Author Topic: Windows/win32/serrvices.exe Sirefef-AHF [trj]  (Read 15364 times)


zlimrida

  • Guest
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #15 on: September 02, 2012, 01:54:04 PM »
FRST logs


PS: Avast stopped spamming me about threats, by the way, but when I scan I can still see the virus. Not sure if this is relevant, but I just felt I had to say it :)

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #16 on: September 02, 2012, 02:36:39 PM »
Step#1.1 


-Delete FRST.txt (notepad) from your USB flash drive if you have it.


Open new notepad.
  • Click Start
  • Type notepad.exe in the search programs and files box and click Enter.
  • A blank Notepad page should open.
  • Copy/Paste the contents of the code box below into Notepad.
Code:

Start
Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
HKU\Zlim\...\Policies\system: [DisableLockWorkstation] 0
HKU\Zlim\...\Policies\system: [DisableChangePassword] 0
C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Users\Zlim\AppData\Local\{7ba12d95-5a21-c945-9f55-8c43c32cc061}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
end



  • Save it to your USB flashdrive as fixlist.txt
>>  Boot into Recovery Environment


Start FRST in a similar manner to when you ran a scan earlier, but this time when it opens ....
  •     Press the Fix button once and wait.
  •     FRST will process fixlist.txt
  •     When finished, it will produce a log fixlog.txt on your USB flashdrive.
Step#1.2
While you are still there...
>>
  • Click the Scan button to run a fresh FRST.txt scan.
  • When finished, it will produce a fresh FRST.txt log on your USB flash drive.
>>  Exit the Recovery Environment and post me the log please.
>> Attach the fresh FRST.txt log.

************************

Step#2 


Download TDSSKiller and save it to your desktop.

    Run TDSSKiller.exe by double-clicking on it.

  •     Press Start Scan

     
  •   If a suspicious object is detected, the default action will be Skip; click Continue.
     
  •   If malicious objects are found, select Cure.
Once complete, a log will be produced at the root of the system drive, which is typically C:\, for example C:\TDSSKiller.<version_date_time>log.txt


Please post the contents of that log in your next reply.


************************
Step#3 



  • Re-run OTL. Make sure all other windows are closed and to let it run uninterrupted.
  • Click on Scan All Users
     
  • Paste this into the Custom Scans/Fixes box at the bottom

    Code:

    drives
    /md5start
    services.exe
    /md5stop
    %systemroot%\assembly\GAC_32\*.ini /S /MD5
    %systemroot%\assembly\GAC_64\*.ini /S /MD5
    %systemroot%\Installer|@;true;true;true
    %systemdrive%\$Recycle.Bin|@;true;true;true
    %systemdrive%\$Recycle.Bin|n;true;true;true
    C:\$Recycle.Bin\S-1-5-18 /s
    C:\$Recycle.Bin\S-1-5-21-1862684139-277524484-329249885-1000 /s
    c:\windows\installer\@ /s
    c:\windows\installer\*.@ /s
    dir /s /a "C:\Windows\Installer\{7ba12d95-5a21-c945-9f55-8c43c32cc061}" /c
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s


    • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
             
      • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
                 
      • Please attach them in this thread.
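The FRST fixlist and the OTL custom scan above both revolve around the same on-disk artifacts: a Desktop.ini dropped into %systemroot%\assembly\GAC_32 and GAC_64, and a {GUID} folder under Windows\Installer, the user's AppData\Local or $Recycle.Bin\<SID> that holds files named @ and n. The script below is an added example, not part of this thread and not code from FRST or OTL: it walks a directory tree and reports those indicators, and it builds a constructed sample tree (the GUID from this thread, plus an invented benign Installer folder and an ordinary Desktop.ini that must not fire) so it runs offline. Which file names count as markers, and the rule that a GUID folder must contain one to be flagged, are assumptions of the example.

```python
"""Walk a directory tree for the on-disk artifacts this thread's FRST fixlist
and OTL custom scan target, and report them."""
import os
import re
import tempfile
from pathlib import Path

# Assumptions of this example: a {GUID} folder in one of the locations below
# that holds a file named "@", "n" or "*.@" is treated as a dropper directory,
# and a Desktop.ini directly inside assembly\GAC_32 or GAC_64 as a payload.
GUID_DIR = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
MARKER_NAMES = {"@", "n"}


def _is_gac_dir(parts):
    """...\\assembly\\GAC_32 or ...\\assembly\\GAC_64 (parts are lower-cased)."""
    return len(parts) >= 2 and parts[-2] == "assembly" and parts[-1] in ("gac_32", "gac_64")


def _is_dropper_location(parts):
    """{GUID} directly under Windows\\Installer, AppData\\Local or $Recycle.Bin\\<SID>."""
    if len(parts) < 3 or not GUID_DIR.match(parts[-1]):
        return False
    parent, grandparent = parts[-2], parts[-3]
    if (grandparent, parent) in (("windows", "installer"), ("appdata", "local")):
        return True
    return grandparent == "$recycle.bin" and parent.startswith("s-1-5-")


def scan_tree(root):
    """Return sorted (indicator, path) tuples found under root."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = [p.lower() for p in Path(dirpath).relative_to(root).parts]
        if _is_gac_dir(parts):
            for name in filenames:
                if name.lower() == "desktop.ini":
                    hits.append(("gac_desktop_ini", str(Path(dirpath) / name)))
        if _is_dropper_location(parts):
            markers = [n for n in filenames
                       if n.lower() in MARKER_NAMES or n.lower().endswith(".@")]
            if markers:
                hits.append(("guid_dropper_dir", f"{dirpath} ({', '.join(sorted(markers))})"))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample tree (not a real disk) using the paths from this thread,
    plus a benign Installer GUID folder and an ordinary Desktop.ini that must not fire."""
    guid = "{7ba12d95-5a21-c945-9f55-8c43c32cc061}"
    for rel in (
        "Windows/assembly/GAC_32/Desktop.ini",
        "Windows/assembly/GAC_64/Desktop.ini",
        f"Windows/Installer/{guid}/@",
        f"Windows/Installer/{guid}/n",
        f"Users/Zlim/AppData/Local/{guid}/@",
        f"$Recycle.Bin/S-1-5-18/{guid}/n",
        "Windows/Installer/{11111111-2222-3333-4444-555555555555}/SourceList.txt",  # benign, invented
        "Users/Zlim/Desktop/Desktop.ini",  # ordinary folder customisation, not an indicator
    ):
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"sample")


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for indicator, path in run_demo():
        print(f"{indicator:18} {path}")
```

Point scan_tree at a mounted or copied system volume (for example an offline image of C:\) to list the same items the FRST fixlist deletes; the GAC Desktop.ini check and the marker-file rule are deliberately narrow so that the normal GUID-named folders Windows Installer keeps do not produce noise.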

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #17 on: September 02, 2012, 06:06:30 PM »
FRST logs

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #18 on: September 02, 2012, 06:07:29 PM »
OTL and TDSSKiller logs

Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #19 on: September 02, 2012, 06:44:20 PM »
Nice, the logs look good. I will remove some leftover registry entries related to AVG.

  Step#1 

Re-run OTL.exe.

  • Copy and paste the following text from the code box into the Custom Scans/Fixes box.

Code:

:OTL
IE:64bit: - HKLM\..\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}: "URL" = http://eu.ask.com/web?q={searchterms}&l=dis&o=HPNTDF
IE - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\SearchScopes\{FFF4641F-23D0-49B4-BE7E-36D4F871C109}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ORJ&o=&src=kw&q={searchTerms}&locale=&apn_ptnrs=&apn_dtid=OSJ000&apn_uid=89891337-95F1-401B-96F5-C4E83130DE16&apn_sauid=80968523-5D33-4E3F-BDF6-1DBD0AD08FD2
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{F53C93F1-07D5-430c-86D4-C9531B27DFAF}: C:\Program Files (x86)\AVG\AVG2012\Firefox\DoNotTrack\ [2012/09/02 00:19:01 | 000,000,000 | ---D | M]
O2:64bit: - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiea.dll File not found
O2:64bit: - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (AVG Do Not Track) - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O3 - HKU\S-1-5-21-1008104762-4221902305-1862361787-1000\..\Toolbar\WebBrowser: (no name) - {BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC} - No CLSID value found.
O9 - Extra Button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files (x86)\AVG\AVG2012\avgdtiex.dll File not found

:files
sc create BITS binpath= "c:\windows\system32\svchost.exe -k netsvcs" start= delayed-auto /c

:commands
[CREATERESTOREPOINT]
[emptytemp]
[purity]
[EMPTYFLASH]
[EMPTYJAVA]
[Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
*****************

  Step#2 


Download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Check the following options:
    • Internet Services
    • Windows Update
    • Other Services
  • Press "Scan" button.
  • It will create a log (FSS.txt).
  • Attach the log report here.


*********************
  Step#3 

>  I'd love to see the ComboFix log.
Download a fresh ComboFix. Disable your antivirus and try to run it now.

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #20 on: September 02, 2012, 07:18:22 PM »
OTL and FSS logs



ComboFix is still not working though; it still says it needs version 2000 or XP :P
« Last Edit: September 02, 2012, 07:22:20 PM by zlimrida »

Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #21 on: September 02, 2012, 07:43:17 PM »
OK, download this registry file to your Desktop:

https://www.dropbox.com/s/3kw9vqjixsk6uex/BITS7.reg

Double-click to run it. On the pop-up windows, click YES/OK. Reboot your computer.

> Re-run FSS and attach the fresh FSS.txt log here.

> How's your computer running now?

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #22 on: September 02, 2012, 08:07:07 PM »
FSS is the normal log (Internet, update, other services).

FSS2 is the second one, where I added the firewall to it, since the firewall seems to be down; mind taking a look?



But otherwise the computer is running OK; scanned with Avast, no malware found. Also no virus alert pop-ups, and no Windows shutdowns.



Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #23 on: September 02, 2012, 08:13:59 PM »
Re-run OTL.exe.

  • Copy and paste the following text from the code box into the Custom Scans/Fixes box.

Code:


:processes
explorer.exe
svchost.exe

:commands
[Reboot]

:reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"First Counter"=dword:000007d2
"Last Counter"=dword:000007e2
"First Help"=dword:000007d3
"Last Help"=dword:000007e3
"Object List"="2002"
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,90,00,00,00,a0,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,5c,00,04,00,00,00,00,02,14,00,ff,01,0f,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,04,\
  00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,06,00,00,00,01,02,\
  00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,05,20,00,00,\
  00,20,02,00,00

  • Then click the Run Fix button at the top.
  • Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
******************


Re-run FSS, check Windows Update and click Scan.
Attach the fresh FSS.txt log here.
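Before importing a registry file someone hands you (the BITS7.reg linked earlier, or the :reg block in this post), it is worth decoding the hex(2) and hex(7) blobs to see exactly what will land in the service key: a REG_EXPAND_SZ is UTF-16LE text, and a REG_MULTI_SZ is a NUL-separated list of such strings. The script below is an added example, not part of this thread and not OTL's or regedit's code: it parses a .reg fragment (the BITS values from this post, embedded as a constructed sample) into typed values and checks that ImagePath and ServiceDll point at the svchost.exe -k netsvcs / qmgr.dll pair the post writes. The expected strings in STOCK and the check_bits rule are assumptions of the example.

```python
"""Decode a .reg fragment so the hex(2)/hex(7)/dword values can be read
and checked before the file is imported into a service key."""
import re

# Constructed sample: the BITS values from the :reg block in this post,
# trimmed to the ones worth checking.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"ObjectName"="LocalSystem"
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
  00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"""

BITS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS"

# Assumed stock values, taken from what this post's :reg block writes.
STOCK = {
    "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
    "ServiceDll": r"%SystemRoot%\System32\qmgr.dll",
}

_VALUE = re.compile(r'^(?:"(?P<name>[^"]+)"|(?P<default>@))=(?P<data>.*)$')
_HEX = re.compile(r"^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$")


def _join_continuations(text):
    """Glue lines that end in a backslash (.reg line continuation) back together."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    return out


def _decode(data):
    """Return (type_name, value) for the right-hand side of a .reg value line."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: .reg escapes backslash and double quote with a backslash
        return "REG_SZ", re.sub(r"\\(.)", r"\1", data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[len("dword:"):], 16)
    m = _HEX.match(data)
    if not m:
        raise ValueError(f"unsupported .reg data: {data!r}")
    raw = bytes(int(b, 16) for b in m.group("bytes").split(",") if b)
    kind = m.group("type")
    if kind == "2":   # REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return "REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00")
    if kind == "7":   # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    return ("REG_BINARY" if kind is None else f"hex({kind})"), raw


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: (type_name, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "@"
            keys[current][name] = _decode(m.group("data"))
    return keys


def check_bits(keys):
    """Return a list of findings; an empty list means the BITS key matches STOCK."""
    svc = keys.get(BITS_KEY, {})
    params = keys.get(BITS_KEY + r"\Parameters", {})
    findings = []
    image = svc.get("ImagePath", ("", ""))[1]
    if str(image).lower() != STOCK["ImagePath"].lower():
        findings.append(f"ImagePath is {image!r}")
    dll = params.get("ServiceDll", ("", ""))[1]
    if str(dll).lower() != STOCK["ServiceDll"].lower():
        findings.append(f"ServiceDll is {dll!r}")
    if svc.get("Type", ("", None))[1] != 0x20:   # shared svchost process, as the post sets it
        findings.append("Type is not 0x20 (shared svchost process)")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, values in parsed.items():
        print(f"[{key}]")
        for name, (kind, value) in values.items():
            print(f"  {name} ({kind}) = {value!r}")
    print("findings:", check_bits(parsed) or "none")
```

Feed the downloaded .reg file's text to parse_reg instead of SAMPLE_REG to see every value it will set; any ServiceDll or ImagePath that resolves to a path outside %SystemRoot%\System32 is a reason not to import it.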

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #24 on: September 03, 2012, 04:42:00 PM »
OTL, FSS logs

Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #25 on: September 03, 2012, 07:44:07 PM »
Ah, let's try again...

Download this reg key to your desktop. Run it and click Yes/OK on the pop-up:
https://www.dropbox.com/s/tf1ilyjlfp23kud/wuauserv7.reg

Reboot your computer.


Then download this one:
https://www.dropbox.com/s/3kw9vqjixsk6uex/BITS7.reg

Click YES/OK.
Reboot your computer.

************************


Download the Complete Internet Repair tool.
www.datum-forensics.com/down/comintrep.exe


- Extract the program into a separate folder on the Desktop.

         Double-click comintrep to start it and click Extract.
         The program will create a new folder called Complete Internet Repair.


     Close all running applications.
     In the created folder, double-click CIntRep to run the program.
     Check the Repair Windows Automatic Update box and then click Go!

     Wait for the program to finish the repair; it will then ask for a reboot.
         If it does not reboot, restart it yourself.

     Restart the program by double-clicking CIntRep.
     Click on File > Logging > Open Logging Directory.

     Attach CIntRep.txt using the attach file option.
     If there are several logs, attach them to the message as well.


=============


Re run FSS as before and attach here fresh FSS.txt log.

> How is your computer running now?

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #26 on: September 04, 2012, 04:16:16 PM »
Logs:

The machine is running well, although the firewall is still messed up.

Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #27 on: September 04, 2012, 10:34:50 PM »
Re-run Complete Internet Repair, check all boxes and click Go!.
Reboot Windows.

---------------

Download Windows Repair (all in one) from this site

Install the program, then run it.

Go to step 3 and allow it to run SFC.

On the Start Repairs tab, click Start.

Select the following items and tick "restart system when finished".

-----------------------

Re-run FSS. Check all options and click Scan. Attach the fresh FSS.txt here.

zlimrida
Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #28 on: September 09, 2012, 04:43:12 PM »
Sorry, I had a field week in the military so I couldn't go online. But anyway...

FSS log:

The firewall is up and running well, and the computer seems stable.

Offline magna86

Re: Windows/win32/serrvices.exe Sirefef-AHF [trj]
« Reply #29 on: September 09, 2012, 10:48:50 PM »
Is your computer running fine?