I seem to be infected by Trojan win 32/patched.gb


27 replies to this topic

#1 alligator

  • Members
  • 19 posts

Posted 16 January 2011 - 12:23 PM

I am having a real problem and could use some help. I would appreciate any you could give me. Don't hesitate to talk to me as a total incompetent. When it comes to computers, I'm pretty helpless.

I started receiving alerts from my AVG free edition 2011 about six days ago. They say I have Trojan win 32/patched.gb and that it is whitelisted. I ran Mbam, and it found and removed one Trojan. I thought that would fix it, but the alerts from AVG keep popping up. I have run Mbam three more times, and it finds nothing more. I also downloaded and ran Superantispyware and Smitfraudfix. Both found and cleaned many things, but the AVG alerts have not stopped. I tried to download and run DDS and GMER, but my computer locked up mid-scan on both and required a hard shutdown. I am attaching the Mbam log from when it found and removed the Trojan. Please help me if you can, Thank You.


Here is the Mbam log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5497

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/10/2011 2:46:36 PM
mbam-log-2011-01-10 (14-46-35).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 206596
Time elapsed: 1 hour(s), 18 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\dell c610\application data\Sun\Java\deployment\cache\6.0\40\10711a28-4db49f56 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 January 2011 - 04:00 PM

Good evening. :)

Don't hesitate to talk to me as a total incompetent.

Du'h, are you sure that you aren't mistaking an Xbox for a PC?? :blink: :whistle:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Cheap amusement aside, and it's the only form I specialise in, when AVG tells you that it has detected an infection, does it give any filename(s) as well?

So long, and thanks for all the fish.

#3 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 17 January 2011 - 04:39 PM

Thanks for replying.

All AVG has said is the alert from resident shield: Trojan win 32/patched.gb, but I haven't run a separate full scan with it. Should I?

Malwarebytes said:

c:\documents and settings\dell c610\application data\Sun\Java\deployment\cache\6.0\40\10711a28-4db49f56 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Since it removed that, it has not found anything.

I wish I could run DDS and GMER, but I have tried 15 or more times now. They seem to make it 3/4 of the way through each time and then freeze up. I have run Defogger and turned off every script blocker I know of, but still the same results. Maybe there is a script blocker I can't find.

#4 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 17 January 2011 - 06:54 PM

Please download SystemLook by jpshortstuff from one of the links below and save it to your Desktop:

  • Linky #1
  • Linky #2

  • Double-click SystemLook.exe to run it.
  • Copy the contents of the following codebox into the main textfield:


    :filefind
    explorer.*
    hlp.dat
    nt.dll
    winlogon.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan - the log can also be found on your Desktop entitled SystemLook.txt
  • Please post the contents of this log in your next reply.

So long, and thanks for all the fish.

#5 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 17 January 2011 - 07:13 PM

Here is the SystemLook log:


SystemLook 04.09.10 by jpshortstuff
Log created at 19:04 on 17/01/2011 by Dell C610
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.*"
C:\WINNT\explorer.exe --a---- 1033728 bytes [12:00 28/02/2006] [00:12 14/04/2008] 5C6DF4D9091F6551A60E8AACE7B1B07D
C:\WINNT\explorer.scf --a---- 80 bytes [12:00 28/02/2006] [12:00 28/02/2006] A3975A7D2C98B30A2AE010754FFB9392
C:\WINNT\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [13:19 21/10/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINNT\SoftwareDistribution.old\Download\3c0bacd63e67d049a438275fd7b87f25\explorer.exe --a---- 1033728 bytes [22:09 08/06/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINNT\SoftwareDistribution.old\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe --a---- 1033216 bytes [10:23 13/06/2007] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINNT\SoftwareDistribution.old\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe --a---- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658

Searching for "hlp.dat"
No files found.

Searching for "nt.dll"
C:\WINNT\system32\nt.dll --a---- 3584 bytes [12:00 28/02/2006] [00:12 14/04/2008] D5908FF5B042AB21B931E7173BA1408B

Searching for "winlogon.*"
C:\WINNT\security\logs\winlogon.log --a---- 872820 bytes [13:17 30/05/2008] [14:41 17/01/2011] 2E55F0F81950C4B1649CB3D78B6E2311
C:\WINNT\ServicePackFiles\i386\winlogon.exe -----c- 507904 bytes [13:15 21/10/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINNT\SoftwareDistribution.old\Download\3c0bacd63e67d049a438275fd7b87f25\winlogon.exe --a--c- 507904 bytes [22:14 08/06/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINNT\system32\winlogon.exe --a---- 507904 bytes [12:00 28/02/2006] [00:12 14/04/2008] D2E35BCDFBAB9D0390F140E6B50DB6C6

-= EOF =-
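
A check that reproduces what the helper is reading out of that log, added here as an example and not part of the thread: it parses SystemLook filefind lines (the four relevant lines from the log above are embedded as the sample) and flags any in-use file whose MD5 differs from the ServicePackFiles copy of the same name and size, which is how an in-place Win32/Patched modification shows up. Function and variable names are my own, not SystemLook's.

```python
import ntpath
import re

# Constructed sample: four "filefind" lines copied from the SystemLook log in post #5.
SYSTEMLOOK_LOG = r"""Searching for "explorer.*"
C:\WINNT\explorer.exe --a---- 1033728 bytes [12:00 28/02/2006] [00:12 14/04/2008] 5C6DF4D9091F6551A60E8AACE7B1B07D
C:\WINNT\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [13:19 21/10/2010] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.*"
C:\WINNT\ServicePackFiles\i386\winlogon.exe -----c- 507904 bytes [13:15 21/10/2010] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINNT\system32\winlogon.exe --a---- 507904 bytes [12:00 28/02/2006] [00:12 14/04/2008] D2E35BCDFBAB9D0390F140E6B50DB6C6
"""

# SystemLook filefind line layout: path  attributes  size bytes  [modified]  [created]  MD5
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_filefind(text):
    """Return one dict per file line of a SystemLook filefind section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            entries.append(entry)
    return entries


def find_patched(entries, cache_marker="\\servicepackfiles\\"):
    """Flag in-use files whose MD5 differs from the same-name, same-size copy
    in ServicePackFiles. An in-place patch keeps the size, so a size match with
    a hash mismatch is the tell; a different size is usually just another build."""
    clean = {ntpath.basename(e["path"]).lower(): e
             for e in entries if cache_marker in e["path"].lower()}
    flagged = []
    for e in entries:
        if cache_marker in e["path"].lower():
            continue  # the cached copy is the reference, not a candidate
        ref = clean.get(ntpath.basename(e["path"]).lower())
        if ref and ref["size"] == e["size"] and ref["md5"] != e["md5"]:
            flagged.append({"path": e["path"], "md5": e["md5"],
                            "clean_path": ref["path"], "clean_md5": ref["md5"]})
    return flagged
```

Running `find_patched(parse_filefind(SYSTEMLOOK_LOG))` on the sample returns both C:\WINNT\explorer.exe and C:\WINNT\system32\winlogon.exe, the two files the helper goes on to replace.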

#6 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 January 2011 - 02:32 PM

Good evening. :)

Do you have a flashdrive you could empty and use to install a little operating system to or failing that a blank disc you could burn the same to?

So long, and thanks for all the fish.

#7 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 18 January 2011 - 04:14 PM

I have an empty one GB flash drive, Noviciate. I also have another computer if it would be better to download the operating system separately from my infected one.

#8 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 18 January 2011 - 04:59 PM

Grand - I'd use the clean machine, just as it cuts down on potential issues.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to your Desktop.
  • Insert your USB drive.
  • Click Start > My Computer, right click your USB drive and select Format > Quick format.
  • Double click the unetbootin-xpud-windows-latest.exe file that you just downloaded.
  • Click Run then OK - this will install a little bootable OS on your USB.
  • After it has completed, do not choose to reboot the clean computer; simply close the installer.

I'm a little tied up for the rest of this evening, but if you get the flashdrive up and running, I'll sort the rest of the instructions out and let you have them last thing tonight if I get the time, or tomorrow if not.

So long, and thanks for all the fish.

#9 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 18 January 2011 - 06:54 PM

Noviciate, I think I have the file on the flash drive. I wanted to double check: I was not to save the second file, the xPUD one, to the flash drive as well, right?

I appreciate all you have already done. Don't feel rushed by me. Whenever you can get to me is fine.

#10 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 January 2011 - 02:27 PM

Good evening. :)

I was not to save the second file, the xPUD one, to the flash drive as well, right?

Not sure what you are asking here. You save both files to your Desktop, insert your flashdrive and then run unetbootin-xpud-windows-latest.exe.
Once that has completed its task, the job is done and whatever you find on your desktop you can delete. The files on your flashdrive comprise the little operating system that you are about to use to fix your issues - see below.

The first part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work. If it doesn't, let me know and we'll go for a different angle.
  • If necessary insert the USB stick into the sick PC and then boot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB before Windows starts loading.
  • Follow the prompts
  • A Welcome to xPUD screen will appear

Assuming that you get this far, the rest is simply a version of actions you've no doubt carried out on Windows since you got the PC in the first place, just with a little Linux twist.

  • Click the File icon on the left.
  • Expand mnt by clicking the little arrow to its left. I want you to identify the folder that corresponds to your hard drive, which is probably sda1, and double click it to open it.
  • Once you get that folder open, the contents will be those of your main drive - usually C:\.
  • The first file you want is: WINNT\ServicePackFiles\i386\explorer.exe - this is a clean copy of your infected one.
  • I want you to right click it and copy it - we'll keep the original where it is, just in case we need another copy for any reason.
  • You then need to go back to the WINNT folder and locate the existing copy of explorer.exe
  • Right click it and rename it to explorer.old - again we are keeping it safe, but disabled, just in case.
  • Now right click and paste the clean copy of explorer.exe into the same folder.
  • Now you need to go back and get a second file: WINNT\ServicePackFiles\i386\winlogon.exe and, again, copy it.
  • This time you need to head to the WINNT\system32 folder, locate winlogon.exe and rename it winlogon.old.
  • Paste the clean copy of winlogon.exe into the same folder and Bob should be your Auntie's husband.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and boot your PC into Normal Mode and let me know what happens.

So long, and thanks for all the fish.

#11 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 19 January 2011 - 04:08 PM

Good evening, Noviciate.

I am having troubles getting the computer to load from the flash drive. The drive shows as being recognized by the system; however, when I try to boot using f12, what I get is the following menu choices:

Internal HDD
CD/DVD/CD-RW Drive
Cardbus NIC
Onboard NIC
Diagnostics

I have tried most of these, but Windows just boots normally. Any suggestions?

I have looked at the flash drive, and it has one file on it "vesamenu.c32"

By the way, in a former life, I taught in London for a semester and a summer. I found that "Bob's your uncle" means about the same as the American "You can't miss it." Unfortunately, if there is a wrong turn to take, I usually seem to take that one, no matter which side of the road I am driving on.

I appreciate your patience.

#12 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 19 January 2011 - 05:27 PM

I have looked at the flash drive, and it has one file on it "vesamenu.c32"

Ooops! I guess that the reason all is not well is the lack of files on your flashdrive. I suggest you go back to the beginning, download the two files again in case one or other was corrupt, wipe the flashdrive again and reinstall xPUD as per the instructions.
You should see a few more files and folders, although as I don't have a flashdrive to hand with it on, I can't say how many exactly - more than one though!

So long, and thanks for all the fish.

#13 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 19 January 2011 - 07:19 PM

Well, Noviciate,

I have tried six times total and used three different computers. I only get the one file saved to the flash drive, "vesamenu.c32." It is 142 kb, and I get no f12 menu choice for the flash drive when I try to boot. I don't know what is causing the problem. I'm starting to look for a heavy-duty trash bag.

#14 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 20 January 2011 - 03:12 PM

Good evening. :)

Confession time - wrong set of instructions! Sorry :whistle: . The installer has been updated since I wrote that set and stupidly I haven't kept up. The following should work as I've just run through them myself:

  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox.
  • Browse to and then select the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify that the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.

Let me know if this leaves your flashdrive slightly more populated than previously. Sorry again.

So long, and thanks for all the fish.

#15 alligator

  • Topic Starter
  • Members
  • 19 posts

Posted 20 January 2011 - 05:26 PM

Good evening, and thanks for the new instructions, Noviciate. The good news is that I now have the files on my flash drive; the bad news is that, when I try to do a reboot using f12, I get exactly the same menu that I sent you before with no mention of a flash drive. I tried using the CD/DVD drive choice, but Windows just loaded normally. Is there any way you know of to make it reboot from the flash drive?
