Win32/PEPatch virus detected but not removed


13 replies to this topic

#1 mike=)).
Posted 20 February 2009 - 05:13 AM

Hi...

Yesterday evening I had problems with my PC... Windows XP ground to a halt. Task manager showed me that explorer.exe was consuming 100% CPU even though I didn't have anything open.
I rebooted, updated antivir (AVG Free) and firewall (Comodo Pro), and let the usual nightly full-scan run.

This morning checked the results and found 4 infections:

Infections
File;"Infection";"Result"
C:\Program Files\COMODO\Firewall\cmdagent.exe (1272);"Virus found Win32/PEPatch";"Infected"
C:\Program Files\COMODO\Firewall\Repair\heur.cav;"Virus found Win32/PEPatch";"Moved to Virus Vault"
C:\Program Files\COMODO\Firewall\SCANNERS\heur.cav;"Virus found Win32/PEPatch";"Infected"
C:\Program Files\COMODO\Firewall\scanners\heur.cav;"Virus found Win32/PEPatch";"Infected"

I have not attempted to move or remove the infections yet.

I suspect that the Win32/PEPatch may possibly be a false positive, as the late AVG updates have not always been fully trustworthy. But I'd like to check for sure....

Any help would be appreciated, thanks in advance!!

Michael.

(Please let me know if more information is needed - versions, updates etc.)

Edited by mike=))., 20 February 2009 - 05:16 AM.



#2 boopme (Global Moderator)
Posted 20 February 2009 - 12:16 PM

Hello, OK let's get a second opinion..
SAS

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Please ask any needed questions, post the log and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 mike=)). (Topic Starter)

Posted 21 February 2009 - 01:43 AM

..completed!

First a few comments, then the log:

- tip: save the instructions as word or text document on your desktop for easy access in safe mode.
- I have another problem at startup: I get a prompt Windows wants to run chkdsk on C:\. Not wanting to do this (yet), i press the space-bar within 10 seconds to prevent an automatic scan. However, in safe mode I did not get the prompt. So the screen remained black while the scan started. Rebooted then hit the space-bar 'blind' to disable the scan and started fine in safe mode.
- I wanted to save passwords etc, so I checked the box. However only realised later that this applied to firefox only. I usually browse with IE6, meaning I have lost all my passwords. Is there any way to prevent this from happening?
- during the scan I received a message:
SUPERAntiSpyware.exe - Corrupt file
"The file or directory C:\Documents and Settings\{myusername}\Application Data\Comodo\Personal Firewall\Data\ResFiles is corrupt and unreadable. Please run the Chkdsk utility." This may be the reason chkdsk wants to run, but I have very bad experiences with chkdsk. Advice?

Now the log...hmmm... no virus found, only tracking cookies (too much porn Mike, lol). Strange that AVG free didn't find and remove these during the night. Most seem to be firefox related, and I hardly ever use that browser.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/21/2009 at 07:12 AM

Application Version : 4.25.1012

Core Rules Database Version : 3769
Trace Rules Database Version: 1729

Scan type : Complete Scan
Total Scan Time : 01:22:17

Memory items scanned : 229
Memory threats detected : 0
Registry items scanned : 5035
Registry threats detected : 0
File items scanned : 63534
File threats detected : 27

Adware.Tracking Cookie
.image.masterstats.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.apmebf.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
...{etc}...
.adinterax.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.adinterax.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.005.free-counters.co.uk [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.005.free-counters.co.uk [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.www.helpmefindmortgages.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.xiti.com [ C:\Documents and Settings\Michael.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\rib6yohx.default\cookies.txt ]
.avgtechnologies.112.2o7.net [ C:\Documents and Settings\TEMP.OXANABABY-AFEA4\Application Data\Mozilla\Firefox\Profiles\v6g55bcd.default\cookies.txt ]

Edited by mike=))., 21 February 2009 - 10:41 PM.


#4 mike=)). (Topic Starter)

Posted 21 February 2009 - 10:57 PM

One more piece of information:

- AVG free is still finding the same Win32/PEPatch infection
- Comodo firewall is getting requests to let through 'avgscanx.exe' to modify keys in the directories:
COMODO\Firewall\Scanners\heur.cav
HKLM\SYSTEM\ControlSet001\Services\AvgLdx86\Delete

I've checked the avgscanx.exe application, but I can't verify its authenticity. It is not avgscan.exe.
So I'm blocking the requests until I'm sure it's ok.

I'll be checking back here later.
Thanks for your help so far boopme !!

Michael.

#5 boopme (Global Moderator)

Posted 21 February 2009 - 11:05 PM

OK, I'll have to see if I can get a little bit more info on those passwords and the corrupt file.

EDIT: I see from your other post....>> updated antivir (AVG Free). If you have 2 AVs running (both active) you will have conflicts, false positives and slowness.
What version of AVG is running? 7 or 8? avgscanx is apparently the legitimate AVG file but I cannot confirm the actual proper path yet. They changed the executable name a little in the newer version.

Identification
In addition to the file name, avgscanx.exe, the following version information is used to identify the file. If the file does not match this information, it may be a different file.
Vendor contains: AVG Technologies CZ, s.r.o
Product contains: AVG Internet Security
File name contains: AVG\AVG8\

PC Pitstop Analysis
To view version information with Windows Explorer, right-click the file and click Properties, Version.


Run this next from normal mode.. It won't remove passwords and may clear up the other problem.

MBAM:
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Edited by boopme, 21 February 2009 - 11:28 PM.

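The identification check quoted above (vendor, product and install path from the file's version information) can be automated, and it is worth pairing it with the file's Authenticode signature, since version strings are easy to forge. This is an added example, not code from the thread or from PC Pitstop; the AVG values are the ones quoted in the post, the signature check is an addition, and the Comodo vendor/product strings in the second call are assumptions.

```powershell
# Added example: compare an executable's version resource and Authenticode signature with
# the identity expected for it. Expected AVG values are taken from the post above; the
# signature check is an addition. Assumes Windows PowerShell 2.0 or later.
function Test-ExpectedBinary {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$ExpectedVendor   = 'AVG Technologies CZ, s.r.o',
        [string]$ExpectedProduct  = 'AVG Internet Security',
        [string]$ExpectedPathPart = 'AVG\AVG8\'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'missing'; Reasons = @('file not found') }
    }

    $item    = Get-Item -LiteralPath $Path
    $info    = $item.VersionInfo      # FileVersionInfo read from the PE version resource
    $reasons = @()

    # The three fields the post says to compare (Vendor, Product, path fragment).
    if (-not $info.CompanyName -or $info.CompanyName -notlike "*$ExpectedVendor*") {
        $reasons += "CompanyName is '$($info.CompanyName)', expected to contain '$ExpectedVendor'"
    }
    if (-not $info.ProductName -or $info.ProductName -notlike "*$ExpectedProduct*") {
        $reasons += "ProductName is '$($info.ProductName)', expected to contain '$ExpectedProduct'"
    }
    if ($item.FullName -notlike "*$ExpectedPathPart*") {
        $reasons += "location '$($item.FullName)' does not contain '$ExpectedPathPart'"
    }

    # Version strings can be copied by anyone; a valid publisher signature is the stronger check.
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    if ($sig.Status -ne 'Valid') {
        $reasons += "Authenticode status is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedVendor*") {
        $reasons += "signed by '$($sig.SignerCertificate.Subject)', not by '$ExpectedVendor'"
    }

    $verdict = if ($reasons.Count -eq 0) { 'matches expected identity' } else { 'does not match; investigate' }
    [pscustomobject]@{ Path = $item.FullName; Verdict = $verdict; Reasons = $reasons }
}

# The file the firewall prompted about, checked against the AVG identity from the post.
Test-ExpectedBinary -Path 'C:\Program Files\AVG\AVG8\avgscanx.exe' | Format-List

# The Comodo binary AVG flagged; vendor/product strings here are assumed, not from the post.
Test-ExpectedBinary -Path 'C:\Program Files\COMODO\Firewall\cmdagent.exe' `
    -ExpectedVendor 'COMODO' -ExpectedProduct 'COMODO' -ExpectedPathPart 'COMODO\Firewall\' | Format-List
```

A file whose version fields match but whose signature is not 'Valid' is the case to treat as suspicious rather than as confirmed legitimate; an unsigned older build of a product will also show up this way, so check the vendor's release notes before acting on it.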

#6 mike=)). (Topic Starter)

Posted 22 February 2009 - 02:28 AM

Done... see log below.
I guess that leaves the avgscanx.exe issue, and the corrupt file?
(btw it looks like a more recent version of Malwarebytes: 1.34, not v1.32)


Malwarebytes' Anti-Malware 1.34
Database version: 1792
Windows 5.1.2600 Service Pack 2

2/22/2009 8:26:22 AM
mbam-log-2009-02-22 (08-26-22).txt

Scan type: Quick Scan
Objects scanned: 93122
Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Edited by mike=))., 22 February 2009 - 02:30 AM.


#7 boopme (Global Moderator)

Posted 22 February 2009 - 02:34 PM

OK, I think that perhaps uninstalling AVG and Super through Control Panel, then reinstalling both, if you want both, will fix the file issues.

#8 mike=)). (Topic Starter)

Posted 23 February 2009 - 02:39 AM

I'll do that...

...but before doing that, I allowed avgscanx.exe access at the COMODO firewall warning prompt. Reason for this is that the prompt appeared right at the scheduled time for the AVG scan.

The scan now found and moved to the virus vault;
C:\Program Files\COMODO\Firewall\SCANNERS\heur.cav;"Virus found Win32/PEPatch";"Infected"
C:\Program Files\COMODO\Firewall\scanners\heur.cav;"Virus found Win32/PEPatch";"Infected"

and found and didn't move:
C:\Program Files\COMODO\Firewall\cmdagent.exe (1256);"Virus found Win32/PEPatch";"Infected"

cmdagent.exe is a Comodo Agent Service for the Comodo Firewall.
I am guessing there should be a way to check and verify and if necessary replace that particular file?

Thanks again for your help boopme

Michael

PS. cmdagent.exe appears to be responsible for the occasional 100% CPU uses that cause everything else to grind to a standstill. More about that can be found here: https://forums.comodo.com/help_for_v2/cmdag...n-t18341.0.html

Edited by mike=))., 23 February 2009 - 03:17 AM.


#9 mike=)). (Topic Starter)

Posted 27 February 2009 - 04:46 AM

Ok ,I think that perhaps uninstalling thru Control Panel of AVG and Super then reinstalling both, if you want both, will fix the file issues.


The last problem is persisting.

The automatic updater for AVG fails.
Manual updating appears to work, but after completing the required re-boot, and checking the status of the databases, they continue to be out-of-date (17 Feb. 2007). Plus I get an AVG message every few hours: "this system needs a restart" (for the updates to complete installation)

I tried uninstalling AVG thru the control panel without success:

Local machine: installation failed
Installation:
Error: Action failed for file avg.snu: creating backup....
Error 0x80070002 %DESTINATION% = "C:\Program Files\AVG\AVG8\avg.snu.install_backup_1", %SOURCE% = "C:\Program Files\AVG\AVG8\avg.snu"


Super has no "uninstall" option in the control panel.

So I want to uninstall both AVG and Super, then re-install and reset AVG....
I'll check back here later... thanks in advance!!!

#10 boopme (Global Moderator)

Posted 28 February 2009 - 09:59 PM

Hello, sorry to get back so late, I was out of the country. SAS should have an Uninstall in All Programs..

If still no good try running Revo Uninstaller

#11 mike=)). (Topic Starter)

Posted 01 March 2009 - 01:12 AM

Welcome back!!

SAS is now removed, but I'm still stuck with the AVG update issue, and the Win32/PEPatch virus issue.
It seems that AVG is partially uninstalled, as the icon is no longer in the tray, and I no longer get the "update/restart PC" messages. However, the nightly scans still continue, still with the same results. And the databases are out of date.

#12 boopme (Global Moderator)

Posted 01 March 2009 - 12:13 PM

Thanks, well it seems this malware is being protected and we will need to use the tools in the HJT forum.

So now we need to run HJT.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if you were successful in posting.

#13 mike=)). (Topic Starter)

Posted 01 March 2009 - 02:18 PM

DDS tool used and logs created. Posted here:

http://www.bleepingcomputer.com/forums/t/207516/win32pepatch-virus-avg-free-update-problem/

I have not run a hijackthis scan yet...

thanks for your help so far Boopme!!!

Michael

Edited by mike=))., 01 March 2009 - 02:19 PM.


#14 boopme (Global Moderator)

Posted 01 March 2009 - 02:43 PM

That's good they will tell you what to do next.
Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Post in this thread when you haven't received an answer in five days.".

To avoid confusion, I am closing this topic.



