Trojan.Patchep!sys or Trojan horse Dropper.Generic_c.MMI detecting services.exe as infection

Randomly got this virus, want to get rid of it?
Antivirus programs are detecting c:\WINDOWS\system32\services.exe as an infection.

How do I remove it? (I’m not rebooting my system completely.)

Virus is located in: C:\Windows\System32\services.exe
Name of virus: Trojan horse Dropper.Generic_c.MMI, Trojan.Patchep!sys
AVG scanner says: “Object is white-listed (critical/system file that should not be removed)”
Norton Scan says: Trojan.Patchep!sys (C:\Windows\System32\services.exe), not able to remove

To fix the issue, we need to manually replace the file “services.exe” with a copy from the winsxs folder (in Windows Vista and 7) or the i386 folder (in Windows XP).

How to manually replace the file?

Boot the computer in Safe Mode With Networking or Recovery Console. 

Search for the file “services.exe” in the “c:\Windows\winsxs” folder and copy it to “c:\”.

Note: services.exe should be 321 KB

 

Open the folder “c:\windows\system32” and rename the file “services.exe” to “123.com”.

Launch the command prompt with administrator rights and navigate to the home drive “c:\”.

Type the following command: “copy services.exe c:\windows\system32”. You should get the message “1 file copied”.

Restart the computer in normal mode.

 

Delete the file “123.com” from system32.

Run the Norton scan; it should come up clean.
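
A read-only check that can be run before the replacement steps above, as an added example that is not part of the original post: it lists every services.exe under WinSxS with its size and SHA-256 and marks the copies that are byte-identical to the one in System32, since copying an identical file over changes nothing. The paths follow the post; `Get-Sha256` is a hypothetical helper name, and an elevated, native (not 32-bit on 64-bit Windows) PowerShell prompt is assumed.

```powershell
# Added example: read-only comparison of every services.exe under WinSxS with
# the copy in System32. Nothing is renamed, copied or deleted.
$ErrorActionPreference = 'Stop'
$system32Copy = Join-Path $env:windir 'System32\services.exe'
$storeRoot    = Join-Path $env:windir 'winsxs'

# Hypothetical helper: SHA-256 through .NET, so it also works on PowerShell 2.0,
# which has no Get-FileHash cmdlet.
function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes) -replace '-', '')
    } finally {
        $stream.Close()
    }
}

$activeHash = Get-Sha256 $system32Copy
"System32 copy: $system32Copy"
"  SHA-256: $activeHash"

# -Force includes hidden/system entries; the name test drops files such as .mui.
$report = Get-ChildItem -Path $storeRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -eq 'services.exe' } |
    ForEach-Object {
        $hash = Get-Sha256 $_.FullName
        New-Object PSObject -Property @{
            Path           = $_.FullName
            SizeKB         = [math]::Ceiling($_.Length / 1KB)  # compare with the post's 321 KB note
            LastWriteTime  = $_.LastWriteTime
            SHA256         = $hash
            SameAsSystem32 = ($hash -eq $activeHash)
        }
    }

$report | Sort-Object LastWriteTime |
    Format-List Path, SizeKB, LastWriteTime, SHA256, SameAsSystem32

if (-not ($report | Where-Object { -not $_.SameAsSystem32 })) {
    'No differing WinSxS copy found: copying one over System32 would change nothing.'
}
```

On Windows Vista and 7 the current component-store copy is normally a hard link to the System32 file, so an identical hash for that entry is expected. A copy that differs still needs its size and a scan result checked before it is used as the replacement.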


Everyone, please also check your computer for two more infections: Trojan.Zeroaccess.B and Trojan.gen.2.

These two infections also come with this services.exe infection.

http://123seminarsonly.com/Blog/fix-for-trojan-zeroaccess-b-trojan-gen-2

Kuttus

Kuttus is an IT professional and a part-time blogger. He started 123seminarsonly to write up the findings from his daily work life. Kuttus writes articles that are mostly related to technology and virus removal. He has been interested in virus and malware removal, and has been working as a remote virus removal technician for the last 7 years.


36 comments to Trojan.Patchep!sys or Trojan horse Dropper.Generic_c.MMI detecting services.exe as infection

  • Nathanaêl

    Hello Everybody

    Well got the same problem, but I fiddle a little reading or the simply change the service exe manually, and it seems to be not coming back. I am not sure, as I had it an hour ago still there, but since one hour no notification, strange or, anyway I think it’ll come back at some point. So I was reading the tuto, searched for my services.exe in the folder winsxs and I found it, but it is like that: $$DeleteMe.services.exe.01cdae278487b1f7.0000 and under it it says pending delete? So I don’t know if it’s gone or not, and my updates, firewall are not working, Azureus is not opening also. So do I do this manipulation or not? Thanks for any feedback.

    • admin

      I am sorry to say it seems your computer is or was infected. I will assist you to make sure no more problems remain on your computer.

      To check the presence of Trojan.Zeroaccess you have to do one thing.

      In Windows XP
      ———————-

      Click on the Start menu and press on Run.
      Inside the Run window type CMD and press on Okay.
      In the black Command Window type
      NETSH WINSOCK RESET and hit Enter.

      If you get a message
      “Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.
      If not your computer is infected.

      In Windows Vista and Windows 7
      ————————————–

      Click on the Start Menu and in the Search box type CMD.
      At the top you can see a CMD file. Just right-click on that file and select Run as Administrator.

      In the black Command Window type
      NETSH WINSOCK RESET and hit Enter.

      If you get a message
      “Sucessfully reset the Winsock Catalog. You must restart the machine in order to complete the reset.” then you are safe.

      If not your computer is infected.

      Please check it and revert back…

  • WPY

    wow, I was fussing over the virus all week! Was going to do some complicated steps and submit my problem to a tech forum. Then I stumbled on this post. Thank you soooo much for helping me get rid of the horrible Trojan horse, and for your clear, simple instructions. You have my respect and appreciation. Thanks again!

  • toni k

    Sorry about bad typing on earlier note, got a broke hand, type bad enough with two, be careful.

    • admin

      No issues, Toni. We do understand. I wish you good luck with your computer.
      Please do feel free to get back to us if you have any virus issues in future and we would be glad to help you out with it.

      There are some solutions to fix the issues with the Windows Firewall and Windows Updates. If you are okay with a fresh installation, I prefer to do that one so that you will get a fresh, virus-free computer.

  • toni k

    This trojan horse dropper generic c.mmi is a bear, never seen nothin like it. Far from a pro, don’t use mine as much as yall, but never had a virus in my life that wasn’t stopped by the software we all pay too much for. But this got right in. As I thought but didn’t believe till I read other post, it came into mine from the adobe flash 11 update, YES IT DID!!!! Wasn’t even on internet, just did my update when asked, then all he– broke loose. Spent last 2 days reading and trying it all, this I couldn’t get to work. avg wouldn’t remove it, avast got it and all the others it lets in, but won’t get rid of it. spybot was no help, norton says manually remove, what a racket out there. I finally did house calls trend micro, 7.2 beta 64 bit for my win. 7, did the FULL scan, took 158 min. but it removed 3 and said would take the trojan off on reboot, it seemed to work, but now can’t get firewall up or windows update, don’t know what else yet. Just gonna recover or reinstall whole system to be safe. This took over my whole thing, don’t really keep anything on here I think they could have stole but yall be careful! The trojan isn’t as bad as all the other virus it dumps into system. They or someone was in my internet or comp. even without my browser on etc. Had to unplug modem. I uninstalled adobe and flash, all of it, and every time opened browser it popped up and started reinstalling it etc. I really caution anyone like I am and not a pro, watch yourself with this one, with the things it allows or puts in you could lose a lot of info I am afraid of, adobe I believe owes a lot of people time and a big I’m Sorry. Yall take care and wish you better luck than I. Hope I can find this site again to see how you all do, will lose it on reinstall, guess I could write it down with the other 5000 notes I have on this.

    • admin

      I am really sorry to hear about your computer, Toni. As you said, this infection is really a bad one.

      This particular infection has come from some insecure website. When you visit an unsafe website, a message pops up and tells you to first download a newer version of Flash Player to play the video or to view the website. You might be inclined to click on the pop-up because it’s telling you to install a newer version of Flash Player. Please do not do this. It’s a virus.

      Sometimes it may be in the form of “install drivers (or) plug-ins (or) ActiveX controls etc”. If we click on these pop-ups (knowingly or unknowingly), it will automatically install malicious spyware on your computer.

      These pop-ups may contain multiple options like Save, Run, Cancel, Yes, No etc. If we click on any of these options it will automatically install this spyware. The best solution to avoid this spyware is to close the browser window (Internet Explorer, Firefox etc.).

      We should be aware of this situation and never download an Adobe Flash Player through any source other than the Adobe.com website. If you are ever uncertain of a Flash Player update, it may be best to cancel the operation and navigate to http://www.adobe.com and download the update.

      These spyware programs send pop-ups to purchase their products. If we enter the credit card details for purchasing them, they will hack our credit card information.

      Have you ever been prompted to download an Adobe Flash Player or Adobe Flash Player update through a website other than Adobe.com?

  • cspinn

    I get to the step where I need to rename the file 123.com. and it will not let renamed file and it won’t let me and I am running under admin it won’t let me change any permission under file properties. Please help me

    • admin

      Just restart your computer. After a restart, before opening any applications, replace the services.exe file. It will work.

  • Michelle

    So I did all your steps, rebooted, and went to delete the 123.com file. My AVG alerted me of the dropper.generic threat. I then went to my recycle bin and cleared out the 123.com file. Should AVG have alerted me? Thanks for all your help!

    • admin

      Hi Michelle,
      Now your computer should be clean. Anyway, please run one more full system scan on your computer so that we can make sure no more threats remain on the computer. If you need any more help, feel free to get back to us, we will be happy to help you.

  • josh

    When performing this step: Type the following cmd “copy services.exe c:\windows\system32” and you should get a message “1 file copied”, I get a message that says “The system cannot find the file specified”

  • Josh

    I followed instructions and virus seemed to be removed. A week later it came back.

  • Anthony

    Finally, within 15min following your instruction, I was able to remove that damn trojan horse patch. For the last 24 hrs I could not get it out of my mind.

    Thanks again for your help.

    Anthony Doan

    • admin

      Great to hear that your issue is resolved, Anthony.

      Please run a full system scan on your computer with your antivirus program, so that we can make sure there is no more infection on the computer.

      Please feel free to get back to us if you need any more help……

  • Luan

    Every time I try to copy services in the cmd prompt I get a message confirming if I wish to overwrite c:\windows\system32\services.exe? I input yes but then it says “The process cannot access the file because it is being used by another process”
    0 files copied.

    Any help?

    • admin

      Hi Luan,

      Just restart your computer. After a restart, before opening any applications, replace the services.exe file. It will work.

  • bevan

    freakin legend cheers mate mite be time to back off the porn =) lol

  • Birdogg50

    Ur advice worked like a charm!! Thanks for ur help. Will keep this website in mind if or when the next POS decides to camp out in my computer

    • admin

      Nice to hear that your issue is resolved. Please feel free to get back to us if you need any more help in the future.
      Don’t forget to run a full system scan with the antivirus program installed on the computer, so that we can make sure there are no more problems on the computer.

      All the best……..

  • CenoByte

    FINALLY! A REAL solution to that damned white-listed Trojan horse Patched_c.LYU problem! Thank you, much respect…

    • admin

      Great to hear that your issues are fixed. Please feel free to get back to us if you need any more help at any point of time…….. I wish you good luck with your computer…

  • Steven

    I’m trying this method, but when I get to the cmd portion, I get “the system cannot find the file specified.” What am I doing wrong?

    • admin

      Hi Steven,

      I think you typed the command in the wrong place.

      What do you see when you open the CMD? Is it C:\Windows\System32 or c:\Documents and Settings\ or something?

      Did you copy the services.exe file into the C drive?

  • admin

    Everyone, please check for one more infection on your computer: Trojan.Zeroaccess.B & Trojan.gen.2

    These 2 infections are also coming with this services.exe infection.

    http://123seminarsonly.com/Blog/fix-for-trojan-zeroaccess-b-trojan-gen-2

  • Eustace Mullins

    I did as per instructions. In my win sxs folder there were 2 services exe files. I chose the oldest one as it was a different size, where the other file was identical to what was in the system32 folder.
    Everything works fine now. Created a new restore point. Thanks

  • Jerome

    my pc struggled to restart on the replaced and new services.exe. Win 7 was trying to repair over 6 attempts before it finally loaded Win7 back. I must say this is the best fix I have found out there for this Malware. Thanks heaps for your advice !!! Great 🙂

  • James

    I have Vista, and yet I can’t find a services.exe in my winsxs folder

    • admin

      Do you have any other Windows Vista computer? If you have any other Windows Vista computer, copy the services.exe file from the location c:\WINDOWS\system32\services.exe and move it to this one.

  • Dave

    Hey, just wanted to say thanks for this page as well. This was the first problem my AVG couldn’t take care of, and your step by step method really helped someone computer illiterate like myself. The pics were great as well. Many thanks for helping me resolve the issue!

  • william

    It says I need permission from System to rename this file (services.exe)

    • admin

      Restart your computer one more time, launch the cmd prompt with administrator rights and navigate to “c:\windows\system32”.

      After that you need to type the command
      ren c:\windows\system32\services.exe services.exe1
      Hit Enter. Then type
      copy c:\services.exe c:\windows\system32
      Hit Enter.