[Resolved] Worn.Win32.Netsky

[Sangz]

My dad’s computer was infected with these malwares: Error Cleaner, Spyware & Protection, Priracy Protector and who know what else. He had his friend came in and fixed it. Everything back to normal all look clean and run normally. But when he turn his computer off for a night the next day I turn it on the window security warning kept popping up:

“Window security Alert:

Window has detected an Internet attempt…Somebody’s trying to infect your PC with spyware and harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempt and spyware! Click here you download spyware remover for total protection”

I kept clicking cancel but it kept coming back (out internet connection was even connect at this point), so I click exit but still the window kept popping up. After a while after I click exit the window security warning another window pop up

“Spyware Alert:

Security Warning!

Worn.Win32.Netsky detected on your machine this virus is distributed via Internet through e-mail and Active-X objects. The worm has it own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst case this worm can allow attacker access your computer stealing passwords and personal data.
This process should be removed from your system.


Type: Virus
System Affected: Window 2000, NT, ME, XP, Vista
Security Risk (0-5): 5
Recommendations: click yes to remove it from your PC immediately.”

It wouldn’t let you click exit only option of Yes or No. If you click Yes it will trying to open up IE browser trying to connect to a website (but couldn’t because internet connection was on). If you click No it will go away for 20 second or so then the balloon pop up from the taskbar:

“Window System Alert:

System detected virus activities. These may impact the performance of your computer. Please, use recommended antispyware software to protect your system from parasite programs.”

Then the cycle kept repeating. (at the moment Norton Antivirus is still running, Window firewall is on). So I downloaded Ad-Aware 2007 and run it. I have to run d-Aware scan twice before it found the infection and got rid of it. I try re-boot the system to see it came back or not. Everything seems fine. Just incase I ran Norton scan and Ad-ware a few times to make sure. Didn’t find anythings. So I let my parents use theirs computer normally. The next day the symptoms start again. My dad finally decided to re-format his computer.

So before he do that I kept looking for help finally found this TechSpot forums. I read through the “Viruses/Spyware/Malware, preliminary removal instructions” thread.

I followed instruction step by step until step 11 where I run “Panda Antirootkit programme” PAVARK.exe (We use Window XP Home edition with service pack 2). I tick the box that say “In depth scan” and then “Start Scan”. It told me it need to restart the computer before it can run scan. I click ok. When the computer load up the desktop it re-boot itself again, then it ran scan disk checking for errors. There were many parts for files that invalid and the window try to correct the file and recovering the files and kept on rebooting after about 9-10 times of rebooting, made correction to the files system. It stop and Panda Antiroot Kit start scanning as soon as desktop finished load up. But it couldn’t find anything.

I found it a bit odd. Is it ok to continue step 12? Or do I need to re-do everything form
Step 1 again? also At the moment the computer seem to run fine.


Thank your for take your time reading. I’m really need confuse right now.

 

[AlbertLionheart]

I suspect either or both of the following has occured:
1 - the virus has damaged a critical windows file
2 - you have a conflict between Norton and Panda - not uncommon.
Suggestions:
1 - remove Panda using the uninstall tools. If this is no good,
2 - try a system restore back to before the point where you had the virus
3 - reinstall windows

 

[Sangz]

Hi again. Thanks, my dad computer seem to be working fine now but just in case I've complete all 15 steps so here are the three logs files:

 

[momok]

Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

1. Boot into safe mode under your normal user name. See how HERE
   
2. Next turn on "Show all files and folders, including hidden and system". See how HERE
   
   
3. Go to start > Control Panel > Add and Remove Programs.
   Remove anything related to the following:
   
   AntiSpywareBot < A ROGUE program. utility that uses false positives to lure the user into buying the product. Please see HERE.
   
   
4. After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
   
   O2 - BHO: XTN Monitor - {8F8292B7-353C-427D-A52F-8EA4120E3A6F} - (no file)
   O3 - Toolbar: The enqvwkp - {F1348462-25DE-4F17-869F-BAAFE04DD599} - C:\WINDOWS\enqvwkp.dll (file missing)
   O21 - SSODL: agrlmvp - {F0EC4223-7816-4457-BBF9-7DD5925A9773} - C:\WINDOWS\agrlmvp.dll
   O21 - SSODL: bmlvqkn - {EB57D2B7-46A9-4DBA-8336-0ED011E5306D} - C:\WINDOWS\bmlvqkn.dll (file missing)
   
   Close HJT.
   
   
5. Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):
   
   

   File::
   C:\WINDOWS\system32\guard32.dll.vir
   C:\WINDOWS\bmlvqkn.dll
   C:\WINDOWS\agrlmvp.dll
   C:\WINDOWS\enqvwkp.dll
   C:\WINDOWS\fxtqdrl.exe
   C:\WINDOWS\dependencies.exe
   C:\WINDOWS\runtime.exe
   Registry::
   [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
   [-HKEY_CLASSES_ROOT\clsid\{f1348462-25de-4f17-869f-baafe04dd599}]
   [-HKEY_CLASSES_ROOT\enqvwkp.ToolBar.1]
   [-HKEY_CLASSES_ROOT\TypeLib\{382F7ECF-8A84-482F-BEE7-E933ACDC0962}]
   [-HKEY_CLASSES_ROOT\enqvwkp.ToolBar]
   [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
   "agrlmvp"=-
   "bmlvqkn"=-

6. Save this as CFScript on the desktop.
7. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
   
   
   
   
8. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
   Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang
   
   
9. Reboot into normal mode and rehide your protected OS files.

Thereafter, please post fresh HJT and AVG Antispyware logs and the resultant ComboFix log from the above instructions as attachments into this thread.


Regards,
momok =)

This thread is for the use of Sangz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Sangz]

Hi again, I got a bit of a problem.

- I start windows in safe mode, login as my dad user name not admin
- fire up HJT
- run a scan system
- tick 4 files list from the instruction and fixed it
- copy & paste the text in the quote box to note pad & safe as CFSript to desktop
- drage CFscript into Combofix on desktop
-but the combo fix telling me that it was expire and asked me to update it and uninstall Combofix from Desktop
- I restart in normal mode and re-download combofix but it wouldn't let me save the file to desktop
- so I save it on G drive(partition hard disk) and try to drag it onto desktop, wouldn't let me either (also try cut and paste option)
- I try start window in save mode again and move the file to desktop, it work
- Then I try drag CFscript onto Combofix but it still telling me the combofix is expire.

Now I'm start HJT and restore everything back and try to the whole step again but still the same result. Please help me.

 

[momok]

Hi,

Could you try downloading ComboFix again from my signature? Before doing that, please delete all versions of ComboFix you have on your system.
If it still does not work, try changing the date of your system back a few days.

Please post a new HijackThis and the resultant ComboFix log in your next reply.

 

[Sangz]

Thanks for a quick response. Yes the Combofix download link from your signature work. Here are the new logs:

 

[momok]

Hi,

The HijackThis and ComboFix logs are both old logs. Please carry out my instructions as in the previous posts and post the new logs. AVG Antispyware scan is no longer needed.

Regards,
momok

 

[Sangz]

Sorry about that. here they are:

 

[AlbertLionheart]

Your hijackthis log is clean. You have two anti-spyware services running - I would keep AVGAS and unload Spysweeper.

 

[Sangz]

Ok, I will remove Spysweeper and keep AVSAS then.

Thanks AlbertLionheart and momok so much for the help. This will make my dad happy he doesn't need to re-format his HD anymore.


Regard

Sangz

 

[momok]

Hi,

Your logs look clean now.

1. Please download and run CCleaner via step 9 of the instructions HERE.
   
   
2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)
   
   
3. Turn off system restore (XP/ME only). Learn how to do that HERE.
   This will remove all the remaining nasties from your old restore points.
   
   
4. After that turn system restore back on.
   This would have created a new safe and clean restore point for your system.
   
   
5. Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
   May I recommend you to read this article.
   This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
momok =)

This thread is for the use of Sangz only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

 

[Sangz]

ok. Followed your instructions. Thank you again for the help.

 

[momok]

No problems, glad to be of assistance.
Thread closed as the problem appears to have been resolved. Should the original starter require it to be reopened, please PM a mod.