Please Help. Worm.Win32.NetSky

Aimee
Born | Posts: 4 | Loc: Galway, Ireland

Ok, I really need somebody's help. I am a college student, completely computer illiterate, which I gather is why I have gotten this virus. I have run a HijackThis scan and have the log. Also I have run a Malicious Software Removal Tool scan. The Malicious Software Removal Tool scan says that the Win32.NetSky file is not infected.. I believe this to be a lie as I have all the symptoms. My desktop has the scary red and black thing telling me to download stuff, that I am in danger.. Decided it was bogus. On my taskbar right now there is a spyware alert folder, a confident surf page that is flashing and in the bottom right hand corner a red X which I just know is bad. Also a Windows Security pop-up keeps doing its job and popping up. Also beside the address bar are links that say "remove popups", "scan spyware", "security test", "spam protection". I'm assuming that these are bogus; they have also lodged themselves firmly in my favourites between Bebo and YouTube and I was thoroughly disappointed to see that they have also decided to take up residence on my desktop.. SOMEBODY PLEASE HELP.. I am desperate.
My internet connection is pretty crap but all I know is that I (Windows thing popped up again) need to get this sorted in order to finish all my college assignments... what an inopportune time for this to happen to me.

So anyway, if anyone feels like giving me really step-by-step simple instructions I would be eternally grateful.. otherwise I will have to admit to someone in real life in a shop that I am technologically challenged and they will charge me a lot of money, and I don't need to tell you that the funds are running low.
PLEASE SOMEBODY HELP ME.. I'M AFRAID TO TURN OFF MY COMPUTER IN CASE IT DOESN'T TURN BACK ON AGAIN..

The computer has said that this C:\WINDOWS\gormet.dll is dangerous or infected or some scary term such as that. I can see this file in the log but I do not know how to delete it.. Please somebody help me.. I'm really beginning to freak out and I need an expert to help..

Here's the HijackThis log thingy.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 00:27:32, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Hotkey 1.0.4\FuncKey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MRT.exe
C:\Documents and Settings\user\Desktop\Music\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E75B284A-D5D0-4F5D-9BD3-59637A85F5D0} - C:\WINDOWS\werbetlsp.dll
O3 - Toolbar: The hdtip - {872F66C1-E394-4545-8843-EDE16648058A} - C:\WINDOWS\hdtip.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey 1.0.4\FuncKey.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... 0.15-3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O21 - SSODL: pmkret - {56D24015-9BF9-4A7B-8ABB-C1A8CE8EE252} - C:\WINDOWS\pmkret.dll
O21 - SSODL: gormet - {6ABF3FDB-1B52-4939-B5B8-C2BB6F0BE361} - C:\WINDOWS\gormet.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 4588 bytes

I'm also Irish.. Everybody likes the Irish, right? Well I'll tell "Seamus" and "Reilly", my good leprechaun buddies, to sort you out next time there's a rainbow if you help me..
I really appreciate anything you give me, guys..
Aimee.

spork
Brewmaster, Silver Member | Posts: 6251 | Loc: Seattle, WA

Aimee, fix the following entries using HijackThis. It would be best to boot into Safe Mode first. To do this, restart your computer and hold F8 as it is starting up.
Quote:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {E75B284A-D5D0-4F5D-9BD3-59637A85F5D0} - C:\WINDOWS\werbetlsp.dll
O3 - Toolbar: The hdtip - {872F66C1-E394-4545-8843-EDE16648058A} - C:\WINDOWS\hdtip.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocach ... winkyInitialSetup1.0.0.15-3.cab
O21 - SSODL: pmkret - {56D24015-9BF9-4A7B-8ABB-C1A8CE8EE252} - C:\WINDOWS\pmkret.dll
O21 - SSODL: gormet - {6ABF3FDB-1B52-4939-B5B8-C2BB6F0BE361} - C:\WINDOWS\gormet.dll
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Once you've done this, restart your computer again and let it start up normally.
Aimee
Born | Posts: 4 | Loc: Galway, Ireland

Thanks soo much for your help.. You really are a star!
Now this is going to sound really stupid, but how do I "fix" it.. will it just fix itself by my putting it into safe mode?
Thanks again!
Aimee
Born | Posts: 4 | Loc: Galway, Ireland

Aha, it's ok.. I think I get it.. I read your post wrong.. I have to go into HijackThis to fix it.. in the process of checking and fixing now..
Will let you know how I get on..
Thanks again,
Aimee
Aimee
Born | Posts: 4 | Loc: Galway, Ireland

Hey! I think I'm all cured now. Here is the new HijackThis log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 01:24:41, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Hotkey 1.0.4\FuncKey.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\Music\HiJackThis_v2.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [FuncKey] "C:\Program Files\Hotkey 1.0.4\FuncKey.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3695 bytes


Please tell me I'm safe to go..
Thanks soo much for your foolproof instructions.. I really do appreciate this, you know..
Thanks,
Aimee.. (and I meant that about Seamus and Reilly.. they're really good buds of mine!)
spork
Brewmaster, Silver Member | Posts: 6251 | Loc: Seattle, WA

The log looks clean; you should be all set.

I'll be waiting for my gold :wink:
ThePandaBear
Born | Posts: 2

So I have gotten this "worm.win32.netsky" virus. And I am in dire need of help. I have tried using Microsoft's malware remover and it always ends up crashing and it finds 1 infected file.

Here is my HiJackThis log. Please help me:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 2:45:35 PM, on 1/24/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\Avira\AntiVir Desktop\sched.exe
F:\Program Files\Avira\AntiVir Desktop\avguard.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\AskBarDis\bar\bin\AskService.exe
F:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\HPZipm12.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Audio Deck\EnMixCPL.exe
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
F:\Program Files\Brownie\BrstsWnd.exe
F:\Program Files\Logitech\iTouch\iTouch.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\WINDOWS\system32\smss32.exe
F:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
F:\Program Files\play2p\play2p.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Flock\flock.exe
F:\WINDOWS\system32\drwtsn32.exe
F:\WINDOWS\system32\drwtsn32.exe
F:\WINDOWS\system32\drwtsn32.exe
F:\WINDOWS\system32\drwtsn32.exe
F:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\winlogon32.exe
O1 - Hosts: ::1 localhost
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - F:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {2529BAC9-D673-44BA-9F56-701A2A2F405E} - (no file)
O2 - BHO: (no name) - {2EB1463F-DB77-4A7F-835D-A749BA87D4B5} - (no file)
O2 - BHO: (no name) - {4325BAC4-7C92-4C95-8647-87B1462AF426} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - F:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {AC17C2D9-3D35-43A5-B375-ED2D51BECBDd} - (no file)
O2 - BHO: (no name) - {BB426344-0005-4F20-A9B1-D90C010AEE31} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - F:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E2191644-D2BC-4122-9E33-44D67DB090E2} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - F:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NVRaidService] F:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [EnvyHFCPL] F:\Program Files\Audio Deck\EnMixCPL.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [GrooveMonitor] "F:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "F:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "F:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [BrStsWnd] F:\Program Files\Brownie\BrstsWnd.exe Autorun
O4 - HKLM\..\Run: [zBrowser Launcher] F:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [TkBellExe] "F:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [htkwvfii] F:\Documents and Settings\Joseph Tran\Local Settings\Application Data\lykqjm\bttjsysguard.exe
O4 - HKLM\..\Run: [smss32.exe] F:\WINDOWS\system32\smss32.exe
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [rundll32.exe] rundll32.exe "F:\Documents and Settings\Joseph Tran\Application Data\Macromedia\Common\74c2a0241.dll""
O4 - HKCU\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [htkwvfii] F:\Documents and Settings\Joseph Tran\Local Settings\Application Data\lykqjm\bttjsysguard.exe
O4 - HKUS\S-1-5-20\..\Run: [rundll32.exe] rundll32.exe "F:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\74c2a0241.dll"" (User '?')
O4 - HKUS\S-1-5-21-839522115-179605362-2146821571-1002\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-839522115-179605362-2146821571-1002\..\Run: [rundll32.exe] rundll32.exe "F:\Documents and Settings\Joseph Tran\Application Data\Macromedia\Common\74c2a0241.dll"" (User '?')
O4 - HKUS\S-1-5-21-839522115-179605362-2146821571-1002\..\Run: [SpybotSD TeaTimer] F:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-839522115-179605362-2146821571-1002\..\Run: [htkwvfii] F:\Documents and Settings\Joseph Tran\Local Settings\Application Data\lykqjm\bttjsysguard.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [rundll32.exe] rundll32.exe "F:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\74c2a0241.dll"" (User '?')
O4 - HKUS\.DEFAULT\..\Run: [rundll32.exe] rundll32.exe "F:\Documents and Settings\NetworkService\Application Data\Macromedia\Common\74c2a0241.dll"" (User 'Default user')
O4 - Global Startup: play2p.lnk = F:\Program Files\play2p\play2p.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - F:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - F:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: yuroip.dll wzesid.dll elgtjx.dll
O20 - Winlogon Notify: iifedbyA - iifedbyA.dll (file missing)
O20 - Winlogon Notify: nnnoOijj - nnnoOijj.dll (file missing)
O20 - Winlogon Notify: uxmhjzqx - vlgjtcd.dll (file missing)
O20 - Winlogon Notify: yayxxXoo - yayxxXoo.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - F:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - F:\WINDOWS\system32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - F:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - F:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour Service - Apple Inc. - F:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - F:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - F:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - F:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - F:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - F:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - F:\Random Backgrounds\Oh, Sleeper.jpg
O24 - Desktop Component 1: (no name) - F:\Random Backgrounds\ETID.jpg
O24 - Desktop Component 2: (no name) - F:\Random Backgrounds\Wallpapers-room_com___The_Dark_Knight_by_LouieMantia_1440x900.jpg

--
End of file - 10302 bytes
ATNO/TW
Super Moderator | Posts: 23456 | Loc: Woodbridge VA

I don't believe you have Netsky. Looks more to me like you have a bogus anti-spyware program that is telling you you have Netsky among other infections in an attempt to get you to buy their useless software. You are probably getting popups for Spyware Protect 2009 or Internet Security 2009 or 2010 or something similar that looks like an anti-virus program.

On a different computer download this program - ComboFix.
http://www.bleepingcomputer.com/combofi ... e-combofix

Only use one of the two links listed to download this program. Don't download it from anywhere other than bleepingcomputer or one of these two links:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe

Copy it to a Flash Drive or burn it to a CD and install and run it on the infected computer.

I would suggest doing it in safe mode first, then do it in regular Windows. Follow the instructions in the first link above on how to use it.

After you've done that post a new hijackthis log.
ThePandaBear
Born | Posts: 2

Now I have run into a new problem. I ran a tool from Symantec that says my machine does not have worm.win32.netsky. However now when I turn on my computer it takes me back to the login screen. I click my picture but then it immediately logs me out. I have tried booting up using safe mode, safe mode with command prompt, and safe mode with networking. The login problem still persists.

I have also tried pressing Ctrl+Alt+Del at the login screen and logging in as "Administrator" but it will just log me back out. I have also tried putting the Windows installation disk in and tried going to the Recovery Console but I don't know if I'm doing it correctly.

Is there any way around this or must I reinstall my OS and transfer my files?

Thanks,
ThePandaBear
ATNO/TW
Super Moderator | Posts: 23456 | Loc: Woodbridge VA

Try this

Put your winxp cd in your cd drive and reboot your system
When prompted to push any key to boot to cdrom click any key.
Click R to enter recovery console when the option comes up.

Use your Administrator Login to login to the Recovery Console.

Type the following:

expand d:\i386\userinit.ex_ c:\windows\system32
click enter

Once it says 1 file copied type exit and click enter
The system will reboot
Make sure to remove winxp pro cd before it boots up and let it boot fully
Windows should start normally

Then try running combofix as I suggested before.
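The helpers in this thread read the HijackThis logs by eye: orphaned BHOs, autoruns from profile data folders, the Active Desktop "you are infected" page, and the F2 UserInit line that explains the log-out loop in the later posts. The script below is an added example (mine, not the thread's or HijackThis's own code) that turns those same tells into checks over the log format shown above; the sample lines are constructed from the two logs in the thread with the profile name replaced by "user", and the rules are heuristics, not a replacement for a malware scanner.

```python
import re

# Constructed sample: a dozen lines lifted from the HijackThis logs posted in
# this thread (not a complete log; the profile path uses "user" as a stand-in).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
F2 - REG:system.ini: UserInit=F:\WINDOWS\system32\winlogon32.exe
O2 - BHO: (no name) - {2529BAC9-D673-44BA-9F56-701A2A2F405E} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [smss32.exe] F:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [htkwvfii] F:\Documents and Settings\user\Local Settings\Application Data\lykqjm\bttjsysguard.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O20 - AppInit_DLLs: yuroip.dll wzesid.dll elgtjx.dll
O20 - Winlogon Notify: iifedbyA - iifedbyA.dll (file missing)
O21 - SSODL: gormet - {6ABF3FDB-1B52-4939-B5B8-C2BB6F0BE361} - C:\WINDOWS\gormet.dll
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - F:\Program Files\Avira\AntiVir Desktop\avguard.exe
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# Core Windows binaries that rogue software imitates by appending digits
# (smss32.exe and winlogon32.exe in the log above are the pattern).
CORE_BINARIES = {"smss.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                 "services.exe", "svchost.exe", "userinit.exe", "explorer.exe"}
USER_DATA_DIR = re.compile(r"\\(local settings|application data)\\", re.I)
WINDOWS_ROOT_DLL = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)


def basename(path):
    """Last component of a Windows path, ignoring quotes and a trailing comma."""
    return path.strip('" ').rstrip(",").rsplit("\\", 1)[-1]


def mimics_core_binary(path):
    """True for names like smss32.exe that differ from a core binary only by digits."""
    base = basename(path).lower()
    canon = re.sub(r"\d+(?=\.exe$)", "", base)
    return canon in CORE_BINARIES and base != canon


def classify(line):
    """Return a reason if a HijackThis entry deserves a closer look, else None."""
    code, _, rest = line.partition(" - ")
    code, rest = code.strip(), rest.strip()
    if code == "R1" and "ProxyServer" in rest and "127.0.0.1" in rest:
        return "IE proxied through a local port: a resident process sits between the browser and the web"
    if code == "F2" and rest.lower().startswith("reg:system.ini: userinit="):
        target = basename(rest.split("=", 1)[1])
        if target.lower() != "userinit.exe":
            return ("UserInit points at %s instead of userinit.exe: deleting that file without "
                    "restoring the value logs the user straight back out" % target)
    if code in ("O2", "O3") and rest.endswith("(no file)"):
        return "BHO/toolbar registration whose DLL is gone: harmless leftover, still worth removing"
    if code == "O4":
        m = re.search(r"\]\s*(.*)$", rest)
        command = m.group(1) if m else ""
        if USER_DATA_DIR.search(command):
            return "autorun from a user profile data directory: where rogue antispyware droppers usually land"
        if mimics_core_binary(command):
            return "autorun named after a core Windows process: the real ones are not started from Run"
    if code == "O20" and rest.startswith("AppInit_DLLs:") and rest.split(":", 1)[1].strip():
        return "AppInit_DLLs is normally empty on XP; listed DLLs load into every process using user32.dll"
    if code == "O20" and rest.startswith("Winlogon Notify:") and rest.endswith("(file missing)"):
        return "dangling Winlogon Notify entry: leftover from a removed component"
    if code == "O21" and WINDOWS_ROOT_DLL.match(rest.rsplit(" - ", 1)[-1].strip()):
        return "ShellServiceObjectDelayLoad DLL sitting in the Windows root rather than system32"
    if code == "O24" and "file:///" in rest and rest.lower().endswith((".htm", ".html")):
        return "Active Desktop component pointing at a local HTML page: the fake 'you are infected' wallpaper"
    return None


def triage(log_text):
    """Run classify() over every non-blank line; returns [(line, reason), ...]."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line and classify(line):
            findings.append((line, classify(line)))
    return findings
```

Running `triage(SAMPLE_LOG)` flags nine of the twelve sample lines and leaves the Java BHO, the iTunes autorun and the Avira service alone; the F2 finding is the one that matters for the login loop, since the Recovery Console step in the previous post only restores userinit.exe, and the UserInit value must also point back at it.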

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.