Trojan C:\Windows\System32\services.exe

[asda522]

This is my first time using a forum so sorry if I do something I shouldn't.

Lately AVG (2012 Free Edition) picked up the trojan something to do with C:\Windows\System32\services.exe, so I followed AVG's advice to remove it. However I noticed everytime I restart the computer AVG has another pop up informing me of the exact same problem.

I'm not too sure if this has anything to do with it but I thought it would be best if I write it down anyway. Apart from AVG picking up that trojan, when I click on links from Google it redirects me to some unknown site and sometimes there is a black and white pop up box on the bottom right of my screen. When I click close on the black and white pop up it only turns into a small tray with the writing "Recommend for you".

Thank you in advance

[TimW]

Please do the below so that we can boot to System Recovery Options to run a scan. There will be two options to choose from. One if you do not have your Windows 7 boot DVD and another when you have your DVD.

For x32 (x86) bit systems download Farbar Recovery Scan Tool and save it to a flash drive.
For x64 bit systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flashdrive into the infected PC.

Option1: Enter System Recovery Options from the Advanced Boot Options:

• Restart the computer.
• As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
• Use the arrow keys to select the Repair your computer menu item.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account an click Next.

Option2: Enter System Recovery Options by using Windows installation disc:

• Insert the installation disc.
• Restart your computer.
• If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
• Click Repair your computer.
• Select US as the keyboard language settings, and then click Next.
• Select the operating system you want to repair, and then click Next.
• Select your user account and click Next.

On the System Recovery Options menu you will get the following options:

Quote:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

• Select Command Prompt
• In the command window type in notepad and press Enter.
• The notepad opens. Under File menu select Open.
• Select "Computer" and find your flash drive letter and close the notepad.
• In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
  Note: Replace letter e with the drive letter of your flash drive.
• The tool will start to run.
• When the tool opens click Yes to disclaimer.
• Press Scan button.
• It will make a log (FRST.txt) on the flash drive. Please attach this file to your next reply. (See: How to attach)

[asda522]

Thank you for such a quick reply here's the file

[TimW]

We need some additional information so that we can replace an infected system file.

Boot to System Recovery Options and run FRST again.
Type the below bolded text in the edit box after "Search:".

services.exe

Then click the Search button.

It will make a log (Search.txt) on the flash drive. Please attach this log to your next reply.

[asda522]

Here's the log

[TimW]

Save fixlist.txt to your flash drive.

• You should now have both fixlist.txt and FRST.exe on your flash drive.

Now reboot back into the System Recovery Options as you did previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt).
Please attach this to your next message. (See how to attach)

Now boot into normal Windows can continue with the below.

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* fixlist.txt
* C:\MGlogs.zip

Make sure you tell me how things are working now!

[asda522]

After making the fixlog, I rebooted the computer but the screen went blue and something about a physical memory dump. It then went to system restore. When the system restore finished I tried to find the MGtools\GetLogs.bat file but that wasn't anywhere.

[TimW]

Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

Then attach the below logs:

* C:\MGlogs.zip

Make sure you tell me how things are working now!

[asda522]

I haven't got C:\MGtools\GetLogs.bat

[chaslang]

Quote:

Originally Posted by asda522

I haven't got C:\MGtools\GetLogs.bat

Yes! Because you never have run our full cleaning procedure in the READ & RUN ME FIRST sticky/pinnged thread. Run MGtools as per the below and then attach the C:\MGlog.zip file it creates.

Using MGtools

[asda522]

Sorry about that

[TimW]

I am not finding any malware in your logs.

If you are not having any other malware problems, it is time to do our final steps:

1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
2. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
5. Go to add/remove programs and uninstall HijackThis.
6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
7. After doing the above, you should work thru the below link:
   
   • How to Protect yourself from malware!
   
   

Malware removal from a National Chain = $149
Malware removal from MajorGeeks = $0

[asda522]

Thank you, does this mean my computer is safe to use?

[TimW]

Quote:

Originally Posted by asda522

Thank you, does this mean my computer is safe to use?

Yes. And you are welcome.