Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Worm.Win32.NetSky


  • This topic is locked This topic is locked
2 replies to this topic

#1 jrgong

jrgong

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 09 December 2009 - 05:50 AM

Hello,

I'm posting here asking for help with a problem the laptop has been having recently. For the past 2 weeks or so internet explorer has randomly popped up while I am browsing (my browser is Firefox) but I never paid it any mind. Then earlier today someone else was using the laptop and noticed that the desktop had changed itself to "Your computer is infected" and that I must run a spy ware scan immediately. I ran two and got rid of a few trojans/viruses but not this one. Whenever I reboot the computer it notifies me that it is the worm.win32.netsky it is infected with but offers no help in removing it. Starting up in safe mode was of no aid as the trojan/virus was still present. I can not run the dds as the virus will not allow me to, and I can't ctrl alt del.

Here is my logs:

HiJackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:37 AM, on 12/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16915)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winupdate86.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.Lazaro\My Documents\Downloads\RootRepeal.exe
C:\Documents and Settings\Owner.Lazaro\My Documents\Downloads\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\winlogon86.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [pakojoroh] Rundll32.exe "c:\windows\system32\hisekeke.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.Lazaro\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{B7870C61-1EB0-4EF2-ACEA-A47E608C8B41}: NameServer = 83.149.115.182
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA0731DA-1FC0-4100-AE8D-5A4EB527D615}: NameServer = 83.149.115.182
O18 - Filter hijack: text/html - {ba2b5bd5-f17c-4f01-bdcd-a5743d1798c4} - (no file)
O20 - AppInit_DLLs: dijuboru.dll c:\windows\system32\hisekeke.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

BC AdBot (Login to Remove)

 


#2 jrgong

jrgong
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 09 December 2009 - 01:18 PM

Problem solved - thanks.

Edited by jrgong, 10 December 2009 - 10:59 AM.


#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,114 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:10:33 PM

Posted 18 December 2009 - 10:01 AM

Topic closed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users