win32 worm netbooster SOS

Hi, I have done a lot of research on this nasty trojan I downloaded thinking I was getting the latest episode of the Amazing Race (I knew better, but I hoped I was wrong). I have seen a lot of the fixes, and tried to do them; however, this virus has taken over. I cannot run the task manager, cannot edit the registry, cannot see the C:\ drive in My Computer. Even in safe mode, I cannot complete a virus scan (AVG) or Search & Destroy; my computer just shuts off. Is there any hope? Thanks
Re: win32 worm netbooster SOS

How do you know it is win32 worm netbooster?
Re: win32 worm netbooster SOS

Well, as I understand it, the "win32 worm netbooster" is a false virus...? I get an error message that pops up constantly telling me I have it. I cannot run any virus checker software; the computer just shuts down. It is the shutting down of the computer that concerns me the most; I can never make any progress trying to clean it up!!!
Re: win32 worm netbooster SOS

This is a smitfraud infection. The warning is false, but it is caused by an infection.

Download SmitfraudFix (by S!Ri). Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop. Do Not Run It Yet.

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* Double-click mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Shut down the computer. Reboot your computer into Safe Mode. This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep. Then select Safe Mode from the list.

Open the SmitfraudFix folder again. Double-click smitfraudfix.cmd. Select option #2 - Clean by typing 2 and press "Enter" to delete infected files. You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection. The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter". The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply. The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Reboot the computer in normal mode. Download HijackThis. Run a Full System Scan with it and save the log. Post back here with the MBA-M, SmitfraudFix and HJT logs.

Judy
Re: win32 worm netbooster SOS

Thanks for the info... I can't get through a Malwarebytes scan; I have tried twice and the computer just shuts down around the 7-9 minute mark. Hard to tell where it is, but it looks like IE temporary internet folders. Here is a HJT log that I just ran - any help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19: VIRUS ALERT!, on 10/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Documents and Settings\Claire Smith\sccs.exe
C:\Documents and Settings\Claire Smith\css.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Claire Smith\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Claire Smith\css.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [889e6cce] rundll32.exe "C:\WINDOWS\system32\wjoaqafr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [8yD3ofDhaw] C:\Documents and Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...n/x86/client/wuweb_site.cab?1170962551437
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Diner Dash - Flo on the Go\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rwlfsdmk - {28795284-E642-49C5-B78F-0D41C809B17A} - C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: onfwbsak - {C530CB73-86B3-4EA0-A87B-1E8BC599F66C} - C:\WINDOWS\onfwbsak.dll
O21 - SSODL: mntwin - {16E2EF24-FA8C-132D-5732-08900AEA34FF} - C:\Program Files\kpdqaid\mntwin.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7226 bytes
Re: win32 worm netbooster SOS

Please re-adjust spacing in your HJT log. It should be single spaced for easier reading.

Please download ATF-Cleaner.exe by Atribune. Put it on the desktop for easy access.
-- Click on ATF-Cleaner to run it.
-- Where it says Select Files To Delete, check the Select All option.
-- Click Empty Selected > OK.

If you use the Firefox browser, do this also:
* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE: If you would like to keep your saved passwords, click No at the prompt.

Have you been able to run Smitfraudfix? Try the MBA-M again after using ATF-Cleaner.
Re: win32 worm netbooster SOS

Thanks. Sorry about the HJT log. Will try to run Malwarebytes again now. No, I have not been able to run Smitfraudfix; it also crashes partway through.
Re: win32 worm netbooster SOS

Are you running Smitfraudfix in Safe Mode as directed?
Re: win32 worm netbooster SOS

Yes, in safe mode; it still gets only part way through and shuts down. And I still can't run the MBA-M, even after the ATF Cleaner. The cleaner worked, and then MBA-M got further than it has so far (around 11 minutes), but then the computer just shut down again!
Re: win32 worm netbooster SOS

Boy! I will tell you what, ces2, you have a very badly infected computer. Some stuff I have honestly never seen before.

Lanfilt.b Trojan >>> # Allows its creator unauthorized access to a compromised computer. # Attempts to disable some antivirus, firewall, and system-monitoring programs by terminating processes.
Troj/MailBot-CE >>> The Trojan may be used to send unsolicited emails from an infected computer.
VideoAccessCodec adware.
Peltodgx Toolbar >> the latest toolbar infection from the zlob group, and like its infectious predecessors it has very similar characteristics to all the previous toolbars. Peltodgx Toolbar displays fake alerts, warnings and links to rogue anti-spyware products.
Alcan Worm.

You also have starting as a service something called Boonty Games, which is quite scary really. Read this from their Privacy Policy:

Quote:

Download:
- Pocket Killbox
- ComboFix by sUBs from HERE or HERE
Don't run either one yet.

Next open your Spybot program. At the top choose Mode, Advanced. Then at the bottom left click Tools. On the left side you will then see a row of buttons. Click Resident. When that opens REMOVE the CHECK MARK from TeaTimer. Close the program. Then look in Task Manager and find TeaTimer and End the Process. You MUST get this to stop as it can interfere with any fixes done with HiJackThis.

Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Claire Smith\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Claire Smith\css.exe
O4 - HKLM\..\Run: [889e6cce] rundll32.exe "C:\WINDOWS\system32\wjoaqafr.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [8yD3ofDhaw] C:\Documents and Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: rwlfsdmk - {28795284-E642-49C5-B78F-0D41C809B17A} - C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: mntwin - {16E2EF24-FA8C-132D-5732-08900AEA34FF} - C:\Program Files\kpdqaid\mntwin.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

Now run Pocket Killbox: Choose Tools -> Delete Temp Files and click Delete Selected Temp Files. Then after it deletes the files click the Exit (Save Settings) button.

Now open Pocket Killbox again. NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
* Select: Delete on Reboot
* then click on the All Files button.
* Please copy the file paths below to the clipboard (by highlighting ALL of them and, after highlighting, right-click and choose copy):

C:\Documents and Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
C:\Documents and Settings\Claire Smith\sccs.exe
C:\Documents and Settings\Claire Smith\css.exe
C:\WINDOWS\system32\wjoaqafr.dll
C:\WINDOWS\rwlfsdmk.dll
C:\Program Files\kpdqaid\mntwin.dll
C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe

* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

Close ALL windows. Physically disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running. This will include your Search & Destroy TeaTimer.exe (if it is still running) and McAfee.

Double click combofix.exe and follow the prompts. When finished, the program will produce a log.
Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Post the following logs:
ComboFix
HijackThis
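As an added illustration (not part of this thread and not a HijackThis feature), the following Python script encodes as simple heuristics the reasoning behind the entries the reply above picks out for fixing: the policies that lock out regedit and IE, the autostart EXEs sitting in a profile root, the Policies\Explorer\Run persistence, the rundll32 Run value with a random hex name, the toolbar DLL dropped in the Windows root and the SSODL entries outside system32, while leaving the McAfee and AVG entries alone. The entries are excerpted from the log posted earlier in the thread; the rules and their thresholds are this example's own assumptions.

```python
import re

# Excerpt of the HijackThis log posted in this thread, one entry per line.
HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} - C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Claire Smith\sccs.exe
O4 - HKLM\..\Run: [889e6cce] rundll32.exe "C:\WINDOWS\system32\wjoaqafr.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [8yD3ofDhaw] C:\Documents and Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rwlfsdmk - {28795284-E642-49C5-B78F-0D41C809B17A} - C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: mntwin - {16E2EF24-FA8C-132D-5732-08900AEA34FF} - C:\Program Files\kpdqaid\mntwin.dll
"""

def first_path(entry):
    """First drive-letter path ending in .exe/.dll in an entry, lower-cased ('' if none)."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll))', entry, re.IGNORECASE)
    return m.group(1).lower() if m else ""

def suspicious_reason(line):
    """Return why one HJT entry looks suspicious, or None if no heuristic fires."""
    kind = line.split(" - ", 1)[0]          # HJT section tag: R0, O4, O21, ...
    low, path = line.lower(), first_path(line)
    if kind == "O7" and "disableregedit=1" in low.replace(" ", ""):
        return "policy disables regedit (the 'cannot edit the registry' symptom)"
    if kind == "O6":
        return "IE restrictions policy present"
    if kind == "R0" and "start page" in low and "microsoft.com" not in low:
        return "start page points at a non-Microsoft URL"
    if kind == "O4" and "policies\\explorer\\run" in low:
        return "autostart via Policies\\Explorer\\Run, rarely used by legitimate software"
    if kind == "O4" and "rundll32.exe" in low and re.search(r"\[[0-9a-f]{8}\]", line):
        return "rundll32 loading a DLL under a random hex-named Run value"
    if kind == "O4" and re.fullmatch(r"c:\\documents and settings\\[^\\]+\\[^\\]+\.exe", path):
        return "autostart EXE placed directly in a user profile root"
    if kind == "O3" and re.fullmatch(r"c:\\windows\\[^\\]+\.dll", path):
        return "toolbar DLL dropped in the Windows root folder"
    if kind == "O21" and not path.startswith("c:\\windows\\system32\\"):
        return "ShellServiceObjectDelayLoad DLL outside system32"

def triage(log_text):
    """Return (kind, reason, line) for every flagged entry, in log order."""
    flagged = [(e, suspicious_reason(e)) for e in log_text.strip().splitlines()]
    return [(e.split(" - ", 1)[0], r, e) for e, r in flagged if r]
```

The same rules would also catch the third SSODL entry (onfwbsak.dll in C:\WINDOWS) from the full log, which the reply's fix list does not include.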
©2003 - 2009 DaniWeb® LLC