-
February 20th, 2009, 12:46 PM
#1
Member
Trojan Horse Win32/PEPatch.AO
I need some guidance. Here is the story:
Win XP 'puter
missing the explorer.exe file due to ....??? It was causing me to only see the wallpaper at startup. NO icons, NO task bar. This was rectified. I now have full access to the desktop and task bar. (Thanks to Nihil and others on the Operating system topic area.)
System is running AVG 8.0.
Now for the problem. AVG is detecting the above trojan in resident shield scan but it is always attached to a valid process. AVG only gives me the option to Ignore it also. I have run Spybot S&D, Malwarebytes Malware scan, AVG, and Hijackthis.
Spybot and MWB both caught things but did not solve the problem.
I thought of this afterwards and did not try it. But every time I would run a different virus/*ware scan, the AVG resident shield would detect the trojan. Every time it would only allow me to ignore. Every time it was attached to a valid process (in each case, the process was the virus/*ware scanner that I was running at the time). If I disable the Resident shield, then run the scans, will that clear it? Or am I dealing with a special case? I cannot seem to find much info on it.
Thanks in advance for the help.
Len Q.
-
February 21st, 2009, 03:54 AM
#2
Dump AVG and install Avira AntiVir in its place. AVG's not what it used to be.
edit - try running Killbox to end any rogue process: http://killbox.net/
edit #2 - disable System Restore and empty ALL temp folders (you may need
to toggle Folder Options to make some visible). Also search for any recently
datestamped .exe's, .tmp's, .dll's and .~'s (null) files. Delete those, backup
if necessary.
Last edited by brokencrow; February 21st, 2009 at 04:38 AM.
“Everybody is ignorant, only on different subjects.” — Will Rogers
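The file search suggested in post #2, as an added example that is not part of the original thread: it lists recently modified files with the named extensions, newest first, so they can be reviewed and backed up before anything is deleted. The function names, the 7-day window and the reading of ".~" as a filename suffix are assumptions.

```python
import os
import tempfile
import time

# Extensions named in post #2 (".~" read here as a filename suffix: assumption)
SUSPECT_EXTS = (".exe", ".tmp", ".dll", ".~")


def recent_files(root, days=7, exts=SUSPECT_EXTS, now=None):
    """Return (mtime, size, path) for files under root that carry one of
    the listed extensions and were modified in the last `days` days."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # locked or vanished file: skip it, keep scanning
            if st.st_mtime >= cutoff:
                hits.append((st.st_mtime, st.st_size, path))
    return sorted(hits, reverse=True)  # newest first


def demo():
    """Scan a constructed sample tree; returns the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        now = time.time()
        # Constructed sample: file name -> age in days
        samples = {"new.exe": 1, "old.dll": 60, "notes.txt": 1, "drop.TMP": 2}
        for name, age in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"x")
            os.utime(path, (now - age * 86400, now - age * 86400))
        found = recent_files(root, days=7, now=now)
        return [os.path.basename(p) for _, _, p in found]


if __name__ == "__main__":
    for mtime, size, path in recent_files(tempfile.gettempdir()):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime))
        print(stamp, size, path)
```

Modification times can be changed by whatever wrote the file, so an empty result does not show that a folder is clean.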
-
February 21st, 2009, 12:21 PM
#3
Have you managed to get hold of an XP installation CD for the same version and SP as the one on the infected machine?
If so try running this: SFC.EXE /SCANNOW
Windows should then replace corrupted/infected system files.
I would also get CCleaner and run it to clear out rubbish.
http://www.ccleaner.com/
Also try using its registry cleaner to get rid of malware remnants.
Follow brokencrow's advice and then re-scan in safe mode.
You might also try scanning with this:
http://www.emsisoft.com/en/software/free/
In safe mode the interactive scan should be turned off by default. You should only be scanning with one tool at a time for best results.
-
February 21st, 2009, 04:23 PM
#4
Member
Yes, I have a copy of the install disk. I ran:
sfc /scannow
This is the first time I have run this program. Is something supposed to happen afterward? It ran but I did not see any change or difference. No additional windows popped up or anything.
I will do what brokencrow suggests and let everyone know.
nihil, I will also try CCleaner and Emsisoft to see what happens.
We are getting closer to getting this blasted thing fixed.
Len
-
February 21st, 2009, 05:21 PM
#5
Hi Len,
I believe that you need to reboot afterwards.
All you would expect to see is a progress bar. If you don't get that you can make a registry amendment:
When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
the values available are: 0 = disabled, 1 = enabled
It still works with or without the progress bar
I would also think about downloading and installing SP3.
-
February 25th, 2009, 08:04 PM
#6
Member
Going from bad to worse. Finally got back to this computer. Someone turned it off and now it will not even boot. It keeps restarting right after the Windows XP screen. They are just going to buy a new one at this time. They want a laptop anyway.
Still going to try to clean this one up though. install disk, repair, etc. We shall see what happens.
Len
-
February 25th, 2009, 09:10 PM
#7
Format and reinstall is the fastest and best way to cure
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
February 25th, 2009, 09:48 PM
#8
Originally Posted by morganlefay
Format and reinstall is the fastest and best way to cure
MLF
I agree. You have been fighting this thing for quite some time now... I realize a reformat/reinstall can take a few hours, but that is nothing compared to the time you have invested/will invest in this.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
-
February 26th, 2009, 02:48 AM
#9
Very true. When you are dealing with a trojan or badly infected machine then a reinstallation is the preferred method.
I generally use DBAN (Darik's Boot & Nuke) or Eraser to do a one pass wipe (Vista will do this with a full format) before re-installation.
You might also look at creating a slipstreamed CD/DVD of the OS to save having to download service packs and updates. Try nLite or vLite.
-
February 26th, 2009, 03:16 AM
#10
Originally Posted by raven955i
Going from bad to worse. Finally got back to this computer. Someone turned it off and now it will not even boot. It keeps restarting right after the Windows XP screen.
Sounds like it's got hardware issues too. It's not unusual to run into
3-4-5-year-old PCs that haven't been serviced and come in with numerous
issues. We used to call that restarting 'rolling reboots' and most often
fixed it by running "chkdsk /r c:" from the command prompt. Might
give that a try if you're desperate enough.
OK, nihil, you can bash me now for reco'ing chkdsk.
“Everybody is ignorant, only on different subjects.” — Will Rogers