
Netsky Virus??

Discussion in 'Virus & Other Malware Removal' started by shesun4givn2, Apr 15, 2004.

Thread Status:
Not open for further replies.
  1. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Hi folks it's me again. :D :D

    This PC I'm currently working on is running WinME. The user said she received several emails in the past 2-3 days indicating she had the netsky virus. I explained that just because she had emails returning to her indicating her computer was infected didn't mean it WAS infected .. that it could be due to another infected computer with her email addy in it. She, however, had opened each and every email telling her she was infected and quite possibly is infected NOW. :eek: She says each time she boots up she has LOADS of errors. She has not been able to access either her CD-ROM drive nor her CDRW drive, nor has she been able to run many of her programs at all. :rolleyes:

    When I boot her WinME pc up, I have to go through a multitude (the quantity of this error varies with each boot) of:
    DVP for Windows 95: Virus detected:
    C:\WINDOWS\SYSTEM\ (various and sundry file names) could be infected with an unknown virus


    Along with at least one:

    Error Starting Program
    A Required .DLL file, C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE, was not found.


    I've had very little experience with WinME. Does it have system restore and would it be advisable for me to try to restore to a point prior to infection ... say ... April 1, 2004? Do I need to try to eliminate the virus(es) before restoring? Do I need to have her recycle this pc as a doorstop? :D :D

    Any ideas/help would be greatly appreciated. :p
     
  2. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    When I ran HJT on her pc and saved the log, I received a message stating:
    NOTEPAD could be infected with a virus.

    I put the diskette in my pc and ran Trend Micro's Housecall on it and it showed no virus. Is it safe to open on my pc so I can post a copy of her log here?
     
  3. dai

    dai

    Joined:
    Mar 6, 2003
    Messages:
    11,198
  4. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    I tried to access System Restore through Start>Programs>Accessories>System Tools>System Restore and get the message:

    System Restore cannot run until you restart the computer. Please restart the computer, and then run System Restore again.

    I've restarted several times and get this same message each time I try to run System Restore. :(
     
  5. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Hi ya Dai! :) I'll download that tool now. I have the stinger tool as well. I don't have anything yet that is telling me exactly what virus she does have ... just her comment about the emails she has since deleted. Do you think this IS netsky virus?

    Also, she has several things in her HJT that I believe are questionable. Do you think it's safe for me to open her log in my A drive since Housecall shows the file to be clean?
     
  6. dai

    dai

    Joined:
    Mar 6, 2003
    Messages:
    11,198
    It sounds like restore is corrupted.
    Try to delete the virus with the tool and then run the System File Checker.
     
  7. dai

    dai

    Joined:
    Mar 6, 2003
    Messages:
    11,198
    You will need to know what virus it is to d/l the tool.
    Check the disk for viruses with another online check (Panda has one) before opening it up.
     
  8. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Thanks Dai. :) I don't currently have access online with the infected pc. I'm running the fxnetsky removal tool now although I keep having to 'OK' the many DVP for Windows 95: Virus detected messages so the fix can continue running. I'll give you an update as soon as it's through.

    The pc I'm working on isn't currently connected to the internet. She does have Command AntiVirus software installed, but she hasn't updated her DAT files in months, nor has she purchased any continuing updates.
     
  9. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    The Fxnetsky tool has completed and says 'Netsky Virus was not found on this computer.'

    I'm currently setting up Panda's online scanner to scan the disk in drive A so I can, hopefully, post the HJT log. :D
     
  10. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Ooooooook. :D Here's her HJT log.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:33:32 PM, on 4/15/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\WINUPD.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\PROGRAM FILES\COMMAND SOFTWARE\F-PROT95\CSS_1631.EXE
    C:\PROGRAM FILES\COMMAND SOFTWARE\F-PROT95\DVPAPI9X.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRA~1\COMMAN~1\F-PROT95\DVP95.EXE
    C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    C:\PROGRAM FILES\N-CASE\MSBB.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSUPD.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\WEATHERCAST\WEATHER.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
    C:\WINDOWS\SYSTEM\WINUPD.EXE
    C:\PROGRAM FILES\SCREENART\WILLOWRD.EXE
    C:\LOTUS\SMARTCTR\SMARTCTR.EXE
    C:\LOTUS\SMARTCTR\SUITEST.EXE
    C:\LOTUS\WORDPRO\LTSSTART.EXE
    C:\LOTUS\REGISTER\REMIND32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cox-internet.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
    O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [DVP95] C:\PROGRA~1\COMMAN~1\F-PROT95\DVP95.EXE
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
    O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
    O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
    O4 - HKLM\..\Run: [pujevar] C:\WINDOWS\pujevar.exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
    O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
    O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape 6\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [SPYKILLER] C:\PROGRAM FILES\SPYWARE KILLER\SPYWAREKILLER.EXE /BOOT
    O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\SYSTEM\winupd.exe
    O4 - Startup: F-AGENT 95.lnk = C:\Program Files\Command Software\F-PROT95\F-AGENT.exe
    O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
    O4 - Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
    O4 - Startup: Lotus SmartCenter 97.lnk = C:\lotus\smartctr\smartctr.exe
    O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
    O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
    O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.compute-inc.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7801736111
    O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20034713
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
     
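The thread works through the log above by eye. As an added example (not from the thread, and not a HijackThis feature), the script below does a first-pass triage of the same log format: O10 Winsock entries are always reported, R0/R1 start and search settings are reported when their host is not one the operator expects, O4 autostarts are reported when the target sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM and is not a known Windows ME component, and a process listed twice under "Running processes" is reported. The allowlists of Windows ME components and expected hosts, and the function names, are assumptions chosen for this box; the embedded sample is an excerpt of the log posted above. A hit means "look at this next", not "this is malware".

```python
r"""Triage pass over a HijackThis v1.x log (added example, not from the thread).

Heuristics: O10 entries are always flagged; R0/R1 settings are flagged when
their host is not in EXPECTED_HOSTS; O4 autostarts are flagged when the target
sits directly in C:\WINDOWS or C:\WINDOWS\SYSTEM and is not a known Windows ME
component; a process listed more than once is flagged. Allowlists are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumption: Windows ME components that legitimately autostart from the
# system directories. Illustrative, not complete.
KNOWN_SYSTEM_AUTOSTARTS = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe",
    "mstask.exe", "ssdpsrv.exe", "stimon.exe",
}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system"}
# Assumption: the ISP home page seen in the log plus Microsoft's own search.
EXPECTED_HOSTS = {"cox-internet.com", "www.microsoft.com"}

O4_RUN = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")
R_ENTRY = re.compile(r"^(?P<kind>R[01]) - (?P<key>.+?) = (?P<url>\S+)$")

# Constructed sample: an excerpt of the log posted in the thread, not a full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\SYSTEM\WINUPD.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\SYSTEM\WINUPD.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cox-internet.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [pujevar] C:\WINDOWS\pujevar.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape 6\Netscp.exe" -turbo
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\SYSTEM\winupd.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
"""


def _target(cmd: str) -> str:
    """Executable path from an autostart command: handles quoted paths and
    unquoted paths containing spaces followed by switches (x.exe /autorun)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def _split(path: str) -> tuple[str, str]:
    """Lower-cased (directory, basename); a bare name gets an empty directory."""
    d, _, b = path.lower().rpartition("\\")
    return d, b


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (category, detail) findings in log order, duplicate processes last."""
    findings: list[tuple[str, str]] = []
    procs: Counter[str] = Counter()
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            procs[_split(line)[1]] += 1
            continue
        if line.startswith("O10 - "):   # Winsock LSP chain was modified
            findings.append(("O10 winsock hijack", line[6:]))
            continue
        m = R_ENTRY.match(line)
        if m:
            host = urlsplit(m["url"]).hostname or ""
            if host not in EXPECTED_HOSTS:
                findings.append(("unexpected start/search page", f"{m['key']} -> {host}"))
            continue
        m = O4_RUN.match(line) or O4_STARTUP.match(line)
        if m:
            d, b = _split(_target(m["cmd"]))
            if d in SYSTEM_DIRS and b not in KNOWN_SYSTEM_AUTOSTARTS:
                findings.append(("unknown autostart in system dir", f"[{m['name']}] {m['cmd']}"))
    for name, n in procs.items():
        if n > 1:
            findings.append(("process listed more than once", f"{name} x{n}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:32} {detail}")
```

Run it as-is to see the seven findings from the excerpt (the three findthewebsiteyouneed/SYSUPD/pujevar/winupd style entries, the two O10 lines, and WINUPD.EXE listed twice); to use it on a real log, replace SAMPLE_LOG with the saved log text and extend the two allowlists for the machine in front of you.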
  11. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Am currently running the stinger removal tool which $teve had previously suggested to another user who possibly had netsky virus.

    As soon as stinger started running it found numerous infections of W32/[email protected] and some W32/Bagle.gen

    Results are:

    Number of infected files 188
    Number of files repaired 2
    Number of files deleted 140

    :eek: That means 46 files are still infected eh?

    Help! :D :D
     
  12. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    OK, all 46 of the infected files which show as not repairable are of this type and range:

    C:\RESTORE\TEMP\AR0000018 - C:\RESTORE\TEMP\AR0000105
     
  13. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Personal Log, Stardate 0415.2004 :D :D :D

    I've re-run stinger (because I was still getting all the 'virus' error messages after rebooting) and this time stinger's results were:

    Number of infected files 92 (a lot of them were the same files shown as deleted the 1st time through)
    Number of files repaired 1
    Number of files deleted 20

    That leaves 70 infected files this time through. :D

    On the UP side, I have been able to get msconfig to run now. I've unchecked a lot of (I believe) unnecessary items. Now I'll reboot and try running stinger again. :D
     
  14. shesun4givn2

    shesun4givn2 Thread Starter

    Joined:
    Jul 7, 2003
    Messages:
    237
    Personal Log, Stardate 0415.2004 continued :p

    Oh what a difference an interfering (and otherwise useless), obsolete, UN-updated (but STILL running!) antivirus software can make. :D :D

    THIS time through the results were:

    Number of infected files 122
    Number of files repaired 276 (I'm still not sure how it's repairing more than it found :D )
    Number of files deleted 3

    and on the LAST run through with stinger ......

    the ONLY place it found infected files (121 of them suckers now) and it could not repair them was in the .... you guessed it! ...

    C:\RESTORE\TEMP\AR0000018.CPY - C:\RESTORE\TEMP\AR0000256.CPY

    range. :D :D :D

    I wonder, are these files part of the currently deactivated System Restore??

    Hmmmmm I think I should boot to DOS (or in safe mode) and delete these little pests. :D
     
  15. dai

    dai

    Joined:
    Mar 6, 2003
    Messages:
    11,198
    Dump the Command a/v and put the free version of AVG a/v on.
    They are probably in the restore.
    Run the System File Checker and see if it will fix it so you can get into the restore to turn it off.
    I have not used ME for years so I am very rusty on it.
     
Short URL to this thread: https://techguy.org/220690