Windows/Services.exe Trojan (can't delete - need help)


  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    Threads on it here at the AVG forums.

    http://forums.avg.com/gb-en/avg-forums?sec=thread&act=show&id=209835

    Looks like a possible false positive.

    I am not very good with computers! What is a 'false positive'?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    It's when a file is wrongly detected as being infected by an antivirus. They usually release an update to correct it.

    http://www.securelist.com/en/glossary?letter=70#gloss153654932

    It is worth checking out though, as I know of one infection (Sirefef, aka ZeroAccess) that does patch the legitimate Microsoft file services.exe.

    Go here
    • Click Choose file
    • Copy C:\windows\system32\services.exe & paste it into the filename box in the file upload.
    • Click open.
    • Click scan it
    • Click reanalyse if prompted
    Copy and paste the link from the address bar when finished and post it here, or copy & paste the SHA256: value & post it here.
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    It's when a file is wrongly detected as being infected by an antivirus. They usually release an update to correct it.

    http://www.securelist.com/en/glossary?letter=70#gloss153654932

    It is worth checking out though, as I know of one infection (Sirefef, aka ZeroAccess) that does patch the legitimate Microsoft file services.exe.

    Go here
    • Click Choose file
    • Copy C:\windows\system32\services.exe & paste it into the filename box in the file upload.
    • Click open.
    • Click scan it
    • Click reanalyse if prompted
    Copy and paste the link from the address bar when finished and post it here, or copy & paste the SHA256: value & post it here.

    Thanks. I tried this and am unable to copy 'C:\windows\system32\services.exe' into the filename box.

    Will doing a system restore to a previous time get rid of the trojan?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    edited 24 June 2012 at 11:52AM
    I don't actually think it's infected - we're just checking to be 100% certain. ;)

    Your previous scans are clean.

    One program I would recommend you install is the free version of Malwarebytes.


    Download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • When the program loads, Decline the Malwarebytes' Anti-Malware Pro Trial
    • Select the Scanner tab, select Perform Quick scan, then click on Scan
    • When done, you will be prompted. Click OK. If Items are found, then click on Show Results
    • Check all items then click on Remove Selected
    • After it has removed the items, Notepad will open. Please post this log in your next reply.

    Note: MBAM may ask to reboot your computer so it can continue with the removal process, please do so immediately. Failure to reboot will prevent MBAM from removing all of any malware found.
  • Figment
    Figment Posts: 2,643 Forumite
    Part of the Furniture Combo Breaker
    sweetdaisy wrote: »
    Thanks. I tried this and am unable to copy 'C:\windows\system32\services.exe' into the filename box.

    Will doing a system restore to a previous time get rid of the trojan?

    You don't copy (as in copy and paste). From the VirusTotal page, click on Choose File then navigate to the folder containing the file you wish to upload (in this case C:\windows\system32\services.exe). Click once on the file, click Open. Then back on the VirusTotal page click Scan it!
    How do I add a signature?
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    I maybe didn't explain it well enough.

    When you click on choose file, a file upload dialogue window opens. It's into there where you paste C:\windows\system32\services.exe and click open. That enters it into virustotal's choose file box.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Better?

    Go here
    • Click Choose file
    • A separate File Upload window will open.
    • Copy C:\windows\system32\services.exe & paste it into the File name box in the file upload window.
    • Click open.
    • On VirusTotal, the filename (services.exe) should appear in the Choose File box
    • click scan it
    • Click reanalyse if prompted
    Copy and paste the link from the address bar when finished and post it here, or copy & paste the SHA256: value & post it here.
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    Thanks Waddler_8 :). I have been out for most of the day so going to have another go. I am running Malwarebytes at the moment.

    I went into the Control Panel, but the link to restore computer to an earlier date didn't work (won't let me click on it - using Windows 7) as I was going to try this. Hubby said to restore computer to factory settings, but know that this will be a hassle as I will have to install everything again.
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    Better?

    Go here
    • Click Choose file
    • A separate File Upload window will open.
    • Copy C:\windows\system32\services.exe & paste it into the File name box in the file upload window.
    • Click open.
    • On VirusTotal, the filename (services.exe) should appear in the Choose File box
    • click scan it
    • Click reanalyse if prompted
    Copy and paste the link from the address bar when finished and post it here, or copy & paste the SHA256: value & post it here.

    Here is the SHA value

    SHA256: 00d8538999941044286c2ad69600b4c158dbc7a1da6546b49f73327cbb5c3453
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    sweetdaisy wrote: »
    Here is the SHA value

    That's actually services.msc that's been scanned.

    https://www.virustotal.com/file/00d8538999941044286c2ad69600b4c158dbc7a1da6546b49f73327cbb5c3453/analysis/

    Did you run Malwarebytes - Did it detect anything?

    Is AVG still detecting services.exe?
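
The mix-up at the end of the thread (services.msc was scanned instead of services.exe) can be caught by hashing the file locally by its full path and comparing that SHA256 with the one shown on the scan page. The following is an added PowerShell example, not part of any post in the thread; it assumes a PowerShell version that provides Get-FileHash (4.0 or later).

```powershell
# Added example: confirm which file is being checked before trusting a scan result.
# Assumption: PowerShell 4.0 or later (Get-FileHash is not available before that).
$path = Join-Path $env:SystemRoot 'System32\services.exe'
$item = Get-Item -LiteralPath $path -ErrorAction Stop

# A Windows executable starts with the bytes "MZ" (0x4D 0x5A).
# services.msc is an XML console file and does not.
$stream = [System.IO.File]::OpenRead($item.FullName)
try {
    $magic = New-Object byte[] 2
    $read  = $stream.Read($magic, 0, 2)
} finally {
    $stream.Dispose()
}
$isPE = ($read -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)

# Hash and signature of exactly the file named above, not of a look-alike.
$hash = Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -LiteralPath $item.FullName

[pscustomobject]@{
    Path      = $item.FullName
    Extension = $item.Extension
    IsPE      = $isPE
    SHA256    = $hash.Hash.ToLower()   # compare with the SHA256 on the scan page
    Signature = $sig.Status
    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
}

if (-not $isPE -or $item.Extension -ne '.exe') {
    Write-Warning 'This is not the services.exe executable; the hash describes a different file.'
}
if ($sig.Status -ne 'Valid') {
    # Not proof of infection on its own: older PowerShell versions may not
    # recognise how Windows system files are signed.
    Write-Warning "Signature status is $($sig.Status); compare the SHA256 with a known-good copy from the same Windows build."
}
```

If the SHA256 printed here differs from the one on the scan page, the scan was run on a different file and should be repeated.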
This discussion has been closed.