
xp virus problem

Discussion in 'Virus & Other Malware Removal' started by jyoti1313, Nov 2, 2011.

Thread Status:
Not open for further replies.
  1. jyoti1313

    jyoti1313 Thread Starter

    Oct 15, 2011
    I have an Intel P4 PC. I formatted it. When I connect broadband, IE works fine the first time, but then IE gets corrupted. I formatted all drives and installed a fresh XP. After that I installed the LAN card driver from a CD, but again IE worked only one time and then got corrupted. Now I tried to install Avast, Avira, AVG and Kaspersky, but none of them would install. There is no data in my XP. Please tell me how to overcome this?

    I have run hijack.exe, dds.scr and GMER.exe.

    contents of hijackthis.log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 5:12:25 PM, on 11/2/2011
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0013)
    Boot mode: Normal

    Running processes:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Windows Hosts Controller - Unknown owner - C:\WINDOWS\Fonts\uninstall_.exe

    End of file - 1683 bytes

    the contents of the DDS.txt file.

    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.5730.13
    Run by jyoti at 17:12:57 on 2011-11-02
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.228.79 [GMT 5.5:30]
    ============== Running Processes ===============
    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    ============== Pseudo HJT Report ===============
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mPolicies-system: EnableLUA = 0 (0x0)
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    ============= SERVICES / DRIVERS ===============
    R2 Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe [2011-10-31 184320]
    R3 amsint32;amsint32;\??\c:\windows\system32\drivers\lpjvjn.sys --> c:\windows\system32\drivers\lpjvjn.sys [?]
    =============== Created Last 30 ================
    2011-11-01 11:51:06 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
    2011-11-01 11:50:50 -------- d-----w- c:\documents and settings\all users\application data\MFAData
    2011-11-01 10:52:35 -------- d-----w- c:\windows\SxsCaPendDel
    ==================== Find3M ====================
    2011-10-31 15:31:41 103140 --sh--r- C:\juyuh.exe
    2011-10-31 15:30:46 184320 --sh--r- c:\windows\fonts\uninstall_.exe
    ============= FINISH: 17:13:20.92 ===============

    the contents of the ark.txt file.

    GMER - http://www.gmer.net
    Rootkit scan 2011-11-02 17:11:37
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST380011A rev.8.01
    Running: 0y8uduo5.exe; Driver: C:\DOCUME~1\jyoti\LOCALS~1\Temp\fflcafog.sys

    ---- Processes - GMER 1.0.15 ----

    Process C:\WINDOWS\Fonts\uninstall_.exe (*** hidden *** ) 1684

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\lpjvjn.sys The system cannot find the file specified. !

    ---- EOF - GMER 1.0.15 ----

    I have attached "attach.txt" with this post

    After running GMER.exe I got this WARNING: "GMER has found system modification caused by ROOTKIT activity".


  2. oldman960


    Apr 7, 2010
    Hi jyoti1313, welcome to the forum.

    Bad news I'm afraid. You are infected with a file infector called Virut.

    Windows Hosts Controller;Windows Hosts Controller;c:\windows\fonts\uninstall_.exe

    This infection can and will infect all the machine's executable files .exe, .scr plus .html and .htm. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair resulting in an inoperative machine.

    Recent variants also modify asp and php files.

    More information can be found here and here and here.

    A Complete Reformat and Reinstall is the only way to clean the infection. This includes All Drives that contain .exe, .scr, .htm, .html files.
    • Backup all your documents and important items only, data/documents/pictures/movies/songs/etc..
    • DO NOT backup any executable files (.exe, .scr, .html or .htm)
    • All programs should be downloaded afresh, not reinstalled from backup copies
    • Any security programs should be downloaded on a clean computer before hand and installed before connecting the newly formatted system to the internet.
    • Do Not back up compressed files (zip/cab/rar) files that may contain .exe or .scr files
    • Reformat and Reinstall as outlined HERE
    • or HERE
    A CD would be best, but a blank USB device will work. Make sure there aren't any executables on it.
    If you are going to use a USB device, I suggest you use a freshly formatted one. After formatting it, use FDD on it before attaching it to the infected computer.

    Be further advised that these infections may have backdoor capabilities.

    I suggest you do the following immediately:
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
    Feel free to ask any questions, but keep in mind a Reformat is the only way to clean this computer.
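The backup rules in the reply above (copy data only; never copy .exe, .scr, .htm, .html, or archives that may hold them) can be checked mechanically before anything is moved off the infected drive. The script below is an added example written for this thread, not code posted by oldman960 or by Tech Support Guy. It walks a folder that is about to be backed up and reports, per file, whether it is safe to copy under those rules; .zip archives are opened and their member names inspected with the standard library, while .rar, .cab and .7z archives cannot be inspected offline here and are excluded outright. The sample directory it creates is constructed for the demonstration, and the .asp/.php extensions are included because the reply notes recent variants modify those too.

```python
"""Backup pre-check for the reformat-and-reinstall advice in the thread.

Added example, not from the thread. Run it against the folder you intend
to back up; anything reported as 'skip' must not be copied to the CD/USB.
"""
import os
import tempfile
import zipfile

# File types the reply says Virut infects (.asp/.php per "recent variants").
INFECTABLE = {".exe", ".scr", ".htm", ".html", ".asp", ".php"}
# Archives the standard library can open and list offline.
INSPECTABLE_ARCHIVES = {".zip"}
# Archives we cannot inspect here; excluded conservatively, as the reply advises.
OPAQUE_ARCHIVES = {".rar", ".cab", ".7z"}


def _ext(name):
    return os.path.splitext(name)[1].lower()


def zip_contains_infectable(path):
    """True if any member of the zip is an infectable file or a nested archive.

    A nested archive cannot be vetted from the member list alone, so it is
    treated as unsafe. An unreadable zip is also treated as unsafe.
    """
    try:
        with zipfile.ZipFile(path) as zf:
            for member in zf.namelist():
                e = _ext(member)
                if e in INFECTABLE or e in INSPECTABLE_ARCHIVES or e in OPAQUE_ARCHIVES:
                    return True
    except zipfile.BadZipFile:
        return True
    return False


def classify(path):
    """Return (verdict, reason) for one file; verdict is 'copy' or 'skip'."""
    e = _ext(path)
    if e in INFECTABLE:
        return "skip", "infectable extension " + e
    if e in OPAQUE_ARCHIVES:
        return "skip", "archive that cannot be inspected offline"
    if e in INSPECTABLE_ARCHIVES:
        if zip_contains_infectable(path):
            return "skip", "archive contains executable/web content"
        return "copy", "archive inspected, data only"
    return "copy", "data file"


def plan_backup(root):
    """Walk root and return {relative_path: (verdict, reason)}."""
    plan = {}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            full = os.path.join(dirpath, f)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            plan[rel] = classify(full)
    return plan


def build_sample_tree():
    """Constructed sample folder mixing documents, media, executables and archives."""
    root = tempfile.mkdtemp(prefix="backup_check_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "thesis.doc"), "wb") as fh:
        fh.write(b"word document")
    with open(os.path.join(root, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff")
    with open(os.path.join(root, "setup.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with zipfile.ZipFile(os.path.join(root, "songs.zip"), "w") as zf:
        zf.writestr("track1.mp3", b"id3")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("tool.exe", b"MZ")
    with open(os.path.join(root, "old.rar"), "wb") as fh:
        fh.write(b"Rar!")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel, (verdict, reason) in sorted(plan_backup(sample).items()):
        print(f"{verdict:4}  {rel:18}  {reason}")
```

Point `plan_backup()` at the real folder instead of the constructed one to get the copy/skip list; only the 'copy' entries go onto the backup medium, which matches the reply's rule of backing up documents and media but no executables or opaque archives.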
Short URL to this thread: https://techguy.org/1025090

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice