Worm.win32.netsky, probably others [Solved]

Hello magaggie !

Welcome to the site! My nickname is heir and I'll be helping clean up your computer.

Before we proceed to clean your computer from malware, let's go over some points that will help both me and you, and prevent causing damage to your computer:

• To make sure that you receive an email when I reply to this topic, please click here and check that this topic is listed under Malware Removal and Spyware Removal.
• Please don't be afraid to ask questions! No question is considered dumb here. It's better to be safe than sorry!
• When posting logs, please ensure Wordwrap is turned off in Notepad (to check, open Notepad in the menubar click on Format and make sure that Word Wrap is unchecked)
• Please follow the steps exactly in the same order posted. If you can't perform a certain step, or you're unsure on what to do, please stop and let me know.
• NEVER fix anything in HijackThis or other programs on your own! This can be very dangerous and cause harm to your system. If you see a certain entry or program you're unsure about, please don't hesitate to ask!
• Make sure you reply to this thread using the Add Reply button:

Please read my posts completely before following the instructions.
It may be easier for you if you copy and paste a post to a new text document or print it for reference later.
This is required when you won't have access to Internet.


Sure you've come to the right place


Please follow the directions in this guide.
If a step can't be performed continue with the next one and post the logs from MalwareBytes AntiMalware , OTL (OTL.txt and Extras) and the log from GMER.

Hello, and thank you for your help. First of all, I checked my control panel in this forum, and I see that this topic is listed under Virus, Spyware and Trojan Removal. Do I need to repost it over in Malware Removal and Spyware Removal?

Another question before I do anything else. Since I just repaired XP, do I need to try to do anything like a Windows Update? I don't even know if I'd be able to do that if I tried. I saw on the XP Repair instructions that you should immediately enable windows firewall, but every time I tried to go to "run" to type in "Fireweall.cpl" I couldn't even get that far, because error messages kept popping up on my desktop, and my computer was constantly freezing up. I haven't been able to properly log off either--I can never get it to open the shut-down option from the start menu, and ctrl-alt-delete doesn't work either. Also, just for your info, when I did the windows XP repair, after the 2nd reboot, it went to a black screen with the XP logo and "please wait" under that with an hourglass. I waited over an hour. I repaired it again early this morning and left for school with the "please wait" screen there, and I came back now 4 hours later and it's still like that. I'm guessing I have to just turn it off at this point? I don't have a reset button--it's a Dell Inspiron 1501. I can't imagine it's still working on the repair.

Thank you so much!

Maggie

That was a lot of questions/comments. Let's try sort them out.

Hello, and thank you for your help. First of all, I checked my control panel in this forum, and I see that this topic is listed under Virus, Spyware and Trojan Removal. Do I need to repost it over in Malware Removal and Spyware Removal?

No, the forum has been renamed to Virus, Spyware and Trojan Removal.

Another question before I do anything else. Since I just repaired XP, do I need to try to do anything like a Windows Update?

No never do a windows update on an infected machine. It needs to be cleaned first.

I saw on the XP Repair instructions that you should immediately enable windows firewall, but every time I tried to go to "run" to type in "Fireweall.cpl" I couldn't even get that far, because error messages kept popping up on my desktop, and my computer was constantly freezing up.

We'll take care of that later.

I haven't been able to properly log off either--I can never get it to open the shut-down option from the start menu, and ctrl-alt-delete doesn't work either.

I'll let you now when it's necessary to turn it off or reboot. Else leave the computer on.

Also, just for your info, when I did the windows XP repair, after the 2nd reboot, it went to a black screen with the XP logo and "please wait" under that with an hourglass. I waited over an hour. I repaired it again early this morning and left for school with the "please wait" screen there, and I came back now 4 hours later and it's still like that.

How many times have you repaired /tried to repair Windows?

I'm guessing I have to just turn it off at this point? I don't have a reset button--it's a Dell Inspiron 1501. I can't imagine it's still working on the repair.

Don't know as your description on what has happened.

Can you please describe in steps what you have done and separate them and end with you current status of the computer?



If you are able to boot and login as normal please follow the guide I directed you to in my first post and post the logs from MalwareBytes AntiMalware, OTL (OTL.txt and Extras.txt) and GMER. In total it should be four logs. It's essential that I get these logs to be able to see whats going on with the computer.

If any step should fail please continue with the next step.
If you for some reason can't advance further in the guide please post here and let me know and we'll sort it out from there.

Also, just for your info, when I did the windows XP repair, after the 2nd reboot, it went to a black screen with the XP logo and "please wait" under that with an hourglass. I waited over an hour. I repaired it again early this morning and left for school with the "please wait" screen there, and I came back now 4 hours later and it's still like that.

How many times have you repaired /tried to repair Windows?

I've gone through the process twice. Both times, it was because I couldn't get past the login. It was on a continuous loop of logging on and off. I couldn't start safe mode or do anything to get in there to attempt any of the scans or repair steps.

I'm guessing I have to just turn it off at this point? I don't have a reset button--it's a Dell Inspiron 1501. I can't imagine it's still working on the repair.

Don't know as your description on what has happened.

Can you please describe in steps what you have done and separate them and end with you current status of the computer?

First, I have PC Cillin that came with my computer, and it suddenly alerted me to a bunch of viruses all at once, and a few seconds later, I got BSOD. I turned it back on, got a system message saying I had Worm.win32.netsky. I updated my antivirus software and did a full virus/spyware scan, and it showed nothing. This whole time I was getting popups for Antivirus Plus and Internet Security 2010, so I knew I was infected.

I loaded a toolbar from my ISP (Comcast) which had a spyware scanning feature. I started running that, and I saw that it had found a few low-risk cookies, and I let it keep running while I was doing some other things. I'm not sure if it finished scanning, because when I came back to the computer several minutes later, the screen was black, like in sleep/hibernation mode. I couldn't get it to "wake up" by touching the mouse, or quicky hitting the power button, like I usually can, so I just turned it off and back on.

I clicked on my user name like usual, and that's when it started to log me in and log me back off in a continuous loop, and I still couldn't log in in safe mode without getting a blue screen. At that point I did the XP repair (which is the first time I ever done that). It seemed to be successful, but at the very end, when it rebooted itself, it looked like it was logging back in as usual, and then I saw a black screen with the windows XP log. It said "please wait" underneath that and had an hourglass. I had posted a question on the XP forum to see if I should just let it run indefinitely, and I only got one answer speculating that it didn't sound right. After about 90 minutes, I just turned it off and back on.

When I turned it back on, I was able to log in, and I wanted to start to follow the steps in the Malware/Spyware cleaning guide, but I wasn't able to open any browsers, and I was still getting all of the popups and error messages. I waited about 2 hours to see if I could get into a browser, but I finally gave up and turned it off.

This time I rebooted in safe mode, and since I couldn't do anything when I was not in safe mode, I tried to run TFC. It seemed to run fine. It ran for several minutes and finally finished, but it didn't automatically reboot. I waited a long time to see if it would reboot and then rebooted it myself. I didn't reboot back into safe mode. Maybe I should have. I got a blue screen saying it was beginning a dump of physical memory, and I turned it off, because I didn't know what else to do.

After that, I tried to log back on in safe mode, and it did the same thing. Then I tried to turn it on again, and it was in another loop of starting up and shutting down again. It was a bit different from the first time. I never got as far as being able to click my user name. It just looked like it was turning on and off by itself.

That was the point that I decided to run the repair again. I figured I'd give it one more shot before doing a fresh install. I think the repair went as before. It went through all of the steps as expected, and then it rebooted, and now I have the black screen with the Windows XP Logo, it says "please wait" under that and there is an hourglass. It's been like that for several hours. I am not going to do anything else without instruction.

Sorry that was so long. I figured it was best to give as much detail as possible.

If you are able to boot and login as normal please follow the guide I directed you to in my first post and post the logs from MalwareBytes AntiMalware, OTL (OTL.txt and Extras.txt) and GMER. In total it should be four logs. It's essential that I get these logs to be able to see whats going on with the computer.

If any step should fail please continue with the next step.
If you for some reason can't advance further in the guide please post here and let me know and we'll sort it out from there.

Since I'm stuck in that "please wait" screen should I manually turn off the computer, turn it on again and attempt the Malware Spyware Cleaning Guide now?

Thanks for your informative answers.

Yes please force a reboot and follow the malware cleaning guide.

Thanks for your informative answers.

Yes please force a reboot and follow the malware cleaning guide.

OK, thanks. Should I try first in normal mode or go to safe mode?

Unless instructed else, always run tools in normal mode.

OK, I did the hard reboot, and just as the screen came up to select my user name, I got the following error:

winlogon.exe - Application error
The instruction at "0x00083256" referenced memory at "0x00083256". The memory could not be "written".

Click on OK to terminate the program
Click on CANCEL to debug the program

OK button and Cancel buttons under that.

Then another error popped up...it doesn't say anything at the top, but inside the box it says: The requested lookup key was not found in any active activation context.

Then there is an OK button under that.

Click on OK on the second and Cancel on the first and let me know what happens.

OK, the 2nd box had already gone away on its own. I clicked cancel on the first one, and the computer restarted. When it came back to the log-in screen, no error messages popped up. I clicked on my user name, it started loading my settings and eventually got this error message:

msfeedssync.exe - Application Error
The instruction at "0x77d4bbcd" referenced memory at "0x00000048". The memory could not be "read".

Click on OK to terminate the program
Click on CANCEL to debug the program

Cancel.

I did that, and now it's been loading my personal settings for almost 10 minutes. There is no hourglass.

Do a manual restart and try to login to Safemode.

Let me know if you can login.

I have 3 safe mode options.
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

I usually choose Safe Mode with Networking. Is that what I should do here?