craigsiegel
Posts posted by craigsiegel
-
Nope. Don't need the caterpillar doc.
Here is the MBAM quick scan log. I think I am OK now, right?
Craig
---------------------------------------------
Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org
Database version: v2012.08.07.06
Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Craig and Susan :: CRAIGSUSAN-PC [administrator]
8/8/2012 1:45:44 PM
mbam-log-2012-08-08 (13-45-44).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 235072
Time elapsed: 12 minute(s), 48 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
-
Reboot appears to have taken care of that problem. Here is the ComboFix log.
ComboFix 12-08-08.01 - Craig and Susan 08/08/2012 12:42:24.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2942.1822 [GMT -7:00]
Running from: c:\users\Craig and Susan\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\install.exe
c:\users\Craig and Susan\AppData\Roaming\agrer.dll
c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
c:\users\Craig and Susan\Documents\~WRL0005.tmp
c:\users\Craig and Susan\Documents\~WRL0144.tmp
c:\users\Craig and Susan\Documents\~WRL0162.tmp
c:\users\Craig and Susan\Documents\~WRL0307.tmp
c:\users\Craig and Susan\Documents\~WRL1058.tmp
c:\users\Craig and Susan\Documents\~WRL1159.tmp
c:\users\Craig and Susan\Documents\~WRL1446.tmp
c:\users\Craig and Susan\Documents\~WRL1654.tmp
c:\users\Craig and Susan\Documents\~WRL1896.tmp
c:\users\Craig and Susan\Documents\~WRL3248.tmp
c:\users\Craig and Susan\Documents\~WRL3531.tmp
c:\users\Craig and Susan\Documents\~WRL3639.tmp
c:\users\Craig and Susan\Documents\~WRL3766.tmp
c:\users\Craig and Susan\g2mdlhlpx.exe
c:\users\Craig and Susan\Once upon a time there were two caterpillars .doc
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-08 19:54 . 2012-08-08 19:54 56200 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\offreg.dll
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\LogMeInRemoteUser.CraigSusan-PC\AppData\Local\temp
2012-08-08 19:53 . 2012-08-08 19:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-08-07 22:43 . 2012-08-07 22:43 -------- d-----w- C:\FRST
2012-08-07 20:21 . 2012-02-09 21:17 713784 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{937272F2-4CA6-4830-8EB6-0E864380F4EA}\gapaengine.dll
2012-08-07 20:18 . 2012-07-16 09:41 6891424 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{2CA333C5-A7DA-4692-A634-AB2A6D7726F0}\mpengine.dll
2012-08-07 19:50 . 2012-08-07 19:50 -------- d-----w- c:\program files\Microsoft Security Client
2012-08-07 17:43 . 2012-08-07 17:40 883616 ----a-w- C:\FixExec.exe
2012-08-07 16:51 . 2012-08-07 17:04 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-08-07 16:41 . 2012-08-07 16:41 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-08-07 16:36 . 2012-08-07 16:38 -------- d-----w- c:\programdata\036E19320357F9631A6804E82F3B707C
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_23239
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\windows\scoped_dir_9056_12794
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AF4AB-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:36 . 2012-08-07 16:36 -------- d-----w- c:\users\Craig and Susan\AppData\Local\{E94AB980-E0AD-11E1-8270-B8AC6F996F26}
2012-08-07 16:35 . 2012-08-07 16:35 57344 ---ha-w- c:\windows\system32\mobsEXEC.dll
2012-07-17 00:26 . 2012-07-17 00:26 -------- d-----w- c:\users\Craig and Susan\New Folder (1)
2012-07-11 03:40 . 2012-06-05 16:47 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
2012-07-11 03:39 . 2012-06-05 16:47 1401856 ----a-w- c:\windows\system32\msxml6.dll
2012-07-11 03:39 . 2012-06-05 16:47 1248768 ----a-w- c:\windows\system32\msxml3.dll
2012-07-11 03:39 . 2012-06-04 15:26 440704 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2012-07-11 03:39 . 2012-06-02 00:04 278528 ----a-w- c:\windows\system32\schannel.dll
2012-07-11 03:39 . 2012-06-02 00:03 204288 ----a-w- c:\windows\system32\ncrypt.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-03 16:54 . 2012-05-02 18:26 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-08-03 16:54 . 2011-06-16 13:02 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-12 19:37 . 2009-04-30 03:02 83392 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-07-12 19:37 . 2009-04-30 03:02 52128 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-07-12 19:37 . 2009-04-30 03:02 30624 ----a-w- c:\windows\system32\LMIport.dll
2012-07-12 19:37 . 2009-04-30 03:02 87456 ----a-w- c:\windows\system32\LMIinit.dll
2012-07-03 20:46 . 2011-02-18 08:18 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-13 13:40 . 2012-07-11 10:08 2047488 ----a-w- c:\windows\system32\win32k.sys
2012-06-02 22:19 . 2012-06-19 05:45 171904 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-02 22:19 . 2012-06-19 05:46 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2012-06-19 05:46 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2012-06-19 05:45 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2012-06-19 05:45 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2012-06-19 05:46 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:12 . 2012-06-19 05:46 2422272 ----a-w- c:\windows\system32\wucltux.dll
2012-06-02 22:12 . 2012-06-19 05:45 33792 ----a-w- c:\windows\system32\wuapp.exe
2012-06-02 22:12 . 2012-06-19 05:45 88576 ----a-w- c:\windows\system32\wudriver.dll
2012-06-02 08:25 . 2012-07-11 10:03 1129472 ----a-w- c:\windows\system32\wininet.dll
2012-05-19 02:04 . 2009-04-30 03:02 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll.000.bak
2012-07-19 14:02 . 2012-02-05 01:08 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"googletalk"="c:\users\Craig and Susan\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"SlickRun"="c:\program files\SlickRun\sr.exe" [2009-06-02 1161568]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
"HPADVISOR"="c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2009-08-05 1644088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-27 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-27 92704]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-07 148888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-25 63048]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2009-10-17 1325936]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2009-10-17 904840]
"Seagate Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2009-10-17 136544]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2009-09-09 1148200]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-18 421160]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-27 931200]
.
c:\users\Craig and Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
goSoft (3.1.2.0 F).lnk - c:\program files\goFluent\goSoft(3.1.2.0 F)\goStart.exe [N/A]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=c:\windows\pss\Microsoft Find Fast.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-02 16:54]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 03:27]
.
2012-08-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000Core.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1015957308-2917552244-2219005616-1000UA.job
- c:\users\Craig and Susan\AppData\Local\Google\Update\GoogleUpdate.exe [2010-04-14 02:29]
.
2012-07-09 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 14:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:63556
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
Trusted Zone: gofluent.com
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
DPF: {F9BF64A0-5A65-43E0-ACDB-B223E7F9DDD9} - hxxp://watch.sniffdoghotel.com:10205/WEBWATCH2.cab
FF - ProfilePath - c:\users\Craig and Susan\AppData\Roaming\Mozilla\Firefox\Profiles\0368sgmm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://portal.gofluent.com/group/trainer|https://mail.google.com/mail/?shva=1#inbox
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 63556
FF - prefs.js: network.proxy.type - 0
FF - user.js: extentions.y2layers.installId - 45064580-de3b-4a86-878b-7bb7035d3d86
FF - user.js: extentions.y2layers.defaultEnableAppsList - Buzzdock,Buzzdock,
FF - user.js: extensions.autoDisableScopes - 14
FF - user.js: security.csp.enable - false
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-vrdms - c:\users\Craig and Susan\AppData\Roaming\vrdms.dll
HKLM-Run-agrer - c:\users\Craig and Susan\AppData\Roaming\agrer.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 12:55
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{BD6912E3-AC9D80E8-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\LMIGuardianSvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\programdata\Skype\Toolbars\Skype C2C Service\c2c_service.exe
c:\program files\TeamViewer\Version5\TeamViewer_Service.exe
c:\program files\TomTom HOME 2\TomTomHOMEService.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\windows\ehome\ehmsas.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\hphc_service.exe
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
.
**************************************************************************
.
Completion time: 2012-08-08 13:06:12 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 20:06
ComboFix2.txt 2011-02-19 23:06
.
Pre-Run: 139,235,803,136 bytes free
Post-Run: 139,302,969,344 bytes free
.
- - End Of File - - EAAE98F1B430770519114F8200B8FB89
-
So far so good. PC is still up and running. But I was so excited to finally be making progress that I forgot to disable MSE before I started ComboFix. I got it turned off as ComboFix was installing and before ComboFix started running. I think that is OK.
ComboFix ran and generated its log, but I got the "illegal operation" message when I tried to copy it. I am restarting now to see if I can grab it.
-
Question: Can I now start the PC in regular Windows without fear of it crashing again after a few minutes?
-
Thank you, thank you, thank you.
Here is the log.
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 05-08-2012 01
Ran by SYSTEM at 2012-08-08 12:18:17 Run:1
Running from F:\MalwareFix
==============================================
C:\Windows\Installer\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Users\Craig and Susan\AppData\Local\{bce63da1-5ed8-b0ec-38c5-863b6df10fa5} moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\ERDNT\cache\services.exe copied successfully to C:\Windows\System32\services.exe
==== End of Fixlog ====
Now what?
-
Help. I have picked up the system32\services.exe trojan and now my Windows Vista won't stay up for more than a couple of minutes. It crashes and goes into an automatic restart. My original problem was that I picked up the Live Security Platinum trojan. I ran FixExec and Malwarebytes to get rid of it. But then Microsoft Security Essentials wouldn't run. I reinstalled it and that is when I started getting the Windows crashes. I ran Kaspersky Rescue Disk 10, which picked up the trojan but can't clean it.
I have not run HijackThis, but I ran Farbar and got what looks to be the log you really need, so I am including it here. It flags the system32\services.exe file in the MD5 check. I am also including the results of the search in Farbar for services.exe. The results files are attached.
Help -- I have been at this almost constantly for two days.
-------------------------------------------
Another system32/services.exe infection
in Resolved Malware Removal Logs
Done.
You rock.
Small donation coming.