Results 1 to 2 of 2
  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    1
    Points
    0

    Default Please Help! My computer is saying i Have worm.win32.netsky

    Can some one please help me!!! I have a very UGLY virus on my computer.

    First of all, I have constant internet explorer windows opening up randomly pointing to sites such as "xpantiviruspro.com/2008/3/_freescan.php?aid=880028", "MalwareCrush Online", Scanner.adwareremover2007.com, Secure PCCleaner, and safenavweb.com. XPantivirus seems to like to randomly run its own scan and its almost impossible to stop - and it will not go away. I am also warned that I are infected with "worm.win32.netsky"
    There are also constant security warning pop ups that I know are not normal on this computer, as well as three desktop icons to virus scans that just appeared there.

    I desperately need help, and I am not very computer literate, so a simple step by step explanation is welcome!

    I already downloaded HijackThis, because I saw someone had a similar post and they were told to do this.

    The following is my HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:36:20 PM, on 1/6/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
    C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\WINDOWS\System32\hphmon03.exe
    D:\My Music & Videos\iTunesHelper.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\System32\HPHipm09.exe
    D:\PASPortal.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
    C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [WUSB54Gv2] "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE" /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\System32\hphmon03.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "D:\My Music & Videos\iTunesHelper.exe"
    O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: PASPortal.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1156977386218
    O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} - http://mvnet.xlontech.net/qm/fox/061...ie06101001.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{20B96B25-E611-4514-A32A-6672434A6806}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{251C84AE-A6C0-435E-A3DC-14E19CB55A98}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8F391C6-56C1-4D9C-AC55-651586C8EC39}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AA541E-B9FF-4EAA-8847-7D446BF87D1C}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O21 - SSODL: bvtqfvx - {D232B5AC-D5A2-46F6-A003-258AF34902DD} - C:\WINDOWS\bvtqfvx.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver - HP - C:\WINDOWS\System32\HPHipm09.exe
    O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
    O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WUSB54Gv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    O24 - Desktop Component 0: (no name) - http://www.fox.com/oc/features/wallp...60_kaitlin.jpg

    --
    End of file - 8245 bytes


    Now the only problem I have is that I have no idea which ones I am supposed to check.

    Help is greatly appreciated!!

  2. #2
    Member
    Join Date
    Dec 2002
    Posts
    12,000
    Points
    1191

    Default

    Disconnect from the internet, close all browser windows, including this one.

    Run another HJT scan and check the following files to have HJT fix:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{20B96B25-E611-4514-A 32A-6672434A6806}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{251C84AE-A6C0-435E-A 3DC-14E19CB55A98}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A8F391C6-56C1-4D9C-A C55-651586C8EC39}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B4AA541E-B9FF-4EAA-8 847-7D446BF87D1C}: NameServer = 85.255.113.147,85.255.112.188
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.147 85.255.112.188


    Press the fixed check button. Close the HJT program.

    Print out these instructions for reference, since you will have to restart your computer during the fix.

    1. Please download FixWareout from here:-

    http://downloads.subratam.org/Fixwareout.exe

    2. Save it to your desktop and run it.

    3. Click Next > then Install > then make sure
    Run fixit
    is checked and click Finish.

    4. The fix will begin, follow the prompts.

    5. You will be asked to reboot your computer, please do so. Your system may take longer than usual to load this is normal.

    6. When your system reboots (BE patient), follow the prompts. Afterwards, HijackThis may launch. Please Close HijackThis, and click OK to proceed.

    At the end of the fix, you may need to restart your computer again, restart if prompted.

    Finally, please post the contents of :-

    C:\fixwareout\report.txt
    A new HijackThis log.

    There will be more to do......

    BG