
NETSKY


4 replies to this topic

#1 miko


Posted 25 January 2005 - 10:21 PM

This is an example of the emails that I keep getting every time I open Outlook Express:

Address <support@symantec.com> received message:
'Re: Virus Sample' attachment file noname_912.txt
infected with I-Worm.Netsky.Q1 virus.

Mail was blocked.

<Virusbuster Smtp gateway>

I've scanned with Panda (online), the Stinger from McAfee, the fix Netsky tool from Symantec, Kaspersky, Norton and they found nothing... only after installing Solo antivirus did I find an executable that probably triggered it all. My guess is that it's probably allocated somewhere but no AV will find it.

P.S.: I just tried Sysclean from TrendMicro but no results, it gets some access denied errors, but it won't let me copy them.

Any suggestions?


 


#2 stidyup


Posted 26 January 2005 - 03:58 AM

If you think you're still infected, run HijackThis and post your log in this section of the forum, where an expert will look at it for you and give you some advice on how to solve the problem.



Download hijackthis here

#3 miko


Posted 26 January 2005 - 11:24 AM

Here it goes,



Logfile of HijackThis v1.99.0
Scan saved at 09:50:49 p.m., on 25/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
D:\Programas Reinstalacion\sysclean.com
D:\Programas Reinstalacion\sysclean.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Camilo\LOCALS~1\Temp\Rar$EX00.437\HijackThis.exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=020205 serial=DR12CRW-0056256-QYE lang=EN
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SoloSentry] C:\PROGRA~1\SRNMIC~1\SOLOSENT.EXE
O4 - HKLM\..\Run: [SoloSchedule] C:\PROGRA~1\SRNMIC~1\SOLOCFG.EXE
O4 - HKLM\..\Run: [SoloSysCheck] C:\PROGRA~1\SRNMIC~1\SYSCHECK.COM
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1102131301652
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

thanks in advance ! ! !

#4 miko


Posted 26 January 2005 - 11:28 AM

I just received a new virus warning when I opened Outlook. Here it is,

Address <saluddec@guajiros.udea.edu.co> received message:
'Returned mail: Data format error' attachment file noname_1027.txt
infected with I-Worm.Mydoom.Q1 virus.

Mail was blocked.

<Virusbuster Smtp gateway>

Help please.

#5 jgweed


Posted 26 January 2005 - 11:31 AM

If these are being returned by a mailer-daemon, and you did not originate the message, chances are that someone ELSE's computer is infected, not yours. Many viruses scan an infected computer's address files and send out such emails to each address they find in the hopes you will open the attachment and infect your own computer.
If the virus had been on your hard drive, one of the scans would have found it.
Regards,
John
Whereof one cannot speak, thereof one should be silent.
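
The triage jgweed describes (did you originate the message or not?) can be run mechanically over a batch of these gateway notices. The following is an added example, not part of the original thread: it parses the notice layout quoted in posts #1 and #4 and labels each notice by whether its recipient appears among addresses the user actually wrote to. The `sent_recipients` list and the verdict labels are assumptions of this example, and the verdict is only a heuristic.

```python
import re

# Layout of the gateway notice as quoted in posts #1 and #4 of this thread.
NOTICE_RE = re.compile(
    r"Address\s+<(?P<recipient>[^>]+)>\s+received message:\s*"
    r"'(?P<subject>[^']*)'\s+attachment file\s+(?P<attachment>\S+)\s+"
    r"infected with\s+(?P<malware>\S+)\s+virus\.",
    re.IGNORECASE,
)

def parse_notices(text):
    """Return one dict per gateway notice found in text."""
    return [m.groupdict() for m in NOTICE_RE.finditer(text)]

def triage(notices, sent_recipients):
    """Label each notice by whether the user ever mailed that recipient.

    sent_recipients: addresses taken from the user's own Sent Items
    (an assumption of this example; the thread does not list them).
    """
    known = {a.lower() for a in sent_recipients}
    results = []
    for n in notices:
        originated = n["recipient"].lower() in known
        verdict = "check-own-host" if originated else "likely-forged-sender"
        results.append({**n, "verdict": verdict})
    return results

# The two notices quoted in the thread, used as sample input.
SAMPLE = """\
Address <support@symantec.com> received message:
'Re: Virus Sample' attachment file noname_912.txt
infected with I-Worm.Netsky.Q1 virus.

Mail was blocked.

<Virusbuster Smtp gateway>

Address <saluddec@guajiros.udea.edu.co> received message:
'Returned mail: Data format error' attachment file noname_1027.txt
infected with I-Worm.Mydoom.Q1 virus.

Mail was blocked.
"""

if __name__ == "__main__":
    # Constructed Sent Items list: the user never wrote to either address.
    for row in triage(parse_notices(SAMPLE), ["friend@example.com"]):
        print(row["recipient"], row["malware"], row["verdict"])
```

A notice labelled `check-own-host` is not proof of infection; it only means the message could have come from the user's own mailbox and deserves a closer look.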



