
Fake worm.win32.netsky?


7 replies to this topic

#1 MikeJC

  • Members
  • 6 posts

Posted 03 February 2010 - 10:48 PM

Hey everyone,

So I'm doing all this on my iPhone, so please excuse the limited searching for answers.

I've had the fake antivirus software (av.exe) 2 or 3 times now but have been able to get rid of it with help from the guides. However, I now have the above listed virus, although a post on Symantec's website makes me think it is not the listed virus and something else completely. It won't let me access Task Manager, has changed my Symantec vptray program, changed AIM, and deleted the Malwarebytes exe. I tried reinstalling Malwarebytes from a flash drive, but it didn't work. It was immediately deleted. Please help.

Oh, also, whatever this is hasn't touched CCleaner.



#2 boopme

  • Global Moderator
  • 72,762 posts

Posted 03 February 2010 - 11:47 PM

Hello and welcome... As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\ tc... so please follow our Removal Guide here http://www.bleepingcomputer.com/virus-remo...t-security-2010

You will move to the Automated Removal Instructions for Internet Security 2010 using Malwarebytes' Anti-Malware:

After you have completed that, post your scan log here and let me know how things are.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 MikeJC


Posted 04 February 2010 - 07:29 AM

Unfortunately I can't get to the desktop in normal Windows mode. If I X out of the box that "warns" me about worm.win32.netsky, I get a BSOD and a restart, and if I click "OK" then "run once wrapper" stops working, followed by Windows Explorer stopping working.

#4 MikeJC


Posted 04 February 2010 - 07:59 AM

So I dl'd RKill to a flash drive and started in safe mode and ran it. It stopped dllhost.exe. I then tried to install MBAM, and did, but as soon as it finished installing the virus deleted it again. I've tried this cycle 3 times. How does dllhost.exe keep restarting?

#5 MikeJC


Posted 04 February 2010 - 11:59 AM

I'm at work now and am re-reading the guide boopme linked to. I realize I missed a couple of steps this morning (reading from an iPhone ain't easy). I'll try again tonight and let you all know how it goes.

#6 boopme


Posted 04 February 2010 - 12:31 PM

Important links you will need from Guide

RKill
http://download.bleepingcomputer.com/grinler/rkill.com

MBAM
http://download.bleepingcomputer.com/malwa.../mbam-setup.exe

After running RKill and installing MBAM:
STEP 8
8. As this infection deletes a core executable of Malwarebytes' we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link:

Malwarebytes' EXE Download Link>> http://mbam.malwarebytes.org/program/random.php

When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.

9. Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 8. MBAM will now start and you will be at the main program screen as shown below.

Update MBAM and scan

Edited by boopme, 04 February 2010 - 12:33 PM.


#7 MikeJC


Posted 04 February 2010 - 08:50 PM

boopme,

Thanks for your help. I'm back up and running. I uninstalled Symantec and installed Avast, added SpyBot, left MBAM with the random filename and updated it. Anything else you (or anyone else) recommend so I don't get this stupid virus again? Btw, I'm running Vista Home Premium.

Thanks!

#8 boopme


Posted 06 February 2010 - 11:13 PM

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
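The restore-point steps from post #8, scripted as an added example (not part of the thread or of the BleepingComputer guide): it creates a new restore point on the cleaned system and removes the older ones only after confirming the new point exists. It assumes an elevated Windows PowerShell 5.1 session with System Restore enabled; the description text and the `Win32.SystemRestore` wrapper name are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: run only AFTER the system has been scanned and cleaned.
# Windows PowerShell 5.1 (these System Restore cmdlets are not in PowerShell 7).

$label = 'Post-cleanup baseline'   # illustrative description, pick your own

# Highest sequence number that existed before we create the clean point.
$before  = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
$lastOld = ($before | Measure-Object -Property SequenceNumber -Maximum).Maximum
if ($null -eq $lastOld) { $lastOld = 0 }

# On Windows 8 and later this is skipped with a warning if a restore point
# was already created within the last 24 hours, hence the check below.
Checkpoint-Computer -Description $label -RestorePointType MODIFY_SETTINGS

$after  = @(Get-ComputerRestorePoint | Sort-Object SequenceNumber)
$newest = $after | Select-Object -Last 1

# Never delete anything unless the clean point was really created.
if ($null -eq $newest -or $newest.SequenceNumber -le $lastOld -or
    $newest.Description -ne $label) {
    throw 'New restore point was not created; older restore points left untouched.'
}

# srclient.dll exports SRRemoveRestorePoint, which deletes one restore point
# by sequence number (Disk Cleanup does the equivalent from its GUI).
Add-Type -Namespace Win32 -Name SystemRestore -MemberDefinition @'
[DllImport("srclient.dll")]
public static extern int SRRemoveRestorePoint(int dwRPNum);
'@

foreach ($rp in $after | Where-Object { $_.SequenceNumber -lt $newest.SequenceNumber }) {
    $rc = [Win32.SystemRestore]::SRRemoveRestorePoint([int]$rp.SequenceNumber)
    if ($rc -eq 0) {
        Write-Output ("Removed #{0}: {1}" -f $rp.SequenceNumber, $rp.Description)
    } else {
        Write-Warning ("Could not remove #{0} (error code {1})" -f $rp.SequenceNumber, $rc)
    }
}

# Only the post-cleanup point should remain.
Get-ComputerRestorePoint | Format-Table SequenceNumber, Description, RestorePointType
```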



