Oh yeah- you've got Nasties, and they're even using the "Microsoft" name in their infections. Very tricky.
Please do the following:
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
* Use Norton's Live Update feature to make sure you have the most current antivirus updates installed.
* Download the following utilities:
Windows Defender - http://www.microsoft.com/downloads/d...displaylang=en
CCleaner - www.ccleaner.com
ewido Anti-malware (14-day trial version) - http://www.ewido.net/en/download/
* Install Windows Defender according to the (yes, somewhat sparse) directions on the download site. Don't run a scan with it yet, just close it once the installation and updates are complete.
Install and Configure CCleaner:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\\Local Settings\Temporary Internet Files
* C:\Documents and Settings\\Local Settings\Temp
* C:\Documents and Settings\\Local Settings\Temporary Internet Files
* C:\Documents and Settings\\Local Settings\Temp
* C:\Documents and Settings\\Cookies
* C:\Documents and Settings\\Cookies
Hit OK
- After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.
- Don't actually run a scan yet, just close CCleaner for now.
Install and Configure ewido:
Close all other Applications and then run the ewido installer
Select language click Ok
Click I Agree
Click next
Click Install
Click Finish
Wait Ewido will open main screen automatically.
Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
This is very important to get updates
When updating has finished, close Ewido.
* Open the Services utility in your Administrative Tools Control Panel
- Locate the service named "Windows Protected Content Restoration Service" or "ProtectedContentSvc" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Repeat the above for the service named "Windows Genuine Advantage Validation Notification" or "wgavn"
- Close the Services utility after that.
* Open an MS-DOS window and type the following two commands at the DOS prompt (hit Enter after typing each individual command and wait for the command to complete before proceeding):
sc delete wgavn
sc delete ProtectedContentSvc
- Close the DOS window after the second command completes
* Close all open programs/windows, (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button.
Close HijackThis once the fixes complete:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\etc\services.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Protected Content Restoration Service] C:\WINDOWS\etc\services.exe
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:
* Open CCleaner and run scans in both the 'Cleaner' and 'Issues' option windows. Note: It might take several scans in each to remove all of the junk.
* Run full system scans with your antivirus program and Windows Defender. Have both programs fix all malicious items they find.
* Open ewido
Click on scanner top of Ewido screen
Click on Settings
Under How to Act click on Recommended Action choose Quarantine
Under How to scan all boxes should be selected
Under Possibly unwanted software all boxes should be selected
On right side under Reports: click on Automatically generate report after every scan.
Under What to scan select scan every file
Click On scan Tab
Click on Complete system scan
Let the program scan the machine. It can take a while; give it time.
When scan has finished At bottom of screen click Apply all Actions
Click Save report
Click Save Report as (Save as window's screen should pop up.)
Click desktop
Click Save
Exit ewido
* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files if they still exist:
C:\WINDOWS\etc\services.exe
C:\WINDOWS\SYSTEM32\avload32.dll
C:\WINDOWS\system32\wgavn.exe
Note: C:\WINDOWS\etc is not a valid/normal folder on XP systems. Please look in that folder, write down the names of any files you find there, and include those filenames in your next post.
* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
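
Added example, not part of the original post: a small Python triage script that reads HijackThis log lines like the ones listed above and flags F2 entries where something has been appended to the default Shell/UserInit value, plus O23 services reported with "Unknown owner". The function names and the two clean sample lines are constructed for illustration; "Unknown owner" is treated only as a reason for manual review, not as a verdict.

```python
import re

# Default XP values for the Winlogon entries HijackThis reports under F2.
DEFAULTS = {"shell": "explorer.exe",
            "userinit": r"c:\windows\system32\userinit.exe"}
F2 = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O23 = re.compile(r"^O23 - Service: .+ \((\S+)\) - (.+?) - (.+)$")

def winlogon_extras(key, value):
    """Return whatever follows the default program in a Shell/UserInit value."""
    default = DEFAULTS[key.lower()]
    if not value.lower().startswith(default):
        return [value.strip()]  # default program replaced outright
    rest = value[len(default):]
    return [p.strip() for p in rest.split(",") if p.strip()]

def triage(log_text):
    """Return (category, name, path) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = F2.match(line)
        if m:
            for prog in winlogon_extras(m.group(1), m.group(2)):
                findings.append(("winlogon", m.group(1), prog))
            continue
        m = O23.match(line)
        if m and m.group(2) == "Unknown owner":
            findings.append(("service", m.group(1), m.group(3)))
    return findings

# First three lines are copied from the post; the last two are constructed
# clean entries to show what is NOT flagged.
SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\etc\services.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O23 - Service: Example Vendor Agent (ExampleSvc) - Example Vendor Inc. - C:\Program Files\Example\agent.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```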