removing win64/Patched.A from services.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Joe1128, Nov 5, 2012.

  1. Joe1128

    Joe1128 Private E-2

    I ran the entire procedure detailed in this forum and AVG still keeps popping up threat warnings that the Win64/Patched.A is in services.exe and can't be removed. AVG keeps detecting and removing numerous trojans and other malware.

    It started 2 to 3 weeks ago. I've been updating and running AVG on a regular basis. I am attaching the requested logs. AVG and the other programs you requested seem to point to the Patched.A and two Desktop.ini files that are infected. These don't seem to be removable. Not sure what it was, but my kids like the gaming sites with all the little flash games.

    I can also attach the log of the viruses removed by AVG in just the last two days, if it's helpful.
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rescan with HitmanPro. When it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.


    Choose to Delete these files if they are detected:

    • C:\Users\Katie\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\links@rivalgaming.com\components\xpcomponent.dll
    • C:\Users\Katie\AppData\Roaming\Mozilla\Firefox\Profiles\ox6v1glo.default\extensions\links@rivalgaming.com\components\xpcomponent.dll
    • C:\Windows\assembly\GAC_32\Desktop.ini
    • C:\Windows\assembly\GAC_64\Desktop.ini
    • C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\U\80000000.@
    • C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\U\80000032.@

    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button


    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now rescan with both RogueKiller and Hitman and attach those new logs as well.
     
    Last edited: Nov 7, 2012
  3. Joe1128

    Joe1128 Private E-2

    I ran the procedure as detailed below. When I first ran HitmanPro, it mentioned that the delete of the services.exe failed (even though I didn't tell it to delete, just to replace, as the second post warned me).

    RogueKiller gave various logs, not just one, so I included all. When I ran HitmanPro again, the services.exe didn't pop up. Hopefully this means it's fixed.

    AVG usually pops up a warning every 10 mins or so, and I haven't seen it in an hour or so. I am crossing my fingers.

    Let me know if I need to do anything else.

    Joe
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\U --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Now rescan with RogueKiller and attach that log as well. Make sure to tell me how things are running.
     
  5. Joe1128

    Joe1128 Private E-2

    I'm sorry I didn't reply quickly. The computer seemed to be working well. Here are the logs. The Patched.A virus seems to be gone, but I seem to have a redirect virus that is associated with only certain user profiles and not others. When we try to get to something through Google it redirects us to an ad of some sort. Can't get anywhere on the internet. AVG is finding trojans left and right again. I tried the obvious things, like looking at the "hosts" file for added code, looking at LAN Settings in Internet Options, and making sure the proxy and DNS settings weren't rerouted.

    I attached all the new logs RogueKiller created.


    Joe
     


    Last edited: Nov 16, 2012
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach the new C:\MGLogs.zip.
     
  7. Joe1128

    Joe1128 Private E-2

    Here is the report. The redirect virus doesn't seem to affect Mozilla and only affects IE under certain user names, not all. It seems only to be attached to Google, if we Google search and try to follow a link in Google. I believe it's also letting in Trojans and other malware, because AVG seems to detect malware especially when using IE and Google.

    Thanks
    Joe
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Then boot into the user account that has the issue and run MBAM, RogueKiller and Hitman on that account and attach the logs.
     
  9. Joe1128

    Joe1128 Private E-2

    Here are the logs run from one of the users that is having the redirect problem.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please re-run MBAM and have it fix what it found.

    Then:

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these detections:

    • [RUN][SUSP PATH] HKUS\S-1-5-21-2015490786-1681137006-671436948-1003[...]\Run : bmqwhhhd (C:\Users\Katie\AppData\Local\upwyratjq\hruewculanw.exe) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    Reboot and run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Attach both the RogueKiller log and the new C:\MGLogs.zip.
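    As an added example (not from this thread, from RogueKiller or from MajorGeeks), the following Python script parses RogueKiller-style detection lines like those quoted in posts 2 and 10 and applies the helper's decisions: ZeroAccess drop locations and the suspicious AppData autorun are ticked for deletion, the patched services.exe is marked for replacement rather than deletion, and everything else is ignored. The sample report is constructed from the paths in this thread; the benign `ExampleUpdater` line and the path-matching rules are assumptions made for the example.

```python
import re
from collections import namedtuple

# Constructed sample modelled on the RogueKiller lines quoted in this thread; the last line
# (a benign-looking HKLM Run entry) is made up to show what is left alone.
SAMPLE_REPORT = r"""
[ZeroAccess][FILE] @ : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{b0b4e0a2-5b87-a302-03bc-b50352022fa8}\U --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
[Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-2015490786-1681137006-671436948-1003[...]\Run : bmqwhhhd (C:\Users\Katie\AppData\Local\upwyratjq\hruewculanw.exe) -> FOUND
[RUN][] HKLM\[...]\Run : ExampleUpdater (C:\Program Files\Example\updater.exe) -> FOUND
"""

# One detection line: [family][kind] name : detail --> FOUND   (registry lines use "->").
LINE_RE = re.compile(r"^\[(?P<family>[^\]]*)\]\[(?P<kind>[^\]]*)\]\s+(?P<name>.*?)\s+:\s+(?P<detail>.*?)\s+-+>\s+(?P<status>\w+)\s*$")
# Drop locations named in the thread: the Installer\{GUID}\@, \U and \L hideout and the
# Desktop.ini payloads under the .NET GAC folders. Neither belongs on a clean system.
INSTALLER_HIDEOUT_RE = re.compile(r"\\windows\\installer\\\{[0-9a-f-]{36}\}\\(?:@|u|l)(?:\\|$)", re.I)
GAC_DESKTOP_INI_RE = re.compile(r"\\windows\\assembly\\gac_(?:32|64)\\desktop\.ini$", re.I)
# A Run entry whose executable lives under a user's AppData folder, as in post 10 (assumed rule).
USER_PROFILE_EXE_RE = re.compile(r"\\appdata\\(?:local|roaming)\\.*\.exe\)?$", re.I)

Finding = namedtuple("Finding", "family kind name detail action")  # action: delete | replace | ignore

def classify(family: str, kind: str, detail: str) -> str:
    # Same decisions the helper gave: ZeroAccess artefacts are deleted ...
    if INSTALLER_HIDEOUT_RE.search(detail) or GAC_DESKTOP_INI_RE.search(detail) or family == "ZeroAccess":
        return "delete"
    # ... a patched system binary is replaced with a clean copy (HitmanPro's Replace), never deleted ...
    if family == "Susp.ASLR" and detail.lower().endswith("\\services.exe"):
        return "replace"
    # ... the suspicious-path autorun in the user profile is deleted, and everything else is ignored.
    if family == "RUN" and kind == "SUSP PATH" and USER_PROFILE_EXE_RE.search(detail):
        return "delete"
    return "ignore"

def parse_report(text: str) -> list:
    """Parse FOUND lines into Findings; blank lines and anything unparseable are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["status"] == "FOUND":
            g = m.groupdict()
            findings.append(Finding(g["family"], g["kind"], g["name"], g["detail"],
                                    classify(g["family"], g["kind"], g["detail"])))
    return findings
```

    Findings with action `delete` are the ones to tick before pressing Delete; `replace` flags the system file that HitmanPro must replace instead.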
     
  11. Joe1128

    Joe1128 Private E-2

    I did all that. Here are the new logs.

    Thanks,
    Joe
     


  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What issues are you still having, if any?
     
  13. Joe1128

    Joe1128 Private E-2

    Right after posting the last time, I tried linking through Google, and everything seems to be fine now. Thank you.
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitmanPro.
    2. Go back to step 4 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the link below
    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
