Services.exe infected with trojan

Hi, I am new to the avast forum and have an issue with services.exe,
in the last system scan with avast I found a virus, when trying to move it to quarantine it did not work, neither deleting or repair.
I then noticed it is located in the system32 folder and is vital for the PC to run. (It is a "Win32:patched-AKC [Trj]".)

I already read a few other posts about an infected services.exe, but there it says “This fix is only relevant for this system and no other, using on another computer may cause problems” so I thought it would be better if I post it in an own question.

I have no real problems because of the virus while running the PC, however a big issue is the boot: From one to another day it started to take very long to start up, like 6 minutes at least, today it was even 10 min! So I guess the issue could be connected to the virus.
And even if not, I don’t think it is a good idea to keep the Trojan virus on my computer^^

So does someone have an option how to “cure” the services.exe without having to format the whole hard drive?

So does someone have an option how to "cure" the services.exe without having to format the whole hard drive?

If you read the other posts then I guess you also did see the logs you need to attach for an inside check.

AdwCleaner / Malwarebytes / OTL / aswMBR
Attach … not copy and paste.
http://forum.avast.com/index.php?topic=53253.0

Ok here are the logs from AdwCleaner / Malwarebytes / OTL, but aswMBR always has a problem with avast! Anti-Rootkit (even though I deactivated avast).
I guess I’ll try to run it in safe mode now.

Wow there’s even a problem with avast Anti-Rootkit when I run it in safemode :o
Well I saved a log shortly before it crashed.

Edit: I read in another topic that it would run if AV Scan is set to “none”, so with these settings it runs without crash, but does not find any viruses; with normal settings it found the Trojan in services.exe, however here is the log of the second run.

Malware removers are notified. It may take hours before one arrives, so be patient.

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-2569829827-3530333325-4195363794-1002\..\Toolbar\WebBrowser: (no name) - {64EAD72B-FFD4-4E01-AA3A-4C71665D73E4} - No CLSID value found.

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

:Files
C:\Windows\Installer\{7a105c2f-0a77-7d03-18fc-b9ba0dc339af}
C:\Users\Dima\AppData\Local\{7a105c2f-0a77-7d03-18fc-b9ba0dc339af}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

FINALLY

Run Farbar Service Scanner

https://dl.dropbox.com/u/73555776/FSS.GIF

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

Ok did everything.
So the first attachment is the log OTL created after reboot and the second is the log after Quick Scan with OTL.
Next are of course the log of ComboFix and FSS.

And the computer is running normally, I don’t notice any changes, but it booted normally and did not take as long as before, I hope this will stay and not change.

Edit: Actually there is a change, when I try to play the game Guild Wars 2 I get crazy graphical bugs all over the screen, even when I set to minimal settings :o

On completion of this could you let me know of any problems … So the graphics are pixelated?

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache]
"DisplayName"="@%SystemRoot%\\System32\\dnsapi.dll,-101"
"Group"="TDI"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\
  00,69,00,63,00,65,00,00,00
"Description"="@%SystemRoot%\\System32\\dnsapi.dll,-102"
"ObjectName"="NT AUTHORITY\\NetworkService"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):54,00,64,00,78,00,00,00,6e,00,73,00,69,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,68,00,61,00,6e,00,67,00,65,00,4e,\
  00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,00,6c,\
  00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,\
  65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  64,00,6e,00,73,00,72,00,73,00,6c,00,76,00,72,00,2e,00,64,00,6c,00,6c,00,00,\
  00
"ServiceDllUnloadOnStop"=dword:00000001
"extension"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
  00,6e,00,73,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Parameters\DnsCache]
"ShutdownOnIdle"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\Security]
"Security"=hex:01,00,14,80,f8,00,00,00,04,01,00,00,14,00,00,00,30,00,00,00,02,\
  00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
  00,00,02,00,c8,00,08,00,00,00,00,02,18,00,9d,01,02,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,21,02,00,00,00,02,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,02,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,00,00,00,00,02,\
  14,00,8d,00,02,00,01,01,00,00,00,00,00,05,14,00,00,00,00,02,14,00,8d,00,02,\
  00,01,01,00,00,00,00,00,05,13,00,00,00,00,02,18,00,cd,00,02,00,01,02,00,00,\
  00,00,00,05,20,00,00,00,2c,02,00,00,00,02,28,00,cd,01,02,00,01,06,00,00,00,\
  00,00,05,50,00,00,00,04,c9,44,af,94,d9,d3,e5,2b,e1,b7,1c,17,84,87,13,6e,1a,\
  fa,65,01,01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\TriggerInfo]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dnscache\TriggerInfo\0]
"Type"=dword:00000004
"Action"=dword:00000001
"GUID"=hex:07,9e,56,b7,21,84,e0,4e,ad,10,86,91,5a,fd,ad,09
"Data0"=hex:35,00,33,00,35,00,35,00,00,00,55,00,44,00,50,00,00,00,00,00
"DataType0"=dword:00000002

:Files
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Well it doesn’t look like it changed anything :-
In the game it is laggy and there appear strange lines and rectangles on the ground and on the sky.
I thought it could be a problem with the graphics card drivers and reinstalled them, but it did not change anything.

Maybe cleaning the registry with CCleaner could be helpful? The scan shows a lot of issues there (I attached a textfile of the scan result).

Is this an online game? As it may be the download speed.

The reg cleaning will not help at all

Yes it is, but that cannot be, because before I did that fix and got rid of the virus it ran perfectly, but something has changed :confused:
I did not change anything, it must have been caused by the tools I used.

Please try to figure out what’s wrong, this is not just a little problem, I have crazy graphical issues there :confused:

This is all that the tools did… OTL initially removed the ZeroAccess folders:

C:\Windows\Installer\{7a105c2f-0a77-7d03-18fc-b9ba0dc339af}
C:\Users\Dima\AppData\Local\{7a105c2f-0a77-7d03-18fc-b9ba0dc339af}

ComboFix removed the remnants and replaced the infected file:

c:\users\Dima\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\windows\SysWow64\FlashPlayerInstaller.exe
.
Infizierte Kopie von c:\windows\system32\Services.exe wurde gefunden und desinfiziert
Kopie von - c:\windows\winsxs\amd64_microsoft-windows-s…s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe wurde wiederhergestellt
.

And I then reset the DNS service by removing the bad ServiceDll path and replacing it with a good one:

Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache: “%SystemRoot%\System32\pouaybvss.dll”.

At no stage were the graphics or game folders interfered with
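Added example (not from this thread, nor from OTL, ComboFix or FSS): a small Python decoder for the hex(2) (REG_EXPAND_SZ) and hex(7) (REG_MULTI_SZ) values in the :Reg block of the Dnscache fix above. It shows in plain text what that fix writes back (ImagePath, ServiceDll, DependOnService) and checks the ServiceDll against the stock dnsrslvr.dll path, which the FSS log showed had been swapped for a random-named DLL. The hex strings are copied from the fix; the expected DLL path is an assumption of this check.

```python
"""Decode .reg-style hex values from the Dnscache fix and verify the ServiceDll.
Added example, not part of the thread. Hex strings below are copied from the fix."""
import re

# Copied from the :Reg block of the Dnscache fix, continuation lines kept as in a .reg file.
IMAGE_PATH_HEX = (
    "hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\\\n"
    "  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\\\n"
    "  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\\\n"
    "  6b,00,20,00,4e,00,65,00,74,00,77,00,6f,00,72,00,6b,00,53,00,65,00,72,00,76,\\\n"
    "  00,69,00,63,00,65,00,00,00"
)
SERVICE_DLL_HEX = (
    "hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\\\n"
    "  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\\\n"
    "  64,00,6e,00,73,00,72,00,73,00,6c,00,76,00,72,00,2e,00,64,00,6c,00,6c,00,00,\\\n"
    "  00"
)
DEPEND_HEX = "hex(7):54,00,64,00,78,00,00,00,6e,00,73,00,69,00,00,00,00,00"

# Assumption of this check: the DLL the Windows DNS Client service normally loads.
EXPECTED_SERVICE_DLL = r"%SystemRoot%\System32\dnsrslvr.dll"


def decode_reg_hex(value: str) -> bytes:
    """Turn a .reg 'hex(N):aa,bb,...' value into raw bytes.
    Line-continuation backslashes and whitespace are dropped first."""
    flat = re.sub(r"[\s\\]", "", value)
    m = re.fullmatch(r"hex(?:\(\d+\))?:(.*)", flat)
    if not m:
        raise ValueError("not a .reg hex value")
    return bytes(int(b, 16) for b in m.group(1).split(",") if b)


def decode_expand_sz(value: str) -> str:
    """hex(2) = REG_EXPAND_SZ: one UTF-16LE string with a trailing NUL."""
    return decode_reg_hex(value).decode("utf-16-le").rstrip("\x00")


def decode_multi_sz(value: str) -> list[str]:
    """hex(7) = REG_MULTI_SZ: NUL-separated UTF-16LE strings, double-NUL terminated."""
    return [s for s in decode_reg_hex(value).decode("utf-16-le").split("\x00") if s]


def service_dll_is_expected(path: str) -> bool:
    """True when a ServiceDll path matches the stock dnsrslvr.dll path (case-insensitive)."""
    return path.lower() == EXPECTED_SERVICE_DLL.lower()


if __name__ == "__main__":
    print("ImagePath      :", decode_expand_sz(IMAGE_PATH_HEX))
    print("ServiceDll     :", decode_expand_sz(SERVICE_DLL_HEX))
    print("DependOnService:", decode_multi_sz(DEPEND_HEX))
    # The path reported by FSS before the fix is not the stock DLL.
    print("FSS value legit:", service_dll_is_expected(r"%SystemRoot%\System32\pouaybvss.dll"))
```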

Ok maybe I can figure out what’s wrong somehow :-\

But thank you, at least I got rid of the virus^^

Is there any way to re-install the main programme without losing data? As the programme may have been corrupted by the malware.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands
[resethosts]
[emptytemp]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix

[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall (Notice the space between the “x” and “/”) then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Go to control panel
[*]Select folder options (Appearance > Folder options in category view)
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:

[*]Go to this site and click Do I have Java
[*]It will check your current version and then offer to update to the latest version

SPRING CLEAN

To manually create a new Restore Point

[*]Go to Control Panel and select System
[*]Select System
[*]On the left select System Protection and accept the warning if you get one
[*]Select System Protection Tab
[*]Select Create at the bottom
[*]Type in a name i.e. Clean
[*]Select Create

Now we can purge the infected ones

[*]Go to Start > All programs > Accessories > System Tools
[*]Right click Disk Cleanup and select Run as administrator
[*]Select Your main drive and accept the warning if you get one
[*]For a few moments the system will make some calculations
[*]Select the More Options tab
[*]In the System Restore and Shadow Backups select Clean up
[*]Select Delete on the pop up
[*]Select OK
[*]Select Delete

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif

Malwarebytes. Update and run weekly to keep your system clean

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit

[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?

Keep safe :wave:

Ok I did everything, but I can’t create a restore point, it only allows me to create one on CD/DVD, not on the hard drive.
I made one such “restore point” when my laptop was new, I saved everything on a couple of CDs… I don’t have an external hard drive :-[
And I have only one hard drive on this laptop, one with 500GB, so I can’t use “Hard drive D” or something^^

And I don’t know why, but my Computer only boots fast if it is a restart, if it was shut down before and then started normally it takes looooong to start :o

Maybe I actually should format the hard drive and use those CDs to restore the system, because it seems I have profound issues here ;D

That would be an option … As long as it was before you became infected

Ok I’ll see, maybe it will get better somehow ;D

But anyway, thank you for your time and help!

Hey just another quick question: This Backup I made, I guess it is just a restore point, so I couldn’t really format the hard drive, could I?
Because I don’t have a CD supplied with the laptop, from which I could just install Win7.
So I have to restore from these CDs, I created this Backup with Acer Backup Manager.
But will this be enough to get rid of all problems, or will I need to format in the end?

Edit: Ah Acer eRecovery Management seems to offer the option to clean the whole volume, so I can format I guess^^

But still, how could I actually restore from CDs? The windows save and restore doesn’t seem to offer the option to restore from CDs.

This is from the Acer site

How to Recover your system from within Windows

Click on Start, then All Programs, then Acer Empowering Technology.
Click on Acer eRecovery Management.
If prompted to create a password, create the password and hint
Do not lose this password.
If asked for a password, enter the previously set password.
When the Acer eRecovery Management loads click the button labeled Restore.
Click on Restore system to factory default.
The unit will restart and start the restore.
It should state “Please wait a moment…” with the Acer logo in the upper left hand corner.
At the eRecovery Management menu it will ask you how to restore.
Click on the restore option you would like to use.