
xp virus problem

Discussion in 'Virus & Other Malware Removal' started by jyoti1313, Nov 2, 2011.

Thread Status:
Not open for further replies.
  1. jyoti1313

    jyoti1313 Thread Starter

    Joined:
    Oct 15, 2011
    Messages:
    8
    I have an Intel P4 PC. I formatted it. When I connect broadband, IE works fine for the first time but then IE got corrupted. I formatted all drives and installed a fresh XP. After it I installed the LAN card driver from a CD. But again IE worked only one time, then again got corrupted. Now I tried to install Avast, Avira, AVG, Kaspersky but none of them got installed. There is no data in my XP. Please tell how to overcome this?

    I have run hijack.exe, dds.scr, GMER.exe

    Contents of hijackthis.log


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:12:25 PM, on 11/2/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    F:\0y8uduo5.exe
    F:\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\uninstall_.exe

    --
    End of file - 1683 bytes


    The contents of the DDS.txt file.

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13
    Run by jyoti at 17:12:57 on 2011-11-02
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228.79 [GMT 5.5:30]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    F:\0y8uduo5.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe [2011-10-31 184320]
    R3 amsint32;amsint32;\??\c:\windows\system32\drivers\lpjvjn.sys --> c:\windows\system32\drivers\lpjvjn.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-11-01 11:51:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-11-01 11:50:50 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-11-01 10:52:35 -------- d-----w- c:\windows\SxsCaPendDel
    .
    ==================== Find3M ====================
    .
    2011-10-31 15:31:41 103140 --sh--r- C:\juyuh.exe
    2011-10-31 15:30:46 184320 --sh--r- c:\windows\fonts\uninstall_.exe
    .
    ============= FINISH: 17:13:20.92 ===============



    The contents of the ark.txt file.


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2011-11-02 17:11:37
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST380011A rev.8.01
    Running: 0y8uduo5.exe; Driver: C:\DOCUME~1\jyoti\LOCALS~1\Temp\fflcafog.sys


    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\Fonts\uninstall_.exe (*** hidden *** ) 1684

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\lpjvjn.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----



    I have attached "attach.txt" with this post


    After running GMER.exe I got WARNING: GMER has found system modification caused by ROOTKIT activity
     

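A triage pass over the log lines above, as an added example that is not part of the thread: it takes the HijackThis O23 line, the DDS service line and the two Find3M entries from jyoti1313's post (plus one constructed benign O23 line) and flags the three things oldman960's reply rests on: a service binary living under the Fonts directory, a service whose driver file DDS could not find (the `[?]` marker, which GMER's "cannot find the file specified" confirms), and executables carrying the hidden and system attribute bits. The rule names and the list of "odd" directories are my assumptions, not output of either tool.

```python
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis and DDS logs in the post above;
# the spoolsv.exe O23 line is constructed as a benign control.
SAMPLE_LINES = [
    r"O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\uninstall_.exe",
    r"R3 amsint32;amsint32;\??\c:\windows\system32\drivers\lpjvjn.sys --> c:\windows\system32\drivers\lpjvjn.sys [?]",
    r"2011-10-31 15:31:41 103140 --sh--r- C:\juyuh.exe",
    r"2011-10-31 15:30:46 184320 --sh--r- c:\windows\fonts\uninstall_.exe",
    r"O23 - Service: Print Spooler - Unknown owner - C:\WINDOWS\system32\spoolsv.exe",
]

# Hypothetical list: directories where a Windows service binary has no business living.
ODD_SERVICE_DIRS = ("\\fonts\\", "\\temp\\", "\\documents and settings\\")
EXEC_EXT = (".exe", ".scr", ".dll", ".sys")

# HijackThis O23 entry: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# DDS service/driver entry whose file info could not be read ("[?]" at the end)
DDS_SVC_RE = re.compile(r"^R\d \S+;.*-->\s*(?P<path>\S+)\s+\[\?\]$")
# DDS Find3M entry: "<date> <time> <size> <attrs> <path>", attrs is an 8-char field
FIND3M_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attrs>\S{8})\s+(?P<path>.+)$")


@dataclass
class Finding:
    rule: str
    path: str
    line: str


def find_indicators(lines):
    """Return a list of Finding objects for the lines that match a triage rule."""
    findings = []
    for raw in lines:
        line = raw.strip()

        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if any(d in path.lower() for d in ODD_SERVICE_DIRS):
                findings.append(Finding("service-binary-in-odd-dir", path, line))
            continue

        m = DDS_SVC_RE.match(line)
        if m:
            # The service is registered but DDS could not stat the driver it points at.
            findings.append(Finding("service-driver-missing", m.group("path"), line))
            continue

        m = FIND3M_RE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            # 's' = system, 'h' = hidden; both set on a user-land executable is a red flag.
            if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT):
                findings.append(Finding("hidden-system-executable", path, line))
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_LINES):
        print(f"{f.rule:28} {f.path}")
```

Run it as-is to see the four findings; feed it a whole HijackThis or DDS log (one line per list element) and the benign lines fall through untouched, as the spoolsv.exe control shows.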

  2. oldman960

    oldman960

    Joined:
    Apr 7, 2010
    Messages:
    166
    Hi jyoti1313, welcome to the forum.

    Bad news I'm afraid. You are infected with a file infector called Virut.

    Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe
    http://www.threatexpert.com/report.aspx?md5=22fa144b70bab8dc0e87fa961da88546


    This infection can and will infect all the machine's executable files .exe, .scr plus .html and .htm. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Recent variants also modify asp and php files.

    More information can be found here and here and here.



    A Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .htm, .html files.
    • Backup all your documents and important items only, data/documents/pictures/movies/songs/etc..
    • DO NOT backup any executable files (.exe .scr .html or .htm)
    • All programs should be downloaded afresh, not reinstalled from backup copies
    • Any security programs should be downloaded on a clean computer before hand and installed before connecting the newly formatted system to the internet.
    • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
    • Reformat and Reinstall as outlined HERE
    • or HERE
    A CD would be best, but a blank USB device will work. Make sure there aren't any executables on it.
    If you are going to use a USB device, I suggest you use a freshly formatted one. After formatting it, use FDD on it before attaching it to the infected computer.

    Be further advised that these infections may have backdoor capabilities.


    I suggest you do the following immediately:
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
    Feel free to ask any questions, but keep in mind a Reformat is the only way to clean this computer.
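The backup rule in the reply above (documents only; no .exe, .scr, .html or .htm; no archives that may hold them) turned into a screening script, added here and not from the post or from the forum's tools. It walks a folder, blocks the listed extensions outright, opens .zip files to check whether any member carries a blocked extension (going a little beyond the post, which excludes all archives), and excludes .cab/.rar archives it cannot inspect. The sample files it creates are constructed, and the verdict labels are my own.

```python
import os
import tempfile
import zipfile

# Extensions the reply says must not be carried over to the clean machine.
BLOCKED_EXT = {".exe", ".scr", ".html", ".htm"}
# Archive types the reply warns about; only .zip can be inspected with the stdlib.
ARCHIVE_EXT = {".zip", ".cab", ".rar"}


def classify_file(path):
    """Return (verdict, reason); verdict is 'ok', 'blocked', 'archive-blocked' or 'archive-unreadable'."""
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXT:
        return "blocked", f"file type {ext} can carry the infection"
    if ext in ARCHIVE_EXT:
        if ext != ".zip":
            return "archive-blocked", f"{ext} archive cannot be inspected here, may contain executables"
        try:
            with zipfile.ZipFile(path) as zf:
                bad = [n for n in zf.namelist()
                       if os.path.splitext(n)[1].lower() in BLOCKED_EXT]
        except zipfile.BadZipFile:
            return "archive-unreadable", "cannot inspect archive contents"
        if bad:
            return "archive-blocked", "archive contains " + ", ".join(bad)
        return "ok", "archive inspected, no blocked file types inside"
    return "ok", "data file"


def screen_tree(root):
    """Classify every file under root; keys are paths relative to root."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            results[os.path.relpath(full, root)] = classify_file(full)
    return results


def build_sample_tree(root):
    """Write constructed sample files (not from the post) into root."""
    def write(name, data):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    write("notes.txt", b"shopping list")
    write("photo.jpg", b"\xff\xd8\xff")
    write("setup.exe", b"MZ")
    write("page.html", b"<html></html>")
    write("stuff.rar", b"Rar!")
    with zipfile.ZipFile(os.path.join(root, "clean.zip"), "w") as zf:
        zf.writestr("docs/readme.txt", "plain text")
    with zipfile.ZipFile(os.path.join(root, "mixed.zip"), "w") as zf:
        zf.writestr("docs/readme.txt", "plain text")
        zf.writestr("tools/helper.exe", "MZ")


def demo():
    """Build the sample tree in a temp dir and return the screening results."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return screen_tree(root)


if __name__ == "__main__":
    for rel, (verdict, reason) in sorted(demo().items()):
        print(f"{verdict:18} {rel:12} {reason}")
```

Point `screen_tree()` at the folder you intend to copy off the infected machine and only move the files it marks `ok`; anything else gets downloaded fresh on the clean system, as the reply says.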
     
Short URL to this thread: https://techguy.org/1025090