Patchep!inf detected - now unable to boot

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mprepunk, Jan 25, 2009.

  1. mprepunk

    mprepunk Private E-2

    Hi all,

    I am running Windows XP with SP2. I use Norton Antivirus as well as Windows Firewall.

    Norton Antivirus came across a threat 2 days ago called Trojan.Patchep!inf. I read up about it on the Symantec website, which told me it was easy to remove and a low-level threat. When I tried to use Norton to remove it, it didn't work - it was unable to remove the threat.

    I attempted to restart the computer in safe mode, and tried to remove it from there. Unfortunately, I received the same error message from Norton, and so it failed.

    I found a forum on Google which said to try SDFix to remove the virus. I ran the program, but it found no issues, and the threat was still showing up on Norton.

    I decided to give up and try again the next day. When I tried to turn on my computer, it reaches the Windows 'loading' screen, but then automatically restarts. I've tried using the boot system to launch Windows in safe mode, and tried launching using the last working settings, but it still has the same effect. It should be noted that my computer is being incredibly noisy every time it is switched on - even after it had been left overnight to cool.

    As I can't boot my computer, it isn't possible to do all of the bits and pieces required before posting. Sorry about that.

    Anyone able to help?

    Thanks
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide


    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes, you could use a flash drive too, but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is advised that after completing the READ & RUN ME you also read this sticky:
    4. Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. mprepunk

    mprepunk Private E-2

    Thanks for your reply.

    I currently cannot boot my computer in Normal or Safe Mode, and so cannot complete any of the steps you have highlighted above.

    Since this security threat, I have been unable to boot - the system reaches the Windows loading screen, and then restarts.

    I also received error: "STOP C000021a (fatal system error)" at BSOD at one point. This only occurred once, though.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is one reason we recommend the free antivirus programs: they are free and actually do what they're supposed to do, as in removing the threats, which Norton has a tendency not to do.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What does it do when you try to access Safe Mode?

    Do you have your WinXP disc?
     
  6. mprepunk

    mprepunk Private E-2

    Thanks again for your reply.

    As I live with my parents, as much as I tell them to get rid of Norton and use one of the free scanners, they refuse to!

    When I try to access Safe Mode, the computer continues to attempt to load, and then on reaching the Windows loading screen, it restarts the computer and goes back to my 'HP' boot screen. It doesn't matter which option I choose from the boot menu the same thing happens.

    What I've done in the meantime, is booted Ubuntu from a CD ROM, and I'm backing up vital files. I'm scanning them too for infection, but there's no reason they should be affected - reading about Patchep!inf informs me that this virus attacks Windows logon files such as Winlogon etc... which would account for the problems loading Windows.

    Is there anything useful I can do whilst using Ubuntu?
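    An added example (not from this thread or from MajorGeeks) of one check that can be done from the Ubuntu live CD: with the Windows volume mounted, compare winlogon.exe and userinit.exe against the copies Windows File Protection keeps in system32\dllcache on XP. The mount point /media/windows, the WINDOWS directory name and the two-file list are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or MajorGeeks' own tool. Run from a live CD
# with the Windows volume mounted read-only. Windows XP keeps protected copies
# of system binaries in system32/dllcache; a live file that differs from its
# cached copy has been modified or replaced and deserves a closer look.
# File list is an assumption (winlogon is named in the thread; userinit also
# runs at logon), not an official indicator list.
LOGON_FILES="winlogon.exe userinit.exe"

# check_logon_files <mounted-windows-root>
# Prints one line per file. Returns 0 when every file matches its cached copy,
# 1 when any file is missing, differs, or has no cached copy to compare against.
check_logon_files() {
    root="$1"
    sys32="$root/WINDOWS/system32"   # directory name assumed (XP default)
    status=0
    for f in $LOGON_FILES; do
        live="$sys32/$f"
        cached="$sys32/dllcache/$f"
        if [ ! -f "$live" ]; then
            echo "MISSING  $f (no copy in system32)"
            status=1
        elif [ ! -f "$cached" ]; then
            echo "NOCACHE  $f (no dllcache copy to compare against)"
            status=1
        elif cmp -s "$live" "$cached"; then
            echo "OK       $f (matches dllcache copy)"
        else
            echo "MODIFIED $f (differs from dllcache copy)"
            status=1
        fi
    done
    return $status
}

# Usage: ./check_logon.sh /media/windows   (mount point is an assumption)
if [ "$#" -ge 1 ]; then
    check_logon_files "$1"
fi
```

A MODIFIED result is a reason to investigate, not proof of infection on its own (a legitimate hotfix can also update both copies out of step); a clean result only covers the files listed.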
     
  7. mprepunk

    mprepunk Private E-2

    Ah, I forgot to add - I don't have my WinXP disc - it was installed when we bought the computer.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    At this point there isn't much we can do because you can't get into the system and you don't have a WinXP disc. I don't know anything about Ubuntu.

    The only option really is to purchase a copy of XP or take your computer to a local computer shop because you will need to repair your current install and then do a cleanup or format/reinstall but either way you will need a WinXP disc.
     
  9. mprepunk

    mprepunk Private E-2

    After discovering an HP disc that I found at home, I was able to perform a 'restore' on my system. I can now load Windows. The problem is, when Windows loaded, I was asked to select one of the previous system restore points to use in the restore. There weren't any stored, but I can still access Windows.

    Furthermore, I can't open Norton AntiVirus to scan my computer, so there must be some kind of malware still remaining. The Norton system tray icon exists, but left/right clicking does nothing. I can't load the Norton program from the start menu, or from Program Files. I don't receive an error message; clicking the icons has no effect. It won't even let me kill navapsvc.exe, which is a Norton process.

    I have been able to run the processes as requested, but it should be noted that when I tried to run ComboFix, I was informed by my system that ComboFix had expired, and I could therefore only run in reduced functionality mode. Also, it informed me that Norton AntiVirus is open, and that I should close it before running. As mentioned previously, I'm unable to close the program.

    I have attached 3 logs to this post. SUPERAntiSpyware found no malicious software and so didn't produce a log.
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! Are you having any current malware problems?

    As far as your Norton problems, that's just typical with Norton however to fix it I would suggest running their removal tool and reinstalling.
     
  11. mprepunk

    mprepunk Private E-2

    Everything appears to be back to normal. I've replaced Norton with AVG Free, and Windows Firewall is also active.

    The only thing I'll point out is that my computer seems a lot noisier now than it did before the infection - it periodically becomes pretty loud when it's loading something, and it hadn't used to. Could this be something as trivial as the fan overworking itself due to a dusty interior?

    Thanks for your help!
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's always good to keep computers vacuumed because dust buildup can cause a system to overheat. The only way it could make a system noisier would be to collect around a fan in which case a cleaning would address it.

    Really, any noise other than the hard drive running is abnormal. Every once in a while your HDD may make a sound or two, but that's simply because it's working harder.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     