Worm.Win32.Netsky


5 replies to this topic

#1 RaeGurl

RaeGurl

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 16 December 2009 - 09:50 AM

My computer has Worm.Win32.Netsky. I'm using another computer as I can no longer use my other (which is why I can't include all the file stuff). Everything was fine till last night. A few webpages were coming up red and saying I was infected or whatever, so I closed everything off. It seemed like something fake. I rebooted, but when I did sign back on everything was messed up.

When I first load up Windows it goes to the logon screen like everything is normal, but then an error pops up: scvhost.exe Application error. I close that and sign on. I get the long Spyware Alert message, saying Security Alert. Worm.Win32.Netsky has been detected. It describes what it is and that I should perform a system scan. During this only my desktop loads up (not my tool bar where you click Start).

A few secs later a System Shutdown window pops up saying it is shutting down and it's because of RPC and there is a minute countdown.

I tried to access Task Manager (by keys) and it said it was disabled by ADMIN, so I tried RUN: and then going to the registry or anything, and that also did not work. It said I was infected. I tried safe boot (any safe boot) but it shows all the text scrolling for a bit and then just restarts...

A lot of posts I've run into talk of downloading things and this and that, but I can't even access anything. I'm not a computer expert and really need some help. This all happened quite suddenly. Is there any way to go delete something without loading up Windows? I can access the Recovery Console but I don't know what to do there. Please, please help!

*I have Windows XP

Edited by RaeGurl, 16 December 2009 - 09:51 AM.




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 16 December 2009 - 03:18 PM

Let's see if we can free Task Manager.

This step involves making changes in the registry. Always back up your registry before making any changes.

Go to Start > Run and type: regedit
Click OK.
On the left side, click to highlight My Computer at the top.
Go up to File > Export.
Make sure in that window there is a tick next to "All" under Export Range.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put RegBackup.
Choose to save it to C:\
Click Save and then go to File > Exit.

Or you can download and use ERUNT, which is an excellent free tool that allows you to take a snapshot (backup) of your registry before making changes and restore it when needed.

Click on the link below:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Scroll down to #275 and click "Lift Restrictions - TM, Regedit and CMD" in the left column. Go to File, choose "Save page as" All Files and save regtmcmdrestore.vbs to your desktop. Double-click on that file to allow the script to run and reboot when done. Since the script modifies certain registry settings your anti-virus package may warn you about it. Ignore the warning and allow it to run.


If this does or doesn't work.. run The Vipre Rescue Program.

Edited by boopme, 16 December 2009 - 03:21 PM.

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 dmcmaster

dmcmaster

  • Members
  • 48 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 16 December 2009 - 05:47 PM

I've been notified by my startup page that I also have the Worm.Win32.NetSky virus, malware, or whatever it is. I have been unable to use my scanners for spybot search & destroy, free edition of adaware, superantispyware, and eusing registry cleaner and also McAfee AntiVirus Plus 2010. I suspect that there's a lot more going on than I realize. I really need some professional help. I would be thankful for any help at all.

#4 RaeGurl

RaeGurl
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:45 AM

Posted 16 December 2009 - 07:32 PM

Hello, thanks for the help but I can't access it either. It seems that the false virus program has disabled everything I could use: Task Manager, regedit, System Restore etc. Each one comes up with one of their false virus errors. However, I did make a boot CD (I had followed another's advice to delete a file and afterward I could no longer log in; I was able to follow instructions to fix it though). So I can access the registry by using the UBCD4WIN but can't go online..... Anyone have any suggestions?

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,212 posts
  • ONLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:45 AM

Posted 16 December 2009 - 08:27 PM

OK, you need to try running RKill.... It may take several tries.

Please download Rkill by Grinler and save it to your desktop. (Alternate downloads: Link 2, Link 3, Link 4)
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
You will need to run the application again if rebooting the computer occurs along the way.


Now as quick as you can run MBAM.
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (e.g. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

********
Scanning with MBAM in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, it loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM. Doing a safe mode scan should only be done when a regular mode scan fails.

If you cannot use or complete a scan in normal mode, then try performing a Quick Scan in "Safe Mode". After reboot, click the Logs tab and copy/paste the contents of the new report in your next reply.
**************************
TFC by OT
Please download TFC by Old Timer and save it to your desktop.
alternate download link
Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


@dmcmaster if you get a log please start a new topic and let me know. It will be easier for all as we may not progress at the same speed or direction.

#6 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:01:45 AM

Posted 17 December 2009 - 05:26 AM

RaeGurl
If you are not able to follow boopme's suggestions at this time, please have a look at the following suggestion.

"only my desktop loads up (not my tool bar where you click Start) ... a System Shutdown window pops up saying it is shutting down and it's because of RPC and there is a minute countdown."

Try the following to stop the imminent shutdown when you get the "1 minute" reboot prompt.
Press Ctrl+Esc to bring up the Start Menu.
If that is successful, you should then see the Run box, or be able to click on "Run".
In the Run box, type in "cmd" and press <ENTER> to bring up the command prompt window.
At the command prompt, type "shutdown -a" and press <ENTER> (NOTE the space between "shutdown" and "-a").

This will abort the reboot with any luck, and allow us some time to attempt to access your system.
Please let us know if this was successful.

You wrote: "I had followed another's advice to delete a file and afterward I could no longer log in; I was able to follow instructions to fix it though."
Please explain what you meant by this statement, and what you have done.
AustrAlien
Google is my friend. Make Google your friend too.
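The manual steps given in this thread (back up the registry before changing it, lift the Task Manager/regedit restriction in boopme's first reply, and abort the RPC shutdown countdown with shutdown -a in AustrAlien's reply) can be collected into one batch file. The script below is an added example and is not from this thread or from any of the tools mentioned in it. It assumes Windows XP or later with reg.exe and shutdown.exe available, an account with administrator rights, and C:\RegBackup as a constructed backup location; the two policy values it checks (DisableTaskMgr and DisableRegistryTools) are the standard Windows policy values that rogue "antivirus" programs set to block those tools.

```batch
@echo off
setlocal
REM Added example, not from the thread: registry backup, then check for and remove
REM the policy values that block Task Manager and regedit, with the shutdown
REM countdown aborted first. Assumes an administrator account; C:\RegBackup is a
REM constructed location.

REM 1. Abort a pending shutdown (the one-minute RPC countdown). Prints an error
REM    but does no harm if no shutdown is in progress.
shutdown -a

REM 2. Back up the registry before touching it: one .reg file per root hive.
REM    Deleting any old copy first avoids depending on an overwrite switch that
REM    older reg.exe versions do not have.
set BACKUPDIR=C:\RegBackup
if not exist "%BACKUPDIR%" mkdir "%BACKUPDIR%"
for %%H in (HKLM HKCU HKU HKCR HKCC) do (
    if exist "%BACKUPDIR%\%%H.reg" del "%BACKUPDIR%\%%H.reg"
    echo Exporting %%H to %BACKUPDIR%\%%H.reg
    reg export %%H "%BACKUPDIR%\%%H.reg"
)

REM 3. Look for the restriction values under both the per-user and the
REM    machine-wide policy key. "reg query" returns errorlevel 1 when the
REM    value is absent, so "if not errorlevel 1" means the value was found.
for %%K in ("HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System") do (
    for %%V in (DisableTaskMgr DisableRegistryTools) do (
        reg query %%K /v %%V >nul 2>&1
        if not errorlevel 1 (
            echo Found %%V under %%~K - deleting it
            reg delete %%K /v %%V /f
        ) else (
            echo %%V is not set under %%~K
        )
    )
)

echo Done. Log off and back on, or reboot, then try Ctrl+Shift+Esc for Task Manager.
endlocal
```

Save it as a .bat file and run it from the command prompt opened as in AustrAlien's reply. While the rogue program is still running it can re-create these values moments after they are deleted, which is why boopme's later reply starts with Rkill: run this after the rogue process has been stopped, or expect to repeat it. The exported .reg files are what you would double-click to restore the previous state if a later change goes wrong.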
