Futus.exe [Solved/Closed]

Report
Posts
1
Registration date
Wednesday February 17, 2010
Status
Member
Last seen
February 17, 2010
-
Posts
48725
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
June 23, 2020
-
Hello,

I have this futus.exe running on my services and it eats up my CPU usage. It booms to 100% even if I have just turned on the computer and I haven't load any applications yet. I tried removing it in the startup (msconfig) but when it restarts, it creates another futus.exe that eats my CPU usage again.

I tried searching for this file (with "show hidden files/folder" enabled), but it does not show up in search.

I also have this Rgd.exe that is accompanying this futus.exe.


Please do help me. Thanks!

5 replies

Posts
48725
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
June 23, 2020
15,377
Hello,

Very interesting indeed! I am curious to know as to where this futus.exe came from.

The rgd.exe file you have is a virus and has been known to show the following behaviour:

Added as a Registry auto start to load Program on Boot up
Executed as a Process
Copied to multiple locations on the system
Registered as a Dynamic Link Library File
Created as a process on disk
Deleted as a process from disk
Executed from Temporary Folders
Has code inserted into its Virtual Memory space by other programs

The origin is Spain and the UK.

For a start, I suggest you download, install and run a Full scan with Malwarebyte which you can download by following this link.

https://ccm.net/download/download-105-malwarebytes

Before the scan, please update the tool.

Please let me know how successful you were. If the virus was not completely removed, I would appreciate a hyjackthis log. Thank you.

Best regards
1
Thank you

A few words of thanks would be greatly appreciated. Add comment

CCM 2863 users have said thank you to us this month

Thanks a lot. I will try scanning my computer with this app. I have a feeling that this futus.exe is accompanied by Rgd.exe. But I could be wrong.

Anyway, I tried deleting this futus.exe in the Registry but it shows up when I restart. Also, I cannot terminate its processes in the Task Manager. Even if I end it, it does not leave my Processes.

As I am typing this, I am running Malwarebytes in the background.

Here's the HijackThis log of my system:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:24 PM, on 2/18/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Documents and Settings\Dyei\futus.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Dyei\My Documents\Downloads\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.msn.com/fr-fr/?ocid=iehp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [EPSON Stylus C59 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_S8C.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [futus] C:\Documents and Settings\Dyei\futus.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\WEB2~1\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {52A2AAAE-085D-4187-97EA-8C30DB990436} - http://localhost/iishelp/common/i386.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
Posts
48725
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
June 23, 2020
15,377
Hello,

I am anxious to know if Malwarebyte did the tric, it usually does.

As far as I am concerned rgd.exe and futus.exe make a pair, as a matter of a fact it is the rgd.exe that created futus.

Yes, I noticed that, O4 - HKCU\..\Run: [futus] C:\Documents and Settings\Dyei\futus.exe was present. It was possoble to try to remove it with Hyjackthis although Hyjackthis is not omnipotent. Of course Futus is in the processes.

I have not noticed anything else peculiar in the log. Have you?

Looking forward to hear from you.
After trying Malwarebyte, it found some malwares and deleted them. But unfortunately, Futus.exe still remains in my system. D: Gah.
I tried deleting futus.exe in HijackThis and it's gone! :3 No more futus.exe, even on startup after reboot. I think this futus.exe is just a product of the Rgd.exe or another malware.

Will update you if this futus.exe appears again!
Posts
48725
Registration date
Monday February 1, 2010
Status
Moderator
Last seen
June 23, 2020
15,377
You are totally welcome!

Deleting the key with HJT was the next step I was to suggest to you.

Here is my final recommendation:

Now that your computer seems to be clean, juust to be on the safe side,

•Turn off system restore and wait 30 seconds,
•Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging.