
Can't Get Rid Of Pesky W32.netsky.p@mm Worm!



#1 Conquistador


Posted 20 May 2008 - 11:08 PM

Original topic title: Slow And Loooong Rebooting Computer as found in the HJT forum. - OB

Dear Bleeping Computer technician,

My computer is perpetually slow on almost everything. It takes forever to reboot (8.5 min plus the time to turn off, another 5), slowly loads its programs, sucking the life out of everyone who uses it.
My system is as follows:
___________________________
System:
Microsoft Windows XP
Home Edition
Version 2002
Service Pack 3
Manufactured and Supported by:
Compaq
Presario
Has an Intel®
Celeron® CPU 2.70GHz
2.69 GHz, 0.99GB of Ram
___________________________

A couple of things to note before you read further.
1.) All the programs I downloaded were FREEWARE, and so those steps I took may not have been very effective.
2.) Before this, we had various interesting things happen to the computer which were worked out:
Had several power outages (write caching is on) and had a minute camera stuck in backwards, crashing the computer.
Had an extra hard drive die, which caused several crashes. After this, the computer got really slow half a year later as it is now (Last crash occurred almost three years ago).
3.) The computer has a hard drive with 120 GB and has, to the present 33.5 GB left, with 14.5 GB from my sister's picture work (Since she draws a lot. Right now she's in college, and has a laptop, though won't put it on hers, for various reasons and was encouraged after her laptop was stolen)

In trying to diagnose the problem from the top of the page, I first looked up all the well-known free computer error fixers, but this didn't cure the problem. I went on an updating frenzy during this and updated almost everything on this computer, from ALL the hardware (includes the stuff in Device Manager) to the software (Including updating to Service Pack 3) on the computer. I could see no real improvement there.
I then ran most of the freeware virus scanners which found little to nothing except some spyware (which AVG would have found anyway) programs and then, after I uninstalled them, I had useless files on my system which they left. This still didn't change anything noticeable as to the performance of the computer.
I then looked up all the online scanners from the site Castlecops.com, which all took forever and found nothing new. From there I got multifarious programs that were to check on the registry files and the prefetch. All this proved was just one worm of which I'll post in another blog.
Nothing seems to work. In fact, the computer even ran a little slower (though temporarily as that was to my being deceived about the prefetch dumping). I also installed the program CCleaner to get rid of empty and useless stuff, but I'm still left with a slow computer.
I then looked up sites, including this one, on how to improve the computer and did just the safe ones (Since I didn't want to touch the registry apart from a program, being that I know that I'm not very knowledgeable about that part of the machine).

These things still haven't done anything noticeable in the least and so I decided I would use this program HijackThis which I heard about (also from Bleeping Computer as well) which I have run, though done nothing as of yet, and so now here we are.

Any help would be MUCH appreciated. :thumbsup:
~Conquistador

Edited by Orange Blossom, 20 May 2008 - 11:40 PM.
Merged topics and added in original topic title to merged topic. ~ OB



 


#2 Conquistador


Posted 20 May 2008 - 11:24 PM

Dear Bleeping Computer technician,

For some time I have received junk mail that usually advertises Viagra or some such junk and have been at a loss as to where it was coming from. On my computer, I have AVG Free, Spybot, and Windows Defender on it and was unable to find the thing, though I knew it was there.
I found this program, W32.Netsky.P@mm, after using Microsoft® Windows® Malicious Software Removal Tool (KB890830). The program was unable to get rid of the worm since it had put its dirty claws on the registry files.
I read up on the worm and got directions on how to remove it from a technician site. I followed the directions fully, but as I was in Safe Mode, I couldn't locate the registry files (or the .dll's either) at all.
Since then I have found it from AVG Free but again, it couldn't get rid of the registry files of course.

I am at a loss as to what to do. What do I do?

Edited by Conquistador, 20 May 2008 - 11:27 PM.


#3 Orange Blossom


Posted 20 May 2008 - 11:38 PM

Hello Conquistador and welcome to Bleeping Computer :thumbsup:

I have merged your earlier topic which you posted in the HJT forum with your topic here in the Am I Infected forum as the earlier topic contained no logs.

Please let us know if these are concerning different computers. If they are, we will need to re-split the posts so that both topics are in this forum and titled in such a way that it is clear that two computers are involved.

Posting more than one topic about the same issue gets confusing for both the one being helped and those helping and can make things more difficult for the one being helped. Equally confusing is posting topics about different computers and not making that clear in the posts.

Basic posting rule of thumb: One computer issue to one thread.

Orange Blossom :flowers:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 quietman7


Posted 21 May 2008 - 08:57 AM

Please download and scan with Norman Malware Cleaner. Be sure to print out and follow the instructions.
Restart your computer in "Safe Mode" and double-click on Norman_Malware_Cleaner.exe to start the remover.
In some cases Norman Malware Cleaner may require that you restart the computer to completely remove an infection. If prompted, reboot and run the tool again to ensure that all infections are removed.

If that does not help, then do this:

Please download and scan with the Kaspersky AVP Tool in "Safe Mode".
-- The most current build of this tool can also be downloaded from here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#5 Conquistador


Posted 22 May 2008 - 12:02 AM

The Norman Malware Cleaner cleaned these files:
C:/Documents and Settings/Owner/My Documents/Desktop stuff Feb 17 1008/WebfettiSetup2.2.60.11-2.exe (Infected with W32/WebSearchJO)
C:/Program Files/Wild Tangent/Apps/WebDriverInstall.exe (Infected with W32/Agent.AMZU)
C:/Program Files/Wild Tangent/Components/SystemConfig0100.dll (Infected with W32/WinAd.ET)
C:/System Volume Information/_RESTO~1/RP1651/A0154151.exe (Infected with W32/WebSearchJO)
C:/System Volume Information/_RESTO~1/RP1656/A0154243.exe (Infected with W32/WebSearchJO)
C:/System Volume Information/_RESTO~1/RP1758/A0170286.exe (Infected with W32/Agent.AMZU)
C:/System Volume Information/_RESTO~1/RP1758/A0170287.dll (Infected with W32/WinAd.ET)
I didn't see the file(s) I was looking for.

Also, when I installed the other program Kaspersky, it didn't find it and now I am unable to uninstall it since the uninstaller won't open and the Add and Remove Programs can't find it either!


Should I give you the HijackThis log now?

#6 Orange Blossom


Posted 22 May 2008 - 12:11 AM

Hello Conquistador,

No, please do not post an HJT log here. Please await quietman7's further instructions. If he finds that you will need to post an HJT log, he will tell you so at that time and also provide specific instructions for doing so.

Orange Blossom :thumbsup:

#7 quietman7


Posted 22 May 2008 - 06:27 AM

"I didn't see the file(s) I was looking for."

What file name was that and do you know the exact path (location) where you found it?

Norman claimed the cleaner would be able to remove this malware. Since it didn't and Kaspersky did not find anything, let's try this.

Please print out and follow the instructions for using Symantec's "W32.Netsky@mm Removal Tool".

#8 Conquistador


Posted 22 May 2008 - 03:52 PM

I'm a step ahead of you. I already downloaded and ran the thing. It didn't locate it so one of my anti-malware programs (AVG and Windows Defender) must have picked it up finally. I even used (MWMSRT) again but it didn't find it.

Oh, and what was it I was looking for?
___________________________________________________________________________________
%Windir%\FVProtect.exe.
file %Windir%\userconfig9x.dll.
registry value: Norton Antivirus AV
with data: %Windir%\FVProtect.exe
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
__________________________________________________________________________________

Got those from an instruction by Microsoft Windows Malicious Software Removal Tools (MWMSRT) site they had me go to.


This still leaves me with the slow computer problem. Back to what was said earlier, after I ran the things, later in the day it froze while trying to restart the computer. It also froze while trying to hibernate (It was set to enable that) that night so I know that something still exists.

What's next?
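
The indicators listed in the post above (two files under %Windir% and one Run-key value) can be checked mechanically. The following is an added example, not part of the original thread and not code from any of the removal tools mentioned; the function names, the default `C:\WINDOWS` path and the sample data are assumptions made for illustration.

```python
import ntpath
import os

# Indicators exactly as listed in the post above.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"   # under HKLM
RUN_VALUE_NAME = "Norton Antivirus AV"
INDICATOR_FILES = ("FVProtect.exe", "userconfig9x.dll")      # under %Windir%


def normalise(path, windir):
    """Strip quotes, expand %Windir%, case-fold and normalise separators."""
    lowered = path.strip().strip('"').lower()
    return ntpath.normpath(lowered.replace("%windir%", windir.lower()))


def find_indicators(run_entries, existing_files, windir=r"C:\WINDOWS"):
    """Match Run-key values ({name: data}) and file paths against the list."""
    wanted = {normalise(ntpath.join(windir, f), windir) for f in INDICATOR_FILES}
    findings = []
    for name, data in run_entries.items():
        # Flag the posted value name, or any value that launches a listed file.
        if name.lower() == RUN_VALUE_NAME.lower() or normalise(data, windir) in wanted:
            findings.append(("run-value", name, data))
    for path in existing_files:
        if normalise(path, windir) in wanted:
            findings.append(("file", path, None))
    return findings


def read_live_system():
    """Windows only: read the HKLM Run key and probe the two file paths."""
    import winreg  # imported here so the matching logic runs on any OS
    windir = os.environ.get("WINDIR", r"C:\WINDOWS")
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _type = winreg.EnumValue(key, i)
            entries[name] = str(data)
    paths = [ntpath.join(windir, f) for f in INDICATOR_FILES]
    return entries, [p for p in paths if os.path.exists(p)], windir


# Constructed sample data (not taken from the poster's machine).
SAMPLE_RUN = {
    "ExampleTray": r"C:\Program Files\Example\tray.exe",
    "Norton Antivirus AV": r"%Windir%\FVProtect.exe",
    "Updater": '"c:/windows/fvprotect.exe"',
}
SAMPLE_FILES = [r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\userconfig9x.dll"]

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_RUN, SAMPLE_FILES):
        print(finding)
```

On a live Windows machine, `find_indicators(*read_live_system())` runs the same match against the real Run key; an empty result only means these specific indicators are absent.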

#9 quietman7


Posted 22 May 2008 - 04:28 PM

"This still leaves me with the slow computer problem."

If your computer seems to be slow, read Slow Computer/Browser? Check here first; it may not be malware. There are reasons for slowness besides malware - i.e. disk fragmentation, disk errors, corrupt system files, too many startup programs, unnecessary services running, not enough RAM, dirty hardware components, etc. As your system gets older it becomes filled with more files/programs and has a natural tendency to slow down so cleaning and regular maintenance is essential.
Note: If you are not on a local area network (LAN), disable the Workstation Service which creates and maintains client network connections to remote servers and that should also help to speed up your boot time.

#10 Conquistador


Posted 22 May 2008 - 08:46 PM

I did as you asked. The only things I hadn't already done were the special fragmentation and the Windows XP verifier, which found nothing wrong.
The computer, I noted, does now boot up from a dead start in a little under 8 minutes, so there is some benefit.

Also, I noticed that in C:/Documents and Settings there is a folder named 'Valerie' (one of my sisters' names) which has pretty much the same folders that another 'logger' would have. There are only two actually, Administrator and Owner, so I'm confused about it.

Edited by Conquistador, 22 May 2008 - 09:25 PM.


#11 quietman7


Posted 23 May 2008 - 06:45 AM

Default Local Disk Folders include:
Documents and Settings\Administrator
Documents and Settings\All Users
Documents and Settings\Default User
Documents and Settings\LocalService
Documents and Settings\NetworkService
Documents and Settings\Owner (or your name)

NOTE: Some of the folders (Default User, NetworkService, LocalService) are hidden folders unless you reconfigure Windows to show them.

1. Administrator is for the Administrator account.

2. All Users is used for your Desktop, Start Menu, Favorites, Shared Documents, etc. Each user's Start menu and Desktop contain all of the items from the All Users profile as well as from their own profile. The items from the All Users profile are considered common program items which are seen by every user on the computer.

3. Default User is used when creating new accounts. When a user logs on for the first time, Windows creates a new folder to store the new user's profile and copies the default profile into that new folder. Changes that the user makes to the default profile are then recorded in the user's copy.

4. The LocalService and NetworkService profiles are automatically created by Windows XP for built in user accounts. They are used by the Service Control Manager to host services that do not need to run as the local system account. These profiles are required by the system to run and should not be modified.

Edited by quietman7, 23 May 2008 - 06:46 AM.


#12 DaChew


Posted 23 May 2008 - 06:57 AM

Are you using the avg antivirus?

What other security programs do you have installed besides defender?

Don't worry about ones like MBAM etc. that don't load at bootup.
Chewy

No. Try not. Do... or do not. There is no try.

#13 Conquistador


Posted 24 May 2008 - 09:24 AM

I have Spybot1.5.2, Spam Subtract on, and Spyware Blaster.

Also, even though I apparently got rid of the spammer, I still get spam from something.
Here's one of them (Just the details of it when you go to its properties):
_______________________________________________________________________________
<parts4@h-ebmeyer.de>
Received: from aarpub06.charter.net ([10.20.200.169]) by mta52.charter.net
(InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP
id <20080524131029.SASV17675.mta52.charter.net@aarpub06.charter.net>;
Sat, 24 May 2008 09:10:29 -0400
Received: from adsl190-027000173.dyn.etb.net.co ([190.27.8.173])
by aarpub06.charter.net with SMTP
id <20080524131028.OHMP2698.aarpub06.charter.net@adsl190-027000173.dyn.etb.net.co>;
Sat, 24 May 2008 09:10:28 -0400
Date: Sat, 24 May 2008 06:10:26 -0800
From: Florine <parts4@h-ebmeyer.de>
To: gmoore1000@charter.net Subject: Re:
MIME-Version: 1.0
Message-Id: <20080524131028.OHMP2698.aarpub06.charter.net@adsl190-027000173.dyn.etb.net.co>
X-Chzlrs: 0
X-Antivirus: AVG for E-mail 8.0.100 [269.24.0/1462]
Content-Type: multipart/mixed; boundary="=======AVGMAIL-483821AB0000======="
________________________________________________________________________________

On a side note, I noticed after I installed Process Explorer that my hardware interrupts were quite high. Is that normal?

Edited by Conquistador, 24 May 2008 - 06:04 PM.
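
The `Received:` lines in the headers posted above record each server-to-server handoff, newest first. The following added example (not part of the original thread) parses that chain and reports the hop where a provider server accepted the message from a public address; the function names and the choice of `.charter.net` as the trusted suffix are assumptions, the latter taken from the two stamping hosts in the post.

```python
import email
import ipaddress
import re

# Received/Date/Subject headers from the post above, re-folded with indented
# continuation lines (the forum paste lost the indentation); values unchanged.
RAW_HEADERS = """\
Received: from aarpub06.charter.net ([10.20.200.169]) by mta52.charter.net
 (InterMail vM.7.08.04.00 201-2186-134-20080326) with ESMTP
 id <20080524131029.SASV17675.mta52.charter.net@aarpub06.charter.net>;
 Sat, 24 May 2008 09:10:29 -0400
Received: from adsl190-027000173.dyn.etb.net.co ([190.27.8.173])
 by aarpub06.charter.net with SMTP
 id <20080524131028.OHMP2698.aarpub06.charter.net@adsl190-027000173.dyn.etb.net.co>;
 Sat, 24 May 2008 09:10:28 -0400
Date: Sat, 24 May 2008 06:10:26 -0800
Subject: Re:

"""

# "from <name> ([<ip>]) by <host>" as it appears in these InterMail stamps.
HOP_RE = re.compile(
    r"from\s+(?P<name>\S+)\s+\(\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)")


def received_hops(raw):
    """Return the Received chain newest-first as a list of dicts."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received") or []:
        m = HOP_RE.search(value)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address in the stamp: skip this hop
        hops.append({"from": m.group("name"), "ip": str(ip),
                     "by": m.group("by"), "internal": ip.is_private})
    return hops


def external_handoff(hops, trusted_suffix):
    """First hop stamped by a trusted host whose peer had a public address."""
    for hop in hops:
        if hop["by"].endswith(trusted_suffix) and not hop["internal"]:
            return hop
    return None  # no such hop: the chain never left private address space


if __name__ == "__main__":
    print(external_handoff(received_hops(RAW_HEADERS), ".charter.net"))
```

Only stamps written by servers you trust are reliable; any `Received:` line below the first trusted hop could have been supplied by the sender.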




