
craigsiegel


Posts posted by craigsiegel

  1. Nope. Don't need the caterpillar doc.

    Here is the MBAM quick scan log. I think I am OK now, right?

    Craig

    ---------------------------------------------

    Malwarebytes Anti-Malware 1.62.0.1300

    www.malwarebytes.org

    Database version: v2012.08.07.06

    Windows Vista Service Pack 2 x86 NTFS

    Internet Explorer 9.0.8112.16421

    Craig and Susan :: CRAIGSUSAN-PC [administrator]

    8/8/2012 1:45:44 PM

    mbam-log-2012-08-08 (13-45-44).txt

    Scan type: Quick scan

    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P

    Scan options disabled:

    Objects scanned: 235072

    Time elapsed: 12 minute(s), 48 second(s)

    Memory Processes Detected: 0

    (No malicious items detected)

    Memory Modules Detected: 0

    (No malicious items detected)

    Registry Keys Detected: 0

    (No malicious items detected)

    Registry Values Detected: 0

    (No malicious items detected)

    Registry Data Items Detected: 0

    (No malicious items detected)

    Folders Detected: 0

    (No malicious items detected)

    Files Detected: 0

    (No malicious items detected)

    (end)

  2. Reboot appears to have taken care of that problem. Here is the ComboFix log.

    ComboFix 12-08-08.01 - Craig and Susan 08/08/2012 12:42:24.2.2 - x86

    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1822 [GMT -7:00]

    Running from: c:\users\Craig and Susan\Desktop\ComboFix.exe

    AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}

    SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}

    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    .

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    C:\install.exe

    c:\users\Craig and Susan\AppData\Roaming\agrer.dll

    c:\users\Craig and Susan\AppData\Roaming\vrdms.dll

    c:\users\Craig and Susan\Documents\~WRL0005.tmp

    c:\users\Craig and Susan\Documents\~WRL0144.tmp

    c:\users\Craig and Susan\Documents\~WRL0162.tmp

    c:\users\Craig and Susan\Documents\~WRL0307.tmp

    c:\users\Craig and Susan\Documents\~WRL1058.tmp

    c:\users\Craig and Susan\Documents\~WRL1159.tmp

    c:\users\Craig and Susan\Documents\~WRL1446.tmp

    c:\users\Craig and Susan\Documents\~WRL1654.tmp

    c:\users\Craig and Susan\Documents\~WRL1896.tmp

    c:\users\Craig and Susan\Documents\~WRL3248.tmp

    c:\users\Craig and Susan\Documents\~WRL3531.tmp

    c:\users\Craig and Susan\Documents\~WRL3639.tmp

    c:\users\Craig and Susan\Documents\~WRL3766.tmp

    c:\users\Craig and Susan\g2mdlhlpx.exe

    c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc

    .

    .

    ((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))

    .

    .

    2012-08-08 19:54 . 2012-08-08 19:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\offreg.dll

    2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp

    2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp

    2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser.CraigSusan-PC\AppData\Local\temp

    2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp

    2012-08-07 22:43 . 2012-08-07 22:43 -------- d-----w- C:\FRST

    2012-08-07 20:21 . 2012-02-09 21:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{937272F2-4CA6-4830-8EB6-0E864380F4EA}\gapaengine.dll

    2012-08-07 20:18 . 2012-07-16 09:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\mpengine.dll

    2012-08-07 19:50 . 2012-08-07 19:50 -------- d-----w- c:\program files\Microsoft Security Client

    2012-08-07 17:43 . 2012-08-07 17:40 883616 ----a-w- C:\FixExec.exe

    2012-08-07 16:51 . 2012-08-07 17:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0

    2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%

    2012-08-07 16:36 . 2012-08-07 16:38 -------- d-----w- c:\programdata\036E19320357F9631A6804E82F3B707C

    2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_23239

    2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_12794

    2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AF4AB-E0AD-11E1-8270-B8AC6F996F26}

    2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AB980-E0AD-11E1-8270-B8AC6F996F26}

    2012-08-07 16:35 . 2012-08-07 16:35 57344 ---ha-w- c:\windows\system32\mobsEXEC.dll

    2012-07-17 00:26 . 2012-07-17 00:26 -------- d-----w- c:\users\Craig and Susan\New Folder (1)

    2012-07-11 03:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll

    2012-07-11 03:39 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll

    2012-07-11 03:39 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll

    2012-07-11 03:39 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys

    2012-07-11 03:39 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll

    2012-07-11 03:39 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll

    .

    .

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2012-08-03 16:54 . 2012-05-02 18:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

    2012-08-03 16:54 . 2011-06-16 13:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

    2012-07-12 19:37 . 2009-04-30 03:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

    2012-07-12 19:37 . 2009-04-30 03:02 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

    2012-07-12 19:37 . 2009-04-30 03:02 30624 ----a-w- c:\windows\system32\LMIport.dll

    2012-07-12 19:37 . 2009-04-30 03:02 87456 ----a-w- c:\windows\system32\LMIinit.dll

    2012-07-03 20:46 . 2011-02-18 08:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

    2012-06-13 13:40 . 2012-07-11 10:08 2047488 ----a-w- c:\windows\system32\win32k.sys

    2012-06-02 22:19 . 2012-06-19 05:45 171904 ----a-w- c:\windows\system32\wuwebv.dll

    2012-06-02 22:19 . 2012-06-19 05:46 53784 ----a-w- c:\windows\system32\wuauclt.exe

    2012-06-02 22:19 . 2012-06-19 05:46 45080 ----a-w- c:\windows\system32\wups2.dll

    2012-06-02 22:19 . 2012-06-19 05:45 35864 ----a-w- c:\windows\system32\wups.dll

    2012-06-02 22:19 . 2012-06-19 05:45 577048 ----a-w- c:\windows\system32\wuapi.dll

    2012-06-02 22:19 . 2012-06-19 05:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll

    2012-06-02 22:12 . 2012-06-19 05:46 2422272 ----a-w- c:\windows\system32\wucltux.dll

    2012-06-02 22:12 . 2012-06-19 05:45 33792 ----a-w- c:\windows\system32\wuapp.exe

    2012-06-02 22:12 . 2012-06-19 05:45 88576 ----a-w- c:\windows\system32\wudriver.dll

    2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll

    2012-05-19 02:04 . 2009-04-30 03:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak

    2012-07-19 14:02 . 2012-02-05 01:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

    .

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    .

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]

    "googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    "SlickRun"="c:\program files\SlickRun\sr.exe" [2009-06-02 1161568]

    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]

    "HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]

    .

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]

    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]

    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]

    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]

    "UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]

    "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

    "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

    "OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]

    "DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-17 1325936]

    "AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-17 904840]

    "Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-17 136544]

    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]

    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]

    .

    c:\users\Craig and Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

    goSoft (3.1.2.0 F).lnk - c:\program files\goFluent\goSoft(3.1.2.0 F)\goStart.exe [N/A]

    .

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

    HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

    "EnableLUA"= 0 (0x0)

    "EnableUIADesktopToggle"= 0 (0x0)

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]

    @=""

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]

    @="Service"

    .

    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]

    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk

    backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup

    backupExtension=.CommonStartup

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001

    "FirewallOverride"=dword:00000001

    .

    R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]

    .

    .

    --- Other Services/Drivers In Memory ---

    .

    *NewlyCreated* - WS2IFSL

    .

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

    .

    Contents of the 'Scheduled Tasks' folder

    .

    2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job

    - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 16:54]

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]

    .

    2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

    - c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]

    .

    2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000Core.job

    - c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]

    .

    2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000UA.job

    - c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]

    .

    2012-07-09 c:\windows\Tasks\PCDRScheduledMaintenance.job

    - c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.google.com/ig

    mStart Page = hxxp://www.yahoo.com

    uInternet Settings,ProxyOverride = *.local

    uInternet Settings,ProxyServer = http=127.0.0.1:63556

    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000

    IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105

    Trusted Zone: gofluent.com

    TCP: DhcpNameServer = 192.168.0.1 205.171.3.25

    DPF: {F9BF64A0-5A65-43E0-ACDB-B223E7F9DDD9} - hxxp://watch.sniffdoghotel.com:10205/WEBWATCH2.cab

    FF - ProfilePath - c:\users\Craig and Susan\AppData\Roaming\Mozilla\Firefox\Profiles\0368sgmm.default\

    FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

    FF - prefs.js: browser.search.selectedEngine - Google

    FF - prefs.js: browser.startup.homepage - hxxps://portal.gofluent.com/group/trainer|https://mail.google.com/mail/?shva=1#inbox

    FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

    FF - prefs.js: network.proxy.http - 127.0.0.1

    FF - prefs.js: network.proxy.http_port - 63556

    FF - prefs.js: network.proxy.type - 0

    FF - user.js: extentions.y2layers.installId - 45064580-de3b-4a86-878b-7bb7035d3d86

    FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,

    FF - user.js: extensions.autoDisableScopes - 14

    FF - user.js: security.csp.enable - false

    .

    - - - - ORPHANS REMOVED - - - -

    .

    HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll

    HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll

    .

    .

    .

    **************************************************************************

    .

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2012-08-08 12:55

    Windows 6.0.6002 Service Pack 2 NTFS

    .

    scanning hidden processes ...

    .

    scanning hidden autostart entries ...

    .

    scanning hidden files ...

    .

    scan completed successfully

    hidden files: 0

    .

    **************************************************************************

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]

    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]

    "ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    .

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

    @Denied: (A) (Users)

    @Denied: (A) (Everyone)

    @Allowed: (B 1 2 3 4 5) (S-1-5-20)

    "BlindDial"=dword:00000000

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\nvvsvc.exe

    c:\program files\Microsoft Security Client\MsMpEng.exe

    c:\windows\system32\rundll32.exe

    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\Common Files\LightScribe\LSSrvc.exe

    c:\program files\LogMeIn\x86\LMIGuardianSvc.exe

    c:\program files\LogMeIn\x86\RaMaint.exe

    c:\program files\LogMeIn\x86\LogMeIn.exe

    c:\program files\CDBurnerXP\NMSAccessU.exe

    c:\program files\Common Files\Seagate\Schedule2\schedul2.exe

    c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe

    c:\program files\TeamViewer\Version5\TeamViewer_Service.exe

    c:\program files\TomTom HOME 2\TomTomHOMEService.exe

    c:\windows\system32\DRIVERS\xaudio.exe

    c:\program files\TeamViewer\Version5\TeamViewer.exe

    c:\windows\system32\WUDFHost.exe

    c:\windows\System32\rundll32.exe

    c:\windows\ehome\ehmsas.exe

    c:\windows\servicing\TrustedInstaller.exe

    c:\program files\iPod\bin\iPodService.exe

    c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe

    c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

    .

    **************************************************************************

    .

    Completion time: 2012-08-08 13:06:12 - machine was rebooted

    ComboFix-quarantined-files.txt 2012-08-08 20:06

    ComboFix2.txt 2011-02-19 23:06

    .

    Pre-Run: 139,235,803,136 bytes free

    Post-Run: 139,302,969,344 bytes free

    .

    - - End Of File - - EAAE98F1B430770519114F8200B8FB89

  3. So far so good. PC is still up and running. But I was so excited to finally be making progress that I forgot to disable MSE before I started ComboFix. I got it turned off as ComboFix was installing and before ComboFix started running. I think that is OK.

    ComboFix ran and generated its log, but I got the "illegal operation" message when I tried to copy it. I am restarting now to see if I can grab it.

  4. Thank you, thank you, thank you.

    Here is the log.

    Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01

    Ran by SYSTEM at 2012-08-08 12:18:17 Run:1

    Running from F:\MalwareFix

    ==============================================

    C:\Windows\Installer\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.

    C:\Users\Craig and Susan\AppData\Local\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.

    C:\Windows\System32\services.exe moved successfully.

    C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe

    ==== End of Fixlog ====

    Now what?

  5. Help. I have picked up the system32\services.exe trojan and now my Windows Vista won't stay up for more than a couple of minutes. It crashes and goes into an automatic restart. My original problem was that I picked up the Live Security Platinum trojan. I ran FixExec and Malwarebytes to get rid of it. But then Microsoft Security Essentials wouldn't run. I reinstalled it and that is when I started getting the Windows crashes. I ran Kaspersky Rescue Disk 10, which picked up the trojan but can't clean it.

    I have not run HijackThis, but I ran Farbar and got what looks to be the log you really need, so I am including it here. It flags the system32\services.exe file in the MD5 check. I am also including the results of the search in Farbar for services.exe. The results files are attached.

    Help -- I have been at this almost constantly for two days.

    -------------------------------------------

    Search.txt

    FRST.txt
