At wits end with a trojan/virus

Post by **Gromm** » Thu Aug 16, 2012 11:28 pm

Webroot and Trendmicro say I have a trojan in my c:\windows\system32\services.exe file. Every time I start EQ it just crashes I am thinking they go hand in hand. Both programs won't delete the virus, it is there regardless, anyone had any luck in getting rid of this and pointing me in the right direction. I am stuck.

Post by **Iane_Blaidd** » Thu Aug 16, 2012 11:31 pm

Kaspersky

iz just saying i have had it for 3 years now

Post by **Chitiwok** » Fri Aug 17, 2012 12:55 am

When does EQ crash? If it's right after you select your character and you're zoning in, and you're using a custom UI, try switching it to default. I had the same problem after the last patch.

Post by **Timothian** » Fri Aug 17, 2012 11:08 am

Regarding the Trojan, I have had several on my daughter's computer that were not removed or detected by the anti-adware/anti virus programs I was using at the time. The definition files lag what are in the wild, and that is the most likely time you will get them.

I have successfully, though painfully, manually gotten rid of trojans (I have some boring threads on it elsewhere on EQ board). Not something that you can walk a person through, and it has risks of messing up machine. The hardest part is figuring out what files to delete as you do not want to accidently delete legitimate files. If you are computer savy, you can delete he trojan from your registry and the associated files from your hard disk. Do all this without rebooting and also delete all the files in your windows prefetch directory (this is safe to do, just delete them all). If you leave a peice of the trojan running or on your computer, it may repopulate itself on your PC. Sometimes the registry entry gives clues as to what files to delete, and often there are file name changes to make them hard to delete. One time, I only figured out the starting point by using Wireshark on the computer and found that my daughter's PC was communicating with a computer in the Netherlands.

It is often better to just reformat and start over as you can spend many hours chasing these things down.

Post by **Zargut** » Fri Aug 17, 2012 11:36 am

I use MSE and malwarebytes and have never had this sort of problem, if they can find it they can delete it, I hope?.

c:\windows\system32\services.exe file

This is the Services Control Manager, which is responsible for running, ending, and interacting with system services. Use this program to start services, stop them, or change their default from automatic to manual startup.

Note: The services.exe file is located in the folder C:\Windows\System32. In other cases, services.exe is a virus, spyware, trojan or worm!

Virus with same file name:
W32/Leave.B (service.exe) - Symantec Corporation
W32.Randex.R (service.exe) - Symantec Corporation
W32.HLLW.Kazping (service.exe) - Symantec Corporation
W32.XTC.Worm (service.exe) - Symantec Corporation
and many others.

You'll notice that the real deal says services, the virus says service without the plural S.

http://www.neuber.com/taskmanager/proce ... s.exe.html

Tug

Post by **Noircogi** » Sat Aug 18, 2012 3:52 pm

System restore is your friend. Roll your system back to a time when you know it was clean and then re-patch.

I use MS security essentials for basic protection. It's very fast, lightweight and free.

Post by **Lorai** » Sat Aug 18, 2012 4:57 pm

I recently had the same problem, and just restored back to a previous restore date, which fortunately was a MS update that had just happened before I clicked on a bad link and started being bombarded by "Your machine is affected! Download System Security bs...".

In safe mode I backed up recent documents I had saved before I did the restore, but turned out I didn't need to because they were not eliminated in the restore. A Windows 7 thing I guess...

I think I will try that MS Security Essentials Noir.