Results 1 to 13 of 13

Thread: Virus: Win32/PEPatch (creating a newexe.exe)

  1. #1

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Arrow Virus: Win32/PEPatch (creating a newexe.exe)

    This machine have an AVG free edition and it is always detecting the above virus. OS is Win2000 Pro and I'm currently downloading he updates right now but it's so long because of the slow internet connection and there is always a restart for for most of the updates....

    Anyone here who could provide a permanent solution for this virus? Earlier upon googling I've tried installing Ewido anti-malware but suffered the blue screen of death and some other problems so I uninstalled it. This machine also have SpyBot and XoftSpy...

    I am not the owner of this machine hence I cannot really tell when does the virus comes to life, its just that I am being called whenever the AVG promps for its existence and I've advised them to move it to vault everytime (no heal for it) but it's really bothering that it still comes out every now and then...

    Thanks for any help...
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  2. #2
    PowerPoster kfcSmitty's Avatar
    Join Date
    May 2005
    Posts
    2,248

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Try using Avast. It scans during boot time, so any crap that's running can still be scanned/removed.

    If you dont want to do that, you could always find the infected file and delete it. Then, go through the registry and find any entries you dont recognize (not really recommended unless you know the computer well). Once that is done, go into msconfig, and remove any programs from startup you dont recognize.

    Thats usually how I fix viruses on my computer, and so far, it has never failed

  3. #3

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    I am already contemplating of using Avast on this machine but it may be a little heavy so I am still trying to permanently clean the virus with any 'light' remedies since this machine is somewhat slow. Problem is I am not sure what is the infeted file, it just seem that it produces the newexe.exe. I've tried looking in the start-up programs listed in the registry but there is nothing suspicious among them. I'll try downloading msconfig since Win2000 doesn't have them. Just finished the online scan of panda and it didn't caught anything...
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  4. #4

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Curiously (I have not been able to observe this on other machines) MSConfig lists 2 IExplore.exe in the startup tab, 1 in HKLM and 1 in HKCU, is this even normal?
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  5. #5
    PowerPoster kfcSmitty's Avatar
    Join Date
    May 2005
    Posts
    2,248

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    2 Iexplore's? My msconfig doesnt list them at all.... It really shouldn't unless your friend has it set to run as soon as he logs in...

    Are you sure its not like Iexploer.exe or something?

  6. #6

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Here's the screeshot, do you find it disturbing?
    Attached Images Attached Images  
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  7. #7
    Frenzied Member litlewiki's Avatar
    Join Date
    Dec 2005
    Location
    Zeta Reticuli Distro:Ubuntu Fiesty
    Posts
    1,162

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    try start>run>msconfig>services and check for unknown services that have been checked ,if u find one boot in safe mode ,uncheck the option and try to find the file that is registered against that service

    also check sysinternals.com they have a light weight scanner that lists suspicious services and startup programs

  8. #8
    PowerPoster kfcSmitty's Avatar
    Join Date
    May 2005
    Posts
    2,248

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    thats iexpl0re with a zero.

    There is your culprit (atleast one of them)


    I would also recommend deleting that registry entry

  9. #9

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Quote Originally Posted by kfcSmitty
    thats iexpl0re with a zero.

    There is your culprit (atleast one of them)


    I would also recommend deleting that registry entry
    Nice catch, didn't notice it, will try to remove them and observe if it will still pop-out in the future...
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  10. #10

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Removing those registry entries didn't still solve the problem, as I am about to browse the avg prompt me again for the presence of the virus....
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  11. #11

    Thread Starter
    Software Carpenter dee-u's Avatar
    Join Date
    Feb 2005
    Location
    Pinas
    Posts
    11,123

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Huh, Avast doesn't seem to recognize the virus, this is the result of the online test of Kaspersky, tried deleting all those exe's and their registry entries but to no avail, anyone got a hint on what should I do next? Aside from reformatting?

    --------------------------------------------------------------------------
    -----
    KASPERSKY ON-LINE SCANNER REPORT
    Monday, May 29, 2006 10:42:36 PM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky On-line Scanner version: 5.0.78.0
    Kaspersky Anti-Virus database last update: 29/05/2006
    Kaspersky Anti-Virus database records: 185117
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: false
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 24895
    Number of viruses found: 1
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 00:34:06

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\01234567\chubsy[1].exe Infected: Backdoor.Win32.Agobot.agw skipped
    C:\Documents and Settings\Administrator\Desktop\newexe.exe Infected: Backdoor.Win32.Agobot.agw skipped
    C:\WINNT\system32\lat.exe Infected: Backdoor.Win32.Agobot.agw skipped
    C:\WINNT\system32\Perflib_Perfdata_484.dat Infected: Backdoor.Win32.Agobot.agw skipped
    C:\WINNT\system32\newexe.exe Infected: Backdoor.Win32.Agobot.agw skipped
    C:\lat.exe Infected: Backdoor.Win32.Agobot.agw skipped

    Scan process completed.
    Regards,


    As a gesture of gratitude please consider rating helpful posts. c",)

    Some stuffs: Mouse Hotkey | Compress file using SQL Server! | WPF - Rounded Combobox | WPF - Notify Icon and Balloon | NetVerser - a WPF chatting system

  12. #12
    Ex-Super Mod RobDog888's Avatar
    Join Date
    Apr 2001
    Location
    LA, Calif. Raiders #1 AKA:Gangsta Yoda™
    Posts
    60,710

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    Do an online scan at trendmicro , mcaffee or norton sites. hey are free.
    VB/Office Guru™ (AKA: Gangsta Yoda®)
    I dont answer coding questions via PM. Please post a thread in the appropriate forum.

    Microsoft MVP 2006-2011
    Office Development FAQ (C#, VB.NET, VB 6, VBA)
    Senior Jedi Software Engineer MCP (VB 6 & .NET), BSEE, CET
    If a post has helped you then Please Rate it!
    Reps & Rating PostsVS.NET on Vista Multiple .NET Framework Versions Office Primary Interop AssembliesVB/Office Guru™ Word SpellChecker™.NETVB/Office Guru™ Word SpellChecker™ VB6VB.NET Attributes Ex.Outlook Global Address ListAPI Viewer utility.NET API Viewer Utility
    System: Intel i7 6850K, Geforce GTX1060, Samsung M.2 1 TB & SATA 500 GB, 32 GBs DDR4 3300 Quad Channel RAM, 2 Viewsonic 24" LCDs, Windows 10, Office 2016, VS 2019, VB6 SP6

  13. #13
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,173

    Re: Virus: Win32/PEPatch (creating a newexe.exe)

    I found this on a forum I cannot link you to because it's in google's cache.

    turn off system restore...delete the"SRDISKID.DAT" in the _restore folder...either the one on c:\, d:\, e:\, ect. depends how many partitions and drives you have.
    check your msconfig startup items. Make sure there is not 2 IEXPLORE's running there. If there is, look to see if one has a zero (0) instead of an oh (o). Delete/disable it if it has a zero, as well as delete it's corresponding registry key.restart the computer.
    make sure you have a good software firewall to make sure it is not "sending out" any info.

    Virus Name: Rbot.FAY
    Pervasiveness:
    3 of 5
    Destructiveness:
    3 of 5
    Wildness:
    2 of 5
    Type: Worm
    Aliases: [Win32/]Rbot.FAY; [Win32/]Spybot.4wq!Worm (InoculateIT); [Win32/]Packed.Win32.PePatch.aw (Kaspersky); [Win32/]Rbot.FAY;

    Date Modified: 11-May-2006
    Date Published: 11-May-2006

    Description:

    Win32.Rbot.FAY is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.

    This particular variant of Rbot is distributed as a 71,578 byte, Win32 executable that exhibits the following specific characteristics:

    When executed this variant copies itself to the %System% directory as W1nUpdate.exe and makes the following modifications to the registry to ensure that this file is executed at each Windows system start:

    HKLM\Software\Microsoft\Wind ows\CurrentVersion\Run\Microsoft Windows Update Service = "w1nupdate.exe"
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Microsoft Windows Update Service = "w1nupdate.exe"

    Note: '%System%' and '%Windows%' are variable locations. The determines the location of these folders by querying the operating system. The default location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95,98 and ME is C:\Windows\System; and for XP is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  



Click Here to Expand Forum to Full Width