Win32-Patched-AKC [Trj]

Hi,
when running a scan I got a threat that could not be removed.
File name: C:\Windows\System32\services.exe
Severity: High
Status: Threat: Win32-Patched-AKC [Trj]
Action: Move to chest
Result: The specified file is read only (6009)

I guess the problem is that it’s in a System32 file which means it could harm the system to remove it. So how can I remove it?

I also keep getting popups saying Malware Blocked and sometimes also a trojan horse has been blocked.
I usually get about 3-5 of these messages quickly in a row.
Malware blocked:
Object: C:\Windows\Installer.…(000000cb.@/80000064.@/80000000.@)
Infection: Win32:(Malware-gen/Win32:Trojan-gen)
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Trojan horse blocked:
Object: C:\Windows\Installer.…\80000032.@
Infection: Win32:ZAcces-IJ [Trj]
Action: Moved to chest
Process: C:\Windows\System32\services.exe

Monitoring 8)

Hi,
I will be working on your Malware issues :wink:

Step#1

Download TDSSKiller and save it to your desktop

Execute [b]TDSSKiller.exe[/b] by double-clicking on it.

[*] Press Start Scan

[*] If a suspicious object is detected, the default action will be Skip; click on Continue.
[*] If Malicious objects are found, select Cure.

Once complete, a log will be produced at the root of the drive, which is typically C:\, for example [b]C:\TDSSKiller.<version_date_time>log.txt[/b]

Please post the contents of that log in your next reply.


Step#2

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls.
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

Run ComboFix. Click on I Agree!
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If Recovery Console is not installed, ComboFix will offer download & installation.
Click Yes to allow ComboFix to install Recovery Console.
Note: Do not mouse-click ComboFix's window while it is running.
If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart computer once more.

When the tool is finished, it will produce a log report for you. (typical location: [b]C:\ComboFix.txt[/b])
Attach log reports ( ComboFix.txt) back to topic.

Hi Magna,

I’ve attached the logs from the both programs.
ComboFix seemed to mess up my computer, making it unable to connect to the internet again.
Tried all possible solutions I could find but solved it with a system restore in the end…

Hi,
First, there is no need to run TDSSKiller twice. Or is the other TDSSKiller log from after the system restore?

Secondly…

ComboFix seemed to mess up my computer, making it unable to connect to the internet again. Tried all possible solutions I could find but solved it with a system restore in the end...

Do I understand correctly?
You launched ComboFix. Is this the log that is attached?
Then you realized you had lost your internet connection.
Then you restored your system with System Restore, and now everything is working normally?
Do you have pop-ups?
How is your computer basically running now?
Do you have a Qoobox folder in C:\ ?


Re-run aswMBR and attach here fresh aswMBR.txt log


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.

[*] Make sure that all options are checked.
[*] Press "Scan".
[*] It will create a log (FSS.txt) in the same directory the tool is run from.
[*] Please attach the FSS.txt log to your reply.


Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.


%systemroot%\*. /mp /s
netsvcs
msconfig
safebootminimal
safebootnetwork
CREATERESTOREPOINT
/md5start
services.exe
/md5stop
%systemroot%\Installer|@;true;true;true 
dir /s /a "C:\Windows\Installer\{e618e9ed-fd00-d811-9c7a-11e786fc1979}" /c 
%systemroot%\assembly\GAC\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.* /S /MD5
%systemroot%\assembly\GAC_64\*.* /S /MD5
%systemroot%\assembly\GAC_32\*.ini
%systemroot%\assembly\GAC_64\*.ini 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBT /s
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\NetBIOS /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
>C:\commands.txt echo list vol /raw /hide /c
/wait
>C:\DiskReport.txt diskpart /s C:\commands.txt /raw /hide /c
/wait
type c:\diskreport.txt /c
/wait
erase c:\commands.txt /hide /c
/wait
erase c:\diskreport.txt /hide /c



[*]Then click the Run Scan button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad (OTL.txt) with the log report. Attach that log report here.
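An added note, not part of anyone's post in this thread: the OTL script above hashes services.exe and dumps the Installer folder, the GAC Desktop.ini files and the BITS service key so the helper can judge them by eye. The read-only PowerShell script below (written for this page, not a tool from the thread) collects the same indicators from a defender's stance and deletes nothing. The GUID folder name and the Roaming folder names it checks are the ones quoted later in this thread and are that machine's values, not general signatures; the Windows 7 catalog-signing caveat and the sfc.exe encoding workaround are the author's own additions.

```powershell
# Read-only triage of the indicators discussed in the thread; run from an elevated
# Windows PowerShell prompt on the affected machine. Nothing is modified.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[string]

# 1. services.exe: hash it and ask Windows to verify it against the component store.
#    Get-AuthenticodeSignature is not enough on its own: on Windows 7 system binaries
#    are catalog-signed and report 'NotSigned' even when they are clean.
$svc    = Join-Path $env:SystemRoot 'System32\services.exe'
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$bytes  = [System.IO.File]::ReadAllBytes($svc)
$hash   = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
$findings.Add("services.exe SHA256 $hash (compare with a known-clean copy of the same build)")

# sfc.exe writes UTF-16 to a pipe, so switch the console encoding while capturing it.
$oldEnc = [Console]::OutputEncoding
[Console]::OutputEncoding = [System.Text.Encoding]::Unicode
$sfcOut = (& "$env:SystemRoot\System32\sfc.exe" /verifyfile=$svc 2>&1 | Out-String).Trim()
[Console]::OutputEncoding = $oldEnc
$findings.Add("sfc /verifyfile verdict: $sfcOut")

# 2. GUID-named folders under Windows\Installer are normal (MSI cache); what is not
#    normal is one holding files named '*.@', which is what the avast pop-ups in the
#    thread point at. Report only folders that contain such files.
$installer = Join-Path $env:SystemRoot 'Installer'
foreach ($dir in (Get-ChildItem -Path $installer -Force | Where-Object { $_.PSIsContainer })) {
    if ($dir.Name -match '^\{[0-9a-fA-F-]{36}\}$') {
        $atFiles = @(Get-ChildItem -Path $dir.FullName -Recurse -Force |
                     Where-Object { -not $_.PSIsContainer -and $_.Name -like '*.@' })
        if ($atFiles.Count -gt 0) {
            $findings.Add("$($dir.FullName): $($atFiles.Count) '.@' file(s), e.g. $($atFiles[0].Name)")
        }
    }
}

# 3. Desktop.ini planted in the GAC_32 / GAC_64 assembly folders (the files the
#    BlitzBlank script in the thread targets; they do not belong there).
foreach ($sub in 'assembly\GAC_32\Desktop.ini', 'assembly\GAC_64\Desktop.ini') {
    $p = Join-Path $env:SystemRoot $sub
    if (Test-Path -Path $p -PathType Leaf) { $findings.Add("Unexpected file: $p") }
}

# 4. The per-user Roaming folders named in the thread's BlitzBlank script, checked
#    in every profile rather than only the one user named there.
$names = 'xsecva', 'Ozynsi', 'Ecosfy'   # values quoted in the thread, not generic signatures
$users = Join-Path $env:SystemDrive 'Users'
foreach ($profile in (Get-ChildItem -Path $users -Force | Where-Object { $_.PSIsContainer })) {
    foreach ($n in $names) {
        $p = Join-Path $profile.FullName "AppData\Roaming\$n"
        if (Test-Path -Path $p -PathType Container) { $findings.Add("Unexpected folder: $p") }
    }
}

# 5. BITS: the OTL script dumps its registry key and FSS checks the same services,
#    so record its start mode and state for the reader to compare.
$bits = Get-WmiObject -Class Win32_Service -Filter "Name='BITS'"
if (-not $bits) { $findings.Add('BITS service is missing from the service table') }
else            { $findings.Add("BITS start mode '$($bits.StartMode)', state '$($bits.State)'") }

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The script only reports; anything it flags is still handed to whoever is guiding the cleanup, as the thread does, because deleting the wrong file under System32 or Installer breaks the system faster than the infection does.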

When I checked for the TDSSKiller log I had two of them, the second created about 3 minutes after the first. Thought it would be best to attach both of them…

Yes, you understood correctly.
Everything seems to be working normally, I do however keep getting pop-ups.
Can’t find any Qoobox folder in C:\

Will do the rest you suggested now.

  • Ok, download fresh TDSSKiller and run again as you did before.
    Reboot your computer.

  • Re-run aswMBR.

  • Run FSS

  • Re-run OTL as I instructed above with the custom script.

  • Attach here all logs :stuck_out_tongue_winking_eye:

How is your computer running now?

I just ran TDSSKiller again, and got two logs again created 3 minutes apart.
I’ve attached both of them.

aswMBR, FSS and OTL logs attached.

Edit:
My computer seems to be running fine now, no pop-ups so far… :slight_smile:

Ok, i will give you my reply tonight. :wink:

Ok, great.
It has now passed 30 minutes since I ran all the programs and still no pop-up.
Thanks! :slight_smile:

[*] Please download BlitzBlank by emsisoft and save it to your desktop.

[*] Open Blitzblank.exe by double click on it.

[*] Click OK at the warning (and take note of it, this is a VERY powerful tool!).

[*] Click the Script tab and copy/paste the following text there:

     
DeleteFile:
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini

DeleteFolder:
C:\Users\Axel\AppData\Roaming\xsecva
C:\Users\Axel\AppData\Roaming\Ozynsi
C:\Users\Axel\AppData\Roaming\Ecosfy
C:\Windows\Installer\{e618e9ed-fd00-d811-9c7a-11e786fc1979}


[*] Click Execute Now. Your computer will need to reboot in order to replace the files.
[*] When done, post me the report created by BlitzBlank. You can find it at the root of the drive C:


[*]Re-run TDSSKiller.exe and click on Change parameters.
[*]Under Additional options check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
[*]Click on Start Scan.
[*]If an infected file is detected, the default action will be Cure, click on Continue.
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
[*]Click the Report button and attach the contents of it into your next reply.
Note: It will also create a log in the [b]C:\[/b] directory.


Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.



/md5start
services.exe
/md5stop


[*]Then click the Run Scan button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with the log report. Attach that log report here.

When trying to run BlitzBlank I get an error saying “Syntax error in line 2, invalid file path”.
Seems like the files are not there anymore… If I delete the “Delete File:” path then I don’t get any errors. I haven’t pressed OK yet though, as I’ll wait for your reply.

Edit: I do however have 2x desktop.ini in C:\Users\Axel\Desktop(desktop.ini)

Ok, skip BB. Go to TDSSKiller (with Change parameters) and at the end run OTL as instructed above.

Alright, logs attached.
Did you see my edit on the post above?

Those are legit. :wink:

We need to get rid of the rootkit another way.

[*]Download FRST64 to a USB flash drive.
[*]Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
    [*]Click File > Open then select Computer.
    [*]Note down the drive letter for your USB Drive.
    [*]Close Notepad.
[*]Back in the command window …

[*]Type e:/frst64.exe and hit Enter (where e: is replaced by the drive letter for your USB drive)
[*]FRST will start to run.
    [*]When the tool opens click Yes to disclaimer.
    [*]Press Scan button.
    [*]When finished scanning it will make a log FRST.txt on the flash drive.
[*]Next

[*]Type Explorer.exe;Services.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.