Author Topic: how do remove win32 ciadoor-b [UPX]  (Read 3136 times)

matatak6
how do remove win32 ciadoor-b [UPX]
« on: May 27, 2004, 10:15:26 AM »
I can't seem to get rid of this. I followed instructions from my last post (went to Symantec for removal instructions). It seems to be infected in C:\windows\services.exe [UPX]
I tried to delete it but avast will not let me because the file is being used by another application. Went into regedit and couldn't find the spool...... files that Symantec told me to delete. I'm running XP Pro SP1.

.: Mac :.
Re:how do remove win32 ciadoor-b [UPX]
« Reply #1 on: May 27, 2004, 10:55:56 AM »
Quote
I tried to delete it but avast will not let me because the file is being used by another application.
Boot into Safe Mode (F8 on boot)
"People who are really serious about software should make their own hardware." - Alan Kay

whocares
Re:how do remove win32 ciadoor-b [UPX]
« Reply #2 on: May 27, 2004, 10:58:55 AM »
Please do NOT delete
 C:\windows\system32\services.exe
but this one: C:\windows\services.exe (in Safe Mode)

Try a scan with the online scanners from Trend, KAV & RAV (see below or VGREP links in your initial posting) and report findings.

Also please post a HijackThis log: http://hjt.klaffke.de/en

matatak6
Re:how do remove win32 ciadoor-b [UPX]
« Reply #3 on: May 27, 2004, 02:25:22 PM »
I seem to have gotten rid of it. Had to go into the registry and delete all the services.exe UPX. Then it allowed me to delete the offending file in c:\windows.
I don't know what a hijack log is?
Let me know and I'll do my best.

matatak6
Re:how do remove win32 ciadoor-b [UPX]
« Reply #4 on: May 27, 2004, 02:27:08 PM »
Whoopsy, keep forgetting stuff.
Even in Safe Mode I could not delete the sucker. It was in use or write protected.

DavidR
Re:how do remove win32 ciadoor-b [UPX]
« Reply #5 on: May 27, 2004, 03:30:04 PM »
If, as I believe, you are running WinXP, you will need to disable System Restore, reboot and then delete the files; set avast to do a scan on the next boot.

Once you have completed that boot scan and are in, you can then enable System Restore - a function of System Restore is to hang onto deleted files to enable you to recover to a restore point that may need the file. So in order to get rid of the virus file fully you may need to disable System Restore.

Do a search in Windows Start>Help and Support for System Restore for more information on System Restore.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

matatak6
Re:how do remove win32 ciadoor-b [UPX]
« Reply #6 on: May 28, 2004, 02:34:16 AM »
Here is my HijackThis log.
My computer seems to be running slow and unsteady?

DavidR
Re:how do remove win32 ciadoor-b [UPX]
« Reply #7 on: May 28, 2004, 10:56:21 AM »
Quote
Here is my HijackThis log.
My computer seems to be running slow and unsteady?

In order for us to help, it is important to give us feedback on our suggestions: did you try them, did they work, what results, etc.

Quote

From the Symantec site (my point on System Restore)

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1.  Disable System Restore (Windows Me/XP).

This can also help others with a similar problem, when they browse or search the forums.

whocares
Re:how do remove win32 ciadoor-b [UPX]
« Reply #8 on: May 28, 2004, 11:41:12 AM »
Hi,

- first move hijackthis.exe  to a new, empty folder outside TEMP
- then close all programs/browser windows
- and rerun HijackThis


"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
"

If you don't know this searchalot-stuff, fix the above lines

What is O4 - HKLM\..\Run: [IncaPan] IncaPan.Exe  ?
scan the file with Trend & KAV

also install, update, run & fix with Spybot, Ad-Aware & cwshredder (see above search for links)

scan the whole PC in "thorough scan" with updated avast

then post a new HijackThis log here, if problems remain

 ;) ;)
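
Added example (not part of the original thread, and not HijackThis or avast! code): a small Python triage of the HijackThis line types discussed in Reply #8, which also applies the Reply #2 distinction between C:\windows\system32\services.exe and C:\windows\services.exe. The SYSTEM32_ONLY list, the C:\WINDOWS install path, the known_hosts allow-list and the two "Example" O4 lines are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlparse
# Assumptions: Windows lives in C:\WINDOWS; short list of System32-only binaries.
SYSTEM32_DIR = r"c:\windows\system32"
SYSTEM32_ONLY = {"services.exe", "lsass.exe", "winlogon.exe", "svchost.exe"}

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "R0 - ...", "O4 - ..."
REG_VALUE = re.compile(r"^(.+?),(.+?) =\s*(.*)$")     # key,value = data
RUN_ITEM = re.compile(r"^(.+?): \[(.*?)\] (.*)$")     # hive: [name] command
EXE_PATH = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)

def review(log_text, known_hosts=()):
    """Return (line, reason) pairs for entries worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip().strip('"')
        entry = ENTRY.match(line)
        if not entry:
            continue
        code, body = entry.groups()
        if code in ("R0", "R1"):                      # IE start/search pages
            reg = REG_VALUE.match(body)
            host = urlparse(reg.group(3)).hostname if reg else None
            if host and host not in known_hosts:
                findings.append((line, f"IE page points at unrecognised host {host}"))
        elif code == "O4":                            # autorun entries
            run = RUN_ITEM.match(body)
            exe = EXE_PATH.match(run.group(3)) if run else None
            if not exe:
                continue
            folder, name = ntpath.split(ntpath.normpath(exe.group(1)).lower())
            if not folder:
                findings.append((line, "autorun without a path: locate and scan the file"))
            elif name in SYSTEM32_ONLY and folder != SYSTEM32_DIR:
                findings.append((line, f"{name} is outside System32"))
    return findings

# Constructed sample: R/O4 lines quoted in the thread plus two made-up O4 lines.
SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
O4 - HKLM\..\Run: [IncaPan] IncaPan.Exe
O4 - HKLM\..\Run: [Example] C:\WINDOWS\services.exe
O4 - HKLM\..\Run: [Example2] C:\WINDOWS\system32\services.exe
"""
for line, reason in review(SAMPLE):
    print(f"{reason}  <-  {line}")
```

Pass hosts you recognise as known_hosts to silence their R0/R1 lines; anything the function reports still needs a manual look before it is fixed or deleted.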

 
