Virus won't allow me to run programs

Hey guys, I need some help, I was recently infected with some sort of virus that won't let me run any program (except FF) and I really need help getting rid of this. Fast replies please, this computer has to be functional by tomorrow.
 

deanj20

New Member
Hey Theblackoutow,

Try running one of the versions of rkill in safe mode - try the exe first, and if that doesn't work, try the .com, the .scr and the .pif - one is bound to work.

Then, still in safe mode, run Malwarebytes Antimalware. Remove whatever it finds.

Then run HijackThis! and post your log here. :D
 
Thanks a lot dude, I ran the RKill and that allowed me to run System Restore so I restored and everything is running fine but I'm running Malwarebytes now so I can make sure it's clean then I'll post the HiJack log.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:50 PM, on 4/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
--
End of file - 2919 bytes
Anything not look right?
 

johnb35

Administrator
Staff member
Can you post your malwarebytes log please? As far as your hijackthis log goes, you can place a check next to these entries:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat

Then click on fix checked and post a fresh hijackthis log.
 
Are they really that big of a deal, I don't have the laptop anymore and I don't think there will be time to run another virus scan.
 

deanj20

New Member
Are they really that big of a deal, I don't have the laptop anymore and I don't think there will be time to run another virus scan.

Yes.
From www.file.net
CFSServ.exe file information

The process ConfigFree(TM) Search for Wireless Devices Version belongs to the software TOSHIBA ConfigFree or ConfigFree(TM) or Remote Administrator v2.1 KWC by TOSHIBA CORPORATION (www.toshiba.com).

Description: File CFSServ.exe is located in a subfolder of "C:\Program Files". Known file sizes on Windows XP are 798,720 bytes (47% of all occurrence), 794,624 bytes, 544,768 bytes, 548,864 bytes.
The program has a visible window. The process starts upon Windows startup (see Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run). File CFSServ.exe is not a Windows core file. Program listens for or sends data on open ports to LAN or Internet. Therefore the technical security rating is 28% dangerous, however also read the users reviews.
cru629.dat file information

The process belongs to the software cru629.dat by unknown.

Description: cru629.dat is located in the folder C:\Windows\System32 or sometimes in the folder C:\Windows. Known file sizes on Windows XP are 6,144 bytes (86% of all occurrence), 5,632 bytes, 10,240 bytes.
The program has a visible window. It is a file without information about the maker of this file. The process is loaded during the Windows boot process (see Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs). cru629.dat is not a Windows core file. cru629.dat seems to be a compressed file. Therefore the technical security rating is 42% dangerous, however also read the users reviews.
 
Okay, I deleted these files:
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat
 