Win32.Netsky.Q issue?



#1 Drei
I praise myself for not getting any viruses and having my machines clean for the past 10 years or so (I see myself as an IT geek :) but viruses and technology are advancing faster than I can keep up with)... until yesterday. This is my 2nd virus; the first one was back in 1996 :)

As I was browsing the Net, I can only assume a website must have installed something without my consent, and I got the system warning about Win32.Netsky.Q, same as the photo. I obviously didn't think and clicked "protect"... I can only assume this was the virus in disguise. Straight away SpyBot told me a new registry entry was trying to get added, something to do with "windpipe". Of course I clicked decline, and AVG told me something about Netsky being found and cleaned it, but an MSN popup box appeared asking me to log into MSN. I kept cancelling, and about 10 seconds later my system shut down. I got a warning from Word stating that I had to save my file, which I didn't... and lost my work, but never mind that.

On reboot I was warned by SpyBot that this program was trying to access my registry. The culprit was in a folder called Google inside my Documents and Settings under Application Data. I used Unlocker to delete the files, as they were in use, and thought that was that, since the Google folder was now gone... but no: upon reboot I was asked again about a registry edit with "windpipe", so of course I declined, looked into the registry and deleted the record. Also, as soon as I connect to the Net I get the MSN login popup. The system decided to shut down... This seemed to me like the Google folder was never deleted. As I couldn't see it, I decided to take the HDD out, stick it into my other PC and have a look. I did that, backed up some of the files in Application Data which I needed and deleted the folder; at this point I got an error about deleting it, so instead I just renamed it TODELETE. I scanned the whole HDD using Windows Defender, AVG... but nothing, all files looked OK.

HDD back into the old system, boot up, no more warnings, so I decided to do a scan with SpyBot. Got a warning about some registry stuff and, not long after, system shutdown :( I rebooted and decided to delete the TODELETE folder, got an error doing so, and again I used Unlocker to delete it, and it did (maybe I should have stopped using Unlocker). So now that folder is gone... I even used the SpyBot shredder.

Now you might ask me why I didn't go into Safe Mode. Well, it seems I cannot: as soon as I get past the 2 YES questions, to load something.sys and another system file, it hangs and never goes into Safe Mode, so that's out of the question. So instead I use the Windows minimal boot option; I assumed it was close to Safe Mode. I started doing a scan with MBAM and all seemed OK, but system shutdown again... So now every time I do a scan using any software the system will simply shut down, NOT reboot, shut down. Time-wise it seems to be random... or it could be as soon as the scanner gets to that specific file... It also happened while doing a registry search less than 2 minutes after reboot, whilst scanning with MBAM it took about 20 minutes before it shut down... seems all random to me.

Maybe the virus is gone but something was left behind to trigger this shutdown? Anyone know where such a command would be found? Can it be a rootkit hiding the program? Is Netsky associated with shutdowns, or is this another virus?

Any help is much appreciated...

Attached thumbnail: windows2.jpg



#2 Drei (topic starter)
Just gonna bump this up so a guru can tell me what to do next :)

One thing is for sure, I wish I knew anyone that makes viruses like these; I would beat the crap out of them, as this is pure crime. They might as well get out in the streets and cause harm to others, it is the exact same thing but virtually. Bunch of no-life losers... (sorry if this offends anyone, but you gotta be very sad to hide behind a PC and cause so much grief to others, time wasting and data loss, since it is probably faster for me to format my HDD and install Windows)

Edited by Drei, 16 December 2008 - 06:16 AM.


#3 Drei (topic starter)
I think I found someone that has the same issue:

I have some stupid "Win32.NetSky.Q" pop-up. I know that NetSky.Q is not actually the problem; the malware is using that dated trojan as a cover-up. The malware puts up pop-ups that look like your traditional Windows Firewall settings and suggests "enable protection" for "NetSky.Q".

I have used RogueRemover and Ad-Aware in safe mode and they both claimed to remove it, but the pop-up still occurs. I removed any suspicious entries in msconfig and also did a full registry clean with CCleaner and Eusing Reg Cleaner....

The hardest part about this thing is that it won't allow you to end processes, or it will use the auto-shutdown feature. Also, it will not allow you to load Spybot or go to any anti-virus website.


from: http://www.alienware...ead.php?p=38346

So it has been somehow removed, yet the auto-shutdown trigger is still somehow used, so I need to check what causes that. Is there a way to disable auto-shutdown?

Edited by Drei, 16 December 2008 - 06:28 AM.


#4 Drei (topic starter)
Just bumping for a guru to have a look :)

Will run HijackThis when I get home... if I can and have enough time to do so... before the [bleep] system shuts down :(

I just want someone to have a read and give me an idea where to start; maybe they have an easy fix or have seen similar issues before.

#5 Drei (topic starter)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:43:19, on 16/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINNT\system32\CTsvcCDA.EXE
D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
D:\WINNT\system32\nvsvc32.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
D:\Program Files\UPHClean\uphclean.exe
D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\WINNT\SYSTEM32\CTXFISPI.EXE
D:\WINNT\system32\ctfmon.exe
D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
D:\WINNT\system32\wuauclt.exe
D:\WINNT\explorer.exe
D:\WINNT\system32\wscntfy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = D:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - D:\Program Files\GetRight\xx2gr.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKLM\..\Run: [AudioDrvEmulator] "D:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "D:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iMON] D:\Program Files\SOUNDGRAPH\iMON\iMON.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] D:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe resetprofile
O4 - HKCU\..\Run: [Creative Detector] "D:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] D:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O8 - Extra context menu item: Download with GetRight - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - D:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Send To &Bluetooth - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - D:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} -
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1208554172546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1214987734312
O20 - AppInit_DLLs: ice_time.dll
O20 - Winlogon Notify: vtutr - D:\WINNT\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - D:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - D:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - D:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - D:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - D:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - D:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 6735 bytes
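The two O20 lines in the log above are the ones a practitioner would triage first. AppInit_DLLs is empty on a clean Windows XP install, and any DLL listed there (here ice_time.dll) is loaded into every process that loads user32.dll. Winlogon Notify packages are DLLs that winlogon.exe loads at logon and runs as SYSTEM, and the "vtutr" entry points at a bare D:\WINNT\ with no DLL file name, which is not how a legitimate notify package is registered. The O2/O3 entries ending in "(no file)" are orphaned registrations whose DLL has already been removed. As an added example (not part of the original thread and not HijackThis's own code), here is a small Python script that parses HijackThis-style lines and flags those entry types. The embedded sample is a subset of the posted log; the severity labels and reason strings are my own choices, not anything HijackThis reports.

```python
import re
from dataclasses import dataclass
from typing import List

# Subset of the HijackThis log posted above (post #5), embedded so the script
# runs offline. Raw string so the Windows paths keep their backslashes.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O3 - Toolbar: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} -
O20 - AppInit_DLLs: ice_time.dll
O20 - Winlogon Notify: vtutr - D:\WINNT\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\system32\nvsvc32.exe
"""

# "O20 - AppInit_DLLs: ice_time.dll" -> section "O20", body "AppInit_DLLs: ice_time.dll".
# Process-list lines, the header and "End of file" do not match and are skipped.
LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


@dataclass
class Finding:
    severity: str   # "high" or "review" (labels are mine, not HijackThis's)
    line: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Flag the HijackThis entry types that deserve a first look."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:   # empty on a clean XP box; anything here is injected into every user32 process
                findings.append(Finding("high", line,
                    "AppInit_DLLs is non-empty: %s is loaded into every process that loads user32.dll" % value))

        elif section == "O20" and body.startswith("Winlogon Notify:"):
            name, _, path = body[len("Winlogon Notify:"):].partition(" - ")
            path = path.strip()
            detail = "path has no DLL file name" if path.endswith("\\") else "path " + path
            findings.append(Finding("high", line,
                "Winlogon Notify package %r is loaded by winlogon.exe as SYSTEM at logon (%s)" % (name.strip(), detail)))

        elif section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding("review", line,
                "BHO/toolbar CLSID is registered but its DLL is gone (orphan, usually left by an incomplete removal)"))

        elif section == "O16" and body.endswith(" -"):
            findings.append(Finding("review", line,
                "Downloaded Program Files control with no name or source URL recorded"))

    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {"high": 2, "review": 3} for the sample."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n        %s" % (f.severity.upper(), f.line, f.reason))
```

Run against the full posted log, the script flags exactly the same five lines: the two O20 entries as high, and the orphaned BHO, toolbar and DPF registrations for review. Everything else in the log (the O4 Run entries, the O23 services, the R0/R1 IE defaults) is left alone, because each of those points at a named vendor binary or a Microsoft default and is not what the filter is looking for.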

#6 Drei (topic starter)
bump

#7 Drei (topic starter)
Since no one seemed to help, I decided it was a lot easier to just format the hard drive and reinstall Windows. The PC works perfectly now... much faster than waiting around for an answer :):) Wasted a whole day on the virus issue anyhow. Reinstalling took a few hours.

I would still like to know if you can tell anything from the log, since it might be avoidable in the future.