win64/patched.a in services.exe problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by chelmets, Oct 5, 2012.

  1. chelmets

    chelmets Private E-2

    Being stupid, I was looking for a crack for a piece of software. Been doing this for over 15 years now, but I was being dumb and ended up with a trojan on my services.exe file (Win64/patched.a). Did the read me first stuff and ended up here. Any help would be appreciated as this seems like a rather individualistic virus and blanket solutions don't seem to get rid of it. Thank you in advance. Running Windows 7, 64 bit by the way.
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you run Hitman Pro as per our procedures? Attach the log please.
     
  3. chelmets

    chelmets Private E-2

    I did, but I forgot to post the log. Sorry.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can re-run Hitman and have it delete all it finds EXCEPT this entry:

    With this, the option for it should be to REPLACE. So do that please. Once done, re-run again, and attach the new log.


    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{20870bdd-21eb-b845-b49f-f05c6081f1b0}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{20870bdd-21eb-b845-b49f-f05c6081f1b0}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{20870bdd-21eb-b845-b49f-f05c6081f1b0}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.



    Delete this if you can see it: C:\Windows\@öå

    Re-run RogueKiller - just a scan - and attach the new log.

    Let me know how things are running now please.
     
  5. chelmets

    chelmets Private E-2

    I think so far so good. I got a "delete failed" on the services.exe replace in Hitman, and when I rebooted, per Hitman's instructions, it was all still there. So I ran Hitman a second time, did not reboot, and went to RogueKiller. Deleted the files. Enclosed are the logs on all of that.

    Thanks a lot for your help on this, by the way. AVG's not popping up every few seconds like it was before, but I'll be a little leery for a while.
     

    Attached Files:

  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files/Folder tab and locate these 5 detections:

    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{20870bdd-21eb-b845-b49f-f05c6081f1b0}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{20870bdd-21eb-b845-b49f-f05c6081f1b0}\U --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    • [Susp.ASLR][FILE] services.exe : C:\Windows\system32\services.exe --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.
    Re-run RogueKiller again - attach the new log.



    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)
     
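A read-only check that is not part of this thread or of the RogueKiller/Hitman Pro tools: the following PowerShell snippet looks for the ZeroAccess artifacts that RogueKiller listed above and verifies the Authenticode signature of services.exe, which the Win64/patched.a detection concerns. It assumes the GUID-named folder under C:\Windows\Installer differs from machine to machine (the GUID in this thread is one instance), so it matches any GUID-named folder there rather than that exact name.

```powershell
# Added example (not from the thread): read-only check for the ZeroAccess
# artifacts RogueKiller flagged above. Run from an elevated PowerShell prompt.
# Assumption: the {GUID} folder name under C:\Windows\Installer varies per
# infected machine, so any GUID-named folder holding "@", "U" or "L" is reported.

$findings = @()

# 1. GUID-named folder under C:\Windows\Installer containing "@", "U" and "L"
Get-ChildItem -Path 'C:\Windows\Installer' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f-]{36}\}$' } |
    ForEach-Object {
        foreach ($name in '@', 'U', 'L') {
            $p = Join-Path $_.FullName $name
            if (Test-Path -LiteralPath $p) { $findings += "ZeroAccess artifact: $p" }
        }
    }

# 2. Desktop.ini in the GAC folders (flagged as ZeroAccess in the thread's logs)
foreach ($gac in 'C:\Windows\Assembly\GAC_32', 'C:\Windows\Assembly\GAC_64') {
    $ini = Join-Path $gac 'Desktop.ini'
    if (Test-Path -LiteralPath $ini) { $findings += "ZeroAccess artifact: $ini" }
}

# 3. services.exe should carry a valid Microsoft Authenticode signature;
#    a patched copy fails this check even when AV names it differently.
$svc = Join-Path $env:SystemRoot 'System32\services.exe'
$sig = Get-AuthenticodeSignature -FilePath $svc
if ($sig.Status -ne 'Valid') {
    $findings += "services.exe signature status: $($sig.Status) (signer: $($sig.SignerCertificate.Subject))"
}

if ($findings.Count -eq 0) {
    'No ZeroAccess artifacts found; services.exe signature is valid.'
} else {
    $findings
}
```

Because a patched services.exe is reinstated on reboot (as the "delete failed" report above shows), run this after each removal pass rather than once, and compare the results with the fresh RogueKiller log.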
