I recently had some problems with my CD-RW and DVD-ROM drives (they physically wouldn’t open or the discs could not be read). Yesterday, I bought Norton AntiVirus 2003 but couldn’t install it because the DVD drive wouldn’t read the disc. Following the Norton manual I checked for viruses that might affect the installation and went to http://security.symantec.com. There I had my hard drive scanned and a worm virus was found. The virus that was found is profiled in http://securityresponse.symantec.com/avcenter/venc/data/w32.pinfi.html. I followed their removal instructions and downloaded the “tool” but after several minutes of running it, it develops an error that forces it to close. After several tries, however, was finally able to install Norton. It found and fixed a number of registry keys, but still couldn’t delete the virus itself. The virus file seems to be called eto26.tmp and is in my temporary files folder, but I can’t delete it (if I try it displays a message that says:
Cannot delete eto26: access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use. ).
I have a Dell dimension 8200 with a Pentium 4 2.53GHz processor, 512MB RDRAM, 80GB 7200 RPM Ultra ATA hard drive, and am running Windows XP.
Start in safe mode and delete the file, as it may not allow you access as it is being used. Also if Norton can’t be installed right, there is an on-line virus scan you can use, but I’d try it after starting in safe mode and deleting the file.
Virus is here
Thanks. That sorta works, some of the infected files were cleaned, but the virus wasn’t deleted. Now, however, the Virus Detected reminder from Norton has a different file name. Instead of the Win32.Pinfi virus and the eto26.tmp file, the virus is called Backdoor.Sdbot and the file name is system32.exe.
The eto26.tmp file is gone now, I can’t find it anywhere. I tried starting the computer in safe mode, but, since that file is gone, I guess there’s no point.
Can I delete the system32.exe file (it’s address is C:WINDOWS\System32\System32.exe)?
If the file is central to the OS and I delete it, can I still boot from the Windows CD-ROM and access my files, have internet access, etc.?
Can I delete my Temp folder (the address is C:\Documents and Settings\user\Local Settings)?
Interesting. It sounds like the virus renamed/replaced some system files. Having never run XP, I can’t confirm this is still an option, but in 98 you could restore certain files from the install disk. Try that.
I once had a similar problem on Win98 with Gator ad software (I consider it a virus, as I did not know it was being installed). Upon boot, it would load into memory; the OS had it marked as “used”, so that I could not delete it. As it turns out, I had to manually remove it from the “Run” folder in the registry, then reboot, at which point it did not load and could be deleted. I hadn’t thought about starting in “Safe Mode”, as svt4Him suggests, which I think would have effectively done the same thing with less risk of screwing things up in the registry, although I would’ve had to run a registry cleaner to fully remove it.
Why do I mention this? It sounds like the virus did just this - placed itself in the registry so that it loads on boot, in addition to renaming/replacing a system file or two. It is possible that the “bad” system file will recreate some files and remodify the registry, thereby reintroducing the symptoms you’re working so hard to remedy. The bad system files need to be replaced with good ones and not just deleted. (It just occurred to me that it is possible that “System32.exe” may not be a real system file - it may just be named that in order to look like you shouldn’t delete it. You’ll have to find a list of valid filenames - somebody with a clean XP install would be able to tell you if it’s on their system.)
Or I could be wrong about exactly what the virus is doing - but it sounds right, and hopefully it’ll help you cure your computer’s ills.
I tried searching the Windows XP CD for system32 and system32.exe and found only a folder named System32–it contained two files, neither of which was called system32 or system32.exe.
I checked the registry addresses that are listed on the symantec web site but couldn’t find anything in my registry editor. I just checked the Run folder and, although I found one file called WhenUSave which sounds like one of those annoying ads, I coudn’t find any of the files listed on the site.
BTW, can I safely delete that registry knowing just the name (as it is unlikely that any necessary Windows program would call itself that)?
Well, the folder that contains the system32.exe file is called System32, although that doesn’t necessarily mean that the file exists in uninfected hard drives with Windows XP.
Also, last night, before going to bed, I left only two programs on: I ran the Win32.Pinfi virus removal tool (that I downloaded from symantec) again (even though Norton is no longer highlighting that as a threat) and I did the TrendMicro scan and cleanup again. I had 2.6GBs of space left on my hard drive. This morning I had 4.8MBs left. Where did all that space go? I wasn’t downloading anything; the only two programs running were the aforementioned two and some part of Norton AntiVirus, none of which take up additional hard drive space (well, maybe a few kilobytes, but certainly not that much).
OK - I feel the need to put a disclaimer on this. I haven’t used XP, so things may be different than what I’ve experienced with Win98. Also, beware of screwing around with the registry - you can really do bad things to your computer.
Not finding a file called System32.exe indicates to me that it is a bogus file. I have to reiterate - I don’t know if that’s true. The last thing you want to do is to delete necessary system files. By the way, I looked at that Symantec link you gave, which indicated that the virus does indeed replace some system files. Whether or not this is one of them, you need to confirm elsewhere.
As to the Run folder, I think I should’ve been more explicit - not that you’re looking in the wrong place, but I just don’t know. Unless MS has radically changed the structure of the registry, there are 3 “folders” under the “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion” entry - Run, RunOnce, and another that I can no longer remember. Each contains entries that load programs at startup. Some of these are necessary (such as systray.exe, which is responsible for maintaining the programs that appear as icons by the clock), but it is a favorite place for viruses and such to make sure they get loaded. For instance, the “Happy99” worm does this, as described at the Symantec website: http://securityresponse.symantec.com/avcenter/venc/data/fix.happy99.worm.html
This is pretty much inexplicable to me. I suppose you could always do a find files from the past 24 hours to see where the space is being used. Something is definitely wrong. Perhaps it’s a log file generated by the anti-virus software?