Desktop won't load: explorer.exe and winlogon.exe infected with Win32:Patched-RP

Hi guys,

Greetings from Perth, Western Australia. New to the forum and would really like some help with this problem.

Just a quick background about what happened.
I’m using my wife’s PC here. The problem PC is mine, which is running Windows XP SP3. Been using AVG Anti-Virus for a long time and all is well. However, a few weeks ago I accidentally downloaded what I suspected was rogue AV software and ever since then my PC has been compromised. Downloaded MBAM and Super Anti-Spyware and those programs seem to keep the problems to an acceptable condition.

A few days ago I downloaded Avast (as I read it’s the best) and did a check. Found around 30-40 infections, all moved to the chest with the exception of explorer.exe & winlogon.exe, which can’t be touched as they’re legit Windows files. The next time I rebooted the PC only the desktop background showed up and I can only access files/programs through Ctrl+Alt+Del.
My web browsers (Firefox and Safari) also have problems as they can only open certain sites and strangely refuse to open this forum. Google Chrome, which I got through Avast, even refuses to open anything.

So what I need help with most is the removal of Win32:Patched-RP from both explorer.exe and winlogon.exe. I’ve read through a couple of very recent threads here on the forum by homerjay and Claire.A.Henry (both helped by essexboy) which describe the resolution of the very problem I’m having. It seems like I need to download Combofix & OTL, both of which I’m very unfamiliar with (particularly OTL, which I have no idea about; I don’t know what it stands for or where to download it), post some logs for essexboy to look through and then follow step-by-step instructions.

So I’m going to download Combofix first and then will wait for the recommended next step, is that ok?

Before that I’d like to thank you for all the work you guys have done in helping people through this forum. It offered me some light at the end of the tunnel where I’ve been contemplating just re-formatting the PC (which is a pain in the backside).

I’ll be waiting for your next instructions.

Regards,
Rizky

Follow this guide from our expert malware remover Essexboy, and post the logs here:
http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the Malwarebytes scan log)

Thanks for your reply, Pondus.

Here are the logs attached. For some reason I had an error while trying to update MBAM, so the latest one I have is database version 4796 dated 11th October 2010.

Thanks again and will be waiting for next instructions.

Rizky

Essexboy has been notified; he enters the forum late UK time :wink:

Thank you.

Hi - I will clear a few pieces first and then get you to run Combofix. When Combofix runs you must install the Recovery Console, as we may well need to use that for repairs. This malware is becoming resistant to Dr Web, my usual tool of choice.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:50370
FF - prefs.js..network.proxy.http: "127.0.0.1"
FF - prefs.js..network.proxy.http_port: 50370
NetSvcs: tgmjmpu - C:\WINDOWS\System32\vpcek.dll File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
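Editor's added example (not part of the thread, and not OTL or ComboFix code): the OTL fix above removes an Internet Explorer ProxyServer value and a pair of Firefox prefs.js entries that both point the browser at 127.0.0.1:50370, i.e. at a proxy running on the infected machine itself, which is why only some sites load. The script below reads the two artefacts that carry those settings, a Firefox prefs.js and a .reg export of the HKCU Internet Settings key, and flags any proxy aimed at a loopback address. The sample inputs are constructed here from the values quoted in the fix; the file names and the function names are this example's own.

```python
"""Detect browser proxy settings that point at the local machine.

Added example, not from the forum thread. Two text artefacts are parsed:
  * a Firefox prefs.js (lines such as user_pref("network.proxy.http", "127.0.0.1");)
  * a .reg export of HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
A proxy whose host is 127.0.0.1, ::1 or "localhost" means a local process is
sitting between the browser and the network, which is the hijack the OTL fix removes.
"""
import ipaddress
import re

# Constructed sample inputs, using the host/port quoted in the OTL fix above.
SAMPLE_PREFS_JS = '''user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 50370);
user_pref("network.proxy.type", 1);
'''
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:50370"
'''

PREF_RE = re.compile(r'user_pref\("network\.proxy\.([a-z_]+)",\s*(.+?)\);')
FIREFOX_SCHEMES = ("http", "ssl", "ftp", "socks")


def is_loopback(host):
    """True for 'localhost' and any IPv4/IPv6 loopback literal."""
    host = host.strip().strip('"').lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def firefox_proxies(prefs_js):
    """Return {scheme: (host, port)} for every proxy configured in prefs.js."""
    prefs = {m.group(1): m.group(2).strip().strip('"') for m in PREF_RE.finditer(prefs_js)}
    found = {}
    for scheme in FIREFOX_SCHEMES:
        host = prefs.get(scheme)
        if host:
            port_text = prefs.get(scheme + "_port", "0")
            found[scheme] = (host, int(port_text) if port_text.isdigit() else 0)
    return found


def ie_proxies(reg_export):
    """Parse the ProxyServer value: either 'host:port' or 'http=host:port;https=host:port;...'."""
    m = re.search(r'"ProxyServer"="([^"]*)"', reg_export)
    if not m:
        return {}
    found = {}
    for item in m.group(1).split(";"):
        item = item.strip()
        if not item:
            continue
        scheme, _, hostport = item.partition("=")
        if not hostport:                 # plain 'host:port' applies to all protocols
            scheme, hostport = "all", scheme
        host, _, port = hostport.rpartition(":")
        if not host:                     # no port given at all
            host, port = hostport, "0"
        found[scheme] = (host.strip(), int(port) if port.isdigit() else 0)
    return found


def ie_proxy_enabled(reg_export):
    """ProxyEnable=dword:00000001 means IE actually uses the ProxyServer value."""
    m = re.search(r'"ProxyEnable"=dword:([0-9a-fA-F]{8})', reg_export)
    return bool(m) and int(m.group(1), 16) != 0


def loopback_hijacks(prefs_js, reg_export):
    """List (browser, scheme, host, port) for every proxy pointing at the local machine."""
    findings = []
    for scheme, (host, port) in firefox_proxies(prefs_js).items():
        if is_loopback(host):
            findings.append(("firefox", scheme, host, port))
    for scheme, (host, port) in ie_proxies(reg_export).items():
        if is_loopback(host):
            findings.append(("ie", scheme, host, port))
    return findings


if __name__ == "__main__":
    for browser, scheme, host, port in loopback_hijacks(SAMPLE_PREFS_JS, SAMPLE_REG_EXPORT):
        print(f"{browser}: {scheme} proxy -> {host}:{port} (loopback)")
    print("IE proxy enabled:", ie_proxy_enabled(SAMPLE_REG_EXPORT))
```

On a live machine the .reg file comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" proxy.reg` and prefs.js from the Firefox profile directory; a loopback proxy is only worth flagging together with the listening process on that port, which the fix above addresses by removing the setting rather than the listener.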

Hi essexboy,

I pasted the quote in OTL and then ran Run Fix. Then I saw “Killing processes” at the bottom of the OTL window and a few seconds later my PC rebooted itself. Is it supposed to be like that? Anyway, I ran a Quick Scan after the PC rebooted itself and the log is attached.

Btw, should I kill the processes avgrsx.exe and avgwdsvc.exe before I install ComboFix?

Thanks so much for the help
Rizky

Just run combofix - ignore any warnings but do not let Avast quarantine any files whilst it is running

Ran ComboFix as instructed, then there was a warning saying that both AVG and avast are running and could interfere with the process. Ignored it and pressed OK. Another warning came up saying ComboFix will run anyway; clicked OK. Then a small error message window with nothing in it came up, after that another error window saying “NIRCMD cannot be found” or something like that. Then the PC rebooted itself.

Should I disable the processes for AVG (avgrsx.exe and avgwdscv.exe) and avast (AvastSvc.exe) before trying to run combofix again?

Thanks
Rizky

Will be away for the weekend to Sydney, so won’t be able to update for a few days. Will be back tuesday :slight_smile:

Aye, download a fresh copy - this time run it from safe mode please.

Back again :slight_smile:

Downloaded a fresh copy of ComboFix as instructed, restarted in Safe Mode, then ran ComboFix. Then a blue command window showed up, followed by another window saying that this version of ComboFix is expired and asking whether I want to run it in reduced functionality mode. So I clicked “Yes”. Then nothing happened. So now I’ve restarted in normal mode again.

Did I do anything wrong? Should I have waited longer when nothing happened? Any suggestions?

Thank you for the help so far, much appreciated.

Can you check that the date and time are correct on your computer, as ComboFix gives that warning once it reaches 7 days old. If they are correct then download a fresh copy and retry.

Ok, I downloaded a fresh copy of ComboFix, restarted again in safe mode (this time with networking), then ran ComboFix. The little ComboFix progress bar appeared and I could see that it was loading, then it disappeared and nothing happened. I checked processes in Task Manager and there are two called mbr.cfxxe and cmd.cfxxe which I assume are ComboFix processes. Is ComboFix running in the background or is there something I didn’t do right again?

Btw, the time on the PC is correct.

You will have to wait as essexboy will be in bed now as it is after 1:45am in the UK. So it will be tomorrow when he gets back from work when he is likely to be back on the forums.

OK, let's change tack slightly here - once this has run, can you update me on the current problems?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Ok here we go, MBAM log attached :slight_smile:

Looks like you no longer have an update problem ;D

Could you run a fresh OTL for me please and let me know what problems you are still having

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Yeah, I tried updating MBAM and it worked.

Ok, so I downloaded a fresh OTL, checked “Scan All Users”, pasted the commands, then ran OTL. After around 30 seconds, an error message (Access violation at address 0040295B in module ‘OTL.exe’. Read of address 001B6000.) popped up and the scan stopped.

Umm what’s next?

OK, let's use big brother.

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - NetSvcs
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
File - Purity Scan

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.