Windows XP won't start successfully HJ this log

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Sweetjen420, Sep 26, 2005.

  1. Sweetjen420

    Sweetjen420 Private E-2

    I have recently downloaded and installed some updates for Windows XP. Ever since my pc has been acting stupid. When I restart my pc, I get the black screen saying Windows was unable to start normally, so I have to select "last known good configuration". I'm not sure if this has anything to do with the updates or what, but frustrating nonetheless. I assumed I had viruses or spyware, so I downloaded all of the programs recommended here on the site, restarted into safe mode with system restore disabled and selected to not hide any files folders etc. and did the online scans. It did find a few viruses, I deleted them which in turn made pc act funny, so I restored it....and it's still acting crazy. Please take a look at my HJ log and lemme know what ya think. I GREATLY appreciate it.

    [Inline HJT log removed. Someone will be with you shortly -Kodo]
     
    Last edited by a moderator: Sep 27, 2005
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow standard cleanup procedures as given below:

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps below:



    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file as your backups will not be safely stored.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed).

    - Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Sweetjen420

    Sweetjen420 Private E-2

    As I originally stated, yes I did do all of the steps before asking for help. I had no problems with downloading any of the programs or doing the online scans. Adaware found a few things, but not many as I run it on a regular basis anyways. I am posting the log that I saved from my bit defender scan. After running all of these programs and following all the steps, I did them all a second time just to make sure the viruses were gone. Here is the bit defender log:

    BitDefender Online Scanner



    Scan report generated at: Sat, Sep 17, 2005 - 15:54:35
    Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;

    Statistics
    Time: 00:05:24
    Files: 45249
    Folders: 1376
    Boot Sectors: 2
    Archives: 611
    Packed Files: 4612

    Results
    Identified Viruses: 14
    Infected Files: 28
    Suspect Files: 1
    Warnings: 0
    Disinfected: 0
    Deleted Files: 29

    Engines Info
    Virus Definitions: 208610
    Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins: 13
    Archive plugins: 39
    Unpack plugins: 4
    E-mail plugins: 6
    System plugins: 1

    Now, I am posting my HJT log again, now that you know that I have read and followed the instructions before asking for help. Thanks!

    Edit by chaslang: Inline log removed
     
    Last edited by a moderator: Sep 27, 2005
  4. Sweetjen420

    Sweetjen420 Private E-2

    So sorry, I forgot to attach my HJT log as an attachment. So here it is one more time, but as an attachment. Thanks for your help, it is greatly appreciated.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since BJ is not around right now, I'll try to keep you moving along.

    You need to use only one antivirus application. Pick one and uninstall the other. You have AVG and Symantec right now.

    You also need to install HJT properly per BJ's instructions. You have it on your Desktop which is also part of Documents and Settings:

    C:\Documents and Settings\Jenette\Desktop\Tools\hijackthis\HijackThis.exe
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After resolving what I said in my last message continue with these steps.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Snake SockProxy Service (or if not found look for SkServer) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Snake SockProxy Service

    If that does not work try entering the short name: SkServer

    Now exit HJT but do not reboot if it tells you to. We will be restarting HJT to fix some other items first.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - blank (file missing)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - blank (file missing)
    O4 - HKLM\..\RunServices: [Windows IP Security Service] mzyqy.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O23 - Service: Snake SockProxy Service (SkServer) - Unknown owner - C:\WINDOWS\help\svchost.exe (file missing) <--- should be gone already

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\help\svchost.exe
    C:\WINDOWS\system32\mzyqy.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
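
An added example, not part of the original thread: a small Python triage of HijackThis entries in the format quoted in the post above, flagging the traits those fix-list lines share (a missing target file, a service with an unknown owner, a core process name outside system32, an autorun with no path). The flag names, function names and the `SYSTEM32_ONLY` list are assumptions made for this illustration, and the flags are review hints rather than verdicts.

```python
import ntpath
import re

# Entries copied from the fix list above (trailing moderator annotation omitted).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM\..\RunServices: [Windows IP Security Service] mzyqy.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Snake SockProxy Service (SkServer) - Unknown owner - C:\WINDOWS\help\svchost.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \(file missing\))?$")
AUTORUN_RE = re.compile(r"^\S+: \[[^\]]*\] (?P<command>.+)$")
# Assumption: a short list of XP core process names that belong in system32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}

def triage_line(line):
    """Return (section, flags) for one HijackThis entry, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m["section"], m["body"]
    flags = []
    # The entry points at a file that no longer exists on disk.
    if body.endswith(("(file missing)", "(no file)")):
        flags.append("orphaned")
    if section == "O23":
        svc = SERVICE_RE.match(body)
        if svc and svc["owner"] == "Unknown owner":
            flags.append("unknown-owner-service")
        if svc:
            exe = ntpath.basename(svc["path"]).lower()
            folder = ntpath.dirname(svc["path"]).lower()
            # A core process name outside system32 suggests masquerading.
            if exe in SYSTEM32_ONLY and not folder.endswith("\\system32"):
                flags.append("system-name-wrong-folder")
    elif section == "O4":
        run = AUTORUN_RE.match(body)
        # No directory in the command: its real location must be confirmed by hand.
        if run and not ntpath.dirname(run["command"].split()[0]):
            flags.append("autorun-without-path")
    return section, flags

def triage_log(text):
    return [r for r in map(triage_line, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for section, flags in triage_log(SAMPLE_LOG):
        print(section, ", ".join(flags) or "no flags")
```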
     
  7. Sweetjen420

    Sweetjen420 Private E-2

    Okay, I did exactly what you said. However, after restarting in safe mode, I was unable to locate the two files that I was looking for. They were:
    C:\WINDOWS\help\svchost.exe
    C:\WINDOWS\system32\mzyqy.exe
    Should these files be there? I'm a bit confused as to why I can't find them. And just out of curiosity....what was the problem about that I was having? Was this due to the viruses that I previously had on my pc?

    I am now attaching my new HJT log after following your instructions.
    Thanks for your help! ;) Oh and btw chaslang, I deleted the AVG, and put the HJT program where BJ specified. Thanks!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sometimes HJT is able to delete problem files as we use it to fix lines. Sometimes you cannot find files because they really are not there or may have renamed themselves. Sometimes you cannot find files, due to viewing of hidden files, system files, and folders not being enabled.

    Yes your problems are due to viruses and trojans and you still have one.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to SystemManager then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, go back to HJT and select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    SystemManager

    Now exit HJT and this time allow your system to reboot. After reboot check to see if the below item no longer shows in your HJT log:

    O23 - Service: SystemManager - Unknown owner - C:\WINDOWS\sysmanager.exe (file missing)
     
  9. Sweetjen420

    Sweetjen420 Private E-2

    Okay, I did what you told me. I don't see the SystemManager in the HJT log. Does this mean we took care of it? Also I am curious since I have had so many viruses and trojans, do I need to worry about any of the files on my pc being corrupted? And how does one end up with so many viruses when you have virus protection on your pc? Almost seems as good as not having any protection. And I just wanted you to know that when I was searching for those two files that I could not find, I did make sure that viewing of hidden files and folders was enabled. I am now posting yet another HJT log so you can see where we are at now. Thanks so much!
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Having no protection would be a real bad idea and you would wind up having much bigger problems than what you had. Let's not be specific and say virus. Let's just say malware in general. It is constantly changing and new things can get into your PC before your AV or antispyware applications even know about them. So you need to constantly stay updated! You also need to perform full system scans periodically because just putting in an update does not find things already on your PC without scanning. I would not worry about corruption/infection of other files as long as you are having no problems. What you do need to do is work thru the steps in the below link. One major item you are missing is a full function firewall (which is step 3 in the below link).

    How to Protect yourself from malware!

    Your HJT log is clean so it is time to work thru this link anyway.
     
