worm.win32.netbooster - or rootkit

Having looked at the threads involving this ´worm´and also reading a (very) little on your site about rootkits, I am having similar problems on my laptop, which is a Tobshiba running windows xp professional.
Problems are similar to what others have described - shortcuts on the desktop, ´virus alerts´which are not from AVG or other spybot, a browser hijack that is very thorough (can only access pages by going through favourites, not by typing address in the address bar), certain programmes (spybot, firefox) are disabled - this is the same in all accounts; on infected accounts (both of which have administrator privilege) the start menu is missing all of the ´my...´links, although these can be accessed through explorer; also missing are the links to `run`, control panel, help and support and search. I can´t get to the control panel through explorer, it´s missing from there as well.

Because of the difficulty in getting to websites directly from the laptop I will need to download the programmes onto memory stick and then onto the laptop. I am very concerned that I do not infect my desktop computer with this thing as well, so just wanted a bit of advice regarding whether you think it is transmissible through a memory stick before I start at all (probably sounds like a very blond question,but I know from previous experience that you are all angels - many thanks to shadow puter dude going back to 07). Am starting to work through the steps as given, please bear with me

Lorette

 

Thanks for the tip.

I started working through the sticky prior to my post and one of the admin accounts becoming infected, so I think that I have completed everything in the basic housekeeping.

I have just run SAS which caused a crash. Now that I have rebooted, there is a popup from Windows saying that the szstem has recovered froma serious error, and a log has been created. Is the information of any use to you, or should I just close that window. I will wait before continuing incase the SAS crashes again when I run it.

Next question - my laptop does not have a burner, so I am unsure of how to get logs over to my PC safely in order to send them to you. Can I just copy type the information into a notepad file and attach that?

With thanks

Lorette

 

Please don't think I am bumping! I have been able to work thru the rest of the read and run me, and in doing so my browser has got freed up so I am able to post logs directly :wine

At the same time as the problems on the browser appeared, AVG began to give threat messages for backdoor.Ntrootkit, but in a different win32 file each time. The problems started after my partner had used the laptop, so I haven't been able to get to the bottom of what may have caused it (no pun intended - or not much of one)

I copied exe files from D: drive to my hard drive as specified for each, and started to work thru them but the only one that would run this way was MGTools so I went back and tried to install SAS directly from the disc, which worked. However, I had to run without updating because I could not reach the site directly, and the D: drive would not read a further disc I made with the zip files on. First attempt resulted in crash, but second with recommended unchecks completed.

Spybot would not install.

MB installed, the updates downloaded and ran without problem. I then tried spybot again, which then did install, ran, found and fixed additional problems.

I ran Combofix as per the instructions; at stage 31 onwards a dialogue box kept on opening saying that C:\windows\system32\clbdll.dll is not a valid windows image, please check against your installation diskette.

I then ran MGTools (again - sorry for going in the wrong order before)

The problems seem to have resolved themselves, the desktop and browser are back to normal and the warnings have stopped popping up. However, I would very much appreciate it if you could check my logs to make sure that I am in the clear

Yours

Lorette

 

And the remaining log

 

Thanks for such clear instructions.

The regedit got the success message, so it seemed to go through ok.

Logs attached as requested.

The non-admin accounts appear to be working fine, as does the admin account I have been using to run the cleaning procedures and fixes on. The other admin account (which was the one which first showed the virus alert problems) is only half fixed - the disabled programmes are back, and the false warnings have stopped. But the desktop is still only half back - it still says 'virus alert' next to the clock, and the right hand side of the start menu is limited to 'set programme access & defaults, connect to..., & printers and faxes', but the 'all programmes' is back and all drives are showing on windows explorer. Should I work thru the xp cleaning procedures from this account too?

Lorette

 

dostoyevsky was the first account to show problems, then libuse 2 got the same (which I have used to run the removal procedures and it looks like it has worked on that account); libuse had the browser redirect but not the warnings or desktop and start button changes (now also fixed). Will now run removal procedures on dostoyevsky, and also on libuse just to be sure. Something to keep me busy!

lorette

 

Here are the logs from dostoyevsky's account.

SAS didn't find anything, Spybot found and fixed about six different things, a hijack and registry changes, one of which was the disabling of task manager.

How did the fixes go on libuse2 (as attached 2 posts ago)?

Lorette

 

And here are the logs from libuse's account. SAS, spybot and MB were all clear. I temporarily gave admin priviledge in order to run combofix and MGtools.

All three accounts seem to be functioning ok, so I hope the logs put me in the clear. Thank you for your time and patience in looking at so many logs.

Lorette