
Unable to disable System Restore after infection with backdoor.trojan virus

Discussion in 'Security and Privacy' started by skaler2k, 2004/04/14.

Thread Status:
Not open for further replies.
  1. 2004/04/14
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    This is an XP Pro Dell Dimension 8250 which I purchased second hand. About a month after I purchased it, Norton AV 2002, with the latest definitions, informed me that I have the backdoor.trojan virus. The "object" is C:\Windows\system32\py.exe. Action taken: unable to repair this file. When I click OK, the very same dialog box comes up except that the action taken this time is "Access to file was denied". Clicking OK makes it all go away.
    This notification occurs about once every two to three days, and seems to come up when I go online (dialup, Earthlink). A full system virus scan shows nothing. Symantec doesn't support 2002, so I'm on my own. Their website states that the procedure to eliminate this virus involves disabling System Restore, then, in Safe Mode, running a full scan, deleting all found files, and, finally, reversing changes made in the Registry. I can't get past step 1.
    When I attempt to disable System Restore, I get the following: "System Restore encountered an error trying to enable/disable one or more drives. Please restart your machine and try again". Restarting results in the same response, over and over again. I've also tried unchecking System Restore under the Services tab that you get to via msconfig. Same message.
    Can anyone tell me what my next step could be? Would buying a newer version of Norton AV do anything? Symantec also provides downloadable "tools" that supposedly attack specific viruses.
    Two that look promising: Backdoor.Autoupder and Backdoor.Winshell.50, but neither specifically identifies Backdoor.Trojan as its target.
    I'm sorry about the length of this posting.
     
  2. 2004/04/14
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Never any need to apologize for the length of a post if you needed lots of words to make the problem clear - and you did.

    backdoor.trojan as Symantec uses the term is not a specific trojan but describes a group of them that behave in a similar fashion. Very possible that whichever one(s) you have are causing the system restore problem.

    You will need a newer version of Norton AV if you intend to stay with that AV app. But that's for later.

    First thing to try is a different way of stopping system restore. May work and if not, you are no worse off. You'll need an admin account to do this and I'd boot to safe mode to try it.
    - right click on My Computer
    - click on Manage
    - go to services and open it
    - locate System Restore Service and right click it
    - set the startup to Disable
    - reboot. It should not start if it allowed you to set it to disable.

    Next, scan with an online app that will find and hopefully clean what it finds. RAV (from my signature) is a good one as are several others.

    If that works, download, immediately update, then run first Ad-aware and then Spybot (also in my signature). Delete all that Ad-aware finds and any that Spybot shows in red and with check marks. The others from Spybot are optional. Then while still in Spybot, immunize.

    Next download Hijackthis and follow the instructions to generate a log file. Post it here. Don't try to fix anything on your own.

    Moving this thread to the security section.
     


  4. 2004/04/14
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Thank you so much, Newt, for your interest and willingness to help.
    So far, I've downloaded Ad-Aware and Spybot, and will download the RAV next. I'm doing this on my wife's computer. It is mine that is infected. While I was downloading, I went downstairs and went through the process you described on my computer. When I right-clicked SR Services, the only options available to me were START (Stop, Pause, Resume, Restart are all greyed out); ALL TASKS has only Start available. Refresh is available, though I ignored it.
    Properties and HELP are also available. Under Properties, in the lower half of the screen, it shows that Service status is Stopped.
    When I right-click My Computer and look at the System Restore tab, the box for "Turn off SR on all drives" is still unchecked. BTW, this computer has 2 drives, though the second one is nearly empty. When I put a check mark in the box and click either OK or Apply, I get the typical "You have chosen to turn off SR. If you continue..." Then I click Yes, and I again get the "SR encountered an error..."
    Looking at services by way of the msconfig route, I see that SR is unchecked, and status is "STOPPED". When I look at SR through the route you describe (My Computer > Manage > Services) it still shows Automatic in the right column. This is after rebooting.
    My best guess is that SR is indeed stopped. Do you agree?
    My next step will then be to download RAV, run it in safe mode, and proceed per your recommendation.
    Thanks again, Newt. You are much appreciated.
     
  5. 2004/04/15
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    After you do all that Newt suggested, have your XP disk ready and do a System File Check.

    Start > Run > cmd
    sfc /scannow

    sfc (System File Checker) retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.

    If you want to see what was replaced, right click My Computer > manage, expand event viewer > system.

    When you are through with "clean up", do an SFC, enable SR, set a point manually, and reboot. Let us know how you fare.

    Johanna
     
  6. 2004/04/15
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    When I right-clicked SR Services, the only options available to me were START (Stop, Pause, Resume, Restart are all greyed out); ALL TASKS has only Start available. Refresh is available, though I ignored it.

    I think we are talking about two slightly different things here although it does sound like things might be stopped. Many of the services will not allow themselves to be stopped while the system is running though.

    What I suggest for those times is to set the Startup option to disabled and then boot the PC. Pictures here of what I mean.

    http://www.go-fishing.org/upload/files/wh-svc1.jpg

    http://www.go-fishing.org/upload/files/wh-svc2.jpg

    And the sfc that Johanna recommended is perfect.
     
  7. 2004/04/16
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Thank you Newt and Johanna.
    I'm pretty confident that I've successfully disabled system restore via the manage>services>properties route.
    The only thing I've had time for thus far, on my computer, was to do the online RAV virus run. It came up with two viruses: TrojanDownloader:Win32/Lalus, which is in the C:\Windows\msgcenter_lminv1 (UPXW) folder (file?), and TrojanDownloader:Win32/Agent.B, which shows up 3 times, always in the System32 folder of the Windows directory; it infected ezmzuvok.dll, jvafyoti.dll, and oghgwfjo.dll.
    I then reran the online scan, scanning only the Windows directory, but this time I placed a checkmark in the "clean as you go" (something like that; it was late last night) box. I don't think it cleaned it. Maybe I didn't look hard enough for some response. I clicked on the Report button, which during the scan was named "Stop scan", but it didn't seem to respond.
    Newt, you implied, I think, that there may be a better AV program out there than Norton AV. If it doesn't violate the rules of this BB, would you recommend one? I'll tackle Ad-Aware and Spybot this weekend. Johanna, I'll also follow through with your recommendation.
    Thank you both.
     
  8. 2004/04/16
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Just so we're clear, you only have AV installed? No third party firewall? Trojans and worms come through unprotected internet connections. Norton sells AV alone, Firewall alone, or other combinations.

    There are several good firewalls available. Which one suits you depends on your own tastes. There are people who like eTrust, others who stick with Norton, some like AVG, some Kerio, Panda, and I know I've forgotten a few. Unless you are using a router designed to act as a firewall, you need a third-party firewall. The one included with XP, both HE and Pro, has limitations, as well as only blocking one way (incoming, not from MS).

    Look up the specific things you found on the Symantec site, and there will be detailed instructions or tools for removal posted there. Read Tony Klein's "So how did I get Infected?" pinned to the top of the Security forum. He explains how it happens, and how to prevent it.

    Johanna

    FWIW,
    I would take that computer off line, back up any data files, and do a format and clean install. Then I would load eTrust or Norton or something, go online and get every update I could, first thing. If my firewall is disabled, my modem is disconnected. Period. JMO
     
  9. 2004/04/16
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Hi Johanna,
    I've always thought that firewalls were only for DSL and cable connections, not the brief exposure that a dial up connection creates.
    I guess my own experience proves me wrong.
    I am not married to Symantec, but my first instinct is to stick with them anyway. The most telling response to that opinion would be to ask you which AV program you yourself use, and which firewall you have.
    BTW, sorry about that grammatical error in the last post-I carelessly revised the sentence and was evidently distracted.
    I only mention this because I'm married to an English professor.
    This infected computer, as I mentioned is second hand. It has Win XP pro installed. I just looked at the box of recovery CDs the seller provided, and what's in there is a still sealed restore CD, but it is XP home. Oh well. I'd love to avoid the format and clean install route, but I guess I'll end up there sooner or later.
    In the meantime, I'll try and do all that you and Newt have suggested.
    Thanks.
     
  10. 2004/04/16
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    skaler2k - there is rarely a PC that can't be cleaned.

    As to AV, I use Norton myself and it's been fine. I will probably stick with it unless I have to do a clean install of the OS for some reason since Norton is horrible to try and remove.

    I don't think as highly of it since Peter Norton sold out to Symantec and I don't need lots of the features since XP has good native stuff but all-in-all, I'll probably stay with it for the near future.

    Firewall with dial-up - several years ago I'd have agreed you didn't need one. Not the case these days and you really need a good, tight firewall running any time you connect to any outside systems.
     
  11. 2004/04/16
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    Newt said:
    I use NIS 2003, and will, until I have to do a reinstall, or my sub runs out. Same reason- it is not easy to get rid of!

    Johanna
     
  12. 2004/04/29
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    I think/hope I'm ok now+thanks to Newt and Johanna

    I didn't want to disappear without saying thanks again to Johanna and Newt.
    I ended up buying Norton Internet Security 2004, as, coincidentally, it happened to be on sale at Best Buy for $60, with two rebates that total $60. An offer I couldn't refuse. I installed it on my wife's computer, as her virus subscription was two days from expiration. Norton wouldn't let me put it on two computers, so I obtained NIS2003 on eBay and installed it on my computer. This time, when the message about backdoor.trojan appears, the action taken is something to the effect of "captured and fixed". The only thing that troubles me is that this happened again yesterday evening. So, did the backdoor.trojan virus reinfect my computer and Norton fixed it again? If not, what should I do to permanently get rid of the virus?
    I have the latest updates for all of the Norton Internet Security 2003 features, and I have the latest Windows Updates for WinXPpro. Also, Newt, I again went to the RAV site late last night, downloaded the latest definitions, and ran an online scan of just my Windows folder. Again, there are 4 infections found, the very same ones that were found a couple of weeks ago when you first pointed me to the RAV site. I'm not sure of what to think of that. A full scan by Norton never identifies these 4 locations. RAV calls the virus something different, but it does have the word "backdoor" in it.
    Any recommendations?
    Thanks again,
    Skaler2k
     
  13. 2004/04/29
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    The specific locations would help.

    Many AV programs can see an infected file if it is compressed (part of a zip or cab or similar) but not deal with it. OTOH, the infection isn't active while the file is compressed.
     
  14. 2004/04/29
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Specific locations of the infection

    Hi Newt,
    I wrote down what RAV found, but not what Norton found. I do recall, though, that Norton stated the object of the infection was in C:\Windows\System32\py.exe. Sometimes, the file would show up as py[2].exe. I think, one of the times the location was in C:\Documents... \py[2].exe.
    What RAV found is 4 instances, all in C:\Windows, but the first one reads:
    C:\Windows\msgcenterlminv1.exe -> (UPXW)_TrojanDownloader:Win32/Lalus -> infected.
    The next three are all in the Windows\System32 folder: #1 ezmzuvok.dll - TrojanDownloader:Win32/Agent.B; #2 jvafyoti.dll - TrojanDownloader:Win32/Agent.B; #3 oghgwfjo.dll - TrojanDownloader:Win32/Agent.B.
    Sounds Greek to me.
    Thanks..
     
  15. 2004/04/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Were you able to get system restore working properly again? If so, disable, boot to safe mode and delete these files.


    C:\Windows\System32\py.exe
    C:\Windows\msgcenterlminv1.exe
    C:\Windows\System32\ezmzuvok.dll, jvafyoti.dll, oghgwfjo.dll

    Empty the recycle bin, run disk cleanup to clear Temps and TIFs. Reboot and scan again. If all clean re-enable system restore and set a manual restore point. Wouldn't hurt to post a HijackThis log too.
     
  16. 2004/04/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    skaler2k,

    I was wondering if you have installed a firewall yet!? I've been on a cable connection with a router for some time now and also have a software firewall. I've only had two things get past the router's firewall since installing it, and the software firewall blocked them both. My cable has been down for the last couple of days so I'm using dialup... no hardware firewall... and my software firewall is blocking incoming requests from all over the planet about every three minutes. Take that back. I just counted 80 incoming requests in 52 minutes. I'm getting prompted with new ones about every 3 min. Once denied, a request gets blocked without prompting, which explains the 80+ an hour versus the number of prompts per hour. :)
     
  17. 2004/04/30
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello skaler2k,

    Until you get a software 3rd party firewall, turn on XP's one-way firewall. It might already be enabled.

    Start > run type services.msc and scroll down to Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)

    Double click on the line. A dialog box will open; for the startup type, choose Automatic.

    Regards - Charles
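    As an added example (not posted by anyone in this thread), the following cmd batch file does from the command line what Newt's Services MMC steps, noahdfear's file list and Charles's ICF post describe, so the state can be checked and recorded rather than eyeballed. It assumes the XP service names "srservice" (System Restore Service) and "SharedAccess" (Internet Connection Firewall / ICS), an administrator account, and two optional arguments, "disable-sr" and "enable-icf", which are this script's own convention and not part of Windows. With no argument it only reads state and reports which of the named files are present.

```batch
@echo off
rem Added example, not from any post in this thread. Audits the items the
rem thread discusses on a Windows XP host from a cmd prompt.
rem Assumptions: service names "srservice" (System Restore Service) and
rem "SharedAccess" (ICF/ICS); run as an administrator; the arguments
rem "disable-sr" and "enable-icf" are this script's own convention.
setlocal

echo === System Restore Service, service name srservice ===
rem START_TYPE shows AUTO_START / DEMAND_START / DISABLED; STATE shows RUNNING / STOPPED
sc qc srservice | findstr /i "START_TYPE"
sc query srservice | findstr /i "STATE"

echo.
echo === Internet Connection Firewall / ICS, service name SharedAccess ===
sc qc SharedAccess | findstr /i "START_TYPE"
sc query SharedAccess | findstr /i "STATE"

echo.
echo === Files the scanners reported in this thread ===
rem Paths are the ones quoted in the thread; this only reports presence.
for %%F in (
    "%SystemRoot%\System32\py.exe"
    "%SystemRoot%\msgcenterlminv1.exe"
    "%SystemRoot%\System32\ezmzuvok.dll"
    "%SystemRoot%\System32\jvafyoti.dll"
    "%SystemRoot%\System32\oghgwfjo.dll"
) do (
    if exist %%F (echo PRESENT  %%~F) else (echo absent   %%~F)
)

echo.
if /i "%~1"=="disable-sr" (
    echo Setting srservice startup type to Disabled, the same step Newt describes ...
    sc config srservice start= disabled
    sc stop srservice
    echo Reboot, then run this script again and confirm START_TYPE shows DISABLED.
)

if /i "%~1"=="enable-icf" (
    echo Setting SharedAccess startup type to Automatic and starting it ...
    sc config SharedAccess start= auto
    sc start SharedAccess
)
endlocal
```

    Save it under any name (say srcheck.bat, a name chosen for this example) and run it from Start > Run > cmd: plain srcheck.bat prints the report; srcheck.bat disable-sr applies Newt's startup-type change, after which a reboot and a second run should show DISABLED and STOPPED; srcheck.bat enable-icf applies Charles's ICF step. Note the space after "start=" in sc config; sc requires it.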
     
  18. 2004/04/30
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Firewall as part of Norton IS2003

    Hi Dave,
    I know that Norton has a firewall, but that is about all I know. When I installed the program, I just accepted all of the default/recommended settings. At this point, I have no idea about incoming requests and how to know when one occurs. I guess I ought to take more interest in finding out the inner workings of the various portions of the program. I use Earthlink dial-up. Will probably switch to BellSouth sometime in May. Might even convince myself that I can afford DSL. Then I'll probably have to get the hardware router, as I understand that it is a pretty effective firewall.
    I plan to find time tomorrow and follow your instructions on deleting those infected files in the Windows directory.
    Thank you for your interest and support.
    Vic
     
  19. 2004/05/01
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Newt,

    Quote from skaler2k *Symantec doesn't support 2002, so I'm on my own.* and from you *You will need a newer version of Norton AV if you intend to stay with that AV app.*

    I was able to renew NAV2002 for the third time (tonight). 19.95 > 24.95 > 29.95 - I detect a pattern here :)

    I was really afraid that I wasn't going to be able to renew for another year and be given no choice but to upgrade to the "AV that ate the World". In that case I would have either gone to NOD (for which I have a license; I run it on WinME) or eTrust or AVG.

    Regards - Charles
     
  20. 2004/05/02
    skaler2k

    skaler2k Well-Known Member Thread Starter

    Joined:
    2003/10/24
    Messages:
    408
    Likes Received:
    0
    Deleted the infected files

    Hi Dave,
    Through the search function, I found the 3 .dll files, the msgcenter..., and the py.exe file. The py file came up as xcopy.exe.
    I hope it didn't do any harm, but I failed to first boot into safe mode.
    I did, however, disable System Restore by way of Newt's recommended route: My Computer > Manage > Services, etc. If I try to disable it by way of Control Panel > System > System Restore tab, I still get the same error message.
    After I deleted the files, ran disk cleanup, emptied the recycle bin, I ran the procedure recommended by Johanna. That is, from the XP cd, I ran the system file check procedure. After it finished, the only file restored was the xcopy.exe. The 3 .dll files are nowhere to be found. I even searched the XP CD-though I suspect that they are probably zipped or compacted there.
    What do you think is the consequence of my now running Win XP with those 3 .dll files missing?
    Thanks,
    Vic
     
  21. 2004/05/02
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Since they aren't native XP dll's, I'd say there won't be any consequences. They were created/installed by the virus. :)
     