Today I decided to do a full system scan, and even though it said it is working the number of files scanned stays at zero. I have tried running Malwarebytes but it doesn't work because it says something is preventing it from working and it just closes. Moments later Norton detected a backdoor but it didn't say it was blocked or anything. This has never happened before and I don't know what to do. Any help would be appreciated.
Which version and product of Norton do you have?
2009 products have a Recovery Disk, which is a bootable "Windows" on a CD with the Norton program you bought on it, and it can scan your Windows installation.
The other thing I would try is a Clean Boot (http://support.microsoft.com/kb/310353), and when Windows is booted up, go to Control Panel -> Administrative Tools -> Services, and start your Norton product.
If it still can't run the scan from the Norton UI, stop the process.
Click on Start -> Run, in the text box write navw32.exe /a (you may have to give the full path for it...), and hit Enter. This way you can start a manual full system scan. This can be done in Safe Mode too.
If you have done everything, open msconfig, and set everything back to a normal boot.
Let us know the result ;)
If, after following PapauZ’s instructions, there are still problems, please update Malwarebytes, disable system restore, disconnect from the internet and run another scan. You will be able to find the results of the scan in a log under the logs tab. You can paste it here for us to see what is still infected.
Do I just click on the link you provided, click download, then run? Another message just popped up and said Backdoor.Tidserv has been detected.
YES, Scan and save log
Quads
I can't scan it. Whenever I try running the GMER thing it just freezes up, and I have been waiting for it ever since the second post.
Please run a SysProt log for us so we can check your system for rootkit activity. You will need to disable Norton auto-protect while you run the scan.
Right-click and choose Run as Administrator if using Vista.
Choose report or log, check all the boxes and the box for HD, and scan.
http://homepages.slingshot.co.nz/~crutches/SysProt
Quads
How do I disable the auto-protect?
Right-click the Norton system tray icon down by the clock. You will see "Disable Auto-Protect" in the menu.
Quads
How do I post the log? I am kind of new to this forum so I don't know much.
Look below the Post button and you will see the Add Attachments link.
Quads
Hope this is it.
Hi
If you have Spybot S&D installed, remove it.
Also, during the restarts with Avenger, if your PC has a startup repair center like HP and Toshiba machines do, tell it to start normally if it kicks in.
1. Download Avenger to your desktop,
Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/
Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with the zipped version, to be unzipped to the desktop
2. Click to run "Avenger.exe" (right-click "Run as Administrator" if using Vista)
3. In the "Input script here:" box, copy and paste the script between the lines
Drivers to disable:
ESQULserv.sys
Drivers to delete:
ESQULserv.sys
Files to delete:
C:\Autorun.inf
D:\Autorun.inf
C:\Windows\System32\drivers\ESQULciitxdsmgjgisdpnxithpqcrmuglfwoh.sys
C:\Windows\System32\ESQULiecworphvkvyqmfptixuqumdpoiaehwe.dll
C:\Windows\System32\ESQULlvecsderutiqaorscqgqfwpgsxfspfhb.dll
C:\Windows\System32\ESQULzcounter
Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\ESQULserv.sys
HKEY_LOCAL_MACHINE\SOFTWARE\ESQUL
Here is a screenshot (script updated since shot)
Make sure the "Automatically disable any rootkits found" is NOT selected
4. Click "Execute"
You will be asked to restart the PC; click "Yes". When the PC restarts the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.
Then when Windows fully loads the Avenger log will open, showing files it could or could not find.
5. Restart the PC again, then see if you can install, update and run Malwarebytes http://www.filehippo.com/download_malwarebytes_anti_malware/
Quads
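As an added illustration (not from the thread or the Avenger author), here is a read-only PowerShell check that walks every ControlSet for the ESQULserv.sys service from the script above, the ESQUL SOFTWARE key, the fixed-name files, and any ESQUL-prefixed driver or DLL in System32. It assumes an elevated prompt after the Avenger reboots; a still-active rootkit can hide these from user-mode enumeration, which is why the thread relies on SysProt's kernel module view first, so this confirms cleanup rather than finding a live infection.

```powershell
# Added example, not part of the thread: read-only check for the ESQUL
# indicators named in the Avenger script. Run from an elevated PowerShell
# after the Avenger reboots. An active rootkit can hide these from user-mode
# enumeration, so treat a clean result as confirmation only after cleanup.
$svc = 'ESQULserv.sys'
$report = @()

# 1. Service keys under every ControlSet, not just CurrentControlSet
Get-ChildItem -Path 'HKLM:\SYSTEM' -ErrorAction SilentlyContinue |
  Where-Object { $_.PSChildName -like 'ControlSet*' } |
  ForEach-Object {
    $key = Join-Path $_.PSPath "Services\$svc"
    if (Test-Path -LiteralPath $key) {
        $p = Get-ItemProperty -LiteralPath $key
        $img = $p.ImagePath
        # ImagePath may be \??\C:\... or relative to %SystemRoot%
        $file = $img -replace '^\\\?\?\\', ''
        if ($file -and -not [IO.Path]::IsPathRooted($file)) {
            $file = Join-Path $env:SystemRoot $file
        }
        $report += [pscustomobject]@{
            Where  = "$($_.PSChildName)\Services\$svc"
            Start  = $p.Start
            Image  = $img
            OnDisk = [bool]($file -and (Test-Path -LiteralPath $file))
        }
    }
  }

# 2. The SOFTWARE key and the fixed-name files from the script
foreach ($path in 'HKLM:\SOFTWARE\ESQUL', 'C:\Autorun.inf', 'D:\Autorun.inf',
                  "$env:SystemRoot\System32\ESQULzcounter") {
    if (Test-Path -LiteralPath $path) {
        $report += [pscustomobject]@{ Where=$path; Start=$null; Image=$null; OnDisk=$true }
    }
}

# 3. The driver and DLLs carry random suffixes, so match on the ESQUL prefix
Get-ChildItem -Path "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers" `
    -Filter 'ESQUL*' -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $report += [pscustomobject]@{ Where=$_.FullName; Start=$null; Image=$null; OnDisk=$true }
  }

if ($report.Count -eq 0) { 'No ESQUL indicators found.' }
else { $report | Format-Table -AutoSize }
```

Any row left in the table after the Avenger reboots is something the script did not remove and is worth posting back with the Avenger and Malwarebytes logs.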
This is what came up after I rebooted the computer. There was actually some trouble when restarting: there was a black screen at the home menu and I had to start the Task Manager, log out and log back on to actually see the home screen.
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com
Platform: Windows Vista
*******************
Script file opened successfully.
Script file read successfully.
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:
Rootkit scan active.
No rootkits found!
Disablement of driver "ESQULserv.sys" failed!
Status: 0xc0000001 (STATUS_UNSUCCESSFUL)
When you start SysProt, go to the "Kernel Modules" tab. Do you see "ESQULserv.sys" in RED?
Quads
yes
Select it, then click the Disable button, then restart your PC.
Then do it all again for the second time.
Quads
Norton just popped up a message saying Backdoor.Tidserv detected, but it didn't say blocked or anything. I am running the Malwarebytes program right now and it's still scanning and has found 3 infected objects. Should I restart right now or wait till it finishes scanning?
Hmmm
To be able to run Malwarebytes, Avenger must have gone through some of the script to break the rootkit, as this variant of rootkit has Malwarebytes in its disallowed list.
Avenger just didn't get to write the full log.
Malwarebytes will create a log when finished scanning.
Quads