services.exe trojan + disabled firewall

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by danUK, Jul 28, 2012.

  1. danUK

    danUK Private E-2

    After discovering last week that my Paypal account had been hacked into, I've become conscious of the fact that there must be a number of viruses on my system that I am not aware of. Upon realisation that my Windows Firewall is being prevented from operating, I ran scans through MalwareBytes and Avira. While these detected and removed some problems, the firewall issue still persists.

    Following advice from this forum, I downloaded and ran TDSSKiller. This found 11 'suspicious' threats, and I have attached the log of the scan for your expert analysis.

    I would appreciate any further help you may have at curing this virus.

    Thanks. Dan.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. danUK

    danUK Private E-2

    As mentioned in my post, removal software such as MalwareBytes was unable to cure the infected system file.

    I've deduced that it's probably a 'trojan horse patched_c.lyt' virus

    Any further help will be appreciated.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to follow all the instructions in the READ & RUN ME FIRST and attach the logs if you expect us to help you. It does not matter whether they fix it or not. We need the logs to give you a proper fix.

    Also you needed to have TDSSKiller fix the below two items, which are infections:
    01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
    01:40:36.0196 4060 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
     
  5. danUK

    danUK Private E-2

    Ah right. Well I ran both TDSSKiller and MalwareBytes again, and removed the threats. However, the problem (disabled firewall, inaccessible virus sites, security threats) still persists.

    I've attached the log for the MalwareBytes scan. Thanks.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MBAM is indicating a Ramnit virus as well as a Zero Access virus. Ramnit viruses are near impossible to cure, but first we need to know how infected you are. Please go to eSet Online Scan. Scan it three times and attach each log to your next reply.
     
  7. danUK

    danUK Private E-2

    Oh dear, well I'll get the logs posted later tonight.

    I've bought a new PC as the infected one is fairly ancient now, will it be possible to transfer data onto the new one without necessarily infecting it?
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Heed this warning ( until we know how badly you are infected ):

    The problem is that the damage caused by this infection really makes a PC unreliable/untrustworthy. PE file infectors like Ramnit, Virut,.... etc can infect all executable files (DLL, EXE, SCR....and many more and also HTML). These infections can open back doors that truly may compromise your computer and your security. These backdoors could allow a remote attacker to access and instruct the infected computer to download and execute more malicious files.

    In many cases the infected files (which could number in the thousands) cannot be disinfected properly by your anti-virus or by other scanning tools. Also when disinfection is attempted, the files often become corrupted and the system may become unstable or irreparable. The longer Ramnit remains on a computer, the more files it may infect and/or corrupt, so the degree of infection can vary.

    Ramnit is commonly spread via a flash drive (usb, pen, thumb, jump) infection where it copies the Ramnit worm using a random file name. The infection is often contracted by visiting remote, crack and keygen sites. These type of sites are a major source of system infection.
     
  9. danUK

    danUK Private E-2

    Hi Tim,

    Just finished the first scan of my C drive and it detected around 1700 infected files, unfortunately. Is it worth continuing?

    Is any of the undetected data salvageable at this stage? As you mentioned in your posts, it was mostly .exes and .dlls, but what about music libraries etc.? Do they still carry the risk of transferring the Ramnit?

    Also, is it possible for the virus to infect other computers via my email account? (Which I found has been compromised...)

    Thanks
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    No, you are too highly infected.
    Your best bet would be to transfer your music files to an external drive or thumb drive and then scan that drive.
    Not that I am aware of.

    Your only option at this point is to do a complete reformat (including re-partitioning) and a new install. :(
    You're welcome. Sorry for the bad news.
     
  11. danUK

    danUK Private E-2

    On the second scan through I didn't find any files in that drive, is that encouraging or just misleading?

    Are there any alternatives to backing up data? It's only a select number of images, music and documents that I'd ideally like to save. Unfortunately I suspect both my flash drives will also be infected; can they feasibly be cleaned and used?

    My priority is to ensure my new system isn't infected, but if it is at all possible to save some .jpgs, .wavs and .docs without spreading the risk, I'd really appreciate some help in achieving that.

    Thanks again.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to attach the logs from running Eset. Otherwise I haven't a clue as to what is happening.
     
  13. danUK

    danUK Private E-2

    Right, I've attached the results of the second scan. Unfortunately I didn't save a log of the first one.

    Following this I followed the instructions on the ESET site to remove the Sirefef and repair Window Services. (http://kb.eset.com/esetkb/index?page=content&id=SOLN2895)

    So far it looks to have done the job. My Firewall is back and enabled again, and I'm able to access anti-virus sites I wasn't previously able to. I'll do another full scan tomorrow and see if anything's still lingering.
     


  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run what Tim asked you to run in message number 2. Your Eset logs show it did not fix the source of the Sirefef infection.
     
  15. danUK

    danUK Private E-2

    Indeed, which is why I followed it up through the instructions on the ESET website. By using the link I posted, it managed to repair the services.exe, so I'll run another scan tonight, followed by the Malware removal guide and see where that leaves me.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay. If you at least run MGtools and attach the C:\MGlogs.zip, we can probably tell if you are okay.
     
  17. danUK

    danUK Private E-2

    Cool, Eset didn't find any threats on the latest scan so no logs to attach.

    Ran MGtools and attached the log. Thanks for the help.
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ESET missed a few things. Also they replaced the infected services.exe file with one from Vista SP1 and you are running SP2. They should have used the SP2 backup.

    Also you have a big no no! You installed three antivirus programs:
    AVG Free 9.0
    Avira AntiVir Personal - Free Antivirus
    Microsoft Security Essentials

    Now you will need to uninstall all of them first, before doing anything else. Then later ( once we finish cleanup ) you will install ONLY ONE antivirus program.

    However since you have not run our full cleaning procedure, I will need you to run another scan tool so that we can use it to finish your cleaning.


    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      explorer.exe
      services.exe
      svchost.exe
      winlogon.exe
      /md5stop
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
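    The OTL /md5start block above hashes services.exe and the other core binaries, and chaslang's point is that the replacement copy must come from the WinSxS backup for the service pack actually installed (SP2, build 6.0.6002, not SP1). The Python below is an added example, not part of the thread or of OTL: it compares a live system file's SHA-256 with a WinSxS backup copy and checks the build number embedded in the backup's directory name. The WinSxS SP2 path is the one from this thread; the SP1 directory name, the file contents and the temp-directory layout are constructed for the demo.

    ```python
    import hashlib
    import re
    import tempfile
    from pathlib import Path

    # Build number embedded in a WinSxS component directory name, e.g. ..._6.0.6002.18005_none_...
    WINSXS_VERSION = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_none_")
    VISTA_SP2_BUILD = "6.0.6002"   # Vista SP2 is build 6002; SP1 is build 6001

    def sha256_of(path):
        """Stream-hash a file so large binaries do not need to be read into memory."""
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()

    def backup_build(backup_path):
        """Extract the full build string from the parent WinSxS directory name, or None."""
        m = WINSXS_VERSION.search(Path(backup_path).parent.name)
        return m.group(1) if m else None

    def check_system_file(live_path, backup_path, expected_build=VISTA_SP2_BUILD):
        """Report whether the live file matches the backup and whether the backup belongs to the expected SP."""
        build = backup_build(backup_path) or ""
        return {
            "hash_match": sha256_of(live_path) == sha256_of(backup_path),
            "backup_build": build,
            "build_ok": build.startswith(expected_build + "."),
        }

    def demo():
        """Constructed sample mirroring the thread: live services.exe was replaced with an SP1 copy.
        File contents are placeholder bytes, not real binaries."""
        root = Path(tempfile.mkdtemp())
        winsxs = root / "winsxs"
        sp2 = winsxs / "x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56" / "services.exe"
        sp1 = winsxs / "x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_0000000000000000" / "services.exe"  # constructed
        live = root / "System32" / "services.exe"
        for p, data in ((sp2, b"clean-sp2"), (sp1, b"clean-sp1"), (live, b"clean-sp1")):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        # Against the SP2 backup the hash differs; against the SP1 backup the hash matches but the SP is wrong.
        return {"vs_sp2": check_system_file(live, sp2), "vs_sp1": check_system_file(live, sp1)}

    if __name__ == "__main__":
        print(demo())
    ```

    Either failing check (hash mismatch against the correct-SP backup, or a match only against the wrong SP's backup) is the signal that the live services.exe still needs replacing.
    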
     
  19. danUK

    danUK Private E-2

    Uninstalled each Anti-Virus and ran OldTimer, here are the logs attached.

    Thanks
     


  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :OTL
    DRV - File not found [Kernel | System | Stopped] -- C:\Windows\system32\drivers\gaqdwgyq.sys -- (gaqdwgyq)
    @Alternate Data Stream - 128 bytes -> C:\ProgramData\Temp:5DEDED40
    @Alternate Data Stream - 116 bytes -> C:\ProgramData\Temp:BC359956
    :Files        
    C:\Windows\System32\services.exe C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe /replace
    C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U
    C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}\U\00000001.@
    C:\Windows\installer\{89926437-646a-a034-f6d4-6d335cc77cd9}
    C:\Users\user\AppData\Local\{89926437-646a-a034-f6d4-6d335cc77cd9}
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\2t082038vv3fl5we64v2j037hlimvlnj5
    C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\YGvcpA571Wx          
    C:\Users\user\AppData\Local\apfkxsuk.log
    C:\Users\user\AppData\Local\bgmxqpcl.log
    C:\Users\user\AppData\Local\cdcqowfc.log
    C:\Users\user\AppData\Local\emgupqlq.log
    C:\Users\user\AppData\Local\fvaialog.log
    C:\Users\user\AppData\Local\mfgorigc.log
    C:\Users\user\AppData\Local\oxwlehkf.log
    C:\Users\user\AppData\Local\smpbgqhd.log
    C:\Users\user\AppData\Local\uwuxtcqh.log
    C:\Users\user\AppData\Local\vpimmpei.log
    C:\Users\user\AppData\Local\xergjpsb.log
    C:\ProgramData\nqnivhcp.log
    C:\Windows\Temp\TMP00032C6C947607733F957E57
    C:\Users\user\AppData\Local\Temp\Soft32_Stub_5741.exe
    C:\Users\user\AppData\Local\Temp\su-setup.exe
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    
    [REBOOT]
    • Now click the Run Fix button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  21. danUK

    danUK Private E-2

    Attached both logs. As for functionality, everything seems fine at the moment. Firewall working, recovered a lot of disk space, no redirects or blocked sites.

    Thanks
     


  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.



    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  23. danUK

    danUK Private E-2

    So what did the logs suggest? Is my System OK? I probably wouldn't use it to log into anything sensitive anymore (Banking, Paypal etc.), but is it looking like it might be safe to transfer some .jpg and .wav files to my new PC?

    Thanks for all the help guys.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. That is why I gave final instructions. If you had any other problems, you would have to describe them and then we would make special scans/fixes to address them.

    It's up to you, but this PC is just as safe as any new PC that you connect to the internet. Once any PC has been connected to the internet, there are no guarantees that it is 100% clean. However, in most cases, running thru a full cleaning process like we perform is a pretty reliable check up. The problem is that many people can get themselves reinfected rather quickly after already having been given the all clean. As stated in the How to protect yourself from malware link, the 1st line of defense can also be the weakest link. And that is the end user/users of the PC. ;)
     
