A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13861  by rkhunter
 Sun Jun 10, 2012 12:16 pm
malwarian wrote:Yes, I did that, but desktop.ini comes back.
Yep, the key with the {CLSID} is what is responsible for its autorun.
To remove the key you can use the Xuetr tool, blocking access to all parent keys after deleting the {CLSID} key, because it rewrites the key before reboot.
Also see http://www.kernelmode.info/forum/viewto ... 310#p13380
 #13864  by erikloman
 Sun Jun 10, 2012 6:10 pm
malwarian wrote:rkhunter

Thanks for the tool, but I used another way. Services.exe was infected on the customer PC. Replaced it and now the system is clean.

Appreciate your help
To date I haven't found a sample that infects services.exe. Does anyone have a working sample that infects services.exe?
 #13873  by spandexednaps
 Mon Jun 11, 2012 2:11 am
malwarian wrote:rkhunter

Thanks for the tool, but I used another way. Services.exe was infected on the customer PC. Replaced it and now the system is clean.

Appreciate your help
From what I have seen, services.exe is not infected but has the Sirefef file system from C:\Windows\Installer\{GUID} loaded into it. After correcting the CLSIDs and rebooting, sometimes services.exe is still loading the Sirefef file system. Killing services.exe (safe mode seems to be most effective) and then deleting C:\Windows\Installer\{GUID} should solve your issue. Process Explorer can kill services.exe, but be aware that the computer will reboot shortly thereafter.

Although, if there is a variant which truly does infect services.exe and someone has a sample they can post, it would be most appreciated.
 #13875  by Quads
 Mon Jun 11, 2012 2:46 am
That didn't work for my user even after restarts and the removal of the CLSID; I had to copy over a legit copy of services.exe (correct MD5), and then ZeroAccess in memory stopped.

ComboFix, after removing the CLSID so that ComboFix will run, now detects and disinfects services.exe even if the cat is at it :)

Symantec / Norton detects it as Trojan.Patchep!sys

Quads
 #13880  by Quads
 Mon Jun 11, 2012 5:13 am
Another MD5 is:

[-] 2009-07-14 . 014A9CB92514E27C0107614DF764BC06 . 328704 . . [6.1.7600.16385] .. c:\windows\system32\services.exe

Quads
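The posts above boil down to three checks before you touch anything: is the live services.exe the build you expect (Quads compared it by MD5), is there a Sirefef payload directory under C:\Windows\Installer\{GUID} (spandexednaps), and is a CLSID key pointing at it (rkhunter). The script below is an added, read-only triage example written for this thread; it is not Xuetr, ComboFix or any tool the posters used, and it deletes nothing. It assumes you have a clean services.exe from the same Windows build (install media or a known-good machine) to pass as -ReferenceFile, and the {GUID} directory and InprocServer32 checks are heuristics (legitimate MSI installs also create {GUID} directories under Installer, usually holding only icons), so review every hit by hand.

```powershell
# Added triage script for the ZeroAccess/Sirefef discussion above (not from the thread).
# Assumptions: -ReferenceFile is a clean services.exe of the same build; the {GUID} directory
# and InprocServer32 checks are heuristics that need manual review. Read-only: nothing is changed.
param(
    [string]$Target = "$env:SystemRoot\System32\services.exe",
    [Parameter(Mandatory = $true)][string]$ReferenceFile
)

# MD5 via .NET so this also runs on Windows 7 era PowerShell 2.0 (no Get-FileHash there).
function Get-Md5Hex([string]$Path) {
    $md5   = [System.Security.Cryptography.MD5]::Create()
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    ($md5.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
}

# 1. Compare the live services.exe with the clean reference: size, file version and MD5.
$live = Get-Item $Target
$ref  = Get-Item $ReferenceFile
$liveHash = Get-Md5Hex $live.FullName
$refHash  = Get-Md5Hex $ref.FullName
"services.exe  size={0}  version={1}  md5={2}" -f $live.Length, $live.VersionInfo.FileVersion, $liveHash
"reference     size={0}  version={1}  md5={2}" -f $ref.Length,  $ref.VersionInfo.FileVersion,  $refHash
if ($liveHash -ne $refHash) { Write-Warning "services.exe differs from the reference copy" }

# 2. List C:\Windows\Installer\{GUID} directories and how many entries each holds.
#    A Sirefef payload directory holds its hidden file system; an MSI icon cache holds a few .ico/.exe files.
$guidDir = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
Get-ChildItem "$env:SystemRoot\Installer" -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -match $guidDir } |
    ForEach-Object {
        $entries = @(Get-ChildItem $_.FullName -Force -Recurse -ErrorAction SilentlyContinue)
        "{0}  ({1} entries)" -f $_.FullName, $entries.Count
    }

# 3. Find CLSID keys (machine and per-user) whose InprocServer32 default value points into
#    C:\Windows\Installer. That is the autorun key the thread talks about; note it is rewritten
#    by the running payload, so finding it here is a lead, not a removal.
$hives = @('Registry::HKEY_CLASSES_ROOT\CLSID',
           'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID')
foreach ($hive in $hives) {
    Get-ChildItem $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = "$($_.PSPath)\InprocServer32"
        if (Test-Path $srv) {
            $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
            if ($dll -and $dll -match '\\Installer\\\{') {
                "{0}  ->  {1}" -f $_.PSChildName, $dll
            }
        }
    }
}
```

Run it from an elevated prompt; the HKCR enumeration takes a little while on a machine with many COM registrations. A hash mismatch alone does not prove patching (a different hotfix level gives a different hash, which is why the file version is printed alongside), and, as the posts note, deleting the CLSID key while the payload is still loaded into services.exe only gets it rewritten, so use the output to plan the replace-and-reboot order rather than as a cleaner.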