July 23, 2008 01:54pm pdt

1. IndiGenus 88,221
2. rpggamer... 73,795
3. war1 8,840
4. phototropic 8,225
5. Jonvee 7,350
6. briancassin 7,150
7. -Mystique- 6,500
8. younghv 6,470
9. johnb6767 6,400
10. orangutang 5,675
11. rindi 5,630
12. Admin3k 5,475
13. willcomp 4,600
14. r-k 4,440
15. Delphineous 3,752

1. rpggamer... 120,396
2. IndiGenus 109,646
3. war1 25,640
4. younghv 13,034
5. Sheharya... 13,014
6. r-k 12,874
7. phototropic 12,300
8. rindi 10,242
9. johnb6767 8,825
10. orangutang 8,605
11. justchat_1 7,424
12. Jonvee 7,350
13. briancassin 7,150
14. -Mystique- 6,824
15. michko 6,392

04.10.2008 at 04:17AM PDT, ID: 23311213

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.1

How to uninstall worm.win32.netbooster/sdbot problems II

Zones: Spyware / Ad Blockers, HijackThis Software, Anti-Virus

Tags: microsoft, windows xp, home, spyware attack

Windows XP - got message about worm.win32.netbooster - the user tried to install the spyware programs so three are three on the PC already (error cleaner, privacy protector, spyware&malware protection) - have tried number of system restores to get the PC back but does not seem to be affected.
I have had this problem recently on another very similar PC, where the advice received was to run hijackthis, then sdfix to fix sdbot, and run kaspserky on-line - that did not work in this case, hence asking the question again - I suspect that even though the symptoms are similar, this PC has been infected in a different way ...
1. The 3 icons for the programs are on the desktop.
2. When running SDfix this time, the icons still remain on the desktop and the problems remain.
3. When running kaspersky on-line, there are 10 viruses detected.
4. Norton Internet Security (NIS) is installed on the machine, but does not detect any of the 10 issues - it does not appear possible to disable NIS - I would like to try and run something line AVG to detect and remove the problem
Hijack this log provided as attachment.

Attachments:

hijackthis.log (6 KB) (File Type Details)

hijack this log report

Start your free trial to view this solution

Question Stats

Zone: Software

Question Asked By: simonrobs

Solution Provided By: rpggamergirl

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
Automotive
New Net Users
New Users

Software
Digital Music
Gaming World
Home Security

Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Displays / Monitors
Handhelds / PDAs
Components
Peripherals
Laptops/Notebooks

Servers
Misc
Apple
Embedded Hardware
Networking Hardware

Storage
Desktops
New Users

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMware
Misc
Web Development

OS
CYGWIN
Voice Recognition
Virtualization
Message Queue
Quality Assurance
Security
Firewalls

MultiMedia Applications
Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals
Devices

Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
Web Computing
WebApplications
IDS
Vulnerabilities
Email Clients
File Sharing

Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Consulting
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMware

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel
Automation

Algorithms
Game
Signal Processing
Project Management
Open Source
Database

Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Web Services

Images
Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration

WebApplications
Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Web Computing

Broadband
Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Lounge
Business Travel
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles
Automotive

Community Support

Suggestions
New to EE
New Topics
CleanUp

Announcements
General
Feedback

Input
EE Bugs

04.10.2008 at 05:48AM PDT, ID: 21324120

simonrobs:

Currently running through spybot and and adaware - smitfraud detected amongst others. Kaspersky log attached

kaspersky.txt (28 KB) (Possible File Type Mismatch)

KASPERSKY ONLINE SCANNER REPORT

04.10.2008 at 08:04AM PDT, ID: 21325592

Rank: Guru

IndiGenus:

SDFix will target and remove most of what is there..

Download SDFix (by Andy Machesta) and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Open the SDFix folder and double click on RunThis.bat to start the script.
Type Y and press Enter to begin the script.
It will start cleaning your PC and then prompt you to press any key to Reboot.
Press any key to restart the PC.
Your system will take longer than normal to restart as the fixtool will be removing files.
When the desktop loads the Fixtool will complete the removal and display Finished.
Press any key to end the script and to load your desktop icons.

A text file should automatically open,
Please do not post the log into the comment window. Use "Attach File" under the comment window to post the log.

Please also upload a fresh HijackThis log.

04.11.2008 at 01:25AM PDT, ID: 21332184

Rank: Guru

rpggamergirl:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
O3 - Toolbar: vnbptxlf - {E22B6A50-4AE1-42CC-90F7-6CB1086D3A2D} - C:\WINDOWS\vnbptxlf.dll
O4 - HKCU\..\Run: [fnakirkc] C:\WINDOWS\system32\qvobgnoz.exe
O21 - SSODL: PrxWin - {dc99002e-70f2-4e9f-8b07-95826a3cf3f4} - C:\WINDOWS\Resources\PrxWin.dll
O21 - SSODL: qdnkewfa - {27B2CFD3-A0B9-4B39-BFAA-3455577CA1F3} - C:\WINDOWS\qdnkewfa.dll
O21 - SSODL: SetupRom - {837fa1ed-dfd0-460b-992c-c19e7378672b} - C:\WINDOWS\Resources\SetupRom.dll
O21 - SSODL: mgsvflkw - {93C1F7A2-D96F-46FF-8DF4-7484D606F38C} - C:\WINDOWS\mgsvflkw.dll
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

Some of the above bad entries showing in your hijackthis log should have been removed when SDFix was run.
What version of SDFix did you run? here's the latest version --> SDFix v1.169
Some viruses are in the System Restore folder which can be easily removed later on once you're done cleaning.
But a lot are still being flagged by Kaspersky, even some SDBot variants which SDFfix should've detected.

Try Combofix,
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Accepted Solution

04.11.2008 at 08:03AM PDT, ID: 21334916

simonrobs:

I have removed the entries from hijackthis as above and that got rid of the final icon on the desktop.
Spybot comes back with 47 items but can't delete anything - there's something still being a gremlin.
I will now run combofix.
Thanks

04.11.2008 at 09:25AM PDT, ID: 21335695

simonrobs:

Hi, I ran combofix - see attached log.
Rebooted and the PC feels much healthier - looking good
Ran hijackthis and have attached log.
I will run spybot again and see if (a) it finds the 47 issues still and (b) can remove them
Will then run adaware
As Kaspersky found 11 viruses, I assume that they are still there. Norton Internet Security did not find any of them and said the machine was clean. Would like to know whether I should remove Norton and install AVG and see if I can detect and remove?
Many Thanks

combofix-log.txt (12 KB) (File Type Details)

combofix log

hijackthis-2.txt (7 KB) (File Type Details)

hijackthis log

04.11.2008 at 09:45AM PDT, ID: 21335881

simonrobs:

I have just run adaware - this time 35 issues and it removed them all - great news.
Adware next and I await response on AV plan.
Many Thanks!

04.11.2008 at 07:18PM PDT, ID: 21339538

Rank: Guru

rpggamergirl:

We used to have Norton then we shift to a few others and now we just have the free Avast. Each pc users have their own preferences on AV, we used to have Kaspersky too and it was excellent as it's a very thorough scanner.
If you prefer free one, either AVG or Avast are good.

Your Hijackthis.exe is in the temp folder and it might get accidentally deleted when you clean your C:\temp folder, the backup that it creates will also be deleted. Please save Hijackthis into its own permanent folder.

Open notepad and copy/paste the text inside the lines below into it.
--------------------------------------------------------------
File::
C:\WINDOWS\system32\qvobgnoz.exe
C:\WINDOWS\system32\tnohhpee.dll_old
C:\WINDOWS\system32\eephhont.ini
C:\WINDOWS\system32\emqoasow.ini

Folder::
C:\Program Files\vidica
C:\Documents and Settings\All Users\Application Data\uzsrmtyd
--------------------------------------------------------------
Save this as CFScript in the same location as ComboFix.exe
drag CFScript.txt into ComboFix.exe

This will start ComboFix again. Follow the prompts. After reboot, (in case it asks to reboot), attach the contents of Combofix.txt in your next reply together.

Run Hijackthis and checkmark these entries let Hijackthis fix these entries below:(while all browsers and other windows are closed)
O2 - BHO: (no name) - {1BF71CDB-D4B5-48AB-B52F-D8DA7229EF0B} - C:\WINDOWS\system32\jkkKdbBQ.dll (file missing)
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\system32\aogagjoo.dll (file missing)
O2 - BHO: DVA Media - {50E8CC4E-858E-4B2E-96FD-C929138B99BB} - C:\WINDOWS\temlxopqftg.dll (file missing)
O2 - BHO: (no name) - {BE1EB109-6BE2-4272-ACCE-E9B7A3D0831D} - C:\WINDOWS\system32\cbXRJYSm.dll (file missing)
O2 - BHO: (no name) - {D66354ED-F8D6-4063-8A8D-2B953621CC19} - C:\WINDOWS\system32\nnnnMGXN.dll (file missing)
O21 - SSODL: PrxWin - {dc99002e-70f2-4e9f-8b07-95826a3cf3f4} - (no file)

04.11.2008 at 11:36PM PDT, ID: 21340069

simonrobs:

Hi,
Combofix instructions run - log attached
Hijackthis instructions run, files deleted, run again - log attached
Adaware found 250 cookies
Uninstalling Norton and will run AVG

ComboFix-Log2.txt (26 KB) (File Type Details)

ComboFix Log

hijackthis-3.txt (6 KB) (File Type Details)

HijackThis Log

rpggamergirl

04.15.2008 at 03:33AM PDT, ID: 21357388

Sorry for late reply... I assume problem is solved.
Thanks!

20080236-EE-VQP-29 / EE_QW_2_20070628