TechSpot

WIN64/Patched.A.Gen / Sirfefe.AN .AP / Conedex.b Trojans

Inactive
By ShagMiester
Aug 31, 2012
  1. Hello all, I hope I am posting this correctly. Any and all help would be greatly appreciated.

    I read the post "[Solved] Win64/patched.a.gen trojan and sirefef" but somewhere else in the forum it says that I should create my own topic and go from there and not use scripts or steps from a previous post because it may brick my computer.

    Step 1: Antivirus scanning

    Antivirus scan is with ESET Smart Security. I keep getting these hits in my log file

    8/31/2012 12:12:59 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
    8/31/2012 12:09:00 PM Real-time file system protection file C:\windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000064.@ Win64/Sirefef.AN trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
    8/31/2012 12:08:59 PM Real-time file system protection file C:\windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
    8/31/2012 12:08:42 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
    8/31/2012 12:08:42 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
    8/31/2012 12:07:22 PM Real-time file system protection file C:\windows\system32\services.exe Win64/Patched.A.Gen trojan unable to clean NT AUTHORITY\LOCAL SERVICE Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

    Step 2: Malwarebytes Anti-Malware

    Malwarebytes Anti-Malware (Trial) 1.62.0.1300
    www.malwarebytes.org

    Database version: v2012.08.31.04

    Windows 7 Service Pack 1 x64 NTFS
    Internet Explorer 9.0.8112.16421
    ShagMiester :: SHAGGYS-LAPTOP [administrator]

    Protection: Enabled

    8/31/2012 12:27:56 PM
    mbam-log-2012-08-31 (12-27-56).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 204896
    Time elapsed: 6 minute(s), 7 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 1
    C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

    (end)

    Step 3: GMER

    This log came up empty; nothing was displayed.

    This is part one of the logs post.
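    The ESET entries quoted above all follow one fixed line format, so they can be parsed and reduced to a short triage summary (which files were hit, whether cleaning failed, and whether the hidden `Installer\{GUID}\U\*.@` store was being loaded by services.exe). This is an added example, not code from the post or from ESET; the finding names are my own, and the sample lines are two entries copied from the log above.

```python
import re

# Constructed sample: two entries copied from the ESET log quoted in the post above.
SAMPLE_LOG = r"""
8/31/2012 12:12:59 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:07:22 PM Real-time file system protection file C:\windows\system32\services.exe Win64/Patched.A.Gen trojan unable to clean NT AUTHORITY\LOCAL SERVICE Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.
"""

# One ESET real-time protection entry: timestamp, path, threat name, action, account, accessing app.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Real-time file system protection file (?P<path>\S+) (?P<threat>\S+) trojan "
    r"(?P<action>.+?) (?P<user>NT AUTHORITY\\(?:SYSTEM|LOCAL SERVICE|NETWORK SERVICE)) "
    r"Event occurred during an attempt to access the file by the application: "
    r"(?P<app>\S+)\.$"
)
# Hidden component store seen in the log: Installer\{GUID}\U\<8 hex digits>.@
HIDDEN_STORE_RE = re.compile(r"\\Installer\\\{[0-9a-f-]{36}\}\\U\\[0-9a-f]{8}\.@$", re.I)


def parse_eset_log(text):
    """Return one dict per line that matches the real-time protection format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(events):
    """Reduce parsed entries to defender-facing findings (names are my own labels)."""
    findings = set()
    for e in events:
        in_store = bool(HIDDEN_STORE_RE.search(e["path"]))
        path, app = e["path"].lower(), e["app"].lower()
        if in_store:
            findings.add("hidden_store_component")
        if path.endswith(r"\system32\services.exe") and "patched" in e["threat"].lower():
            findings.add("patched_services_exe")      # system binary itself modified
        if e["action"] == "unable to clean":
            findings.add("cleanup_failed")            # AV could not remediate; escalate
        if in_store and app.endswith(r"\services.exe"):
            findings.add("scm_loading_hidden_component")  # SCM is what touches the .@ files
    return sorted(findings)


if __name__ == "__main__":
    print(triage(parse_eset_log(SAMPLE_LOG)))
```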
     
  2. ShagMiester

    ShagMiester TS Rookie Topic Starter

    The DDS.txt file has over 31K characters; that will take about 7 posts, I think. Let me know when you need it, please.
     
  3. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================

    I need all required logs.
     
  4. ShagMiester

    ShagMiester TS Rookie Topic Starter

    Hello Broni, I have been trying to kill this thing for about a week, and have had some success. Not completely removed yet, but I have removed/replaced the c:\windows\system32\services.exe file with the one that was in C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe.

    Like I asked in my last post, do you want the DDS logs posted in seven or eight 5,000-character posts or as an attachment?
     
  5. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Yes.
     
  6. ShagMiester

    ShagMiester TS Rookie Topic Starter

    Wow... this thing is finding all sorts of problems. I think I will just wipe it and restore it to a backup I made 3 weeks ago on my WHS. Sorry to have wasted your time, Broni; maybe some other time if it ever happens again.

    Thank you for your time.
    Thomas
     
  7. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Hopefully your backup is not infected.
    We're dealing here with a nasty rootkit so restoring may not work.

    Good luck though...
     

