Please help: Trojan horse infected Win64\Patched.A (infected file: services.exe)

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dylanrose, Mar 16, 2013.

  1. dylanrose

    dylanrose Private E-2

    I have been running my computer in safe mode with networking as I'm doing the said steps.

    Here are the logs from all the tools that might help my computer be cleaned.

    Also my problems are these viruses: 2 desktop.ini & trojan horses.

    Trojan horses like:
    (AVG Detected)
    Luhe.Sirefef.A
    Trojan horse Generic31.ZCS
    Trojan horse Generic28.CBQW

    all of these pertain to c:\windows\installer\{6.....} & the services.exe

    Please help. Thank you for your assistance. :)
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Why does the below process show up as running about 13 times in your logs?
    C:\Users\user\AppData\Local\RockMelt\Application\rockmelt.exe

    Is this some kind of tabbed browser? And why does it have to run the below every time you start your PC?
    O4 - HKCU\..\Run: [RockMelt Update] "C:\Users\user\AppData\Local\RockMelt\Update\RockMeltUpdate.exe

    Also why do you have the below in your hosts files?
    Code:
    127.0.0.1 http://www.iobit.com
    127.0.0.1 iobit.com
    127.0.0.1 98.129.229.186
    127.0.0.1 http://www.iana.org
    127.0.0.1 iana.org
    127.0.0.1 http://www.iobit.com
    127.0.0.1 iobit.com
    127.0.0.1 98.129.229.186
    127.0.0.1 http://www.iana.org
    127.0.0.1 iana.org
    127.0.0.1 http://www.iobit.com
    127.0.0.1 iobit.com
    127.0.0.1 98.129.229.186
    127.0.0.1 http://www.iana.org
    127.0.0.1 iana.org
    This is typical of what malware does: it loops back legitimate websites to 127.0.0.1.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista or Win 7, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&CUI=UN40362079636498285&ctid=CT3266585
    R3 - URLSearchHook: (no name) - {ee8030a5-22ac-4f75-bcab-433218ae8c81} - (no file)
    O2 - BHO: Vuze Remote - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll
    O2 - BHO: 4shared.com DH - {ee8030a5-22ac-4f75-bcab-433218ae8c81} - (no file)
    O3 - Toolbar: Vuze Remote Toolbar - {ba14329e-9550-4989-b3f2-9732e92d17cc} - C:\Program Files (x86)\Vuze_Remote\prxtbVuz2.dll
    O3 - Toolbar: (no name) - {ee8030a5-22ac-4f75-bcab-433218ae8c81} - (no file)
    O4 - HKLM\..\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"

    After clicking Fix, exit HJT.

    Now uninstall the below programs:
    Java(TM) 6 Update 37
    Vuze Remote Toolbar

    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Please download OTM by Old Timer and save it to your Desktop.
    • Run it by double clicking on it (Note: if using Vista, Win7, or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C
      (or, after highlighting, right-click and choose Copy): Do not include the word Code: which is just a title line of
      the code box
    Code:
    :Processes
    explorer.exe
     
    :Files
    C:\ProgramData\Tarma Installer
    C:\Program Files (x86)\Common Files\Spigot
    C:\Users\user\AppData\LocalLow\Mp3Tube Toolbar
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\@
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\L\00000004.@
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\L
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\U\00000008.@
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\U\80000032.@
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\U\80000064.@
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}\U
    C:\Windows\Installer\{6baaf310-a02a-ca0e-6de9-781f14c58ceb}
    C:\Program Files (x86)\Mozilla Firefox\searchplugins\babylon.xml
    C:\Users\user\AppData\Local\Babylon
    C:\Users\user\AppData\Roaming\Babylon
    C:\Users\user\AppData\Roaming\Funmoods
    C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\aadudf1t.default\searchplugins\funmoods.xml                                                                          
    C:\Windows\TEMP\*.*
    C:\Users\user\AppData\Local\Temp\*.*
     
    :Reg
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158}]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942}]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011221158}]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{46897C77-E7A6-4C33-BFFB-E9C2E2718942}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\AppID\{EA28B360-05E0-4F93-8150-02891F1D8D3C}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\DataMngr]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}]
    [-HKEY_USERS\.DEFAULT\Software\Funmoods]
    [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_USERS\S-1-5-18\Software\Funmoods]
    [-HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\DataMngr]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\DataMngr_Toolbar]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{2EECD738-5844-4A99-B4B6-146BF802613B}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{4D2D3B0F-69BE-477A-90F5-FDDB05357975}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{98889811-442D-49DD-99D7-DC866BE87DBC}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}]
    [-HKEY_USERS\S-1-5-21-3359990823-1646706164-2264289314-1000\Software\Softonic]
     
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
    "Tabs"="res://ieframe.dll/tabswelcome.htm"
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer] 
    
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large button.
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be
    saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach
    this log file to your next message.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
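    The two indicators chaslang points at in the post above, a hosts file that loops legitimate sites back to 127.0.0.1 and the {GUID}\@, L\*.@ and U\*.@ layout under C:\Windows\Installer that the OTM script removes, can both be checked by hand. The script below is an added example, not part of the thread and not one of the MajorGeeks tools; the hosts text and the directory tree it scans are constructed samples that mirror the entries quoted in the thread, the placeholder GUID {11111111-2222-3333-4444-555555555555} is invented, and the "file named @ plus L/U subfolders holding <8 hex digits>.@ files" rule is my generalisation of the paths listed in the OTM script rather than anything the thread states. It runs on any OS; point find_zeroaccess_footprint at a real C:\Windows\Installer to use it on a live box.

```python
"""Triage for two indicators from the thread: hosts-file loopback hijacks and the
ZeroAccess/Sirefef directory footprint.  Added example; sample data is constructed."""
import ipaddress
import re
import tempfile
from collections import Counter
from pathlib import Path

# Constructed hosts file mirroring the entries quoted in the thread (the header
# line is a plain comment, the URL on the last line is deliberately malformed).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.   (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.iobit.com
127.0.0.1 iobit.com
127.0.0.1 98.129.229.186
127.0.0.1 www.iana.org
127.0.0.1 iana.org
127.0.0.1 www.iobit.com
127.0.0.1 iobit.com
127.0.0.1 http://www.iobit.com
"""

# Names that legitimately map to a loopback address in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback"}
HOSTNAME_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$", re.I)


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_hosts(text):
    """Classify hosts-file entries.  Returns a dict with:
    hijacked   - hostnames (other than localhost names) sent to a loopback or
                 unspecified address, i.e. sites silently blackholed
    ip_literal - 'hostnames' that are IP addresses; the resolver never consults
                 the hosts file for numeric addresses, so these do nothing
    malformed  - line numbers that are not 'address hostname...' (e.g. a pasted URL)
    duplicates - entries that appear more than once, with their count"""
    report = {"hijacked": set(), "ip_literal": set(), "malformed": [], "duplicates": {}}
    seen = Counter()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not _is_ip(parts[0]):
            report["malformed"].append(no)
            continue
        addr = ipaddress.ip_address(parts[0])
        for name in parts[1:]:
            name = name.lower()
            if _is_ip(name):
                report["ip_literal"].add(name)
            elif not HOSTNAME_RE.match(name):
                report["malformed"].append(no)
            elif (addr.is_loopback or addr.is_unspecified) and name not in LOOPBACK_NAMES:
                report["hijacked"].add(name)
            seen[(parts[0], name)] += 1
    report["duplicates"] = {f"{a} {n}": c for (a, n), c in seen.items() if c > 1}
    report["hijacked"] = sorted(report["hijacked"])
    report["ip_literal"] = sorted(report["ip_literal"])
    return report


GUID_DIR_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
PAYLOAD_RE = re.compile(r"^[0-9a-f]{8}\.@$", re.I)


def find_zeroaccess_footprint(installer_root):
    """Return (dirname, [payload paths]) for {GUID} directories under installer_root
    that hold a file literally named '@' plus 'L' and/or 'U' subdirectories with
    files named <8 hex digits>.@  (rule generalised from the thread's OTM paths)."""
    hits = []
    for d in Path(installer_root).iterdir():
        if not (d.is_dir() and GUID_DIR_RE.match(d.name) and (d / "@").is_file()):
            continue
        payloads = []
        for sub in ("L", "U"):
            subdir = d / sub
            if subdir.is_dir():
                payloads += [f"{sub}/{p.name}" for p in subdir.iterdir()
                             if p.is_file() and PAYLOAD_RE.match(p.name)]
        if payloads:
            hits.append((d.name, sorted(payloads)))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: one ordinary MSI cache folder (placeholder GUID) and one
    folder laid out exactly like the ZeroAccess paths in the thread's OTM script."""
    root = Path(root)
    benign = root / "{11111111-2222-3333-4444-555555555555}"   # placeholder GUID
    benign.mkdir()
    (benign / "setup.ico").write_bytes(b"\x00")
    bad = root / "{6baaf310-a02a-ca0e-6de9-781f14c58ceb}"
    for sub in ("L", "U"):
        (bad / sub).mkdir(parents=True)
    (bad / "@").write_bytes(b"\x00")
    for rel in ("L/00000004.@", "U/00000008.@", "U/80000032.@", "U/80000064.@"):
        (bad / rel).write_bytes(b"\x00")
    return root


def demo():
    """Run both checks on the constructed samples and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        hits = find_zeroaccess_footprint(build_sample_tree(tmp))
    return audit_hosts(SAMPLE_HOSTS), hits


if __name__ == "__main__":
    report, hits = demo()
    print("hosts report:", report)
    print("ZeroAccess-style dirs:", hits)
```

    The hosts check deliberately treats a bare IP as a "hostname" and a pasted URL as malformed rather than as hijacks: neither ever matches a lookup, so they are evidence of sloppy tooling (or of a forum auto-linking the text) rather than an active redirect, while the four real hostnames are what actually blocks the vendor and IANA sites. The duplicate count is worth keeping because the thread shows the same block repeated three times, which usually means something re-wrote the file more than once.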
  3. dylanrose

    dylanrose Private E-2

    Regarding the rockmelt, yes, it is a tabbed browser that is why it has 13 logs. I'll do what you ask then I'm gonna upload it. Thank you for your immediate assistance! :)
     
  4. dylanrose

    dylanrose Private E-2

    Regarding the hosts file, I didn't know that it loops back again and again. I only know that I have the iObit as software protection.

    Please see attached files regarding the logs you need. Thank you!
     


  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.
    Okay then do the below.

    Download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by right clicking on it and selecting Run As Administrator.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Is everything working okay now?
     
