Services.exe zeroaccess infection


My services.exe seems to be infected with a Zeroaccess rootkit, resulting in a reboot one minute after powering up, with the message:

"You are about to be logged off. Windows has encountered a critical problem and will restart automatically in one minute. Please save your work now."

As a result of investigation, I have tried running the Kaspersky rescue CD, which removed some trojans, and FRST.exe, which in particular gave the following in its log:

C:\Windows\System32\services.exe C5488EA6408AD0C3CC3E3CB876CBBED4 ZeroAccess <==== ATTENTION!.

I have also tried running Symantec's FixZeroAccess.exe which results in a message stating that pre-boot changes have failed, and TDSSKiller which completes with a clean scan.

The PC is running 32bit Vista Home Basic, and the infection is apparent in Safe Mode too. Due to the 1 minute window before reboot, investigation and use of tools is limited.

Please advise how this infection can be tackled.

Below is the Kaspersky log, and attached is the FRST log:

Kaspersky:

Status: Deleted (events: 4)

8/29/12 2:57 PM Deleted Trojan program Trojan-Ransom.Win32.PornoAsset.iea /mnt/MountedDevices/PD-FED5FED5-0000000000007E00/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{D84881A1-0985-02E2-04ED-AEA31846D1AF}-n High

8/29/12 2:57 PM Deleted Trojan program Trojan-Ransom.Win32.PornoAsset.iea /mnt/MountedDevices/PD-FED5FED5-0000000000007E00/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{D84881A1-0985-02E2-04ED-AEA31846D1AF}-n//PE-Crypt.XorPE High

8/29/12 2:58 PM Deleted Trojan program Backdoor.Win32.ZAccess.xpv sda1/WINDOWS/assembly/GAC/Desktop.ini High

8/29/12 2:58 PM Deleted Trojan program Trojan-Ransom.Win32.PornoAsset.iea sda1/WINDOWS/Installer/{a3c2ee17-c104-d547-bc40-c3fe90c24405}/n High

Status: Absent (events: 1)

8/29/12 2:58 PM Not found Trojan program Trojan-Ransom.Win32.PornoAsset.iea sda1/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{D84881A1-0985-02E2-04ED-AEA31846D1AF}-n//PE-Crypt.XorPE High

Status: Disinfected (events: 1)

8/29/12 2:58 PM Disinfected virus Virus.Win32.ZAccess.m sda1/WINDOWS/System32/services.exe High

FRST.txt

Welcome to the forum.

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller to your desktop.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system.

When the scan completes > Close out the program > Don't Fix anything!

Don't run any other options, they're not all bad!!!!!!!

Post back the report which should be located on your desktop.

MrC

There wasn't enough time to run the RogueKiller scan before the PC rebooted - it got about half way through the startup scan.

However, I copied a services.exe from another PC which then enabled me to run Combofix and MBAM. All now appears to be OK.

Thank you for your help.
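The Kaspersky Rescue Disk lines quoted in the first post carry the detail that decided this case: most hits were dropped files that were deleted, but services.exe itself was "Disinfected", meaning the Windows binary had been patched in place, which is why replacing it from a clean machine worked. The parser below is an added example (not code from the thread, Kaspersky or FRST) that pulls those records apart and lists system binaries that should be replaced from a known-good copy rather than trusted after cleaning; the log text is a constructed sample copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the Kaspersky Rescue Disk lines quoted in the opening post.
KASPERSKY_LOG = """\
8/29/12 2:57 PM Deleted Trojan program Trojan-Ransom.Win32.PornoAsset.iea /mnt/MountedDevices/PD-FED5FED5-0000000000007E00/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{D84881A1-0985-02E2-04ED-AEA31846D1AF}-n High
8/29/12 2:58 PM Deleted Trojan program Backdoor.Win32.ZAccess.xpv sda1/WINDOWS/assembly/GAC/Desktop.ini High
8/29/12 2:58 PM Not found Trojan program Trojan-Ransom.Win32.PornoAsset.iea sda1/ProgramData/Microsoft/Microsoft Antimalware/LocalCopy/{D84881A1-0985-02E2-04ED-AEA31846D1AF}-n//PE-Crypt.XorPE High
8/29/12 2:58 PM Disinfected virus Virus.Win32.ZAccess.m sda1/WINDOWS/System32/services.exe High
"""

# One record per line: timestamp, action taken, object class, detection name,
# path (may contain spaces, so it is matched greedily), severity as last token.
LINE_RE = re.compile(
    r"^(?P<when>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2} [AP]M) "
    r"(?P<action>Deleted|Not found|Disinfected) "
    r"(?P<category>Trojan program|virus) "
    r"(?P<name>\S+) "
    r"(?P<path>.+) "
    r"(?P<severity>High|Medium|Low)$"
)

@dataclass
class Event:
    when: str
    action: str
    category: str
    name: str
    path: str
    severity: str

    @property
    def is_system_binary(self) -> bool:
        # Rescue disks mount the Windows volume under Linux, so path case varies.
        p = self.path.lower()
        return "/windows/system32/" in p and p.endswith(".exe")

def parse_log(text: str) -> List[Event]:
    """Parse rescue-disk report lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events

def files_needing_replacement(events: List[Event]) -> List[str]:
    """System binaries that were cleaned in place ('Disinfected') rather than
    removed: the OS file was modified by the infection, so restore it from a
    known-good source instead of relying on the disinfected copy."""
    return [e.path for e in events if e.is_system_binary and e.action == "Disinfected"]
```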
