Hiya, today I turned on my computer and got a message saying:
C:\Windows\Sys32\Config\Services.exe
This unit, search path or file could not be reached. You might not have permission to access this object. (English is not my native tongue so I had to translate it, so the actual message might use different vocabulary.)
Okay, so I opened Avast! and during the memory test it said I was infected with Win32:Regrun-M
After asking on this forum earlier today, I was told this is indeed a virus and not a false alarm.
After moving it to the chest, I opened Avast! once again. This time it recommended me to reboot and start their scanner.
It found 1 infected file which I moved to the chest. (By the way, should I let them stay in the chest or delete them?)
Here are the infected files in the chest:
A0069008.ex, taken from C:\System Volume Information_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP and so on
Size of file: 20992(kb?)
File ID: 7
__
Services.exe, taken from c:\windows\system32\config
Size of file: 20992
File ID 6.
I then turned off system restore and booted up in safe mode.
Avast! didn’t find anything and neither did AVG antirootkit, Ad-aware and NoLop
However, when I boot up in normal mode, this message which I mentioned at the top still appears.
I’ve tried googling the name but I have yet to find the trojan horse’s “mission”, does anyone know what it’s trying to accomplish by the way?
I also have no idea what might have caused this, I am currently using ZoneAlarm and Avast!
Is this the correct full path (it also differs from the hijackthis log) ?
> Hiya, today I turned on my computer and got a message saying:
> C:\Windows\Sys32\Config\Services.exe
Since the sys32 folder appears fake (it should be system32, I would have thought), so do the config folder and services.exe under it. Services.exe on my XP Pro SP2 system is in the system32 folder.
So to me that would make this entry suspect.
F2 - REG:system.ini: Shell=Explorer.exe “C:\WINDOWS\system32\config\services.exe”
Do a search of your system for services.exe and report the locations it is found ?
Upload this file to virus total C:\WINDOWS\system32\config\services.exe.
This path is the one mentioned when I get this little window everytime I boot up windows, I have no idea why it differs from the hijack log.
After doing a search, it seems my services.exe is indeed in system32.
I can’t find any “sys32” folder in the windows folder either, and there’s no services.exe in the Config folder.
That is clean, to get rid of the empty remnants do the following:
Temporarily disable System Restore (Windows Me/XP).
You must have an Administrator Privilege to be able to disable System Restore on Windows XP.
a. On the Desktop, Right Click on My Computer
b. Select the System Restore Tab
c. Mark the “Turn Off System Restore” to disable and UnMark to Enable
d. Click Apply on the Bottom of the Dialog Box to save the settings.
e. A message “This deletes all existing restore points” will appear, click Yes to disable.
f. Click OK.
After downloading, browse where the file was saved and double click launch.exe to install it.
Reboot your computer in SafeMode
Starting the computer in SafeMode is useful when troubleshooting computer problems, because it limits the resources that are loaded.
a. During BootUp process Press F8 continuously until selection appears
b. Use Arrow Up+Down to select SafeMode on the selections menu.
c. Hit Enter to proceed.
Run DrWebCureIT and do a full scan of your computer. Delete all infected files.
In order to make sure that the threat is completely eliminated from your computer,
carry out a full scan of your computer using Antispyware Software like Malwarebytes: http://www.malwarebytes.org/mbam/database/mbam-rules.exe
That little window/message is an indication that the HJT entry I posted is setting, or trying to set, the shell to explorer.exe plus services.exe in the folder location system32\config\services.exe, which, being a non-standard location, I feel is suspect.
The sys32\config\services.exe is likely to be hidden; see the image and ensure that your settings in Explorer, Tools, Folder Options are the same as those opposite the red line. Now, before you attempt to do that, you should fix that entry first:
F2 - REG:system.ini: Shell=Explorer.exe “C:\WINDOWS\system32\config\services.exe”
That is the legit location for services.exe so I would expect it to be clean, our problem is with another location.
Now I don’t know if this file no longer exists and it is just the entry in the HJT log, because that is still active it is trying to run the file, hence the message about missing file/location.
I now see you have two topics on the go for this same issue, http://forum.avast.com/index.php?topic=36002.0, this just causes duplication and confusion of effort for those helping (certainly me).
If avast has already alerted on this and you have sent it to the chest/deletion or what ever action you chose then :
it should be gone from that location and
that is probably what placed it into the system volume information folder as a restore point.
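The two checks DavidR asks for above (report every location where services.exe is found, and inspect the Shell entry that HijackThis reported under F2 - REG:system.ini) can be done from a PowerShell prompt instead of by hand. The script below is an added example, not code from the original thread or from HijackThis/avast; it reads the Winlogon Shell value from HKLM and HKCU, flags any program in it other than explorer.exe, then lists every services.exe under the Windows directory with its size, SHA-256 and Authenticode status so the hash can be searched on VirusTotal without uploading the file. The hashing uses .NET directly so it also works on older PowerShell versions that lack Get-FileHash; the registry paths are the standard Winlogon locations, everything else (function names, output layout) is the example's own choice. Run it from an elevated prompt so System Volume Information and other ACL-protected folders can be read.

```powershell
# Added triage example for a suspicious Winlogon Shell entry and stray services.exe copies.
# Assumptions: run elevated; the Winlogon key paths are the standard ones, the helper names are this example's own.

function Get-WinlogonShellFindings {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell) {
            [pscustomobject]@{ Key = $key; Shell = '(not set, default explorer.exe)'; Extra = $null; Exists = $null }
            continue
        }
        # Shell may list several programs; take quoted strings whole, otherwise split on commas/whitespace.
        $tokens = [regex]::Matches($shell, '"[^"]+"|[^,\s]+') | ForEach-Object { $_.Value.Trim('"') }
        $extras = $tokens | Where-Object { [IO.Path]::GetFileName($_) -ine 'explorer.exe' }
        if (-not $extras) {
            [pscustomobject]@{ Key = $key; Shell = $shell; Extra = $null; Exists = $null }
        }
        foreach ($e in $extras) {
            # A second program here runs at every logon; a missing file explains the "could not be reached" prompt.
            [pscustomobject]@{ Key = $key; Shell = $shell; Extra = $e; Exists = (Test-Path -LiteralPath $e) }
        }
    }
}

function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([IO.File]::ReadAllBytes($path))
        return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $sha.Dispose() }
}

function Find-ServicesExeCopies {
    $legit = Join-Path $env:SystemRoot 'System32\services.exe'
    Get-ChildItem -Path $env:SystemRoot -Filter 'services.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                SHA256    = Get-Sha256Hex $_.FullName
                Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                Expected  = ($_.FullName -ieq $legit)   # only System32 (and WinSxS/ServicePack caches) are normal
            }
        }
}

'--- Winlogon Shell value ---'
Get-WinlogonShellFindings | Format-Table -AutoSize
'--- services.exe copies under the Windows directory ---'
Find-ServicesExeCopies | Format-Table -AutoSize
```

Anything listed under Extra that is not explorer.exe, and any services.exe whose Expected column is False and whose Signature is not Valid, is the file to hash-search or upload. Copies inside WinSxS or a service pack cache folder are normally legitimate and will carry a valid Microsoft signature.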
Hello again, I've run DrWebCureIt and it found 3 suspected files in PcHealth and HP\bin. I'm not sure if they really were viruses but they're moved / deleted now.
I have also deleted/repaired the HiJackThis object DavidR told me to. The message which appears when I boot up is now gone.
Sorry about the two threads. The first thread was just about if it was a false alarm or the real deal while this one was created because I wanted to get rid of it properly.
Hopefully it will be all good now. I was going to scan with Panda’s online scan but my Avast! stopped me so hopefully I didn’t get a new virus already!
Just to be as sure as I can, I will scan with Trend's free scan, F-Secure anti-rootkit, AVG anti-rootkit, Search and Destroy, Ad-aware and the Avast! virus scanner.
While F-Secure's anti-rootkit can't find any rootkit, my AVG finds one. It's been in my system for a very long time and I once decided to delete it. After deleting it, it was still there but with a different name. I don't think it's dangerous, no?
If anyone’s curious: C:\Windows\System32\Drives\ampja9q7.SYS
Rootkit type: Hidden driver file
EDIT: Is there any difference between a normal Avast! scan and the Avast! reboot scanner?
Is it worth using the normal Avast! scan instead of the Reboot scan y’know? I’ve noticed that the normal Avast! scan takes A LOT of time while the reboot scan goes a lot faster.