Junior Member with 1 posts | Join Date: Dec 2008 | Experience: breaking it as I learn

win32.netsky.q Virus issue, many posters! Same here. Got hit last night, unasked-for shut down and restart; when it restarted I had "Windows Security Centre" "win32.netsky.q" wanting me to download something. I didn't. Tried opening IE, but hit a security thing wanting a click too. I did, but only with wireless switched off. I tried msconfig, only to get the same alert and same results, but modified msconfig without clearing the alert first. Switched off fhexj6825097, also Khost (Kontiki, related to bbci and 4oD I think) and a rundll32 that wasn't assigned to the Windows directory.
Meantime I waded through Task Manager Processes and found TDMservice running, which isn't meant to be, apparently.
On-board F-Secure says clean, as does Symantec online.
It's running, but I'm not convinced all is sweet.
I am in NO WAY an expert, but hope shared experience will help all, and the Clever Guys sort this one !
First post, not got HJL yet, will keep an eye out here and see how you get on and I'll follow advice.
Thanks

Junior Member with 1 posts

Coincidence? Got hit by this last night as well and have spent all morning working against it. Exact same symptoms as the previous two describe:
- Attempting to use msconfig results in an msconfig error and system auto-restart
- "Windows defender" warning about a win32.netsky.q worm and link to get virus protection
- IE and Firefox both crash as soon as opened (having to use Opera)
- MSN crashes when opened
- AVG, Spybot and Malwarebytes all come up negative even when set to scan the one specific file we know is responsible.
The fact we've all only just got it recently makes me think this is a brand new virus which hasn't been noticed/added by the anti-virus companies yet and thus nothing is picking it up.
I've managed to delete the .exe program and related files while in safe mode but I doubt that's any real permanent fix and will probably see them back there once I reboot in normal mode after writing this.

Junior Member with 2 posts

Any update? I got hit with it too.
I'm just curious as to what websites you frequent or what could've caused this. I'm a gmail user/XP/AVG. It happened last night after I had installed some .zip files from panasonics website relating to p2 card software.
I also found this: http://www.411-spyware.com/remove-win32-netsky-q-worm

Junior Member with 2 posts | Join Date: Dec 2008 | Experience: Advanced

I'd like to add I've also just got this trojan/virus - exactly as described above.
The Symantec Netsky tool cannot detect it. Spybot and Ad-Aware can't find anything. I've also tried the SmitFraud removal tool in safe mode - but it hasn't fixed it.

Junior Member with 1 posts | Join Date: Dec 2008 | Experience: Advanced

Hi, I also have these exact symptoms.
This occurred while I was installing Windows XP Service Pack 3; halfway through the installation my computer restarted. However my firewall (ZoneAlarm Pro) has detected the application and has disabled it, now I can access programs such as MSN without crashing and rebooting. I can also use IE without receiving those "Internet not safe" messages now.
But, the pop-up claiming my computer is infected is still appearing, I'm still working on a solution, wish me luck.

Junior Member with 1 posts | Join Date: Dec 2008 | Experience: Advanced

Hi,
My symptoms are similar. The fhexj6825097.exe has a run entry at the following location: HKEY_USERS\S-1-5-21-1060284298-1614895754-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Run\\windpipe
I am going to delete the entry and reboot for now and will check it out tomorrow.

Junior Member with 2 posts

Malwarebytes found a series of problems and it seems to have fixed the issue.

Junior Member with 2 posts | Join Date: Dec 2008 | Experience: Advanced

Just a little more I'd like to add regarding cblack9's post.
After I tried addressing the issue with the approaches I described in my previous post, I also downloaded Spybot Search and Destroy. It detected a change in a registry key and although I didn't record the key it included the text "windpipe". I remember this specifically because in trying to block the key Spybot S&D then went into an infinite loop trying to stop the key being changed - it brought up dialogue box after dialogue box trying to block the changes.
At that point I killed my PC and I've since completely restored my system using a Ghost image - so my problems have now been resolved - but not because I could solve the problem by eliminating the issue without reformatting. I'm really interested to know what the hell I did to get this virus because I'm normally very wise to the various schemes out there and don't normally get infected.

Junior Member with 2 posts | Join Date: Dec 2008 | Experience: Intermediate

I too have the Perfect Defender 2009 virus. That dang pop-up drove me crazy yesterday. But today I have no desktop. I am getting around the web by typing the URL into my "run" box. I am at IE6 and have thought about downloading IE7 to see if that fixes anything.
I have AVG 7.5 and it removed only part of the virus. AVG 7.5 now shows that I am clean. I downloaded PC Spy Doctor and it shows my PC is clean. I have tried a system restore, but the virus will not let me restore. I have located the file, but it tells me that I am not authorized to delete it. I guess I will have to go out and buy a new PC as I do not have a restore CD (nor the code) to re-install the operating system.

Junior Member with 6 posts | Join Date: Dec 2008 | Experience: Intermediate
13-Dec-2008, 08:46 AM, #10

Well I hope this might help any of the above..!
I got the very same problem last - on booting up my firewall had been turned off - it was booting me out of Firefox when I tried to download anything that might search the problem and IE was not even finding Google - I could only use Opera too - the fake Windows Security Warning about the worm Win32.Netsky.q but that did not give me any option to allow so didn't look real - this took me to a site on Firefox which my Avast was blocking as unsafe called: www.defender-review.com
I did notice however when I logged into Windows using another user the firewall was intact and no problems with using any browsers - thus pointing to my Application Data.
I did however download SpyBot and scanning did not find anything related and the problem continued - but when I rebooted SpyBot found the changed registry key "windpipe" and listed the link to C:\Documents and Settings\"MYNAME"\Application Data\Google\fhexj6825097.exe - the full contents and Google folder were created at the time last night when everything went pear-shaped - I deleted everything including the Google folder (although I had to log in as another user to delete this folder as it was running the exe application on my login) - rebooted and everything was back to normal - ran a search on anything I could find on the net relating to this and found nothing more..!
Funny how the file: fhexj6825097.exe had an image relating to Windows Firewall..!
Note: after re-boot my firewall was intact and no Fake message and all browsers working as should be..!
Would anyone know what they were doing when this occurred..?
Thanks JTMC..!
Last edited by JTMC : 13-Dec-2008 09:39 AM.
Junior Member with 2 posts | Join Date: Dec 2008 | Experience: Intermediate

13-Dec-2008, 10:52 AM, #11

I have not crashed.
I had no desktop, but after going to 2 websites via the "run" box, my desktop returned. I downloaded IE7, but that still did not remove the Perfect Defender 2009 pop-up. The darn thing still pops up usually when you change from one website to another website. I do not have another user nor another browser. Since this file comes from Google, Google should have to give us a fix.

Junior Member with 6 posts | Join Date: Dec 2008 | Experience: Intermediate
13-Dec-2008, 10:57 AM, #12

Who said the file comes from Google..? Maybe whoever set it up wanted to hide it in a file nobody would be looking for..?
I don't have a clue where I got mine from..!
JTMC

Junior Member with 6 posts | Join Date: Dec 2008 | Experience: Intermediate

13-Dec-2008, 12:43 PM, #13

Hello danandginny
If you have the same problem I had then you do not need another browser and you can log in to your system as administrator, right..? In Explorer folders - make sure you can view hidden folders & locate the offending file/folders I mentioned in my previous post & delete - reboot and you should be OK.
I hope this works for you..! JTMC

Junior Member with 2 posts

13-Dec-2008, 12:44 PM, #14

malware

Thanks for your info, JTMC.
Your info solved my problem. I restarted my computer in safe mode, looked in msconfig at the Startup tab and saw fhexj6825097.exe being started at startup. Deleting the whole Google folder in safe mode solved the whole problem.
They made it really look real. The firewall window and all looked exactly identical to the real thing, except that the buttons for enabling and disabling it were blanked out/disabled.
Don't forget to remove the registry values too. Type regedit in the run window.
When regedit is started up, search in the registry with the keyword "windpipe".
Remove that value, and the startup line in the startup tab at msconfig is removed.
I also suggest just to delete the whole google folder. Google never uses that folder. It's a fake folder, generated by that exe.
And thanks again for your help and info, JTMC!
I don't think it's really a virus. It's just malware, forcing you to buy crap software.
Win32.Netsky.Q is automatically blocked by every decent scanner on the market. The virus is dated from 2004, and 4 years should be enough to find the cure. The message was a fake message and I also ran the Norton removal tool for that virus. The tool said there was no Netsky virus in the first place. I also ran Kaspersky, AVG, Avast on my computer, complete scheduled scans, and nothing was found. I also use Malwarebytes, SUPERAntiSpyware, Spyware Doctor and nothing more was found. Only Spybot found the changed registry.
I don't think this malware did really that much damage. I always surf on the internet very safely; however, the annoying thing is that I got this piece of malware on a developer blog (IIS 7.0 security blog, ironically). AVG did not block it, so it's relatively new.

Junior Member with 6 posts | Join Date: Dec 2008 | Experience: Intermediate

13-Dec-2008, 01:25 PM, #15

Cheers Monkeydancer
I think we confirmed one another's process of elimination here and no, I do not think there was anything from the warning message, it was a complete red herring. I looked up removing this by finding files and there was nothing on my PC..!
I did however remove the windpipe from the registry too as you suggested, thank you.. but could not find anything in msconfig.... should I have...?
Thanks for your reply too and suggestions..! JTMC
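The posts above converge on one indicator: a per-user Run value named "windpipe" (under HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run) pointing at an executable dropped in Application Data. The following is an added example, not code from the thread or from any poster: it parses the text that regedit's Export produces for the Run keys (a constructed sample is embedded; the SID and the windpipe entry mirror what was posted, the other two values are benign and invented for contrast) and flags autorun entries that launch from a user-writable profile directory, which is the check a responder would run before deleting anything. The function names and the list of suspicious directories are this example's own choices.

```python
"""Triage Run-key entries from a regedit .reg export.

Added example (not from the thread). Flags autorun values whose command
launches from a user-writable profile directory such as Application Data,
the pattern the posters describe for fhexj6825097.exe.
"""
import re

# Constructed sample of what regedit "Export" writes for the two Run keys.
# Regedit escapes backslashes and embedded quotes with a backslash; a real
# export is UTF-16LE, so read it with open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1060284298-1614895754-682003330-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"windpipe"="C:\\Documents and Settings\\MYNAME\\Application Data\\Google\\fhexj6825097.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="value" with .reg escaping (\\ and \") allowed inside both parts
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First token ending in .exe, optionally wrapped in quotes
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)

# Directories a limited user can write to; legitimate autoruns in these
# are rare enough on XP that each hit deserves a look (example's own list).
USER_WRITABLE = ('\\application data\\', '\\local settings\\',
                 '\\appdata\\', '\\temp\\')
# Value name reported by several posters in this thread.
KNOWN_BAD_NAMES = {'windpipe'}


def _unescape(text):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', text)


def parse_run_entries(reg_text):
    """Return [{'key', 'name', 'command'}] for values under any ...\\Run key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key and key.lower().endswith(r'\currentversion\run'):
            entries.append({'key': key,
                            'name': _unescape(m.group(1)),
                            'command': _unescape(m.group(2))})
    return entries


def flag_suspicious(entries):
    """Return the entries worth investigating, each with a 'reasons' list."""
    flagged = []
    for entry in entries:
        m = EXE_RE.match(entry['command'])
        exe = m.group(1) if m else entry['command']
        reasons = []
        if any(d in exe.lower() for d in USER_WRITABLE):
            reasons.append('launches from a user-writable profile directory')
        if entry['name'].lower() in KNOWN_BAD_NAMES:
            reasons.append('value name matches an indicator from this thread')
        if reasons:
            flagged.append(dict(entry, exe=exe, reasons=reasons))
    return flagged


if __name__ == '__main__':
    for hit in flag_suspicious(parse_run_entries(SAMPLE_REG)):
        print(hit['key'])
        print('  %s -> %s' % (hit['name'], hit['exe']))
        for reason in hit['reasons']:
            print('    *', reason)
```

On the sample this flags only the windpipe value, for both reasons, and leaves ctfmon.exe and the Java updater alone. Running it against a real export taken from a suspect machine (HKCU and HKLM Run keys exported separately, or the whole HKEY_USERS hive) gives a short list to check in Explorer with hidden folders visible, which is the step monkeydancer and JTMC describe, before the value and the folder it points at are removed.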
Copyright © 1996 - 2009 TechGuy, Inc. All rights reserved.