July 20, 2012 01:47 [SOLVED] Trojan: Windows\Win32\services.exe #212902
Joydle
Novice
Join Date: 20.7.2012
Posts: 2
Hi,

I keep getting the AVG resident shield alert popping up saying that I have a trojan, but it is white-listed and "resolved". But it clearly is not resolved due to the constant alerts/threats.

Unfortunately, nothing seems to be able to locate and destroy this sucker. AVG scanning, Spybot, Malwarebytes' Anti-malware, and SUPER Anti Spyware have all failed to help at all.

Should I delete AVG and re-download it?

Thanks in advance for any and all help!

joy
July 20, 2012 12:31 Re: Trojan: Windows\Win32\services.exe #212941
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23807
@ Joydle

Joy, Have a look thro' this link http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=209835 particularly post #210193 & the last post #212044. If the issue persists provide the required info.. Also have a look @ Weekly Overview: 30/2012.. A system file is infected. Subscribe to this RSS feed if you want to be notified about new Weekly Overviews.


AVG Forums Volunteer Moderator
AVG Forum member since - Nov. 27, 2004
My total posts on the Old AVG Free Forum - 27,063
Alan
July 24, 2012 20:02 Re: Trojan: Windows\Win32\services.exe #213245
Elochai
Novice
Join Date: 24.7.2012
Posts: 20
BIG AL 43 wrote
@ Joydle

Joy, Have a look thro' this link http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=209835 particularly post #210193 & the last post #212044. If the issue persists provide the required info.. Also have a look @ Weekly Overview: 30/2012.. A system file is infected. Subscribe to this RSS feed if you want to be notified about new Weekly Overviews.




I have the same issue and the threat is far from over. I thought I got this virus from a game I bought on Steam as it popped up a few mins later.

I ran AVG and it found some viruses belonging to the virus that infected services.exe. The only reason I am going over this like a madman, even though everything seems to be running with no real red flags, is because this virus is a keylogger. The last thing I need is someone stealing my account numbers as I type them in.

So I ran AVG and fixed a few of them, ran System File Checker on services.exe and had it removed. Ran AVG again and picked up the old services.exe file in the System File Checker removal folder and did away with it through AVG. I then ran a rootkit scan, and a scan on my computer again.

It took 3 scans for AVG to find another 2 viruses related to this one in 2 core Java files (it only found them then, I believe, because I was in Safe Mode). This little pest is tricky. I took care of them, then updated Java after a reboot. Now AVG says all is well. However, I notice something that puts me on edge. I don't think AVG has taken care of this virus as it should have. I am thinking it is still missing part of it, just like it did with those two Java files.

When I boot up and log in, iexplore.exe *32 is running in Task Manager and shows up two times. Yet I am not in or running IE9, and you can sit and wait for it to pop up but it won't. It just loads up on startup and hides in the background. So is this normal, or am I still infected and this is the virus using IE to log what I type?

Please help, as formatting is a problem for me. I don't have the bandwidth or the time for reinstalling everything.

EDIT: Running Malwarebytes at the moment, and AVG detected another 2 trojans when Malwarebytes was scanning the files.

These don't want to be healed either. This is just another sign that says "all is not well" when it comes to this virus that caused issues within services.exe. It may look like your PCs are clean but they are not. AVG keeps saying all is well when I do scans, yet there are signs of issues like iexplore.exe running in the background more than once when it was never started to begin with. More trojans are being found, but only during safe mode scanning, and only when other anti-virus programs probe files and turn the code active does AVG find it.

I would really like to get some help on cleaning this mess up. It has got to be very new that AVG skips right past the trojans like this and makes it look like all is well.
virus1.jpg
July 25, 2012 03:48 Re: Trojan: Windows\Win32\services.exe #213254
Elochai
Novice
Join Date: 24.7.2012
Posts: 20
Medfos.a trojan..

Wow, not a single bit of help on this at all, and after digging into my issue, which was caused by the same issue posted here, I know what trojan is causing my IE9 issues. It also looks like I was right about this trojan being used as a keylogger and that AVG along with other AV programs skip right over it as it's very new.

Medfos.a is what it goes by and from the looks of it on the web, only McAfee has taken the time to find it and remove it.

I hope I can get a trial copy that will get rid of mine, because if I have got to buy it then I will be thinking about whether I should move my 5 systems over instead of renewing AVG.
July 25, 2012 14:09 Re: Trojan: Windows\Win32\services.exe #213287
_malchys_
Administrator
Join Date: 2.5.2012
Posts: 1875
Hello Elochai,

Please provide us with more information (AVG scan result export, Msinfo output, GMER scan results) regarding this issue.

We would like to also request samples of files which are not detected by AVG as described here.

Note that the trial version of AVG is available here.

Thank you.



AVG Team

July 25, 2012 15:53 Re: Trojan: Windows\Win32\services.exe #213308
Elochai
Novice
Join Date: 24.7.2012
Posts: 20
_malchys_ wrote
Hello Elochai,

Please provide us with more information (AVG scan result export, Msinfo output, GMER scan results) regarding this issue.

We would like to also request samples of files which are not detected by AVG as described here.

Note that the trial version of AVG is available here.

Thank you.




Well, most of what AVG didn't get that I was able to find is taken care of already. But this issue, caused by that services.exe Trojan dropping a keylogger and redirect Trojan, is not fixed or found.

While looking up my issue I came across many sites saying AVG, Malwarebytes, and many other AVs can't find it to deal with it. So far they are right, as I have the full versions of AVG 2012 and Malwarebytes. I even ran MRT.

They all say, though, that McAfee can find it and remove it. I was going to try that but I hear McAfee can conflict with AVG. What I don't understand is why McAfee can find and fix this virus yet AVG can't yet.

Anyway, I got another site that I'm going to use to try and get rid of this virus using some steps. The bad news is, if it works then I won't be able to send you the file(s) of this virus as it will be wiped out.

Steps I found on this site to try later today: http://q.gs/1ZG60

Before I do those steps, I will try to find the virus file(s) again, and if I get it, I will be happy to send it to AVG to add it into the database.

Issues to look for to find out if the services.exe virus has infected you with this keylogger and redirect Trojan: IE9 processes are running in Task Manager when you boot your computer. They start back up when ended, and even when IE9 is not running they are still there.

You're on the web and when you search something your browser redirects you to an unwanted page. Your browser closes when using it or when you search terms to do with virus removal.

If you have Malwarebytes, run it with AVG on and you may find trojans in desktop.ini files. AVG won't pick up on them till Malwarebytes tries to scan them.

Run AVG in safe mode by command line. You may have a few trojans hiding in Java core files that are keyloggers. AVG never found them for me until safe mode with command line.

Everyone who had this trojan that infected services.exe and dropped other Trojans should check for this IE9 one and the others, as AVG has been having issues finding them. So you could be being misled by AVG saying your PC is clean. These viruses are very new and are not 100% found and taken care of yet by AV programs. So it is best to check, and if you do have these issues, you should post. If we can get these viruses to the AVG detection team for removal, we and many others can be protected from this pest.
July 25, 2012 22:41 Re: Trojan: Windows\Win32\services.exe #213335
Elochai
Novice
Join Date: 24.7.2012
Posts: 20
Found it, now let's kill it..

I found the virus. It's still on my computer as I don't know how to get rid of it and, as I said, AVG does not detect it.

I went into MSCONFIG and shut all services and startup programs down. I then went through the list till I pinpointed the service that starts up IE9 at start in the background. It also starts up rundll32 2 times as well. This is it, and I hope it's all of it.

The fake service that this virus is using (I can't find anything on pavcmd.dll, so I think that's the virus file):

Startup Item: AEFltrs Application
Manufacturer: Andrea Electronics Corporation
Command: "C:\Windows\System32\rundll32.exe" "C:\Users\(my username)\AppData\Roaming\pavcmd.dll",WriteAttributeDefinition
Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Should I send the pavcmd.dll file to AVG, and if so, where and how? Can I get help now on removing it, now that I know what it looks like and where it seems to be hiding?

See picture for what it looks like in task manager.

EDIT: I went to that link above and did a test on the virus file. I was right, pavcmd.dll is in fact a virus, and I was also right about the type of virus it is (Medfos). And AVG along with a lot of others can't find it. Here are the test results: http://virusscan.jotti.org/en/scanresult/27c275a2feff93ee88afbd0f729798a6d5da5281
virus_task1.jpg
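
Added example (not part of the original posts, and not AVG's detection logic): a small Python check for the kind of startup entry found above, a Run value that uses rundll32.exe to load a DLL from a user-writable folder. It ignores the file name and looks only at the launcher and the DLL's location; the function names, the folder list and the two benign sample entries are assumptions made for illustration.

```python
import re

# Matches: [quoted or bare rundll32 path] [quoted or bare DLL path],ExportName
# Bare (unquoted) DLL paths that contain spaces are not handled here.
RUNDLL32 = re.compile(
    r'^\s*"?(?P<exe>[^"]*?rundll32(?:\.exe)?)"?\s+'
    r'(?:"(?P<quoted>[^"]+)"|(?P<bare>[^\s,"]+))\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)

# Locations a standard user can usually write to (assumed list, extend as needed).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\",
                 "%appdata%", "%localappdata%", "%temp%")


def parse_rundll32(command):
    """Return (dll_path, export) if the command launches a DLL via rundll32."""
    m = RUNDLL32.match(command)
    if not m:
        return None
    return (m.group("quoted") or m.group("bare"), m.group("export"))


def in_user_writable_dir(path):
    p = path.replace("/", "\\").lower()
    return any(marker in p for marker in USER_WRITABLE)


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command). Returns entries worth reviewing."""
    hits = []
    for name, command in entries:
        parsed = parse_rundll32(command)
        if parsed and in_user_writable_dir(parsed[0]):
            hits.append({"name": name, "dll": parsed[0], "export": parsed[1]})
    return hits


# Constructed sample of HKLM\...\CurrentVersion\Run values. The first command is
# the one quoted in the post; the other two are made-up benign entries.
SAMPLE_RUN_VALUES = [
    ("AEFltrs Application",
     r'"C:\Windows\System32\rundll32.exe" '
     r'"C:\Users\(my username)\AppData\Roaming\pavcmd.dll",WriteAttributeDefinition'),
    ("ExampleTray", r'"C:\Program Files\Example Vendor\tray.exe" /min'),
    ("ExamplePanel", r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for hit in suspicious_run_entries(SAMPLE_RUN_VALUES):
        print("REVIEW:", hit["name"], "->", hit["dll"], "export", hit["export"])
```

A hit is a prompt to inspect the file, not a verdict: legitimate software occasionally loads DLLs from per-user folders too.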
July 26, 2012 06:39 Re: Trojan: Windows\Win32\services.exe #213352
Keymaker
AVG fan
Join Date: 10.10.2009
Posts: 118
Hi Scott,

thank you for letting us know. The file has been added to detection. The

Command: "C:\Windows\System32\rundll32.exe" "C:\Users\(my username)\AppData\Roaming\pavcmd.dll",WriteAttributeDefinition

was particularly useful, thanks. You should receive official email soon.

Have a nice day.

A virus lab guy.
July 26, 2012 13:39 Re: Trojan: Windows\Win32\services.exe #213401
Elochai
Novice
Join Date: 24.7.2012
Posts: 20
Good to hear..

That's good, so AVG should get rid of this thing for me with the next update then?

As I said, it's still on my computer as I don't know how I should remove it. Right now I've got its service for starting shut off.

Also, when you say it's been added, is that just the file name or is that the code of the file for detection?

I ask because I believe its file naming could be random, and if that's the case it could be on others' computers under a new name with .dll at the end.

I wasn't able to attach the file to the email as Hotmail wouldn't allow it. But I did provide a download link to the passworded archive with this virus inside. I hope you were able to get it to add this virus for detection no matter what name it uses.
July 26, 2012 16:04 Re: Trojan: Windows\Win32\services.exe #213420
Keymaker
AVG fan
Join Date: 10.10.2009
Posts: 118
Elochai wrote
That's good, so AVG should get rid of this thing for me with the next update then?

Yep.

As I said, it's still on my computer as I don't know how I should remove it. Right now I've got its service for starting shut off.

If malware doesn't employ self-protection techniques, it is usually enough to rename the malware file & restart the PC in order to deactivate it (there are exceptions when renaming "hurts", but it's definitely not this case).

Also, when you say it's been added, is that just the file name or is that the code of the file for detection?

You are right, file names are quite random. Detections are not file-name based.

I hope you were able to get it to add this virus for detection no matter what name it uses.

Sure.

Regards,

Keymaker