
Detected Virus cannot be eliminated


  • This topic is locked
1 reply to this topic

#1 healer

healer

  • Members
  • 38 posts
  • OFFLINE
  • Local time:12:59 PM

Posted 19 April 2009 - 03:13 AM

I have just updated from AVG8 to AVG8.5 on my laptop running on XP Home system. When doing a complete scan after update on my computer I found the following viruses that cannot be eliminated. I used to take the hard drive out and connect to another computer and then run the anti-virus program for cleaning. I wonder if I need to be that drastic this time. In fact I never saw such stubborn viruses and wonder if I can remove them without reinstalling whole computer. When I had AVG8 before I didn't have the resident shield running. That was probably why I got the attack, I suppose. Is there any way I can eliminate them in situ?

They attached to the following files:
Windows\explorer.exe
Windows\System32\spoolsv.exe
Windows\System32\services.exe
Windows\System32\svchost.exe
Windows\System32\lsass.exe
Windows\System32\winlogon.exe

Below is some of what I exported from the program.
Resident Shield detection
Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\winlogon.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:54:30 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\svchost.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:53:23 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\spoolsv.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:53:07 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\lsass.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:48:14 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\explorer.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:38:10 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

Edited by Pandy, 19 April 2009 - 09:14 AM.
Moved from AntiVirus, Firewall and Privacy Products and Protection Methods ~Pandy
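The Resident Shield export quoted above is a semicolon-delimited CSV with quoted fields and day/month/year timestamps. Its key triage point is the Result column: "Object is white-listed" means the scanner recognised the file as infected but refused to touch it, so those detections are unresolved rather than cleaned. The following parser and triage summary is an added example, not code from the thread or from AVG; the five sample lines are copied from the post as constructed input, and the function names are my own.

```python
import csv
import io
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample: the five Resident Shield lines quoted in the post above.
SAMPLE_EXPORT = r"""Infection;"Object";"Result";"Detection time";"Object Type";"Process"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\winlogon.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:54:30 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\svchost.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:53:23 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\spoolsv.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:53:07 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\system32\lsass.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:48:14 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
Trojan horse Win32/PEPatch.AO;"C:\WINDOWS\explorer.exe";"Object is white-listed (critical/system file that should not be removed)";"19/04/2009, 5:38:10 PM";"file";"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
"""

# Result text AVG uses when it detects but deliberately does not clean a file.
WHITELIST_PREFIX = "Object is white-listed"
TIME_FORMAT = "%d/%m/%Y, %I:%M:%S %p"   # e.g. "19/04/2009, 5:54:30 PM"


def parse_export(text: str) -> List[Dict[str, object]]:
    """Parse a Resident Shield export into dict rows; 'Detection time' becomes a datetime."""
    reader = csv.reader(io.StringIO(text.strip()), delimiter=";", quotechar='"')
    header = next(reader)
    rows: List[Dict[str, object]] = []
    for fields in reader:
        if len(fields) != len(header):
            continue  # skip blank or truncated lines rather than mis-align columns
        row: Dict[str, object] = dict(zip(header, fields))
        row["Detection time"] = datetime.strptime(str(row["Detection time"]), TIME_FORMAT)
        rows.append(row)
    return rows


def triage(rows: List[Dict[str, object]]) -> Dict[str, object]:
    """Summarise what was detected, what was left in place, and who triggered the scan."""
    not_cleaned = [str(r["Object"]) for r in rows
                   if str(r["Result"]).startswith(WHITELIST_PREFIX)]
    # Infected files under the Windows directory: the scanner will not repair these,
    # so the responder must plan for offline repair or a rebuild.
    system_files = [p for p in not_cleaned if p.lower().startswith("c:\\windows\\")]
    times = sorted(r["Detection time"] for r in rows)  # type: ignore[type-var]
    return {
        "families": dict(Counter(str(r["Infection"]) for r in rows)),
        "not_cleaned": not_cleaned,
        "patched_system_files": system_files,
        "triggering_processes": dict(Counter(str(r["Process"]) for r in rows)),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        # A white-listed verdict is not a clean verdict: the infection is still there.
        "unresolved": bool(not_cleaned),
    }


if __name__ == "__main__":
    summary = triage(parse_export(SAMPLE_EXPORT))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The "Process" column records which program was reading the file when Resident Shield fired; here it is the on-demand anti-spyware scanner touching each system binary, not the infection itself. The summary's `unresolved` flag is what answers the poster's question: every detection was left in place, which is why a repeat scan keeps reporting the same files.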


#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:59 PM

Posted 19 April 2009 - 10:44 AM

I see you posted a log to malware removal after posting here:
http://www.bleepingcomputer.com/forums/t/220569/trojan-horse-win32pepatchao/

To avoid confusion, this thread will be closed as soon as I contact a moderator.

I've glanced over your log and can tell you that there are signs of a very serious infection, so the malware removal forum is the best place for your issue. Unfortunately I don't have time to commit to working your topic there, but it appears to be a variant of, or kin to, the Gromozon rootkit that involves a type of file that is very tough to remove. It can be done, but not every malware removal specialist knows how--I just looked at a couple of topics in other forums where the key file was overlooked or it was given up on deleting and they moved on to doing a repair install of Windows or a reformat.

So be prepared for a reformat--that may be your best bet anyway. In addition to the likely infection, you have installed four or five registry cleaners which usually hurts more than it helps and makes recovery even harder than it should be. Don't believe the advertising out there, when you have a problem or error, try to find out what is causing it first instead of just running a reg cleaner.

This is why we always advise that you not make any changes to your system--such as running reg cleaners. Also, as you probably already know, don't attempt to delete any of the following files, as they are important system files:

Windows\explorer.exe
Windows\System32\spoolsv.exe
Windows\System32\services.exe
Windows\System32\svchost.exe
Windows\System32\lsass.exe
Windows\System32\winlogon.exe

Windows File Protection probably wouldn't let you delete them anyway. A "Patch" malware usually means that more code has been added to an existing file--that's the patch.

If I were you I would be spending the time backing up important data--prepare for the worst and hope for the best.

The thing about people

is they change

when they walk away.--Mipso
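Papakid's description of a "Patch" infection (extra code added to an existing system file) maps onto two checks a responder can run on a suspect binary: compare its hash against a known-good baseline taken from clean media, and look for bytes sitting past the end of the last section recorded in the PE section table, which is where appended code most often lands. The following is an added illustration, not code from the thread, from AVG or from Microsoft; it builds a constructed minimal PE32 image in memory (not a real Windows file) so it runs offline, and the function names, the `tamper_append_overlay` stand-in and the baseline value are my own assumptions.

```python
import hashlib
import struct
from typing import Dict, List, Optional

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def build_minimal_pe() -> bytes:
    """Constructed PE32 image with one .text section; a stand-in for a clean system file."""
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # e_lfanew -> 0x40
    opt_header_size = 224                                               # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_header_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_header_size - 2)
    raw_ptr = 0x40 + 4 + 20 + opt_header_size + 40                     # after one section header
    raw_size = 0x100
    section = struct.pack("<8sIIIIIIHHI", b".text", raw_size, 0x1000, raw_size, raw_ptr,
                          0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return dos_header + b"PE\x00\x00" + coff + optional + section + b"\xC3" * raw_size


def parse_sections(data: bytes) -> List[Dict[str, int]]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: missing PE signature")
    coff_off = e_lfanew + 4
    _machine, num_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    table_off = coff_off + 20 + opt_size
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table_off + 40 * i)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "raw_ptr": raw_ptr, "raw_size": raw_size, "characteristics": chars})
    return sections


def analyse(data: bytes, baseline_sha256: Optional[str] = None) -> Dict[str, object]:
    """Flag appended data past the last section, W+X sections, and baseline hash mismatch."""
    sections = parse_sections(data)
    end_of_sections = max((s["raw_ptr"] + s["raw_size"] for s in sections), default=0)
    overlay_bytes = max(0, len(data) - end_of_sections)
    wx_sections = [s["name"] for s in sections
                   if s["characteristics"] & IMAGE_SCN_MEM_WRITE
                   and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE]
    digest = hashlib.sha256(data).hexdigest()
    matches = (digest == baseline_sha256) if baseline_sha256 else None
    return {
        "sha256": digest,
        "section_count": len(sections),
        "overlay_bytes": overlay_bytes,
        "writable_executable_sections": wx_sections,
        "hash_matches_baseline": matches,
        "suspicious": overlay_bytes > 0 or bool(wx_sections) or matches is False,
    }


def tamper_append_overlay(data: bytes, size: int = 64) -> bytes:
    """Constructed stand-in for file tampering: bytes appended beyond the section table's reach."""
    return data + b"\xCC" * size


if __name__ == "__main__":
    clean = build_minimal_pe()
    baseline = str(analyse(clean)["sha256"])   # in practice: hash taken from clean install media
    for label, blob in (("clean", clean), ("tampered", tamper_append_overlay(clean))):
        print(label, analyse(blob, baseline))
```

Two caveats when using this on real files: an overlay is not proof of infection on its own, because Authenticode-signed binaries legitimately carry the certificate table after the last section, so pair the structural check with signature verification (`Get-AuthenticodeSignature` in PowerShell, or Sysinternals `sigcheck`); and the baseline hash must come from known-good media or a clean reference machine, never from the suspect system, which is exactly why Papakid suggests preparing for a rebuild.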
