help hijack log netsky virus for sure

Discussion in 'adware, spyware & hijack cleaning' started by apple, Mar 9, 2004.

Thread Status:
Not open for further replies.
  1. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    Hi, I need my log looked at, I know I have the netsky virus and that there is spyware but not sure how to get rid of it.
    Thanks

    Logfile of HijackThis v1.97.7
    Scan saved at 8:07:39 AM, on 3/9/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\msdtc.exe
    C:\PROGRA~1\avgserv.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
    C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
    C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
    C:\WINDOWS\System32\mqsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
    C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    C:\WINDOWS\system32\P2P Networking\P2P Networking.exe
    C:\PROGRA~1\avgcc32.exe
    C:\Program Files\Microsoft Office\Office\Osa.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\avgw.exe
    C:\Documents and Settings\regine\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:80
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\Program Files\SVA Player\SVAPLAYER.DLL (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SVAPlayer] C:\Program Files\SVA Player\SVAPLAYER.EXE
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [Tray Temperature] C:\Program Files\AWS\MiniBug\MiniBug.exe 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
    O4 - HKLM\..\RunOnce: [SpyBotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Startup: SpywareGuard.lnk = SpywareGuard\sgmain.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: PartyPoker.com (HKLM)
    O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {01645AFE-97C0-4D3D-8754-A1FDF8C5FFB5} (Bash Control) - http://mirror.worldwinner.com/games/v40/bash/bash.cab
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {04063354-A10E-4427-A1EC-F3CC81587BC6} (Mines Control) - http://mirror.worldwinner.com/games/v40/mines/mines.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {2C153C75-8476-434B-B3C3-57B63A3D1939} (Brickout Control) - http://mirror.worldwinner.com/games/v42/brickout/brickout.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {41D1977F-4161-4720-800F-EA4903983A38} (Puzzle Control) - http://mirror.worldwinner.com/games/v41/jigsaw/jigsaw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://www.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {6C6FE41A-0DA6-42A1-9AD8-792026B2B2A7} (FreeCell Control) - http://mirror.worldwinner.com/games/v40/freecell/freecell.cab
    O16 - DPF: {6F6DBC29-7A0C-4AC0-A42D-10EC70678526} (Word Cubes Control) - http://mirror.worldwinner.com/games/v40/wordcube/wordcube.cab
    O16 - DPF: {7BC394DE-07B8-412B-9F98-52E7E7A4ABD4} (Pencil Wars Control) - http://mirror.worldwinner.com/games/v42/territory/territory.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8BDF4BDB-7C40-4DC8-B2DD-138D8059698C} (Focus Control) - http://mirror.worldwinner.com/games/v40/focus/focus.cab
    O16 - DPF: {90B7E2B3-2E56-4571-9E54-823E33C4B4B4} (TracMan Control) - http://mirror.worldwinner.com/games/v46/tracman/tracman.cab
    O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://mirror.worldwinner.com/games/v40/sol/sol.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37617.7484953704
    O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partners/shockwave/blasterball2Remix/install.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E5EF1E59-8AFD-425A-9F30-817FD6507215} (Darts Control) - http://mirror.worldwinner.com/games/v40/darts/darts.cab
     
  2. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    First, please move HijackThis out of the temp directory (extract it from the zip) into a permanent folder. Example:
    c:\program files\hijackthis\hijackthis.exe

    This will allow backups to be made and saved by HijackThis in case something goes wrong.


    Please close all windows and Internet Explorer instances, and check-mark the following items only in HijackThis.
    R3 - URLSearchHook: PerfectNavBHO Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing)
    O2 - BHO: (no name) - {1E6F1D6A-1F20-11D4-8859-00A0CCE26836} - C:\Program Files\SVA Player\SVAPLAYER.DLL (file missing)
    O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\system32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
    O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth



    Click the fix button. Close hijackthis.

    I recommend you dump Kazaa, as it's loaded with adware. It is also a haven for a lot of viruses, which may be how you got it in the first place.
    You may want to see here:
    http://www.spywareinfoforum.com/articles/p2p

    Reboot and show hidden files and folders per the link in my signature.
    Please delete the following files or folders.

    Files:
    C:\WINDOWS\winlogon.exe
    C:\WINDOWS\zzvbpxmm.exe
    Folders:



    Run a new log and post it here
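    The two entries above that get this machine into trouble are worth a closer look, because they show the pattern a practitioner checks for in any autorun listing: a core Windows binary name (winlogon.exe) started from the wrong directory (C:\WINDOWS instead of C:\WINDOWS\system32, where the genuine copy is already running per the process list), and an executable with a random-looking name (zzvbpxmm.exe). The following script is an added example and is not part of this thread or of HijackThis; it parses registry-backed O4 lines of the form printed by HijackThis 1.97, extracts the executable from the command line, and flags both patterns. It assumes %SystemRoot% is C:\WINDOWS, as this log shows, and the sample lines are constructed in the shape of the posted log. The "no vowels in the file name" rule is a heuristic assumption, not a HijackThis rule.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of HijackThis 1.97 O4 (registry Run key) lines.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ljbtyplq] C:\WINDOWS\zzvbpxmm.exe
O4 - HKLM\..\Run: [ICQ Net] C:\WINDOWS\winlogon.exe -stealth
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\avgcc32.exe /STARTUP
"""

# Registry-backed O4 lines:  O4 - HKLM\..\Run: [Name] command line
O4_REG = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Core Windows binaries and the directory (relative to %SystemRoot%) the real one lives in.
# Assumption for this example: Windows 2000 with %SystemRoot% = C:\WINDOWS.
CORE_BINARIES = {
    "winlogon.exe": "system32",
    "lsass.exe": "system32",
    "services.exe": "system32",
    "svchost.exe": "system32",
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "explorer.exe": "",
}

@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    exe: str    # executable path exactly as written in the log
    args: str

@dataclass
class Finding:
    entry: O4Entry
    reason: str

def split_command(cmd: str):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), ""
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")

def parse_o4(log_text: str) -> List[O4Entry]:
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if not m:
            continue  # Startup-folder forms (O4 - Startup: x.lnk = ...) are not handled here
        exe, args = split_command(m.group("cmd"))
        entries.append(O4Entry(m.group("hive"), m.group("key"), m.group("name"), exe, args))
    return entries

def check_entry(e: O4Entry, system_root: str = r"C:\WINDOWS") -> Optional[Finding]:
    base = ntpath.basename(e.exe).lower()
    directory = ntpath.dirname(e.exe)
    expected_dir = CORE_BINARIES.get(base)
    if expected_dir is not None:
        if not directory:
            # A bare file name is resolved through the search path at boot and
            # cannot be confirmed from the log alone.
            return Finding(e, f"{base} referenced without a full path")
        expected = ntpath.normcase(ntpath.join(system_root, expected_dir)).rstrip("\\")
        if ntpath.normcase(directory).rstrip("\\") != expected:
            return Finding(e, f"{base} loaded from {directory}, expected {expected}")
        return None
    # Heuristic (assumption): a name of 6+ letters with no vowels is usually generated.
    stem = ntpath.splitext(base)[0]
    if len(stem) >= 6 and stem.isalpha() and not any(c in "aeiouy" for c in stem):
        return Finding(e, f"random-looking file name {base}")
    return None

def audit(log_text: str, system_root: str = r"C:\WINDOWS") -> List[Finding]:
    """Return the suspicious O4 entries, in log order."""
    return [f for f in (check_entry(e, system_root) for e in parse_o4(log_text)) if f]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f.entry.name}] {f.entry.exe} {f.entry.args}  <-  {f.reason}")
```

    The path comparison is the part that matters: the log's own process list shows C:\WINDOWS\system32\winlogon.exe running as the real logon process, so the copy in C:\WINDOWS is the one to remove, and the genuine file in system32 must be left alone. Deleting the wrong one is exactly the kind of mistake that leaves a machine unbootable.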
     
  3. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    Help, Ok I fixed the things in hijack this that you said. I went to reboot and now I can't get on. It started fine and went to windows opening and then went to a blue screen and it just sits on the blue screen. I don't know what to do can someone help me. I am on my other computer.
     
  4. Shadowwar

    Shadowwar Spyware Expert

    Joined:
    Feb 26, 2004
    Posts:
    305
    Can you start in safe mode? What was the blue screen message?
     
  5. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    I can't start in safe mode either. There is no message on the blue screen. I can get to the page that says Microsoft 2000 starting up, then it goes to a light blue screen that is totally blank; it makes a lot of noise like it is trying to run and then just sits on the blue screen.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Apple,

    Did you just fix those 7 items in HijackThis, or did you do more during that first pass? Did you delete the files that were recommended, or were you rebooting after just the HJT fixes? Specific information on this may help determine what went wrong and then how to fix it.

    What OS is on the other system you are using now? (In case we need files from there to help the other system.)
     
  7. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    I fixed the 7 items only, then it said to reboot, which is when I could no longer get on. Not sure what you mean by OS?
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Okay, so you were in HijackThis, checked the 7 items recommended and hit Fix. Then you rebooted and the system wouldn't come up (stuck at the blue boot-up screen)?

    We need to be very clear and specific here because it makes a lot of difference figuring out what, out of all the different things, might have gone wrong.

    This will have to be looked at to determine the best approach here. Stand-by.

    As to OS I was asking what version of Windows you have on your second PC in case there is something that could be copied from there to the other PC.
     
  9. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    Yep, I checked the 7 items and hit Fix and then rebooted. It goes to the Microsoft 2000 logo and says starting up, and then it goes to a light blue screen and sounds like it is loading, but it just stays on the blue screen. How can I tell what version of Windows is on the computer I am now using?
    Thanks for your help; as you can see I am really lost.
     
  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Let's see... Probably the easiest is to right-click on the "My Computer" icon on your desktop and choose the "Properties" item. That brings up a system summary screen which includes the Windows version.

    We have a call out for people to take a look at this thread to help determine the problem. It is a rare case where a normal Fix operation causes a problem like this, but sometimes this spyware is so embedded on a system that removing it is a difficult task.
     
  11. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    I am using windows 2000 5.00.2195 service pack 4
     
  12. rand1038

    rand1038 Guest

    Two suggestions at this point, perhaps I will have some more once I get home and have access to my win2000 install.

    Let it sit at the screen it gets to for 10 minutes or so; perhaps a driver is hanging, which may eventually clear and allow the system to finish loading. While you are waiting for it to start, try <ctrl><alt><del> periodically to see if you can launch Task Manager. If you can, then go to File > New Task, type explorer.exe in the box and press Enter.

    If you can get task manager to open but not explorer to run let us know what you see under the Applications, Processes and Performance tabs.
     
  13. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    I let the screen sit there for 20 minutes and nothing. Also, when I hit Ctrl+Alt+Del nothing happens; I tried this numerous times.
     
  14. rand1038

    rand1038 Spyware Fighter

    Joined:
    Mar 9, 2004
    Posts:
    13
    I was able to reproduce the problem by deleting winlogon.exe; however, my system did reboot itself, so that may not be the cause of your worries.

    When you attempt to boot into safe mode, on the options screen, try "last known good configuration"

    Do you know if the down system is using an NTFS or a FAT32 file system?
    Do you have a windows 2000 installation CD available (not the recovery cds they give you when you buy a computer).
     
  15. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    I'm not sure on the NTFS or FAT32 file system; how could I tell? I found 2 CDs: one says Microsoft Windows 2000 Professional and the other says Microsoft Windows 2000 Professional Step by Step Interactive. I will try to boot again in safe mode with last known good configuration.
     
  16. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    Went to last known good configuration and it says original configuration. I also noticed in safe mode "directory services restore mode (Windows 2000 domain controllers only)". I did not go to original configuration and try it, as I was not sure if I should.
     
  17. rand1038

    rand1038 Spyware Fighter

    Joined:
    Mar 9, 2004
    Posts:
    13
    Ok, this is good. We have a few options. We'll save the last known good configuration for later if necessary as your problem sounds more like a corrupt or missing file. The first thing to try is booting into safe mode with command prompt. Can you do that?
     
  18. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    safe mode with command prompt goes to the blue screen also, so no I can't do that either.
     
  19. rand1038

    rand1038 Spyware Fighter

    Joined:
    Mar 9, 2004
    Posts:
    13
    Ok, looks like we'll have to use the recovery console.
    Turn on the computer; after it passes the boot screen, open the CD drive and put the Windows 2000 CD-ROM into the drive, close it, and turn the computer off and back on. It should boot from the CD.

    When the option comes up choose recovery console

    When you are prompted for an administrator password enter it, if you don't have one just press <enter> (it is blank by default).
    <s> means hit the space bar one time
    You should get a c:> prompt
    Type dir<s>c:\winnt\system32 and press <enter>

    Is there a file called winlogon.exe listed?
     
  20. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    OK, so I put the CD in and it does not do anything. I tried both CDs and it is not loading from either.
     
  21. rand1038

    rand1038 Spyware Fighter

    Joined:
    Mar 9, 2004
    Posts:
    13
    This is going to take more interaction than is possible on the board here. There are some extremely knowledgeable folks at the SpywareInfo chat room. Go to this page to get a Java IRC chat client (unless you already have one). Join the channel they have on that page and let the people there know of your problem (you can post a link to this thread into the room). They will be able to walk you through it live. This time of day is the best time to go there, as it is usually very active.

    If you already have a client, the server is
    irc.dixiesys.net
    The channel is #privacy
     
  22. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    thanks for all your help
     
  23. rand1038

    rand1038 Spyware Fighter

    Joined:
    Mar 9, 2004
    Posts:
    13
    Let us know how things work out.
     
  24. Mosaic1

    Mosaic1 Guest

    Check your BIOS to be sure it is loading the CD drive before the hard drive, or it won't boot to the CD. You say nothing is happening? Does the regular boot start, or does everything just sit there doing nothing?
     
  25. apple

    apple Registered Member

    Joined:
    Mar 9, 2004
    Posts:
    49
    The regular boot starts. I will try checking on this.
     