Norton AV found a backdoor trojan virus under C:\Windows\etc\services.exe but cannot quarantine nor delete the file. Whenever we try to access our yahoo email, we get this "Cannot find server or DNS Error" message. Please help.
Once downloaded, follow these instructions to install and run the program:
Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.
The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.
* Install Windows Defender according to the (yes, somewhat sparse) directions on the download site. Don't run a scan with it yet, just close it once the installation and updates are complete.
Install and Configure CCleaner:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shut down My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
* C:\Windows\Temp
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp
* C:\Documents and Settings\<any other user's Profile>\Local Settings\Temporary Internet Files
* C:\Documents and Settings\<Any other user's Profile>\Local Settings\Temp
* C:\Documents and Settings\<Your Profile>\Cookies
* C:\Documents and Settings\<Any other user's Profile>\Cookies
Hit OK
- After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.
- Don't actually run a scan yet, just close CCleaner for now.
Install and Configure ewido:
Close all other Applications and then run the ewido installer
Select language click Ok
Click I Agree
Wait Ewido will open main screen automatically.
Wait again a few minutes and Ewido Should Auto update itself. If it doesn't click update at top of screen.
This is very important to get updates
When updating has finished. Close Ewido.
* Open the Services utility in your Administrative Tools control Panel
- Locate the service named "Windows Protected Content Restoration Service" or "ProtectedContentSvc" and double-click on it.
- In the General tab of the Properties window that opens, click the Stop button.
- Once the service is stopped, choose Disabled in the "Startup Type" drop-down menu and then click OK.
- Repeat the above for the service named "Windows Genuine Advantage Validation Notification" or "wgavn"
- Close the Services utility after that.
* Open an MS-DOS window and type the following two commands at the DOS prompt (hit Enter after typing each individual command and wait for the command to complete before proceeding):
sc delete wgavn
sc delete ProtectedContentSvc
- Close the DOS window after the second command completes
* Close all open programs/windows (especially web browsers). Run another HijackThis scan, put a check in the boxes to the left of the following entries, and then click the "Fix Checked" button. Close HijackThis once the fixes complete:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\etc\services.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Protected Content Restoration Service] C:\WINDOWS\etc\services.exe
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:
* Open CCleaner and run scans in both the 'Cleaner' and 'Issues' option windows. Note: It might take several scans in each to remove all of the junk.
* Run full system scans with your antivirus program and Windows Defender. Have both programs fix all malicious items they find.
* Open ewido
Click on scanner top of Ewido screen
Click on Settings
Under How to Act click on Recommended Action choose Quarantine
Under How to scan all boxes should be selected
Under Possibly unwanted software all boxes should be selected
On right side under Reports: click on Automatically generate report after every scan.
Under What to scan select scan every file
Click On scan Tab
Click on Complete system scan
Let the program scan the machine It can take awhile give it time.
When scan has finished At bottom of screen click Apply all Actions
Click Save report
Click Save Report as (Save as window's screen should pop up.)
* Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files if they still exist:
C:\WINDOWS\etc\services.exe
C:\WINDOWS\SYSTEM32\avload32.dll
C:\WINDOWS\system32\wgavn.exe
Note: C:\WINDOWS\etc is not a valid/normal folder on XP systems. Please look in that folder, write down the names of any files you find there, and include those filenames in your next post.
* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log. Also post the log that ewido generated.
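An added example, not part of the original thread and not HijackThis's own logic: a short Python triage pass over the entries listed in the post above, showing why each one is suspicious. It assumes the stock XP Winlogon values (Shell is `Explorer.exe`, UserInit is the single `userinit.exe` path followed by a comma); the function and constant names and the ExampleApp line are made up for illustration.

```python
import re

# Constructed input: the six entries quoted in the post above, plus one
# made-up benign Run entry (ExampleApp) for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\etc\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\etc\services.exe
O4 - HKLM\..\Run: [Microsoft (R) Windows Protected Content Restoration Service] C:\WINDOWS\etc\services.exe
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O23 - Service: Windows Protected Content Restoration Service (ProtectedContentSvc) - Unknown owner - C:\WINDOWS\etc\services.exe
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\WINDOWS\system32\wgavn.exe
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

STOCK_USERINIT = r"c:\windows\system32\userinit.exe"
ODD_DIR = "c:\\windows\\etc\\"  # the thread notes this folder is not normal on XP

def triage(log_text):
    """Return (reason, line) pairs for HijackThis entries worth a closer look."""
    findings = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        low = line.lower()
        m = re.match(r"F2 - REG:system\.ini: (Shell|UserInit)=(.*)", line, re.I)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if key.lower() == "shell":
                # Anything after Explorer.exe is also launched at every logon.
                if value.lower().startswith("explorer.exe"):
                    value = value[len("explorer.exe"):].strip()
                extra = value
            else:
                # Every comma-separated program in UserInit runs at logon.
                parts = [p.strip() for p in value.split(",") if p.strip()]
                extra = ",".join(p for p in parts if p.lower() != STOCK_USERINIT)
            if extra:
                findings.append((f"extra program in Winlogon {key}: {extra}", line))
        elif line.startswith("O23 - ") and "unknown owner" in low:
            findings.append(("service binary with no vendor information", line))
        elif line.startswith("O20 - "):
            findings.append(("Winlogon Notify DLL, verify it is expected", line))
        elif ODD_DIR in low:
            findings.append(("autostart from C:\\WINDOWS\\etc", line))
    return findings

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

A hit is a lead for manual review, not a verdict: legitimate services can also show "Unknown owner".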
The avload32.dll file is being stubborn, so we'll have to take another approach to remove it. Please start by doing the following:
Download haxfix.exe. Save it to your desktop. Close down all applications and every browser window. Double-Click on haxfix.exe to start the installation. Put a check mark next to "Create a desktop icon". Click "Next" and follow the prompts on the screen. When the installation is finished, make sure that "Launch HaxFix" is enabled. Click "Finish".
A DOS Window will open with the following options to choose:
1. Make logfile
2. Run auto fix
3. Run manual fix
4. Run wnlogow fix
E. Exit Haxfix
Choose "Option 1: Make logfile" by pressing "1" and then pressing Enter. This will need a moment of your time. When the HaxFix is finished, a textfile opens (haxlog.txt).
HAXFIX logfile - by Marckie
______________
version 3.03
Sat 07/01/2006 12:36:25.62
checking for haxdoor
--------------------
checking for a3d files....
a3d files not found
checking for matching notify keys....
no matching notify keys found
checking for matching services....
matching services found
Aspi32
checking for matching safeboot services....
no matching safeboot services found
Checking for goldun
-------------------
checking for notify keys....
no notify keys found
checking for services....
no services found
You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.
Please download the following two rootkit detection tools and save them to new folders of their own:
* Close all open/running programs now.
* Unzip the contents of the downloaded RootKitRevealer.zip file and:
- Click on the rootkitrevealer.exe file.
- Click on the Scan button and let the scan complete.
- When the scan is finished, click on the "Save..." option under the "File" menu; save the report file in the RootKit Revealer folder.
- Close the program.
* In the BlackLight folder:
- Double-click on the blbeta.exe file to start the program.
- Click "I accept the agreement", "next", "Scan"
- After the scan is finished, choose "Close"
- The scan will have created a report log named "fsbl-xxxxxxxx.log", where the "x"s are a string of numbers (a time and date stamp, specifically).
* Post the contents of log files that the two programs generated.
Blacklight did not find anything. I downloaded AVG anti-virus and it did find something else. Here's the Root Kit Revealer report file:
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/2/2006 12:11 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 7/2/2006 12:07 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C78D6251559ABAF4FB8196B74A753E25\Usage\ccWebWindow 7/2/2006 12:11 PM 4 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume
* Did Killbox give you any errors for either file when you ran it, or did it seem to do what it should (for both files)?
* Did you have AVG fix the BiSpy-infected file (C:\WINDOWS\system32\biU.exe)?
- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Search for the infected C:\WINDOWS\system32\biU.exe file and delete it if it still exists.
* Run HijackThis again and have it fix this entry again: O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.
Used Killbox as instructed. I received this message: PendingFileOperations Registry Data has been Removed by External Process! I guess our PC's rid off all virus, thanks to you. We still cannot get access to emails and other secure sites. We also get this annoying "Symantec Security Alert: Firewall Protection is turned off" message that does not go away.
Used Killbox as instructed. I received this message: PendingFileOperations Registry Data has been Removed by External Process!
Unfortunately, that message means that something (probably the infection) prevented Killbox from doing its job. Try the Killbox deletion while booted into Safe Mode:
* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
* In the "Full Path of File to Delete" box, copy and paste the following: C:\WINDOWS\system32\biU.exe
* Select the "Replace on reboot" and "Use Dummy" options.
* Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. This time, click Yes when prompted to reboot now.
I guess our PC's rid off all virus
I'm not at all convinced of that yet :(
We still cannot get access to emails and other secure sites.
This could be related to the problem with Norton's firewall, but if not, there are a few possible fixes. The first fix to try is the free IEFix utility. Download and run the utility, and let us know the results.
We also get this annoying "Symantec Security Alert: Firewall Protection is turned off" message that does not go away.
Infections often disable and/or damage firewall and antivirus programs.
* If you open the Norton Internet Security program and attempt to turn the Firewall component back on, what happens?
* If it does turn on, make sure that the option to start the firewall automatically when Windows starts is selected, reboot, and make sure the firewall actually does start automatically.
I ran Killbox in Safe Mode as instructed but I still get the same "...Removed by External Process" message. I ran AVG again and it did not find any virus. I uninstalled Norton Firewall and we're now able to access emails and all secure websites.