how do remove win32 ciadoor-b [UPX]

i cant seem to get rid of this. i followed intructions from my last post (went to symantic for removal instr). it seems to be infected in C:\windows\services.exe [UPX]
i tried to delete it but avast will not let me cause the file is being used by another application. went into regedit and couldnt find the spool… files that symantec told me to delete. im running xp pro sp1.

i tried to delete it but avast will not let me cause the file is being used by another application.
Boot into Safe Mode (F8 on boot)

Please do NOT delete the
C:\windows\system32\services.exe
but this one: C:\windows\services.exe (in SafeMode)

try a scan with Onlinescanners from Trend, KAV & RAV (see below or VGREP links in your initial posting) and report findings…

also please post a hijackthis-Log: http://hjt.klaffke.de/en

i seemed to have gotten rid of it. had to go into registry and delete all the services.exe upx. then it allowed me to delete the offending file in c:windows.
i dont know what a hijack log is?
let me know and ill do my best

whoopsy keep forgetting stuff
even in safe mode i could not delete the sucker. it was in use or write protected

If as I believe you are running WinXP, you will need to disable System Restore, reboot and then delete the files, set avast to do a scan on the next boot.

Once you have completed that boot scan and in you can then enable System Restore - a function of system restore is to hang onto deleted files to enable you to recover to a restore point that may need the file. So in order to get rid of the virus file fully you may need to disable system restore.

Do a search in windows Start>Help and Support for system restore for more information of system restore.

here is my hijack this log
my computer seems to running slow and unstady?

In order for us to help it is important to give us feed back on our suggestion, did you try them, did they work, what results, etc.

[i] From symantec site (my point on system restore)

Removal Instructions

The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

  1. Disable System Restore (Windows Me/XP). [/i]

This can also help others with a similar problem, when they browse or search the forums…

Hi,

  • first move hijackthis.exe to a new, empty folder outside TEMP
  • then close all programs/browser windows
  • and rerun iHijackthis

"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.searchalot.com
"

If you don’t know this searchalot-stuff, fix the above lines

What is O4 - HKLM..\Run: [IncaPan] IncaPan.Exe ?
scan the file with Trend & KAV

also install, update, run & fix with Spybot, Ad-Aware & cwshredder (see above search for links)

scan the whole PC in “thorough scan” with updated avast

then post a new hijcakthis-log here, if problems remain

:wink: :wink: