Spyware, Viruses, & Security forum

General discussion

worm.win32.netbooster

by jimdad / April 14, 2008 10:32 AM PDT

System appears infected with a virus/spyware. Appears to be id'd as worm.win32.netbooster
Logged onto my Profile and got a bright red screen with xtra shortcuts not seen before and symbol similar virus hazard used in medicine. Have two icons in tray flashing red octogon with X and other shield with x switching to shield with question mark. This sucker keeps running in background trying to convince me to download a fix. Ain't buyin that one.

Computer - Dell XPS 5 running XP Home
Outlook for e-mail

Running Zonealarm spyware did not pick it up. Am now running Zonealram AV.

Anyone here dealt with this one? Suggested fix would be appreciated.

Discussion is locked
You are posting a reply to: worm.win32.netbooster
The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to our CNET Forums policies for details. All submitted content is subject to our Terms of Use.
Track this discussion and email me when there are updates

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

You are reporting the following post: worm.win32.netbooster
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
Collapse -
I'd suggest.....
by Marianna Schmudlach / April 14, 2008 11:23 AM PDT
In reply to: worm.win32.netbooster

1. Download SmitfraudFix (by S!Ri) to your Desktop (Win2k/WinXP only!).
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

How to extract (decompress) zipped or compressed files

Collapse -
Appears to have worked
by jimdad / April 14, 2008 1:51 PM PDT
In reply to: I'd suggest.....

Ran through process as previously posted but had to take a couple detours.

First had to get Smithfraudfix download using son's computer and transferring via stick. Couldn't get to site to access it on my computer. Can't definitely explain why. Tried both Firefox and Explorer to get to site for download.

Second, Smithfraudfix would not run in Safe Mode. Got to command screen but as soon as hit any key to continue came up and I did, instant lock up. Even tried waiting it out. Ran the program in Normal Mode without ill effects noticed so far.

The went for AV as recommended and ran that. Picked up another 11 hits that required quarantine.

So far so good.

Thanks for the suggestion.

BTW, my son found same fix through yahoo search but I needed to see it here before I was willing to risk the pain.

Jimdad

Collapse -
Great to hear.........
by Marianna Schmudlach / April 14, 2008 2:18 PM PDT
In reply to: Appears to have worked

do you have CCleaner?

IF not:

Download CCleaner HERE and install it.

Before first use, check under Options, Settings, and ensure "Only delete files in Windows Temp folder older than 48 hours" is unchecked.

Then open it and select the items you wish to clean up.

In the Windows Tab:

I recommend cleaning all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section
Clean all entries in the "System" section
Clean all entries in the "Advanced" section.

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

Then click the "Run Cleaner" button.

Then I would purge\flush the System Restore points .

Right click "My Computer", Properties, and then click the System Restore tab. Checkmark the box at the top to stop System Restore on all drives. Click the "Apply" button. Agree to the deletion of old Restore Points. Then uncheck the box at the top and again click the "Apply" button. Finally, click the "OK" button. This will create a new Restore Point reflecting your clean system state.

Happy SAFE Computing Happy

Collapse -
Pain in the . . . :)
by TWhitehead1081 / April 16, 2008 3:52 PM PDT
In reply to: Great to hear.........

I'm helping a friend of mine with his laptop (HP) and he picked up the Worm as well. I followed the instructions above and removed the Worm from his computer. He called me the next day and said it had returned. I stopped in to see him and once again, followed the steps to remove the Worm, which I did successfully.

I've recieved a third phone call from him letting me know its appeared once again, same as before. Keep in mind his computer runs the latest version of Norton AV as well as the AVG Spyware application. I'm at my wits end with this. I've been told that both times it's happened, they were on their bank's website to do online banking for their business. Any ideas how I can kill this third round with the Worm and prevent it from coming back?

Collapse -
yeah works good but now what...
by dellzrule / May 24, 2008 11:22 AM PDT
In reply to: Pain in the . . . :)

Hey, i was really happy when i found this post about the win32 trojan. i too was infected by it and when i got through this instruction set, it went away. so now that its gone, i dont have to worry about those stupid popups, but i have alot of "damage" to clean up.

first, My start menu is messed up. the 'all programs' tab is gone, and 'my computer, documents and settings and the search bar' etc (everything on the right side of the menu) are all gone. inaccessible.

second, the desktop background is white, from where the trojan background was. when i right click, properties to change it, it pops up a window and displays it as if the privacy_danger image was still there from the trojan.

and third, the least of my worries, in the corner where the clock is, on the right side of it is a message saying "VIRUS ALERT!".

I just needed to know if anyone has any idea about how to correct this, but i just am really glad i can use my laptop again without having to close up an advertisement of some anti-virus crap.

Once again Thanks
-DELLZRULE-

Collapse -
Maybe you are still having
by Marianna Schmudlach / May 24, 2008 3:29 PM PDT
Collapse -
worm.net32.netblaster
by dmdb918 / July 7, 2008 9:37 PM PDT

I have the same thing on my computer. HP running windows XP.

help me...please!

Collapse -
worm.win32.netblaster
by dmdb918 / July 7, 2008 9:53 PM PDT

do not know if anyone is still reading this site, but, if you are, I do not have the option to "run" or "search". When I click start, all of those options are GONE. Even "all documents". what do I do. Has anyone found out anything new since all of these problems were posted.

Thank you

Collapse -
Assuming you are "worm free" and...
by Carol~ Forum moderator / July 8, 2008 12:28 AM PDT
In reply to: worm.win32.netblaster

not knowing anything about which system you're using, have you tried:

Right-clicking on Start and choosing Properties. Select the Start Menu tab, then Customize. When you scroll down the Start Menu Items under the Advanced tab, is there a tick mark next to "display as a link" ( under My Documents )? Scrolling further below is there a check mark next to Run and Search? Check to see if all missing items are either "ticked or checked". It might not be a bad place to start.

Best of luck..
Carol

Collapse -
worm
by dmdb918 / July 8, 2008 7:12 AM PDT

I will try this and get back thank you

Collapse -
(NT) You're welcome and Good Luck!
by Carol~ Forum moderator / July 8, 2008 7:15 AM PDT
In reply to: worm
Collapse -
SmitFraudFix
by thejhw / July 9, 2008 5:14 AM PDT

Thanks, Marrianna!
I followed your instructions exactly and everything worked just right!

I also had lost my All Programs, Run and other commands in the start menu (WXP SP2), but running SmitfraudFix cured it.
I am running Superantispyware right now (typing this on the laptop) and it has already found 35 threats including 10 instances of 2 different trojans all of which were missed by my AV and previous anti spyware.

Thanks again

JIM

Collapse -
(NT) Glad to hear it also worked for you ! Thanks for posting :)
by Marianna Schmudlach / July 9, 2008 7:19 AM PDT
In reply to: SmitFraudFix
Collapse -
SmitFraudFix tool says 'Registry editing has been disabled'
by mjones58 / July 12, 2008 12:56 AM PDT
In reply to: I'd suggest.....

I?ve been hyjacked

Hi All,

I seem to have the worm.win32.netbooster virus and tried to use the advise below, but ran into this error running SmithFraudFix. I've spent 4 hours trying to figure this out and realize I need some help.

The system is XP SP2. It's actually my Raid 5 server with three other computers connected and luckily backuped up because all the data is stored on it from all the computers.

My desktop has been hyjacked with new application icons and a blue screen that says in a yellow box "Warning! Spyware detected on your computer. Install an antivirus or spyware remover to clean your computer."

I ran AVG Antivirus and AntiSpyware that found some stuff and cleaned them. I tried to run SmithfraudFix and it ran okay until it got an error saying "Registry editing has been disabled by your administrator". This is where I'm stuck and appealing to your kindness for some help.

Luckily, my other computers still have internet access and access to the server's hard drives. I'm crossing my fingers that the other computers don't get infected, too.

Please help!

Michele

Collapse -
This error occurs if the DisableRegistryTools Policy is enab
Collapse -
I?ve been hyjacked
by dmdb918 / July 12, 2008 1:50 AM PDT

HI

Well I tried everything, even had some "expert" try to fix, in the end I reformatted my computer. Luckily I had everything backed up.

Seems it attacks the auto updates, notice the little red shield in your bottom right corner???

Good Luck
Debbie

Collapse -
Hi, mjones58
by Bugbatter / July 12, 2008 1:16 PM PDT

Try a scan with MBAM:
(For Operating Systems: Microsoft Windows 2000, XP, Vista)

Download Malwarebytes' Anti-Malware from one of these locations:
http://www.besttechie.net/tools/mbam-setup.exe
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

NOTE: If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

If that does not fix the problem, you have something more serious, so please post back if you need further instructions.

Collapse -
SmitFraudFix tool says 'Registry editing has been disabled'
by mjones58 / July 12, 2008 9:31 PM PDT
In reply to: Hi, mjones58

I tried your suggestion and my system thinks Malwarebytes is a virus so I don't think it lets it do its thing. I have Windows Defender and AVG. I can't even get out to the net right now and have to download on my laptop and copy the files across. I'm thinking I might have to rebuild the computer (my Raid 5 server). Ugh.

Collapse -
GGGrrrr
by TAYLOR-MANIA / July 12, 2008 10:20 PM PDT

Well, sadly I'm another one who's infected with this crap. Annoying isn't it?

Got it last night. I suddenly saw some new shortcuts on my desktop & then the pop-ups started. Then I discovered I couldn't launch TaskManager & the Start Menu items had gone & can't access my Hard Drive.

I can think of better ways to spend my day but I need to sort this out.

I used the SmitFraudFix but then I had problems rebooting. As the bar under the Windows XP logo was scrolling during the start-up sequence it would restart itself over & over again.
I'm a little worried that it's damaging my computer more & more.

Currently I'm running Comodo AntiVirus, SuperAntiSpyware (2nd time now), Windows Defender & Ccleaner.

I'll see what happens when the scans are finished. Might be back later requiring help.

Collapse -
Re: SmitfraudFix says..
by Carol~ Forum moderator / July 13, 2008 5:05 AM PDT

Michele..

When you first posted, you wrote "I tried to run SmithfraudFix and it ran okay until it got an error saying "Registry editing has been disabled by your administrator". Did you try Marianna's suggestion in this post? If so, were you able to continue on using these instructions?

See this too..
http://www.winguides.com/registry/display.php/190/

If you're having a problem with MBAM, you might try downloading the free version of SUPERAntiSpyware. After installing it, update it and try scanning in Safe Mode. It can't hurt and might help.

http://www.superantispyware.com/

Good luck..
Carol

Collapse -
Me again
by TAYLOR-MANIA / July 13, 2008 6:32 AM PDT

Hi, I'm sorry to jump in like this but I could really use your help?

I followed the instructions on the second post.
I ran Smitfraudfix and then SuperAntiSpyware last night.
It discovered about 400 items to be quarantined and removed.
Nothing much changed after the restart.

So today I ran SuperAntiSpyware again along with the other scanners I mentioned in my last post.
8 hours later and found another 40 or so items to be quarantined and removed.

Restarted just now.

Still have the VIRUS ALERT beside the clock. Still got the red shield about Auto Updates Are Off. Still can't access task manager or my drives. And just had two pop-ups appear.

Please tell me, what else can i do?

I'm running Windows XP Home SP3. Stock hardware.

-Regards

Taylor

Collapse -
Also...
by TAYLOR-MANIA / July 13, 2008 6:48 AM PDT
In reply to: Me again

...The worst thing is when explorer suddenly stops running! Everything on my desktop will dissappear...no taskbar, nothing.
Unless I have something open when it (by 'it' im referring to explorer.exe, i think) stops running then i'm left with NOTHING.

This is beginning to get very frustrating for me... please, what can I do to get rid of this? I really don't want to reinstall XP or format my HD.

Collapse -
Re: Me again
by Carol~ Forum moderator / July 13, 2008 7:21 AM PDT
In reply to: Me again

Taylor..

With the continuous and varied problems you're having, it might help to post a HJT log at one of the designated forums. They can at least SEE what's going on and walk you through the varied fixes. It's going to take a while for them to get to you. In the meantime, if someone has an easy fix for you, they may post it here.

HOW to post your HJT log on ONE of the HJT forums

We don't analyze them here, but these are some that do:

http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
http://www.bleepingcomputer.com/forums/forum22.html
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.subratam.org/index.php?showforum=7
http://forum.gladiator-antivirus.com/ - Gladiator Security

http://forums.cnet.com/5208-6035_102-0.html?hhTest=1&forumID=32&threadID=255339&messageID=2533167

Best of luck to you..
Carol

Collapse -
Progress has been made...
by TAYLOR-MANIA / July 13, 2008 7:37 AM PDT
In reply to: Re: Me again

Ok i'll do that, thanks.

I just scanned with SpyBot S&D & rebooted. I can now access the taskmanager, my start menu is back and the red sheild is gone. So atleast theres *some* improvements Happy

So I'll see if i can get some more help at those links - cheers!

Collapse -
Sounds good! ..
by Carol~ Forum moderator / July 13, 2008 8:00 AM PDT

Taylor..

I don't want to add anything more to the "mix", especially if you do decide to post a log, but have you also tried scanning with Malwarebytes' Anti-Malware, in addition to Spybot?

If not, it can be downloaded from here:
http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

**If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll


Posting a HJT log may give you "peace of mind", if nothing else. Wink Furthered good luck!
Carol

Collapse -
Aaah wonderful!
by TAYLOR-MANIA / July 13, 2008 6:24 PM PDT
In reply to: Sounds good! ..

Yup, I scanned using that one last night, restarted & hey presto - no apparent sign of it anymore! Hip hip hooray Happy

Thank you for your help, really. I felt some relief I can tell you.

I hope the rest of you manage to get rid of this nasty stuff.
I used a number of scanners to weed it all out, & to me it seemed like it was mostly SpyBot & Malwarebytes AntiMalware that got the job done (not to mention using the SmitFraudFix first).

Thanks again for the assistance, it's much appreciated.
Lessons have been learnt - thats the last time I open an AutoRun file for an Ebook!!! Heh. I can laugh now but it wasn't funny!

-Regards
Taylor

Collapse -
You're welcome, Taylor. Aaah wonderful is right!! :)
by Carol~ Forum moderator / July 14, 2008 8:58 AM PDT
In reply to: Aaah wonderful!

So very glad to hear your good news. As you said, another lesson learned. Seems to be a never-ending process. "A good thing" .. IMO.

Safe surfing..
Carol

Collapse -
I think I love you!
by ellenas_1 / October 18, 2008 2:22 AM PDT
In reply to: Sounds good! ..

Seriously. You saved the life of my computer (alfonso)!

Collapse -
Almost there but 1 question..
by christinamtl / July 23, 2008 1:20 PM PDT
In reply to: Re: Me again

I am so grateful to all who posted with links and how to go about getting rid of this horrible intruder!! You guys were so much help!! I ran everything and all seems to be fine. Except that now that I am rebooted, my display is blue and i can't change it because an error box comes up saying that it has been disable by the administrator and the same thing goes for the task manager. Anyone able to help? I am running WindowsXP with service pack 2.

Collapse -
Re: "Registry editing disabled by your administrator" error
by Carol~ Forum moderator / July 23, 2008 2:05 PM PDT
Popular Forums
icon
Computer Help 51,912 discussions
icon
Computer Newbies 10,498 discussions
icon
Laptops 20,411 discussions
icon
Security 30,882 discussions
icon
TVs & Home Theaters 21,253 discussions
icon
Windows 10 1,672 discussions
icon
Phones 16,494 discussions
icon
Windows 7 7,855 discussions
icon
Networking & Wireless 15,504 discussions

REVIEW

Meet the drop-resistant Moto Z2 Force

The Moto Z2 Force is really thin, with a fast processor and great battery life. It can survive drops without shattering.