Hi there, I wonder if anyone can help, I was using my memory stick in the Uni computer room recently and somehow managed to bring a virus back onto my laptop, it has also spread to all of my USB sticks. With the memory sticks it creates a hidden folder called 'recycler' which I cannot access or delete, it also makes the USB sticks appear as folders instead of drives and the only way to access them is to right click and explore. When I did a scan of the laptop it said I had a 'W32.Ircbot' virus; I have since tried a load of different anti-virus software and none of them can find a problem when there obviously is one. I ran Hijackthis and have attached a copy of the log report - if anyone has any advice on how I can fix my laptop and memory sticks it would be much appreciated. Thank you. Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 21:36:57, on 26/06/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\windows\System32\smss.exe C:\windows\system32\winlogon.exe C:\windows\system32\services.exe C:\windows\system32\lsass.exe C:\windows\System32\Ati2evxx.exe C:\windows\system32\svchost.exe C:\windows\System32\svchost.exe C:\windows\system32\spoolsv.exe C:\WINDOWS\System32\basfipm.exe C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe C:\WINDOWS\system32\cisvc.exe C:\windows\system32\crypserv.exe C:\windows\system32\GS30s.exe C:\windows\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Spyware Terminator\sp_rsser.exe C:\windows\Explorer.EXE C:\windows\System32\svchost.exe C:\windows\System32\WLTRYSVC.EXE C:\windows\system32\ctfmon.exe C:\windows\System32\bcmwltry.exe F:\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = : R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - (no file) O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file) O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\windows\System32\shdocvw.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\windows\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\windows\System32\shdocvw.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Wash N' Go - {B8A01A8F-6FE9-11db-9125-00105AA09764} - C:\Program Files\RedLeg\Wash N' Go\WashN'Go.exe O9 - Extra 'Tools' menuitem: Wash N' Go - {B8A01A8F-6FE9-11db-9125-00105AA09764} - C:\Program Files\RedLeg\Wash N' Go\WashN'Go.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\System32\shdocvw.dll O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\System32\shdocvw.dll O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - C:\Program Files\Yahoo!\Common\yinsthelper.dll O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = A2 O17 - HKLM\Software\..\Telephony: DomainName = A2 O20 - AppInit_DLLs: secuload.dll O23 - Service: Ati HotKey Poller - Unknown owner - C:\windows\System32\Ati2evxx.exe O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\windows\SYSTEM32\crypserv.exe O23 - Service: GS30s - Unknown owner - C:\windows\SYSTEM32\GS30s.exe O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing) O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe O23 - Service: WLTRYSVC - Unknown owner - C:\windows\System32\WLTRYSVC.EXE -- End of file - 4815 bytes
Download trial version of "nod32-antivirus" and "counterspy". Make sure you get all definition files prior to doing full system scans. I can 99% say that these two programs will fix your problems.
Try these detailed options 1. “Disable System Restore” on all drives. http://download.nai.com/products/mcafee-avert/SystemHelpDocs/DisableSysRestore.htm 2. Backup any sensitive data to an external drive, cd, dvd, separate partition or flash drive etc. 3. Download CCleaner and save the file to your desktop. http://download.piriform.com/ccsetup209.exe a. Double click the install file b. Select the language and click OK c. Click next d. Click “I Agree” e. Click Next f. Untick the bottom checkbox and click install g. Click Finish h. You can delete the install file now or save it for future installations i. Open CCleaner from the desktop shortcut j. Click on the “Applications” tab and make sure all are ticked k. Click on “Analyze” at bottom l. Once finished scan click on run cleaner, bottom right m. Click on thr “Registry” button on the left panel n. Select “Scan for Issues” o. Click “Fix selected Issues” When asked to make a backup click YES and save the file somewhere safe p. Click on “Fix All Selected Issues” q. Click OK, Click close r. Repeat steps from letter “K” to “Q” s. Close the program. 4. Download all three files to a folder on your desktop. Extract both zip files to the same folder. double click the sysclean file and follow the prompt. Click on the advanced button underneath for more options prior to scanning. SystemClean http://www.trendmicro.com/ftp/products/tsc/sysclean.com Virus Patten File http://www.trendmicro.com/ftp/products/pattern/lpt383.zip Malware Patten File http://www.trendmicro.com/ftp/products/pattern/spyware/ssapi/ssapiptn663.zip 5. Download CWShredder and scan your system for “CoolWebSearch” malware. http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe While trying all these different programs make sure you limit Real-time Anti-Virus programs to one per system at any time. If you decide to try a different anti-virus make sure to uninstall the current one. Try and use the same rule for Anti-Spyware programs with real-time functuality aswell. Otherwise you will compromise your system resources. After completing steps, restart your system and use CCleaner again once restarted. Then carry on to next task. 6. Download Trial version of Nod32 Anti-Virus 3.0 for Windows XP/2000/Vista (32-bit) http://download1.eset.com/eval/win/eav/eav_nt32_enu.msi for Windows XP/2000/Vista (64-bit ONLY) http://download1.eset.com/eval/win/eav/eav_nt64_enu.msi Installation mode: Typical Enable threatsense early warning system Enable Detection of potentially unwanted applications You have now finished the install. Restart the computer and then right click on the Nod32 bottom toolbar icon and select “update”. Now you can scan your pc so again right click on the toolbar icon and select “computer scan”. Select “My Computer” and then select “Scan” at the bottom right. Wait for scan to finish to review results making sure any Bad files are Quarantined. 7. Download and install Counterspy v2 trial version for 15 day fully functional. http://go.sunbelt-software.com/?linkid=410 a. Click Next b. Agree to the license agreement c. Click Next d. Click Next again e. Click Install f. Click Finish – The check box above should be ticked to open the program. g. Click next – Getting Started h. Click next if using demo version i. Click next to enable automatic updates j. Select “YES” and Select “CAUTIOUS” then Next k. Select “YES” then Finish l. Select “Enter Counterspy Now” To update the CounterSpy application and security risk definitions Click Updates on the toolbar or select File - Check for updates... from the menu bar. The Update Services window opens and downloads the available updates. After it is complete, click Close. m. Now you are ready for a full system scan n. Select “System Scan” from the left menu o. Select “Full System” p. Select “Low Risk Programs” q. Select “Cookies” r. Select “Save Options” s. Above Select “Scan Now” Please wait for scan to complete. To be on the safe side “Quarantine All Objects”. Now click on “System Tools” and click “My PC Checkup” and Click “Start”. Click Continue and “OK”. Now go back into “System Tools” and select “PC Explorer”. Here you can check startup programs, ActiveX controls, BHO files, and much more. If unsure how to use leave as is for now. 8. Restart your PC. 9. You can do a scan with CCleaner again. 10. Next you can do a quick Spyware Audit which won’t actually install any program but just check the system for infection to see where we are in the fight against Spyware/Viruses a. Go here and follow the prompts. If you have no internet, skip this step. http://www.webroot.com/services/entaudit/auditbegin.php b. Click on the link and save the file to your “Desktop” c. Run the file and wait for all 5 steps to finish d. View the displayed results. If your system only shows cookies then you’re OK. If your system has any other one of three groups then more work needs to be done. 11. Now if you’re using Windows XP let’s make sure you have the latest Service Pack. a. Open CCleaner and in the top Heading is a System Spec List. b. Where is says “MS Windows XP SP 1, 2 or 3. c. If you have anything below SP3 you should download the following file: http://download.windowsupdate.com/m..._c81472f7eeea2eca421e116cd4c03e2300ebfde4.exe d. Save the file to your desktop and then install by following the prompts. e. You will probably need to restart your system after the install. 12. Now we want to check what internet explorer you currently use. The latest is “Internet Explorer 7”. a. Open internet explorer and click on “help” in the top toolbar. b. Click on “About Internet Explorer”. If you have version 6 or below you need to upgrade to version 7. c. Download it here: http://www.microsoft.com/downloads/...BE-3385-447C-8A30-081805B2F90B&displaylang=en d. Click the download button and save the file to your desktop. e. Open the file and follow the prompt. 13. Now we are going to check your firewall security. If you currently run a software firewall other than the windows system firewall then I would suggest uninstalling it and replacing it with a network router which supports NAT (network address translation). If you cannot afford one straight away then leave it installed for the time being. You may already have a router or it maybe built into your Broadband Modem. A router makes your PC merely invisible to the outside world by displaying dummy IP Addresses. a. Go to this website https://www.grc.com/x/ne.dll?bh0bkyd2 b. Please have a short read prior to taking first test. c. Click on “Proceed” d. Click on each test option in the table File Sharing, Common Ports, All Service Ports, Message Spam and Browser Headers. e. Read your results after each test. The tests in Red are the most important. If your results do not come back as stealth and you are using a software firewall then it’s not really working for you. If your results do not come back as stealth and you have a network router then it is not configured correctly or the firmware needs updating. (see your hardware manufacturers website for this) If you have a router and a software firewall other than windows firewall then I would uninstall it and run the tests again. Software firewalls can be a major drag to your system and are too much work to maintain let alone configure. If you are not sure about an application wanting permission to access the outside world then the wrong decision could easily be made causing a security issue or your operating system functioning incorrectly. Watch the attached video: http://youtube.com/watch?v=1rsUefv-nlk If your windows firewall is disabled I would suggest tuning it back on. 14. Carry out a “disk cleanup” on your hard drives at least once per week. 15. Make sure you use “Defragmenter” at least once a month to keep files at a faster access rate. The more you do this the less amount of time is taken. 16. After all this and your system is still compromised/infected, Start your PC in "Safe Mode" http://www.computerhope.com/issues/chsafe.htm a. Do a full system scan with all mentioned software in this article. b. Please note that some programs don’t support safe mode and will not function.
