another System32\services.exe case. Help, please

Hi there,

I am getting the recurring alert about malware infection by:

C:\Windows\System32\services.exe

Just as reported by other people, it pops up every 3-4 minutes. At the beginning it was only one alert, but then two started and now there are three in a row. The three infected files are

C:\Windows\Installer{…}\U\00000001.@
C:\Windows\Installer{…}\U\800000cb.@
C:\Windows\Installer{…}\U\80000000.@ (if this means anything)

Following instructions I ran Anti-Malware, OTL and aswMBR, and I am attaching the logs, in the hope that some of you could give me a hand.

I don't know if this could be related, but I'm now facing another problem with some 0i763f66bz.exe file which I'm also trying to fix.

Any help would be much much appreciated.

Thank you in advance!

Regards. Miguel.

Hi Lazarus78, welcome to the forum.

To make cleaning this machine easier:
- Please do not uninstall/install any programs unless asked to. It is more difficult when files/programs are appearing in/disappearing from the logs.
- Please do not run any scans other than those requested.
- Please follow all instructions in the order posted.
- All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
- Do not attach any logs/reports, etc. unless specifically requested to do so.
- If you have problems with or do not understand the instructions, please ask before continuing.
- Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.

Please download ComboFix from Link 1 or Link 2 to your Desktop.

Note: In the event you already have ComboFix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

- If you are using Firefox, make sure that your download settings are as follows:
  Tools -> Options -> Main tab
  Set to "Always ask me where to save the files".

- During the download, before you save it to your desktop, rename ComboFix to jgh.exe.
- It is important you rename ComboFix during the download, but not after.
- Please do not rename ComboFix to other names, but only to the one indicated.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


- Very Important! Temporarily disable your antivirus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

- Double click on ComboFix.exe (jgh.exe in your case) and follow the prompts.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
4. If after running ComboFix you receive a message "Illegal operation attempted on a registry key that has been marked for deletion" or similar, reboot the computer.

Please post back with:
- ComboFix log
How is the computer?

Thanks

Thanks a lot for your help, oldman!

Things are slightly better now: the 0i763f66bz.exe file has been deleted, and now I'm getting only two warnings (instead of three) for the services.exe... (I'm trying to look at the bright side of life :)

ComboFix ran well, but at the end I got the message "illegal operation attempted on a registry key...", so I rebooted as you said.

I attach the log, and wait for further instructions.

You are just amazing here, pals. Thanks thanks thanks!!

Regards.

Hi Lazarus78,

Let’s see if we can find a good copy of the file.

Next

Please open OTL.

- Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, click the None button near the top (it may look greyed out).

- In the window under Custom Scans/Fixes copy and paste the following:

/md5start
services.*
/md5stop

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Thanks again, oldman.

Here you are.

Hi

Please follow all previous instructions regarding security programs.

Open a new Notepad session
- Click the Start button, click Run.
- In the Run box type notepad.
- Click OK.
- In Notepad, click "Format" and be certain that Word Wrap is not checked.

- Copy and paste all the text in the code box below into Notepad. Do not copy the word CODE.

FCopy::
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe | C:\Windows\System32\services.exe

In the notepad
- Click File, Save as..., and set the Save in to your Desktop.
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click Save.

Using your mouse left button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon.

This will start ComboFix again. Close all browser windows first.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post back with the combofix log.

How’s the computer?
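The two steps in the posts above (hashing every copy of services.* to find a known-good one, then copying it from the WinSxS component store back over the System32 file) can be reproduced and verified without OTL or ComboFix. The PowerShell script below is an added example written for this page; it is not part of the thread, nor OTL's or ComboFix's own code. It assumes an elevated PowerShell 2.0 or later on Windows Vista/7 or later, where files in System32 are hard links into WinSxS. The target paths are the ones the thread names (it also covers the regedit.exe check that comes later), and the `C:\Windows\Installer\*\U\*.@` pattern is a wildcard over the GUID the first post elided. Function names and status labels are this example's own.

```powershell
# Added example for this thread; not OTL, ComboFix, or the helper's own script.
# Assumptions: elevated PowerShell 2.0+ on Windows Vista/7 or later, where files in
# System32 are hard links into the WinSxS component store. Target paths are those
# named in the thread; the Installer\*\U\*.@ pattern wildcards the elided GUID.

# Binaries the thread checked with /md5start and restored with FCopy::.
$Targets = @(
    'C:\Windows\System32\services.exe',
    'C:\Windows\regedit.exe',
    'C:\Windows\SysWOW64\regedit.exe'
)

function Get-Sha256Hex {
    param([string]$Path)
    # Plain .NET so this also works on PowerShell 2.0 (Get-FileHash needs 4.0).
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-HardLinkCount {
    param([string]$Path)
    # fsutil prints one path per hard link. A serviced OS file has at least two
    # (System32 plus its WinSxS component); a file dropped in by copy has one.
    $links = & fsutil hardlink list $Path 2>$null
    if ($links) { @($links).Count } else { 0 }
}

function Get-FileVersionObject {
    param([System.IO.FileInfo]$File)
    # Build a sortable [version] from the numeric parts; the FileVersion string
    # carries trailing build tags such as "(win7_rtm.090713-1255)".
    $vi = $File.VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}

function Find-InstallerDropFiles {
    # The three flagged files in the first post lived under C:\Windows\Installer\{GUID}\U\
    # with an '@' extension; anything still matching that pattern is worth triaging.
    Get-ChildItem 'C:\Windows\Installer\*\U\*.@' -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime
}

function Test-SystemBinary {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Status = 'MISSING' }
    }
    $name = [System.IO.Path]::GetFileName($Path)
    $hash = Get-Sha256Hex $Path

    # Component-store copies sit one directory below winsxs, as in the thread's FCopy paths.
    $candidates = @(Get-ChildItem "C:\Windows\winsxs\*\$name" -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer })
    $matching = @($candidates | Where-Object { (Get-Sha256Hex $_.FullName) -eq $hash })
    $links    = Get-HardLinkCount $Path

    if ($matching.Count -eq 0) { $status = 'NO_WINSXS_MATCH' }     # replaced or patched on disk
    elseif ($links -lt 2)      { $status = 'MATCHES_WINSXS_COPY' } # restored by copy, as FCopy does
    else                       { $status = 'OK' }

    New-Object PSObject -Property @{
        Path          = $Path
        Status        = $status
        Version       = (Get-FileVersionObject (Get-Item $Path)).ToString()
        Sha256        = $hash
        HardLinks     = $links
        WinSxSMatches = $matching.Count
        # Known-good copies to restore from, newest first; pick the one whose version
        # and architecture prefix (amd64_/wow64_/x86_) match the target location.
        RestoreFrom   = @($candidates | Sort-Object { Get-FileVersionObject $_ } -Descending |
                          ForEach-Object { "$(Get-FileVersionObject $_)  $($_.FullName)" })
    }
}

'== Files under C:\Windows\Installer\*\U\ =='
Find-InstallerDropFiles | Format-Table -AutoSize | Out-String

'== System binaries vs. WinSxS component store =='
foreach ($t in $Targets) {
    Test-SystemBinary $t | Format-List Path, Status, Version, HardLinks, WinSxSMatches, RestoreFrom | Out-String
}
```

Run it from an elevated prompt. The script deliberately does not rely on Get-AuthenticodeSignature: on Windows 7 it reports most OS binaries as NotSigned because they are catalog-signed rather than carrying an embedded signature, so the component-store comparison (or the built-in `sfc /verifyonly`) is the dependable signal. A file restored by copy has a single hard link, so MATCHES_WINSXS_COPY is the expected state after an FCopy, not a finding; NO_WINSXS_MATCH is the state the thread started in. When choosing a RestoreFrom entry, match the architecture prefix to the destination (amd64_ for C:\Windows and System32 on x64, wow64_ for SysWOW64) and prefer a version matching the installed servicing level (the MBAM log in this thread shows Service Pack 1).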

Bravo, oldman!!

It seems to be solved!!! No more pop-ups in the last 30 mins or so, and the virus scan gave negative results. Thank you so much!

Nonetheless, I'm attaching the ComboFix log for your review.

Warmest regards

Hi Lazarus78,

Certainly looks like we may have got it.

Before we clean up the tools and send you on your way, we'll check for a file that may or may not be missing and do a scan with another tool.

Please open OTL.

- Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, click the None button near the top (it may look greyed out).

- In the window under Custom Scans/Fixes copy and paste the following:

/md5start
regedit.*
/md5stop

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

Next

You have this program installed, Malwarebytes’ Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
- Click the Update tab.
- Click Check for Updates.
- If an update is found, it will download and install the latest version.
- The program will close to update and reopen.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with:
- OTL.txt
- MBAM log

Hi oldman,

I’ve done as you said, and MBAM reports everything is fine. Log is in Spanish, but I guess you won’t have problems with it.

I’m attaching OTL log. Thank you once more.

Regards.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.27.06

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
MGL :: MGL-PC [administrator]

27/06/2012 15:14:43
mbam-log-2012-06-27 (15-14-43).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 215027
Time elapsed: 4 minute(s), 18 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hi Lazarus78,

Just a little file replacement.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
- Click the Start button, click Run.
- In the Run box type notepad.
- Click OK.
- In Notepad, click "Format" and be certain that Word Wrap is not checked.

- Copy and paste all the text in the code box below into Notepad. Do not copy the word CODE.

Fcopy::
C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe | C:\Windows\regedit.exe
C:\Windows\winsxs\wow64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5a78515e29ea6f39\regedit.exe | C:\Windows\SysWOW64\regedit.exe


In the notepad
- Click File, Save as..., and set the Save in to your Desktop.
- In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
- Click Save.

Using your mouse left button, drag the new file CFScript.txt and drop it on the ComboFix.exe icon.

This will start ComboFix again. Close all browser windows first.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please post the combofix log. How is the computer?

Hi oldman,

Thank you again. I will follow your instructions in a few hours, now I have to go.

But I just have time to ask: what exactly do you want to know when you ask "how is my computer"?

Regards.

Hi Lazarus78,

what do you want to know exactly when you ask "how is my computer"?
How is it running, any problems?

Hi oldman,

Computer is working fine since you started helping me. Before I was having the services.exe problem, plus this other 0i763f66bz.exe file which I reported at the beginning, and I suffered a few blue-screen problems in a couple of days. Now everything is going smoothly and no further problems since you came into action. Thank you so much!

I ran ComboFix following your instructions and here is the report.

Just to add, for the moment when we start deleting all the programs installed, that I renamed ComboFix to jgh.exe (as you said). I don't know if this might be important, but I thought of mentioning it.

Regards, and once again, lots of thanks!

Hi Lazarus78,

Just to add, for the moment when we start deleting all the programs installed, that I renamed ComboFix as jgh.exe (as you said). I don't know if this might be important, but I thought on mentioning it.
The renaming won't affect the removal of the tool.

You have 2 AVs installed. This will not give you more protection, as the 2 will conflict. Please uninstall Trend Micro Internet Security.

Let’s make sure that the last fix did work.

Please open OTL.

- Make sure all other windows are closed and let it run uninterrupted.
- When the window appears, click the None button near the top (it may look greyed out).

- In the window under Custom Scans/Fixes copy and paste the following:

/md5start
regedit.*
/md5stop

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open a notepad window, OTL.Txt. Please post this log.

All right, oldman.

Just as you said, Trend Micro AV uninstalled, and OTL ran. Here is the log.

How does it look to you?

Hi Lazarus78,

How does it look to you?
Looks pretty good.

We’ll clean up the tools now.

From your desktop, please delete, if present:
- any notepads/logs that we created
- aswMBR.exe
- mbr.zip
- mbr.dat

Next

Click the Start button. Copy and paste the following line into the search box and hit Enter:

Combofix /uninstall

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates

Java

Your Java is out of date. Click your Start button > Control Panel
- Use the drop-down menu beside View by and change it to Small icons.
- Locate Java (32-bit) (looks like a coffee cup) in the list and click on it.
- When the Java console opens, click the Update tab.
- Click Update Now.
Remember to decline the Ask Toolbar offered during the update.

Next

Click your Start button > Control Panel
- Use the drop-down menu beside View by and change it to Small icons.
- Locate Java (32-bit) in the list and click on it.
- On the General tab, click Settings under Temporary Internet Files.
- On the Temporary Files Settings screen, click Delete Files.
- Check all boxes.
- Click OK.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on-demand antispyware program and a firewall. Those you have now, provided you are using a firewall. Windows 7 has a built-in firewall which is pretty good when set up. You can find some very good information HERE.

- A guide to understanding and using the hosts file.

Learn how your hosts file can protect you and how you can protect it.
Besides the hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.

Please note: Follow the instruction in the link named Important! Windows 7 requires special instructions.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab.
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change Download signed ActiveX controls to Prompt.
- Change Download unsigned ActiveX controls to Disable.
- Change Initialize and script ActiveX controls not marked as safe to Disable.
- Change Installation of desktop items to Prompt.
- Change Launching programs and files in an IFRAME to Prompt.
- Change Navigate sub-frames across different domains to Prompt.
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then OK to exit the Internet Properties page.

  • Make sure you have reset Windows Updates to your chosen option. Click your start button > Control Panel > System > Windows updates (lower left) > change settings

  • Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE

Please post back if you have any problems.

Take care

Hi there, oldman.

I am having problems uninstalling ComboFix: by doing as you say, I receive the message "cannot find jgh.exe". The file is on the desktop, though. How do I proceed now?

No problems with OTL and aswMBR, and Java was updated.

In your reply, please provide an address to send a cake, a pizza or some flowers (on demand) as a thanksgiving present :)

This help you are providing here is simply awesome.

Warmest regards,

Hi Lazarus78,

Since you removed OTL after you had problems removing combofix, the uninstall for combofix will not work without a new copy of combofix.

Delete combofix (jgh.exe) from your desktop and download a new copy from Link 1

Make sure it’s saved to your desktop. No need to rename.

Try running the command again from the search box.

Let me know how it goes.

Damn, it does not work.

I deleted the file, downloaded a new version of Combofix, but the command doesn’t work. It says it cannot find it. I tried again after rebooting the computer, but I get the same answer…

Sorry for messing things up…

Hi Lazarus78,

No problem.

Use this command instead (don't miss the " mark at the beginning):

"%userprofile%\desktop\combofix.exe" /uninstall