
Infected trojan horse patched_c.lzi affecting services.exe


5 replies to this topic

#1 Mendetus

Mendetus

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:43 PM

Posted 29 July 2012 - 01:16 PM

I have a virus I could use a hand with. AVG picks it up as trojan horse patched_c.lzi. Windows firewall service is now disabled as well as security center & SSL services. I've tried using a couple scanners already with no luck. Any help is appreciated


#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:43 PM

Posted 29 July 2012 - 01:19 PM

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan. After scan finishes, click on Save log

Post the log results here

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 Mendetus

Mendetus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:43 PM

Posted 29 July 2012 - 05:59 PM

Followed the steps but ran into some problems with asw. It got stuck on one of my legit files (eve online app data). At first I thought it was due to the file's size but checked it and it's only 360KB and was sitting for over 10 minutes so I thought it was hung. I saved a log, suddenly the scan immediately moved on for a certain amount of time but got stuck on a different legit app folder of small size. However, it did find something. I can let asw run overnight if you want. The eset scan finished without issue and found some threats - thanks for your time on this; here are the logs:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-07-29 14:17:45
-----------------------------
14:17:45.594 OS Version: Windows x64 6.0.6002 Service Pack 2
14:17:45.595 Number of processors: 2 586 0x6B02
14:17:45.595 ComputerName: RICK-PC UserName: Rick
14:17:47.295 Initialize success
14:18:01.532 AVAST engine defs: 12072901
14:18:04.472 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:18:04.475 Disk 0 Vendor: MAXTOR_STM3500630AS 3.AAE Size: 476940MB BusType: 3
14:18:04.568 Disk 0 MBR read successfully
14:18:04.571 Disk 0 MBR scan
14:18:04.576 Disk 0 Windows XP default MBR code
14:18:04.595 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
14:18:04.797 Disk 0 scanning C:\Windows\system32\drivers
14:18:35.240 Service scanning
14:18:57.966 Modules scanning
14:18:57.975 Disk 0 trace - called modules:
14:18:58.013 ntoskrnl.exe CLASSPNP.SYS disk.sys acpi.sys ataport.SYS pciide.sys PCIIDEX.SYS hal.dll atapi.sys
14:18:58.018 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004e04060]
14:18:58.023 3 CLASSPNP.SYS[fffffa60007bbc33] -> nt!IofCallDriver -> [0xfffffa8004bbe4f0]
14:18:58.367 5 acpi.sys[fffffa60008f7fde] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa8004114940]
14:19:00.349 AVAST engine scan C:\Windows
14:19:22.212 AVAST engine scan C:\Windows\system32
14:22:20.051 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:22:24.654 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:24:34.734 AVAST engine scan C:\Windows\system32\drivers
14:25:04.365 AVAST engine scan C:\Users\Administrator
14:36:15.052 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
14:36:15.054 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
14:54:45.123 Disk 0 MBR has been saved successfully to "C:\Users\Administrator\Desktop\MBR.dat"
14:54:45.124 The log file has been saved successfully to "C:\Users\Administrator\Desktop\aswMBR.txt"
-----------------------------------------
C:\Users\Administrator\Desktop\pe\mpeiso\PROGRAMS\UTILITIES\OUTLOOKER.EXE probably a variant of Win32/Agent.DSXQTSL trojan cleaned by deleting - quarantined
C:\Users\Administrator\Desktop\RK_Quarantine\00000008.@.vir Win64/Agent.BA trojan cleaned by deleting - quarantined
C:\Users\Administrator\Desktop\RK_Quarantine\000000cb.@.vir Win64/Conedex.B trojan cleaned by deleting - quarantined
C:\Users\Administrator\Desktop\RK_Quarantine\80000032.@.vir a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Users\Administrator\Downloads\cnet_pcdwulite_exe.exe a variant of Win32/InstallCore.D application cleaned by deleting - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7YIFQAVE\EN[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CWCD6GD2\EN[1].htm HTML/ScrInject.B.Gen virus deleted - quarantined
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.services.exe.01cd653ff043bc94.0000 Win64/Patched.B trojan deleted - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan
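What the two logs above amount to, as an added example (not from the thread, and not code from ESET or AVAST): a Python triage script that parses the aswMBR `**INFECTED**` lines and the ESET result lines into one list, groups the hits by malware family, and flags the ones that deleting files alone will not settle (the in-memory detection and the patched services.exe), which is the point behind the "advanced tools" reply that follows. The sample lines are copied from the logs above; the two regexes are my reading of the formats as posted, not a documented specification.

```python
import re
from collections import defaultdict
# Constructed sample input: lines copied from the aswMBR and ESET logs posted
# above (raw strings keep the Windows backslashes intact).
ASWMBR_SAMPLE = r"""
14:19:22.212 AVAST engine scan C:\Windows\system32
14:22:20.051 File: C:\Windows\assembly\GAC_32\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:22:24.654 File: C:\Windows\assembly\GAC_64\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
"""
ESET_SAMPLE = r"""
C:\Users\Administrator\Desktop\RK_Quarantine\80000032.@.vir a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\Windows\winsxs\Temp\PendingDeletes\$$DeleteMe.services.exe.01cd653ff043bc94.0000 Win64/Patched.B trojan deleted - quarantined
Operating memory a variant of Win32/Sirefef.EZ trojan
"""
# aswMBR: "<time> File: <path> **INFECTED** <name> [<category>]" ([Rtk] = Avast rootkit category)
ASWMBR_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{3} File: (?P<path>.+?) \*\*INFECTED\*\* (?P<name>\S+)(?: \[(?P<tag>\w+)\])?$")
# ESET: "<path> [probably ][a variant of ]<Platform/Family.Variant> <kind> [<action taken>]"
ESET_RE = re.compile(
    r"^(?P<path>.+?) (?:probably )?(?:a variant of )?(?P<name>[A-Za-z0-9]+/[A-Za-z0-9.]+)"
    r" (?P<kind>trojan|virus|application)(?: (?P<action>.+))?$")

def family(name):
    """'Win32:Sirefef-PL' -> 'Sirefef', 'Win64/Patched.B' -> 'Patched'."""
    return re.split(r"[.\-]", re.split(r"[:/]", name, maxsplit=1)[-1])[0]

def parse_logs(aswmbr_text, eset_text):
    findings = []  # one normalised dict per hit, from either scanner
    for line in aswmbr_text.splitlines():
        m = ASWMBR_RE.match(line.strip())
        if m:
            findings.append({"tool": "aswMBR", "path": m["path"], "name": m["name"], "action": "reported only"})
    for line in eset_text.splitlines():
        m = ESET_RE.match(line.strip())
        if m:
            findings.append({"tool": "ESET", "path": m["path"], "name": m["name"], "action": m["action"] or "none"})
    return findings

def by_family(findings):
    groups = defaultdict(list)  # family -> paths, so related detections are read together
    for f in findings:
        groups[family(f["name"])].append(f["path"])
    return dict(groups)

def needs_deeper_cleanup(findings):
    """Deleting files is not enough when the threat was seen in running memory
    or inside a patched Windows binary (services.exe here): escalate instead."""
    return [f["path"] for f in findings
            if f["path"] == "Operating memory" or "services.exe" in f["path"].lower()]
```

Running `by_family(parse_logs(ASWMBR_SAMPLE, ESET_SAMPLE))` on the sample puts four hits under Sirefef and one under Patched, and `needs_deeper_cleanup` returns the services.exe path and the in-memory hit.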

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:43 PM

Posted 29 July 2012 - 06:06 PM

We need advanced tools to remove this one

Read the guide here

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck

#5 Mendetus

Mendetus
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Local time:01:43 PM

Posted 29 July 2012 - 06:17 PM

Thanks Naren

#6 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:12:43 PM

Posted 29 July 2012 - 06:20 PM

you're welcome :)
