HELP ME with worm32.netsky

Discussion in 'Malware Help (A Specialist Will Reply)' started by pat52, Jan 20, 2008.

  1. pat52

    pat52 Private E-2

    I downloaded the worm.win32.netsky marked as a video codec. I have no idea how to remove it. I ran HijackThis and attached is the log file. If someone can help me, it would be greatly appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:40:02 PM, on 1/20/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal
     
    Last edited by a moderator: Jan 20, 2008
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Welcome to Major Geeks!

    Please uninstall HJT as it will be properly installed when you do the following:

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide
     
  3. pat52

    pat52 Private E-2

    This problem started when I downloaded a video codec. My computer downloaded a bunch of spyware removal programs to the desktop, my home page was changed to a free spyware removal site, and I kept getting messages from Windows saying it was infected with the worm32.netsky. Prior to going to majorgeeks, I attempted System Restore and none of the points would work. I followed all the XP Cleaning Procedures and all the stuff on the desktop was removed by Combofix.exe. Spybot came up with two Zlob.Downloader files and after completing all the steps my computer was working fine, so I turned off System Restore and rebooted. About an hour later I started getting an error signature message for AppName:explorer.exe AppVer:6.0.2900.3156 ModName:aslpmqk.dll ModVer:1.0.0.1 Offset:00028286 (which was also appearing at the start of this mess). Every time I hit debug or exit, all my desktop icons would disappear and then reappear and I would get the same error signature.
    Today, I was getting the same error message, so I re-ran the cleaning procedures and Spybot came up with ZlobDownloader.vcd which it removed. I then ran Spybot a second time and it came up free of spyware. What do I do now? My computer seems to be running fine now. Should I turn off System Restore and reboot?
     
  4. pat52

    pat52 Private E-2

    Just making sure the attachments came thru.
     

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you haven't already, please disable the Guest account in User accounts.

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    J2SE Runtime Environment 5.0 Update 9
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 2
    Java(TM) SE Runtime Environment 6 Update 1

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Be sure to tell us how things are running.
     
  6. pat52

    pat52 Private E-2

    Hey Tim, thanks for helping. I uninstalled all the Java programs and updates you specified and then ran analyse.exe, then removed the entries per your direction. I saved the fixME.reg as instructed in notepad and I received this message: Cannot import C:/Documents and Settings/Carl LeMarble/Desktop/fixme.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor. It was saved to all files and the encoding was set to ANSI by default. The other choices were Unicode, Unicode big endian, and UTF-8. What do I do now?
     
  7. pat52

    pat52 Private E-2

    I finally figured out what I was doing wrong. I was attempting to copy/paste the regedit4 from the e-mail notification that I received rather than from the forum (duh). Anyway, I did everything as instructed and here are the MGlogs.zip file and the log from Avenger. Hopefully this fixes everything.
     
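    Posts 6 and 7 above turn on regedit refusing a .reg file that has lost its REGEDIT4 header or was saved in the wrong encoding. As an added example (not from this thread or from MajorGeeks), here is a small Python checker that inspects a .reg file's bytes before you merge it; the sample registry key and values are constructed placeholders, not the contents of the thread's fixME.reg.

```python
import re

# Constructed sample .reg texts for this demo; the key is a placeholder,
# not an entry from the forum's fixME.reg (which is not reproduced here).
GOOD_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_CURRENT_USER\\Software\\ExamplePlaceholder]\r\n"
    '"ExampleValue"="hello"\r\n'
    '"ExampleFlag"=dword:00000001\r\n'
)
# What a paste from an HTML e-mail notification tends to produce: no header line.
HEADERLESS_REG = GOOD_REG.split("\r\n", 2)[2]

KEY_RE = re.compile(r"^\[(-?)(HK[A-Z_]+(?:\\[^\]]+)?)\]$")
# Covers the common one-line value forms; hex values continued with a
# trailing backslash are not handled by this demo.
VALUE_RE = re.compile(
    r'^(?:"[^"]+"|@)=(?:-|"[^"]*"|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:.*)$'
)


def check_reg(data: bytes) -> dict:
    """Return a verdict dict: ok, reason, header, encoding, keys, values."""
    result = {"ok": False, "reason": "", "header": "", "encoding": "", "keys": [], "values": 0}
    if data.startswith(b"\xff\xfe"):                          # Notepad "Unicode" (UTF-16 LE)
        text, result["encoding"] = data[2:].decode("utf-16-le"), "unicode"
    elif data.startswith((b"\xef\xbb\xbf", b"\xfe\xff")):    # UTF-8 BOM or UTF-16 BE
        result["reason"] = "UTF-8 / big-endian BOM precedes the header; regedit rejects it"
        return result
    else:                                                     # Notepad "ANSI"
        text, result["encoding"] = data.decode("cp1252"), "ansi"
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    header = lines[0].strip() if lines else ""
    result["header"] = header
    if header == "REGEDIT4":
        if result["encoding"] != "ansi":                      # REGEDIT4 files must be ANSI
            result["reason"] = "REGEDIT4 files must be saved as ANSI, not Unicode"
            return result
    elif header != "Windows Registry Editor Version 5.00":
        result["reason"] = "missing header line; regedit reports 'not a registry script'"
        return result
    for n, ln in enumerate(lines[1:], start=2):
        ln = ln.strip()
        if not ln or ln.startswith(";"):                      # blank line or comment
            continue
        m = KEY_RE.match(ln)
        if m:
            result["keys"].append(("delete " if m.group(1) else "") + m.group(2))
        elif VALUE_RE.match(ln) and result["keys"]:
            result["values"] += 1
        else:
            result["reason"] = f"line {n} is neither a [key] nor a name=value entry"
            return result
    result["ok"] = bool(result["keys"])
    result["reason"] = "" if result["ok"] else "no registry keys found"
    return result
```

    Run it on the bytes of the saved file (open it in binary mode) and read the reason field before double-clicking the .reg; a non-empty reason is the same condition that produced the error in post 6.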

  8. pat52

    pat52 Private E-2

    Tim,
    Just to let you know, after doing all the things in your instructions I ran Spybot and I am still getting the Zlob Downloader vcd. file on my computer. I have run Spybot several times and the problem is allegedly fixed and when I reboot it keeps coming back. Any suggestion? Waiting to hear from you.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are reinfected ...please re-run ComboFix and then I want you to go to:
    Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

    Attach the Bitdefender log and the ComboFix log.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file.
     
  10. pat52

    pat52 Private E-2

    Tim, I did everything you instructed and here are the log files. Just to let you know, sometimes when I run spybot it comes up clean and other times it comes up with zlob downloader vcd.
     

  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

    IMPORTANT: Do NOT run any other options until you are asked to do so!
    ATTACH THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!!! And then immediately continue on to the below steps.

    A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

    The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

    Now reboot into normal mode and attach this new rapport.txt log here.

    Tell me how things are running.
     
  12. pat52

    pat52 Private E-2

    Tim,
    My only question is if wininet.dll is infected and a clean version cannot be found, what happens then?
    I ran spybot this morning, as well as my norton antivirus, avg anti-spyware, and a-squared free and my system was allegedly clean.
     
  13. pat52

    pat52 Private E-2

    Here is the first log from SmitfraudFix you requested.
     

  14. pat52

    pat52 Private E-2

    Tim,
    Attached is the second log after running smitfraudfix.cmd in Safe Mode. Let me know if I need to do anything else. I really appreciate all your help!
     

  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can run sfc /scannow to check for changes in the system files ...where exactly is spybot reporting the file...the exact path?

    And are you having other issues?
     
