
How Can I Get Rid Of Trojan.win32.patched.i ?


  • This topic is locked
9 replies to this topic

#1 2nsane


Posted 15 January 2007 - 02:09 AM

Good evening,

I ran a-squared tonight and found Trojan.Win32.Patched.i on my computer. I have gone into safe mode, ran a-squared, deleted the file, and it still comes back.
I also ran AVG AS and nothing came up; neither did VundoFix.

Here is a copy of the HijackThis log.
Any help would be great.
Thank you for your help.

Dan

Logfile of HijackThis v1.99.1
Scan saved at 11:06:38 PM, on 1/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\a-squared Free\a2free.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R3 - URLSearchHook: (no name) - - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [FJUPDNV_Chitose] C:\Program Files\Fujitsu\fjdvrupd\fjdvrupd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB002" /M "Stylus CX4800"
O4 - HKLM\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [DisableWinXPWZCS] C:\Program Files\Atheros\DisableWinXPWZCS.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZNxmk788LBUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.computers.us.fujitsu.com/
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/loaders/SAXFile.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {FD163A9A-A3D8-4F7D-8224-32F81AC29EDA} (VPlayer Control) - http://video.vividas.com/CDN1/5029_paramou.../vivid_ocx.jpeg
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Moved from the "I am infected" Forum. ~acklan~

Edited by acklan, 15 January 2007 - 03:56 AM.




#2 2nsane


Posted 15 January 2007 - 12:01 PM

:thumbsup: Anybody have any ideas?

#3 DaveM59


Posted 15 January 2007 - 06:45 PM

Hi 2nsane,

Welcome to Bleeping Computer. :thumbsup:

I have some ideas but I cannot guarantee success. This is a new infection and there are no specialized removal tools for it as yet.

You are dealing with a trojan that infects a vital Windows system file. If that file is erased or quarantined or if an antivirus program unsuccessfully attempts to repair it, your computer will become unbootable.

For that reason, before doing anything else, please back up your data files now to an external media -- a USB drive, or CD-R(s).

Also, do not shut down or reboot your computer until we are finished. Norton Antivirus may ask for a reboot in order to quarantine or repair a file. Don't allow this! We have to take the infection out manually.

Final general instruction: keep the computer disconnected from the internet as much as possible. Obviously if I ask you to submit a file for scanning, or some similar task, you'll have to connect to the internet to do that. If you have no other computer you will have to check for and post replies here. But otherwise, stay offline.

Print or save these instructions.

First, run a quick check for me.

Unhide files and folders

1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.
Now, use Windows Explorer to navigate to your C:\Windows\system32 folder, and look for the following files:

main.sys
wsys.dll


Let me know if you find either or both.

Also, unless you know that Winlogon.exe has been identified as infected, please confirm by submitting it to the Kaspersky file scanner. Go to that website, you will see a text box near the top. Next to the box, click Browse and browse to the following:

C:\Windows\system32\Winlogon.exe

Select that file, and submit it. After scanning you will get a report, probably confirming the file is infected with the Patched trojan.

If Kaspersky says it's clean, post back here with that information. Otherwise, we need to see what we can do about finding a clean copy of Winlogon.exe to replace your infected one. It needs to be the same version as what you have, so please search your hard drive for a folder named i386. It may be inside a Service Pack Files folder or it may be in your root (C:\) folder or elsewhere. In that i386 folder you should find a file named Winlogon.exe or Winlogon.ex_.

Let me know if you find the folder (it may not exist) and if so, which file you find.

Also tell me whether you are running Windows XP Home, Pro, or Media Center, and whether you have a Windows install CD. I believe your Fujitsu only comes with a Restore CD or DVD; if you have a regular Windows CD for it, tell me. Otherwise do some exploring on the Restore disk, and if it has an \i386 folder let me know.

Good luck,

Dave

#4 2nsane


Posted 15 January 2007 - 07:28 PM

OK, today I went and purchased a WD My Book 160GB external HD and am in the process of transferring all my pics and music. What else besides these items should I transfer over to the EHD?

I am using my wife's MacBook to talk back and forth now.
As for what I am using, I believe it's just Windows XP with SP2. I have a Restore Disc for my computer; it's Windows XP Home Edition. I also have a drivers and applications restore CD, and a Microsoft Works 8 CD.

Edited by 2nsane, 15 January 2007 - 07:39 PM.


#5 DaveM59


Posted 15 January 2007 - 08:33 PM

Hi 2nsane,

Backups: e-mail, financial records, documents of any kind that you do not wish to lose.

After you get your documents backed up please do those checks I asked for.

I'm especially interested in that restore CD. If you find an i386 folder on it let me know, but look on your hard drive as well.

If you find one, right click on the winlogon.exe or winlogon.ex_ file and select Properties. Give me the date modified, date created, and size of the file (in KB).

Edit: Your wife has a MacBook? How does she like it? My wife has a Mac Mini and is yearning for a Mac laptop.

Dave
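
The check Dave asks for in posts #3 and #5 (confirm that the flagged winlogon.exe really differs from a known-good copy of the same version before anyone deletes or "repairs" it) can be scripted. The PowerShell below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the reference copy is winlogon.ex_ from an i386 folder (MakeCab-compressed, so it is expanded with the built-in expand.exe to a temp file first); the i386 path and the temp location are placeholders to adjust.

```powershell
# Added example (not from the original thread): compare a system file that an
# antivirus product flagged as "Patched" against a reference copy, so a real
# modification can be told apart from a false positive before anything is deleted.
# Assumptions: the flagged file is winlogon.exe, and a compressed reference copy
# winlogon.ex_ sits in C:\i386 (placeholder path; point it at your real i386 folder).
param(
    [string]$Suspect   = "$env:SystemRoot\system32\winlogon.exe",
    [string]$Reference = 'C:\i386\winlogon.ex_'
)

function Get-FileFingerprint {
    param([Parameter(Mandatory=$true)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    # SHA-256 via .NET, so this works on PowerShell versions that lack Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try {
        $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Close()
        $sha.Dispose()
    }
    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Modified    = $item.LastWriteTime
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SHA256      = $hash
    }
}

# The companion files the thread asks to look for. Test-Path sees hidden files.
foreach ($name in 'main.sys', 'wsys.dll') {
    $p = Join-Path "$env:SystemRoot\system32" $name
    '{0}: {1}' -f $p, $(if (Test-Path -LiteralPath $p) { 'PRESENT' } else { 'absent' })
}

# A reference stored as *.ex_ / *.dl_ is MakeCab-compressed; expand it before hashing.
if ($Reference -like '*.??_') {
    $expanded = Join-Path $env:TEMP ([System.IO.Path]::GetFileName($Suspect))
    & "$env:SystemRoot\system32\expand.exe" $Reference $expanded | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "expand.exe failed on $Reference" }
    $Reference = $expanded
}

$live = Get-FileFingerprint -Path $Suspect
$ref  = Get-FileFingerprint -Path $Reference
$live, $ref | Format-List

if ($live.SHA256 -eq $ref.SHA256) {
    'Byte-identical to the reference copy: the "patched" verdict is a false positive.'
} elseif ($live.FileVersion -ne $ref.FileVersion) {
    'Different file version: the reference is from another build or service pack, so the hashes are not comparable. Find a reference of the same version before concluding anything.'
} else {
    'Same version string but different bytes: the live file has been modified. Treat the detection as real.'
}

# Supplementary signature check. XP-era system files are catalog-signed rather than
# carrying an embedded signature, so NotSigned here does not by itself mean tampering;
# a HashMismatch status, or a Valid one, is the informative result.
Get-AuthenticodeSignature -FilePath $Suspect | Select-Object Status, StatusMessage
```

Run it from an elevated PowerShell prompt and keep the computer running, exactly as the post advises: it only reads files and never touches winlogon.exe. The version comparison matters because security updates replaced winlogon.exe on XP more than once, so a hash that differs from an older i386 copy proves nothing on its own; a reference of the same version (the ServicePackFiles\i386 folder or system32\dllcache are other candidates) is what makes the hash comparison decisive.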

Edited by DaveM59, 15 January 2007 - 08:35 PM.


#6 2nsane


Posted 15 January 2007 - 09:19 PM

Dave, you have been an incredible help. Thank you for the support. Turns out Emsisoft was having a false positive in their system and a lot of people were having the same thing as me. http://forum.emsisoft.com/Default.aspx?g=posts&t=1757 I updated the files as they requested and it's gone. Can I get a "hell yeah" :thumbsup: or, like the Fonz used to say, "Allriiiiiiight"?
OK, now that my panic attack is over and I have spent $100 on an external hard drive, all is well (for now).

OK, on to the MacBook. My wife loves it; it's great for school, as that's all she really uses it for. It's small and light, not like my Fujitsu LifeBook 17" monster I use for gaming and am using now.

Once again, thank you very much.

Dan.

#7 DaveM59


Posted 15 January 2007 - 09:52 PM

Hi Dan,

Just been doing some research and discovered, as you did, that the A-Squared detection is a false positive. I went back to your topic to post only to find that you had already made the same discovery.

This is a new infection, as I said, and the AV/antimalware people are just putting it into their databases, so I guess it's not surprising that some of them haven't quite got their detection routines perfected yet.

In retrospect the one thing I should not have told you was this:

unless you know that Winlogon.exe has been identified as infected, please confirm


Should have asked for confirmation regardless. Kaspersky does ID it correctly.

Sorry you bought a backup drive you didn't need at the moment, but trust me, sometime or other you'll be glad to have it. Be sure you update the backups regularly.

Thanks for the report on the MacBook.

Cheers,

Dave

#8 2nsane


Posted 15 January 2007 - 09:56 PM

You're the second person to talk about saving backups on a regular basis. Not sure what this is or does. Please tell me more. :thumbsup:

#9 DaveM59


Posted 15 January 2007 - 10:38 PM

Hi Dan,

I'm not sure whether you mean the rationale or the implementation. The rationale is simple: components fail. Operating systems crash. Some failures result in data loss. Your data is the one thing on your computer that is irreplaceable. So you need to have backups.

As to how, the easiest way, which I have taken, is to get an imaging program (Acronis True Image) and set it up to do a weekly incremental backup of all data folders that I don't want to lose. For an alternative, take a look at this tutorial explaining the use of a freeware backup program that does most of the same things as Acronis.

Hope this answers your question.

Dave
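
For readers who would rather script the weekly incremental copy Dave describes than install a commercial imaging product, here is an added PowerShell example; it is not from the thread and not the tutorial Dave links. It uses robocopy (built into Windows since Vista; on XP it comes with the Windows Server 2003 Resource Kit Tools) and the built-in task scheduler. The source folders, the destination drive letter E: and the task name are assumptions.

```powershell
# Added example (not from the original thread): weekly incremental copy of chosen
# data folders to an external drive. Assumptions: robocopy.exe and schtasks.exe are
# on the PATH, the external disk is E:, and the folders below are what you want kept.
param(
    [string[]]$Sources = @("$env:USERPROFILE\Documents",
                           "$env:USERPROFILE\Pictures",
                           "$env:USERPROFILE\Music"),
    [string]$Destination = 'E:\Backup',   # placeholder drive letter of the external disk
    [switch]$Register                     # create the weekly scheduled task instead of copying
)

function Invoke-IncrementalBackup {
    param([string[]]$Sources, [string]$Destination)

    # Refuse to run against a missing drive; otherwise robocopy would happily create
    # E:\Backup on whatever is mounted there, or fail on every file.
    if (-not (Test-Path -LiteralPath $Destination)) {
        throw "Destination $Destination not found. Is the external drive connected?"
    }
    $log = Join-Path $Destination ('backup-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

    $results = foreach ($src in $Sources) {
        if (-not (Test-Path -LiteralPath $src)) { continue }
        $dst = Join-Path $Destination (Split-Path $src -Leaf)
        # /E copies subfolders. robocopy skips files whose size and timestamp are
        # unchanged, which is what makes each run after the first incremental.
        # /MIR is deliberately not used: with it, a file deleted at the source is
        # also deleted from the backup, which defeats the purpose of the copy.
        & robocopy.exe $src $dst /E /R:2 /W:5 /NP /LOG+:$log | Out-Null
        # robocopy exit codes are bit flags; anything below 8 means no failures.
        [pscustomobject]@{
            Source   = $src
            ExitCode = $LASTEXITCODE
            Ok       = ($LASTEXITCODE -lt 8)
            Log      = $log
        }
    }
    $results
}

if ($Register) {
    # Weekly run, Sunday 02:00, under the current user. $PSCommandPath needs PowerShell 3+.
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    schtasks.exe /Create /F /SC WEEKLY /D SUN /ST 02:00 /TN 'WeeklyDataBackup' /TR $cmd
} else {
    Invoke-IncrementalBackup -Sources $Sources -Destination $Destination | Format-Table -AutoSize
}
```

Save it as a .ps1, run it once by hand to confirm the copy and the log look right, then run it again with -Register to schedule it. Because the copy is one-way and does not mirror deletions, a file you later remove or overwrite on the laptop stays in the backup until you clean it out yourself; that is the trade-off that keeps a mistake (or a real infection that alters files) from silently propagating to the only other copy.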

#10 DaveM59


Posted 22 January 2007 - 09:31 PM

Since this issue appears to be resolved, this topic is now closed. If you need it re-opened, please PM me and include the URL in your message.

This applies to the original poster only. Everyone else start a new topic.



