Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Hijack log looking for netmonster.vbs

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Hijack log looking for netmonster.vbs

Unread postby david sez » February 23rd, 2008, 5:57 am

Hi,

My PC has been infected with netmonster.vbs which puts an image of a dollar bill on the screen and replicates it to any flash-drives connected to the computer. I have searched and found a couple of forums that discuss the problem but most (all I have found) are in French or another European language. The French forum has a reply by the student who developed this as a means to test out anti-virus programs but the thing has been released through the universities and now I have it too.

The 'cure' as far as I could translate was to run regedit to remove the command:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run : clear 'System '
and then to delete: windows \ system32 \ NetService.vbs

I did all that and the problem persists.

A German forum suggested to download Hijackthis and run a logfile for someone who knows what they are doing to have a look at... have done so and attach it to this!

Grateful for your feedback as this is now on six PCs / laptops in our working group!
You do not have the required permissions to view the files attached to this post.
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am
Advertisement
Register to Remove

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 27th, 2008, 10:29 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and sometimes a post manages to slip by us.
Unfortunately there are far more people needing help than there are helpers.

----------------------------------------------------------------------------------------





Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 27th, 2008, 2:39 pm

Hi Katana,

Thanks for the advice; have downloaded Combofix and run as indicated log attached; also is the latest Hijackthis log.

The Combofix has an entry with netmonster on so there may be light at the end of the tunnel!

Awaiting your further instructions!

regards

David
You do not have the required permissions to view the files attached to this post.
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 27th, 2008, 3:52 pm

Flash Disinfector by sUBs
Please downloadFlash_Disinfector.exe by sUBs and save it to your desktop:


* Double-click Flash_Disinfector.exe to run it.
* Follow any prompts that may appear.
* Wait until the program has finished scanning, then please exit the program.
The tool may ask you to insert your flash drive, or other removable drives. Please do so and allow the tool to clean it up as well.


Please restart your computer.


Create A Registry File
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it Regfix.reg Please save it on your desktop.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCDrProfiler"=-
"SunJavaUpdateSched"=--
"Corel Reminder"=-
"Acrobat Assistant 7.0"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1350db0d-4aca-11dc-9c61-001731abfbe7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3803312a-d12b-11db-9b76-001731abfbe7}]


Make sure there are NO blank lines before REGEDIT4 and ONE blank line at the end/bottom
Double click on Regfix.reg and click Yes at the prompt

Please make sure your flash drive is inserted for the next scan



Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Please post the Kaspersky scan in your reply
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 28th, 2008, 7:28 am

Hi katana,

OK I have completed the Flash disenfector, the registry edit and Kaspersky on-line scans. Attached is the Kaspersky report in text file format.... the viral image still appears on my desktop.

Awaiting your further suggestions.
You do not have the required permissions to view the files attached to this post.
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 28th, 2008, 7:56 am

Please can you post the logs in your reply, rather than attaching them.
This forum is primarily for teaching new fighters, and it makes it easier for the students if they can see the logs without having to download them.


find a file
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.

@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
FOR %%G IN (
C:\NetMonster.*
D:\NetMonster.*
F:\NetMonster.*
) DO (
dir /a /S %%G >> C:\kresults.txt
)
start notepad C:\kresults.txt
del /q look.bat
exit


Double click look.bat. A CMD window will open, please be patient while it scans for files.
Notepad will then open, copy and paste the contents in your reply.


Deckard's System Scanner (DSS)

Please download Deckard's System Scanner (DSS) to your Desktop.
Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 28th, 2008, 8:56 am

Thanks for the reply. I have tried to run look.bat as per the code you included but it will not run properly. A command window opens and then notepad opens instantaneously with an error message saying 'Cannot find C:\kresults' and asking if I want to create this file? If I accept then the notepad window stays open and nothing is written to it.
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 28th, 2008, 9:30 am

My mistake, please try this.

find a file
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.
Save it as "All Files" and name it look.bat Please save it on your desktop.

@echo off
if exist C:\kresults.txt del /q C:\kresults.txt
FOR %%G IN (
C:\NetMonster
D:\NetMonster
F:\NetMonster
) DO (
dir /a /s %%G.* >> C:\kresults.txt
)
start notepad C:\kresults.txt
del /q look.bat
exit


Double click look.bat. A CMD window will open, please be patient while it scans for files.
Notepad will then open, copy and paste the contents in your reply.

Please post the DSS logs also.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 28th, 2008, 10:02 am

I have been able to run the look.bat file with the following result:

Volume in drive C is PRESARIO
Volume Serial Number is 038E-987E

Directory of C:\Documents and Settings\Compaq_Owner\Desktop

23/02/2008 11:01 339 netmonster.txt
1 File(s) 339 bytes

Directory of C:\Documents and Settings\Compaq_Owner\Recent

23/02/2008 13:51 522 netmonster.txt.lnk
1 File(s) 522 bytes

Total Files Listed:
2 File(s) 861 bytes
0 Dir(s) 40,633,454,592 bytes free
Volume in drive D is PRESARIO_RP
Volume Serial Number is 4B6E-6BC0
Volume in drive F is Lacie
Volume Serial Number is 54CE-68D3


The Netmonster.txt file listed above is the text I copied off the French forum to try to remove the infection.

I have tried to run DSS three times and each time it closes with a windows error message 'DSS needs to close, do you wish windows to send an error report?' Do I need to turen off my anti-virus or something else to allow this to run?
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 28th, 2008, 4:53 pm

You shouldn't need to turn off your AV for DSS to run ????

Please try running it in safe mode

To reboot in safe mode
You can boot in Safe Mode by restarting your computer, then continually tapping F5 OR F8 until a menu appears.
Use your up arrow key to highlight Safe Mode, then hit enter.

Log in to your normal account and then run DSS.exe
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 28th, 2008, 11:26 pm

Have re-booted in Safe Mode but DSS still collapses while reading the event logs. However the annoying netmonster image does not appear in safe mode if that's any assistance!
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 29th, 2008, 6:23 am

Grateful for your feedback as this is now on six PCs / laptops in our working group!


Are you able to get the original file that causes the infection ?
It would make it a lot easier if we could see what it actually does.

Is the netmonster image set as your desktop background ?
Have you tried changing the desktop back to normal through desktop properties ?
Try and see where the desktop image is located, or even just the name of it.
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 29th, 2008, 9:31 am

Hi Katana,

Okay that seems to have sorted it out! The Desktop background was set to the netmonster.jpg but there was no address for it. When I changed it to another image and then went to change it back to the netmonster image again it had disapeared off the desktop background list.

I had similarly regedited the other network machines and the same seems to be true of them, so now none of them have the original image and script. We do have a lap-top that is still infected but it is in Germany at the moment, if you want a copy of the original I will get them to e-mail it over to me before cleaning off their machine.

Thanks for your assistance and patience!
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am

Re: Hijack log looking for netmonster.vbs

Unread postby Katana » February 29th, 2008, 9:46 am

That is strange, the file search we did should have shown the .jpg file as well ?????
Oh well, as long as it is sorted :)

I have sent you an address to send the file to, it is safer to send it direct than risk you getting infected again :lol:

So, if you have no more problems .....




Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First lets tidy up :D

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Image
You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan ... ncipal.htm
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can chose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
User avatar
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Hijack log looking for netmonster.vbs

Unread postby david sez » February 29th, 2008, 11:56 pm

Hi Katana,

Thanks for the message and apologies for the delay in responding, we had lightening storms yesterday afternoon and evening and I have lost three routers already so kept everything unplugged.

I will get the original file sent across to you so you can dissect it!

Thanks again for all your assistance.

best regards

David
david sez
Active Member
 
Posts: 9
Joined: February 23rd, 2008, 5:40 am
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 314 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware