Today my Symantec Endpoint Protection started giving me messages about both of these files. Prior to coming here I did run a full scan with Malwarebytes' Anti-Malware (turned up nothing) and a full scan on Symantec Endpoint Protection, which turned up some kind of "unavailable trackware" that it deleted; I hope that doesn't compromise anyone's ability to help me. I'm running Windows 7 64-bit and version 11.0.5002.333 of Symantec Endpoint Protection.
Thanks in advance to whoever may be able to help. Let me know if any other information is needed to proceed.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS has loaded, begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer", note your flash drive letter, and close Notepad.
In the command window type e:\frst.exe (for the x64 version type e:\frst64.exe) and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Restart the system and load Windows. Please copy and paste the log into your reply.
We will deal with your patched services.exe later, unless the system keeps restarting (roughly every minute) after the steps below, in which case we will have to do extra steps using FRST.
Download the attached script (it needs to keep the same file name) and copy it across to the flash drive.
NOTE: This script was written specifically for this user, for use on that particular machine. Running it on another machine may cause damage to your operating system.
Now please enter System Recovery Options again, as before.
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer", note your flash drive letter, and close Notepad.
In the command window type e:\frst.exe or e:\frst64.exe and press Enter. Note: Replace the letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt). Please post it in your reply.
Ensure that ComboFix is saved directly to the Desktop <--- Very important
Disable all security programs, as they will have a negative effect on ComboFix. Disable them for, say, an hour or more.
Close any open browsers and any other programs you might have running.
Right-click combofix.exe on the desktop and select "Run as Administrator" from the menu.
If you are using Windows XP, it might display a pop-up saying "Recovery console is not installed, do you want to install?" Please select Yes and let it download the files it needs. Once the Recovery Console is installed, ComboFix will offer to scan for malware. Select Continue or Yes.
When finished, it will produce a report for you. Please post "C:\ComboFix.txt" for further review.
****Note: Do not click in ComboFix's window while it's running. That may cause it to stall or freeze****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal and increase security.
*EXTRA NOTES*
If ComboFix detects any rootkit/bootkit activity on your system, it will give a warning and prompt for a reboot; you must allow it to do so.
If ComboFix reboots due to a rootkit, the screen may stay black for several minutes on reboot. This is normal.
If, after running ComboFix, you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).
According to my Symantec Endpoint Protection, the services are disabled.
I did this by right-clicking the icon in the Windows start bar and clicking "Disable Endpoint Protection".
The Symantec window indicates that "File System Auto-Protect" and "Proactive Threat Protection" are disabled.
HOWEVER, when running ComboFix, the software indicates that "antivirus: Symantec" and "antispyware: Symantec" are real scanners that are still active.
I tried using Task Manager to end the Symantec processes, but they appear to restart themselves.
Your services.exe has been cured, and I noticed it also took care of one of the files: the odd Winlogon registry key I found was pointing to "C:\Users\NOL\AppData\Roaming\Microsoft\Windows\shell.exe". I removed that registry key with FRST in Step 2.
On with Step 4.
Please read carefully and slowly.
Please scan with ESET next
I'd like us to scan your machine with ESET OnlineScan
Hold down Control and click on the following link to open ESET OnlineScan in a new window. ESET OnlineScan
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check
Click the button.
Accept any security warnings from your browser.
Under scan settings, check and do NOT check Remove found threats (the reason is that we don't want something deleted and then Windows failing to load).
Click Advanced settings and select the following:
Scan potentially unwanted applications
Scan for potentially unsafe applications
Enable Anti-Stealth technology
ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
Attach the resulting log to your next reply.
If you think a log should have been generated, go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it.
Please do not try to move any items, including files; leave any files listed where they are, as I will use the ESET log and another log to script and clean things up.
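The Winlogon entry mentioned earlier in this reply (a Shell value pointing at shell.exe under the user's AppData folder) is a common persistence trick: Winlogon runs whatever "Shell" and "Userinit" name at every logon, so a value that differs from the defaults, lists more than one program, or points into a user profile deserves a look. The PowerShell below is an added example, not part of this thread, FRST or ComboFix; it reads the live registry of the booted Windows install, so run it from an elevated PowerShell prompt after Windows is up (not from the recovery console, where the hives are offline). The default values it compares against, the "suspicious path" pattern and the check that each listed program actually exists on disk are this example's own assumptions.

```powershell
# Added example (not from this thread): audit the Winlogon "Shell" and "Userinit" values
# for the machine and for every loaded user hive, flagging anything a default install
# would not have. Run elevated so the per-user hives under HKEY_USERS are readable.

$winlogonSub = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$defaults = @{
    Shell    = 'explorer.exe'
    Userinit = "$env:SystemRoot\system32\userinit.exe,"   # the trailing comma is normal
}
# Assumption: a legitimate Shell/Userinit never points into a profile or temp directory
$profilePattern = '(?i)\\(Users|Documents and Settings)\\|\\AppData\\|\\Temp\\|%(APPDATA|TEMP|USERPROFILE)%'

function Get-WinlogonFindings {
    param([string]$KeyPath, [string]$Scope)   # Scope is 'HKLM' or a user SID
    $findings = @()
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $findings }
    foreach ($name in 'Shell', 'Userinit') {
        $value = (Get-ItemProperty -LiteralPath $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
        if ([string]::IsNullOrEmpty($value)) { continue }
        $reasons = @()
        if ($Scope -eq 'HKLM') {
            if ($value -ne $defaults[$name]) { $reasons += "differs from default '$($defaults[$name])'" }
        } else {
            # Neither value exists in a per-user hive on a default install
            $reasons += 'per-user override present'
        }
        # Both values are comma-separated lists; every extra entry is another program run at logon
        $entries = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($entries.Count -gt 1) { $reasons += "runs $($entries.Count) programs" }
        if ($value -match $profilePattern) { $reasons += 'points into a user profile directory' }
        foreach ($entry in $entries) {
            # A loader that was deleted but whose registry value was left behind still matters
            $exe = $entry -replace '^"|"$', ''
            if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) { $reasons += "'$exe' does not exist" }
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Scope = $Scope; Value = $name; Data = $value; Reason = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

$all = @()
$all += Get-WinlogonFindings -KeyPath "HKLM:\$winlogonSub" -Scope 'HKLM'

# Per-user hives: only the hives of currently loaded (logged-on) users appear under HKEY_USERS
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
Get-ChildItem -Path 'HKU:\' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object {
        $all += Get-WinlogonFindings -KeyPath "HKU:\$($_.PSChildName)\$winlogonSub" -Scope $_.PSChildName
    }

if ($all.Count -eq 0) {
    'Winlogon Shell/Userinit values look like a default install.'
} else {
    $all | Format-Table -AutoSize -Wrap
}
```

On the machine in this thread the HKCU Shell value would have shown up with "per-user override present" and "points into a user profile directory"; once the FRST fix has removed it, the script simply reports nothing for that hive. Users who are not logged on have no hive loaded, so their Winlogon keys are not checked unless you load the hive yourself.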