Unsolved
This post is more than 5 years old
7 Posts
0
10590
Netsky Q, HELP!
HI, I have been infected by Netsky Q. I have AVG (that found it but couldn't remove it) Ad-aware 6 and Spybot Search and Destroy.
I couldn't find info in your board.
what do i do?
Thanks
Celina
pskelley
933 Posts
0
June 25th, 2004 20:00
Hi Celina, Just follow the directions below, and be patient.
Please follow the directions below, once your log is posted, be patient. Keep in mind that we are all volunteers with families and real jobs. It is very busy, and we work the logs in the order they come in. One of the experts will be along to assist with your log as soon as possible. Thanks...pskelley
http://209.133.47.12/~merijn/files/HijackThis.exe
Stay in this thread for continuity. Reply to this message.
In Training at TomCoyote.com and Spywareinfo.com
TomCoyote.com and SpywareInfo.com to help with Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley.
celiQ
7 Posts
0
June 26th, 2004 10:00
Logfile of HijackThis v1.97.7
Scan saved at 13:20:17, on 26/06/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Wanadoo\CnxMon.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Wanadoo\EspaceWanadoo.exe
C:\Program Files\Wanadoo\ComComp.exe
C:\Program Files\Wanadoo\Watch.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/fr/fra/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Wanadoo
R3 - URLSearchHook: Search Class - {08C06D61-F1F3-4799-86F8-BE1A89362C85} - C:\PROGRA~1\Wanadoo\SEARCH~1.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WooCnxMon] C:\PROGRA~1\Wanadoo\CnxMon.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WOOWATCH] C:\PROGRA~1\Wanadoo\Watch.exe
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WOOTASKBARICON] C:\PROGRA~1\Wanadoo\TaskbarIcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Viajes Gratis (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Wanadoo (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {5F426A93-0821-47D2-A126-5A48A874B289} (DialerWeb Class) - http://212.145.159.194/251065/dialercab/WebRecomendada.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.5288657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B635C5C-D6B3-4BDB-9E99-345D6E5080D5}: NameServer = 80.10.246.1 80.10.246.132
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B635C5C-D6B3-4BDB-9E99-345D6E5080D5}: NameServer = 80.10.246.1 80.10.246.132
celiQ
7 Posts
0
June 26th, 2004 10:00
Hi pskelly,Thank you for your advise. I will do it all and let you know.
I know. we are all busy. I can't answer you v quick either. But i'll let you know how i am doing and ask you if I have any doubts.
Like allways a great help!
Thanks,
Celina
celiQ
7 Posts
0
June 26th, 2004 10:00
Have i done all right????????
hope it is OK!
What's next?
Thanks Celina
Texruss
3.4K Posts
0
June 28th, 2004 03:00
Not Netsky...two different Blaster worms. Link 1 Link 2
Run Hijackthis and fix check these lines:
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
1. Reboot to SAFE MODE
2. Show HIDDEN FILES and folders
FAQ 8 and 9 on this page:
http://www.russelltexas.com/malware/faqhijackthis.htm
Open Windows Explorer: type the word explorer at Start/Run box and click OK:
Drill on down and delete the following files and/or folders:
C:\Windows\System32\mslaugh.exe
C:\Windows\System32\teekids.exe
Exit Explorer and empty the Recycle Bin.
Reboot in normal mode Windows and immediately run Live Update (pull down under Tools in Internet Explorer 6 to Windows Update. Get the critical updates...you are far behind.
Next update your Norton definitions and run a full system scan.
Post back a fresh Hijackthis log.
After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System Restore which can't be cleaned by your antivirus programs.
See FAQ 12 here: http://www.russelltexas.com/malware/faqhijackthis.htm
All the best,
Texruss
www.russelltexas.com
Spyware Fighter Wilders Forum
Slyware Warrior Tom Coyote Forum
Expert Malware Responder Dell Forum
Please be aware only the following DellForum members were trained at TomCoyote.com and SpywareInfo.com to help with malware like viruses, worms, adware, scumware, foistware and crudware in general. They are also the only experts specifically trained to analyze and advise on Hijackthis logs: Texruss, Baskar1234, Grinler, ChrisRLG, SpotCheckBilly, and pskelley. (If you are one of our classmates and not on this list email me for an addition to this list...we need all the help we can get *;-) BTW...clicking on people's usernames at the left will reveal information about them if they chose to have an open profile. My credentials are available for your perusal.
pskelley
933 Posts
0
June 28th, 2004 15:00
Hi Celina, There is one item that needs to be corrected in the original instructions for installing the HJT log. WARNING, your HJT.exe is a file and not in a folder. It needs to be in a folder so it can create backups if they are needed. Your log shows it like this now: C:\HJT.exe, and it must look like this: C:\HJT\HijackThis.exe. Please review this information, create that folder and move the HJT:exe into that folder. Here is Texruss's tutorial for doing this if it helps. Thanks...pskelley
http://www.russelltexas.com/malware/copyHJTfile.htm
Texruss
3.4K Posts
0
June 28th, 2004 23:00
Thanks pskelley...good eye!
Texruss