Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by RedJamaX, Jul 24, 2012.

  1. RedJamaX

    RedJamaX Private E-2

    Ok,

    I have AVG Anti-Virus and Win7 64-bit. I recently began receiving notifications of "trojan horse dropper.generic_c.mmi" infecting my computer via the services.exe executable. I found another post from Ryanpic, and Kestrel13! was able to assist him in removing the infection from his PC.

    I analyzed the process laid out by Kestrel13!, then I analyzed the files which were sent back and forth. I then applied the same removal procedure techniques to my PC, utilizing the same utility (FRST64.exe) from the previous post.

    While it seems I was able to remove the Trojan Dropper, it looks like I still have some issues that need to be resolved and I am not sure if the same utility can help, or if these items are even related, but I am hoping Kestrel13!, or somebody can help.

    So here is what I have done...

    Files beginning with "1"
    1. Boot Win7 to "Repair" mode.
    2. Ran frst64 to generate a report (1-FRST.txt). Analyzed it and built a fixlist.txt file containing the "Zero Access" items.
    3. Applied the frst64 FIX based on (1-fixlist.txt)
    4. Fix log file is named (1-fixlog.txt)

    Boot to Windows once. Then rebooted to "Repair" mode.

    5. Generated Second report (2-FRST.txt).
    Services.exe has an "Attention" flag
    svchost.exe has "possible MBR infection"
    6. Generated new fixlist.txt (2-fixlist.txt) which included file replacement procedures for svchost.exe and services.exe.
    7. Applied the FIX a second time (log file named 2-fixlog.txt)

    Boot to Windows once. Reboot to "Repair" mode.

    8. Generate another FRST.txt report (3-FRST.txt)

    Two concerns still remain:
    A. THIS REGISTRY ENTRY: HKU\UpdatusUser\...\Run: [CutePDF] rundll32.exe "C:\Users\Eric\AppData\Local\CutePDF_Filler\CutePDF\tvzjqlnhf.dll",CreateInstance [x]
    B. svchost.exe still listed as "possible MBR infection"

    9. Boot to Windows SAFE MODE. Manually remove the registry entry listed above. Cleaned ALL Temp Files from drive (Windows Drive Cleaning utility)
    10. Boot to Windows once. Reboot to "Repair" mode.
    11. Generate another FRST.txt report (4-FRST.txt)

    Both concerns listed above still remain...
    A. THIS REGISTRY ENTRY: HKU\UpdatusUser\...\Run: [CutePDF] rundll32.exe "C:\Users\Eric\AppData\Local\CutePDF_Filler\CutePDF\tvzjqlnhf.dll",CreateInstance [x]
    B. svchost.exe still listed as "possible MBR infection"

    Any help would be greatly appreciated.

    Thanks!
     


  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    ----------------------------------------------------
    Boot to System Recovery Options and run FRST again.
    Type the below bolded text in the edit box after "Search:".

    services.exe

    Then click the Search button.

    It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.

    ----------------------------------------------------

    Now run FRST without running a fix, just scan, and attach that log too.
     


  3. RedJamaX

    RedJamaX Private E-2

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    Thanks for helping Kestrel13!

    Here are the other four files I described in my original post. I could only attach four originally, and I had to wait for the post to be approved to respond with the second set of files. See my original post for descriptions of where the files are in the timeline of my procedure.

    You will see from the last FRST.txt log (4-FRST - After manual cleaning.txt) that I do not seem to have the Zero Access Desktop.ini file issues any longer. But I do have the MBR issue, and the registry entry I showed you is definitely some kind of spyware...

    REGISTRY ENTRY:
    HKU\UpdatusUser\...\Run: [CutePDF] rundll32.exe "C:\Users\Eric\AppData\Local\CutePDF_Filler\CutePDF\tvzjqlnhf.dll",CreateInstance [x]
    MBR INFECTION:
    svchost.exe still listed as "possible MBR infection"

    I see that you have an extra line at the top of the new fixlist.txt you just sent me and I will run that this evening and return the results.
    "2012-07-23 12:04 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\Windows\svchost.exe"

    Is there some kind of help guide for this utility that explains the syntax for the fixlist.txt file? Or general help on how to use it?

    Thanks!
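    An added example (not from this thread, FRST, or its author): a small Python checker run over constructed FRST-style lines modelled on the two findings quoted above. It flags a rundll32 Run entry that loads a random-looking DLL from a user-writable folder, and a core Windows binary sitting outside System32/SysWOW64 (a legitimate svchost.exe lives in C:\Windows\System32, not directly in C:\Windows). The regexes, the vowel-ratio threshold and the sample lines are this example's own assumptions.

```python
import re

# Constructed sample lines in the style of an FRST report (not the user's real log).
SAMPLE_LINES = [
    'HKU\\UpdatusUser\\...\\Run: [CutePDF] rundll32.exe "C:\\Users\\Eric\\AppData\\Local'
    '\\CutePDF_Filler\\CutePDF\\tvzjqlnhf.dll",CreateInstance [x]',
    '2012-07-23 12:04 - 2009-07-13 17:14 - 00020480 ____A (Microsoft Corporation) C:\\Windows\\svchost.exe',
    '2009-07-14 01:39 - 2009-07-14 01:39 - 00027136 ____A (Microsoft Corporation) C:\\Windows\\System32\\svchost.exe',
    'HKLM\\...\\Run: [Adobe ARM] "C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe"',
]

CORE_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "winlogon.exe"}
# Directories where those binaries legitimately live on Win7 x64 (assumed list).
CORE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments a standard user can write to without elevation (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\")

RUN_RE = re.compile(r"^(?P<key>HK[A-Z]+\\.*?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
FILE_RE = re.compile(r"\((?P<vendor>[^)]*)\) (?P<path>[A-Za-z]:\\\S.*\.exe)\s*$")
DLL_RE = re.compile(r'"?([A-Za-z]:\\[^",]+\.dll)"?', re.IGNORECASE)

def looks_random(stem):
    """Crude check: 8+ lowercase letters, no digits or separators, under 25% vowels."""
    if not re.fullmatch(r"[a-z]{8,}", stem):
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.25

def check_line(line):
    """Return a list of (reason, line) findings for one report line."""
    findings = []
    m = RUN_RE.match(line)
    if m and "rundll32" in m["cmd"].lower():
        dll = DLL_RE.search(m["cmd"])
        if dll:
            path = dll.group(1).lower()
            stem = path.rsplit("\\", 1)[-1][:-4]          # file name without ".dll"
            if any(d in path for d in USER_WRITABLE) and looks_random(stem):
                findings.append(("rundll32 autorun loads random-named DLL from user-writable path", line))
    m = FILE_RE.search(line)
    if m:
        path = m["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in CORE_BINARIES and not path.startswith(CORE_DIRS):
            findings.append((f"{name} outside System32/SysWOW64", line))
    return findings

def scan(lines):
    """Run check_line over every report line and collect the findings."""
    return [f for line in lines for f in check_line(line)]
```

    Running scan(SAMPLE_LINES) reports exactly the two suspicious lines and leaves the System32 copy of svchost.exe and the Adobe entry alone.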
     


  4. RedJamaX

    RedJamaX Private E-2

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    Please note: You can see from the logs on my previous post that I have also performed this operation (below), and the "Services.exe" file no longer has the Attention flag in the latest "FRST.txt" report file (4-FRST - After manual cleaning.txt).

     
  5. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    ------------------------------------------------

    Now run FRST normally without a fix and attach the log.

    You then should continue with these instructions. READ & RUN ME FIRST. Malware Removal Guide
     


  6. RedJamaX

    RedJamaX Private E-2

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    It looks like the log is still reporting the "possible MBR infection" on svchost.exe, and the registry entry I described earlier is back again also.
     


  7. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flash drive (Fixlog.txt).
    Please attach this to your next message. (How to attach)

    Now attempt to boot normally.

    ------------------------------------

    I want you to run TDSSKiller so refer to the below for how to do so.

    TDSSkiller - How to run


    Please also download MBRCheck to your desktop
    • Double-click MBRCheck.exe to run it (Vista and Win 7: right-click and select Run as Administrator)
    • It will show a Black screen with some information that will contain either the below line if no problem is found:
      • Done! Press ENTER to exit...
    • Or you will see more information like below if a problem is found:
      • Found non-standard or infected MBR.
      • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
    • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.




    Now do not stop, please continue on with the below instructions too! :)

    READ & RUN ME FIRST. Malware Removal Guide
     


  8. RedJamaX

    RedJamaX Private E-2

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    Ok!

    Looks like all of that has done the trick. I've attached the final FRST64 log file and I see no sign of any other infection.

    Please confirm. Then I will re-enable System Restore and create a new restore point.

    Thank You!!!
     


  9. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re: Kestrel13!, Help Please. trojan horse dropper.generic_c.mmi Win7 x64 via services

    You are welcome! :)

    Ready for final steps?

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double-clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double-click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
