Cannot delete win32.patched-ADQ - files read-only

After a full system scan on my PC (windows XP), Avast found the win32.patched-ADQ trojan in 6 files (below). It cannot delete them, saying that they are all read-only. I’m a little confused in that it lists duplicate files:

C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\winlogon.exe

Is there any way I can remove this threat?

Thanks,
CM

Whatever you do, DO NOT remove these (or run any other removal tools); it could turn your system into a paperweight. Whilst these files are infected the system is still bootable/working, though infected.

The files have to be replaced with clean copies, but before that happens the underlying infection also has to be dealt with and for that you need the computer working.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the logs here, not in the LOGS topic.

Ok, doing as you said - when I dbl click on otl.exe, I get this prompt box:

The NTVDM CPU has encountered an illegal instruction. Choose ‘Close’ to termination the application.
[Close] [Ignore]

Is this because I have Windows running in Safe mode?

OTL should run in safe mode.

I haven’t encountered the “NTVDM CPU has encountered an illegal instruction” error before, and a search for it brings up lots of hits (one of them http://support.microsoft.com/kb/245184). They seem weird in relation to OTL, as some say it is about running 16-bit programs, which would also be a bit weird on an XP (32-bit OS) system, which should be able to handle 16-bit applications.

I’m not even sure if OTL has any 16-bit elements, so I will have to wait to see if essexboy can work this one out.

EDIT: Did you try to run OTL in normal mode with avast disabled (right click on the avast tray icon, avast! shield control) for a period of time?

I haven’t - because if I start windows in normal mode, I get a blue screen, but task manager still shows all services running. It’s looking like I’m going to have to reformat and reinstall.

Stick with it for a while and hopefully essexboy can join the topic.

That error refers to a 16-bit programme, pretty archaic.

Let’s see if we can get you into normal Windows first.

Step 1:

Start the System Configuration Utility
Click Start, click Run, type msconfig, and then click OK.
The System Configuration Utility dialog box is displayed.

Step 2:

Configure selective startup options
In the System Configuration Utility dialog box, click the General tab, and then click Selective Startup.
Click to clear the Process SYSTEM.INI File check box.
Click to clear the Process WIN.INI File check box.
Click to clear the Load Startup Items check box. Verify that Load System Services and Use Original BOOT.INI are checked.
Click the Services tab.
Click to select the Hide All Microsoft Services check box.
Click Disable All, and then click OK.
When you are prompted, click Restart to restart the computer.

Step 3: Log on to Windows

If you are prompted, log on to Windows.
When you receive the following message, click to select the Don’t show this message or launch the System Configuration Utility when Windows start check box, and then click OK.

You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

Now we get to the tedious part:

If Windows behaves itself, then do the following:

Restart MSConfig, select half of the disabled services and reboot.

Is the problem still present?

If yes, then deselect half of the services that you resumed and reboot.

If no, then select half of the remaining services and reboot.

The intention here is to isolate the one service/driver that is causing the problem.

Idea is to zero in - got it.

Okay, I’ve just followed everything up to the “Click don’t show this message” part, and windows is in normal mode (I’ve physically detached my ethernet cable to ensure pc has no access to the web or my network, because the virus always tries to open ie, ff, or chrome on a malicious site when Windows starts, even when in safe mode with networking).

Windows appears to be behaving itself, but there’s one thing I’m concerned about - in the first post of this topic I show the results of an Avast scan - it showed that 3 important Windows files are infected and Avast can’t remove the virus. Looking in task manager, I see that among the items running are those 3: winlogon.exe (user name=System), svchost.exe (6 instances - user name=System, Local Service, Local Service, Network Service, System, Network Service), and explorer.exe (username=My Username).

I know these files have to be running for Windows to run, but before I proceed, does any of this sound abnormal?

OK, now you are in normal mode, could you retry OTL?

We can do the detailed investigation once we are sure you are clear of malware

Edit: no, it is not totally abnormal.

Just tried OTL.exe with Windows in normal mode, and got the same error prompt.

As a test I plugged in my ethernet cable - immediately multiple instances of iexplore.exe started popping up in task manager (but no visible browser windows).

OTL.exe - I actually do have it running. Will post the logs in a minute.

OK, saves me suggesting a rename to OTL.scr ;D

OTL.txt and Extras.txt attached. Note that my network cable is unplugged - else Windows would not be behaving well…

(By “not behaving well”, I mean the virus would be going into action opening iexplore.exe and trying to hit malicious sites. Not the blue screen I was getting before whenever I tried to get in Windows normal mode.)

Nothing visible in the log which would indicate either a patched file or an MBR baddie.

Download aswMBR.exe (1.8 MB) to your desktop.
Double click the aswMBR.exe to run it. Click the “Scan” button to start the scan.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post it in your next reply.

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

Okay, aswMBR.txt is attached. I’m running Combofix - it stopped saying that it finds Avast antivirus to be active and asks me to disable it, but I don’t see how - Avast is not running, and that link didn’t show me anything about Avast.

I closed the Avast UI, but Task Manager shows AvastUI.exe to be running still. I try to stop it, but it tells me action could not be completed, access is denied.

Okay, so here’s where I am at the moment - it looked to me as though Avast was already disabled - I didn’t see an Avast icon in the tray. Combofix stopped, told me Avast realtime scanners were active and asked me to deactivate. I looked in admin tools > Services, and saw that Avast was already disabled.

So I started Avast and the UI came up, I checked to make sure the shields were not active, and closed it. So now the Avast icon is in the tray. I right-clicked on the icon in the tray, selected avast shields control, disabled all for 1 hour. Hoping I didn’t screw something up by opening the Avast UI.

Right click the avast tray icon … disable shields.

I did right click on the icon and disabled shields, but Combofix still thinks they’re running. It tells me the Avast scanner is still active but Combofix will continue to run, and this is at my risk. Is there a way to abort the scan? I hate to come this far and screw my pc up…

You can proceed with the combofix scan if you have disabled avast as mentioned; ignore the combofix notice. The avast shields are disabled, but the services are running; without the shields there shouldn’t be an issue. We have seen this before and no problem.

Proceeding with Combofix scan. Combofix is telling me that I do not have MS Windows Recovery Console Installed, or that it’s present but requires updating. Note - I have System Restore in Windows turned off, as part of previous troubleshooting. Is this why Combofix thinks the console isn’t installed? Should I turn it back on?

Also, Combofix wants to download and install the Recovery Console.

Hmm… I stand corrected. It looks like System Restore is on, and that this has nothing to do with the Recovery Console.

Even so, I’m not sure I should reconnect my pc to the internet, because the virus will immediately start trying to open ie and navigate to a malicious site.

At last, combofix.txt attached. From a quick lookover, it looks like it fixed svchost.exe and winlogon.exe, but couldn’t fix explorer.exe.