Inactive WIN64/Patched.A.Gen / Sirefef.AN/.AP / Conedex.B Trojans

Hello all, I hope I am posting this correctly. Any and all help would be greatly appreciated.

I read the post "[Solved] Win64/patched.a.gen trojan and sirefef" but somewhere else in the forum it says that I should create my own topic and go from there and not use scripts or steps from a previous post because it may brick my computer.

Step 1: Antivirus scanning

The antivirus scan is with ESET Smart Security. I keep getting these hits in my log file:

8/31/2012 12:12:59 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:09:00 PM Real-time file system protection file C:\windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000064.@ Win64/Sirefef.AN trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:08:59 PM Real-time file system protection file C:\windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:08:42 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\000000cb.@ Win64/Conedex.B trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:08:42 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:07:22 PM Real-time file system protection file C:\windows\system32\services.exe Win64/Patched.A.Gen trojan unable to clean NT AUTHORITY\LOCAL SERVICE Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe.

Step 2: Malwarebytes Anti-Malware

Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.31.04

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
ShagMiester :: SHAGGYS-LAPTOP [administrator]

Protection: Enabled

8/31/2012 12:27:56 PM
mbam-log-2012-08-31 (12-27-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 204896
Time elapsed: 6 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000032.@ (Rootkit.0Access) -> Quarantined and deleted successfully.

(end)

Step 3: GMER

This log came up empty; nothing was displayed.

This is part one of the logs post.
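A small triage script, added here as an example and not part of the post or of any ESET or Malwarebytes tooling, that parses the ESET real-time protection entries quoted above and flags the two patterns visible in them: a system binary (services.exe) reported as "unable to clean", and repeated detections out of one Windows\Installer\{GUID}\U folder opened by services.exe. The sample lines are copied from the post; the field layout the regex assumes is inferred from those lines only.

```python
import re
from collections import defaultdict

# Constructed sample input: three of the ESET entries quoted in the post, one per line.
SAMPLE_LOG = r"""8/31/2012 12:12:59 PM Real-time file system protection file C:\Windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\00000008.@ Win64/Agent.BA trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:08:59 PM Real-time file system protection file C:\windows\Installer\{c021d48a-fced-b1f8-3d9c-78c12e09b490}\U\80000000.@ Win64/Sirefef.AP trojan cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Windows\System32\services.exe.
8/31/2012 12:07:22 PM Real-time file system protection file C:\windows\system32\services.exe Win64/Patched.A.Gen trojan unable to clean NT AUTHORITY\LOCAL SERVICE Event occurred during an attempt to access the file by the application: C:\Windows\System32\svchost.exe."""

# The entry splits into a header (time, path, detection, action, account) and the accessing process.
SEP = " Event occurred during an attempt to access the file by the application: "
HEAD_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Real-time file system protection file "
    r"(?P<path>\S+) (?P<threat>\S+) trojan (?P<action>.+?) (?P<account>(?:NT AUTHORITY|\S+)\\.+)$"
)

def parse_line(line):
    """Split one ESET real-time protection entry into its fields; None if it does not match."""
    head, sep, proc = line.partition(SEP)
    m = HEAD_RE.match(head)
    if not m or not sep:
        return None
    rec = m.groupdict()
    rec["proc"] = proc.rstrip(".").lower()   # drop the trailing period ESET appends
    rec["path"] = rec["path"].lower()         # NTFS paths are case-insensitive; normalise for grouping
    return rec

def triage(log_text):
    """Return (parsed records, findings). A finding is raised for an uncleanable patched
    services.exe and for an Installer GUID folder that services.exe keeps opening files from."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    findings = []
    by_dir = defaultdict(set)
    for r in records:
        if r["action"].startswith("unable to clean") and r["path"].endswith("\\services.exe"):
            findings.append(f"patched system binary not cleaned: {r['path']} ({r['threat']})")
        if r["proc"].endswith("\\services.exe") and "\\installer\\{" in r["path"]:
            by_dir[r["path"].rsplit("\\", 1)[0]].add(r["path"])
    for d, files in by_dir.items():
        if len(files) >= 2:
            findings.append(f"repeat drops in {d}: {len(files)} files opened by services.exe")
    return records, findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG)[1]:
        print(f)
```

Quarantining the dropped .@ files without restoring the patched services.exe leaves the loader in place, which is why the same folder shows up again minutes later in the log.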
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running any tools, fixes or applying any changes to your computer other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===================================================

I need all required logs.
 
Hello Broni, I have been trying to kill this thing for about a week, and have had some success. Not completely removed yet, but I have removed/replaced the c:\windows\system32\services.exe file with the one that was in C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe.

Like I asked in my last post, do you want the DDS logs posted in seven or eight 5,000-character posts or as an attachment?
 
Wow... this thing is finding all sorts of problems. I think I will just wipe it and restore it to a backup I made 3 weeks ago on my WHS. Sorry to have wasted your time Broni; maybe some other time if it ever happens again.

Thank you for your time.
Thomas
 
Hopefully your backup is not infected.
We're dealing here with a nasty rootkit so restoring may not work.

Good luck though...
 