Hi, I have done a lot of research on this nasty trojan I downloaded thinking i was getting the latest episode of the Amazing Race (I knew better, but I hoped I was wrong).
I have seen a lot of the fixes, and tried to do them, however, this virus has taken over. I cannot run the task manager, cannot edit the registry, cannot see the c:\ drive in my computer.
Even in safe mode, I cannot complete a virus scan (AVG), or search & destroy - my computer just shuts off.
is there any hope?
Thanks
How do you know it is win32 worm netbooster ?
well, as I understand it, the "win32 worm netbooster" is a false virus... ?
I get an error message that pops up constantly telling me I have it. I cannot run any virus checker software, the computer just shuts down. It is the shutting down of the computer that concerns me the most, I can never make any progress trying to clean it up!!!
This is a smitfraud infection. The warning is false but it is caused by an infection.
Download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.
Do Not Run It Yet.
Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.
* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
Shut down the computer.
Reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Reboot the computer in normal mode.
Download HijackThis
Run a Full System Scan with it and save the log. Post back here with the MBA-M, Smitfraudix and HJT logs.
Judy
Thanks for the info...
I can't get through a malware bytes scan, I have tried twice and the computer just shuts down around the 7-9 minute mark. Hard to tell where it is, but it looks like IE temporary internet folders.
Here is a HJT log that I just ran - any help?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:19: VIRUS ALERT!, on 10/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application
Data\yvmpebgv\etwhonup.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Documents and Settings\Claire Smith\sccs.exe
C:\Documents and Settings\Claire Smith\css.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL
= http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} -
C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI]
C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan
Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program
Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network
Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program
Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\Claire
Smith\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Claire Smith\css.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [889e6cce] rundll32.exe
"C:\WINDOWS\system32\wjoaqafr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common
Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common
Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search
& Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [8yD3ofDhaw] C:\Documents and
Settings\All Users\Application Data\yvmpebgv\etwhonup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,
DisableRegedit=1
O8 - Extra context menu item: &D&ownload &with BitComet -
res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet -
res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet -
res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} -
res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206
(file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration -
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -
http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class)
-
http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/w
uweb_site.cab?1170962551437
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient
Class) -
http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.ca
b
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) -
file://C:\Program Files\Diner Dash - Flo on the Go\Images\armhelper.ocx
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: rwlfsdmk - {28795284-E642-49C5-B78F-0D41C809B17A} -
C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: onfwbsak - {C530CB73-86B3-4EA0-A87B-1E8BC599F66C} -
C:\WINDOWS\onfwbsak.dll
O21 - SSODL: mntwin - {16E2EF24-FA8C-132D-5732-08900AEA34FF} -
C:\Program Files\kpdqaid\mntwin.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common
Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems,
Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision
Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program
Files\iPod\bin\iPodService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown
owner - C:\WINDOWS\System32\WLTRYSVC.EXE
--
End of file - 7226 bytes
Please re-adjust spacing in your HJT log. It should be single spaced for easier reading.
Please Download ATF-Cleaner.exe by Atribune
Put it on the desktop for easy access.
-- Click on ATF-Cleaner to run it
-- Where it says Select Files To Delete, Check the Select All Option
-- Click Empty Selected > OK
If you use Firefox browser, do this also:
* Click Firefox at the top and choose Select All from the list.
* Click the Empty Selected button.
* NOTE : If you would like to keep your saved passwords, click No at the prompt.
Have you been able to run Smitfraudfix?
Try the MBA-M again after using ATF-Cleaner.
Thanks. Sorry about the HJT log. Will try to run Malware Bytes again now. No, I have not been able to run Smitfraudfix, it also crashes partway through.
Are you running Smitfraudfix in Safe Mode as directed?
yes, in safe mode, it still gets only part way through and shuts down.
And still can't run the MBA-M, even after the ATF Cleaner. The cleaner worked, and then MBA-M got further than it has so far (around 11 minutes), but then the computer just shut down again!
Boy! I will tell you what ces2, you have a very badly infected computer. Some stuff I have honestly never seen before.
Lanfilt.b Trojan>>># Allows its creator unauthorized access to a compromised computer.
# Attempts to disable some antivirus, firewall, and system-monitoring programs by terminating processes.
Troj/MailBot-CE>>>The Trojan may be used to send unsolicited emails from an infected computer.
VideoAccessCodec adware.
Peltodgx Toolbar>>the latest toolbar infection from the zlob group and like its infectious predecessors it has very similar characteristics to all the previous toolbars. Peltodgx Toolbar displays fakes alerts, warnings and links to rogue anti-spyware products.
Alcan Worm.
You also have starting as a service something called Boonty Games which is quite scary really.
Read this from their Privacy Policy
"We also may share payment information with third parties who provide payment services and share aggregate data regarding the type and number of videogames you download, your age, gender, occupation, education level, geographic location, computer equipment data and on-line and video game interests, activities and practices to game publishers. In addition, we share e-mail addresses with third party e-mail carriers who assist us in sending out our e-mails to many of our customers at the same time. Subsidiaries and controlled affiliates are not viewed as third parties for the purpose of data transfers, and hence personal information may be shared within those subsidiaries and affiliates without obtaining additional consent."
Ok, let's try this;
Download
- Pocket Killbox
- ComboFix by sUBs from HERE or HERE
Don't run either one yet.
Next open your Spybot program. At the top choose Mode, Advanced. Then at the bottom left click Tools. On the left side you will then see a row of buttons. Click Resident. When that opens REMOVE the CHECK MARK from TeaTimer. Close the program. Then look in Task Manager and find TeaTimer and End the Process. You MUST get this to stop as it can interfere with any fixes done with HiJackThis.
Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
O3 - Toolbar: peltodgx - {1E54E389-923C-4DA3-B476-AFC5DB6EA302} -C:\WINDOWS\peltodgx.dll
O4 - HKLM\..\Run: [Sccs] C:\Documents and Settings\ClaireSmith\sccs.exe
O4 - HKLM\..\Run: [Css] C:\Documents and Settings\Claire Smith\css.exe
O4 - HKLM\..\Run: [889e6cce] rundll32.exe "C:\WINDOWS\system32\wjoaqafr.dll",b
O4 - HKLM\..\Policies\Explorer\Run: [8yD3ofDhaw] C:\Documents andSettings\All Users\
Application Data\yvmpebgv\etwhonup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegedit=1
O21 - SSODL: rwlfsdmk - {28795284-E642-49C5-B78F-0D41C809B17A} -C:\WINDOWS\rwlfsdmk.dll
O21 - SSODL: mntwin - {16E2EF24-FA8C-132D-5732-08900AEA34FF} -C:\Program Files\kpdqaid\mntwin.dll
O23 - Service: Boonty Games - BOONTY - C:\Program Files\CommonFiles\BOONTY Shared\Service\Boonty.exe
Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
Now open PocketKillbox again.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..
Select:
* Delete on Reboot
* then Click on the All Files button.
* Please copy the file paths below to the clipboard by highlighting ALL of them and after highlighting, right-click and choose copy):
C:\Documents and Settings\All Users\ApplicationData\yvmpebgv\etwhonup.exe
C:\Documents and Settings\Claire Smith\sccs.exe
C:\Documents and Settings\Claire Smith\css.exe
C:\WINDOWS\system32\wjoaqafr.dll
C:\WINDOWS\rwlfsdmk.dll
C:\Program Files\kpdqaid\mntwin.dll
C:\Program Files\CommonFiles\BOONTY Shared\Service\Boonty.exe
* Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
Close ALL windows
Physically disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running. This will include your Search & Destroy TeaTimer.exe (if it is still running), McAfee.
Double click combofix.exe follow the prompts
When finished, the program will produce a log
Note:
1. Do not mouseclick combofix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
Post the following logs:
ComboFix
HijackThis
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.