
Windows/Services.exe Trojan (can't delete - need help)


Comments

  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    That's actually services.msc that's been scanned.

    https://www.virustotal.com/file/00d8538999941044286c2ad69600b4c158dbc7a1da6546b49f73327cbb5c3453/analysis/

    Did you run Malwarebytes - Did it detect anything?

    Is AVG still detecting services.exe?

    Sorry haven't been around to answer your questions. I'll do the scan again (later on this evening).

    Malwarebytes did detect some Trojans. But for some reason AVG won't complete a full scan - I left it overnight and the scan just stops at 56% and won't go any further. I think I will uninstall it and load it up again.

    Sorry, another silly question :o. When Viruses have been detected after doing an anti-virus scan, do I leave the virus in the Quarantine or do I delete them?

    Thanks
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    sweetdaisy wrote: »
    Malwarebytes did detect some Trojans.

    Post the malwarebytes log where the detections were made. You can do this by getting the log from the Logs tab when the program is open. Highlight the relevant log and click the open button. Then copy & paste it here.
    Sorry, another silly question :o. When Viruses have been detected after doing an anti-virus scan, do I leave the virus in the Quarantine or do I delete them?
    No questions are silly questions, just ones to which you don't know the answer. ;)

    It doesn't hurt to leave them in quarantine for a while. When they are moved to quarantine they are encrypted, renamed, and password protected by the antivirus - so they can't cause any harm whatsoever whilst in there - they're effectively useless.

    IF they turn out to be a false positive like I explained earlier, then they can be restored to their original location in their proper state. :)
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    edited 13 April 2014 at 8:51PM
    waddler_8 wrote: »
    Post the malwarebytes log where the detections were made. You can do this by getting the log from the Logs tab when the program is open. Highlight the relevant log and click the open button. Then copy & paste it here.

    Thanks for all your help :). Here is the Malwarebytes log - one trojan detected, however . . . AVG is still popping up saying that I have a 'Windows/System32/services.exe trojan'?

    Malwarebytes Anti-Malware 1.61.0.1400
    https://www.malwarebytes.org

    Database version: v2012.06.26.07

    Windows 7 x64 NTFS
    Internet Explorer 8.0.7600.16385


    26/06/2012 19:21:56
    mbam-log-2012-06-26 (19-21-56).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 211357
    Time elapsed: 17 minute(s), 47 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    That's enough to see what's going on.

    Go here and read through the instructions for downloading and running ComboFix:

    Bleeping Computer ComboFix Tutorial
    • Ensure you temporarily turn off your antivirus (AVG) before running. Instructions here
    • Double click combofix.exe & follow the prompts closely.
    • When it's finished, it'll produce a log. Post the contents of that log.
    • It'll be found on your C:\ drive named combofix.txt
    Above all, BE PATIENT! and let it run its course.
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    Thanks Waddler. I may not do this tonight as I am shattered. I uninstalled AVG and re-installed it and it's currently doing a Full Scan, so it will take a while. I will definitely do it tomorrow and I'll post the log.

    Thank you for being so helpful :).
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    No problem.

    This is the latest variant of the infection I alluded to earlier (Sirefef aka Zero Access). Turns out AVG was bang on the money with added confirmation from Malwarebytes (mbam).

    It can be quite a nasty one, so it might be a good precaution to backup anything important to you if you haven't already done so as a precaution.

    That said, combofix is currently the best way of dealing with this. That is unless you started afresh with a clean install of windows or returned it to factory settings. That brings with it its own obstacles - You lose any custom settings you've made to windows, have to reinstall programs & their custom settings if you made any, re-download & install updates etc etc...

    It's up to you. I'm prepared to help as long as you need me. :)
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    Thanks. I will definitely download and run ComboFix tomorrow. It just seems too much hassle to restore my computer to factory settings.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Post the logs tomorrow then.
  • sweetdaisy
    sweetdaisy Posts: 1,249 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    waddler_8 wrote: »
    Post the logs tomorrow then.

    Thanks I'll do it later on. Managed to do an AVG scan on the whole computer and it took 15 hours! Did show one object: Trojan in Windows/System32/services.exe but said that it was unable to be removed.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    sweetdaisy wrote: »
    Did show one object: Trojan in Windows/System32/services.exe but said that it was unable to be removed.
    That's because it's a legitimate Microsoft Windows system file that has been infected. It has to be replaced with an uninfected copy rather than removed as the computer won't run without it.
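Added example, not posted by anyone in the thread: a defender's check of whether the services.exe that AVG flagged still carries a valid Microsoft Authenticode signature (any modification to a signed system file invalidates it), plus the SHA256 you would paste into VirusTotal as was done earlier for services.msc. It assumes a default Windows install path, an elevated prompt, and PowerShell 4 or later for Get-FileHash (Windows 7 ships with PowerShell 2, which lacks it).

```powershell
# Added example (not from the thread). Assumes the default system path and
# PowerShell 4+ (Get-FileHash); run from an elevated prompt.
$target = Join-Path $env:SystemRoot 'System32\services.exe'

if (-not (Test-Path $target)) {
    Write-Output "Not found: $target"
    return
}

# A patched PE fails Authenticode validation, so an infected copy will not
# report 'Valid' here even though the file name and location are legitimate.
$sig  = Get-AuthenticodeSignature -FilePath $target
$hash = (Get-FileHash -Path $target -Algorithm SHA256).Hash
$file = Get-Item -Path $target

[PSCustomObject]@{
    Path            = $target
    SizeBytes       = $file.Length
    LastWriteTime   = $file.LastWriteTime
    SHA256          = $hash                       # look this up on VirusTotal
    SignatureStatus = $sig.Status                 # expect 'Valid'
    Signer          = $sig.SignerCertificate.Subject
} | Format-List

if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    # Deleting the file leaves Windows unbootable; it must be replaced with a
    # clean copy instead, e.g. via the built-in System File Checker.
    Write-Warning 'services.exe does not carry a valid Microsoft signature.'
    Write-Warning "Replace rather than delete it, e.g. run 'sfc /scannow' from an elevated prompt."
}
```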