WiredWX Hobby Weather Tools

 


win32/patched.GB does not want to go away after running MAM

2 posters

Hi there,

My AVG started popping up warnings every few seconds about the win32/patched.gb virus. I have gone into safe mode with networking - and downloaded MAM and it reveals that there are no viruses on my PC. But when I install AVG again... the windows start popping up. Any ideas?

Steve

Re: win32/patched.GB does not want to go away after running MAM

Hi. Welcome.

You have a bad infection. Let's see what we can do.

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them. If some of ComboFix's files are removed by AVG, it will not perform its routines properly and the developer has determined this can cause damaging or "unpredictable results". This is an issue with AVG and since it cannot be effectively disabled before running ComboFix, the developer has chosen not to allow his tool to run until AVG is uninstalled first in order to avoid any possible issues.


Run the AVG Removal tool. Read How to run AVG Remover Tool here.



Download Combofix from Bleepingcomputer or Geekstogo and place it on your Desktop

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Combofix may be slow to start and appear to be doing nothing before it starts scanning. Just leave it, it will start.

You can get help on disabling your protection programs here : http://www.bleepingcomputer.com/forums/topic114351.html

Please include the C:\ComboFix.txt in your next reply for further review.


Caution.....
Never use this program to remove files. Only use it with help from an experienced user. Wrongful use can damage your computer. This tool is not a toy and not for everyday use. ComboFix SHOULD NOT be used unless requested by a qualified helper.





combofix still running after 3 hours

Hi, in my quest to remove the win32/patched.gb virus I am running the ComboFix and it is still running after 3hrs. Is this normal? When can I expect it to end? Steve

Re: win32/patched.GB does not want to go away after running MAM

I think it's best to try running it in safe mode.

Re: win32/patched.GB does not want to go away after running MAM

How long should I expect it to take in the worst case scenario?

Re: win32/patched.GB does not want to go away after running MAM

About 10-15 minutes is about normal

Re: win32/patched.GB does not want to go away after running MAM

Hi there, I went into safe mode with networking... Ran the ComboFix and it started its thing and an hour later... it was still doing its thing.... Any other suggestions?

S

Re: win32/patched.GB does not want to go away after running MAM

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)



Re: win32/patched.GB does not want to go away after running MAM

Running the dr web as we speak. So far 2 cured and 2 deleted :-) now doing the second scan. What software do you run to monitor malware in the future? Any recommendations? I am getting a new PC in about a week and it will be running ultimate 64 bit. Any suggestions? Steve

Re: win32/patched.GB does not want to go away after running MAM

Hi there,

Here is the report...
dll;I:\WINDOWS\system32;Trojan.Hottrend.34;Deleted.;
zx.dll;I:\WINDOWS\system32;Trojan.Starter.1602;Deleted.;
YugmaPlugin.dll;I:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\827568A28AD44457A81ABC08309D7D62\lib;Program.RemoteAdmin.352;Incurable.Moved.;


Steve
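
Added example (not part of the original posts, and not Dr.Web's own tooling): a short Python triage of a report in the semicolon-separated layout pasted above, separating detections that were removed from those only moved to quarantine and still on disk. The field order (object; folder; threat; action) and the `Cured` status token are assumptions inferred from the lines in the post.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the three report lines quoted in the post above.
SAMPLE_REPORT = r"""dll;I:\WINDOWS\system32;Trojan.Hottrend.34;Deleted.;
zx.dll;I:\WINDOWS\system32;Trojan.Starter.1602;Deleted.;
YugmaPlugin.dll;I:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\827568A28AD44457A81ABC08309D7D62\lib;Program.RemoteAdmin.352;Incurable.Moved.;
"""


def parse_report(text):
    """Return one dict per detection line; blank or short lines are skipped."""
    rows = []
    reader = csv.reader(io.StringIO(text), delimiter=";", quoting=csv.QUOTE_NONE)
    for fields in reader:
        fields = [f.strip() for f in fields]
        if len(fields) < 4 or not fields[2]:
            continue
        name, folder, threat, action = fields[:4]
        # "Incurable.Moved." becomes {"incurable", "moved"}
        states = {s.lower() for s in action.split(".") if s}
        rows.append({"object": name, "folder": folder,
                     "threat": threat, "states": states})
    return rows


def triage(rows):
    """Group detections by what still has to be done about them."""
    buckets = defaultdict(list)
    for row in rows:
        if row["states"] & {"deleted", "cured"}:   # "cured" token is assumed
            key = "resolved"
        elif "moved" in row["states"]:
            key = "quarantined"    # copy remains in the quarantine folder
        else:
            key = "unresolved"     # e.g. incurable and not moved
        buckets[key].append(row)
    return dict(buckets)


if __name__ == "__main__":
    for status, items in triage(parse_report(SAMPLE_REPORT)).items():
        for item in items:
            print(f"{status:12} {item['threat']:28} {item['folder']}\\{item['object']}")
```
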

Re: win32/patched.GB does not want to go away after running MAM

As for recommendations try Avira.


Please download Malwarebytes' Anti-Malware from one of these places:

Majorgeeks or Besttechie


Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. Do so.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire report in your next reply.

Re: win32/patched.GB does not want to go away after running MAM

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5579

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

26/01/2011 12:20:05 AM
mbam-log-2011-01-26 (00-20-05).txt

Scan type: Quick scan
Objects scanned: 220937
Time elapsed: 25 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: win32/patched.GB does not want to go away after running MAM

Ok. All done. I see no more malware. Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


Go to :
Start > Run then copy and paste the following highlighted (blue) text below into the box and click OK.


ComboFix /uninstall






Over the course of the fix you've used a variety of special tools to help with the cleaning process - none of these are of any use to you now that you're clean, and it's best not to have them hanging around on your computer. OTC is a small program that removes all the leftover tools and logs from cleanup of malware.


Please download OTC to your desktop.


Double-click OTC to run it. (Vista users, please right click on OTC and select "Run as an Administrator")

Click on the CleanUp! button and follow the prompts.

You will be asked to reboot the machine to finish the Cleanup process, choose Yes.

After the reboot all the tools we used should be gone.
Note: Some more recently created tools may not yet be removed by OTC. Feel free to manually delete any tools it leaves behind.


Here are some tips to reduce the potential for malware infection in the future; I strongly suggest that you read them and take them to heart so that you don't have to endure the process of cleaning your computer again.

Afterwork

Malware Prevention

How Did I Get Infected

More Tips on Prevention

=============================


Re: win32/patched.GB does not want to go away after running MAM

Hi there,

This part did not work

Post 13- Re: win32/patched.GB does not want to go away after running MAM

New post by Pancake Today at 8:48 pm
Ok. All done. I see no more malware. Log looks good! All those detections are either in quarantine or system restore, both of which we'll be cleaning out in just a minute. Congratulations, well done.


Go to :
Start > Run then copy and paste the following highlighted (blue) text below into the box and click OK.


ComboFix /uninstall



and OTC does not have a hyperlink, so not sure what to download?

S

Re: win32/patched.GB does not want to go away after running MAM

Just click on the red OTC.
