July 9, 2008 08:56am pdt

1. rpggamer... 67,716
2. IndiGenus 44,200
3. briancassin 13,000
4. younghv 11,000
5. michko 6,432
6. moh10ly 6,406
7. johnb6767 5,530
8. phototropic 5,500
9. debuggerau 5,150
10. orangutang 4,500
11. war1 4,100
12. Richard_... 3,500
13. and235100 3,400
14. goban 2,600
14. -Mystique- 2,600

1. rpggamer... 103,753
2. IndiGenus 59,515
3. michko 36,302
4. younghv 32,688
5. Sheharya... 23,825
6. phototropic 23,010
7. war1 18,030
8. johnb6767 17,050
9. r-k 15,899
10. briancassin 13,000
11. orangutang 8,500
12. moh10ly 8,307
13. rindi 7,598
14. and235100 7,350
15. jvuz 6,632

04.03.2008 at 06:02PM PDT, ID: 23294766

	[x] Attachment Details

[x]

The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

The Grade of the Solution
The Zone Rank of the Expert Providing the Solution
The Number of Author and Expert Comments
The Number of Experts Contributing
The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!

9.1

How do I get riid of worm.win32.netbooster?

Zones: Desktop Anti-Virus, Spyware / Ad Blockers, Anti-Virus

Tags: worm.win32.netbooster

I am running Win 2000 on an IBM Computer. I have tried Norton, AdAware and others. Computer freezes while running the scan. Worm has also put 3 icons on desktop; error cleaner, privacy protector and one other which links to a website. Various popups, some I believe are from my system, others are from the worm telling me that my system has been infected with worm.win32.netbooster and to click to resolve. Tried to do restore from a previous date, but it doesn't work. Sometimes I can access the internet with this system and sometimes it freezes. I have access to another computer which I am using to post this message.
Please let me know what else I need to provide.
Thanks!
Cathy

Start your free trial to view this solution

Question Stats

Zone: Virus & Spyware

Question Asked By: cathycat04

Solution Provided By: rpggamergirl

Participating Experts: 2

Solution Grade: A

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

04.03.2008 at 06:08PM PDT, ID: 21278332

Rank: Guru

IndiGenus:

Certainly sounds like Smitfruad...

Download SmitfraudFix (by S!Ri) to your Desktop.

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

Reboot your computer in Safe Mode.

If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.
Login on your usual account.

Double-click SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. Upload the log that is produced at the end of the fix by selecting Attach File and copying it into that window. Also do that with a HijackThis log so we can see what else might be going on.

http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

Click on "Do a system scan and save a log file" button. Post the text from the log.

Assisted Solution

04.03.2008 at 07:55PM PDT, ID: 21278759

cathycat04:

I have not received an error since following the steps you gave me. Here are the log files. Please let me know if I need to do anything else to clean up my system.

rapport.txt (2 KB) (File Type Details)

Smitfraud Fix log file

hijackthis.log (9 KB) (File Type Details)

HiJackThis Log

04.03.2008 at 11:39PM PDT, ID: 21279448

Rank: Guru

rpggamergirl:

Somehow I think SDFix able to remove those 021 entries as well, where smitfraudfix left out.

In addition, Checkmark these entries in hijackthis and click 'Fix Checked" while all browsers and other windows are closed except hijackthis.
O4 - HKLM\..\Policies\Explorer\Run: [1AQmotiz1E] C:\Documents and Settings\All Users\Application Data\jgzwnazo\bwhilezm.exe
O4 - HKCU\..\Run: [iylvtmki] C:\WINDOWS\system32\zutqfezq.exe
O21 - SSODL: UnknownRunOnce - {523bb73a-f9ba-4713-96e1-d47df272dd3d} - C:\WINDOWS\Installer\{523bb73a-f9ba-4713-96e1-d47df272dd3d}\UnknownRunOnce.dll (file missing)
O21 - SSODL: zip - {40e57369-e01e-4d48-b4a1-0549824c5b7f} - C:\WINDOWS\Installer\{40e57369-e01e-4d48-b4a1-0549824c5b7f}\zip.dll (file missing)

C:\Documents and Settings\All Users\Application Data\jgzwnazo <-- this folder is very suspicious, if you did not create this one, then I'd suggest deleting it. Application Data is a hidden folder so you need to "Show hidden files and folders", and "Show operating system files" first.

C:\WINDOWS\system32\zutqfezq.exe <-- delete this file as well

Assisted Solution

04.04.2008 at 06:57PM PDT, ID: 21286848

cathycat04:

I am still getting an error in AdAware that says Malware with a level 3 and it won't let me delete or quarantine it. Other than that I have not received any popups. It scans clean with norton Attached are my two logs, if you could take one more look I would appreciate it.

Thansk

report.txt (4 KB) (File Type Details)

after SDFix

hijackthis.log (8 KB) (File Type Details)

log file

04.04.2008 at 07:56PM PDT, ID: 21286954

Rank: Guru

rpggamergirl:

Does Ad-Aware give you the path to the malware it is flagging?
If so, can you post it here please.

You might need to run combofix, not sure if the below file is still there or not.
C:\WINDOWS\system32\zutqfezq.exe

Assisted Solution

04.06.2008 at 11:24AM PDT, ID: 21292643

cathycat04:

I followed your recommendation the other day and I use hijackthis to to delete C:\WINDOWS\system32\zutqfezq.exe. I just checked in that directory and I do not see the file.

Ad-Aware still showing a Malware, but won't let me remove it, (it does nothing when I click on remove button). Below is what is says in the log file. I have also attached the log file in case you wanted to see it.

Family Id: 541 Name: Possible Browser Hijack attempt Category: Malware TAI:3
Item Id: 800000143 Value: Browser: Internet Explorer Search Page URL: http://www.infospace.com/info.cablev.toolbar/dog/forms/search.htm

btw I also have Webroot SpySweeper running on this computer (it is a work computer) and it does not find anything when it scans.
Thanks again for any advise you can offer.

ADAWARE.log (266 bytes) (File Type Details)

Adaware log

hijackthis2.log (8 KB) (File Type Details)

today's hijack this log

04.06.2008 at 11:45AM PDT, ID: 21292712

cathycat04:

The previous adaware log showed nothing. Attached is one that I copied and pasted from the program. In looking further into Ad-Aware it seems that it does quarantine the threat and I am able to delete it, but whenever I run the scan it finds it again.

ADAWARE.log (81 KB) (File Type Details)

better ad-aware log

adaware-screen-shot.doc (135 KB) (File Type Details)

screen shot from ad aware

04.07.2008 at 04:44AM PDT, ID: 21295870

Rank: Guru

rpggamergirl:

thanks for the logs.

It seems what Ad=Aware is flagging is the R1 entry.
Adware.Dogpile Adware.Dogpile monitors user's search habits via its toolbar and sends these information to infospace.com for statistics collection. These statistics can then be used by marketing companies for online marketing purposes.

Please fix these entries in Hijackthis, while all windows are closed except hijackthis click "Fix Checked" button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.infospace.com/info.cablev.toolbar/dog/forms/search.htm
O3 - Toolbar: Optimum Online Toolbar - {720B3C59-7EDE-44d1-AD9C-71106A7550AF} - C:\Program Files\OptimumOnline\insptbar.dll
O8 - Extra context menu item: Optimum Online Cursor Search - C:\Documents and Settings\All Users\Application Data\Infospace\OptimumOnline\contextsearch.htm

Fixing the above entries will not remove the toolbar nor the relevant files and folder, hijackthis will only remove the registry entries.

You may uninstall OptimumOnline toolbar via add/remove programs list, and delete their folders;
C:\Documents and Settings\All Users\Application Data\Infospace
C:\Program Files\OptimumOnline

Accepted Solution

04.07.2008 at 06:23AM PDT, ID: 21296587

cathycat04:

Thank you for all your help, I really appreciate your expertise.
Take care
Cathy

20080236-EE-VQP-29 / EE_QW_2_20070628