Author Topic: services.exe file infected, Can't delete with found methods  (Read 16911 times)

0 Members and 1 Guest are viewing this topic.

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
services.exe file infected, Can't delete with found methods
« on: September 08, 2012, 07:56:51 AM »
I got avast because my computer was acting odd, so I ran a deep scan, good idea, found thirteen infected files, deleted all except one, it was a specific trojan patch file and it was located in my services.exe file. I tried to do as the internet said by running task manager and ending any suspicious looking processes, but my windows blocked me at every turned saying 'access denied' (And i'm the admin!) so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring (I'm pretty sure it can just come back if I restored the system). Any help would be appreciated.
« Last Edit: September 08, 2012, 07:58:24 AM by zeratrix »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36791
Re: services.exe file infected, Can't delete with found methods
« Reply #1 on: September 08, 2012, 10:41:21 AM »
Quote
so I ran a deep scan, good idea, found thirteen infected files, deleted all except one
never delete as first option....you have none left

Clean, Quarantine, or Delete?   http://antivirus.about.com/b/2007/03/11/clean-quarantine-or-delete.htm



Quote
so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring (I'm pretty sure it can just come back if I restored the system). Any help would be appreciated.
start a topic in the virus and worms section and you will get help removing it



Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5416
  • Spartan Warrior
Re: services.exe file infected, Can't delete with found methods
« Reply #2 on: September 08, 2012, 01:40:25 PM »
Hi zeratrix,
...found thirteen infected files, deleted all except one, it was a specific trojan patch file and it was located in my services.exe file. I tried to do as the internet said by running task manager and ending any suspicious looking processes, but my windows blocked me at every turned saying 'access denied' (And i'm the admin!) so now I need to figure out how to delete a secure locked file on my windows 7 home premium system without restoring...
Deleting services.exe will kill your system deader than dead, just so you know.  System files should never be deleted even if infected.  This requires expert help to fix the services.exe file.

Here:  http://forum.avast.com/index.php?topic=53253.0

Attach the the logs from these three programs:  Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.
Windows 10 Home 64-bit 1909 Avast Premier Security version 20.8.2432 (build 20.8.5684.604) UI version 1.0.575.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: services.exe file infected, Can't delete with found methods
« Reply #3 on: September 08, 2012, 06:42:31 PM »
This is a zero access infection .. Monitoring

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #4 on: September 10, 2012, 02:50:29 AM »
Quote

Here:  http://forum.avast.com/index.php?topic=53253.0

Attach the the logs from these three programs:  Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.


I don't have any of those programs, so I don't have logs from said programs sorry, I do need expert help and if it will kill my system then i'm in big trouble, I just got back on my laptop today and after MSN loads up my computer stops responding period. I had to load my laptop up in safe mode with networking just so I could get on the internet today.

Offline schmidthouse

  • VIRUS FREE A Long Time
  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6553
  • When you think you know, Think Again
Re: services.exe file infected, Can't delete with found methods
« Reply #5 on: September 10, 2012, 02:57:32 AM »
Quote

Here:  http://forum.avast.com/index.php?topic=53253.0

Attach the the logs from these three programs:  Malwarebytes (MBAM), OTL, and aswMBR.exe in your next reply.


I don't have any of those programs, so I don't have logs from said programs sorry, I do need expert help and if it will kill my system then i'm in big trouble, I just got back on my laptop today and after MSN loads up my computer stops responding period. I had to load my laptop up in safe mode with networking just so I could get on the internet today.

Hi:

Follow the 'link' and subsequent direction that mchain has supplied in his response. ;)
***HP ENVY 15K LT W10 Pro 20H2 64Bit/750GB HD/16GB Ram/Avast Premium 20.10.2439b/Secureline VPN v.5.8.5262b/ADU v.20.2.921b/ASB v.87b/SANDBOXIE/Prey Project
**HP Compaq 8510p LT W10 Pro 20H2 64Bit/1TB HD/8GB Ram/Avast Premium 20.10.2439b/ADU v.20.2.921b/SANDBOXIE/Prey Project/HotSpot Shield VPN
     
*Dell Inspiron XPsp4 PRO 32Bit/Avast(since 2002)18.8.2356/WP/Comodo FW 3.14/Secureline/Comodo IceDragon v.40
LAYERED SECURITY SOFTWARE PROTECTION

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #6 on: September 10, 2012, 05:08:27 AM »
I don't want to download additional software though, can spybot search and destroy be used as a substitute, I'm not sure but it might have logs, i'm not positive though

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: services.exe file infected, Can't delete with found methods
« Reply #7 on: September 10, 2012, 12:08:20 PM »
No Spybot is not man enough for the job. I will need to use at least two specialist tools to clear this

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #8 on: September 11, 2012, 02:49:26 AM »
*sighs* alright spybot always caught malware that malwarebytes didn't, the programs I have for these sorts of things are: Advanced Systemcare 4, Spybot Search & Destroy, and Avast Antivirus. The computer started to seriously lag when I downloaded avast, so I'm extremely wary of downloading new software.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36791
Re: services.exe file infected, Can't delete with found methods
« Reply #9 on: September 11, 2012, 07:59:01 AM »
Quote
*sighs* alright spybot always caught malware that malwarebytes didn't
you mean tracking cookies or some adware .....spybot once a good program in the old days of spyware cant handle todays tuff malware
also they release a small update a week ....malwarebytes may have 10 in one day


Quote
The computer started to seriously lag when I downloaded avast, so I'm extremely wary of downloading new software.
EssexBoy can't fix this unless he is allowed to use his tools
it's like saying to the car mechanic, fix my car but you can only use the sissors in the clove compartment

he will remove all tools when done, you can trust him he does several cases like this every day....just surf the virus and worms section and see

so he need logs from  AdwCleaner / Malwarebytes / OTL / aswMBR   http://forum.avast.com/index.php?topic=53253.0


« Last Edit: September 11, 2012, 08:20:24 AM by Pondus »

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #10 on: September 12, 2012, 03:04:08 AM »
I see what you mean, the crazy thing is (and now I feel dumb) is that I HAD malwarebytes on my computer, but since the scans were coming up negative and yet spybot would find the problems instead I uninstalled it, now I reinstalled it, here's the log from malwarebytes (I am an amateur user so I have NO IDEA what any of this stuff means)

Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.11.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Nathan :: NATHAN-PC [administrator]

9/11/2012 8:55:24 PM
mbam-log-2012-09-11 (20-55-24).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 206509
Time elapsed: 6 minute(s), 45 second(s)

Memory Processes Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> 2800 -> Delete on reboot.

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.

(end)

I'll send in the logs for adwarecleaner and stuff when I'm told what this gobbledygook means (as you can tell i'm pretty dumb when it comes to tech, part of the reason why i'm in this mess in the first place)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40631
  • Dragons by Sasha
    • Malware fixes
Re: services.exe file infected, Can't delete with found methods
« Reply #11 on: September 12, 2012, 01:22:56 PM »
Quote
C:\Windows\svchost.exe (Trojan.Agent) -> Delete on reboot.
This is the problem, and if you run malwarebytes it will be there again as malwarebytes is not strong enough either

So with the OTL scan I will be able to determine the trigger delte that and then look at removing the bad boy

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #12 on: September 13, 2012, 03:20:48 AM »
alright i'll download otl but among the programs you suggested that one looks the most complicated to use.

Offline zeratrix

  • Jr. Member
  • **
  • Posts: 26
Re: services.exe file infected, Can't delete with found methods
« Reply #13 on: September 13, 2012, 03:22:57 AM »
Ok got the OTL downloaded and is scanning, no idea how the save file format thing is supposed to work but since I can simply attach the logs as is under 'attachments and other options' this shouldn't be a problem, hopefully we'll be able to find a solution to this problem it's actually starting to scare me a little.

Also the OTL and all the files somehow ended up under the downloads area of my computer *shrugs* as long as it works.

« Last Edit: September 13, 2012, 03:49:46 AM by zeratrix »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5416
  • Spartan Warrior
Re: services.exe file infected, Can't delete with found methods
« Reply #14 on: September 13, 2012, 03:48:06 AM »
New problem now, windows won't let me use OTL, it says and quote 'OTL can't be run from a temporary folder, to use OTL please download it to your desktop' I know the answer says to save it to your desktop but I don't know how to do that, how do you save otl to your desktop, here's what happens when I click on it

pop up appears at the bottom asking if I want to run, save or cancel the usage of the software
I click run, a new popup shows up saying it can't be verified and if I still want to run the software I click 'yes'
otl refuses to load because apparently the file is running from a location other then the desktop.

Here's what I want to know, I'm sure now that I have to click on save but once I do that what do I do next?
Move OTL from the download folder to the desktop. 
  • Right-click the OTL file in "Downloads" if using Firefox (inside My Documents)
  • or "My Documents" if using Internet Explorer and select/click "Cut" option.
  • Move your mouse to any place on the desktop and right-click.
  • A drop-down menu will appear.
  • Select/click "Paste".

OTL will move from the download folder or My Documents to the desktop.  If winds up in the middle of the desktop, that is ok.

You should now be able to scan using OTL and produce the needed log for essexboy to read and craft the specialized fix your system needs to run as it should again.  There is more work ahead, as essexboy said, the OTL fix will disable the malware; he will then be able to kill it with your help.  Disabling it comes first, removal of the actual malware comes later.

Do not worry, you are in good hands with essexboy.
Windows 10 Home 64-bit 1909 Avast Premier Security version 20.8.2432 (build 20.8.5684.604) UI version 1.0.575.