services.exe trojan + disabled firewall

[danUK]

After discovering last week my Paypal account had been hacked into, I've become concious that of the fact there must be a number of viruses on my system that I am not aware of. Upon realisation that my Windows Firewall is being prevented from operating, I ran scans through MalwareBytes and Avira. While these detected and remove some problems, the firewall issue still persists.

Following advice from this forum, I downloaded an ran TDSSkiller. This found 11 'suspicious' threats, and I have attached the log of the scan for your expert analysis.

I would appreciate any further help you may have at curing this virus.

Thanks. Dan.

[TimW]

Please follow these instructions:

READ & RUN ME FIRST. Malware Removal Guide

[danUK]

As mentioned in my post, removal software such as MalwareBytes was unable to cure the infected system file.

I've deduced that it's probably a 'trojan horse patched_c.lyt' virus

Any further help will be appreciated.

[chaslang]

Quote:

Originally Posted by danUK

As mentioned in my post, removal software such as MalwareBytes was unable to cure the infected system file.

You need to follow all the instructions in the READ & RUN ME FIRST and attach the logs if you expect us to help you. It does not matter whether they fix it or not. We need the logs to give you a proper fix.

Also you needed to have TDSSKiller fix the below to items which are infections
01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip

[danUK]

Ah right. Well I ran both TDSSKiller and MalwareBytes again, and removed the threats. However, the problem (disabled firewall, unaccessible virus sites, sercurity threats) still persists.

I've attached the log for the MalwareBytes scan. Thanks.

[TimW]

MBAM is indicating a Ramnit virus as well as a Zero Access virus. Ramnit viruses are near impossible to cure, but first we need to know how infected you are. Please go to eSet Online Scan. Scan it three time and attach each log to your next reply.

[danUK]

Oh dear, well I'll get the logs posted later tonight.

I've bought a new PC as the infected one is fairly ancient now, will it be possible to transfer data onto the new one without necessarily infecting it?

[TimW]

Heed this warning ( until we know how badly you are infected ):

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irrepairable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.

[danUK]

Hi Tim,

Just finished the first scan of my C drive and it detected around 1700 infected files unfortunately, is it worth continuing?

Is any of the undetected data salvagable at this stage? As you mentioned in your posts, it was mostly .exes and .dlls, but what about music libraries etc.? Do they still carry the risk of transfering the Ramnit?

Also, is it possible for the virus to infect other computers via my email account? (Which I found has been comprimised...)

Thanks

[TimW]

Quote:

Originally Posted by danUK

Hi Tim,

Just finished the first scan of my C drive and it detected around 1700 infected files unfortunately, is it worth continuing?

No, you are too highly infected.

Quote:

Originally Posted by danUK

Is any of the undetected data salvagable at this stage? As you mentioned in your posts, it was mostly .exes and .dlls, but what about music libraries etc.? Do they still carry the risk of transfering the Ramnit?

Your best bet would be to transfer your music files to an external drive or thumb drive and then scan that drive.

Quote:

Originally Posted by danUK

Also, is it possible for the virus to infect other computers via my email account? (Which I found has been comprimised...)

Not that I am aware of.

Your only option at this point is to do a complete reformat ( including re-partitioning) and a new install.

Quote:

Originally Posted by danUK

Thanks

Your welcome. Sorry for the bad news.

[danUK]

Quote:

Originally Posted by TimW

No, you are too highly infected.

Your best bet would be to transfer your music files to an external drive or thumb drive and then scan that drive.

On the second scan through I didn't find any files in that drive, is that encouraging or just misleading?

Are there any alternatives to backing up data? It's only a select number of images, music and documents that I'd ideally like to save. Unfortunately I suspect both my flash-drives will also be infected, can they pheasibly be cleaned and used?

My priority is to ensure my new system isn't infected, but if it is at all possible to save some .jpgs, .wavs and .docs without spreading the risk I'd really appreciate some help in acheving that.

Thanks again.

[TimW]

You need to attach the logs from running Eset. Otherwise I haven't a clue as to what is happening.

[danUK]

Right, I've attached the results of the second scan. Unfortunately I didn't save a log of the first one.

Following this I followed the instructions on the ESET site to remove the Sirefef and repair Window Services. (http://kb.eset.com/esetkb/index?page...nt&id=SOLN2895)

So far it looks to have done the job. My Firewall is back and enabled again, and I'm able to access anti-virus sites I wasn't previously able to. I'll do another full scan tomorrow and see if anythings still lingering.

[chaslang]

You need to run what Tim asked you to run in message number 2

Quote:

READ & RUN ME FIRST. Malware Removal Guide

Your Eset logs shows it did not fix the source of the Sirefef infection.

Quote:

C:\Windows\System32\services.exe Win32/Sirefef.FB.Gen trojan unable to clean

[danUK]

Quote:

Originally Posted by chaslang

Your Eset logs shows it did not fix the source of the Sirefef infection.

Indeed, which is why I followed it up through the instructions on the ESET website. By using the link I posted, it managed to repair the services.exe, so I'll run another scan tonight, followed by the Malware removal guide and see where that leaves me.

[chaslang]

Okay. If you at least run MGtools and attach the C:\MGlogs.zip, we can probably tell if you are okay.

[danUK]

Cool, Eset didn't find any threats on the latest scan so no logs to attach.

Ran MGtools and attached the log. Thanks for the help.

[chaslang]

ESET missed a few things. Also they replaced the infected services.exe file with one from Vista SP1 and you are running SP2. They should have used the SP2 backup.

Also you have a big no no! You installed three antivirus programs:
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
Microsoft Security Essentials

Now you will need to uninstall all of them first, before doing anything else. Then later ( once we finish cleanup ) you will install ONLY ONE antivirus program.

However since you have not run our full cleaning procedure, I will need you to run another scan tool so that we can use it to finish your cleaning.


Please download OTL by OldTimer.

• Save it to your desktop.
• Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
• Check the "Scan All Users" checkbox.
• Check the "Standard Output".
• Change the setting of "Drivers" and "Services" to "All"
• Copy the text in the code box below and paste it into the Customs Scans/Fixes text-field.
  
  Code:

  netsvcs
  /md5start
  explorer.exe
  services.exe
  svchost.exe
  winlogon.exe
  /md5stop
  %systemroot%\system32\*.exe /lockedfiles
  %systemroot%\system32\drivers\*.sys /lockedfiles

• Now click the Run Scan button.
• Two reports will be created:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
• Attach both OTL.txt and Extras.txt to your next message. (See how to attach)

[danUK]

Unistalled each Anti-Virus and ran OldTimer, here are the logs attached.

Thanks

[chaslang]

• Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
• Copy the text in the code box below and paste it into the text-field.

Code:

:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\gaqdwgyq.sys -- (gaqdwgyq)
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:5DEDED40
@Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:BC359956
:Files        
C:\Windows\System32\services.exe C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe /replace
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U\00000001.@
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}
C:\Users\user\AppData\Local\{89926437-646a-a034-f6d4-6d335cc77cd9}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\2t082038vv3fl5we64v2j037hlimvlnj5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\YGvcpA571Wx          
C:\Users\user\AppData\Local\apfkxsuk.log
C:\Users\user\AppData\Local\bgmxqpcl.log
C:\Users\user\AppData\Local\cdcqowfc.log
C:\Users\user\AppData\Local\emgupqlq.log
C:\Users\user\AppData\Local\fvaialog.log
C:\Users\user\AppData\Local\mfgorigc.log
C:\Users\user\AppData\Local\oxwlehkf.log
C:\Users\user\AppData\Local\smpbgqhd.log
C:\Users\user\AppData\Local\uwuxtcqh.log
C:\Users\user\AppData\Local\vpimmpei.log
C:\Users\user\AppData\Local\xergjpsb.log
C:\ProgramData\nqnivhcp.log
C:\Windows\Temp\TMP00032C6C947607733F957E57
C:\Users\user\AppData\Local\Temp\Soft32_Stub_5741.exe
C:\Users\user\AppData\Local\Temp\su-setup.exe
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
:Commands
[PURITY]
[EMPTYTEMP] 
[EMPTYFLASH]

[REBOOT]

• Now click the button.
• If the fix needed a reboot please do it.
• Click the OK button (upon reboot).
• When OTL is finished, Notepad will open. Close Notepad.
• A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
• Attach this log to your next message. (See: How to attach)

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:

• the log from OTL
• C:\MGlogs.zip

Make sure you tell me how things are working now!