MajorGeeks Support Forums

  #1  
07-28-12, 19:51
danUK
services.exe trojan + disabled firewall

After discovering last week my Paypal account had been hacked into, I've become conscious of the fact that there must be a number of viruses on my system that I am not aware of. Upon realisation that my Windows Firewall is being prevented from operating, I ran scans through MalwareBytes and Avira. While these detected and removed some problems, the firewall issue still persists.

Following advice from this forum, I downloaded and ran TDSSkiller. This found 11 'suspicious' threats, and I have attached the log of the scan for your expert analysis.

I would appreciate any further help you may have at curing this virus.

Thanks. Dan.
Attached Files
File Type: txt TDSSKiller.2.7.48.0_29.07.2012_01.32.53_log.txt (126.4 KB, 7 views)
  #2  
07-29-12, 15:52
TimW

Please follow these instructions:

READ & RUN ME FIRST. Malware Removal Guide
__________________
Major cake licker.
YCLAHTW, BYCMHD!!

Major Geeks on Facebook

Major Geeks Newsletter
  #3  
07-29-12, 18:20
danUK

As mentioned in my post, removal software such as MalwareBytes was unable to cure the infected system file.

I've deduced that it's probably a 'trojan horse patched_c.lyt' virus

Any further help will be appreciated.
  #4  
07-29-12, 21:26
chaslang

Quote (Originally Posted by danUK):
As mentioned in my post, removal software such as MalwareBytes was unable to cure the infected system file.

You need to follow all the instructions in the READ & RUN ME FIRST and attach the logs if you expect us to help you. It does not matter whether they fix it or not. We need the logs to give you a proper fix.

Also you needed to have TDSSKiller fix the two items below, which are infections:
01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
__________________
"There are 10 types of people in this world. Those who understand binary and those who don't."


Support Majorgeeks on Facebook:

Majorgeeks Newsletter
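Added example, not part of the thread or of TDSSKiller itself: chaslang's point above is that a detection the user chose to skip is still an infection. The Python below parses result lines of the shape quoted in his post and reports every flagged object that was skipped and never cured or deleted. The line format and the "skip"/"cure"/"delete" result vocabulary are assumptions inferred from the two quoted lines; the sample log is constructed and mixes those two lines with made-up ones.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Line shape inferred from the two TDSSKiller lines quoted in the thread
# (assumption: "<HH:MM:SS.ffff> <pid> <object> ( <detection> ) - <result>").
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+"
    r"(?P<obj>\S.*?)\s+\(\s*(?P<detection>[^)]*?)\s*\)\s+-\s+(?P<result>.+?)\s*$"
)

# Result words treated as "action taken" vs "left alone" (assumed vocabulary,
# built from the quoted "skipped by user" / "User select action: Skip" lines).
ACTED_WORDS = ("cure", "delete", "quarantine")
SKIPPED_WORDS = ("skip",)


@dataclass
class Detection:
    time: str
    pid: int
    obj: str        # file or device the scanner flagged
    detection: str  # scanner's label, e.g. "TDSS File System"
    result: str     # what happened to it


def parse_line(line: str) -> Optional[Detection]:
    """Parse one result line; return None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Detection(m["time"], int(m["pid"]), m["obj"], m["detection"], m["result"])


def unresolved_detections(lines) -> List[Detection]:
    """Return the last line for every flagged object that was skipped and never acted on.

    Several lines may refer to the same object (the quoted pair both name
    \\Device\\Harddisk0\\DR0), so results are grouped per object first.
    """
    per_obj: Dict[str, List[Detection]] = {}
    for line in lines:
        d = parse_line(line)
        if d is not None:
            per_obj.setdefault(d.obj, []).append(d)

    unresolved = []
    for dets in per_obj.values():
        results = [d.result.lower() for d in dets]
        acted = any(w in r for r in results for w in ACTED_WORDS)
        skipped = any(w in r for r in results for w in SKIPPED_WORDS)
        if skipped and not acted:
            unresolved.append(dets[-1])
    return unresolved


# Constructed sample: the two lines chaslang quoted plus three made-up lines.
SAMPLE_LOG = """\
01:40:36.0196 4060 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - skipped by user
01:40:36.0196 4060 \\Device\\Harddisk0\\DR0 ( TDSS File System ) - User select action: Skip
01:40:37.0100 4060 C:\\Windows\\system32\\drivers\\example.sys ( Suspicious ) - skipped by user
01:40:37.0200 4060 C:\\Windows\\Temp\\example.tmp ( Suspicious ) - User select action: Delete
01:40:38.0000 4060 Scan finished
"""

if __name__ == "__main__":
    for d in unresolved_detections(SAMPLE_LOG.splitlines()):
        print(f"NOT FIXED: {d.obj} [{d.detection}] -> {d.result}")
```

Run against the constructed sample it reports the boot-sector object and the driver as not fixed, while the deleted temp file and the status line are left out. Grouping per object matters: a scanner commonly emits one line for the verdict and one for the user's choice, and only the combination tells you whether anything was actually done.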
  #5  
08-01-12, 10:23
danUK

Ah right. Well I ran both TDSSKiller and MalwareBytes again, and removed the threats. However, the problem (disabled firewall, inaccessible virus sites, security threats) still persists.

I've attached the log for the MalwareBytes scan. Thanks.
Attached Files
File Type: txt mbam-log-2012-08-01 (15-40-29).txt (3.5 KB, 4 views)
  #6  
08-01-12, 13:41
TimW

MBAM is indicating a Ramnit virus as well as a Zero Access virus. Ramnit viruses are near impossible to cure, but first we need to know how infected you are. Please go to eSet Online Scan. Scan it three times and attach each log to your next reply.
  #7  
08-01-12, 14:34
danUK

Oh dear, well I'll get the logs posted later tonight.

I've bought a new PC as the infected one is fairly ancient now, will it be possible to transfer data onto the new one without necessarily infecting it?
  #8  
08-01-12, 14:51
TimW

Heed this warning ( until we know how badly you are infected ):

The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut, etc. can infect all executable files (DLL, EXE, SCR and many more, and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt so the degree of infection can vary.

Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These types of sites are a major source of system infection.
  #9  
08-01-12, 19:10
danUK

Hi Tim,

Just finished the first scan of my C drive and unfortunately it detected around 1700 infected files. Is it worth continuing?

Is any of the undetected data salvageable at this stage? As you mentioned in your posts, it was mostly .exes and .dlls, but what about music libraries etc.? Do they still carry the risk of transferring the Ramnit?

Also, is it possible for the virus to infect other computers via my email account? (Which I found has been compromised...)

Thanks
  #10  
08-02-12, 10:02
TimW

Quote (Originally Posted by danUK):
Hi Tim,

Just finished the first scan of my C drive and unfortunately it detected around 1700 infected files. Is it worth continuing?

No, you are too highly infected.

Quote (Originally Posted by danUK):
Is any of the undetected data salvageable at this stage? As you mentioned in your posts, it was mostly .exes and .dlls, but what about music libraries etc.? Do they still carry the risk of transferring the Ramnit?

Your best bet would be to transfer your music files to an external drive or thumb drive and then scan that drive.

Quote (Originally Posted by danUK):
Also, is it possible for the virus to infect other computers via my email account? (Which I found has been compromised...)

Not that I am aware of.

Your only option at this point is to do a complete reformat ( including re-partitioning) and a new install.

Quote (Originally Posted by danUK):
Thanks

You're welcome. Sorry for the bad news.
  #11  
08-02-12, 11:26
danUK

Quote (Originally Posted by TimW):
No, you are too highly infected.

Your best bet would be to transfer your music files to an external drive or thumb drive and then scan that drive.

On the second scan through I didn't find any files in that drive, is that encouraging or just misleading?

Are there any alternatives to backing up data? It's only a select number of images, music and documents that I'd ideally like to save. Unfortunately I suspect both my flash-drives will also be infected; can they feasibly be cleaned and used?

My priority is to ensure my new system isn't infected, but if it is at all possible to save some .jpgs, .wavs and .docs without spreading the risk I'd really appreciate some help in achieving that.

Thanks again.
  #12  
08-02-12, 14:23
TimW

You need to attach the logs from running Eset. Otherwise I haven't a clue as to what is happening.
  #13  
08-02-12, 19:52
danUK

Right, I've attached the results of the second scan. Unfortunately I didn't save a log of the first one.

Following this I followed the instructions on the ESET site to remove the Sirefef and repair Windows Services. (http://kb.eset.com/esetkb/index?page...nt&id=SOLN2895)

So far it looks to have done the job. My Firewall is back and enabled again, and I'm able to access anti-virus sites I wasn't previously able to. I'll do another full scan tomorrow and see if anything's still lingering.
Attached Files
File Type: txt esetscan.txt (582 Bytes, 2 views)
  #14  
08-02-12, 23:22
chaslang

You need to run what Tim asked you to run in message number 2. Your Eset log shows it did not fix the source of the Sirefef infection.
Quote:
C:\Windows\System32\services.exe Win32/Sirefef.FB.Gen trojan unable to clean
  #15  
08-03-12, 10:03
danUK

Quote (Originally Posted by chaslang):
Your Eset log shows it did not fix the source of the Sirefef infection.
Indeed, which is why I followed it up through the instructions on the ESET website. By using the link I posted, it managed to repair the services.exe, so I'll run another scan tonight, followed by the Malware removal guide and see where that leaves me.
  #16  
08-04-12, 11:26
chaslang

Okay. If you at least run MGtools and attach the C:\MGlogs.zip, we can probably tell if you are okay.
  #17  
08-04-12, 12:28
danUK

Cool, Eset didn't find any threats on the latest scan so no logs to attach.

Ran MGtools and attached the log. Thanks for the help.
Attached Files
File Type: zip MGlogs.zip (370.3 KB, 2 views)
  #18  
08-04-12, 13:01
chaslang

ESET missed a few things. Also they replaced the infected services.exe file with one from Vista SP1 and you are running SP2. They should have used the SP2 backup.

Also you have a big no no! You installed three antivirus programs:
AVG Free 9.0
Avira AntiVir Personal - Free Antivirus
Microsoft Security Essentials

Now you will need to uninstall all of them first, before doing anything else. Then later ( once we finish cleanup ) you will install ONLY ONE antivirus program.

However since you have not run our full cleaning procedure, I will need you to run another scan tool so that we can use it to finish your cleaning.


Please download OTL by OldTimer.
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
  • Check the "Scan All Users" checkbox.
  • Check the "Standard Output".
  • Change the setting of "Drivers" and "Services" to "All"
  • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    netsvcs
    /md5start
    explorer.exe
    services.exe
    svchost.exe
    winlogon.exe
    /md5stop
    %systemroot%\system32\*.exe /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
  • Now click the Run Scan button.
  • Two reports will be created:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
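Added example, not part of the thread or of OTL/MGtools: the OTL scan above hashes four core binaries with /md5start, and chaslang's point in this post is that a "repaired" services.exe taken from the wrong service pack is itself a problem. The Python below shows the defender-side use of such hashes: compare each critical file against a known-good baseline and report matches, mismatches, missing files and files with no reference digest as separate outcomes, so a replaced-but-wrong binary is not mistaken for a clean one. The directory, file contents and baseline are constructed stand-ins for System32; MD5 is used because that is the digest OTL reports, and a baseline built today would use SHA-256 instead.

```python
import hashlib
import os
import tempfile
from typing import Dict

# The four binaries the OTL /md5start block in the thread hashes.
CRITICAL_FILES = ("explorer.exe", "services.exe", "svchost.exe", "winlogon.exe")


def md5_of_file(path: str, chunk_size: int = 65536) -> str:
    """Stream a file through MD5 (the digest OTL reports) and return the hex string."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def compare_with_baseline(system32_dir: str, baseline: Dict[str, str]) -> Dict[str, str]:
    """Compare each critical file against a known-good baseline of hex digests.

    One status per file:
      "ok"           digest matches the baseline
      "MISMATCH"     digest differs (patched, or replaced by a wrong-version copy)
      "MISSING"      file absent from the directory
      "NO_BASELINE"  no reference digest, so nothing can be concluded
    """
    report: Dict[str, str] = {}
    for name in CRITICAL_FILES:
        path = os.path.join(system32_dir, name)
        if not os.path.isfile(path):
            report[name] = "MISSING"
            continue
        expected = baseline.get(name)
        if expected is None:
            report[name] = "NO_BASELINE"
        elif md5_of_file(path).lower() == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "MISMATCH"
    return report


def demo() -> Dict[str, str]:
    """Run the check on a constructed stand-in for System32 in a temp directory."""
    clean = {
        "explorer.exe": b"constructed clean explorer",
        "services.exe": b"constructed clean services",
        "svchost.exe": b"constructed clean svchost",
        "winlogon.exe": b"constructed clean winlogon",
    }
    # Baseline built from the clean bytes; svchost.exe is left out on purpose.
    baseline = {n: hashlib.md5(b).hexdigest() for n, b in clean.items() if n != "svchost.exe"}

    with tempfile.TemporaryDirectory() as d:
        for name, data in clean.items():
            if name == "winlogon.exe":
                continue  # simulate a missing file
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # Simulate the thread's situation: the services.exe on disk is not the expected build.
        with open(os.path.join(d, "services.exe"), "wb") as f:
            f.write(b"constructed services.exe from a different service pack")
        return compare_with_baseline(d, baseline)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14s} {status}")
```

The four distinct outcomes are the point: a file with no reference digest is not "ok", it is unknown, and a missing core binary is worth flagging on its own. On a real machine the baseline would come from a trusted source for the exact Windows build and service pack, which is exactly the detail chaslang says ESET got wrong here.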
  #19  
08-05-12, 06:46
danUK

Uninstalled each Anti-Virus and ran OldTimer, here are the logs attached.

Thanks
Attached Files
File Type: txt OTL.Txt (253.0 KB, 2 views)
File Type: txt Extras.Txt (63.3 KB, 0 views)
  #20  
08-05-12, 19:10
chaslang

  • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
  • Copy the text in the code box below and paste it into the text-field.
Code:
:OTL
DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\gaqdwgyq.sys -- (gaqdwgyq)
@Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:5DEDED40
@Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:BC359956
:Files
C:\Windows\System32\services.exe C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe /replace
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U\00000001.@
C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}
C:\Users\user\AppData\Local\{89926437-646a-a034-f6d4-6d335cc77cd9}
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\2t082038vv3fl5we64v2j037hlimvlnj5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\YGvcpA571Wx
C:\Users\user\AppData\Local\apfkxsuk.log
C:\Users\user\AppData\Local\bgmxqpcl.log
C:\Users\user\AppData\Local\cdcqowfc.log
C:\Users\user\AppData\Local\emgupqlq.log
C:\Users\user\AppData\Local\fvaialog.log
C:\Users\user\AppData\Local\mfgorigc.log
C:\Users\user\AppData\Local\oxwlehkf.log
C:\Users\user\AppData\Local\smpbgqhd.log
C:\Users\user\AppData\Local\uwuxtcqh.log
C:\Users\user\AppData\Local\vpimmpei.log
C:\Users\user\AppData\Local\xergjpsb.log
C:\ProgramData\nqnivhcp.log
C:\Windows\Temp\TMP00032C6C947607733F957E57
C:\Users\user\AppData\Local\Temp\Soft32_Stub_5741.exe
C:\Users\user\AppData\Local\Temp\su-setup.exe
:Reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
:Commands
[PURITY]
[EMPTYTEMP]
[EMPTYFLASH]

[REBOOT]
  • Now click the button.
  • If the fix needed a reboot please do it.
  • Click the OK button (upon reboot).
  • When OTL is finished, Notepad will open. Close Notepad.
  • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
  • Attach this log to your next message. (See: How to attach)
Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


Then attach the below logs:
  • the log from OTL
  • C:\MGlogs.zip
Make sure you tell me how things are working now!
All times are GMT -5.