Started as worm.netsky

#1 OMG_nic (New Member)
Hi

I am here out of sheer desperation. I have been working on my father-in-law's laptop for the past 2.5 days and I am now officially over it. :)

I have been following a few of your links and recommendations but to no avail. I am hoping that you may be able to point me in the right direction and finally fix this for me.

So far the below is what has been carried out:

Computer boots with an error message stating that worm.netsky32(blah blah) has been detected.

1. F-I-L (father-in-law) carried out a virus scan with clamwin. Found 2,500 affected files. Restarted machine, ran the scan again hoping that the files were removed = alas no, then restarted and got an error
<A problem is preventing windows from accurately checking the license for this computer. Error code 0x80090006. [OK]>

Click [OK]

Goes to desktop with no icons, no start bar, nadda...

2. I removed the hard drive and have placed it into an external casing and have run an AVG virus scan. Found 3000 files affected. Removed all files. Tried to restart - got the same error message <A problem is preventing windows from accurately checking the license for this computer. Error code 0x80090006. [OK]> and desktop location.

3. Located your OTL scan\fix

Ran this with pasting a few different recommendations from you (an old hacker at heart thought I could fix this myself but to no avail)

At least I can now get to the hard drive and view it as c:\

4. Ran Symantec netsky fix file only to be told that no netsky virus was found. {okie dokie}

5. Then consulted your Malware and Spyware Cleaning Guide and followed the instructions.

Ran Smitfraudfix - loaded it - a flash on the screen then nothing

Ran MBAM - tried to load but get an access is denied error message as it is trying to look to x:\i386\system32\drivers\mbamswissarmy.sys {even though I pointed it to run to c:\ ???} then got <An error occurred. Please report the following error code to the Malwarebytes anti-malware support team. Error code: 723 (2, 0) The system can not find the file specified.>

Ran Gmer - log available below

Ran OTL - logs available below

Logs are as follows:

Gmer:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-02-17 14:30:55
Windows 5.1.2600
Running: gmer.exe; Driver: B:\uwtdrpoc.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:144] F6D39178
Thread System [4:148] F6C6D096

---- EOF - GMER 1.0.15 ----


=================================

OTL:

Error: Unable to interpret <netsvcs> in the current context!
Error: Unable to interpret <%SYSTEMDRIVE%\*.exe> in the current context!
Error: Unable to interpret </md5start> in the current context!
Error: Unable to interpret <eventlog.dll> in the current context!
Error: Unable to interpret <scecli.dll> in the current context!
Error: Unable to interpret <netlogon.dll> in the current context!
Error: Unable to interpret <cngaudit.dll> in the current context!
Error: Unable to interpret <sceclt.dll> in the current context!
Error: Unable to interpret <ntelogon.dll> in the current context!
Error: Unable to interpret <logevent.dll> in the current context!
Error: Unable to interpret <iaStor.sys> in the current context!
Error: Unable to interpret <nvstor.sys> in the current context!
Error: Unable to interpret <atapi.sys> in the current context!
Error: Unable to interpret <IdeChnDr.sys> in the current context!
Error: Unable to interpret <viasraid.sys> in the current context!
Error: Unable to interpret <AGP440.sys> in the current context!
Error: Unable to interpret <vaxscsi.sys> in the current context!
Error: Unable to interpret <nvatabus.sys> in the current context!
Error: Unable to interpret <viamraid.sys> in the current context!
Error: Unable to interpret <nvata.sys> in the current context!
Error: Unable to interpret <nvgts.sys> in the current context!
Error: Unable to interpret <iastorv.sys> in the current context!
Error: Unable to interpret <ViPrt.sys> in the current context!
Error: Unable to interpret <eNetHook.dll> in the current context!
Error: Unable to interpret <ahcix86.sys> in the current context!
Error: Unable to interpret <KR10N.sys> in the current context!
Error: Unable to interpret <nvstor32.sys> in the current context!
Error: Unable to interpret <ahcix86s.sys> in the current context!
Error: Unable to interpret <nvrd32.sys > in the current context!
Error: Unable to interpret <symmpi.sys> in the current context!
Error: Unable to interpret <adp3132.sys> in the current context!
Error: Unable to interpret <mv61xx.sys> in the current context!
Error: Unable to interpret </md5stop> in the current context!
Error: Unable to interpret <%systemroot%\*. /mp /s> in the current context!
Error: Unable to interpret <CREATERESTOREPOINT> in the current context!
Error: Unable to interpret <%systemroot%\system32\*.dll /lockedfiles> in the current context!
Error: Unable to interpret <%systemroot%\Tasks\*.job /lockedfiles> in the current context!
Error: Unable to interpret <%systemroot%\system32\drivers\*.sys /lockedfiles> in the current context!
Error: Unable to interpret <%systemroot%\System32\config\*.sav > in the current context!

OTLPE by OldTimer - Version 3.1.29.0 log created on 02172010_140857

Any help you can offer is sooooooo greatly appreciated.

Thanks in advance.

Cheers

Nic

#2 RKinner (Malware Expert, MVP)
The Microsoft thing you might have been able to fix with one of these:

Method 1: Rename the Wpa.dbl file and the Wpa.bak file
If you want to force activation in Windows XP again, rename the Wpa.dbl file and the Wpa.bak file.
Method 2: Rename the Wpa.bak file
Consider the following scenario. You receive an error code that states that you must start Windows XP. However, you cannot start Windows XP. In this scenario you must rename the Wpa.dbl file to invalidate the Wpa.dbl file name. For example, change the name of the Wpa.dbl file to Wpa.dblinvalid. Then, change the name of the Wpa.bak file to Wpa.dbl.
Method 3: Restore the system
Restore the Windows XP-based computer from a restore point by using the system recovery options. For more information about how to restore the system, visit the following Microsoft Web site:
http://technet.micro...y/bb457025.aspx
Method 4: Perform an in-place upgrade
Perform an in-place upgrade on the system. For more information about performing an in-place upgrade, click the following article number to view the article in the Microsoft Knowledge Base:
315341 (http://support.micro....com/kb/315341/) How to perform an in-place upgrade (reinstallation) of Windows XP

It appears that the system is now so messed up that nothing is really working right. When you say you can get to C:\ are you starting in Safe Mode - Command Prompt or perhaps in Recovery Console?

None of our tools will work in either mode so it's not surprising that your logs are garbage.

I assume you do not have an XP disk? What brand of PC is this? Perhaps it has the option to restore to factory specs?

You can try to get PC Regedit from the link on the lower half of this page:
http://www.raymond.c...ing-in-windows/

The page explains how to use it to fix a no logon condition. In your case netsky usually messes winlogon too but if userinit looks normal then check the value of shell which should be explorer.exe.

From a recent post we can see these Netsky infection points in an OTL log:

O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL (Microsoft)
O4 - HKLM..\Run: [tqammy] C:\WINDOWS\System32\msaouahn.DLL (USA)

O4 - HKLM..\Run: [vodifatun] C:\WINDOWS\System32\guyewijo.DLL ()
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe (cLAeVTkp)

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

O4 - HKCU..\Run: [notepad] C:\Documents and Settings\Administrator\ntload.dll (Microsoft)

(HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run )

O20 - AppInit_DLLs: (yebesuna.dll) - C:\WINDOWS\System32\yebesuna.dll ()
O20 - AppInit_DLLs: (c:\windows\system32\guyewijo.dll) - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\winlogon86.exe) - C:\WINDOWS\system32\winlogon86.exe (cLAeVTkp) <== This is the usual cause of a no logon. The file winlogon86.exe has been removed but the bad entry remains, so Windows tries to run a non-existent file to log you on and nothing happens. Should be C:\WINDOWS\system32\userinit.exe,

(HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon)

O21 - SSODL: luvehihoy - {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad )

O22 - SharedTaskScheduler: {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - kupuhivus - C:\WINDOWS\system32\guyewijo.dll ()

(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler)

O32 - AutoRun File - [2009/12/21 11:30:12 | 00,034,308 | -H-- | M] () - E:\autorun.exe -- [ FAT32 ]

(possible infected file on USB drive or external drive)


NetSvcs: BtwSrv - C:\WINDOWS\system32\BtwSrv.dll (FTD2XX Software Technology)
NetSvcs: Iprip - C:\WINDOWS\system32\Ipripv32.dll ()

These last two will mess up your internet. See:

http://www.threatexp...74451a9e6c0b5ef

http://www.quickheal....Agent2.kuz.asp

If in doubt compare to a working system.

Most of these are pretty old so may not remove anything but they may point to something. You can also use the Kaspersky one to rescue data.
http://www.askvg.com...ure-and-others/

If you google for Kaspersky rescue disk 2010 you may find one that is up to date enough to work. Can't vouch for them tho.

Ron
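The checks Ron describes above (Winlogon Shell/UserInit must be explorer.exe and userinit.exe, AppInit_DLLs should be empty, Run/SSODL/SharedTaskScheduler entries loading unidentified DLLs, and "if in doubt compare to a working system") can be applied mechanically to an OTL log. The following Python script is an added example written for this thread; it is not Ron's code and not part of OTL. Its line patterns are derived only from the OTL lines quoted in the post, the sample log is built from those same lines, and the clean-machine Run baseline is a constructed placeholder that you would replace with the entries from a known-good XP box.

```python
import re

# Clean Windows XP Winlogon values, as stated in the post: Shell must be
# explorer.exe and UserInit must be C:\WINDOWS\system32\userinit.exe.
EXPECTED_WINLOGON = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}

# Constructed placeholder for "compare to a working system": (hive, value name)
# pairs of Run entries captured from a known-good machine.
CLEAN_RUN_BASELINE = {("HKLM", "SoundMAX"), ("HKLM", "SynTPEnh")}

# Line patterns modelled on the OTL lines quoted in the post (assumption: OTL
# keeps this layout for the O4/O20/O21/O22 sections).
RE_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?) \((?P<vendor>[^)]*)\)$")
RE_WINLOGON = re.compile(
    r"^O20 - HKLM Winlogon: (?P<key>Shell|UserInit) - \((?P<value>[^)]*)\)")
RE_APPINIT = re.compile(
    r"^O20 - AppInit_DLLs: \((?P<value>[^)]*)\) - (?P<path>.+?) \((?P<vendor>[^)]*)\)$")
RE_SHELLOBJ = re.compile(
    r"^O2[12] - (?P<kind>SSODL|SharedTaskScheduler): .+ - (?P<path>[^ ]+) \((?P<vendor>[^)]*)\)$")

# Constructed sample: the infection points quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [notepad] C:\WINDOWS\System32\notepad.DLL (Microsoft)
O4 - HKLM..\Run: [winupdate86.exe] C:\WINDOWS\system32\winupdate86.exe (cLAeVTkp)
O4 - HKCU..\Run: [notepad] C:\Documents and Settings\Administrator\ntload.dll (Microsoft)
O20 - AppInit_DLLs: (yebesuna.dll) - C:\WINDOWS\System32\yebesuna.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\winlogon86.exe) - C:\WINDOWS\system32\winlogon86.exe (cLAeVTkp)
O21 - SSODL: luvehihoy - {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - C:\WINDOWS\system32\guyewijo.dll ()
O22 - SharedTaskScheduler: {5fb9c357-8436-4f7d-b86f-4c3d6ef35eec} - kupuhivus - C:\WINDOWS\system32\guyewijo.dll ()
"""


def analyze_otl(log_text, run_baseline=None):
    """Return a list of (log line, reason) findings for the OTL sections
    discussed in the post.  run_baseline, when given, is the set of
    (hive, name) Run entries seen on a clean machine."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RE_WINLOGON.match(line)
        if m:
            key = m.group("key").lower()
            # OTL shows the clean UserInit value with a trailing comma.
            value = m.group("value").strip().rstrip(",").lower()
            if value != EXPECTED_WINLOGON[key]:
                findings.append((line, "Winlogon %s is '%s', expected '%s'" % (
                    m.group("key"), m.group("value"), EXPECTED_WINLOGON[key])))
            continue

        m = RE_APPINIT.match(line)
        if m:
            # AppInit_DLLs is normally empty; anything listed is injected into
            # every process that loads user32.dll.
            findings.append((line, "AppInit_DLLs entry present: " + m.group("value")))
            continue

        m = RE_RUN.match(line)
        if m:
            if m.group("path").lower().endswith(".dll"):
                findings.append((line, "Run entry points at a DLL, not an executable"))
            elif run_baseline is not None and (m.group("hive"), m.group("name")) not in run_baseline:
                findings.append((line, "Run entry not present on the clean reference system"))
            elif not m.group("vendor").strip():
                findings.append((line, "Run entry has no company name in its version info"))
            continue

        m = RE_SHELLOBJ.match(line)
        if m and not m.group("vendor").strip():
            findings.append((line, m.group("kind") + " loads a DLL with no company name into explorer.exe"))
    return findings


if __name__ == "__main__":
    for line, reason in analyze_otl(SAMPLE_LOG, CLEAN_RUN_BASELINE):
        print("FLAG:", reason)
        print("      ", line)
```

Without a baseline the script flags six of the eight sample lines; the winupdate86.exe Run entry is only caught by the baseline comparison, since a random-looking company string such as "(cLAeVTkp)" is something a human notices rather than something the structural checks prove. The Shell line passes because Explorer.exe matches the expected value case-insensitively.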

#3 OMG_nic (Topic Starter)
Hi Ron

Thanks for all of your advice. I shall start working my way through your suggestions.

Cheers

Nic