Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Removing W32/Patched.UB from C:\Wndows\System32\services.exe


  • This topic is locked This topic is locked
2 replies to this topic

#1 Emil Svensson

Emil Svensson

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 25 June 2012 - 12:54 AM

Hi,



I've seen the other thread about this exact same topic but also realize that everyone needs personalized help.



A couple of weeks ago I got some help removing Small.FI, Gen2 and atraps (I believe). The files were all gone, but the process left the system in a slightly
crippled (but fully useable) state. Yesterday this new file appeared. Could there be a common denominator?



Anyway; this is my sister's computer, and we're looking to do a clean install of Windows 7 (currently on Vista) in the very near future, but until then it's important that she can use the computer as she works from home. I've supplied the scan report below.



Thanks in advance!


http://pastebin.com/cJ4yd7Ay


Avira Free Antivirus
Report file date: den 25 juni 2012 06:01

Scanning for 3866265 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available.

Licensee : Avira AntiVir Personal - Free Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista ™ Home Basic
Windows version : (Service Pack 1) [6.0.6001]
Boot mode : Normally booted
Username : Hanna
Computer name : HANNA-DATOR

Version information:
BUILD.DAT : 12.0.0.1125 41829 Bytes 2012-05-02 17:40:00
AVSCAN.EXE : 12.3.0.15 466896 Bytes 2012-05-11 12:54:33
AVSCAN.DLL : 12.3.0.15 54736 Bytes 2012-05-11 12:54:33
LUKE.DLL : 12.3.0.15 68304 Bytes 2012-05-11 12:54:34
AVSCPLR.DLL : 12.3.0.14 97032 Bytes 2012-05-11 12:54:34
AVREG.DLL : 12.3.0.17 232200 Bytes 2012-05-11 12:54:34
VBASE000.VDF : 7.10.0.0 19875328 Bytes 2009-11-06 18:18:34
VBASE001.VDF : 7.11.0.0 13342208 Bytes 2010-12-14 09:07:39
VBASE002.VDF : 7.11.19.170 14374912 Bytes 2011-12-20 15:45:29
VBASE003.VDF : 7.11.21.238 4472832 Bytes 2012-02-01 08:38:22
VBASE004.VDF : 7.11.26.44 4329472 Bytes 2012-03-28 08:05:51
VBASE005.VDF : 7.11.29.136 2166272 Bytes 2012-05-10 12:54:32
VBASE006.VDF : 7.11.29.137 2048 Bytes 2012-05-10 12:54:32
VBASE007.VDF : 7.11.29.138 2048 Bytes 2012-05-10 12:54:32
VBASE008.VDF : 7.11.29.139 2048 Bytes 2012-05-10 12:54:32
VBASE009.VDF : 7.11.29.140 2048 Bytes 2012-05-10 12:54:32
VBASE010.VDF : 7.11.29.141 2048 Bytes 2012-05-10 12:54:32
VBASE011.VDF : 7.11.29.142 2048 Bytes 2012-05-10 12:54:32
VBASE012.VDF : 7.11.29.143 2048 Bytes 2012-05-10 12:54:32
VBASE013.VDF : 7.11.29.144 2048 Bytes 2012-05-10 12:54:32
VBASE014.VDF : 7.11.30.3 198144 Bytes 2012-05-14 07:17:58
VBASE015.VDF : 7.11.30.69 186368 Bytes 2012-05-17 09:21:21
VBASE016.VDF : 7.11.30.143 223744 Bytes 2012-05-21 10:14:59
VBASE017.VDF : 7.11.30.207 287744 Bytes 2012-05-23 07:47:54
VBASE018.VDF : 7.11.31.57 188416 Bytes 2012-05-28 12:15:46
VBASE019.VDF : 7.11.31.111 214528 Bytes 2012-05-30 12:14:39
VBASE020.VDF : 7.11.31.151 116736 Bytes 2012-05-31 12:14:49
VBASE021.VDF : 7.11.31.205 134144 Bytes 2012-06-03 18:35:50
VBASE022.VDF : 7.11.32.9 169472 Bytes 2012-06-05 07:11:12
VBASE023.VDF : 7.11.32.85 155648 Bytes 2012-06-08 07:00:53
VBASE024.VDF : 7.11.32.133 127488 Bytes 2012-06-11 07:02:12
VBASE025.VDF : 7.11.32.171 182784 Bytes 2012-06-12 07:22:44
VBASE026.VDF : 7.11.32.251 119296 Bytes 2012-06-14 07:42:52
VBASE027.VDF : 7.11.33.83 159232 Bytes 2012-06-18 14:12:23
VBASE028.VDF : 7.11.33.195 200192 Bytes 2012-06-22 14:52:01
VBASE029.VDF : 7.11.33.196 2048 Bytes 2012-06-22 14:52:01
VBASE030.VDF : 7.11.33.197 2048 Bytes 2012-06-22 14:52:01
VBASE031.VDF : 7.11.33.228 57344 Bytes 2012-06-24 17:26:41
Engine version : 8.2.10.96
AEVDF.DLL : 8.1.2.8 106867 Bytes 2012-06-02 12:52:53
AESCRIPT.DLL : 8.1.4.28 455035 Bytes 2012-06-23 14:52:06
AESCN.DLL : 8.1.8.2 131444 Bytes 2012-01-28 16:54:18
AESBX.DLL : 8.2.5.12 606578 Bytes 2012-06-15 07:43:44
AERDL.DLL : 8.1.9.15 639348 Bytes 2011-09-08 21:16:06
AEPACK.DLL : 8.2.16.22 807288 Bytes 2012-06-23 14:52:05
AEOFFICE.DLL : 8.1.2.38 201083 Bytes 2012-06-23 14:52:05
AEHEUR.DLL : 8.1.4.52 4923767 Bytes 2012-06-23 14:52:05
AEHELP.DLL : 8.1.21.0 254326 Bytes 2012-05-11 12:54:32
AEGEN.DLL : 8.1.5.30 422261 Bytes 2012-06-15 07:42:57
AEEXP.DLL : 8.1.0.54 82293 Bytes 2012-06-23 14:52:06
AEEMU.DLL : 8.1.3.0 393589 Bytes 2011-09-01 21:46:01
AECORE.DLL : 8.1.25.10 201080 Bytes 2012-06-01 12:15:04
AEBB.DLL : 8.1.1.0 53618 Bytes 2011-09-01 21:46:01
AVWINLL.DLL : 12.3.0.15 27344 Bytes 2012-05-11 12:54:31
AVPREF.DLL : 12.3.0.15 51920 Bytes 2012-05-11 12:54:32
AVREP.DLL : 12.3.0.15 179208 Bytes 2012-05-11 12:54:34
AVARKT.DLL : 12.3.0.15 211408 Bytes 2012-05-11 12:54:32
AVEVTLOG.DLL : 12.3.0.15 169168 Bytes 2012-05-11 12:54:32
SQLITE3.DLL : 3.7.0.1 398288 Bytes 2012-05-11 12:54:34
AVSMTP.DLL : 12.3.0.15 63440 Bytes 2012-05-11 12:54:33
NETNT.DLL : 12.3.0.15 17104 Bytes 2012-05-11 12:54:34
RCIMAGE.DLL : 12.3.0.15 4450000 Bytes 2012-05-11 12:54:31
RCTEXT.DLL : 12.3.0.15 96720 Bytes 2012-05-11 12:54:31

Configuration settings for the scan:
Jobname.............................: Quick system scan
Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\quicksysscan.avp
Logging.............................: default
Primary action......................: Interactive
Secondary action....................: Ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: Intelligent file selection
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: extended

Start of the scan: den 25 juni 2012 06:01

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'SynTPHelper.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avshadow.exe' - '1' Module(s) have been scanned
Scan process 'WDC.exe' - '1' Module(s) have been scanned
Scan process 'KBFiltr.exe' - '1' Module(s) have been scanned
Scan process 'ATKOSD.exe' - '1' Module(s) have been scanned
Scan process 'BatteryLife.exe' - '1' Module(s) have been scanned
Scan process 'MsgTranAgt.exe' - '1' Module(s) have been scanned
Scan process 'Hcontrol.exe' - '1' Module(s) have been scanned
Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
Scan process 'Dwm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'agrsmsvc.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'GFNEXSrv.exe' - '1' Module(s) have been scanned
Scan process 'ASLDRSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Module is infected -> <C:\Windows\System32\services.exe>
[DETECTION] Contains recognition pattern of the W32/Patched.UB Windows virus
[NOTE] Process 'services.exe' was terminated
[WARNING] This process is a system process. The associated file will not be deleted.
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned

Starting the file scan:

Begin scan in 'C:\Users\Hanna'
Begin scan in 'C:\Windows'
C:\Windows\System32\services.exe
[DETECTION] Contains recognition pattern of the W32/Patched.UB Windows virus
Begin scan in 'C:\Users\'
Begin scan in 'C:\Program Files'

Beginning disinfection:
C:\Windows\System32\services.exe
[DETECTION] Contains recognition pattern of the W32/Patched.UB Windows virus
[NOTE] A backup was created as '54a8578f.qua' ( QUARANTINE )


End of the scan: den 25 juni 2012 07:25
Used time: 1:23:16 Hour(s)

The scan has been done completely.

15445 Scanned directories
121684 Files were scanned
2 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 Files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
121682 Files not concerned
576 Archives were scanned
1 Warnings
2 Notes

Edited by SweetTech, 25 June 2012 - 02:58 AM.
Copied log from PB.-ST.


BC AdBot (Login to Remove)

 


#2 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:07 AM

Posted 25 June 2012 - 03:18 AM

Hello Emil Svensson and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I'll be addressing you by your username, if you'd like me to address you by something else, please let me know!

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:


  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
  • If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)

    • Because of this, you must reply within 3 days failure to reply will result in the topic being closed! I like chocolate chip cookies.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system or even taking your computer into a repair shop.

    • Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data and have means of backing up your data available.

____________________________________________________

It appears you're infected with an infection known as ZeroAccess.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:


NEXT:



Posted Image One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to appraise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identify Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



Running TDSSKiller

Download the latest version of TDSSKiller from here and save it to your Desktop.


  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

    Posted Image
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

    Posted Image
  • Click the Start Scan button.

    Posted Image
  • If a suspicious object is detected, the default action will be Skip, click on Continue.

    Posted Image
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure SKIP is selected, then click Continue.

    Posted Image
  • Note: Do not choose Cure or Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.


NEXT:



Farbar Service Scanner

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


NEXT:


Running OTL

We need to create a New FULL OTL Report
  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Copy and Paste the following code into the Posted Image textbox.
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    CreateRestorePoint
    "%WinDir%\$NtUninstallKB*$." /30
    C:\Program Files\Common Files\ComObjects\*.* /s
    %systemroot%\*. /mp /s
    %systemroot%\*. /rp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %SYSTEMDRIVE%\*.exe
    /md5start
    volsnap.sys
    atapi.sys
    explorer.exe
    winlogon.exe
    wininit.exe
    tdx.sys
    afd.sys
    netbt.sys
    services.exe
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized


NEXT:



Please make sure you include the following items in your next post:

1. Any comments or questions you may have that you'd like for me to answer in my next post to you.
2. TDSSKiller log.
3. Farbar Service Scanner log.
4. OTL.txt & Extras.txt logs.
5. An update on how your computer is currently running.

It would be helpful if you could answer each question in the order asked, as well as numbering your answers.


Please let me know how the above scans go.

Kindest Regards,
ST.

Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 SweetTech

SweetTech

    Agent ST


  • Members
  • 13,421 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Antarctica
  • Local time:08:07 AM

Posted 05 July 2012 - 08:40 AM

Due to lack of feedback this thread will now be closed. If you still require assistance, and would like to have your thread re-opened, please feel free to send me a Private Message (PM) being sure to include a link to your topic, and I'd be happy to re-open it.


Have I helped you? If you'd like to assist in the fight against malware, click here Posted Image


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users