
Hi, Need Help removing a virus found



#1 benko916

Posted 19 August 2010 - 02:11 AM

Hi, I have had the best luck and service with this website, please help!!! I am not very good with computers but you guys are always really good with helping me and getting me to understand.

THE PROBLEM


I have AVG Internet Security currently installed on my PC and it keeps detecting a few viruses I have never seen before. The resident shield keeps popping up telling me "THREAT DETECTED" like every 10 seconds. The threats detected are...

"C:\WINDOWS\system32\winlogon.exe (928)";"Virus identified Win32/Patched.FM";"Reboot is required to finish the action"
"C:\WINDOWS\system32\winlogon.exe";"Virus identified Win32/Patched.FM";"Object is white-listed (critical/system file that should not be removed)"
"C:\WINDOWS\Explorer.EXE (2608)";"Virus identified Win32/Patched.FL";"Reboot is required to finish the action"
"C:\WINDOWS\explorer.exe";"Virus identified Win32/Patched.FL";"Object is white-listed (critical/system file that should not be removed)"
"Trojan horse BackDoor.Agent.AIDW";"c:\System Volume Information\_restore{F97D5EF5-E711-4274-96A9-2891900E8C83}\RP576\A0126381.dll";"Moved to Virus Vault";"8/19/2010, 12:15:11 AM";"file";"C:\Program Files\Malwarebytes' Anti-Malware\mbam11.exe"

No matter what I do I can not get rid of them. My resident shield has over 250 messages all saying the same thing. I am going crazy!! Please Help me!!! Every 10 seconds it keeps popping up telling me about these threats.

I start college again in 5 days and this is my only PC, please help me.

Thank you for your time, all the help is much appreciated!!!

I hope to hear from you guys soon,

I have MBAM but it will not update. AVG did update successfully but MBAM will not, my PC will not do a system restore, I never get viruses so this is all new to me. Please help, and thank you.

Sincerely your friend and biggest Fan,

Patrick Benko

I have read the other posts on this subject but have not tried any because I am not good with PCs and I do not want to mess anything else up. All the help would be amazing!!!

Edited by Blade Zephon, 19 August 2010 - 09:02 AM.
Move to AII. ~BZ



#2 DreadTech

Posted 19 August 2010 - 08:04 AM

If you can get online at all, try downloading Avast Home and run a boot-time scan; that may help your cause.

#3 benko916 (Topic Starter)

Posted 19 August 2010 - 04:00 PM

Thank you for your response, unfortunately the Avast boot time scan did not work. My PC does not shut down or lock up. My AVG resident shield just keeps popping up every 10 seconds telling me I am infected... Really annoying. I need help lol. Thank you again for your reply and help :thumbsup: Much appreciated!!

#4 Kerbysaki

Posted 19 August 2010 - 04:49 PM

You have to boot to recovery and expand winlogon.ex_
This is done using the Windows disk, assuming you have XP.
Choose the recovery console and at the prompt type expand D:\i386\winlogon.ex_ c:\windows\system32\
Assuming your CD/DVD drive is D:
"""Next remove the disk and slave it to another computer, remove c:\windows\EXPLORER.EXE and replace it with the one from the Windows XP disk. Copy the EXPLORER.EX_ from the i386 folder of the XP disk and rename it to .exe <- in order to do this you have to have "show extensions of known file types" checked in folder options, or be in cmd/DOS.
Once this is done you want to delete the actual virus, which in my case was whaqilizo and found in the Windows directory.""" <- Might be able to do this with UBCD but it takes so long to load; easier to slave the drive to a USB enclosure if you're in a shop environment...
Anyway I will give more detailed instructions tomorrow, it's time to go home.

I did run my homemade SSDT viewer and it doesn't appear to be a rootkit, but the whaqizilo file is loaded when either AVG, ComboFix or MBAM removes the rootkit.

It looks to be a toddler version of a previous rk which if i recall was tdss variant.

Anyone want to let me know if they found whaqilizo as well? Or if theirs was a random name gen. Just sort the Windows dir by date when it first comes up or check the ComboFix log. It logs it but doesn't detect it yet.

Edited by Kerbysaki, 19 August 2010 - 05:04 PM.


#5 rikdewinter

Posted 19 August 2010 - 06:19 PM

I have the same virus. It is also called Patched.fm, and is also mainly a problem because AVG keeps nagging about it. It has infected explorer.exe and winlogon.exe. I tried to replace them with the same files from another PC, but that of course doesn't work (should've known, explorer.exe is being used by the computer, so it can't be replaced, and you can't turn it off, because then you get a blank screen, with only a mouse arrow), so I'm guessing that the whole booting process is used to bypass that problem. Now, you may notice I'm not that good with computers, so that booting process is a problem for me. I could really use someone to explain it to me, like I'm a three-year-old :thumbsup:

Thank you

Edited by rikdewinter, 19 August 2010 - 06:21 PM.


#6 Kerbysaki

Posted 19 August 2010 - 08:49 PM

At my time of writing this there is no defense or removal tool built for this since it's a 0-day virus. If you don't do this for a living you can really screw up your PC trying to manually remove this. I wrote this for other techs who know their way around a registry and know what they are doing. If you don't know what you're doing take it to a shop; if you delete one wrong system file you're hosed and will be taking it there anyway.


OK, so you're infected with this W32/Patched.FM or .FL. Here it is in detail.
You will find upon reboot that you will get a BSOD of winlogon.exe.
The reason your AVG is constantly going off is the virus is overwriting explorer.exe and winlogon.exe, reinfecting it.
You will need to boot with the UBCD and open a command prompt.
You need to type cd c:\ then type cd\ which will root you to C:\, then type cd windows which should bring you to a prompt of c:\windows.
You will type del explorer.exe and hit enter. You shouldn't get an error, just another c:\windows.
Type cd system32, hit enter and you should be in c:\windows\system32.
Type del winlogon.exe, hit enter. You shouldn't get an error, just a c:\windows\system32.
This removes the infected files.
Now we expand the new files.
On the desktop you will see what drive letter your CD is; for this we are going to call it d:\ but yours may be different.
From the command prompt type cd d:\i386 and hit enter.
Type expand d:\i386\explorer.ex_ c:\windows\ and hit enter; you shouldn't get an error.
Type expand d:\i386\winlogon.ex_ c:\windows\system32\ and hit enter; you shouldn't get an error.
This will allow a safe mode boot.
From safe mode navigate with Explorer to the Windows directory.
Sort by date modified and near the top you will find the virus name. Mine was named whaqilizo.

The payload was not found in the registry


I would like to know if any other infections are named whaqilizo or if the coder used a random name gen script. I have a C code SSDT rootkit viewer custom built by me, and this doesn't appear to be a rootkit but rather to use one as a payload delivery system.

Edited by Kerbysaki, 20 August 2010 - 10:58 AM.


#7 boopme (Global Moderator)

Posted 19 August 2010 - 10:53 PM

Hello. Firstly, please do not use ComboFix on your own.

ComboFix usage, Questions, Help? - Look here

It is also against forum rules, see... How do I get help? Who is helping me?, What advice can be given in this forum


I would like you to Run an online scan

ESET
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Eset Smart Installer icon on your desktop.
  • Check the "YES, I accept the Terms of Use"
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats"
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the "< button.
  • Push Finish
In your next reply, please include the following:
  • Eset Scan Log


NOTE: In some instances if no malware is found there will be no log produced.

#8 rikdewinter

Posted 20 August 2010 - 08:32 AM

Right, I have my ESETlog for you.


C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E1HSUCTZ\upgrade[1].cab a variant of Win32/Adware.OneStep application deleted - quarantined
C:\Program Files\Everest Poker\cstart-tmp.exe a variant of Win32/Casino application cleaned by deleting - quarantined
C:\Program Files\Everest Poker\CStart.exe a variant of Win32/Casino application cleaned by deleting - quarantined
C:\Program Files\Everest Poker\Everest Poker.exe a variant of Win32/Casino application cleaned by deleting - quarantined
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DT trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\Temp\KEE18.tmp\upgrade.exe a variant of Win32/Adware.OneStep application deleted - quarantined

So as you can see, the only thing that did was mess up Everest Poker..

By the way, if anyone needs a fast way to check if the virus is still there, without being warned by avg every 10 seconds, press ctrl+alt+delete, search for the only avg-something-something with "administrator" behind it, and end that process. Now if you start up avg again, the warnings appear again, but if you close the screen, the messages stop returning.

Edited by rikdewinter, 20 August 2010 - 08:37 AM.


#9 benko916 (Topic Starter)

Posted 25 August 2010 - 12:45 AM

Thank you for replying. I started school and that's why I haven't responded sooner. I tried to reinstall a new version of Windows that my friend gave me, but for some reason now it is saying the Windows is not validated. In my next post I will include the scan results. Sorry it took me so long. Running the scan now; will edit this post once the scan is complete. I'm off tomorrow and have all day to try and remove this bug. Thank you again, I will edit this post once the scan completes and post the log. I hope you didn't forget about me. Here is the log....

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=aa245e23e0fa3347b0be5efa21e099c4
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-25 06:29:10
# local_time=2010-08-24 11:29:10 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=1031 16777173 100 93 0 5484156 0 0
# compatibility_mode=6143 16777215 0 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=73675
# found=4
# cleaned=1
# scan_time=2411
C:\WINDOWS\explorer.exe Win32/Patched.FQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DT trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\winlogon.exe Win32/Patched.FQ trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Patched.FQ trojan 00000000000000000000000000000000 I

I hope this is the log you wanted; it never said to export the log, it just had the purchase or 30-day trial in it. This was the only log in the program files... I hope this is right. Thank you, I'll check back in a few hours to see if I have a reply. Thank you again!!!

Edited by benko916, 25 August 2010 - 01:35 AM.
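An added example (my own code, not from any poster in this thread) that parses the ESET Online Scanner text log in the format quoted above, so the "unable to clean" entries that still need offline repair can be pulled out programmatically instead of read by eye. The embedded sample log is constructed from the lines in the post; the line layout (object, detection name, optional action in parentheses, 32-hex digest, status letter) is an assumption drawn from that log.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ESET Online Scanner log quoted in
# the thread: "# key=value" header lines, then one line per finding.
SAMPLE_LOG = """\
# scanned=73675
# found=4
# cleaned=1
C:\\WINDOWS\\explorer.exe Win32/Patched.FQ trojan (unable to clean) 00000000000000000000000000000000 I
C:\\WINDOWS\\system32\\hlp.dat Win32/Bamital.DT trojan (cleaned by deleting (after the next restart) - quarantined) 00000000000000000000000000000000 C
C:\\WINDOWS\\system32\\winlogon.exe Win32/Patched.FQ trojan (unable to clean) 00000000000000000000000000000000 I
${Memory} Win32/Patched.FQ trojan 00000000000000000000000000000000 I
"""

@dataclass
class Finding:
    obj: str        # file path, or ${Memory} for an in-memory detection
    detection: str  # e.g. "Win32/Patched.FQ trojan"
    action: str     # text in parentheses, empty if the scanner took none
    status: str     # trailing letter: "I" = still infected, "C" = cleaned

# Assumed finding layout: <object> <detection> [(<action>)] <32 hex> <status>
# Anchoring the detection on "Family/Name <type>" (optionally prefixed with
# "a variant of") lets object paths contain spaces, e.g. C:\Program Files\...
FINDING_RE = re.compile(
    r"^(?P<obj>.+?) (?P<det>(?:a variant of )?\S+/\S+ \S+)"
    r"(?: \((?P<act>.*)\))? [0-9a-fA-F]{32} (?P<st>[A-Z])$"
)

def parse_eset_log(text):
    """Return (header dict, list of Finding) for one ESET text log."""
    header, findings = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, val = line[1:].strip().partition("=")
            header[key] = val
            continue
        m = FINDING_RE.match(line)
        if m:
            findings.append(Finding(m["obj"], m["det"], m["act"] or "", m["st"]))
    return header, findings

def still_infected(findings):
    # Objects the scanner could not clean: these are what still need offline repair.
    return [f.obj for f in findings if f.status == "I"]
```

Comparing `len(findings)` with the header's `found` value is a quick check that no line was skipped by the regex.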


#10 benko916 (Topic Starter)

Posted 25 August 2010 - 02:12 AM

When I restarted after running that scan, my PC will not let me log in. It says Fatal Error, Log in information has been terminated... I am using another PC in the house.. So it looks like my PC is toast. Won't even load up the log in screen...
