service.exe - Virus Identified: Win64/Patched.A

Discussion in 'Malware Help (A Specialist Will Reply)' started by opal_tide, Sep 23, 2012.

  1. opal_tide

    opal_tide Private E-2

    AVG Free detects
    Infection: Virus identified Win64/Patched.A
    File: C:\Windows\System32\services.exe

    When installing a basic sound recorder, the executable file ran an install for Adobe Flash Player 11.3; the executable also disappeared after being run. At this point I knew there was an issue, and sure enough an AVG threat detection pop-up appeared moments later.

    I've followed all the directions for submission as carefully as possible. Please let me know if I missed anything or if there is something you require. I really appreciate your time in helping me out!

    Thank you so much in advance!
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rescan with HitmanPro, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Choose to Delete these files if they are detected:


    • C:\Users\Derek\Documents\Vuze Downloads\boujou_4.0.1_full\crack\patcher.exe
    • C:\Windows\assembly\GAC_32\Desktop.ini
    • C:\Windows\assembly\GAC_64\Desktop.ini
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\80000000.@
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\80000032.@
    • C:\Windows\system32\services.exe
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\@ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\L\ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\L\00000004.@ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\L\201d3dde (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\00000004.@ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\00000008.@ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\000000cb.@ (ZeroAccess)
    • C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U\80000064.@ (ZeroAccess)

    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect; please do so.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files/folders tab and locate these detections:


    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{9044f4d4-01a1-c43f-4f9b-15c5f27f32c6}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

    Place a checkmark next to each of these items, and leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)

    They may not be there after running Hitman.

    Now re-run both Hitman and RogueKiller and attach both the logs.

    Then run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
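    The detections listed above follow a pattern (a {GUID} folder under C:\Windows\Installer with U\ and L\ subfolders holding 8-hex-digit *.@ files, plus a planted Desktop.ini in GAC_32/GAC_64). Below is an added, read-only PowerShell check for those artifacts on any Installer GUID folder, not a tool from this thread or from HitmanPro/RogueKiller; it only reports paths and deletes nothing. It assumes an elevated prompt so C:\Windows\Installer is readable.

    ```powershell
    # Added example (not from the thread): report ZeroAccess-style artifacts
    # matching the paths TimW listed. Read-only; nothing is modified.
    function Find-ZeroAccessArtifacts {
        param([string]$SystemRoot = $env:SystemRoot)

        $hits = New-Object System.Collections.Generic.List[string]

        # Hijacked Desktop.ini in the GAC folders (both paths named in the thread).
        foreach ($gac in 'assembly\GAC_32\Desktop.ini', 'assembly\GAC_64\Desktop.ini') {
            $p = Join-Path $SystemRoot $gac
            if (Test-Path -LiteralPath $p) { $hits.Add($p) }
        }

        # Installer\{GUID}\U and \L folders with files named like 80000000.@,
        # plus the bare "@" marker file in the GUID folder itself.
        $installer = Join-Path $SystemRoot 'Installer'
        Get-ChildItem -LiteralPath $installer -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
            ForEach-Object {
                foreach ($sub in 'U', 'L') {
                    $dir = Join-Path $_.FullName $sub
                    if (Test-Path -LiteralPath $dir -PathType Container) {
                        $hits.Add($dir)
                        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                            Where-Object { $_.Name -match '^[0-9a-f]{8}\.@$' } |
                            ForEach-Object { $hits.Add($_.FullName) }
                    }
                }
                $marker = Join-Path $_.FullName '@'
                if (Test-Path -LiteralPath $marker -PathType Leaf) { $hits.Add($marker) }
            }
        return $hits
    }

    $found = Find-ZeroAccessArtifacts
    if ($found.Count -eq 0) { 'No ZeroAccess-style artifacts found.' } else { $found }
    ```

    Legitimate Installer {GUID} folders hold MSI cache files and do not normally contain U\ or L\ subfolders, so any hit is worth a closer look with the removal tools the thread uses.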
     
  3. opal_tide

    opal_tide Private E-2

    Thank you very much for your help!

    I have attached the logs you requested.
    For some reason 3 logs were created by RogueKiller.
    I believe [2] should be the one you referred to as [2] and [4] should be the one created before running MGtools.

    Thank you again!
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Attached is bfe.zip

    Inside is:





    Extract bfe.reg to your desktop.
    Double-click bfe.reg and allow it to merge into the registry. If you get a "successfully merged into registry" type of message, reboot your PC and see if you can turn on BFE, or if it is already turned on.

    You can run these commands from the command prompt.


    • net start bfe
    • sc qc bfe


    Tell me how things are running.
     
  5. opal_tide

    opal_tide Private E-2

    Thank you again for your response!

    After running bfe.reg and restarting my computer I entered the commands into the command prompt:

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation. All rights reserved.

    C:\Users\Derek>net start bfe
    The Base Filtering Engine service is starting.
    The Base Filtering Engine service could not be started.

    A system error has occurred.

    System error 5 has occurred.

    Access is denied.


    C:\Users\Derek>sc qc bfe
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: bfe
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNoNe
    twork
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : Base Filtering Engine
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME : NT AUTHORITY\LocalService

    What am I required to do next?

    Thank you again for all your help!
    You really are a lifesaver.
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try doing this:
    Run regedit:
    1. Browse to the location for the BFE service in the registry (HKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy), right click and select Permissions. (Note: HKLM is short for HKEY_LOCAL_MACHINE.)
    2. In the “Permissions for Policy” window, click advanced | Add.
    3. Once the “Select Users, Computers or Group” box appears, change the “From this location:” to point to the local machine name.
    4. After changing the search location, enter “NT Service\BFE” in the “Enter the object name to select” box and click “Check names” – this will allow you to add the BFE account.

    5. Give the following privileges to the BFE account:
    Query Value
    Set Value
    Create Subkey
    Enumerate Subkeys
    Notify
    Read Control

    After adding the BFE account to the registry key, please try to start the Base Filtering Engine service.
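    The six permissions above map onto the RegistryRights flags QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify and ReadPermissions. The following added PowerShell function (mine, not part of this thread) checks whether NT SERVICE\BFE already holds those rights on the Policy key and, only when run with the assumed -Repair switch, adds an inheritable Allow rule for them, which is the same change the regedit steps make. It assumes an elevated PowerShell prompt.

    ```powershell
    # Added example (not from the thread): verify or repair the ACL the BFE
    # service account needs on its Policy key. Requires an elevated prompt.
    function Test-BfePolicyAcl {
        param([switch]$Repair)   # -Repair is an assumed switch name

        $keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\BFE\Parameters\Policy'
        $account = 'NT SERVICE\BFE'
        # The six rights from the instructions, as RegistryRights flags.
        $needed = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'

        if (-not (Test-Path -LiteralPath $keyPath)) {
            throw "Key not found: $keyPath (BFE parameters missing or damaged)"
        }

        # Collect every Allow right the account already has on the key.
        $acl = Get-Acl -LiteralPath $keyPath
        $granted = 0
        foreach ($ace in $acl.Access) {
            if ($ace.IdentityReference.Value -ieq $account -and
                $ace.AccessControlType -eq 'Allow') {
                $granted = $granted -bor [int]$ace.RegistryRights
            }
        }
        $missing = [int]$needed -band (-bnot $granted)
        if ($missing -eq 0) {
            return "OK: $account already holds the required rights on the Policy key."
        }
        $missingNames = [System.Security.AccessControl.RegistryRights]$missing
        if (-not $Repair) {
            return "MISSING for ${account}: $missingNames (re-run with -Repair to add them)"
        }

        # Allow rule that also flows down to subkeys (ContainerInherit).
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $account, $needed,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
            [System.Security.AccessControl.PropagationFlags]'None',
            [System.Security.AccessControl.AccessControlType]'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $keyPath -AclObject $acl
        return "Added $needed for $account; now try: net start bfe"
    }

    Test-BfePolicyAcl
    ```

    A "MISSING" result explains the System error 5 (Access is denied) seen when starting the service, since BFE runs as NT AUTHORITY\LocalService and reads its policy through the NT SERVICE\BFE identity.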
     
  7. opal_tide

    opal_tide Private E-2

    Once again, thank you so much!

    After the steps you outlined, the following was generated in the command prompt:

    C:\Users\Derek>net start bfe
    The Base Filtering Engine service is starting.
    The Base Filtering Engine service was started successfully.


    C:\Users\Derek>sc qc bfe
    [SC] QueryServiceConfig SUCCESS

    SERVICE_NAME: bfe
    TYPE : 20 WIN32_SHARE_PROCESS
    START_TYPE : 2 AUTO_START
    ERROR_CONTROL : 1 NORMAL
    BINARY_PATH_NAME : C:\Windows\system32\svchost.exe -k LocalServiceNoNe
    twork
    LOAD_ORDER_GROUP : NetworkProvider
    TAG : 0
    DISPLAY_NAME : Base Filtering Engine
    DEPENDENCIES : RpcSs
    SERVICE_START_NAME : NT AUTHORITY\LocalService

    Are there any further steps I should take?

    Thank you again for all your help!
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Good to know.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware. You can uninstall RogueKiller and HitManPro.
    2. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista or Win 7, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:


    Malware removal from a National Chain = $149
    Malware removal from MajorGeeks = $0
     
  9. opal_tide

    opal_tide Private E-2

    Thank you very much for all of your help!
     
    Last edited: Sep 27, 2012
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. Safe surfing. :)
     
