Trojan Horse Win32/PEPatch.AO
  1. #1
    Member
    Join Date
    Feb 2004
    Posts
    36

    Trojan Horse Win32/PEPatch.AO

    I need some guidance. Here is the story:
    Win XP 'puter
    missing the explorer.exe file due to ....??? It was causing me to only see the wallpaper at startup. NO icons, NO task bar. This was rectified. I now have full access to the desktop and task bar. (Thanks to Nihil and others on the Operating System topic area.)
    System is running AVG 8.0.
    Now for the problem. AVG is detecting the above trojan in resident shield scan but it is always attached to a valid process. AVG only gives me the option to Ignore it also. I have run Spybot S&D, Malwarebytes Malware scan, AVG, and Hijackthis.
    Spybot and MWB both caught things but did not solve the problem.
    I thought of this afterwards and did not try it. But every time I would run a different virus/*ware scan, the AVG resident shield would detect the trojan. Every time it would only allow me to ignore. Every time it was attached to a valid process (in each case, the process was the virus/*ware scanner that I was running at the time). If I disable the Resident Shield, then run the scans, will that clear it? Or am I dealing with a special case? I cannot seem to find much info on it.
    Thanks in advance for the help.
    Len Q.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    Dump AVG and install Avira AntiVir in its place. AVG's not what it used to be.

    edit - try running Killbox to end any rogue process: http://killbox.net/

    edit #2 - disable System Restore and empty ALL temp folders (you may need to toggle Folder Options to make some visible). Also search for any recently datestamped .exe's, .tmp's, .dll's and .~'s (null) files. Delete those, backup if necessary.
    Last edited by brokencrow; February 21st, 2009 at 03:38 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
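    A report-only PowerShell script, added here as an example and not something brokencrow posted, that lists the recently datestamped .exe/.dll/.tmp/.~ files in the temp folders with their signature status and SHA-256 so each one can be reviewed (and its hash kept) before anything is deleted. The 7-day window and the two folder locations are assumptions.

```powershell
# Added example (not brokencrow's code): report-only triage of the temp folders.
# Lists recently modified .exe/.dll/.tmp/.~ files with signature status and SHA-256
# so each one can be reviewed (and the hashes kept) before anything is deleted.
param(
    [int]$Days = 7   # assumption: "recently datestamped" means modified within 7 days
)

# Assumed locations: the user's temp folder and the Windows temp folder.
$tempDirs = @($env:TEMP, (Join-Path $env:SystemRoot 'Temp'))
$patterns = '*.exe', '*.dll', '*.tmp', '*.~*'
$cutoff   = (Get-Date).AddDays(-$Days)

function Get-Sha256Hex([string]$Path) {
    # Hash via .NET so this also runs on old PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close(); $sha.Clear() }
}

$findings = foreach ($dir in ($tempDirs | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $dir -Recurse -Force -Include $patterns -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            # An unsigned or badly signed binary sitting in a temp folder deserves the closest look
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName -ErrorAction SilentlyContinue
            $status = 'n/a'
            if ($sig) { $status = [string]$sig.Status }
            New-Object PSObject -Property @{
                Modified  = $_.LastWriteTime
                Signature = $status
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Path      = $_.FullName
                SHA256    = Get-Sha256Hex $_.FullName
            }
        }
}

$findings | Sort-Object Modified -Descending |
    Format-Table Modified, Signature, SizeKB, Path -AutoSize

# Keep the full report, hashes included, for comparison after cleanup or for the AV vendor
$findings | Export-Csv -Path (Join-Path $env:USERPROFILE 'temp-triage.csv') -NoTypeInformation
```

    Run it from an elevated prompt on the affected machine before emptying the folders, so the CSV records what was there and an unexpected file can be submitted to the AV vendor rather than simply lost.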

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Have you managed to get hold of an XP installation CD for the same version and SP as the one on the infected machine?

    If so try running this: SFC.EXE /SCANNOW

    Windows should then replace corrupted/infected system files.

    I would also get CCleaner and run it to clear out rubbish.

    http://www.ccleaner.com/

    Also try using its registry cleaner to get rid of malware remnants.

    Follow brokencrow's advice and then re-scan in safe mode.

    You might also try scanning with this:

    http://www.emsisoft.com/en/software/free/

    In safe mode the interactive scan should be turned off by default. You should only be scanning with one tool at a time for best results.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Member
    Join Date
    Feb 2004
    Posts
    36
    Yes, I have a copy of the install disk. I ran:
    sfc /scannow
    This is the first time I have run this program. Is something supposed to happen afterward? It ran but I did not see any change or difference. No additional windows popped up or anything.
    I will do what brokencrow suggests and let everyone know.
    nihil, I will also try CCleaner and Emsisoft to see what happens.

    We are getting closer to getting this blasted thing fixed.
    Len

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi Len,

    I believe that you need to reboot afterwards.

    All you would expect to see is a progress bar. If you don't get that you can make a registry amendment:

    When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    the values available are: 0 = disabled, 1 = enabled
    It still works with or without the progress bar.

    I would also think about downloading and installing SP3.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Member
    Join Date
    Feb 2004
    Posts
    36
    Going from bad to worse. Finally got back to this computer. Someone turned it off and now it will not even boot. It keeps restarting right after the Windows XP screen. They are just going to buy a new one at this time. They want a laptop anyway.
    Still going to try to clean this one up though: install disk, repair, etc. We shall see what happens.
    Len
