Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Worm.win32.netbooster


  • This topic is locked This topic is locked
7 replies to this topic

#1 SaxyLady

SaxyLady

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 15 July 2008 - 06:26 PM

I have a computer at work that is infected by Worm.Win32.NetBooster. Have no "Start -> All Programs", no Control Panel, no Task Manager, cannot get to command prompt, cannot see C: or D: drives. I have most of the tools mentioned to remove it, but I would like "step--by-step" instructions if possible. In other words, what do I do first, then next, etc.

Edited by SaxyLady, 16 July 2008 - 05:27 PM.


BC AdBot (Login to Remove)

 


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:08 AM

Posted 16 July 2008 - 01:56 AM

http://downloads.andymanchesta.com/Removal...CodecRepair.inf

start with this repair tool, right click and install

reboot

http://www.bleepingcomputer.com/forums/ind...mp;#entry839950

run MBAM, ATF cleaner and SAS in this exact order, print the directions if possible, post the logs

Every computer seems to react differently to an infection
Chewy

No. Try not. Do... or do not. There is no try.

#3 SaxyLady

SaxyLady
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 16 July 2008 - 07:48 PM

I tried to run the XP_CodecRepair.inf tool, but when I selected "Y" to run the tool, the command prompt dialogue box just disappeared. Logged on as Administrator, I ran MBAM and ATF cleaner. I re-booted the PC (in safe mode) after running MBAM. When I tried to run SAS, it says that "The system administrator has set policies to prevent this installation". HELP!!!!!!!!!!!! What should I do now???

Below is the log from MBAM.

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

5:32:08 PM 7/16/2008
mbam-log-7-16-2008 (17-32-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 73462
Time elapsed: 17 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 17
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\jkkljjJb.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\qoMfeDVL.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0902cc4b-b295-4058-916a-e50437a53484} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0902cc4b-b295-4058-916a-e50437a53484} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomfedvl (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f3df79a8-bacd-4a0e-86d9-f70e645a9bdb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f3df79a8-bacd-4a0e-86d9-f70e645a9bdb} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcgn6j0e1e3 (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{1ca3fdca-2340-4dd0-80e3-68ec677cd140} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9a3d91fb-fcf6-46a4-a0c2-b4865d8d05dc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e72ac0f3-1102-4fa9-bf25-26347f4ca582} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{68f00154-b318-462d-8b77-d6b0629a8f7c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{05721fb0-2c8d-41a1-bef7-0957168a3502} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{05721fb0-2c8d-41a1-bef7-0957168a3502} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.bbtv (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qndsfmao.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{9a3d91fb-fcf6-46a4-a0c2-b4865d8d05dc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\evgratsm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkljjjb -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\jkkljjjb -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkljjJb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bJjjlkkj.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bJjjlkkj.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMfeDVL.dll (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\A9CZ01Q9\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MRMJQDK7\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\MRMJQDK7\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lily\Local Settings\Temporary Internet Files\Content.IE5\IL6T6D03\1216079348[1].exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Lily\Local Settings\Temporary Internet Files\Content.IE5\UQFFLCFZ\CAW1IV4P (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP871\A0083391.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0084495.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0087516.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0088525.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0088527.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0088533.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6C85056A-2552-4466-A371-5731F09F5EBB}\RP872\A0088535.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\epeb.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\enbaxwij.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hjbnylqh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mhewug.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nbgkli.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nhenpqwp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rigzcr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vsigkt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yluhiabl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\qndsfmao.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kvxqmtre.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\evgratsm.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\agpqlrfm.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kgxmotaptvw.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:08 AM

Posted 16 July 2008 - 08:06 PM

Run MBAM again as a quick scan and fix, reboot the computer into normal mode then try a boot into safe mode to run the codec repair tool

You might have to disconnect from the internet to keep the infection from redownloading elements
Chewy

No. Try not. Do... or do not. There is no try.

#5 SaxyLady

SaxyLady
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 17 July 2008 - 12:04 PM

I re-ran MBAM again (while in Safe Mode). The log is below. However, after I re-started the computer in Normal mode and then booted into Safe Mode, I still am having problems with running SDFix/XP_CodecRepair.inf. When I right-click on XP_CodecRepair.inf and select Install, nothing seems to happen. I then do Start -> Run -> c:\SDFix\RunThis.bat and click on OK. I get the SDFix window and enter "Y" and hit Enter. The SDFix window just disappears. When I boot the computer in normal mode, I get the desktop, but there background is all white.

This is the log from the most recent running of MBAM:

Malwarebytes' Anti-Malware 1.20
Database version: 960
Windows 5.1.2600 Service Pack 2

9:07:15 AM 7/17/2008
mbam-log-7-17-2008 (09-07-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 72603
Time elapsed: 45 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1f55ee7d-6379-4319-9039-44b152e79bbc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1f55ee7d-6379-4319-9039-44b152e79bbc} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\qomfedvl (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0fccd91-e695-4651-82d7-029f328a8120} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\jkkljjJb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bJjjlkkj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qoMfeDVL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#6 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:05:08 AM

Posted 17 July 2008 - 12:19 PM

there are a couple of tricks listed in the sdfix guide, would you try them
Chewy

No. Try not. Do... or do not. There is no try.

#7 SaxyLady

SaxyLady
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:05:08 AM

Posted 17 July 2008 - 06:48 PM

I have run all the things you have suggested. The system is much better, but the desktop is still showing up with a big white "block" at the upper left-hand corner which takes up about 2/3 of the screen. I can at least get to everything again.

Edited by Orange Blossom, 18 July 2008 - 11:41 PM.
Removed DSS log. ~ OB


#8 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,911 posts
  • ONLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:05:08 AM

Posted 18 July 2008 - 11:48 PM

Hello SaxyLady,

I see that you have an HJT log posted here: http://www.bleepingcomputer.com/forums/t/158399/wormwin32netbooster/ Because you have this log posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

To avoid confusion, I am closing this topic. Good luck with your log.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users