services.exe and desktop.ini plus a crapload of tracking cookies?

Discussion in 'Malware Help (A Specialist Will Reply)' started by sythja, Aug 1, 2012.

  1. sythja

    sythja Private E-2

    AVG has been going off for 3 days now, not sure WHAT the trigger was as it started while I was gone.

    The things it has been popping are as follows:

    services.exe
    C:\Windows/Assembly/GAC_64/Desktop.ini
    C:\Windows/Assembly/GAC_32/Desktop.ini
    A crapload of tracking cookies in 'C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies'

    MBAM keeps detecting and blocking outgoing attempts from both services.exe and svchost

    I ran through the steps in http://forums.majorgeeks.com/showthread.php?t=139681
    including the steps in the links it directed me to.

    Now after running each of the tools in order specified with zero problems running them (my comp never argues about running things thank goodness) I rebooted and AVG popped the gac64\desktop.ini again right on boot but nothing else this time, reinstalled mbam and it has been silent.

    Running avg scan now to see if anything pops up.
    Win7 home pro is the OS btw.

    will give further info as I can. will also run hitman again since i goofed on getting the log from it
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download ComboFix to your desktop and run it. Do not do anything while it runs. Attach the log when it is finished.

    Once done, run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  3. sythja

    sythja Private E-2

    Woot, clean boot! No alerts from anything after this last reboot, hopefully this problem is licked, here is the combofix log
     


  4. sythja

    sythja Private E-2

    Status report:

    everything appears fine except that blasted gac_64\desktop.ini thing is popping again.
    I can't even manage to navigate to this blasted thing
     
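Added here as an editor's example, not part of the thread: Explorer renders C:\Windows\assembly through a shell extension that shows installed assemblies rather than the on-disk files, which is why the GAC_64\Desktop.ini cannot be browsed to. Reading the paths named in the thread from an elevated PowerShell prompt with -Force shows the real files, their size, a hash to report, and, for services.exe, whether its Authenticode signature is still valid (paths and the "looks like INI text" heuristic are assumptions, not anything the thread or AVG states).

```powershell
# Added example (not from the thread): inspect the files AVG and MBAM keep flagging.
# Run from an elevated PowerShell prompt; Get-Item -Force bypasses the Explorer view.
$targets = @(
    'C:\Windows\assembly\GAC_64\Desktop.ini',
    'C:\Windows\assembly\GAC_32\Desktop.ini',
    "$env:SystemRoot\System32\services.exe"
)

function Get-Sha256Hex([string]$path) {
    # Get-FileHash does not exist on the PowerShell 2.0 that ships with Win7,
    # so hash through .NET instead.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

foreach ($path in $targets) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { "{0}: not present" -f $path; continue }

    # A genuine desktop.ini is a few hundred bytes of INI text. A multi-kilobyte
    # file whose first bytes are not printable is not a folder customization file.
    $head = [System.IO.File]::ReadAllBytes($path) | Select-Object -First 64
    $nonText = @($head | Where-Object { $_ -lt 9 -or ($_ -gt 13 -and $_ -lt 32) })
    $looksText = ($nonText.Count -eq 0)

    "{0}" -f $path
    "  attributes : {0}" -f $item.Attributes
    "  size       : {0} bytes" -f $item.Length
    "  modified   : {0}" -f $item.LastWriteTime
    "  sha256     : {0}" -f (Get-Sha256Hex $path)
    if ($path -like '*.ini') {
        "  text-like  : {0}" -f $looksText
    } else {
        # services.exe should carry a valid Microsoft Authenticode signature;
        # any other status is worth reporting to the helper along with the hash.
        $sig = Get-AuthenticodeSignature -FilePath $path
        "  signature  : {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject
    }
}
```

The output is for reporting back in the thread, not for deciding what to delete; the helper's ComboFix script handles removal.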
  5. sythja

    sythja Private E-2

    forgot to include this with the combofix log, sorry
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please Disable Spybot's TeaTimer --> Should have been done as per the R&R instructions!

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Now put ComboFix directly on your desktop, not where you have it:
    Running from: c:\users\Lynn\Downloads\ComboFix.exe

    Now disable Daemon tools!!

    Now let's use ComboFix to remove a bunch of malware files.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    File::
    C:\Windows\assembly\GAC_64\Desktop.ini
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion", then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    * C:\MGlogs.zip
    * C:\ComboFix.txt

    Make sure you tell me how things are working now!
     
