craigsiegel
Everything posted by craigsiegel
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
Done. You rock. Small donation coming. -
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
Nope. Don't need the caterpillar doc. Here is the MBAM quickscan log. I think I am OK now, right? Craig
---------------------------------------------
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.07.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Craig and Susan :: CRAIGSUSAN-PC [administrator]

8/8/2012 1:45:44 PM
mbam-log-2012-08-08 (13-45-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 235072
Time elapsed: 12 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
-
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
Reboot appears to have taken care of that problem. Here is the ComboFix log.

ComboFix 12-08-08.01 - Craig and Susan 08/08/2012 12:42:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1822 [GMT -7:00]
Running from: c:\users\Craig and Susan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Craig and Susan\AppData\Roaming\agrer.dll
c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
c:\users\Craig and Susan\Documents\~WRL0005.tmp
c:\users\Craig and Susan\Documents\~WRL0144.tmp
c:\users\Craig and Susan\Documents\~WRL0162.tmp
c:\users\Craig and Susan\Documents\~WRL0307.tmp
c:\users\Craig and Susan\Documents\~WRL1058.tmp
c:\users\Craig and Susan\Documents\~WRL1159.tmp
c:\users\Craig and Susan\Documents\~WRL1446.tmp
c:\users\Craig and Susan\Documents\~WRL1654.tmp
c:\users\Craig and Susan\Documents\~WRL1896.tmp
c:\users\Craig and Susan\Documents\~WRL3248.tmp
c:\users\Craig and Susan\Documents\~WRL3531.tmp
c:\users\Craig and Susan\Documents\~WRL3639.tmp
c:\users\Craig and Susan\Documents\~WRL3766.tmp
c:\users\Craig and Susan\g2mdlhlpx.exe
c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 19:54 . 2012-08-08 19:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\offreg.dll
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser.CraigSusan-PC\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-07 22:43 . 2012-08-07 22:43 -------- d-----w- C:\FRST
2012-08-07 20:21 . 2012-02-09 21:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{937272F2-4CA6-4830-8EB6-0E864380F4EA}\gapaengine.dll
2012-08-07 20:18 . 2012-07-16 09:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\mpengine.dll
2012-08-07 19:50 . 2012-08-07 19:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-07 17:43 . 2012-08-07 17:40 883616 ----a-w- C:\FixExec.exe
2012-08-07 16:51 . 2012-08-07 17:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 16:36 . 2012-08-07 16:38 -------- d-----w- c:\programdata\036E19320357F9631A6804E82F3B707C
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_23239
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_12794
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AF4AB-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AB980-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:35 . 2012-08-07 16:35 57344 ---ha-w- c:\windows\system32\mobsEXEC.dll
2012-07-17 00:26 . 2012-07-17 00:26 -------- d-----w- c:\users\Craig and Susan\New Folder (1)
2012-07-11 03:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 03:39 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 03:39 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 03:39 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 03:39 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 03:39 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 16:54 . 2012-05-02 18:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 16:54 . 2011-06-16 13:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 19:37 . 2009-04-30 03:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 19:37 . 2009-04-30 03:02 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 19:37 . 2009-04-30 03:02 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 19:37 . 2009-04-30 03:02 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-03 20:46 . 2011-02-18 08:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40 . 2012-07-11 10:08 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-02 22:19 . 2012-06-19 05:45 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-19 05:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 05:46 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 05:45 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 05:45 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 05:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 05:46 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 05:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-19 05:45 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-19 02:04 . 2009-04-30 03:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-07-19 14:02 . 2012-02-05 01:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SlickRun"="c:\program files\SlickRun\sr.exe" [2009-06-02 1161568]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-17 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-17 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-17 136544]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
c:\users\Craig and Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
goSoft (3.1.2.0 F).lnk - c:\program files\goFluent\goSoft(3.1.2.0 F)\goStart.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 16:54]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000Core.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000UA.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-07-09 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:63556
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: gofluent.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {F9BF64A0-5A65-43E0-ACDB-B223E7F9DDD9} - hxxp://watch.sniffdoghotel.com:10205/WEBWATCH2.cab
FF - ProfilePath - c:\users\Craig and Susan\AppData\Roaming\Mozilla\Firefox\Profiles\0368sgmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://portal.gofluent.com/group/trainer|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63556
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.installId - 45064580-de3b-4a86-878b-7bb7035d3d86
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 12:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-08-08 13:06:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 20:06
ComboFix2.txt 2011-02-19 23:06
.
Pre-Run: 139,235,803,136 bytes free
Post-Run: 139,302,969,344 bytes free
.
- - End Of File - - EAAE98F1B430770519114F8200B8FB89
-
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
So far so good. PC is still up and running. But I was so excited to finally be making progress that I forgot to disable MSE before I started ComboFix. I got it turned off as ComboFix was installing and before ComboFix started running. I think that is OK. ComboFix ran and generated its log, but I got the "illegal operation" message when I tried to copy it. I am restarting now to see if I can grab it. -
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
Question: Can I now start the PC in regular Windows without fear of it crashing again after a few minutes? -
Another system32/services.exe infection
craigsiegel replied to craigsiegel's topic in Resolved Malware Removal Logs
Thank you, thank you, thank you. Here is the log.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 12:18:17 Run:1
Running from F:\MalwareFix

==============================================

C:\Windows\Installer\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Users\Craig and Susan\AppData\Local\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====

Now what? -
Help. I have picked up the system32/services.exe trojan and now my Windows Vista won't stay up for more than a couple of minutes. It crashes and goes into an automatic restart. My original problem was that I picked up the Live Security Platinum trojan. I ran FixExec and Malwarebytes to get rid of it. But then Microsoft Security Essentials wouldn't run. I reinstalled it and that is when I started getting the Windows crashes. I ran Kaspersky Rescue Disk 10, which picked up the trojan but can't clean it. I have not run HijackThis, but I ran Farbar and got what looks to be the log you really need, so I am including it here. It flags the system32\services.exe file in the MD5 check. I am also including the results of the search in Farbar for services.exe. The results files are attached. Help -- I have been at this almost constantly for two days.
-------------------------------------------
Search.txt
FRST.txt