FrEn

E-mail Print

NetSky Fix - Get rid of NetSky (FVProtect.exe,FirewallSvr.exe,netstats.exe)
Written by Administrator  |  Friday, 18 September 2009 05:15
AddThis Social Bookmark Button

Alias

  • Email-Worm.Win32.NetSky.q[Kaspersky Lab]
  • Email-Worm.Win32.NetSky.z [Kaspersky Lab]
  • Email-Worm.Win32.NetSky.q [Kaspersky Lab]
  • Email-Worm.Win32.NetSky.r [Kaspersky Lab]
  • ...
  • Backdoor.Win32.IRCBot.alo [Kaspersky Lab]
  • Worm.Feebs!sd5 [PCTools]
  • Email-Worm.NetSky [PCTools]
  • Email-Worm.NetSky!sd5 [PCTools]
  • I-Worm.Netsky.Q2 [PCTools]
  • W32.Netsky.gen@mm [Symantec]
  • W32.Netsky.dam [Symantec]
  • W32.Netsky.P@mm [Symantec]
  • W32.Netsky.Y@mm [Symantec]
  • ...
  • W32/Feebs.gen [McAfee]
  • W32/Opanki.worm.gen [McAfee]
  • W32/Netsky.gen@MM [McAfee]
  • W32/Netsky.y@MM [McAfee]
  • W32/Netsky.p@MM[McAfee]
  • ...
  • WORM_FEEBS.KV [Trend Micro]
  • WORM_NETsky.dam [Trend Micro]
  • WORM_NETSKY.P[Trend Micro]
  • WORM_NETSKY.BN [Trend Micro]
  • ...


All lists are non-exhaustive.

Information The virus uses the network and the Internet to spread, it can also enter through the ports used by the system of peer-to-peer sharing.
Can send emails using SMTP.
Able to communicate with a remote machine using the SMTP protocol.

The fix removes NetSky and all its variants.

File The virus puts files in the system directory

  • nmvcs.exe
  • LegitCheckControl.dll
  • WgaLogon.dll
  • WgaTray.exe
  • ddcbxxv.dll
  • WGA.exe
  • winini.exe
  • opnnljj.dll
  • msij32.dll
  • msoo.exe
  • remote.exe
  • vcmgcd32.dll
  • defender.exe
  • vcmgcd32.dl_
  • msed32.dll
  • mslz.exe
  • msoi.exe
  • mspi32.dll
  • keymaker.exe
  • winini.exe


Other files in Windows directory

  • FVProtect.exe
  • base64.tmp
  • userconfig9x.dll
  • zip1.tmp
  • zip2.tmp
  • winsystem.exe
  • FirewallSvr.exe
  • zip3.tmp
  • fuck_you_bagle.txt
  • uinmzertinmds.opm
  • winini.exe
  • winlogon.scr
  • zipped.tmp
  • EasyAV.exe
  • netstats.exe
  • system.dll.exe
  • Jammer2nd.exe
  • attachment.zip
  • services.exe
  • winlogs.exe


In the temporary directory

  • UYF4E7\installer.bat
  • UYF4E7\LegitCheckControl.dll
  • UYF4E7\WgaLogon.dll
  • UYF4E7\WgaTray.exe
  • IXP000.TMP\keymaker.exe
  • Data.txt .exe
  • 7C56B4F2.EXE
  • *.zip
  • *.tmp


Processus

  • FVProtect.exe
  • netstats.exe
  • system.dll.exe
  • defender.exe
  • winini.exe
  • FirewallSvr.exe
  • msoi.exe
  • keymaker.exe
  • is151287.exe
  • 7C56B4F2.EXE
  • qpfu.exe
  • winlogon.scr
  • trvp.exe
  • WGA.exe
  • msoo.exe
  • remote.exe
  • nmvcs.exe
  • winsystem.exe
  • 1001 Sex and more.rtf.exe
  • 3D Studio Max 6 3dsmax.exe
  • ACDSee 10.exe
  • Adobe Photoshop 10 crack.exe
  • Adobe Photoshop 10 full.exe
  • Adobe Premiere 10.exe
  • Ahead Nero 8.exe
  • Altkins Diet.doc.exe
  • American Idol.doc.exe
  • Arnold Schwarzenegger.jpg.exe
  • Best Matrix Screensaver new.scr
  • Britney sex xxx.jpg.exe
  • Britney Spears and Eminem porn.jpg.exe
  • Britney Spears blowjob.jpg.exe
  • Britney Spears cumshot.jpg.exe
  • Britney Spears fuck.jpg.exe
  • Britney Spears full album.mp3.exe
  • Britney Spears porn.jpg.exe
  • Britney Spears Sexy archive.doc.exe
  • Britney Spears Song text archive.doc.exe
  • Britney Spears.jpg.exe
  • Britney Spears.mp3.exe
  • Clone DVD 6.exe
  • Cloning.doc.exe
  • Cracks & Warez Archiv.exe
  • Dark Angels new.pif
  • Dictionary English 2004 - France.doc.exe
  • DivX 8.0 final.exe
  • Doom 3 release 2.exe
  • E-Book Archive2.rtf.exe
  • Eminem blowjob.jpg.exe
  • Eminem full album.mp3.exe
  • Eminem Poster.jpg.exe
  • Eminem sex xxx.jpg.exe
  • Eminem Sexy archive.doc.exe
  • Eminem Song text archive.doc.exe
  • Eminem Spears porn.jpg.exe
  • Eminem.mp3.exe
  • Full album all.mp3.pif
  • Gimp 1.8 Full with Key.exe
  • Harry Potter 1-6 book.txt.exe
  • Harry Potter 5.mpg.exe
  • Harry Potter all e.book.doc.exe
  • Harry Potter e book.doc.exe
  • Harry Potter game.exe
  • Harry Potter.doc.exe
  • How to hack new.doc.exe
  • Internet Explorer 9 setup.exe
  • Kazaa Lite 4.0 new.exe
  • Kazaa new.exe
  • Keygen 4 all new.exe
  • Learn Programming 2004.doc.exe
  • Lightwave 9 Update.exe
  • Magix Video Deluxe 5 beta.exe
  • Matrix.mpg.exe
  • Microsoft Office 2003 Crack best.exe
  • Microsoft WinXP Crack full.exe
  • MS Service Pack 6.exe
  • netsky source code.scr
  • Norton Antivirus 2005 beta.exe
  • Opera 11.exe
  • Partitionsmagic 10 beta.exe
  • Porno Screensaver britney.scr
  • RFC compilation.doc.exe
  • Ringtones.doc.exe
  • Ringtones.mp3.exe
  • Saddam Hussein.jpg.exe
  • Screensaver2.scr
  • Serials edition.txt.exe
  • Smashing the stack full.rtf.exe
  • Star Office 9.exe
  • Teen Porn 15.jpg.pif
  • The Sims 4 beta.exe
  • Ulead Keygen 2004.exe
  • Visual Studio Net Crack all.exe
  • Win Longhorn re.exe
  • WinAmp 13 full.exe
  • Windows 2000 Sourcecode.doc.exe
  • Windows 2003 crack.exe
  • Windows XP crack.exe
  • WinXP eBook newest.doc.exe
  • XXX hardcore pics.jpg.exe


The file autorun.inf is always present in the root of all partitions including removable drives as external drives or flash disks, another file accompanies it.

Registry Key deleted:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32
    • (Default) = <system>\webcheck.dll
    • ThreadingModel = Apartment


Key created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • Norton Antivirus AV = <Windows>FVProtect.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • MSN = system.dll.exe
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • Windows Zero Spooler = "nmvcs.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbxxv
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861


Value created:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{446624E1-B767-4443-AA6E-0F355CAFD21B}\InprocServer32]
    • (Default) = "%System%\ddcbxxv.dll"
    • ThreadingModel = "Both"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Settings]
    • Time = F0 F8 36 23 83 51 C8 01 00 00 00 00
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    • {446624E1-B767-4443-AA6E-0F355CAFD21B} = ""
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcbxxv]
    • Asynchronous = 0x00000001
    • DllName ="ddcbxxv.dll
    • Impersonate = 0x00000000
    • Logon = o
    • Logoff = f
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\00cd0861]
    • (Default) = "A91FE206B0B441D793ADE1C11C88B399&"
  • [HKEY_CURRENT_USER\Software\Microsoft\Installer]
    • (Default) = 94 6E 12 24 83 51 C8 01


ATTENTION This virus runs automatically each time you open or explore a partition, it is preferable to download the patch and unpack it on the desktop, reboot your machine in Safe Mode and run the patch, always in safe mode.
The virus also sends emails to your contacts and vice versa, your contacts send to you infected emails and asking you to download a file if you have problem in reading the email

Download
 

Add comment


Security code
Refresh

Related articles
Latest posts

  • Free malware removal tool for Guard Online

    Written by %s admin 10/10/2011
    Guard Online is a another rogue Antispyware from the OpenCloud and AV Guard Online familly, it's a malware that pretends to be an Antivirus. Guard Online conducts a fake scan of your system; you are…
    Read more...

  • Free malware removal tool to remove AV Guard Online

    Written by %s admin 05/10/2011
    AV Guard Online is a another rogue Antispyware from the OpenCloud familly, it's a malware that pretends to be an Antivirus. AV Guard Online conducts a fake scan of your system; you are warned by a…
    Read more...

  • Free removal tool to remove Security Guard 2012

    Written by %s admin 05/10/2011
    Security Guard 2012 is a another rogue Antispyware from the OpenCloud familly, it's a malware that pretends to be an Antivirus. Security Guard 2012 conducts a fake scan of your system; you are warned…
    Read more...

  • Free removal tool for Advanced PC Shield 2012

    Written by %s admin 01/10/2011
    Advanced PC Shield 2012 is a another rogue Antispyware, it's a malware that pretends to be an Antivirus. Advanced PC Shield 2012 conducts a fake scan of your system; you are warned by a fake alarm…
    Read more...

  • Security Sphere 2012 Free Removal Tool

    Written by %s admin 01/10/2011
    Security Sphere 2012 is another spyware from the Security Tool family. Security Sphere 2012 is not a legit program; it's a fake, a counterfeit. Security Sphere 2012 claims to fix your system, but…
    Read more...
.
Information | Contact

© All Rights Reserved. net-studio.org 2009