xp virus problem

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jyoti1313

Thread Starter
Joined
Oct 15, 2011
Messages
8
I have an Intel P4 PC. I formatted it. When I connect broadband, IE works fine the first time, but then IE gets corrupted. I formatted all drives and installed a fresh XP. After that I installed the LAN card driver from a CD. But again IE worked only one time, then got corrupted again. Now I tried to install Avast, Avira, AVG and Kaspersky, but none of them would install. There is no data in my XP. Please tell me how to overcome this?

I have run hijack.exe, dds.scr and GMER.exe.

Contents of hijackthis.log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:12:25 PM, on 11/2/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
F:\0y8uduo5.exe
F:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\uninstall_.exe

--
End of file - 1683 bytes


The contents of the DDS.txt file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by jyoti at 17:12:57 on 2011-11-02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228.79 [GMT 5.5:30]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
F:\0y8uduo5.exe
.
============== Pseudo HJT Report ===============
.
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
============= SERVICES / DRIVERS ===============
.
R2 Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe [2011-10-31 184320]
R3 amsint32;amsint32;\??\c:\windows\system32\drivers\lpjvjn.sys --> c:\windows\system32\drivers\lpjvjn.sys [?]
.
=============== Created Last 30 ================
.
2011-11-01 11:51:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-11-01 11:50:50 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-11-01 10:52:35 -------- d-----w- c:\windows\SxsCaPendDel
.
==================== Find3M ====================
.
2011-10-31 15:31:41 103140 --sh--r- C:\juyuh.exe
2011-10-31 15:30:46 184320 --sh--r- c:\windows\fonts\uninstall_.exe
.
============= FINISH: 17:13:20.92 ===============



The contents of the ark.txt file:


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-02 17:11:37
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST380011A rev.8.01
Running: 0y8uduo5.exe; Driver: C:\DOCUME~1\jyoti\LOCALS~1\Temp\fflcafog.sys


---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\Fonts\uninstall_.exe (*** hidden *** ) 1684

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\lpjvjn.sys The system cannot find the file specified. !

---- EOF - GMER 1.0.15 ----



I have attached "attach.txt" with this post


After running GMER.exe I got the warning:
"WARNING: GMER has found system modification caused by ROOTKIT activity"

Attachments

Joined
Apr 7, 2010
Messages
166
Hi jyoti1313, welcome to the forum.

Bad news I'm afraid. You are infected with a file infector called Virut.

Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe
http://www.threatexpert.com/report.aspx?md5=22fa144b70bab8dc0e87fa961da88546


This infection can and will infect all the machine's executable files .exe, .scr plus .html and .htm. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

Recent variants also modify asp and php files.

More information can be found here and here and here.



A Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .htm, .html files.
  • Backup all your documents and important items only, data/documents/pictures/movies/songs/etc.
  • DO NOT backup any executable files (.exe .scr .html or .htm)
  • All programs should be downloaded afresh, not reinstalled from backup copies
  • Any security programs should be downloaded on a clean computer beforehand and installed before connecting the newly formatted system to the internet.
  • Do Not back up compressed files (zip/cab/rar) that may contain .exe or .scr files
  • Reformat and Reinstall as outlined HERE
  • or HERE
A CD would be best, but a blank USB device will work. Make sure there aren't any executables on it.
If you are going to use a USB device, I suggest you use a freshly formatted one. After formatting it, use FDD on it before attaching it to the infected computer.

Be further advised that these infections may have backdoor capabilities.


I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
Feel free to ask any questions, but keep in mind a Reformat is the only way to clean this computer.
 
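The backup rules in the reply above (skip .exe/.scr/.html/.htm, skip zip/cab/rar archives that may hold them) as a checking script to run over a staged backup before it goes anywhere near the clean machine. This is an added example, not code from the thread or from any tool named in it; it goes one step beyond the list by also flagging files that carry a PE "MZ" header under a non-executable extension, and the sample tree it builds is constructed here.

```python
import os
import tempfile
import zipfile
# Extensions the reply says Virut rewrites, and archives that may hide such members.
INFECTABLE_EXT = {".exe", ".scr", ".html", ".htm"}
ARCHIVE_EXT = {".zip", ".cab", ".rar"}

def _ext(name):
    return os.path.splitext(name)[1].lower()
def _is_pe(path):
    # Windows executables start with the 'MZ' DOS header, whatever the extension says.
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def triage_backup(root):
    """Return sorted (relative_path, reason) pairs for files that must not be restored."""
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = _ext(name)
            if ext in INFECTABLE_EXT:
                flagged.append((rel, "infectable extension " + ext))
            elif ext == ".zip" and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    bad = sorted(m for m in zf.namelist() if _ext(m) in INFECTABLE_EXT)
                if bad:
                    flagged.append((rel, "archive contains " + ", ".join(bad)))
            elif ext in ARCHIVE_EXT:  # .cab/.rar or a corrupt .zip: not inspected, so exclude
                flagged.append((rel, "uninspected archive " + ext))
            elif _is_pe(full):
                flagged.append((rel, "PE header under non-executable extension"))
    return sorted(flagged)

def build_sample_backup():
    """Constructed sample tree (not from the thread) so the triage runs offline."""
    root = tempfile.mkdtemp(prefix="backup_triage_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {"docs/notes.txt": b"plain text, safe to keep\n",
               "docs/page.htm": b"<html></html>\n",
               "setup.exe": b"MZ" + b"\0" * 64,
               "photo.jpg": b"MZ" + b"\0" * 64}  # executable disguised as an image
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "ok")
        zf.writestr("bin/helper.scr", "MZ")  # executable hidden inside an archive
    return root
```

Run `triage_backup(build_sample_backup())` to see the four flagged entries; only docs/notes.txt passes.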