A virus is about to kill my internet.
Like, any minute now. The virus causes my computers to load user settings from C:/RECYCLER/*gibberish numbers*/*gibberish numbers* every time I boot my computer. This has just started happening on my laptop, and my desktop computer began doing this 3 days before. The virus started by uninstalling and deleting Norton360. I tried to install AVG to do a quick scan for the virus, but the virus seems to be preventing me from installing it as well. Now the desktop computer cannot access the internet through some programs, including internet browsers (though Skype and IM's still work at the moment). Now my laptop has the same virus and I would guess has about 3 days left before I can no longer access the internet.
I've tried both automatic and manual searches of the C: Drive and I can't find any files related to the user information it keeps loading when I boot the computer. Help? |
I can't verify anything about this fix, but with the information you've given me, it's worth a shot.
1. Open your Windows Task Manager and click the Processes tab.
2. Locate CTFMON.EXE, select it and click End Task.
3. Open your startup menu, then locate the CTFMON.EXE and delete it.
4. Search for it (CTFMON.EXE) using your search tool, which usually resides in the Startup menu, not in your %sysdir%\system32 folder, then delete it.
5. Click Start -> Run and type cmd, then go to your root directory by issuing the command cd\
6. Type attrib -r -s -h +a *.inf then erase the autorun.inf
7. Type attrib -r -s -h +a recycled then erase the content (cd recycled -> delete *.* -> Y -> cd..) and remove the recycled folder (rmdir recycled).
8. Then repeat no. 5 to 7 for all your existing drives, including your USB.
9. Update your antivirus engines.

EDIT: Apparently your virus seems fairly common and is spread by your USB stick. STOP USING your USB sticks for starters.

Recycler virus

1. It is spreading through USB storage devices and infects computers by creating a folder Recycler and within it another folder named S-1-5-21-1482476501-1644491937-682003330-1013, and within this folder it creates a file Desktop.ini which contains the lines:

[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}

referring to the folder of the Recycle Bin, so that when the user tries to view the contents of that folder, it always opens the Recycle Bin, thus concealing the real virus files, which are ise.exe, Isee.exe. This is a very interesting way of hiding because it tends to make people believe that we are "clean".

2. Once executed, the virus connects to the Internet at the following page: /snip whose IP is /snip. From the packets in the transmission, it seems to me it was an IRC-type server, to which it connects with a random user name and with a password: trb123trb. This allowed the attacker to take control of the computer and send different commands to the PC, which is why many of the victims of this virus have problems related to Internet outages, unexpected crashes, closed windows, etc.

3. It also starts itself each time Windows starts. If you look for it in MSCONFIG you will not find it; to run itself automatically, it creates an entry in the registry at the following path:

Hkey_local_machine\software\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAX5-90401C608512}
Stubpath = "C:\recycled\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe"

4. It creates an autorun file on all drives, whether physical or removable media, with the following contents:

[auto] Recycled open = \S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
icon = %SystemRoot%\system32\shell32.dll, 4
action = Open folder to view files
Shell\Open = Open
shell\open\command = recycled\S-1-5-21-1482476501-1644491937-682003330-1013\ise.exe
shell\open\default = 1

To avoid detection through the Task Manager and termination of its processes, it injects its process into explorer.exe. |
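A defender's check for the artifacts the post above describes, as an added example that is not from the thread: it flags autorun.inf launch targets that point into a recycle-bin folder, and executables sitting beside a Desktop.ini that carries the Recycle Bin CLSID. The function names, the placeholder SID and the sample tree are constructed for illustration.

```python
import os, re, sys

RECYCLE_BIN_CLSID = "645FF040-5081-101B-9F08-00AA002F954E"  # CLSID quoted in the post
BIN_DIRS = {"recycler", "recycled", "$recycle.bin"}          # recycle-bin folder names

def autorun_targets(text):
    """Values of open=, shellexecute= and shell\\...\\command= keys in an autorun.inf."""
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute") or key.endswith("\\command")):
            targets.append(value.strip())
    return targets

def points_into_bin(target):  # True if any path component is a recycle-bin folder
    return any(p.lower() in BIN_DIRS for p in re.split(r"[\\/]", target))

def scan_root(root):  # returns a list of (kind, detail) findings for one drive root
    findings = []
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            with open(path, errors="replace") as fh:
                findings += [("autorun", t) for t in autorun_targets(fh.read())
                             if points_into_bin(t)]
        elif name.lower() in BIN_DIRS and os.path.isdir(path):
            for folder, _dirs, files in os.walk(path):
                exes = sorted(f for f in files if f.lower().endswith(".exe"))
                ini = next((f for f in files if f.lower() == "desktop.ini"), None)
                if exes and ini:
                    with open(os.path.join(folder, ini), errors="replace") as fh:
                        if RECYCLE_BIN_CLSID in fh.read().upper():
                            findings += [("hidden-exe", os.path.join(folder, e)) for e in exes]
    return findings

def build_sample(root):
    """Constructed sample tree (placeholder SID) laid out as the post describes."""
    sid = os.path.join(root, "RECYCLER", "S-1-5-21-0-0-0-1000")
    os.makedirs(sid)
    open(os.path.join(sid, "ise.exe"), "wb").close()
    with open(os.path.join(sid, "Desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\nCLSID={%s}\n" % RECYCLE_BIN_CLSID)
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nopen=RECYCLER\\S-1-5-21-0-0-0-1000\\ise.exe\n"
                 "shell\\open\\command=RECYCLER\\S-1-5-21-0-0-0-1000\\ise.exe\n")

if __name__ == "__main__":  # pass a drive root, e.g. E:\
    for finding in scan_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
```

Deleted programs in a genuine Recycle Bin also match the second check, so treat those hits as leads to inspect; an autorun.inf hit is the stronger signal.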
Not a solution, since Nikose gave you that, but I found Norton to provide inadequate protection years ago. I use AVG, personally, but there are other products out there. I'd suggest looking elsewhere for your protection.
|
Quote:
EDIT: I've deleted CTFMON.EXE, but the command prompt step is what is messing me up. I get the command prompt open and try to do what you said, and things end up like this after a few tries. Code:
C:\Documents and Settings\Owner.YOUR-DCE1B6495E>cd\ |
...
Okay I have an easier solution for you. Unplug your computer, and take it to a computer store, and ask them to fix it. |
Look, I did what you told me down to the letter. Also, ever since I deleted CTFMON.EXE Windows Profession 2003 has tried to install itself like 5 times. And I don't think a computer store is a realistic option at this point. Not only do I not have the 200 dollars they'd be so happy to charge, but I also don't know where to find one considering I'm about 100 miles from the nearest thing that could be thought of as "civilization" in any form.
|
Not what I meant- I mean, I'm not finding any other options that would fix your computer online, and now you're probably going to need professional help.
Also, is that a pirated Windows Profession 2003? Since I don't know of any 'windows profession' program. |
There's a few other options:
If you have access to a clean computer and flash drive, you can get an antivirus program onto the flash drive, put it in read-only mode, and run the antivirus from there.
If you have backup media available, you can reformat. Clean start. Just be careful about what you back up.
In my brief search it seems to potentially be fixable from inside of a Linux live-cd. You could try making one and running the solution from there.
EDIT: Nikose, he probably means Office Professional. |
I knew what he probably meant, but I wanted to address it as he was describing the situation.
I was under the assumption he wanted to save his files too, and the Linux Live-CD didn't occur to me- but he likely has no source to do it, since all his systems seem infected. |
Magnets. Put them at each corner of your computer and they will suck out the virus. You will also have to do this for your flashdrive(s).
Someone had to suggest magnets. |