Wilders Security Forums

Wilders Security Forums > Browser Hijacks and Spyware Problems > adware, spyware & hijack cleaning
#1  March 9th, 2004, 08:21 AM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
help hijack log netsky virus for sure

Hi, I need my log looked at, I know I have the netsky virus and that there is spyware but not sure how to get rid of it.
Thanks

Logfile of HijackThis v1.97.7
Scan saved at 8:07:39 AM, on 3/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\PROGRA~1\avgserv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
C:\PROGRA~1\avgcc32.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\avgw.exe
C:\Documents and Settings\regine\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\Program Files\SVA Player\SVAPLAYER.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\AWS\MiniBug\MiniBug.exe 1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Startup: SpywareGuard.lnk = SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} (Bash Control) - http://mirror.worldwinner.com/games/v40/bash/bash.cab
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldwinner.com/games/v40/mines/mines.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games/v42/brickout/brickout.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v40/wordcube/wordcube.cab
O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} (TracMan Control) - http://mirror.worldwinner.com/games/v46/tracman/tracman.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37617.7484953704
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldwinner.com/games/v40/darts/darts.cab

#2  March 9th, 2004, 08:53 AM
Shadowwar (Spyware Expert; Join Date: Feb 2004; Posts: 297)
Re: help hijack log netsky virus for sure

First, please move HijackThis out of the temp directory (extract from zip) into a permanent folder. Example:
c:\program files\hijackthis\hijackthis.exe

This will allow backups to be made and saved by HijackThis in case something goes wrong.

Please close all windows and Internet Explorer, and check-mark the following items only in HijackThis.
R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\Program Files\SVA Player\SVAPLAYER.DLL (file missing)
O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth

Click the Fix button. Close HijackThis.

Recommend you dump Kazaa as it's loaded with adware. Also it is a haven for a lot of viruses, which may be how you got it in the first place.
You may want to see here:
http://www.spywareinfoforum.com/articles/p2p

Reboot and show hidden files and folders per the link in my signature.
Please delete the following files or folders.

Files:
C:\WINDOWS\winlogon.exe
C:\WINDOWS\zzvbpxmm.exe
Folders:

Run a new log and post it here.

__________________
Rich Matteo

Malwarebytes Researcher
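The fix list above rests on three patterns a defender can check mechanically: registered components whose file is missing, autoruns with random-looking names, and a core Windows binary name launched from somewhere other than the directory the real binary lives in (the log shows the genuine C:\WINDOWS\system32\winlogon.exe among the running processes, while the Run key launches C:\WINDOWS\winlogon.exe -stealth). The script below is an added example for this thread, not HijackThis code and not something anyone in the thread posted; the SYSTEM_BINARIES table and the random-name heuristic are assumptions made for the example, and the sample log is a constructed subset of the lines posted above.

```python
"""Triage HijackThis-format log lines for the patterns behind a cleanup list.

Added example for this thread; not HijackThis code and not posted by anyone
in the thread. The SYSTEM_BINARIES table and the random-name heuristic are
assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Core Windows binaries and the directory, relative to the Windows directory,
# that each legitimately runs from. A Run entry launching one of these names
# from anywhere else (like "C:\WINDOWS\winlogon.exe -stealth" in the thread)
# is the classic masquerade: the real winlogon.exe is in system32.
# Hypothetical table assembled for this example.
SYSTEM_BINARIES = {
    "winlogon.exe": "system32",
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "svchost.exe": "system32",
    "explorer.exe": "",  # lives directly in the Windows directory
}
VOWELS = set("aeiou")

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
MISSING_RE = re.compile(r"^(?:R3|O2|O4) - .*\(file missing\)$")
WINDIR_RE = re.compile(r"^[a-z]:\\(?:windows|winnt)(?:\\(.*))?\\[^\\]+$")

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
"""


@dataclass
class Finding:
    category: str  # "orphaned-entry", "random-name" or "masquerade"
    detail: str
    line: str


def extract_path(cmd: str) -> str:
    """Return the executable part of a Run command, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):  # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parent_rel_windir(path: str) -> Optional[str]:
    """Directory of path relative to C:\\WINDOWS or C:\\WINNT; None if elsewhere."""
    m = WINDIR_RE.match(path.lower())
    return None if m is None else (m.group(1) or "")


def looks_random(name: str) -> bool:
    """Heuristic: six or more letters with no a/e/i/o/u ('ljbtyplq', 'zzvbpxmm')."""
    stem = name.split(".", 1)[0]
    return stem.isalpha() and len(stem) >= 6 and not (set(stem.lower()) & VOWELS)


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if MISSING_RE.match(line):
            findings.append(Finding("orphaned-entry",
                                    "registered component whose file is gone", line))
            continue
        m = O4_RE.match(line)
        if m is None:
            continue
        name, path = m.group("name"), extract_path(m.group("cmd"))
        base = basename(path)
        if base in SYSTEM_BINARIES:
            expected = SYSTEM_BINARIES[base]
            # Compare directories, not just names: the real binary is elsewhere.
            if parent_rel_windir(path) != expected:
                findings.append(Finding(
                    "masquerade",
                    f"{base} launched from {path}; the real one is in <windir>\\{expected}",
                    line))
        if looks_random(name) or looks_random(base):
            findings.append(Finding("random-name", f"key [{name}] runs {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:15} {f.detail}\n    {f.line}")
```

On the sample it reports the orphaned PerfectNav hook, the random-name zzvbpxmm.exe autorun and the winlogon.exe masquerade, and stays quiet on the McAfee, QuickTime and SysTray entries. The masquerade check deliberately compares the directory as well as the file name: rand1038 reproduces a boot failure later in this thread by deleting winlogon.exe, which is why a cleanup must target the copy outside system32 and leave the genuine one alone.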
#3  March 9th, 2004, 11:16 AM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

Help! OK, I fixed the things in HijackThis that you said. I went to reboot and now I can't get on. It started fine and went to the Windows opening, and then went to a blue screen, and it just sits on the blue screen. I don't know what to do; can someone help me? I am on my other computer.
#4  March 9th, 2004, 11:20 AM
Shadowwar (Spyware Expert; Join Date: Feb 2004; Posts: 297)
Re: help hijack log netsky virus for sure

Can you start in safe mode? What was the blue screen message?
__________________
Rich Matteo

Malwarebytes Researcher
#5  March 9th, 2004, 11:59 AM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

I can't start in safe mode either. There is no message on the blue screen. I can get to the page that says Microsoft 2000 starting up, then it goes to a light blue screen that is totally blank; it makes a lot of noise like it is trying to run and then just sits on the blue screen.
#6  March 9th, 2004, 01:01 PM
LowWaterMark (Administrator; Join Date: Aug 2002; Location: New England; Posts: 15,521)
Re: help hijack log netsky virus for sure

Apple,

Did you just fix those 7 items in HijackThis, or did you do more during that first pass? Did you delete the files that were recommended, or were you rebooting after just the HJT fixes? Specific information on this may help determine what went wrong and then how to fix it.

What OS is on the other system you are using now? (In case we need files from there to help the other system.)
#7  March 9th, 2004, 01:09 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

I fixed the 7 items only; then it said to reboot, which is when I could no longer get on. Not sure what you mean by OS?
#8  March 9th, 2004, 01:15 PM
LowWaterMark (Administrator; Join Date: Aug 2002; Location: New England; Posts: 15,521)
Re: help hijack log netsky virus for sure

Okay, so you were in HijackThis, checked the 7 items recommended and hit Fix. Then you rebooted and the system wouldn't come up (stuck at the blue boot-up screen)?

We need to be very clear and specific here because it makes a lot of difference figuring out what, out of all the different things, might have gone wrong.

This will have to be looked at to determine the best approach here. Stand-by.

As to OS I was asking what version of Windows you have on your second PC in case there is something that could be copied from there to the other PC.
#9  March 9th, 2004, 01:23 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

Yep, I checked the 7 items and hit Fix and then rebooted. It goes to the Microsoft 2000 logo and says starting up, and then it goes to a light blue screen and sounds like it is loading, but it just stays on the blue screen. How can I tell what version of Windows is on the computer I am now using?
Thanks for your help; as you can see, I am really lost.
#10  March 9th, 2004, 01:42 PM
LowWaterMark (Administrator; Join Date: Aug 2002; Location: New England; Posts: 15,521)
Re: help hijack log netsky virus for sure

Quote (apple): How can I tell what version of Windows is on the computer I am now using?

Let's see... Probably the easiest is to right-click on the "My Computer" icon on your desktop and choose the "Properties" item. That brings up a system summary screen which includes the Windows version.

We have a call out for people to take a look at this thread to help determine the problem. It is a rare case where a normal Fix operation causes a problem like this, but sometimes this spyware is so embedded on a system that removing it is a difficult task.
#11  March 9th, 2004, 01:46 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

I am using Windows 2000 5.00.2195 Service Pack 4.
#12  March 9th, 2004, 02:39 PM
rand1038 (Posts: n/a)
Re: help hijack log netsky virus for sure

Two suggestions at this point, perhaps I will have some more once I get home and have access to my win2000 install.

Let it sit at the screen it gets to for 10 minutes or so; perhaps a driver is hanging, which may eventually clear and allow the system to finish loading. While you are waiting for it to start, try <ctrl><alt><del> periodically to see if you can launch Task Manager. If you can, then go to File > New Task, type explorer.exe in the box, and press Enter.

If you can get Task Manager to open but not Explorer to run, let us know what you see under the Applications, Processes and Performance tabs.
#13  March 9th, 2004, 03:06 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

I let the screen sit there for 20 minutes and nothing; also, when I hit Ctrl-Alt-Del nothing happens. I tried this numerous times.
#14  March 9th, 2004, 05:13 PM
rand1038 (Spyware Fighter; Join Date: Mar 2004; Posts: 13)
Re: help hijack log netsky virus for sure

I was able to reproduce the problem by deleting winlogon.exe; however, my system did reboot itself, so that may not be the cause of your worries.

When you attempt to boot into safe mode, on the options screen, try "Last Known Good Configuration".

Do you know if the down system is using an NTFS or a FAT32 file system?
Do you have a Windows 2000 installation CD available (not the recovery CDs they give you when you buy a computer)?
__________________
"I would rather be bruised by truth than caressed by lies."
#15  March 9th, 2004, 05:50 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

I'm not sure on the NTFS or FAT32 file system; how could I tell? I found 2 CDs: one says Microsoft Windows 2000 Professional and the other says Microsoft Windows 2000 Professional Step by Step Interactive. I will try to boot again in safe mode, Last Known Good Configuration.
#16  March 9th, 2004, 06:00 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

Went to Last Known Good Configuration and it says original configuration. I also noticed in safe mode "Directory Services Restore Mode (Windows 2000 domain controllers only)". I did not go to original configuration and try it; I was not sure if I should.
#17  March 9th, 2004, 08:03 PM
rand1038 (Spyware Fighter; Join Date: Mar 2004; Posts: 13)
Re: help hijack log netsky virus for sure

Ok, this is good. We have a few options. We'll save the last known good configuration for later if necessary as your problem sounds more like a corrupt or missing file. The first thing to try is booting into safe mode with command prompt. Can you do that?
__________________
"I would rather be bruised by truth than caressed by lies."
#18  March 9th, 2004, 10:07 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

Safe mode with command prompt goes to the blue screen also, so no, I can't do that either.
#19  March 9th, 2004, 10:33 PM
rand1038 (Spyware Fighter; Join Date: Mar 2004; Posts: 13)
Re: help hijack log netsky virus for sure

OK, looks like we'll have to use the Recovery Console.
Turn on the computer; after it passes the boot screen, open the CD drive and put the Windows 2000 CD-ROM into the drive, close it, and turn the computer off and back on. It should boot from the CD.

When the option comes up, choose Recovery Console.

When you are prompted for an administrator password, enter it; if you don't have one, just press <enter> (it is blank by default).
<s> means hit the space bar one time.
You should get a c:> prompt.
Type dir<s>c:\winnt\system32 and press <enter>.

Is there a file called winlogon.exe listed?
__________________
"I would rather be bruised by truth than caressed by lies."
#20  March 9th, 2004, 10:55 PM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

OK, so I put the CD in and it does not do anything. I tried both CDs and it is not loading from either.
#21  March 9th, 2004, 11:59 PM
rand1038 (Spyware Fighter; Join Date: Mar 2004; Posts: 13)
Re: help hijack log netsky virus for sure

This is going to take more interaction than is possible on the board here. There are some extremely knowledgeable folks at the SpywareInfo chat room. Go to this page to get a Java IRC chat client (unless you already have one). Join the channel they have on that page and let the people there know of your problem (you can post a link to this thread into the room). They will be able to walk you through it live. This time of day is the best time to go there, as it is usually very active.

If you already have a client, the server is
irc.dixiesys.net
The channel is #privacy
__________________
"I would rather be bruised by truth than caressed by lies."
#22  March 10th, 2004, 01:47 AM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

Thanks for all your help.
#23  March 10th, 2004, 07:05 AM
rand1038 (Spyware Fighter; Join Date: Mar 2004; Posts: 13)
Re: help hijack log netsky virus for sure

Let us know how things work out.
__________________
"I would rather be bruised by truth than caressed by lies."
#24  March 10th, 2004, 07:25 AM
Mosaic1 (Posts: n/a)
Re: help hijack log netsky virus for sure

Check your BIOS to be sure it is loading the CD drive before the hard drive, or it won't boot to the CD. You say nothing is happening? Does the regular boot start, or does everything just sit there doing nothing?
#25  March 10th, 2004, 11:17 AM
apple (Infrequent Poster; Join Date: Mar 2004; Posts: 49)
Re: help hijack log netsky virus for sure

The regular boot starts; I will try checking on this.