Possible virus that is shutting down firefox

By anonymeX · 10 replies
Dec 15, 2008
  1. Hi, I don't really know how I got this virus but I think it started when I turned off Ad Block Plus so I could download a movie from zshare. Then all of a sudden this Windows Security Alert pops up and asks me to "enable protection" for Win32.Netsky.Q. I usually just closed the box instead of clicking enable protection. Also, I scanned my entire computer with AVG 8.0 but the security alert still pops up and Firefox closes unexpectedly from time to time. My AIM also closes too, without warning. I don't know what else would close. But this is really annoying. Can someone please help? Thank you.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Win32.Netsky.Q. is usually but not always email related. But it is possible that you do have malware that is causing the problem and it may be identifying Netsky to get you to click on something that will give you malware.

    It would be best if you followed the steps for running the cleaning programs here:

    You can skip Step 1, but do Steps 2,3,4,5 and 7. If Java needs to be updated, I'll catch it in the logs. When finished, attach all three logs for review.
  3. joealso

    joealso TS Rookie

    My computer knowledge is about a 5 on a scale of 10, however I've been hounded by a problem with something called Win32.Netsky.Q all day. I've searched forums like this one and downloaded 2 removers or cleaners - one was from Symantec and I can't recall the other one (I downloaded them onto another comp and saved them to a disk - then ran them on the infected comp). Both scans said that the comp was not infected.

    I was about to run the steps above when the fake "warning" window popped up again. Out of curiosity, I opened my task manager (ctrl+alt+del) and ended the application. A moment later I got an error message that said a file named FHEXJ6825097.exe-1D1AB669.pf was not running properly and asked if I wanted to shut it down. I did a search for the file and it was found in C:\WINDOWS\Prefetch

    I edited the file name by deleting the "exe" part of the name. Then I opened my browser and everything worked fine. I can surf again and it's been about 25 minutes and no pop-ups regarding the Netsky thing.

    I don't know if I've affected anything important, but if not, I hope this can help someone.
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Deleting the exe part of the Prefetch folder, file name: FHEXJ6825097.exe-1D1AB669.pf
    Will do nothing!

    Locating FHEXJ6825097.exe and then removing that file, will

    Please note, that these files can have any filename, they are always different names. Following the guide is the best initial option.
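
An added example, not part of any post in this thread: a Python sketch of the triage kimsland describes, reading which executable a Prefetch trace refers to and then searching for the binary itself. The `SCCA` header offsets are those of the uncompressed Prefetch format used on Windows XP; the helper names, the sample header and the temporary directory layout are constructed for illustration.

```python
import os
import re
import struct
import tempfile

PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

def parse_pf_name(pf_name):
    """Split 'NAME.EXE-XXXXXXXX.pf' into (executable name, path hash)."""
    m = PF_NAME.match(os.path.basename(pf_name))
    if not m:
        raise ValueError("not a Prefetch trace name: %r" % pf_name)
    return m.group("exe"), int(m.group("hash"), 16)

def parse_pf_header(data):
    """Read the executable name and hash from an uncompressed SCCA header."""
    if len(data) < 0x50 or data[4:8] != b"SCCA":
        raise ValueError("not an uncompressed Prefetch file")
    name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 0x4C)
    return name, path_hash

def find_executable(exe_name, roots):
    """Return every file under roots named exe_name (case-insensitive)."""
    hits = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):
            hits += [os.path.join(folder, f) for f in files
                     if f.lower() == exe_name.lower()]
    return sorted(hits)

def build_sample_pf(exe_name, path_hash):
    """Constructed header for the demo: version 17, 'SCCA', name, hash."""
    name = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    return (struct.pack("<I4sII", 17, b"SCCA", 0, 0x54) + name
            + struct.pack("<II", path_hash, 0))

def demo():
    pf = "FHEXJ6825097.exe-1D1AB669.pf"  # trace name quoted in the thread
    exe, h = parse_pf_name(pf)
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Prefetch"))
        os.makedirs(os.path.join(tmp, "Temp"))  # constructed location
        with open(os.path.join(tmp, "Prefetch", pf), "wb") as f:
            f.write(build_sample_pf(exe.upper(), h))
        open(os.path.join(tmp, "Temp", exe), "wb").close()  # stand-in binary
        with open(os.path.join(tmp, "Prefetch", pf), "rb") as f:
            header = parse_pf_header(f.read())
        hits = [os.path.relpath(p, tmp) for p in find_executable(exe, [tmp])]
    return (exe, h), header, hits
```

The `.pf` file only records that an executable ran; the search step is what points at the file that actually has to be examined and removed.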
  5. anonymeX

    anonymeX TS Rookie Topic Starter

    Thank you joealso for the input. I've completed the 8-step removal. I've also attached the logs. Now what do I do?
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Well for starters, you can uninstall:
    1 McAfee
    2 AVG
    3 Protector Suite

    Once all 3 are uninstalled
    4 Update Malwarebytes, then run another 5 full scan (trust me, there's more to go ;) )
    Then 6 download, 7 update and 8 scan with Avira free Antivirus

    That'll probably make you a 100x safer
  7. anonymeX

    anonymeX TS Rookie Topic Starter

    I did the scan. What do I do next?
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Hey, I counted 8 things I suggested for you to do
    I'll number them above ;)

    You can now resubmit the new logs if you like
    I'd say it's probably working well now though (?)
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Once you do what kimsland has instructed, consider this:

    You have (Trojan.TDSS) in the system Restore points. These are protected files and the cleaning programs don't remove them. We will have to drop the old restore points when clean. In the meantime, do NOT use system Restore.

    SAS is showing WinFixer, Vundo, Rootkit.TDSServ and Tracking Cookies. All those entries need to be removed. We can reset the Cookie later.

    Bottom line: you have WAY too many programs and processes starting up! You're also running the File Sharing BitComet- this is like a magnet for malware!

    I am also noticing that the Toshiba systems have an enormous number of processes set to start on boot. I have to wonder if users realize this, check them out and stop what they don't use or need to start on boot. One example is:

    O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
    Product: RAMASST.exe or RAMAsst Application or CD Burning of Windows XP disabling tool for DVD MULTI Drive or RAMASST.exe ...

    Do you use this? Do you really need it starting on boot and running in the background ALL the time?

    We'll see what the new logs show. Be sure to run all three programs in the correct order and attach the new logs.

    OK, kimsland?
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    And another excellent post by Bobbye :grinthumb (sounds patronizing, but definitely not intended to be)

    Reading that original log would have been extremely grueling to say the least.
    Yes it would be nice to see a cleaner log ;) (hopefully Bobbye may view, no doubt, if posted)
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Naw, no patronizing here kimsland! I work with you, now otherwise. Just a courtesy to you since you are already helping out here.
Topic Status:
Not open for further replies.
