Page 1 of 2 12 LastLast
Results 1 to 10 of 14

Thread: Trojan Horse Win32/PEPatch.AO

  1. #1

    Trojan Horse Win32/PEPatch.AO

    I need some guidance. Here is the story:
    Win XP 'puter
    missing the explorer.exe file due to ....??? It was causing me to only see the wallpaper at startup. NO icons, NO task bar. This was rectified. I now have full access to the desktop and task bar.(thanks to Nihil and others on the Operating system topic area.)
    System is running AVG 8.0.
    Now for the problem. AVG is detecting the above trojan in resident shield scan but it is always attached to a valid process. AVG only gives me the option to Ignore it also. I have run Spybot S&D, Malwarebytes Malware scan, AVG, and Hijackthis.
    Spybot and MWB both caught things but did not solve the problem.
    I thought of this afterwards and did not try it. But, everytime i would run a different virus/*ware scan, the AVG resident shield would detect the trojan. Everytime it would only allow me to ignore. Everytime it was attached to a valid process (in each case, the process was the virus/*ware scanner that I was running at the time. If i disable the Resident shield, then run the scans, will that clear it? or am I dealing with a special case. I cannot seem to find much info on it.
    Thanks in advance for the help.
    Len Q.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Dump AVG and install Avira AntiVir in its place. AVG's not what it used to be.

    edit - try running Killbox to end any rogue process: http://killbox.net/

    edit #2 - disable System Restore and empty ALL temp folders (you may need
    to toggle Folder Options to make some visible). Also search for any recently
    datestamped .exe's, .tmp's, .dll's and .~'s (null) files. Delete those, backup
    if necessary.
    Last edited by brokencrow; February 21st, 2009 at 04:38 AM.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Have you managed to get hold of an XP installation CD for the same version and SP as the one on the infected machine?

    If so try running this: SFC.EXE /SCANNOW

    Windows should then replace corrupted/infected system files.

    I would also get CCleaner and run it to clear out rubbish.

    http://www.ccleaner.com/

    Also try using its registry cleaner to get rid of malware remnants.

    Follow brokencrow's advice and then re-scan in safe mode.

    You might also try scanning with this:

    http://www.emsisoft.com/en/software/free/

    In safe mode the interactive scan should be turned off by default. You should only be scanning with one tool at a time for best results.

  4. #4
    Yes i have a copy of the install disk. I ran:
    sfc /scannow
    This is the first time i have run this program. Is something supposed to happen afterward? It ran but i did not see any change or difference. no addititional windows popped up or anything.
    i will do what brokencrow suggests and let everyone know.
    nihil, i will also try ccleaner and emisoft to see what happens.

    We are getting closer to getting this blasted thing fixed.
    Len

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Len,

    I believe that you need to reboot afterwards.

    All you would expect to see is a progress bar. If you don't get that you can make a registry amendment:

    When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    the values available are: 0 = disabled, 1 = enabled
    It still works with or without the progress bar

    I would also think about downloading and installing SP3.

  6. #6
    Going from bad to worse. Finally got back to this computer. Someone turned it off and now it will not even boot. It keeps restarting right after the Windows Xp screen. They are just going to buy a new one at this time. They want a laptop anyway.
    Still going to try to clean this one up though. install disk, repair, etc. We shall see what happens.
    Len

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Format and reinstall is the fastest and best way to cure

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Quote Originally Posted by morganlefay View Post
    Format and reinstall is the fastest and best way to cure

    MLF
    I agree. You have been fighting this thing for quite some time now... I realize a reformat/reinstall can take a few hours, but that is nothing compared to the time you have invested/will invest in this.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Very true. When you are dealing with a trojan or badly infected machine then a reinstallation is the preferred method.

    I generally use DBAN (Darik's Boot & Nuke) or Eraser to do a one pass wipe (Vista will do this with a full format) before re-installation.

    You might also look at creating a slipstreamed CD/DVD of the OS to save having to download service packs and updates. Try nLite or vLite.

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Quote Originally Posted by raven955i View Post
    Going from bad to worse. Finally got back to this computer. Someone turned it off and now it will not even boot. It keeps restarting right after the Windows Xp screen.
    Sounds like it's got hardware issues too. It's not unusual to run into
    3-4-5-year-old PC's that haven't been serviced and come in with numerous
    issues. We used to call that restarting 'rolling reboots' and most often
    fixed it by running "chkdsk /r c:" from the command prompt. Might
    give that a try if you're desperate enough.




    OK, nihil, you can bash me now for reco'ing chkdsk.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Similar Threads

  1. Trojans - Ports
    By GbinaryR in forum AntiVirus Discussions
    Replies: 11
    Last Post: October 30th, 2008, 09:33 AM
  2. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 09:37 PM
  3. Trojan Horse
    By jin29_neci in forum AntiVirus Discussions
    Replies: 11
    Last Post: November 23rd, 2004, 06:10 PM
  4. The tutorial on Trojan Horse (amost everything)
    By d00dz Attackin in forum The Security Tutorials Forum
    Replies: 1
    Last Post: May 2nd, 2003, 04:47 AM
  5. My firewall block this attempt.. but need info
    By LordChaos in forum Firewall & Honeypot Discussions
    Replies: 19
    Last Post: October 4th, 2002, 11:58 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •