Worm.Win32.Netsky infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by ryanflem, Dec 10, 2007.

  1. ryanflem

    ryanflem Private E-2

    I have become infected with the Worm.Win32.Netsky virus. It seemed to occur on 12/1/07. I’ve been getting pop-ups ever since and my pc is running very slow. Last week I ran Windows Defender, Spybot, AVG, AdAware, etc to try to clean it. At one point, I thought it was gone but then several hours later the pop-ups started again. This past weekend I ran the above mentioned programs again. As of last night the pop-ups have not returned (so far) but the pc is still running very slow. Suggestions?
     
  2. ryanflem

    ryanflem Private E-2

    I've attached my log files for your use. Thanks!
     

    Attached Files:

  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download and install:
    Java Runtime 6

    Then use add/remove programs to uninstall:
    Viewpoint Media Player

    Please disable all anti-virus and anti-spyware programs (including Defender) while we do the following:

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  4. ryanflem

    ryanflem Private E-2

    Here are the requested log files.
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sneaky little devil ....

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    NOTE: HJT may popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  6. ryanflem

    ryanflem Private E-2

    Here's the .zip file you requested.

    The latest is the pop-ups have been gone since yesterday afternoon. However, the spyware desktop items returned last night. I deleted them and they haven't returned so far.

    The PC is running better but is still quite slow at startup. Also, when I go to Start/Run/msconfig it says the file is missing. What could have caused that?

    Thanks for your help.
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Msconfig should exist in these two locations:

    C:\WINDOWS\pchealth\helpctr\binaries
    C:\WINDOWS\system32\dllcache

    Are you able to run it by double-clicking either of those icons?

    If it doesn't run, it's possible that there is either some form of malicious software preventing you from running it or both of those files are corrupt. In the case of the latter, you can try extracting a new copy from the XP CD:

    Put the XP CD in the drive and then go to Start Menu > Run and type CMD. At the command prompt, type:
    EXPAND -R D:\I386\MSCONFIG.EX_ C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES
    (Assuming D: is the drive letter of your CD/DVD drive)

    C:\Documents and Settings\Ryan Fleming\Local Settings\Temp\ --> empty it!

    You may wish to use a Startup Manager
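The msconfig check and restore described in this reply, written out as a PowerShell script. This is an added example, not something posted in the thread: it assumes Windows is in C:\WINDOWS and the XP CD is in D: (change the two variables at the top), and it adds one check the reply does not mention, the App Paths registry entry that Start > Run uses to find msconfig.exe, which is a known XP mechanism but is my addition here.

```powershell
# Added example (not from the thread): verify msconfig.exe on Windows XP and
# restore it if the working copy is gone.
# Assumptions: Windows in C:\WINDOWS, XP CD in D:. Adjust $WinDir / $CdDrive.
$WinDir  = 'C:\WINDOWS'
$CdDrive = 'D:'
$Primary = Join-Path $WinDir 'pchealth\helpctr\binaries\msconfig.exe'
$Cache   = Join-Path $WinDir 'system32\dllcache\msconfig.exe'
$Source  = "$CdDrive\I386\MSCONFIG.EX_"

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash does not exist on PowerShell 2.0 (the XP-era version),
    # so hash the file through .NET directly.
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# 1. Report which of the two copies exist and whether they match each other.
foreach ($p in $Primary, $Cache) {
    if (Test-Path $p) { "{0}  {1}" -f (Get-Sha256Hex $p), $p } else { "MISSING  $p" }
}
if ((Test-Path $Primary) -and (Test-Path $Cache)) {
    if ((Get-Sha256Hex $Primary) -ne (Get-Sha256Hex $Cache)) {
        Write-Warning 'Primary and dllcache copies differ; one may have been replaced.'
    }
}

# 2. Start > Run > msconfig resolves the name through an App Paths entry
#    (my addition, not in the reply). If that entry is gone, the file can be
#    present and "msconfig" will still fail from the Run box.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSCONFIG.EXE'
if (-not (Test-Path $appPath)) {
    Write-Warning "App Paths entry missing: $appPath"
}

# 3. If the working copy is gone, restore it: from dllcache first, else from the CD
#    with the same expand command the reply gives (-r = rename .EX_ to .exe).
if (-not (Test-Path $Primary)) {
    if (Test-Path $Cache) {
        Copy-Item $Cache $Primary
    } elseif (Test-Path $Source) {
        & expand.exe -r $Source (Split-Path $Primary)
    } else {
        Write-Error "No source for msconfig.exe found ($Cache, $Source)."
    }
}
```

Run it from an Administrator account; step 3 writes under C:\WINDOWS. A hash mismatch between the two copies does not by itself prove tampering (a hotfix can update one copy), but it is the point at which to compare both against a known-good msconfig.exe before trusting either.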
     
  8. ryanflem

    ryanflem Private E-2

    I followed your suggestion with the XP CD and it seems to be working fine now. Odd that it wasn’t working because it did work last week.

    As for my machine, other than a slower than normal start-up and a slightly slower loading of programs, the pop-ups have not returned in several days. Hopefully they’re gone. I guess I’ll leave well enough alone for now and let you know if any of my problems resurface. Thanks for your help.
     
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Did you install the startup manager....it will allow you to disable things that don't need to run at startup and may speed up the system. If in doubt....post them and we will look at what can be stopped. :)
     
  10. ryanflem

    ryanflem Private E-2

    I'm not sure what I should disable, so I've tried to save my start-up list using the startup manager, but when I try to save the file I have to save it as a .html and then I cannot attach that file to this post. Other suggestions?
     
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Just make note of them with notepad and copy the list to your next post.
     
  12. ryanflem

    ryanflem Private E-2

    Here's the .txt file. Thanks.
     

    Attached Files:

  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You could safely stop these from loading:
    TkBellExe
    tgcmdprovidersbc (this may be from when we used SBC's DSL. We do not use that anymore.)
    NvCplDaemon
    LogitechVideoRepair
    DVDSentry
    Adobe Photo Downloader
    HP Software Update
    AdaptecDirectCD
    Microsoft Office.lnk
    Windows Desktop Search.lnk
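An added example, not part of the thread, that does the same review in PowerShell rather than in a startup manager: it enumerates the XP autostart locations (the Run/RunOnce keys for the machine and the current user, plus both Startup folders), marks the entries the reply above lists as safe to stop, and disables a chosen entry reversibly by moving it to a backup key. The $SafeToStop names come from the reply; the "-Disabled" backup key name, the All Users Startup path and the Temp/profile heuristic at the end are my assumptions.

```powershell
# Added example (not from the thread): list Windows XP autostart entries and
# flag the ones the reply says can be stopped.
$SafeToStop = @('TkBellExe', 'tgcmdprovidersbc', 'NvCplDaemon', 'LogitechVideoRepair',
                'DVDSentry', 'Adobe Photo Downloader', 'HP Software Update',
                'AdaptecDirectCD', 'Microsoft Office.lnk', 'Windows Desktop Search.lnk')

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),                          # current user
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup"                # All Users (XP layout, assumed)
)

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            New-Object PSObject -Property @{
                Location   = $key
                Name       = $name
                Command    = $item.GetValue($name)
                SafeToStop = ($SafeToStop -contains $name)
            }
        }
    }
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in (Get-ChildItem $dir -Force | Where-Object { -not $_.PSIsContainer })) {
            New-Object PSObject -Property @{
                Location   = $dir
                Name       = $f.Name          # shortcuts keep their .lnk suffix, as in the list
                Command    = $f.FullName
                SafeToStop = ($SafeToStop -contains $f.Name)
            }
        }
    }
}

function Disable-RunEntry([string]$Key, [string]$Name) {
    # Reversible: copy the value into a sibling "<Key>-Disabled" key (my naming),
    # then remove the original. Put it back by reversing the two steps.
    $backup = "$Key-Disabled"
    if (-not (Test-Path $backup)) { New-Item $backup | Out-Null }
    $value = (Get-Item $Key).GetValue($Name)
    New-ItemProperty -Path $backup -Name $Name -Value $value -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}

$entries = Get-AutostartEntries
$entries | Sort-Object SafeToStop -Descending |
    Format-Table SafeToStop, Name, Location, Command -AutoSize

# Entries not on the list deserve a look before touching them. A crude heuristic
# (mine, not the reply's): commands launched from Temp or a user profile folder
# are unusual for legitimate startup items.
$entries | Where-Object { -not $_.SafeToStop -and $_.Command -match 'Temp|Local Settings|Application Data' } |
    Format-Table Name, Command -AutoSize
```

To act on the list, call `Disable-RunEntry` with the Location and Name shown for a registry entry (for example the HKLM Run key and 'NvCplDaemon'); Startup-folder shortcuts are simply moved out of the folder. Run as Administrator for the HKLM keys.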
     
