infected by Netsky, hijacked by who knows who


yolagp
05-08-2004, 10:28 AM
Hi, I've been trying to help a friend of mine to get rid of lots of pests he had in his computer.
I ran SpybotS&D and Adaware. Adaware found some pests, but SpybotS&D found everything was all right. His connection is very slow, so I downloaded Stinger and scanned his computer, and found out that Netsky had infected his system. This is the log:
McAfee AVERT Stinger Version 2.2.5 built on May 4 2004
Copyright (C) 2004 Networks Associates Technology, Inc. All Rights Reserved.
Virus data file v1000 created on May 4 2004.
Ready to scan for 41 viruses, trojans and variants.

Scan initiated on Sat May 08 15:14:54 2004
C:\WINDOWS\zip1.tmp\zip1.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\WINDOWS\zip1.tmp\zip1.tmp could not be repaired.
C:\WINDOWS\zip2.tmp\zip2.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\WINDOWS\zip2.tmp\zip2.tmp could not be repaired.
C:\WINDOWS\zip3.tmp\zip3.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\WINDOWS\zip3.tmp\zip3.tmp could not be repaired.
Number of clean files: 43746
Number of infected files: 3

I disabled system restore, rebooted and ran hijackthis. This is the log:

Logfile of HijackThis v1.97.7
Scan saved at 16:06:06, on 08/05/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\PRINTRAY.EXE
C:\ARCHIVOS DE PROGRAMA\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\ARCHIVOS DE PROGRAMA\CREATIVE\SBLIVE\AUDIOHQ\AHQTB.EXE
C:\ARCHIVOS DE PROGRAMA\CREATIVE\VIDEO BLASTER WEBCAM CONTROL\CAMTRAY.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\AUDIOSYSTEM EWS88 MT\MTPANEL.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\ARCHIVOS DE PROGRAMA\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\ESCRITORIO\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\Archivos de programa\Copernic 2000 Pro\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - C:\Archivos de programa\Copernic 2000 Pro\CopernicFind.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: @msdxmLC.dll,-1@3082,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Detector de disco] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Archivos de programa\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [Disc Detector] C:\Archivos de programa\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Archivos de programa\Creative\Video Blaster WebCam Control\CAMTRAY.EXE
O4 - HKLM\..\Run: [Register MediaRing Talk] C:\Archivos de programa\MediaRing Talk\register.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\ARCHIV~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DATA BECKER Reminder] C:\Archivos de programa\DATA BECKER\Impresión de Tarjetas de Cumpleaños\No me olvides\BDR.EXE Check
O4 - HKLM\..\Run: [REGSHAVE] C:\Archivos de programa\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [PavProc] C:\Archivos de programa\Archivos comunes\Panda Software\PavShld\PavPrS9x.exe
O4 - Startup: ControlPanel.lnk = C:\Archivos de programa\AudioSystem EWS88 MT\MtPanel.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Archivos de programa\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O8 - Extra context menu item: Search Using Copernic - file://C:\Archivos de programa\Copernic 2000 Pro\Search Extension.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra 'Tools' menuitem: Launch Copernic (HKLM)
O9 - Extra button: Copernic (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time (HKLM)
O12 - Plugin for .mp3: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mid: C:\ARCHIV~1\INTERN~1\PLUGINS\npqtplugin2.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (Control HouseCall) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

(Sometimes I think my friends over-estimate my capacity for this stuff, but then I think it's nice to have such friends! They make me feel useful)
My questions are: how can I delete Netsky completely from his system? What do you think about this Hijackthis log?

Thank you for your help!
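
As an added illustration, not part of this thread or of any McAfee tool: a small Python parser for the Stinger output format quoted above, which ties each "Found the ... virus" line to the file path printed before it, marks files Stinger "could not be repaired" as still needing manual removal, and cross-checks the per-file findings against the scanner's own "Number of infected files" count. The sample text is a constructed copy of the Stinger lines in the post.

```python
import re
from dataclasses import dataclass
# Constructed sample: the Stinger lines quoted in the post above, minus the banner.
STINGER_LOG = """\
Scan initiated on Sat May 08 15:14:54 2004
C:\\WINDOWS\\zip1.tmp\\zip1.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\\WINDOWS\\zip1.tmp\\zip1.tmp could not be repaired.
C:\\WINDOWS\\zip2.tmp\\zip2.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\\WINDOWS\\zip2.tmp\\zip2.tmp could not be repaired.
C:\\WINDOWS\\zip3.tmp\\zip3.tmp
Found the W32/Netsky.p@MM!zip virus !!!
C:\\WINDOWS\\zip3.tmp\\zip3.tmp could not be repaired.
Number of clean files: 43746
Number of infected files: 3
"""

@dataclass
class Detection:
    path: str
    name: str
    repaired: bool  # False once Stinger reports "could not be repaired"

FOUND_RE = re.compile(r"^Found the (\S+) virus")
UNREPAIRED_RE = re.compile(r"^(.+) could not be repaired\.$")
SUMMARY_RE = re.compile(r"^Number of infected files: (\d+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a bare Windows path line names the scanned file

def parse_stinger(text):
    """Return (detections, reported_count); a Found line belongs to the preceding path line."""
    detections, reported, last_path = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if (m := FOUND_RE.match(line)) and last_path:
            detections.append(Detection(last_path, m.group(1), True))
        elif m := UNREPAIRED_RE.match(line):
            for d in detections:
                if d.path == m.group(1):
                    d.repaired = False  # file still needs manual removal
        elif m := SUMMARY_RE.match(line):
            reported = int(m.group(1))
        elif PATH_RE.match(line):
            last_path = line
    return detections, reported

def needs_manual_cleanup(text):
    """Unrepaired paths, plus whether per-file findings match the scanner's own count."""
    dets, reported = parse_stinger(text)
    return [d.path for d in dets if not d.repaired], len(dets) == reported
```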

Budfred
05-08-2004, 10:53 AM
Do a Google search for Netsky removal tools, here is one from Symantec:

http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html

I don't see anything bad in the log.... There are a couple of things that are not well identified, but that may be a language thing.... IE needs to be updated and that suggests that WinME probably needs updates too...

Steve
05-08-2004, 10:54 AM
Hi yolagp,

You can get the Netsky removal tool Here (http://securityresponse.symantec.com/avcenter/venc/data/w32.netsky@mm.removal.tool.html).

I don't see much wrong with that HJT log but others might see things I'm missing...:)

Edit: Hehe...you gotta be quick around here...;)

yolagp
05-08-2004, 02:06 PM
Thank you for your replies! I think I removed Netsky (last scan with Netsky-removal tool told me it couldn't find Netsky in the system) then I downloaded Bitdefender from Budfred's links (thanks) and removed every suspicious file, all the log files and internet temporary stuff, and it looks clean now. I will scan once more just in case. Thank you for your help.
EDIT: Seems my friend has a lot of infected stuff in his mail. All infected files point to his identity in Outlook Express. Right now I can't access him, and I wonder if it will re-infect everything all over again to keep it there, untouched, as I don't know how to handle his mail if he isn't here.

Budfred
05-08-2004, 02:55 PM
When your friend accesses the mail, make sure it is set to view only the first couple of lines in text and NOT to preview the message. Pick one file to delete and then use the CTRL key to select all the other files, then DELETE.... Make sure the Deleted Items directory is also NOT set to preview and empty it as soon as you finish deleting the infected mail. Then with OE on Deleted Items, go to tools and the option to Restore deleted items. Open that, select all items there and delete them... That should pretty well clear them out of the system....

yolagp
05-12-2004, 05:03 AM
Thank you for your help. Sorry I didn't say anything until today, my friend got ill so we stopped, and as soon as he gets better we'll go on. Budfred's explanations are so clear that I think we won't have any problem. Thank you.