Trojan horse Dropper.Generic_c.MMI infection

[catamongthebats]

Hi guys and girls I'm hoping someone can help.
AVG(free version) keeps informing me that I have the above trojan in my C:\windows\system32\services.exe folder. As it is an important folder I didn't want to mess around with it. I've read the other posts here regarding this Trojan, ran Combofix and then followed the instructions in your Read Me section, I have attached all the logs as requested below.
I was trying to think when this could have happened - when AVG first flagged the trojan I was browsing for some pictures of birds to paint using both Google images and various websites, when I got the flag that a Trojan was detected I shut down Internet Explorer and ran both AVG and Malwarebytes. AVG found it, but it being a systems folder is obviously unable to remove it.
I then noticed a new icon on my desktop for a program called "Live Security Platinum" which I did not agree to install. I uninstalled it, re scanned, but the problem remains(I hope I didn't screw up by unistalling it!).
After following all the steps in your read me I still have the infection, so I'm posting the logs and hoping for help when someone is able.
On a side note, my father has a search engine redirect happening on his laptop which he only just mentioned, apparently that's been there for sometime and as we use a router I'm concerned it might be infected. I haven't been able to fix his redirect either following your steps for it's removal but I'll start a seperate thread for that issue.
I didn't want to re-set the router unless you told me to - at this moment I don't to touch anything unless directed to do so.

Thankyou so much for your time and experience,

regards,
Cathy.

[Kestrel13!]

For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Choose your language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

On the System Recovery Options menu you will get the following options:

Quote:

• Startup Repair
• System Restore
• Windows Complete PC Restore
• Windows Memory Diagnostic Tool
• Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
• Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

[catamongthebats]

Thankyou Kestrel13!,

My system is 64 bit.

Please find attached the log as requested.

Thanks again.

[Kestrel13!]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

Attached is fixlist.txt

• Save fixlist.txt to your flash drive.
• You should now have both fixlist.txt and FRST64.exe on your flash drive.

Now re-enter System Recovery Options.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (How to attach)

Now attempt to boot normally.

------------------------------------

Before we continue I would like for you to use MSConfig to put this machine back into normal start up mode.

If you did not deliberately set this proxy yourself then please include it in the HJT fix further below:

Quote:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

Quote:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;<local>
R3 - URLSearchHook: (no name) - {1392b8d2-5c05-419f-a8f6-b9f15a596612} - (no file)
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O3 - Toolbar: (no name) - {F6BD6330-76F8-44d9-B775-87614E2D8374} - (no file)

After clicking Fix exit HJT.




What is inside of these folders?

C:\Users\All Users\0C1CFAEF004783B9BA08A775F875F002
C:\Users\Cathy\AppData\Local\826D2194-E317-4BB2-A1DE-47227F1D9C49.aplzod

• Now rerun FRST no fix just a scan and attach the log
• Re run RogueKiller, no fix, just a scan and attach that log too please.
• Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
• Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

[catamongthebats]

Thanks Kestrel13!

All the steps ran without issue, please find the logs attached as requested.

I am no longer getting the AVG pop up alerting to an infection and a scan no longer shows the infection. (It does show a C:\FRST\Quarantine\services.exe file as a trojan that it has now placed in it's virus vault, please advise if I need to permanently delete this file, I can restore it from the virus vault to it's original position if additional steps need to be taken. I wasn't given a choice by the software, it just moved it.)

Otherwise it seems to be running smoothly again. Thank you soooo much for your help it is very much appreciated.

with regards,

Cathy.

[Kestrel13!]

Nothing needs to be restored! That services.exe was infected. Now it isn't.

And I had asked.

Quote:

What is inside of these folders?

C:\Users\All Users\0C1CFAEF004783B9BA08A775F875F002
C:\Users\Cathy\AppData\Local\826D2194-E317-4BB2-A1DE-47227F1D9C49.aplzod

Glad everything is running well though, when you respsond, I can give you final steps.

[catamongthebats]

Oops, sorry I misread that question about the folders,

The first folder in the All Users folder contains an .ico file named 0C1CFAEF004783B9BA08A775F875F002.ico.

The folder in the App Data\Local contains two Data base files - Alarms.db and Main.db.

Thanks, looking forward to the final steps!

[Kestrel13!]

Delete these then unless you know what they are for

C:\Users\All Users\0C1CFAEF004783B9BA08A775F875F002
C:\Users\Cathy\AppData\Local\826D2194-E317-4BB2-A1DE-47227F1D9C49.aplzod

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 of the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
   • Refer to the cleaning procedures pointed to by step 7 of the READ ME
     for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
   • Then reboot and Enable System Restore to create a new clean Restore Point.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

[catamongthebats]

Thank you so much for your help Kestrel13!

[Kestrel13!]

You are *most* welcome. Safe surfing!