
Win VISTA services.exe infected by Trojan Horse Patched_C.LYT


This topic is locked
15 replies to this topic

#1 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 11 July 2012 - 08:56 PM

Redirects IE browser, shuts down firewall and MS Security Essentials in control panel Windows Security Center, prevents reactivation of firewall and security features, will continually reboot computer (in one minute) if Security Essentials is re-downloaded and installed (quickly keep un-installing Security Essentials between reboots to get out of this loop), evidently made restore points disappear, causes error message and system lockup when trying to use computer repair option during boot up (the F8 option), and seems to anticipate and defeat diverse attempts to eliminate. AVG and other anti-virus software readily finds this Trojan Horse but none will eliminate it because of its infection of Windows system files. I even renamed services.exe to services.bad but services.exe will continue to show up, with infection, of course. Now a second trojan horse is being shown by AVG - maybe a mutation of the first?? "Trojan Horse Generic28.AUQH" infecting Desktop.ini. I eventually had to boot from "Operating System Disc" CD just to get Windows to open.

I have followed emisoft instructions to create the attached log files.

HELLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLP !

#2 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 11 July 2012 - 09:05 PM

Download Hitman Pro to your Desktop.

Press the CTRL key and double-click on Hitman Pro. Hitman Pro will shut down all unnecessary processes when run this way.

If Hitman Pro wants to update, let it.

If Hitman Pro wants to download signatures, let it.

If Hitman Pro wants to remove something, let it.

Attach any logs produced by Hitman Pro.
Kevin Zoll [Malware Removal Support]
Emsisoft Team - www.emsisoft.com

I am online Monday - Friday each week from 1900-2100 Central European Time/1300-1500 Eastern Time (US).
 
If you are seeking Malware Removal support keep it in the forums.  It is not permissible to contact support staff by Private Message (PM), IM (Skype, MSN, AOL, Yahoo, etc.) or Email.

Purchase Emsisoft Anti-Malware and Online Armor Firewall

#3 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 11 July 2012 - 09:36 PM

I ran Hitman, grabbed the Hitman log, and rebooted. The log is attached.

#4 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 11 July 2012 - 10:03 PM

Download ComboFix from one of these locations:

Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download it to your Desktop.

Link 1
Link 2

* IMPORTANT !!! Save ComboFix to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
    See HERE for help
  • Double click on Combo-Fix & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[image]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, ComboFix will produce a log.

Note:
1. Do not mouse-click ComboFix's window while it's running. That may cause it to stall!
2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.

Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
  • ComboFix (C:\combofix.txt)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!

#5 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 11 July 2012 - 11:04 PM

Security Essentials is working again! A complete scan by AVG reveals NO infections.

The ComboFix log is attached.

#6 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 12:33 AM

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. NOT supported for use in 9x or ME

Upgrading Java:
  • Download the latest version of JRE 7 Update 5.
  • Click the "Download JRE" button to the right.
  • Accept the license agreement.
  • Click on the download link for your system and save it to your desktop.
    Windows x86 Offline (jre-7u5-windows-i586.exe)
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista/7 users, right click on the JRE download and select "Run as an Administrator.")
The installed version of Adobe Reader on this computer is outdated. Install the latest version of Adobe Reader available from Adobe.

Using Add or Remove Programs in the Control Panel, uninstall the following:
Java(TM) SE Runtime Environment 6 Update 1

Download Windows Repair by Tweaking.com to your desktop. Use the direct download link for the Portable version of Windows Repair by Tweaking.com

  • Double-click tweaking.com_windows_repair_aio.zip and extract the Tweaking.com - Windows Repair folder to your desktop.
  • Now open this folder and double-click Repair_Windows.exe.
  • Click the Start Repairs tab on the far right.
  • Click the Start button (bottom right)
    Note: When asked if you would like to create a restore point, it is recommended, just in case something does not go as planned.
  • Click Unselect All
  • Put a checkmark in the following items:
    • Reset Registry Permissions
    • Reset File Permissions
    • Remove Policies Set By Infections
    • Repair Winsock & DNS Cache
    • Repair Proxy Settings
    Note: Leave everything else unchecked
  • Put a checkmark in Restart System When Finished
  • Now click the Start button (bottom right)

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
    :OTL
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No CLSID value found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\restrictions present
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM File not found
    O8 - Extra context menu item: AMV convert tool grab multimedia file - C:\Program Files\MP3 Player Utilities 5.02\AMVConverter\grab.html File not found
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 File not found
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html File not found
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM File not found
    O32 - AutoRun File - [2004/04/30 20:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
    O32 - AutoRun File - [2006/11/02 16:00:00 | 000,000,043 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
    [2012/06/24 04:12:59 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
    [9 C:\Users\rbm\Documents\*.tmp files -> C:\Users\rbm\Documents\*.tmp -> ]
    [2012/06/24 06:18:36 | 000,000,195 | ---- | C] () -- C:\0.bak 
    @Alternate Data Stream - 298 bytes -> C:\Windows\System32\drivers\xadogswj.sys:changelist
    
    :Files
    c:\program files\2pres.dll
    
    :Commands
    [Purity]
    [EmptyTemp]
    [EmptyFlash]
    [EmptyJava]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Attach the new log produced by OTL (C:\_OTL). (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS)
Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
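The fix above is written in OTL's own line format: each entry under :OTL is a log line OTL will reverse (O3 toolbar entries, O6/O7 Internet Explorer policy keys, O8 context-menu handlers, O32 autorun files, bare file/folder records and @Alternate Data Stream lines), :Files lists paths to delete, and :Commands holds housekeeping directives. As an added illustration that is not part of this thread or of OTL, the Python script below parses lines in that format and states why a malware-removal analyst would flag each one: orphaned registry references ("No CLSID value found", "File not found"), Internet Explorer restriction policies (the same kind of policy the Windows Repair step "Remove Policies Set By Infections" clears), autorun files on non-system volumes, a directory literally named %APPDATA% under System32, and an alternate data stream attached to a driver file. The sample lines are constructed from the fix script above; the regular expressions and flagging rules are this example's own heuristics, not OTL's.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample OTL fix lines, constructed from the fix script posted in this thread.
# Raw string so the Windows backslashes survive untouched.
SAMPLE_LINES = r"""
:OTL
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\restrictions present
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\control panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM File not found
O32 - AutoRun File - [2004/04/30 20:01:00 | 000,000,053 | -HS- | M] () - D:\Autorun.inf -- [ NTFS ]
[2012/06/24 04:12:59 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2012/06/24 06:18:36 | 000,000,195 | ---- | C] () -- C:\0.bak
@Alternate Data Stream - 298 bytes -> C:\Windows\System32\drivers\xadogswj.sys:changelist
:Files
c:\program files\2pres.dll
:Commands
[EmptyTemp]
[Reboot]
"""

# Heuristic patterns for the line shapes seen above (this example's own, not OTL's).
OTL_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
FILE_RECORD = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| ([\d,]+) \| ([-A-Z]{4}) \| ([CM])\]"
    r"\s*(?:\(\)\s*)?--\s*(.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - (\d+) bytes -> (.+?):([^\s:]+)$")
IE_POLICY = re.compile(r"Policies\\Microsoft\\Internet Explorer\\(restrictions|control panel)", re.I)
AUTORUN_PATH = re.compile(r"\)\s*-\s*([A-Za-z]:\\\S+)")


@dataclass
class Finding:
    section: str   # :OTL, :Files or :Commands
    tag: str       # O3, O6, ..., FILE, ADS, CMD, RAW
    reason: str    # why an analyst would flag the line
    line: str


def classify(line: str, section: str) -> Optional[Finding]:
    """Classify one OTL fix line; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    if section == ":Commands":
        return Finding(section, "CMD", "OTL housekeeping directive", line)
    if section == ":Files":
        return Finding(section, "FILE", "file explicitly slated for deletion", line)

    m = ADS_LINE.match(line)
    if m:
        size, host, stream = m.groups()
        reason = f"alternate data stream ':{stream}' ({size} bytes) attached to {host}"
        if host.lower().endswith(".sys"):
            reason += "; a stream on a driver file is atypical and worth examining"
        return Finding(section, "ADS", reason, line)

    m = FILE_RECORD.match(line)
    if m:
        attrs, path = m.group(3), m.group(5)
        reasons = []
        if "%" in path:
            reasons.append("unexpanded environment variable used as a literal path component")
        if "H" in attrs and "S" in attrs:
            reasons.append("hidden+system attributes set")
        return Finding(section, "FILE", "; ".join(reasons) or "file/folder record", line)

    m = OTL_LINE.match(line)
    if m:
        tag, body = m.groups()
        if tag == "O3" and "No CLSID value found" in body:
            reason = "toolbar entry whose CLSID has no registered class (orphaned)"
        elif tag in ("O6", "O7") and (p := IE_POLICY.search(body)):
            hive = "machine (HKLM)" if tag == "O6" else "user (HKCU)"
            reason = f"Internet Explorer '{p.group(1)}' policy key set in {hive} hive"
        elif tag == "O8" and "File not found" in body:
            reason = "context-menu handler pointing at a missing file (orphaned)"
        elif tag == "O32":
            ap = AUTORUN_PATH.search(body)
            reason = f"autorun file {ap.group(1) if ap else '?'} on a non-system volume"
        else:
            reason = f"OTL {tag} entry"
        return Finding(section, tag, reason, line)

    return Finding(section, "RAW", "unrecognised line; review manually", line)


def triage(text: str) -> List[Finding]:
    """Walk a fix script, tracking the current section header (:OTL, :Files, :Commands)."""
    findings, section = [], ":OTL"
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith(":"):
            section = stripped
            continue
        f = classify(stripped, section)
        if f is not None:
            findings.append(f)
    return findings


def count_by_tag(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.tag] = counts.get(f.tag, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.section:10} {f.tag:5} {f.reason}")
```

Feed it the :OTL/:Files/:Commands block from any OTL fix (or the corresponding lines of an OTL log) and it prints one explanatory line per entry; the "RAW" bucket catches shapes the patterns above do not know, such as the wildcard `[9 C:\Users\...\*.tmp files -> ...]` record in the original fix, so nothing is silently dropped.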

#7 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 12 July 2012 - 02:13 AM

Wow, the Tweaker sure went through a zillion gyrations! Yipes!! (But fun to watch). When finished, the dreaded message "Windows will shut down in less than a minute" showed up, but this time it was planned, not the result of an infection.

After reboot I keep getting this message, "Microsoft Security Client - Error has occurred in the program during initialization 0X80073b01" but it hasn't created any problems during this process.

Ran OTL after inserting copied text into code box.

OTL log attached.

#8 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 03:00 AM

The OTL fix did not run properly. When you copy & paste the fix to OTL, make sure it looks exactly like the one I posted.

Run the fix again.

#9 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 12 July 2012 - 04:04 AM

(BTW: Before running Tweaking.com - Windows Repair I updated Java and Adobe as instructed)

I copied and pasted LINE BY LINE the prescribed code to the inside of the code box in the Custom Scans/Fixes box located at the bottom of OTL.

I ran OTL. It ran a lot longer than it did with my improperly formatted copy of code.

The resulting OTL log is attached.

#10 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 06:29 PM

Let's take another look. Run a fresh scan with OTL, attach the new OTL log to your next reply.

#11 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 12 July 2012 - 08:11 PM

Ran OTL scan with Minimal Output and the following parameters enabled: LOP Check and Purity Check.

Log file from this scan attached.

#12 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 08:29 PM

Unless you are having problems, it is time to do the final steps.

Now to remove most of the tools that we have used in fixing your machine:
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.
Delete the following from your Desktop (If they exist)
CFscript.txt
TDSSKiller.exe
Anything else I had you use

Delete the following files: (If they exist)
C:\ComboFix.txt

Delete the following folders: (If they exist)
C:\ComboFix
C:\Qoobox

Empty the Recycle Bin

Download to your Desktop:
- CCleaner Portable
  • UnZip CCleaner Portable to a folder on your Desktop named CCleaner
Run CCleaner
  • Open the CCleaner Folder on your Desktop and double click CCleaner.exe (32-bit) or CCleaner64.exe (64-bit)
  • The following should be selected by default, if not, please select:
    [image]
  • Click [image] and choose [image]
  • Uncheck [image]
  • Then go back to [image] and click [image] to run it.
  • Exit CCleaner.

Turn off System Restore to flush all your restore points, then turn System Restore back on. See How To Enable and Disable System Restore.

You can delete and uninstall any programs I had you download, that you do not wish to keep on the system.

Run Windows Update and update your Windows Operating System.

Run the Secunia Online Software Inspector; this will inspect your system for software that is out-of-date and in need of updating. Update any program/application detected as being outdated.

Articles to read:
How to Protect Your Computer From Malware
How to keep you and your Windows PC happy
Web, email, chat, password and kids safety
10 Sources of Malware Infections

That should take care of everything.

Safe Surfing!

#13 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 12 July 2012 - 08:57 PM

Ran OTC and rebooted.

Still getting this msg after reboot: Microsoft Security Client "An error has occurred in the program during initialization. If this problem continues, please contact your system administrator." Error code: 0x80073b01

I examined the security features in Control Panel and they all seem to be working fine.

How shall I proceed?

#14 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 09:08 PM

Uninstall MSE, reboot, install MSE again. That should fix the error.

#15 thermistor

thermistor

    New Member

  • Members
  • 8 posts
  • OS:Windows Vista
  • AV:AVG
  • HIPS:-None-

Posted 12 July 2012 - 10:42 PM

Re-installing MSE took care of the problem. CCleaner worked fine. Secunia found an outdated Macromedia Flash Player. I downloaded the current version.

Thank you so much ShadowPuterDude and Emsisoft for providing this service! And thanks to the programmers and companies that produced the excellent array of software that was used in this clean up!

#16 Kevin Zoll

Kevin Zoll

    Malware Removal Support

  • Emsisoft Employee
  • 13253 posts
  • Location: Depauville, NY, USA
  • OS:Windows 7 x64
  • AV:Emsisoft Anti-Malware
  • HIPS:Windows Firewall
  • Other:WinPatrol Plus

Posted 12 July 2012 - 11:29 PM

Thread Closed

Reason:
Resolved

The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on your system could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE, if you don't we are just going to send you back to this thread.
