Topic: Netsky-D Problem

deno

  • Guest
Netsky-D Problem
« on: March 07, 2005, 09:14:44 PM »
Can anyone help???

Every time I do an email send & receive, the Avast on-access scanner tells me that I have Netsky-D worm. It appears that the virus is sending an email headed Re: your software and attaching a file called application.pif.

My problem is, I have performed several Avast scans, including boot time scans and there does not seem to be Netsky, or any other virus on my system!!

I have tried several stand alone virus scanners and removal tools but they all find nothing.

lee16

  • Guest
Re: Netsky-D Problem
« Reply #1 on: March 07, 2005, 09:27:10 PM »
Yep, that's exactly what 'Netsky-D' does, you can find more info on it here: http://www.sophos.com/virusinfo/analyses/w32netskyd.html

But the problem is that the virus is redistributing itself through your email :-\ . If you have been sending email to people, then I suggest you let them know not to open the email and just delete it, or it will just do the same to them.
And just so you know for the future, never ever click or open a .pif file ;), you won't like the consequences.

OK, so here's what to do, download this: http://www.sophos.com/support/cleaners/ntskygui.com

Then open it, run it, then click GO.

Then download HijackThis from here: http://members.home.nl/edeijl/download/hijackthis.exe

Then open it, click 'do a scan and create a log file', then copy and paste the log file in this thread so we can check it.

--lee

deno

  • Guest
Re: Netsky-D Problem
« Reply #2 on: March 07, 2005, 09:33:29 PM »
Thanks Lee

I have already tried ntskygui.com and it found nothing!! But I will give it another go and post the HijackThis log.


deno

  • Guest
Re: Netsky-D Problem
« Reply #3 on: March 07, 2005, 09:46:37 PM »
Hi Lee

I ran ntskygui.com again, and as before it found nothing.

Here is the log for you to have a look at.

Dene.



Logfile of HijackThis v1.99.1
Scan saved at 20:43:53, on 07/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\ircomm2k.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ARTIOSCADDB\Binn\sqlservr.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\fotowin\RTETPISv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
T:\Downloads\ntskygui.com
T:\Downloads\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: dlexpertclick Class - {A6927151-F5B4-11D4-AE7A-00D00925CF52} - C:\PROGRA~1\DLExpert\dll\iehelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Download by DLExpert (Faster) - C:\Program Files\DLExpert\get.htm
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download &All by DLExpert (Faster) - C:\Program Files\DLExpert\getall.htm
O8 - Extra context menu item: Get Flash by &Arty Flash Ripper - C:\Program Files\Softdigger\FlashRipper\IEMenu.htm
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{070537AB-61F3-4E49-B969-939FE837BD5F}: NameServer = 212.74.114.193 212.74.112.66
O17 - HKLM\System\CS1\Services\Tcpip\..\{070537AB-61F3-4E49-B969-939FE837BD5F}: NameServer = 212.74.114.193 212.74.112.66
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Virtual IR COM Port, Service Program (IrCOMM2kSvc) - Jan Kiszka - C:\WINDOWS\System32\ircomm2k.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\Program Files\Cadopia\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RTE : TAPI (RTETAPIService) - RTE Software - c:\fotowin\RTETPISv.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

lee16

  • Guest
Re: Netsky-D Problem
« Reply #4 on: March 07, 2005, 10:07:31 PM »
Hi deno,

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
o16 - dpf: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab


Hmm, this is odd: nothing in the log suggests Netsky is there at all; in fact the log is almost clean.

So all I can suggest really is to go here: http://members.home.nl/edeijl/ache/cleaning.htm

Run through the steps there and see if the problem goes. There are quite a few programs/steps there; try to get one of the online virus checks from there (RAV/HouseCall).

BTW, when you did a scan with avast, did you do a thorough one with 'scan inside archives' checked?

Also what email client are you using?

--lee
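Reading a HijackThis log the way Lee does above (scan the R/O entries, pick out the ones worth checking) can be scripted. The following is an added example, not code from the thread or from HijackThis itself: it parses the v1.99 log layout and returns the entries a reviewer would look at first. The sample log is constructed from the shape of the one posted above, not a copy of it.

```python
import re

# Constructed sample in HijackThis v1.99 layout (shape taken from the log above).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HijackThis finding starts with a section code (R0, O2, O16, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (running processes, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True          # the process list runs until the next blank line
            continue
        if not line:
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(entries):
    """Return (code, body, reason) for the entries a reviewer checks first."""
    flagged = []
    for code, body in entries:
        if code == "O16":
            flagged.append((code, body, "ActiveX download (DPF) fetched from a remote URL"))
        elif code == "O23" and "(file missing)" in body:
            flagged.append((code, body, "service points at a path HijackThis could not find"))
        elif code == "O2" and "(no name)" in body:
            flagged.append((code, body, "BHO with no name; confirm the DLL belongs to known software"))
    return flagged
```

Run `triage(parse_hjt(SAMPLE_LOG)[1])` to get the three entries above that need a second look; everything else in the sample is left alone.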




deno

  • Guest
Re: Netsky-D Problem
« Reply #5 on: March 07, 2005, 10:35:53 PM »
I can't believe how stupid I have been.

I have just realised that the Avast on-access scanner is actually warning me about a virus in an email in my Hotmail inbox.... It's not on my system at all!!!!

I have just deleted it out of my Hotmail inbox and everything is fine now.

Sooooo sorry for wasting your time Lee

Dene

lee16

  • Guest
Re: Netsky-D Problem
« Reply #6 on: March 08, 2005, 02:45:36 PM »
Quote
I have just realised that the Avast on-access scanner is actually warning me about a virus in an email in my Hotmail inbox.... It's not on my system at all!!!!

I have just deleted it out of my Hotmail inbox and everything is fine now.

Glad your problem's solved :)

Quote
Sooooo sorry for wasting your time Lee

No problem Deno, I'm here to help; that's why I volunteer here ;)

Anyway, everyone makes mistakes. It's better safe than sorry, and better clean than infected :D

--lee