2010, 01:18 AM	#1
Theblackoutow Gigabyte Member Join Date: Dec 2009 Posts: 989	Virus won't allow me to run programs Hey guys, I need some help, I was recently infected with some sort of virus that won't let me run any program (except FF) and I really need help getting rid of this. Fast reply's please, this computer has to be functional by tomorrow. __________________ Top 20 Intel / ATI: 16.) 18269 -- Theblackoutow (i7 860 / 5850) MOBO: Asus P7P55 CPU: Intel i7 860 RAM: 8gb OCZ DDR3 GPU: Asus Radeon 5850 HD: Western Digital Caviar Black 1TB PSU: OCZ 700 watt modxstream CD/DVD: LG Dvd Drive Case: Antec 900 OS: Windows 7 Home Premium

04-19-2010, 01:46 AM	#2
deanj20 Gigabyte Member Join Date: Mar 2010 Location: Corpus Christi, TX Age: 30 Posts: 957	Hey Theblackoutow, Try running one of the versions of rkill in safe mode - try the exe first, and if that doesn't work, try the .com, the .scr and the .pif - one is bound to work. Then, still in safe mode, run Malwarebytes Antimalware. Remove whatever it finds. Then run HijackThis! and post your log here. __________________ *Jeremy Dean Online* deanMachine11 Specs: CPU: Intel Celeron Dual-Core E3300 @ 2.5GHz Mobo: Foxconn G41MXE-V RAM: 4GB Mushkin DDR3 667MHz GPU: 1GB Radeon HD5700 PSU: Cooler Master 450W

04-19-2010, 02:19 AM	#3
Theblackoutow Gigabyte Member Join Date: Dec 2009 Posts: 989	Thanks a lot dude, I ran the RKIll and that aloud me to run System Restore so I restored and everything is running fine but I'm running Malewarebytes now so I can make sure it's clean then I'll post the HiJack log. __________________ Top 20 Intel / ATI: 16.) 18269 -- Theblackoutow (i7 860 / 5850) MOBO: Asus P7P55 CPU: Intel i7 860 RAM: 8gb OCZ DDR3 GPU: Asus Radeon 5850 HD: Western Digital Caviar Black 1TB PSU: OCZ 700 watt modxstream CD/DVD: LG Dvd Drive Case: Antec 900 OS: Windows 7 Home Premium

04-19-2010, 02:52 AM	#4
Theblackoutow Gigabyte Member Join Date: Dec 2009 Posts: 989	Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:51:50 PM, on 4/18/2010 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18702) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe C:\Program Files\QuickTime\qttask.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart O20 - AppInit_DLLs: cru629.dat O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe -- End of file - 2919 bytes Anything not look right? __________________ Top 20 Intel / ATI: 16.) 18269 -- Theblackoutow (i7 860 / 5850) MOBO: Asus P7P55 CPU: Intel i7 860 RAM: 8gb OCZ DDR3 GPU: Asus Radeon 5850 HD: Western Digital Caviar Black 1TB PSU: OCZ 700 watt modxstream CD/DVD: LG Dvd Drive Case: Antec 900 OS: Windows 7 Home Premium

04-19-2010, 03:16 AM	#5
johnb35 Malware and Spam Assassin Join Date: Sep 2005 Location: Morris, Illinois Age: 42 Posts: 25,332	Can you post your malwarebytes log please? As far as your hijackthis log goes you can place a check next to these entries O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O20 - AppInit_DLLs: cru629.dat Then click on fix checked and post a fresh hijackthis log. __________________ MB - Gigabyte 970A-UD3 \|\| CPU - FX8350\|\| PSU - Corsair CMPSU-650TX 650W \|\| Memory - Corsair Vengeance 8GB (2 x 4GB) DDR3 1600 \|\| GPU - Sapphire HD6870 1GB \|\| HDD's - 500GB SATA III WD Caviar Black, 64gb SATA III Crucial SSD, 120GB Corsair Force 3 SSD\|\| Monitor - ASUS VE278Q Black 27" 1920x1080 2ms Full HD HDMI LED Backlight \|\| OS - Dual boot XP and 7 \|\| Case - Cooler Master HAF 912 \|\| Cpu cooler - CM Hyper 212 Plus

04-19-2010, 10:38 AM	#6
Theblackoutow Gigabyte Member Join Date: Dec 2009 Posts: 989	Are they really that big of a deal, I don't have the laptop anymore and I don't think their will be time to run another virus scan. __________________ Top 20 Intel / ATI: 16.) 18269 -- Theblackoutow (i7 860 / 5850) MOBO: Asus P7P55 CPU: Intel i7 860 RAM: 8gb OCZ DDR3 GPU: Asus Radeon 5850 HD: Western Digital Caviar Black 1TB PSU: OCZ 700 watt modxstream CD/DVD: LG Dvd Drive Case: Antec 900 OS: Windows 7 Home Premium

04-19-2010, 11:23 PM	#8
Theblackoutow Gigabyte Member Join Date: Dec 2009 Posts: 989	Okay, I deleted those files these files O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file) O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O20 - AppInit_DLLs: cru629.dat __________________ Top 20 Intel / ATI: 16.) 18269 -- Theblackoutow (i7 860 / 5850) MOBO: Asus P7P55 CPU: Intel i7 860 RAM: 8gb OCZ DDR3 GPU: Asus Radeon 5850 HD: Western Digital Caviar Black 1TB PSU: OCZ 700 watt modxstream CD/DVD: LG Dvd Drive Case: Antec 900 OS: Windows 7 Home Premium

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Having troubles with trojans - please help!	yogibeer	Computer Security	17	01-26-2010 01:38 PM
Unable to access internet	seedling	Computer Networking and Servers	18	12-12-2009 04:32 AM
EX tapping into computer	computerillitera	Computer Security	16	09-09-2008 11:23 PM
spyware problem	T34m1nat0r	Computer Security	16	09-05-2008 02:06 PM
Computer Problems - A joke	Darkomen	General Computer Chat	31	10-31-2005 06:37 PM