services.exe problem

Hi guys, I'm having a bit of an annoying problem with a Services.exe error.

Just recently we recovered from a pretty big virus infection; we ended up getting the PC cleaned and did a system restore to about 6 weeks previous. Ever since then I've been getting this error report appearing (just writing these sentences it's happened 4 times). I'll attach a screenshot of the report. Also on startup we're getting one that says Init.exe; I'll attach that one too.

Any help would be great :) cheers


error.-EE.bmp
LVL 2
beefstu123Asked:
rpggamergirlCommented:

c:\windows\system32\userinit.exe . . . is infected!!
c:\windows\system32\spoolsv.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!
Thanks for posting the CF log.
This looks very much like a Virut or Sality infection. It infects legit exes etc. If this is Virut, the files are uncleanable, so all infected files have to be replaced.
Looks like ComboFix couldn't find any clean files on the system to replace the above infected files.
Under the sigcheck section of the log, there are also other system files that look infected.

Depending on how long the system has been infected (how many files need replacing, and programs need re-installing), I would suggest a reformat and reinstall of the OS.
When reformatting, you can't back up any .exe or .scr files, .zip and .rar archives, or .htm and .html files.

If you decide to combat and clean this, we'll still try and help you.
0
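The comment above names the file types that should not be carried off a Virut/Sality host. Here is an added example, not the commenter's code and not part of the thread, that walks a directory tree and splits it into a copy list and a leave-behind list using exactly that extension set. The function names and the sample directory tree are my own constructions.

```python
"""Build a copy/skip manifest for files on an infected machine.

Added example, not part of the thread and not the commenter's code. The list
of extensions to leave behind comes from the comment above; the function names
and the sample directory tree are my own constructions.
"""
import os
import tempfile

# File types the comment says cannot be safely backed up from a Virut/Sality host.
UNSAFE_EXTENSIONS = {".exe", ".scr", ".zip", ".rar", ".htm", ".html"}


def is_unsafe(name: str) -> bool:
    """True if the file's final extension is on the do-not-copy list.

    The comparison is case-insensitive so "Setup.EXE" and "page.HTML" are
    caught, and only the final extension counts, so "invoice.pdf.exe" is
    skipped while "notes.exe.txt" is kept.
    """
    return os.path.splitext(name)[1].lower() in UNSAFE_EXTENSIONS


def partition(root: str):
    """Walk root and split files into (keep, skip) lists of '/'-separated relative paths."""
    keep, skip = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
            (skip if is_unsafe(name) else keep).append(rel)
    return sorted(keep), sorted(skip)


def demo():
    """Constructed sample tree; returns the (keep, skip) manifest for it."""
    sample = [
        "docs/letter.doc",
        "photos/holiday.jpg",
        "downloads/Setup.EXE",
        "downloads/archive.ZIP",
        "saved/page.html",
        "invoice.pdf.exe",
        "notes.exe.txt",
        "screensaver.scr",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
        return partition(root)


if __name__ == "__main__":
    keep, skip = demo()
    print("copy:", *keep, sep="\n  ")
    print("leave behind:", *skip, sep="\n  ")
```

Point `partition()` at the user profile (for example the `My Documents` folder) to get a manifest before copying anything; the skip list is the set of files that have to be re-obtained from clean media after the reinstall.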
 
houssam_balloutCommented:
Does that happen with every user on the computer?
0
 
☠ MASQ ☠Commented:
Possibly this friendly little bug:
http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotatt.html
 
Check the "More information" tab for registry entries that will confirm.
0
 
Dirtpatch-JenkinsCommented:
You have something left over from your cleaning trying to start...

Go to Start - Run - type in msconfig - then select the Startup tab.

Uncheck anything you don't recognize or want to start up, and see if that helps.
0
 
beefstu123Author Commented:
The computer has two users and yes, it happens on both. Thanks for the link, I'm checking it out now.
0
 
beefstu123Author Commented:
I've already worked through msconfig and there aren't any unwanted processes starting.
0
 
rpggamergirlCommented:
Run MalwareBytes or even better ComboFix and let's see what the log shows.
http://www.malwarebytes.org/mbam.php


Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0
 
beefstu123Author Commented:
OK, I've run them before but I'll do a fresh scan and post both logs for you.
0
 
Dirtpatch-JenkinsCommented:
Listed as an alias for trojanshield.

Also look for:
%System%\init.exe
%Temp%\init.exe
%Windir%\temp\suqqrcyqrh\init.exe
%Windir%\windowsmp.exe
c:\explorer.exe

* %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
* %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
* %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.


Find them and delete them.
0
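The comment above gives five file locations to look for plus the meaning of the %System%, %Temp% and %Windir% placeholders. The following is an added example, not the commenter's code and not part of the thread, that expands those placeholders from an explicit mapping and reports which of the listed paths are present. The indicator paths and the XP default folder values are quoted from the comment; `expand()`, `scan()`, `windows_variables()` and `demo()` are my own names, and the sample directory tree is constructed.

```python
"""Check for the dropper paths listed above.

Added example, not part of the thread and not the commenter's code. The five
indicator paths and the default %System%/%Temp%/%Windir% values are quoted
from the comment; expand(), scan(), windows_variables() and demo() are my own
names. The placeholders are expanded from an explicit mapping, so the logic
runs on any OS against a constructed tree as well as against a live Windows
environment.
"""
import os
import re
import tempfile

# Indicator paths exactly as listed in the comment above.
INDICATORS = [
    r"%System%\init.exe",
    r"%Temp%\init.exe",
    r"%Windir%\temp\suqqrcyqrh\init.exe",
    r"%Windir%\windowsmp.exe",
    r"c:\explorer.exe",
]

# Default expansions for Windows XP, from the comment's footnotes.
XP_DEFAULTS = {
    "%System%": r"C:\Windows\System32",
    "%Temp%": r"C:\Documents and Settings\[UserName]\Local Settings\Temp",
    "%Windir%": r"C:\Windows",
}


def expand(template: str, variables: dict) -> str:
    """Replace every %Name% placeholder with its mapped value, case-insensitively."""
    result = template
    for name, value in variables.items():
        # A function replacement keeps backslashes in `value` literal.
        result = re.sub(re.escape(name), lambda _m: value, result, flags=re.IGNORECASE)
    return result


def scan(indicators, variables, exists=os.path.exists):
    """Return the indicator templates whose expanded path exists on disk.

    `exists` is injectable so the logic can be exercised without touching
    the real filesystem.
    """
    hits = []
    for template in indicators:
        path = expand(template, variables).replace("\\", os.sep)
        if exists(path):
            hits.append(template)
    return hits


def windows_variables() -> dict:
    """Mapping taken from the live environment; only meaningful on Windows."""
    windir = os.environ.get("SystemRoot", XP_DEFAULTS["%Windir%"])
    return {
        "%System%": os.path.join(windir, "System32"),
        "%Temp%": os.environ.get("TEMP", XP_DEFAULTS["%Temp%"]),
        "%Windir%": windir,
    }


def demo():
    """Constructed fixture: a fake %Windir% containing two of the indicator files."""
    with tempfile.TemporaryDirectory() as root:
        for parts in (("windowsmp.exe",), ("temp", "suqqrcyqrh", "init.exe")):
            path = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed placeholder, not a real binary")
        variables = {
            "%System%": os.path.join(root, "System32"),
            "%Temp%": os.path.join(root, "Temp"),
            "%Windir%": root,
        }
        return scan(INDICATORS, variables)


if __name__ == "__main__":
    mapping = windows_variables() if os.name == "nt" else XP_DEFAULTS
    for hit in scan(INDICATORS, mapping):
        print("present:", expand(hit, mapping))
```

On a real machine, run it as an administrator and treat each "present" line as something to verify (for example by checking the file's publisher signature) rather than as proof of infection on its own, since a legitimate program can also drop a file with one of these names.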
 
beefstu123Author Commented:
ComboFix done, MBAM on its way.
log.txt
0
 
DooflegnaCommented:
If you can get online, please run the Kaspersky online scanner. This can help us check for the presence of Virut / W32/Scribble-A.

http://www.kaspersky.com/virusscanner

If it finds Virut, I agree with RPGgamergirl that a system restore may be necessary.  Otherwise, if that's not the case, we can clean out the infections using Hijack This/Combofix and manually replace system files using the XP Recovery console.  As long as it isn't Virut, we should be able to clean this system.
0
 
rpggamergirlCommented:

Virut:
http://www.freedrweb.com/

Sality:
http://support.kaspersky.com/viruses/solutions?print=true&qid=208279889


If you decide to try and clean this, then also use the above tools, a lot of bad files are showing in the combofix log which we can also delete, but a lot of infected legit files will not be listed in the CF log because it will only list few of the modified/infected system files.
0
 
beefstu123Author Commented:
Update time....I finished the ComboFix and MBAM scans and they picked up some infected services.exe files, but that didn't fix the problem. So I ran the Dr.Web program, which seemed to work fine; it found and cured a lot of infections, but after the restart I've been having major troubles with the data execution program within Windows. It's preventing the network command shell from opening, so I have no network connections whatsoever. This is turning out to be a pretty severe problem. Hope you guys can provide continued advice and assistance :)

Cheers
0
 
rpggamergirlCommented:
A Virut is a hard one to tackle when a lot of files have already been infected.

So you've run DrWebCureIt which would've deleted legit infected files. You then need to replace all system files that have been deleted/corrupted using the Windows disk if you still have it.
Have you run the Kaspersky online scanner to check for any infected files?
Also attach the result of the last combofix run.
0
 
beefstu123Author Commented:
Still replacing vital files....it's pretty hectic here too. Updates may be few and far between.
0
 
rpggamergirlCommented:
Did MBAM or DrWebCureIt delete those numerous .tmp files showing in the ComboFix log?
Once done, you can scan again with ComboFix and show us the log.
0
 
beefstu123Author Commented:
Tried to combat the infections and failed lol. We ended up replacing the hard drive. Thanks heaps for the diagnosis of the ComboFix reports etc. cheers :)
0