Virus: autorun.inf and csrxx.exe (Worm:Win32/Hamweq.BW)

One computer got this virus the other day from a USB drive.

We got autorun.inf on the flash drive and c:\recycler\s-1-5-21-1482476501-1644491937-682003330-1013\csrxx.exe, which are created by the virus.

More details about this virus can be read here: http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FHamweq.BW

We tried Norton Antivirus with the latest database and Symantec Endpoint Protection with the latest database. Norton found the virus and tried to remove it, but it showed “Quarantine Failed”, “Clean failed”.

Then I tried Kaspersky, and it did the work.

The 30-day trial is fine.
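A triage check for the two artifacts described above, as an added example that is not part of the original post: it scans a volume root for autorun.inf and for executables under RECYCLER\<SID> whose names the Windows XP shell would not have produced. The XP recycle-bin naming rule, the extension list and the contents of the sample autorun.inf are assumptions, and all function names are illustrative.

```python
import os
import re

# Assumption: Windows XP recycle-bin layout, where the shell renames deleted files
# to D<drive letter><index>.<ext> and keeps an INFO2 index in RECYCLER\<SID>.
LEGIT_RECYCLED = re.compile(r"^(d[a-z]\d+(\..*)?|info2|desktop\.ini)$", re.I)
SID_DIR = re.compile(r"^s-1-5-21(-\d+)+$", re.I)
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}

def _children(path, name):
    """Case-insensitive lookup: the volume may be mounted on a case-sensitive OS."""
    return [os.path.join(path, e) for e in os.listdir(path) if e.lower() == name.lower()]

def autorun_targets(inf_path):
    """Return the commands an autorun.inf would launch (open=, shellexecute=, shell\\*\\command=)."""
    with open(inf_path, "rb") as fh:
        # latin-1 never fails to decode; dropping NULs also makes UTF-16 files readable.
        text = fh.read().decode("latin-1").replace("\x00", "")
    targets = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in ("open", "shellexecute")
                    or (key.startswith("shell\\") and key.endswith("\\command"))):
            targets.append(value.strip())
    return targets

def scan_volume(root):
    """Return (reason, path) findings for one volume root, e.g. a mounted USB stick."""
    findings = []
    for inf in _children(root, "autorun.inf"):
        findings.append(("autorun.inf launches " + repr(autorun_targets(inf)), inf))
    for recycler in _children(root, "RECYCLER"):
        for sid in filter(SID_DIR.match, os.listdir(recycler)):
            for name in os.listdir(os.path.join(recycler, sid)):
                ext = os.path.splitext(name)[1].lower()
                if ext in EXEC_EXT and not LEGIT_RECYCLED.match(name):
                    findings.append(("executable not named by the shell",
                                     os.path.join(recycler, sid, name)))
    return findings

def build_sample(root):
    """Constructed sample: empty files laid out like the artifacts described in the post."""
    sid = os.path.join(root, "RECYCLER", "S-1-5-21-1482476501-1644491937-682003330-1013")
    os.makedirs(sid)
    for name in ("csrxx.exe", "Dc1.exe", "INFO2"):
        open(os.path.join(sid, name), "w").close()
    with open(os.path.join(root, "autorun.inf"), "w") as fh:  # contents are an assumption
        fh.write("[autorun]\nopen=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\csrxx.exe\n")
```

Call `scan_volume` with the root of the drive to check; `build_sample` only creates a harmless directory tree for trying the scanner out.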


Kaspersky AntiVirus Blocks Internet (IE and Firefox)

I installed Kaspersky on one computer. I didn’t have any problem browsing the internet. But with another computer, I can’t go to any website with either IE or Firefox.

The solution is the following:
Go to “Settings” -> “Options” -> “Network”, choose “Monitor selected ports only”, then click “Select” and, in the “Monitor all ports for specified applications” list, uncheck IE and Firefox. Or if you want, you can also uncheck “Monitor all ports for specified applications”. Click OK. That’s it.

Solutions: Windows Explorer problem after Data Execution Prevention problem

I first got an error message at startup.

“Data Execution Prevention – Windows has encountered a problem and needs to close.”

I turned off DEP for explorer.exe by going to:

System Properties -> Advanced -> Performance: Settings -> Data Execution Prevention -> select “Turn on DEP for all programs and services except those I select”, then add “explorer.exe” by browsing to C:\windows\ and selecting it.

Then I got another error message at startup: “Windows has encountered a problem and needs to close.” When I went to Event Viewer, I saw these details:

AppName: explorer.exe AppVer: 6.0.2900.5512 ModName: unknown
ModVer: 0.0.0.0 Offset: 71ab6a55

I tried many things, including virus scanning, spyware removal and running “sfc /scannow”. But none seemed to work. Later the error became:

AppName: explorer.exe AppVer: 6.0.2900.5512 ModName: ws2_32.dll
ModVer: 5.1.2600.5512 Offset: 00006a55

Then I searched again. A lot of “solutions” again. This is a Winsock problem. I tried WinsockFix 1.2 from “http://www.softpedia.com/get/System/OS-Enhancements/WinSock-XP-Fix.shtml”. It still didn’t work. But the error message seemed to change a little bit from one to another. But they were all Windows explorer.exe error messages.

One blog says most Windows Explorer problems are due to registry problems. So I downloaded RegCure and used RegCure v1.5.2.7 Crack by Computer Angelzz. It found some problems and fixed them. But it didn’t help me fix the Windows Explorer problem.

Actually, the same problem has been happening on another computer of mine. So I have a feeling that this is still a virus/malware/spyware problem. But of Norton, Spybot Search and Destroy, Ad-Aware, etc., none worked. From somewhere, I read something about the W32/Autorun worm. That seems more possible. I found an application called cleanautorun and tried that. Unfortunately, it didn’t work either.

Because the same problem was happening on two of my computers at the same time, I believed it was a malware problem. I wanted to try more. So I searched for all the top antivirus software: BitDefender, VIPRE, Kaspersky, etc. Norton and McAfee seem not to be the best in the list. I decided to try Kaspersky since I had tried it before.

Voila!!! Finally, the Windows Explorer crash problem was fixed. Kaspersky found some kind of w32/autorun worm.

view.atdmt.com spyware removal

I kept getting ‘Sorry, we couldn’t find http://view.atdmt.com/MSR/iview/yhxxxlam0010000079msr/direct%3Bwi.728%3Bhi.90/01/%3Ftime’ with IE7.

I found a few solutions. Check which one works for you.

1. Run regedit, search for atlassolutions. Remove it and that will fix the problem.

2. IE->Tools->Manage Add-ons->Enable or Disable Add-ons

Find CBrowserHelper under names and highlight it (the publisher should be Dell). Then select “disable” in the “Settings” box on the bottom left side. OK and close IE.

3. Windows Key + E to open the file browser -> Tools -> Folder Options -> View tab -> Show hidden files and folders. Then go to C:\Documents and Settings\User Name\Local Settings\Temp and delete all files. You can also go to the current user’s temp folder by running %temp%.

4. Create a .reg file with the following content and run:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Do404Search"=hex:01,00,00,00
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
"provider"=""
" "="+"
"&"="%26"
"+"="%2B"
"#"="%23"
"?"="%3F"
"="="%3D"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"

Source:

http://forums.techguy.org/malware-removal-hijackthis-logs/432534-view-atdmt-com-spyware-removal.html
http://forums.majorgeeks.com/showthread.php?t=62461

The 2nd solution for CBrowserHelper fixed my problem.