# Virus won't allow me to run programs



## Theblackoutow (Apr 19, 2010)

Hey guys, I need some help, I was recently infected with some sort of virus that won't let me run any program (except FF) and I really need help getting rid of this. Fast reply's please, this computer has to be functional by tomorrow.


----------



## deanj20 (Apr 19, 2010)

Hey Theblackoutow,

Try running one of the versions of *rkill* in *safe mode* - try the exe first, and if that doesn't work, try the .com, the .scr and the .pif - one is bound to work.

Then, still in safe mode, run Malwarebytes Antimalware. Remove whatever it finds. 

Then run HijackThis! and post your log here.


----------



## Theblackoutow (Apr 19, 2010)

Thanks a lot dude, I ran the RKIll and that aloud me to run System Restore so I restored and everything is running fine but I'm running Malewarebytes now so I can make sure it's clean then I'll post the HiJack log.


----------



## Theblackoutow (Apr 19, 2010)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:51:50 PM, on 4/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.toshiba.com/search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O20 - AppInit_DLLs: cru629.dat
O20 - Winlogon Notify: GoToAssist Express Customer - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_winlogon.dll
O23 - Service: GoToAssist Express Customer - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist Express Customer\209\g2ax_service.exe
--
End of file - 2919 bytes
Anything not look right?


----------



## johnb35 (Apr 19, 2010)

Can you post your malwarebytes log please?  As far as your hijackthis log goes you can place a check next to these entries 

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat

Then click on fix checked and post a fresh hijackthis log.


----------



## Theblackoutow (Apr 19, 2010)

Are they really that big of a deal, I don't have the laptop anymore and I don't think their will be time to run another virus scan.


----------



## deanj20 (Apr 19, 2010)

> Are they really that big of a deal, I don't have the laptop anymore and I don't think their will be time to run another virus scan.



Yes. 
From www.file.net


> CFSServ.exe file information
> 
> The process ConfigFree(TM) Search for Wireless Devices Version belongs to the software TOSHIBA ConfigFree or ConfigFree(TM) or Remote Administrator v2.1 KWC by TOSHIBA CORPORATION (www.toshiba.com).
> 
> ...





> cru629.dat file information
> 
> The process belongs to the software cru629.dat by unknown.
> 
> ...


----------



## Theblackoutow (Apr 19, 2010)

Okay, I deleted those files these files
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no  file)
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program  Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: cru629.dat


----------

