NetSky-AD Worm

Discussion in 'Malware Help (A Specialist Will Reply)' started by carl_tapp_775, Apr 24, 2005.

  1. carl_tapp_775

    carl_tapp_775 Private First Class

    Hey Chas, well I'm still at it with that old pc. I knew if I kept trying I'd find the bugger.
    1. SpyBot S&D shows me under startup tools that NetSky-AD had added msnmsngers.exe to my startup. Gave info to stop Messenger at Windows startup. But that's all.
    2. My question is, after not finding info in my search of this forum: "Is the AD version of this worm still going to be removed if the Symantec tool doesn't list it under the tool's names?"
    3. It showed many variances of the worm and removal tools for those, but this one wasn't listed specifically.
    4. When I run Avast now after turning off Messengers at startup, it shuts down the pc after scanning about 10,000 files, so it did change something in shutting down the startup of Messenger.
    Any help now will be of great value. Thanks Carl
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hi Carl,

    Are you sure that msnmsngers.exe was the exact file name?
    Running the Symantec Removal tool will not hurt anything so you could just run it and see what happens. You should try running Avast and possibly the Symantec tool after booting to safe mode.

    You could run the below too:
    avast! Virus Cleaner Tool
    McAfee AVERT Stinger

    If you still have problems after that, you know the drill!

    - Run ALL the steps in this Sticky thread: READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. carl_tapp_775

    carl_tapp_775 Private First Class

    Hi Chas, exact file name is "MsnMsgrs.exe", this is exactly what "SpyBot" reads.
    1. Current filename:
    "C:\Program Files\MSN Messenger\msnmsgr.exe"/background

    Database status:
    Not Required-virus-spyware-malware or other resource hog

    Value:
    MsnMsgr

    Filename:
    MsnMsgrs.exe

    Description:
    Added by the NETSKY-AD WORM! (with NetSky-AD underscored)

    2. I still have all the same software we ran before on the pc, updated everything including XP. Except I can't seem to get the Malware Tool from Windows Update to run. If I am reading correctly it says it runs automatically upon installation, but it doesn't because I never see any sign of it at all.
    3. Safe Mode scans with "Avast" and "a2" result the same way, shutting down pc after brief scan. Never completes either one.
    4. Ad-aware SE Plus, PestPatrol, nor SpyBot S&D show the worm when scan completes with them, not even in safe mode.
    5. Cannot connect to Net under safe mode on that pc either.

    6. I am running SpywareBlaster, and CCleaner also, updated both as well. Also, Stinger doesn't support NetSky either, at least not the version we ran before. Will remove this version and try a newer download for that.
    7. I am going to try to run the BitDefender scan online, haven't tried that one yet. Avast online shut down the pc also.
    I'll let you know what happens ...... Thanks Chas CT
     
  4. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If you are unable to disinfect your computer while in Windows Normal Mode or Safe Mode, you will have to scan in DOS/CMD mode to disinfect it.

    1. Get F-prot Anti-Virus for DOS -Home Edition (it is free)

    2. Download the latest AV Defs for F-prot.

    3. Install F-prot for DOS and unzip the defs (fp-def.zip & macrdef2.zip) in the f-prot folder (C:\fsi)

    Follow instructions for your OS:
    Windows 95
    Windows 98
    Windows ME
    Windows NT
    Windows 2000/2003
    Windows XP Home/Pro
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Carl already has an antivirus program.

    In addition F-Prot (windows versions) are available from Majorgeeks. See the Anti-Virus directory: http://www.majorgeeks.com/downloads29.html
     
    Last edited: Apr 25, 2005
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This file is not a virus. It is the normal MSN Messenger file. If it were running from someplace else like c:\windows then it would be suspect. You do not have the Netsky-AD one. See this link: http://www.sophos.com/virusinfo/analyses/w32netskyad.html
    You will see it would be running from c:\windows (they say %WINDOWS%\MsnMsgrs.exe).

    What version of Spybot do you have and what detections date?

    Maybe all you need to think about from what Spybot was saying is:
    The key items for you are "Not Required" and "other resource hog".

    Work thru the rest of the READ ME steps and make sure you verify that you have the current versions. Things change constantly and you could be out of date. Then if necessary post your HijackThis log as requested.
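
The check described in the reply above (same-looking startup entry, judged by exact file name and folder), as an added example that is not part of the original post. The default Windows folder `C:\WINDOWS` and all sample values except the first are assumptions constructed for illustration.

```python
import ntpath
import re

# From the thread: the worm copy is %WINDOWS%\MsnMsgrs.exe, while the real
# MSN Messenger binary is msnmsgr.exe in its Program Files folder.
WORM_NAME = "msnmsgrs.exe"
LEGIT_NAME = "msnmsgr.exe"
LEGIT_DIR = r"C:\Program Files\MSN Messenger"

def exe_path(command):
    """Extract the executable path from a startup (Run key) command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    # Unquoted: cut at the first ".exe" so folders with spaces survive.
    m = re.match(r"(.+?\.exe)(?=\s|/|$)", command, re.IGNORECASE)
    return m.group(1) if m else command

# windir default is an assumption; pass the machine's real Windows folder.
def classify(command, windir=r"C:\WINDOWS"):
    """Compare both file name and folder; Windows paths ignore case."""
    norm = lambda p: ntpath.normcase(ntpath.normpath(p))
    folder, name = ntpath.split(norm(exe_path(command)))
    if name == WORM_NAME:
        where = "drop folder" if folder == norm(windir) else "other folder"
        return "suspect: NetSky-AD file name, " + where
    if name == LEGIT_NAME:
        if folder == norm(LEGIT_DIR):
            return "expected: MSN Messenger install folder"
        return "suspect: Messenger name outside install folder"
    return "unrelated"

# Constructed sample values; the first is the entry quoted in the thread.
SAMPLES = [
    r'"C:\Program Files\MSN Messenger\msnmsgr.exe"/background',
    r"C:\WINDOWS\MsnMsgrs.exe",
    r"c:\windows\msnmsgr.exe /background",
    r"C:\Program Files\MSN Messenger\msnmsgr.exe /background",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):48} {s}")
```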
     
  7. carl_tapp_775

    carl_tapp_775 Private First Class

    What got me was it said, "Added by the Worm ! "

    2. I got the new Stinger application, it scanned for a few minutes then shut down my pc like Avast and a2 had done. The Avast scan tool ran perfectly with no detection nor did it shut down the system.
    3. Not too sure about "dos" , have little, very little experience with it. That was before I got into this pc world. But I'll give it a shot.

    4. There is one more thing that I have noticed and I am not certain if it belongs on the pc or not. When I go to system and click on advanced, under user profiles I see an unknown account, has 884kb used. But I never created this account, and have no idea where it came from. Is this something that Windows has done, or the pc Manufacturer? Does this sound correct to have this account and it be unknown ?
    5. I am waiting to hear from you Chas on whether to try the dos/cmd scanner.
    6. The Ad-aware VX2 scanner comes back "clean".
    7. What gets me is that my main virus scanners shut down the pc when used, every time. And in safe mode even. While all startup items seem to be normal.
    8. I was wondering about the SpyBot issue, because it was the only application that showed that. PestPatrol's startup list didn't.
    9. SpyBot S&D is updated according to the application, Version is 1.3 , last update 4-8-05 , and just ran update again as I did a couple days ago, says no new updates available. Will check the downloads now to see if this is the latest version.
    Waiting for your instructions Chas .....
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Don't worry about the command line scanner just yet. It could be of some use later if we still have problems but let's follow normal procedures to start.

    You need to complete the other steps from the READ ME FIRST. Any step that you run into problems with (like the scans shutting down) just note it and continue with the next step. Eventually you will get to the HijackThis log posting if you still have problems when finished with the READ ME.

    You must check for updates and click on all the links in the READ ME. You are not using the current version of Spybot. It is up to 1.4RC1. This may mean that you have other tools that are out of date too. You must always check that you have the versions reflected in the links of the READ ME. Just clicking the update button in the software is not sufficient. There are no more detection updates to version 1.3 because the software itself has been changed to 1.4.

    As far as the other user account: Click Start and open Control Panel. Then select User Accounts. Find the unknown account and click it once. Then select Delete the account.
     
  9. carl_tapp_775

    carl_tapp_775 Private First Class

    I agree Chas, I'll run down all the new versions of the software, and go from there. I'll let you know what happens. And if nothing works like I need, then will post log for HijackThis.
    I did get the New version of SpyBot upon discovering it had one.
    Thanks Again....... Carl
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Spybot just updated again to 1.4 RC2b, so check again.

    Let me know your results.
     
