Yes, in that folder is services, services.mof and services.ptxml
You may have to change the folder options so you can see (show) known file extensions so that you see the .exe
So
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
Quads
yes, services.exe is in that folder
I want you to right click it and in the popup menu select copy.
Then copy the file to a handful of extra locations like, say, Documents (My Documents) etc. by pasting. This is so we have more than one good (legit) copy as backup for your system. Even better if one is placed, say, on a Flash drive and kept.
When we only have one good copy, if we use it, but something goes wrong, and don't have another copy, we would have dug a bigger hole.
Here is a report on the bad MD5 http://pedump.me/50bea589f7d7958bdd2528a8f69d05cc/#pe Notice the TLS section
Before people complain that Norton / Symantec doesn't detect this, look at the VirusTotal report below
A 0/41
Quads
Ok, I made 2 copies on the hard drive and one on a flash drive.
dibrown
Ok take out the Flash Drive
Then Run OTL with the script again, see if it gives me the extras in the list.
Quads
I ran the script again. Here is the output:
OK
Delete your desktop copy of Combofix as it is at least a couple of days old now and download a Fresh copy from the Instructions thread a couple of pages ago on this thread.
If you have forgotten the Combofix instructions with added info, go back and read them.
Then use this attached script with Combofix. I have given it extra instructions of what to do.
Quads
I ran Combofix with the script. There was no SEM notification after my computer rebooted, and Combofix said it uploaded some files. All the copies of services.exe that I copied on hard drives are gone now. Attached is the Combofix log. Does this mean the computer is clean now?
Ok
You had the Flash drive plugged in?? F:\ services.exe I said to unplug it.
We still have cleanup and removal of items ESET, OTL and Combofix have in their logs; the first thing to do was to break ZeroAccess.
Now take a copy of the legit nice and new c:\windows\system32\services.exe
Then go back into the location
c:\windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe and make sure a copy is back in there or still in there.
Quads
No, F:\ is another hard drive where I made a copy of the file. I did not have my flash drive plugged in.
I checked both locations and there is a services.exe in both locations. Do you want me to make copies of these files?
dibrown
No that's OK
Now run Combofix without any script. I just want to make sure the Desktop.ini's are gone. It will still give a log at the end.
Then run a scan with OTL (blue button), also with no script in the box. This will also give a new log.
All going well I will use those 2 logs and the ESET log to start OTL scripting to clean up items on your Hard drive.
Quads
Here is the Combofix log. Next I will run OTL.
Here is the OTL log.
OK
While I cross-reference the 3 logs to create an OTL script, which could take a bit of time, please uninstall Spybot S&D and Malwarebytes.
YAY!! ZeroAccess no longer shows up. DEAD!! Still have the quarantine files to shift via the script though.
Quads
I have uninstalled Spybot and Malwarebytes.
dibrown
What is your H:\ drive??
Quads
H:\ is a 10,000 rpm hard drive
With OTL, using the red "Run Fix" button, use the script attached. Remember about the : in front of the OTL (:OTL)
Quads
ok, I ran that script and rebooted.