1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Several Viruses found, but can't clean or delete...

Discussion in 'Virus & Other Malware Removal' started by outrag1, Sep 6, 2004.

Thread Status:
Not open for further replies.
Advertisement
  1. outrag1

    outrag1 Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    23
    Windows ME OS

    Location C:\_RESTORE\Temp\A0037457.cpy.....to....A0072563.cpy

    Across that range of files, there are 209 infected files with the following Virus Attributes:

    PE_Magistr.B
    Worm_Yaha.G
    Worm_Hybris.D

    I've used several virus scanning tools that successfully point these files out to me, but cannot clean/delete/quarantine because the "files are in use."

    I've tried in Safe mode and normal...with no success. Please assist as this is one of several issues I'm dealing with in trying to clean this computer.

    Thank you!

    -Bob
     
  2. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    Hi outrag1,

    Please do this. Click here to download Hijack This. Run Hijack this.
    Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

    DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

    *Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.
     
  3. outrag1

    outrag1 Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    23
    Thank you for the help, here is the hijackthis log.....

    Logfile of HijackThis v1.98.2
    Scan saved at 7:37:18 PM, on 9/6/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCIOMON.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCPFW.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMPROXY.EXE
    C:\WINDOWS\SYSTEM\DEVLDR16.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
    C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCGUIDE.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\PCCLIENT.EXE
    C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\TMOAGENT.EXE
    C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)
    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
    O4 - HKLM\..\Run: [STOPzilla] "" /autorun
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [STOPzilla Service] C:\PROGRAM FILES\STOPZILLA!\SZNTSVC.EXE
    O4 - HKLM\..\RunServices: [PCCIOMON.exe] "C:\Program Files\Trend Micro\Internet Security\PCCIOMON.exe"
    O4 - HKLM\..\RunServices: [PccPfw] C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    O4 - HKLM\..\RunServices: [tmproxy] C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
    O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe
    O16 - DPF: {52ADE293-85E8-11D2-BB22-00104B0EA281} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v7/ticker.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {0FF3E97F-433D-11D2-B31A-00A0C9B135DB} (CoDetectDigitalRiver Class) - http://ebot.digitalriver.com/v2.0-doc/dlwizard/wizard3.0.4.3.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {D10B5C22-DC60-430D-B548-489CB49A2367} (FreeScan Class) - http://alternatedownload.zeroads.com/zerospyware/landingpage/files/zsfreescan.cab
    O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1437/ftp.coupons.com/v3123/cpbrkpie.cab
    O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4389/mcfscan.cab
     
  4. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    Please go to Add/Remove programs and uninstall P2P NETWORKING.

    Run Hijack This again and put a check by these. Close all windows except Hijack This and click Fix checked

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)

    O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - (no file)

    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)

    O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART


    Find and delete:

    The C:\WINDOWS\SYSTEM\P2P NETWORKING folder

    Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

    Empty the Recycle Bin

    Turn off System Restore:

    1. Click Start, Settings, and then click Control Panel.
    2. Double-click the System icon. The System Properties dialog box appears.

    NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

    3. Click the Performance tab, and then click File System.
    4. Click the Troubleshooting tab, and then check Disable System Restore.
    5. Click OK. Click Yes, when you are prompted to restart Windows.

    Once you have cleaned the virus or other problem from the computer, reenable System Restore by following these directions

    To enable System Restore:

    1. Click Start, point to Settings, and then click Control Panel.
    2. Double-click System, and then click the Performance tab.
    3. Click File System, and then click the Troubleshooting tab.
    4. Uncheck Disable System Restore.
    5. Click OK. Click Yes, when you are prompted to restart Windows.
     
  5. outrag1

    outrag1 Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    23
    Thanks for your continued help. I've followed all your directions. Just as a point to note, the System Restore was already checked as "disable", so I left it like that.

    I am unfortunately still facing the original problem where I cannot clean or delete these files below....

    -----------------------------------------------------------------------

    Location C:\_RESTORE\Temp\A0037457.cpy.....to....A0072563.cpy

    Across that range of files, there are 209 infected files with the following Virus Attributes:

    PE_Magistr.B
    Worm_Yaha.G
    Worm_Hybris.D

    I've used several virus scanning tools that successfully point these files out to me, but cannot clean/delete/quarantine because the "files are in use."
     
  6. rtty

    rtty

    Joined:
    May 11, 2003
    Messages:
    294
    Are you positive the system restore is disabled? Because the viruses you mentioned reside in your system restore folder. Do another virus scan with the system restore disabled.
     
  7. outrag1

    outrag1 Thread Starter

    Joined:
    Aug 16, 2004
    Messages:
    23
    The System Restore was in fact checked (disabled), so ironically, what I did was uncheck it (enable), re-boot and run virus scan. This time it successfully cleaned or quarantined the viruses. I've since left system restore enabled as well.

    Thank you for all your help.
     
  8. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/270982

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice