
Multiple threats detected: Win32/Patchload.A, 8000000.c0, other weird stuff happening



#1 baintrees

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 13 December 2011 - 03:50 AM

Hey guys,

All sorts of weird stuff is happening on my PC right now. It started yesterday when AVG and Avira both detected things called Win32/Patchload.A and 8000000.c0 and several other kinds of strange stuff. I ran MS Security Essentials and it found a heap of Win32/Patchload.A and a few other things which I clicked to remove. I rebooted my PC and suddenly MS Security Essentials just won't work any more. It says "Security Essentials isn't monitoring your computer because the program's service stopped. You should restart now." So I click Start Now and it comes up with an error message saying "The specified service does not exist as an installed service. Error code 0x80070424."

Also, Windows Update is now running constantly even though I previously had it set to notify me of updates but not actually download them. I got into the Task Manager and click to end wuauclt.exe but it just restarts itself again after a few seconds.

I ran Malwarebytes Antimalware using the latest update and it found about 8 different strange things so I clicked to remove them and rebooted but the problems are reoccuring. Windows Update is running constantly, MS SecEssentials won't work, AVG keeps throwing up Threat Detection messages and I've had to disable Avira altogether because it was just constantly going off.

Also, I'm running WinPatrol and every few minutes it keeps telling me that something called Watson Subscriber for SENS Network Notifications is trying to add itself to Startup. I keep denying it but it keeps popping up every 10 minutes or so.

Sounds like I've got a pretty serious infection, from what I can gather. Please help!!!

Chaoji

#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 30,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:12 AM

Posted 13 December 2011 - 08:15 AM

Please post the complete results of your last MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd


Please download and scan with the Kaspersky Virus Removal Tool from one of the links provided below and save it to your desktop.
Link 1
Link 2
Link 3
Be sure to print out and read the instructions provided in: How to Install Kaspersky Virus Removal Tool
How to use the Kaspersky Virus Removal Tool to automatically remove viruses
  • Double-click the setup file (i.e. setup_9.0.0.722_22.01.2010_10-04.exe), select your language and install the utility.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If you receive a UAC prompt asking if you would like to continue running the program, you should press the Continue button.
  • At the 'Setup page', click Next, check the box to accept the license agreement and click Next twice more to extract the required files.
  • Setup may recommend to scan the computer in Safe Mode. Click Ok.
  • A window will open with a tab that says Autoscan. Click the green Start scan button on the Autoscan tab in the main window.
  • If malware is detected, you will see the Scan Alert screen.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • After the scan finishes, if any threats are left unneutralized in the Scan window (Red exclamation point), click the Neutralize all button.
  • Place a checkmark in the Apply to all box, and click Disinfect if the button is active.
  • If advised that a special disinfection procedure is required which demands system reboot, click the Ok button to close the window.
  • In the Scan window click the Reports button, choose Critical events and select Save to save the results to a file (name it avptool.txt).
  • Copy and paste the report results of any threats detected. Do not include the longer list marked Events.
  • When finished, follow these instructions on How to uninstall Kaspersky Virus Removal Tool 2011.
-- If you cannot run this tool in normal mode, then try using it in "safe mode".


IMPORTANT NOTE: You say you are using AVG, Avira and MS Security Essentials. Using more than one anti-virus program is not advisable. Why? The primary concern with doing so is due to conflicts that can arise when they are running in real-time mode simultaneously and issues with Windows resource management. Even if one of them is disabled for use as a stand-alone scanner, it can affect the other and cause conflicts. Anti-virus software components insert themselves into the operating system's core and using more than one can cause instability, crash your computer, slow performance and waste system resources. When actively running in the background while connected to the Internet, they both may try to update their definition databases at the same time. As the programs compete for resources required to download the necessary files this often can result in sluggish system performance or unresponsive behavior.

Each anti-virus may interpret the activity of the other as suspicious behavior and there is a greater chance of them alerting you to a "False Positive". If one finds a virus or a suspicious file and then the other also finds the same, both programs will be competing over exclusive rights on dealing with that virus or suspicious file. Each anti-virus may attempt to remove the offending file and quarantine it at the same time resulting in a resource management issue as to which program gets permission to act first. If one anti-virus finds and quarantines the file before the other one does, then you encounter the problem of both wanting to scan each other's zipped or archived files and each reporting the other's quarantined contents. This can lead to a repetitive cycle of endless alerts that continually warn you that a threat has been found when that is not the case.

Anti-virus scanners use virus definitions to check for malware and these can include a fragment of the virus code which may be recognized by other anti-virus programs as the virus itself. Because of this, many anti-virus vendors encrypt their definitions so that they do not trigger a false alarm when scanned by other security programs. Other vendors do not encrypt their definitions and they can trigger false alarms when detected by the resident anti-virus. Further, dual installation is not always possible because most of the newer anti-virus programs will detect the presence of others and may insist they be removed prior to download and installation of another. If the installation does complete with another anti-virus already installed, you may encounter issues like system freezing, unresponsiveness or similar symptoms while trying to use it.

To avoid these problems, use only one anti-virus solution. Deciding which one to remove is your choice. Be aware that you may lose your subscription to that anti-virus program's virus definitions once you uninstall that software.

Anti-virus vendors recommend that you install and run only one anti-virus program at a time. You can always supplement your anti-virus by performing an Online Virus Scan.


Also, I'm running WinPatrol and every few minutes it keeps telling me that something called Watson Subscriber for SENS Network Notifications is trying to add itself to Startup.

Watson Subscriber for SENS (System Event Notification Service) is related to dwtrig20.exe and is used to launch Microsoft Error Reporting (DW20.exe). SENS is a Microsoft service that tracks system events related to Windows logon, network connection status, power changes, bandwidth, etc. It is also used when encountering errors while downloading database definition updates for MSE/Windows Defender so the user can send an error report to Microsoft for analysis.

Using SENS, an application can be notified when network connectivity changes, when available power decreases, when a user logs on/off or when there are changes in cache transmissions and bandwidth. SENS notifies COM+ of these events, which assigns them to any subscribing application (COM+ Event System subscribers). There are various ways to subscribe to SENS notifications. For a more technical explanation on how the SENS notification works, please refer to:

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 baintrees
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 13 December 2011 - 05:04 PM

Thank you for your reply. Here's my latest MBAM log:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8363

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

13/12/2011 9:49:39 PM
mbam-log-2011-12-13 (21-49-39).txt

Scan type: Full scan (C:\|)
Objects scanned: 410499
Time elapsed: 3 hour(s), 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\trav and bec\local settings\application data\4380657d\U\80000000.@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\trav and bec\local settings\application data\4380657d\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\trav and bec\local settings\application data\4380657d\U\800000cf.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access) -> Delete on reboot.


I now have Avira disabled. After I rebooted, AVG detected a threat from WINDOWS\assembly\GAC_MSIL\Desktop.ini again. I just closed the dialogue box, I didn't select "Heal" or anything. I don't want to accidentally allow this virus to disable MBAM or anything.

I have to go to work now, but I'll try that running Kaspersky tool as soon as I get home. I'll report back here in about 12 hours.

Chaoji

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 30,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:12 AM

Posted 13 December 2011 - 09:41 PM

Ok.

#5 baintrees
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:12 PM

Posted 14 December 2011 - 07:59 AM

OK, here's what's happened over the last few eventful hours.

I downloaded and ran Kaspersky. It found about 6 threats and each time a dialog box popped up in the right-hand lower corner of my screen asking me what I wanted to do. Each time, I selected the recommended option (which was sometimes delete and sometimes disinfect) and let it keep doing its thing. After it finished, it basically just rebooted the PC automatically. The computer booted with no threat detection messages from AVG this time, however a strange thing happened: Kaspersky started reinstalling itself automatically, and then gave me two options: resume the scan I had been doing before (which I had assumed was all finished) or start a new scan. I selected "resume." It ran for about another 10 minutes and detected one threat in that time. As soon as it finished, it automatically rebooted the PC, again with no warnings from AVG. However, there are several residual problems with my PC:

* I have no internet access. My Local Area Connection says "Connected", yet Firefox just won't go to any web page. I just get "Server not found" no matter which website I try to browse to. I'm writing this message on my Asus netbook, because strangely, it's able to connect to my wi-fi modem's signal. I'm having no trouble whatsoever surfing on my netbook, but I can't surf at all on my desktop PC. I ran Advanced Windows Care Personal on my desktop PC to see if it would do anything, but it didn't fix the problem. I rebooted my PC and modem a few times but to no avail. I just tried to open my Windows Firewall to see if it was blocking Firefox for some reason. The first message that came up was "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?" I click "Yes" and it says "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service."
* After running the Kaspersky scan, PeerBlock no longer works. I just get an error message that says, "PeerBlock is unable to load the packet filtering driver. This is likely the result of some strange bug. Please report this error, including all information that follows, to the PeerBlock team at http://forums.peerblock.com. Than you for helping us improve PeerBlock!" And then after that:

class win32_error
StartService
1068
The dependency service or group failed to start.

* MS Security Essentials is still totally inoperative.
* Kaspersky seems to have simply disappeared. There's no start menu folder for it, there's no desktop or quicklaunch icon, nothing, so unfortunately I'm unable to post a logfile here because there doesn't seem to be one. I was all prepared to follow your instructions and save a logfile called avptool.txt but I simply didn't get the opportunity.

These are the peculiarities I know of so far. Where to from here?

#6 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 30,747 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:12 AM

Posted 14 December 2011 - 08:54 AM

After running the Kaspersky scan, PeerBlock no longer works.

Most likely Kaspersky detected one of its files as a threat and removed it. PeerBlock is a P2P related program so I'm not surprised and you will probably have to reinstall it.

c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access)

I reviewed the Malwarebytes' log and noted the above entry which I had overlooked the first time.

ZeroAccess (Max++) Rootkit (aka: Sirefef) is a sophisticated rootkit that uses advanced technology to hide its presence in a system and can infect both x86 and x64 platforms. ZeroAccess is similar to the TDSS rootkit but has more self-protection mechanisms that can be used to disable anti-virus software resulting in "Access Denied" messages whenever you run a security application. For more specific information about this infection, please refer to:
You have a serious malware infection. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS log for further investigation.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create two logs.

When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. After doing this, it would be helpful if you replied back in this thread with a link to the new topic so we can close this one.

If HelpBot replies to your topic, please follow Step One so it will report your topic to the team members.

Note: If you can produce at least some of the logs, create a new topic and explain what happened with those logs you tried to create but could not. If you cannot create any of the logs, then still post the topic and explain that you followed the Prep. Guide but were unable to create the required logs. Again, describe what happened when you tried to create them.
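As an added example, not code from this thread or from Malwarebytes, here is a small Python parser for the MBAM 1.x log format posted above. It splits a log into header fields, per-section summary counts and individual findings, then flags the entries a reviewer should not skim past: anything still marked "Delete on reboot" (the scanner could not remove it yet) and anything classified Rootkit.*, which is how the GAC_MSIL\Desktop.ini line in the posted log was overlooked the first time. It also reports sections whose summary count disagrees with the entries actually listed, a sign that a log was pasted incompletely. The sample log embedded in the block is constructed from the one posted in this thread with the profile folder replaced by <user>; the Finding and MbamLog names and the pending/rootkit heuristics are this example's own assumptions, not MBAM's.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log and flag what still needs
attention. Added example for this thread, not Malwarebytes' own tooling."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: the log posted in this thread, trimmed to one empty and
# the two populated sections, with the profile folder replaced by <user>.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.51.2.1300
Database version: 8363
13/12/2011 9:49:39 PM
Scan type: Full scan (C:\|)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent.Gen) -> Value: Shell -> Delete on reboot.

Files Infected:
c:\documents and settings\<user>\local settings\application data\4380657d\U\80000000.@ (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\<user>\local settings\application data\4380657d\U\800000cb.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\documents and settings\<user>\local settings\application data\4380657d\U\800000cf.@ (Backdoor.0Access) -> Quarantined and deleted successfully.
c:\WINDOWS\assembly\GAC_MSIL\Desktop.ini (Rootkit.0Access) -> Delete on reboot.
"""

# MBAM 1.x section names: each appears once as a "Name: <count>" summary line
# and later as a "Name:" heading over the individual entries.
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
KV_RE = re.compile(r"^(?P<key>[^:]+): (?P<val>.+)$")   # "Database version: 8363"
ITEM_RE = re.compile(                                 # "<target> (<name>) -> <action>."
    r"^(?P<target>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

@dataclass
class Finding:
    section: str
    target: str      # file path or registry key/value
    detection: str   # e.g. "Rootkit.0Access"
    action: str      # e.g. "Quarantined and deleted successfully"

    @property
    def pending(self) -> bool:   # MBAM could not remove it yet; deferred to reboot
        return "reboot" in self.action.lower()

    @property
    def rootkit(self) -> bool:   # classified by MBAM as a rootkit component
        return self.detection.lower().startswith("rootkit")

@dataclass
class MbamLog:
    header: dict     # scanner, database and scan metadata
    counts: dict     # summary count per section
    findings: list   # Finding objects in log order

def parse_mbam_log(text: str) -> MbamLog:
    """Split an MBAM 1.x log into header fields, summary counts and findings."""
    header, counts, findings = {}, {}, []
    current = None   # section whose entries are being read, once past the summary
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = line[:-1]
        elif current is not None:
            m = ITEM_RE.match(line)
            if m:    # "(No malicious items detected)" does not match and is skipped
                findings.append(Finding(current, m["target"], m["detection"], m["action"]))
        else:
            kv = KV_RE.match(line)
            if kv and kv["key"] in SECTIONS:
                counts[kv["key"]] = int(kv["val"])
            elif kv:   # any other "key: value" line; free-form lines are ignored
                header[kv["key"]] = kv["val"]
    return MbamLog(header, counts, findings)

def needs_attention(log: MbamLog) -> list:
    """Findings a reviewer should not skim past: deferred removals and rootkit hits."""
    return [f for f in log.findings if f.pending or f.rootkit]

def count_mismatches(log: MbamLog) -> dict:
    """Sections whose summary count disagrees with the entries actually listed,
    as {section: (claimed, listed)}; non-empty means the log was pasted incompletely."""
    listed = Counter(f.section for f in log.findings)
    return {s: (log.counts.get(s, 0), listed[s])
            for s in SECTIONS if log.counts.get(s, 0) != listed[s]}

if __name__ == "__main__":
    log = parse_mbam_log(SAMPLE_LOG)
    print(f"database {log.header.get('Database version')}: {len(log.findings)} findings")
    for f in needs_attention(log):
        print(f"REVIEW  {f.detection:<20} {f.target} -> {f.action}")
    for section, (claimed, seen) in count_mismatches(log).items():
        print(f"WARNING {section}: summary says {claimed}, listed {seen}")
```

Run against the sample, it flags the Winlogon\Shell value and the GAC_MSIL\Desktop.ini file, both still "Delete on reboot", and reports no count mismatch; pasting a log without its summary header or with a section cut off shows up in count_mismatches instead of being silently accepted.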



