Author Topic: Virus identified Win64/Patched.A  (Read 3502 times)

Offline johnd991

  • Newbie
  • *
  • Posts: 5
    • Personal Message (Offline)
Virus identified Win64/Patched.A
« on: April 09, 2013, 12:11:38 AM »
Hi

I suddenly got this nasty virus... and need help removing it.

AVG says:

"Virus identified Win64/Patched.A, C:\Windows\System32\services.exe";"Cannot be cleaned Remove manually"

I'm aa=ttahcing OTL.txt, Extras.txt and aswMBR.txt.

MalwareBytes doesn't find anything anymore, all cookies were deleted a few scans ago.

Please advise what to do...

Thanx!


Offline mikaelrask

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1303
  • Gender: Male
    • Personal Message (Offline)
Re: Virus identified Win64/Patched.A
« Reply #1 on: April 09, 2013, 06:22:49 AM »
hey and welcome to the forum. could you attach the latest malware antimalware scan you have made too.

a malware expert will help you when on is online later today.
new computer
windows 8 Intel core I-3 64 bit
6 gb ram 500 gb hardrive. avast 9 MBAM

Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: Virus identified Win64/Patched.A
« Reply #2 on: April 09, 2013, 09:35:06 AM »
@johnd991

Hello and welcome to avast.
--------------------------------




Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions how to use MBAR
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit

    Please note: This is a beta version so please be sure to read the disclaimer and note of it.

  • Unzip/unrar MBAR in a folder to your Desktop
  • Open the folder where the contents were unzipped to run mbar.exe

  • Click on Next > then on Update button to download fresh definitions.
  • When database updates click Next
  • In the following window ensure "Targets" scan for Drivers; Sectors; System are ticked. Then select "Scan button"

  • If an infection/s are found ensure "Create Restore Point" is checked, then select the "Cleanup Button" to remove threats.
    Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

  • The Clean up procedure will be Scheduled for process.
  • When complete pop-up will show you. Select the Yes button and the system should re-boot to complete the cleaning process.
>> Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.




--------------------------------



Please download zoek.exe and save it to your desktop.

  • Close any open browsers.
  •   Temporarily disable your AntiVirus program. (If necessary)
    If you are unsure how to do this please read this or this Instruction.



  • Double click on zoek.exe to run the tool .
    Please wait while the tool does not start...


  • Copy the text present inside the code box below and paste it into the large window in the zoek tool:
Code: [Select]

firefoxlook;
chromelook;
C:\Windows\assembly\GAC_32\Desktop.ini;f
C:\Windows\assembly\GAC_64\Desktop.ini;f
C:\Users\Tilen\AppData\Roaming\Mozilla\Firefox\Profiles\4g4im7rk.default\searchplugins\askcom.xml;f
C:\Windows\Installer\{bf8081d8-c18c-3d3a-4071-697bc4cafbd0};f
autoclean;

  • Click on Run script button
    Please wait until a logreport will open (this can be after reboot)

  • Save notepad to your Desktop and attach here zoek-results.log

    Note: It will also create a log in the C:\ directory named "zoek-results.log"


« Last Edit: April 09, 2013, 09:45:25 AM by magna86 »

Offline johnd991

  • Newbie
  • *
  • Posts: 5
    • Personal Message (Offline)
Re: Virus identified Win64/Patched.A
« Reply #3 on: April 09, 2013, 02:43:38 PM »
Thank you, guys! But I managed to get it cleaned up... at 4am my computer was clean :)

It is my work computer, so I couldn't wait and started running AVG, aswMBR.exe, tdsskiller.exe, Spybot a few times and eventually it got all cleaned up... then I thought I would try another suggestion that /I found, use Combofix... and it messed up my computer! The network connection was down... after a few hours of going nuts of what is going on, a command 'sf /scannow' fixed all my corrupt dlls and now it works great!

Still running AVG, mbar and Spybot constantly to make sure it is all clean and they all report zero threats.

I'm attaching the latest logs.

What do you think, is my system clean?

Thanx!

Offline magna86

  • Anti Malware Fighter
  • avast! Evangelist
  • Massive Poster
  • ***
  • Posts: 3249
  • Gender: Male
    • Ambulanta MyCity Forum - ASAP Member
    • Personal Message (Offline)
Re: Virus identified Win64/Patched.A
« Reply #4 on: April 09, 2013, 08:04:03 PM »
Hi,

Quote
...use Combofix... and it messed up my computer! The network connection was down... after a few hours of going nuts of what is going on, a command 'sf /scannow' fixed all my corrupt dlls and now it works great!

For this reason we all + sUBs, continuously suggesting to all users to do not run ComboFix unsupervised, but hardly anyone is listening us or alert.

http://www.techsupportforum.com/1829551-post6.html
http://www.bleepingcomputer.com/forums/topic273628.html


Attach here C:\ComboFix.txt log.

PS: It's "sfc /scannow" as it stand for systemfilechecker.



Quote
It is my work computer
I didn't know that becouse i'm not offer free help for firm's computers. Now I see that in the logs ...


------------------------------


This how you can uninstall ComboFix:
  • Click Start (or ) then Run.


    On Windows7 or Vista you may use Start Search field if Run is not available.

  • In the line of text type in (Copy) the following:
Code: [Select]
ComboFix /Uninstall
    Note that there is a space between " ComboFix " and " /Uninstall " .

    • then click OK (or press Enter ).
    Wait for the uninstall process is complete.

    ---------------------------


    Re-run Malwarebytes AntiRootkit one more time to remove some remaining.


    --------------------------


    Delete zoek.exe ;

    Attach here:
    C:\ComboFix.txt
    fresh Malwarebytes AntiRootkit's  system-log.txt

    Offline johnd991

    • Newbie
    • *
    • Posts: 5
      • Personal Message (Offline)
    Re: Virus identified Win64/Patched.A
    « Reply #5 on: April 09, 2013, 08:44:26 PM »
    Thank you, I'm attaching latest system-log.txt file.

    All combofix files have been deleted - now I know not to use it unless instructed so!

    Well, self employed, so work computer is personal computer... but it doesn't matter. I appreciate your time anyway.


    Log file looks OK, right?

    Offline magna86

    • Anti Malware Fighter
    • avast! Evangelist
    • Massive Poster
    • ***
    • Posts: 3249
    • Gender: Male
      • Ambulanta MyCity Forum - ASAP Member
      • Personal Message (Offline)
    Re: Virus identified Win64/Patched.A
    « Reply #6 on: April 09, 2013, 09:09:06 PM »
    Let's run one more check,



    Re-run OTL.exe.

    • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    Code: [Select]


    dir /s /a "C:\Windows\Installer\{bf8081d8-c18c-3d3a-4071-697bc4cafbd0}" /c
    C:\Windows\System32\services.exe /md5

    • Then click the RUN SCAN button at the top.
    • Attach here fresh OTL.txt  logreport.

    Offline johnd991

    • Newbie
    • *
    • Posts: 5
      • Personal Message (Offline)
    Re: Virus identified Win64/Patched.A
    « Reply #7 on: April 09, 2013, 09:17:55 PM »
    Here are 2 files, one without 'Scan all users' checked and one with - I wasn't sure if you perhaps forgot to write to check the box... so I ran both options.

    Thanx!

    Offline magna86

    • Anti Malware Fighter
    • avast! Evangelist
    • Massive Poster
    • ***
    • Posts: 3249
    • Gender: Male
      • Ambulanta MyCity Forum - ASAP Member
      • Personal Message (Offline)
    Re: Virus identified Win64/Patched.A
    « Reply #8 on: April 09, 2013, 09:29:33 PM »
    I still see some Combofix leftovers. Download this and run it ...
    http://download.bleepingcomputer.com/sUBs/CF_UNINST.EXE


    -----------------------------------------

    Run quick OTLFix


    Re-run OTL.exe.

    • Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

    Code: [Select]

    :files
    C:\WINDOWS\INSTALLER\{BF8081D8-C18C-3D3A-4071-697BC4CAFBD0}

    • Then click the Run Fix button at the top.
    I don't need that reports.


    **********************




    > Re-run OTL and click on CleanUp! button.

    You will be asked to reboot the machine to finish the cleanup process, choose Yes.
    After the reboot all the tools we used should be gone.
    Note: Some more recently created tools may not yet be removed by OTL. Feel free to manually delete any tools it leaves behind.




    *************************


    I see you working with USB's


    O32 - AutoRun File - [2013.03.20 08:31:06 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
    O32 - AutoRun File - [2011.04.12 05:38:58 | 000,000,122 | R--- | M] () - D:\autorun.inf -- [ UDF ]





    I recommended to use MCShield if you will.
    You may download MCShield from one of the following links:

    MyCity -  Official download link
    Softpedija - Mirror download link

    It will prevent infection by computer via USB flash drive, mobile phone or any other memory card.
    And not only will prevent infection, but it will immediately clean flash drive, memory card or external HDD.


    Offline johnd991

    • Newbie
    • *
    • Posts: 5
      • Personal Message (Offline)
    Re: Virus identified Win64/Patched.A
    « Reply #9 on: April 09, 2013, 09:41:31 PM »
    Thank you, all tasks done!

    Installed MCShield...


    I have 3 external usb disks and a couple of usb keys... if I have MCShield running, can I just plug them in and run scanners (antivirus, mam, spybot)  through them? Or what you suggest to do to check if they have virueses, trojans on them?

    Thanx!!!

     

    Google Chrome

    AVAST recommends using the FREE Google Chrome™ browser.

    Download Google Chrome Now