worm.win32.netsky Read me first completed

Discussion in 'Malware Help (A Specialist Will Reply)' started by mtnbkr, Jan 17, 2010.

  1. mtnbkr

    mtnbkr Private E-2

    Hi Major Geeks, On Jan 15 2010 I opened my email on Yahoo and all of a sudden a virus warning came up saying I have the worm.win32.netsky virus and to click here to get the latest download to fix it. Of course I didn't click on it, but I did have AVG, Spybot Search and Destroy and Malwarebytes on my computer, so I first scanned with AVG and it said no problems found. I then scanned it with Spybot S&D and it found a few infected files and I clicked to have them fixed, and then I had Malwarebytes do a scan and it found even more files infected. So after all this infection finding and removing the computer seemed to be working fine, then the false pop-up warnings happened again... I used Malwarebytes again and it found some files once again, so I clicked remove and decided to go to your site and get help.

    After reading the "read me first" I did all the steps. The only problem I had was with RootRepeal. I was able to download the software but I just could not get it to launch. A Windows message would come up during the launching of RootRepeal saying "Your system is low on virtual memory, Windows is increasing the size of your virtual memory paging file." After clicking OK the computer would just not be responsive and I had to reboot by total power off. I attempted to launch RootRepeal 3 times but the same message and problem occurred, so I moved on to MGtools. All the other scan tools seemed to work and I have attached the files for review.

    The only problem I seem to have right now after going over the Read Me instructions is that my desktop has a white background and images cannot be seen in many instances. I thought I should have you look at the logs and see if you can determine if all is well, and if so, how do I get my desktop back to looking normal? Thanks for your help. BTW, I changed the file name of mbam to MGmbam as I have some older MBAM logs on my desktop, just an FYI... again, appreciate all your help.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing anything in your logs. Are you still having issues? Do these issues still happen on other user accounts?

    Why is there no Anti-virus program on this system??
     
  3. mtnbkr

    mtnbkr Private E-2

    Hi TimW,
    Really appreciate you getting back. Just an update: I think I picked up the worm when going through a mountain bike forum on bike lights. In one of the posts it said “more info here” and I clicked on it, but the location had been deleted or was no longer there, etc. Anyway, it seemed suspicious but nothing happened at that time. I guess the virus needed the computer to power off and would activate the next time it was booted up, which happened the next morning. When the virus first hit I used my Malwarebytes and AVG and Spybot S&D to scan and remove what they had found - I have attached the Malwarebytes logs as it found the most. After completing the “read me first” cleaning and procedures nothing showed up in those cleaning scans/logs afterward, possibly because of my cleaning before going to your site. But issues/infections have been found in subsequent scans (3 scans in Malwarebytes found infections - 2 before the cleaning procedures on 01-15-10 and 1 after, 01-18-10 - attached logs, but SuperAntiSpyware didn’t find any). I am worried the virus is still in there but well hidden. I will attach the logs that had the infection found.

    When this happened I did have Spybot S&D, AVG, SpywareBlaster, and Malwarebytes but deleted all as instructed in the “Read me first”. Since the “read me first” told me to download Malwarebytes and SuperAntiSpyware I figured the one anti-spyware I would keep would be SuperAntiSpyware, and it is currently on the system, but I would exit the program before scans in order to not interfere with the scans (I have since learned that the free version is only scanning). I have not done step 4 yet, “toggle system restore”, so before I do, is there anything you would like me to do as far as scans/logs so we can be pretty sure we are in good shape? Can I assume that the pics and images that I am not seeing on my browser and desktop are due to settings made to run Windows in Normal mode? …and will come back after completing step four?

    Just let me know what you need me to do after looking at the attached logs. I am able to use the computer and it seems to be working well except for the image pics problem mentioned. Lastly, after all is done, what do you recommend as far as real-time protection out of the choices listed? I have since downloaded SpywareBlaster again and Spybot S&D… did a scan with Spybot S&D and Malwarebytes today, no problems found… but I am still a little skeptical. Let me know what you think of the attached logs and steps I should take… Sorry for the long note but wanted to make sure I got it all to you… BTW, can the software in my wireless router hide a virus? Again, thanks for taking your time to help me with my concerns… anxiously looking forward to hearing back from you…. Henry
     

    Attached Files:

    Last edited by a moderator: Jan 20, 2010
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your second and third MBAM logs are only showing items in your System Restore folders. They will go when you toggle system restore.

    I would suggest you keep both SAS and MBAM to use as backup scanners. They do a good job as long as you keep them updated.

    What pics are you referring to on your desktop? Perhaps the hidden system files that will go once you complete the last clean-up instructions?

    Your logs do not show anything "hiding"...... and unless you are noticing something out of the ordinary, I wouldn't worry about it. And I would suggest that you do consider what is stated in the How to protect yourself.... thread.
     
  5. mtnbkr

    mtnbkr Private E-2

    Hi TimW,
    Ok, I toggled system restore and the desktop visual issues cleared up, but when running scans with Comodo (I am using it as my real-time firewall and have kept MBAM and Spybot too) it keeps detecting threats. It looks like mostly in a restore-type file in System Volume Information. Today it was 33 threats. I exported a portion of the antivirus logs in HTML, saved it in Word and have attached the file for your review. Should I toggle the system restore again? I should not still be getting all these threats, should I? Any ideas on how to get this out of my computer? Seeing these threats detected all the time makes me a bit nervous. Let me know what you think. Thanks, Henry
     

    Attached Files:
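A small triage helper, added here as an example and not taken from the thread, MajorGeeks' tools or any scanner vendor: it sorts MBAM-style detection lines into hits sitting inside System Restore points (the kind TimW says go away once System Restore is toggled, and what the Comodo hits in System Volume Information above look like) and hits on the live file system that still need attention. The log lines are constructed, the `_restore{GUID}\RPnn\` folder layout is assumed from XP's restore-point structure, and Comodo's HTML export uses a different format that would need its own pattern.

```python
import re

# Constructed sample lines in the style of a Malwarebytes (MBAM) log of that era; these are
# not the thread's attachments, and the GUID and RP number are made up.
SAMPLE_LOG = r"""
Files Infected:
C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP12\A0003311.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{11111111-2222-3333-4444-555555555555}\RP12\A0003312.dll (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\etc\hosts (Hijack.Host) -> Quarantined and deleted successfully.
"""

# XP keeps each restore point under System Volume Information\_restore{GUID}\RPnn\ (assumed layout).
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)
# One detection line: <drive path> (<detection name>) -> <action taken>
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_detections(log_text):
    """Return (path, name, action) tuples for every detection line; other lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name"), m.group("action")))
    return hits


def triage(log_text):
    """Split detections into copies sitting in restore points and hits on the live file system."""
    result = {"restore_point": [], "live": []}
    for path, name, action in parse_detections(log_text):
        bucket = "restore_point" if RESTORE_POINT_RE.search(path) else "live"
        result[bucket].append((path, name, action))
    return result


if __name__ == "__main__":
    buckets = triage(SAMPLE_LOG)
    print(f"{len(buckets['restore_point'])} detection(s) inside System Restore points "
          "(cleared by disabling and re-enabling System Restore)")
    for path, name, _ in buckets["live"]:
        print(f"LIVE  {name:<20} {path}")
```

Run it against a real MBAM log by passing the file's text to `triage()`; anything in the `live` bucket after System Restore has been toggled is what a helper would want to see first.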

  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What did you do to toggle system restore, because that is all that is showing?
     
  7. mtnbkr

    mtnbkr Private E-2

    Hi TimW I followed step 4 in the cleaning procedures.... pasted below....
    ............................................
    "Step 4: Toggle System Restore

    * You only need to Toggle system restore if malware had been found during the cleaning procedures. If no malware was found, there are no infected restore points to worry about, thus you can skip to the next step.
    * Once you are sure all malware problems have been removed follow the below steps:
    o Disable System Restore ( see Disable And Enable System Restore)
    o Now reboot your PC
    o Now Enable System Restore using the same link as above

    For Windows XP:

    1: Right click on the My Computer icon on your desktop and select properties.
    2: Click on the system restore tab.
    3: Check the box that says "Turn off system restore on all drives". Click OK.
    4: Click Yes if you are prompted to restart the computer.
    5: To re-enable System Restore, follow steps 1-3, but in step 3, click to clear the Disable System Restore check box.
    ................................................

    Did I not do it correctly? It was pretty straightforward and I thought I followed the steps correctly. When I rebooted the system a warning came up from Comodo saying it detected something. It indicated what I think was the same name/location indicated in the Comodo logs that I had sent in the previous reply. Comodo asked me what I wanted to do so I quarantined it. The system completed its reboot. So I went back and did the XP steps again but this time unchecked the box so that the system would be re-enabled..... right? Let me know what you want me to do to proceed... thanks, Henry
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you disabled it and rebooted, then re-enabled, that is fine. What problems are you having?
     
  9. mtnbkr

    mtnbkr Private E-2

    Hi TimW, Have been running the computer and things seem to be running normally. Have done a few scans using MBAM and Comodo and no warnings or threats or viruses detected lately, just that one time after toggling the system restore. I will run a few more scans periodically this week and let you know the results.. if no more problems I will assume we are out of the woods, so to speak... will report back in a few days or, if any detections arise, will reply immediately... In the meantime just want to say thanks for your help and sticking with me on this process. Look forward to closing the case!! Mtnbkr
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. :)
     
  11. mtnbkr

    mtnbkr Private E-2

    Hey Tim, Additional scans have detected nothing major so I am assuming we are good to go. Appreciate all your help and just want to say thank you once again for everything. Wishing you and everyone at MajorGeeks all the best. Henry
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to Add/Remove Programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
