Win64/Patched.A and Generic29.ANPX

Discussion in 'Malware Help (A Specialist Will Reply)' started by TorontoHenry, Feb 1, 2013.

  1. TorontoHenry

    TorontoHenry Guest

    Hello,

    From surfing through your site, it looks like you guys are pretty good at helping fix Win64/Patched.A trojans. I hope you can help another poor user :) AVG first warned me I was infected, but was unable to remove it, and same goes for Kaspersky. From reading other users, it looks like this Trojan needs a customized approach, so here goes!

    I can still access the Internet with the infected computer, but I've disconnected it until I am sure that it's clean.

    Logs attached, and any help would be greatly appreciated!

    Thanks,
    Henry
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files/folders tab and locate these detections:

    • [ZeroAccess][FILE] @ : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\@ --> FOUND
    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\U --> FOUND
    • [ZeroAccess][FOLDER] L : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\L --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now re-run Hitman, when it finds services.exe - Virus, allow it to Replace by clicking the down arrow next to the detection and choosing Replace.
    Ignore all other detections.
    Afterwards, click the Next button.
    HitmanPro may want to reboot the PC in order for the changes to take effect, please do so.

    Now re-scan with both RogueKiller and Hitman and attach those logs as well.
     
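The detection lines TimW asks the user to locate follow a fixed "[family][kind] name : path --> status" layout, and the thread's before/after logs are compared by eye. The following script is an added example, not code from the thread or from the RogueKiller project: it parses lines in that layout, groups the @/U/L entries by their GUID-named Installer folder, flags Desktop.ini files sitting under Assembly\GAC_32 or GAC_64, and reports which paths are still FOUND in a second log after a Delete pass. Both sample logs are constructed from the entries quoted above.

```python
import ntpath
import re
from collections import defaultdict

# Constructed "before" log, in the form RogueKiller's Files/folders tab uses (same entries as the thread).
SAMPLE_BEFORE = r"""[ZeroAccess][FILE] @ : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\U --> FOUND
[ZeroAccess][FOLDER] L : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\L --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
"""
# Constructed "after" log: only the two GAC Desktop.ini entries survived the first Delete pass.
SAMPLE_AFTER = r"""[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
[ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND
"""

LINE_RE = re.compile(r"^\[(?P<family>[^\]]+)\]\[(?P<kind>FILE|FOLDER)\]\s+(?P<name>\S+)\s+:\s+"
                     r"(?P<path>.+?)\s+-->\s+(?P<status>\w+)\s*$")
# A {GUID}-named directory at the end of a path, as in the Installer entries above.
GUID_DIR_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)

def parse_detections(text):
    """Return one dict (family, kind, name, path, status) per detection line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def installer_dropzones(detections):
    """Group entries by their GUID-named parent folder under the Windows Installer directory."""
    zones = defaultdict(set)
    for d in detections:
        parent = ntpath.dirname(d["path"])
        if GUID_DIR_RE.search(parent) and "\\installer\\" in parent.lower():
            zones[parent].add(ntpath.basename(d["path"]))
    return dict(zones)

def gac_desktop_ini(detections):
    """Desktop.ini directly under Assembly/GAC_32 or GAC_64 is not a normal .NET GAC file."""
    return sorted(d["path"] for d in detections
                  if ntpath.basename(d["path"]).lower() == "desktop.ini"
                  and ntpath.dirname(d["path"]).lower().endswith(("\\gac_32", "\\gac_64")))

def still_present(before_text, after_text):
    """Paths reported FOUND in both runs, i.e. what the first Delete pass did not remove."""
    after = {d["path"].lower() for d in parse_detections(after_text) if d["status"] == "FOUND"}
    return [d["path"] for d in parse_detections(before_text) if d["path"].lower() in after]
```

A zone whose set is exactly {"@", "U", "L"} is the full triad the thread lists; a partial set after cleanup shows which pieces were not removed.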
  3. TorontoHenry

    TorontoHenry Private E-2

    Trouble logging in and posting

    Hello,

    I tried logging in and posting a reply to TimW this morning, but for some reason my account no longer existed... my previous post shows up as a "guest" post, and my email account was not registered to the site. So I just created a brand new account with the identical email address... except now I can't post in my old thread, even though I can apparently create this thread here.

    I am very confused :)

    TorontoHenry
     
  4. TorontoHenry

    TorontoHenry Private E-2

    Re: Trouble logging in and posting

    In case a mod sees this reply, please move this message as a reply to TimW's response in the first thread I started (at http://forums.majorgeeks.com/showthread.php?t=272895)

    Hi TimW, thanks for the super quick reply! :)

    I ran RogueKiller twice (second time since I couldn't figure out how to select multiple files to delete) and Hitman once, then rebooted my computer as instructed by Hitman. I've also attached the RogueKiller and Hitman logs after the reboot (renamed with _after in the filename).

    Hitman no longer seems to see anything wrong, but RogueKiller still sees Desktop.ini as infected... what should I do next? I also suspect that UAC has turned back on since I didn't disable it again...

    Thanks,
    Henry
     

    Attached Files:

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Make sure UAC is turned off.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Files/folders tab and locate these detections:


    • [ZeroAccess][FOLDER] U : C:\Windows\Installer\{916d3865-0642-e3aa-1f7f-a6d4069b44a2}\U --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_32\Desktop.ini --> FOUND
    • [ZeroAccess][FILE] Desktop.ini : C:\Windows\Assembly\GAC_64\Desktop.ini --> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Do not reboot your computer yet.

    Now rescan with RogueKiller and attach that new log.

    Reboot and rescan again with RogueKiller and attach that log as well.

    NOTE: I have merged your threads. I don't know why you lost your previous account.
     
  6. TorontoHenry

    TorontoHenry Private E-2

    Trouble logging in and posting #2

    Hi TimW, sorry to post here again.... I'm still having trouble replying directly to the other thread at http://forums.majorgeeks.com/showthread.php?t=272895 since it says I don't have sufficient access yet :-o But at least this time my user account hasn't been deleted :)

    Attached please find RKreport[6] and RKreport[7] from before the reboot, and RKreport[8] from after the reboot (when I turned off UAC this time). RogueKiller file scan doesn't seem to show anything else now, but there were still some files in the registry after reboot.

    Thanks,
    Henry
     

    Attached Files:

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Your log came up clean. What issues are you still having?
     
