JJR
Multiple virus scans identify NetSky.B but can't remove it. They say disk is write protected or file is in use. I have something like 65,000 copies and infected files. Most are in C:\_Restore\temp\*.cpy files.
Logfile of HijackThis v1.97.7
Running processes:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id = http://websearch.drsnsrch.com/sidesearch.cgi?id = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id = http://websearch.drsnsrch.com/sidesearch.cgi?id = http://websearch.drsnsrch.com/sidesearch.cgi?id = http://websearch.drsnsrch.com/sidesearch.cgi?id = file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm http://www.msnbc.com/download/nr1228.cab O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://militaryshoppers.com/bin/smsx.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38034.6728819444 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
Any help is greatly appreciated!
Back to Top
Touch Forum Moderator
Hey JJR
Scan with Hijacktis, close all other windows, put a checkmark to these, and fix:
O4 - HKLM\..\Run: [CONSCORR] C:\WINDOWS\CONSCORR.exe
O4 - HKLM\..\Run: [DealHelperUpdate] C:\WINDOWS\DHUpdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe"
Boot to safe mode – F8
C:\PROGRAM FILES\TV MEDIA\TVMBHO.DLL C:\WINDOWS\DEALHLPR.DLL C:\WINDOWS\SYSTEM\LEPUC.DLL C:\WINDOWS\MULTIMPP.DLL C:\WINDOWS\CONSCORR.exe C:\WINDOWS\BXXS5.DLL,Dll c:\windows\system\saie.exe
C:\WINDOWS\SYSTEM\lepucc.exe
C:\WINDOWS\DHUpdt.exe C:\WINDOWS\dhbrwsr.exe c:\Program Files\AutoUpdate\AutoUpdate.exe" C:\PROGRAM FILES\WEB_REBATES\WebRebates0.exe" C:\WINDOWS\ixihqpml.exe
OIS3DV2.EXE <<<Start-find
Download newest Spybot Search and Destroy here : http://www.safer-networking.org/index.php?page=mirrors if it is not already installed on your computer Install the program and then start it. Once the program has started make sure you are in the Spybot-S&D section. Click on the "Search for Updates" button. Download all updates. In some cases the program will restart after an update. When updated, click on the Immunize "Scan System" button. When the Check is over, fix all marked with red we need to configure Ad-aware SE for a full scan. Some of them should be enabled by default, while others you will need to set yourself (see below).
Click on the Gear icon (second from the left) to access the preferences/settings window
In the General Automatically save logfile Automatically quarantine objects prior to removal Safe Mode (always request confirmation)Scanning Scan within archives Scan active processes Scan registry-Deep-scan registry Scan my IE Favorites for banned URLs Scan my Hosts file Select all of your hard drives that are not selected alreadyAdvanced Include additional object informationInclude negligible objects information Include environment information Scanning Engine :
Unload recognized processes & modules during scan Under the Cleaning Engine Let Windows remove files in use at next reboot Proceed to save the settings.
Click Start and on the next screen choose: Use custom scanning options Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.
Save the log file when it asks and then click Finish .
Disable System Restore
Reboot , enable system restore, then post a new HijackThis log and tell how things are running
Touch
Back to Top
JJR
Touch Forum Moderator
JJR
New Hijackthis scan:
Logfile of HijackThis v1.97.7
Running processes:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast http://www.msnbc.com/download/nr1228.cab O16 - DPF: {5445BE81-B796-11D2-B931-002018654E2E} (MeadCo Security Manager) - http://militaryshoppers.com/bin/smsx.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38034.6728819444 O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab Thanks for the guidance.
Back to Top
Touch Forum Moderator Your log is clean now
"think I still have dead links and empty" ... meaning what?
Touch Back to Top
JJR the folder _RESTORE is still on C: along with about 20 files like backup-20041019-202829-363. Ad Destroyer and D Helper Web Driver still have links on the program list. I assume I can delete the startup links but wanted to hear from you first. _RESTORE still won't let me delete it. Back to Top
Forum Information Currently it is Thursday, November 20, 2008 5:22 PM (GMT +1)View Active Threads Who's Online This forum has 27177 registered members. Please welcome our newest member, fillon .Details 5 Latest Threads
Awesome! Running much smoother. I think I still have dead links and empty folders for some of the old hijacker programs.
|