Windows\system32\services.exe Trojan problem

Hi All

I am hoping you can help - I am very much out of my depth with this.

Avast has identified that my computer has a Win32:Patched-AKC trojan in the windows\system32\services.exe file and it cannot be deleted or moved; the messages say the file is either in use or read only.

I had been using Microsoft Security Essentials but at some point this has been turned off. This is not a computer I use very often, but it is used by my family, so I don’t know when this occurred and therefore when the computer may have gotten infected.

Reading the forum there seem to be similar issues which have been sorted, so I am hoping someone can help.

I ran Malwarebytes and whilst it found something, it was not the services.exe file but something else; it did seem to get rid of it, although it does still show up on the ASW test I ran.

I have attached the text files from the OTL and ASW tests I have run. I have been away for two weeks and as I do not know when the computer would have gotten infected, it may be that I need to run the OTL test again with a longer period than just the previous 30 days?

Thank you in advance.

Jon

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF

:OTL
[2012/08/17 00:45:02 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.FCDB711B7B907334
[2012/08/17 00:41:06 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.B351120E3592A4CD
[2012/08/17 00:37:26 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.EC237657652789C8
[2012/08/17 00:33:22 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.C24FB750B79A2F0D
[2012/08/17 00:08:42 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.AD39BC5FF9D9EA1E
[2012/08/17 00:04:00 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.32993739A9198561
[2012/08/16 23:54:04 | 000,328,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.AA04D956934546AF
[2012/08/17 00:45:02 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.FCDB711B7B907334
[2012/08/17 00:41:06 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.B351120E3592A4CD
[2012/08/17 00:37:26 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.EC237657652789C8
[2012/08/17 00:33:22 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.C24FB750B79A2F0D
[2012/08/17 00:08:42 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.AD39BC5FF9D9EA1E
[2012/08/17 00:04:00 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.32993739A9198561
[2012/08/16 23:54:04 | 000,328,704 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysNative\services.exe.AA04D956934546AF

:Reg
[HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32] 
""="%systemroot%\system32\wbem\wbemess.dll" 
[-HKCU\Software\Classes\clsid\{12d0253a-7c96-815c-11e0-3034bbd97cc0}] 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

:Files
C:\Windows\Installer\{a8e8875b-691d-c1c4-9f12-bd761c46d476}
C:\Users\Jon\AppData\Local\{a8e8875b-691d-c1c4-9f12-bd761c46d476}
ipconfig /flushdns /c
netsh int ip reset c:\resetlog.txt  /c
ipconfig /release /c
ipconfig /renew /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

Thanks Essexboy
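A read-only check to go alongside the fix above, added here as an example. It is my code, not Essexboy’s and not part of OTL. It decodes the hex(2)/hex(7) strings from the :Reg section of the fix (ImagePath, ServiceDll, DependOnService) and compares them with what is currently in the BITS service key, then hashes services.exe and every services.exe.<suffix> copy in System32 so the copies can be compared with the live binary. It assumes an elevated 64-bit PowerShell (version 3 or later) on the affected machine: OTL is a 32-bit program, which is why its log writes SysNative for the real 64-bit System32; from a 64-bit shell the same files are simply under System32. One caveat for Windows 7: system binaries are catalog-signed and Get-AuthenticodeSignature does not read the catalog on that version, so a clean services.exe shows NotSigned there; the hash comparison and `sfc /verifyonly` are the checks to rely on.

```powershell
# Added example, not part of the thread or of OTL. Read-only: reports, changes nothing.
# Assumes an elevated 64-bit PowerShell 3+ on the affected machine.

# A .reg file stores REG_EXPAND_SZ as hex(2) and REG_MULTI_SZ as hex(7): UTF-16LE
# bytes, NUL-separated for multi-sz. Decode the comma-separated byte list to strings.
function ConvertFrom-RegHex {
    param([Parameter(Mandatory)][string]$Hex)
    $bytes = [byte[]](($Hex -split '[,\s\\]+' | Where-Object { $_ }) |
                      ForEach-Object { [Convert]::ToByte($_, 16) })
    $text  = [System.Text.Encoding]::Unicode.GetString($bytes)
    return @($text -split "`0" | Where-Object { $_ })
}

# Hex copied from the :Reg section of the fix (continuation backslashes removed).
$expected = @{
    ImagePath       = (ConvertFrom-RegHex '25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00') -join ''
    ServiceDll      = (ConvertFrom-RegHex '25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00') -join ''
    DependOnService = @(ConvertFrom-RegHex '52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00')
}
# decodes to "%SystemRoot%\System32\svchost.exe -k netsvcs", "%SystemRoot%\System32\qmgr.dll"
# and the two dependencies RpcSs and EventSystem

# Read REG_EXPAND_SZ without expanding %SystemRoot%, so it compares with the .reg text.
function Get-RawRegValue {
    param([string]$Key, [string]$Name)
    $k = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if (-not $k) { return $null }   # whole key gone: exactly what the :Reg section re-creates
    return $k.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
}

$bitsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\BITS'
$checks = @(
    @{ Name = 'ImagePath';       Live = (Get-RawRegValue $bitsKey 'ImagePath');                   Want = $expected.ImagePath }
    @{ Name = 'ServiceDll';      Live = (Get-RawRegValue "$bitsKey\Parameters" 'ServiceDll');     Want = $expected.ServiceDll }
    @{ Name = 'DependOnService'; Live = ((Get-RawRegValue $bitsKey 'DependOnService') -join ','); Want = ($expected.DependOnService -join ',') }
)
foreach ($c in $checks) {
    $state = if ($c.Live -and $c.Live -eq $c.Want) { 'OK' } else { 'MISMATCH' }
    '{0,-16} {1,-8} live={2}' -f $c.Name, $state, $c.Live
}

# Hash and signature status for services.exe and every services.exe.<suffix> copy
# that the :OTL section of the fix deletes.
function Get-FileIdentity {
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try     { $sha = [BitConverter]::ToString([System.Security.Cryptography.SHA256]::Create().ComputeHash($fs)) -replace '-' }
    finally { $fs.Close() }
    [pscustomobject]@{
        Name        = Split-Path $Path -Leaf
        Size        = (Get-Item $Path).Length
        FileVersion = (Get-Item $Path).VersionInfo.FileVersion
        # Windows 7: catalog-signed system files show NotSigned here (cmdlet does not
        # read the catalog on that version); use the hashes and "sfc /verifyonly" there.
        Signature   = (Get-AuthenticodeSignature -FilePath $Path).Status
        SHA256      = $sha
    }
}

$sys32 = Join-Path $env:SystemRoot 'System32'
$files = @(Join-Path $sys32 'services.exe') +
         @(Get-ChildItem -Path $sys32 |
           Where-Object { -not $_.PSIsContainer -and $_.Name -match '^services\.exe\.' } |
           ForEach-Object { $_.FullName })
$ids = foreach ($f in $files) { Get-FileIdentity $f }
$ids | Format-Table Name, Size, FileVersion, Signature, SHA256 -AutoSize

# One distinct hash means the copies are byte-identical to the live binary; a live
# services.exe whose hash differs from every copy is the file to look at.
$distinct = @($ids | Select-Object -ExpandProperty SHA256 | Sort-Object -Unique)
'{0} file(s), {1} distinct SHA256 value(s)' -f $ids.Count, $distinct.Count
```

Run it before the OTL fix to record what the copies and the live file look like, and again after the reboot: the three registry lines should all read OK and the services.exe.<suffix> entries should be gone.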

I fear I have made a worse than newbie mistake.

I only copied the bit of text displayed in the window rather than scrolling down and copying all of it.

I thought all was good as Avast detected and deleted the trojan. Unfortunately when I restarted the computer it flashed up a blue screen with crash dump info and then went to restart and needs to do a startup repair. The difficulty is there is no restore info it can find; it displays an error message, startup repair doesn’t seem to work, and it can’t find the operating system.

Is there any advice you may be able to give? I don’t know what file to look for when it is looking for the driver setup. All I know about my PC setup is that it has an SSD to speed up the bootup, so some of the start up info may be on that?

Sorry about this and I know it is now heading off topic, but any help gratefully received.

Thanks

Jon

Not a problem, I have a tool for most problems

Download the following three programmes to your desktop :

  1. WiNTBootIc
  2. Windows 7 64bit RC
  3. Farbar Recovery Scan Tool x64

Extract wintoboot to your desktop
Insert a USB drive of at least 1GB
Run Wintoboot

http://dl.dropbox.com/u/73555776/wintoboot.JPG

Drag and drop the Windows 7 ISO to the programme in the space indicated
Tick the Format box and accept the warnings
Press Do It

You will see it progressing

http://dl.dropbox.com/u/73555776/usb%20progress.JPG

It will let you know when it is done
Then copy FRST to the same USB

http://dl.dropbox.com/u/73555776/frstwintoboot.JPG

Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here

When you reboot you will see this although yours will say windows 7.
Click repair my computer

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7275.jpg

Select your operating system

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277202.jpg

Select Command prompt

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

At the command prompt type the following :

notepad and press Enter.
The notepad opens. Under File menu select Open.
Select “Computer” and find your flash drive letter and close the notepad.
In the command window type e:\frst64.exe and press Enter
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Thanks Essexboy

I ran the bootup but on the second screen it still did not let me have an option to select an operating system, although it did think about it. The computer still gets through to the same screen as you show with the command prompt option even if I do not use the USB bootup, but still does not show an operating system.

I ran the FRST via the command prompt and have attached the log. I will try again tonight to see if I can get it to at least show the operating system if it can and run the FRST again.

Thanks for your help, I will certainly owe you a few beers for this.

Jon

OK the registry hive is corrupted… We will now try a backup restore of them

  1. Type the following commands into the DOS command prompt. Each one of these statements copies the original registry files to the current registry directory.

     copy C:\windows\system32\config\regback\system c:\windows\system32\config\system

     copy C:\windows\system32\config\regback\software c:\windows\system32\config\software

     copy C:\windows\system32\config\regback\security c:\windows\system32\config\security

     copy C:\windows\system32\config\regback\sam c:\windows\system32\config\sam

     copy C:\windows\system32\config\regback\default c:\windows\system32\config\default

  2. Press the “Y” key after each copied file. This confirms that you want to overwrite the existing registry files.

Then reboot to normal windows
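A more defensive form of the RegBack restore above, added here as an example. It is my code, not Essexboy’s. It does two things the plain copy commands do not: it finds the offline Windows volume instead of assuming C: (in the recovery environment X: is the boot RAM disk, and the installed Windows can sit on another letter), and it refuses to overwrite anything if a RegBack hive is missing or zero bytes, saving the current hives first so the step can be undone. It assumes a recovery environment that includes PowerShell (the one in Windows 8 and later, or a WinPE built with the PowerShell package); the Windows 7 recovery console only has cmd.exe, where the copy commands above are the right form. Also worth knowing before typing either version: a “data error (cyclic redundancy check)” on copy is the disk failing to read a sector, which no registry restore can fix, so that volume needs attention first.

```powershell
# Added example, not part of the thread. Run from a recovery environment that has
# PowerShell; assumes X: is the WinRE RAM disk and the installed Windows is elsewhere.
$hives = 'SYSTEM', 'SOFTWARE', 'SECURITY', 'SAM', 'DEFAULT'

# Find every volume (other than X:) that holds a Windows install: the letter can be
# C:, D:, ... depending on which disks the firmware exposed, so do not assume C:.
function Find-OfflineWindows {
    Get-PSDrive -PSProvider FileSystem |
        Where-Object { $_.Name -ne 'X' -and (Test-Path (Join-Path $_.Root 'Windows\System32\config\SYSTEM')) } |
        ForEach-Object { Join-Path $_.Root 'Windows' }
}

# A RegBack folder can exist while its hives are 0 bytes; copying those over the live
# hives makes an unbootable system worse. Returns a reason string, or $null if usable.
function Test-RegBack {
    param([string]$WinDir)
    $back = Join-Path $WinDir 'System32\config\RegBack'
    foreach ($h in $hives) {
        $f = Join-Path $back $h
        if (-not (Test-Path $f))        { return "missing: $f" }
        if ((Get-Item $f).Length -eq 0) { return "empty (0 bytes): $f" }
    }
    return $null
}

# Overwrite the live hives from RegBack, but only after Test-RegBack passes and the
# current hives (however damaged) have been saved so the step can be undone.
function Restore-RegBack {
    param([string]$WinDir)
    $problem = Test-RegBack $WinDir
    if ($problem) { throw "RegBack not usable ($problem); live hives left untouched." }
    $cfg  = Join-Path $WinDir 'System32\config'
    $save = Join-Path $cfg ('config.before-regback-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $save | Out-Null
    foreach ($h in $hives) {
        $live = Join-Path $cfg $h
        if (Test-Path $live) { Copy-Item -Path $live -Destination (Join-Path $save $h) -Force }
        Copy-Item -Path (Join-Path $cfg "RegBack\$h") -Destination $live -Force
        '{0,-9} restored, {1,10} bytes (old copy in {2})' -f $h, (Get-Item $live).Length, $save
    }
}

# Report first; the overwrite is a separate, deliberate call.
$candidates = @(Find-OfflineWindows)
"Windows installs found: $($candidates -join ', ')"
if ($candidates.Count -eq 1) {
    $problem = Test-RegBack $candidates[0]
    if ($problem) { "RegBack cannot be used: $problem" }
    else          { "RegBack looks usable; run:  Restore-RegBack '$($candidates[0])'" }
}
```

If the report lists no Windows install at all, the volume is not being read (drive letter, controller mode or a failing disk), and that is the thing to fix before any hive is touched.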

Thanks Essexboy, but my nightmare continues. I have changed the c:\ to the x:\ as it was saying that there was a ‘data error (cyclic redundancy check)’ when trying to use the c:\ and I know the directory structure is in the x:\ drive. However, when typing in the command it comes up with ‘The system cannot find the file specified’. I have managed to get into the regback folder so know it exists, but cannot confirm if it contains anything.

Is there anything more you can do?

Thanks

Jon

Ah X will be the recovery console drive

Can you change to the C drive by doing the following at the X prompt: C:

When you try to access c: you get the same data error cyclic redundancy message.

My understanding of the way the computer was set up was that it had a separate SSD in it to allow it to boot up quicker, so I think x: is the right drive for the operating system.

Looking at the description in the open file window in notepad, it describes c: as the local disk and x: has boot written next to it, although it shows it only contains 31.1MB. It contains the Program Files, Sources, Users, and Windows folders.

Trying to access the c: drive via notepad does not work and it shows no data regarding free or used space on the drive but it does for x as well as the usb drive. The computer hangs for some time when you try double clicking on the c: drive before you have to click cancel on the open file window.

Thanks for your continued help.

Jon

OK, CRC is an error checking system, possibly on the SSD

From the USB recovery console could you try start up repair please

I have just realised what was being referred to as c: is actually the external drive I had connected to the computer. When you disconnect this it only shows the SSD. Ran the FRST scan and looking at the text file it appears to show similar info as before with regards to the missing services, svchost etc. and saying the software hive is missing.

When you say run the repair from the usb recovery console do you mean the fix option within the FRST program?

Thank you

Jon

Select startup repair from here

http://i1224.photobucket.com/albums/ee362/Essexboy3/RepairVista_7277.jpg

Tried the startup repair but it is no good; it thinks for a little while and then says startup repair cannot repair this computer automatically.

As part of the start up it goes into the windows error recovery where I can select the windows startup repair.

To get the screen you have showing in the screen shot, I need to select ‘restore your computer using a system image that you created earlier’; when clicking next I get an error ‘an internal error occurred’ with the following message: the system cannot find the file specified (0x80070002). I think this error number I had previously when the computer was infected and I tried to uninstall Microsoft Security Essentials, and it used to appear every time I turned on the computer.

It seems that the computer cannot see the c: drive for whatever reason even though it appears to be there in the Bios?

Is there still a light at the end of this tunnel?

Thanks

Jon

I think part of the problem is it is an SSD drive … I am trying to read up on that now as I have never had one before. So I will need to see how windows utilises it, or whether special drivers are needed for it to be seen

Thanks Essexboy for your continued help on this.

The x: drive it can see is the SSD drive and it is the main western digital hard disk it is not seeing for some reason. It comes up in the list of hardware, but whatever links the boot up off the SSD to the main program on the actual standard hard disk seems to be an issue. As mentioned trying even to access what is the c: drive via the DOS prompt does not seem to work.

It won’t help with the problem, but my understanding of the SSD was that there is a feature within Windows 7 that allows it to boot off the SSD to enable it to boot up faster. Mildly ironic now… just wish I had copied all of the code.

Thanks

Jon

Thanks, you have given me an area to search. So to clarify, all the boot data is on the SSD?

The disk label is boot and it has the windows directory and the system32 files on it, don’t know what the actual files are to boot it, if you let me know I can look. Is there any way to check that the main hard disk is working?

Thanks

jon

Could you burn a CD as I would like to check the structure of the disc

[*]Download OTLPENet.exe to your desktop
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPENet.exe and this will then open imgburn to burn the file to CD
[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)
[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

Evening Essexboy

There is definite progress and I think we are back where we started, but I wanted to run the logs past you again to see if I am alright to use the original text you created for me.

I ran the Reatogo and it could not see my C: drive. However, when restarting there is a configure option for the SSD and main hard disk and I removed the sync setup for these, and in the BIOS boot setup there was a Realtek Boot Agent; after this the Reatogo could see the main hard disk, so I restarted again and this time the Startup repair seemed to work and has got me back into Windows. I do not understand what has helped get me back into Windows and it seems to be a restore point just before the weekend, as the OTL and MBAM programs downloaded on the Sunday could not be found although the text logs were still on the desktop.

Anyway I have run the programs again and attached copies of the log files again, which may well be the same. If you could have a look and let me know it would be greatly appreciated.

Thanks

Jon

OK, we are back at square one but this time I will take a different approach as I will need to be careful of the SSD drive. So this will be one step at a time.

I have just had an unbootable system at G2G where the initial fix was to system restore, that failed. But for some reason on the next boot startup repair started on that one and it rebooted. It must be something about windows 7 I think

[*] Download RogueKiller and save it on your desktop.
[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRScan.png

[*]Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Click on the Delete button.

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRDelete.png

[*]The report has been created on the desktop.

[*]Next click on the ShortcutsFix

http://i1224.photobucket.com/albums/ee362/Essexboy3/RogueKiller/RGKRShortcutsFix.png

[*]The report has been created on the desktop.

Please post: All RKreport.txt text files located on your desktop.