
WIN32/PePatch virus

Status
Not open for further replies.

aastratech, Technical User, GB, Aug 15, 2006
Hi,

I have a virus, WIN32/PePatch, detected by my AVG software, but it keeps coming back.
The symptoms are that my PC is running slow and the web browser closes after around 15 mins and I have to reconnect.
Any ideas how to kill this virus?

Thanks in advance!!
 
Download the 3 programs below:

Eusing Free Registry Cleaner

AVG Anti-Spyware

CCleaner

Run CCleaner first, then AVG Anti-Spyware, and delete anything it finds. Disable System Restore and then run the registry cleaner. Restart in normal mode and download HijackThis from the link below.

Open it up, choose "Do a system scan and save a logfile" and post the logfile on here. Do not attempt to fix anything in HijackThis unless you know what you are doing, as not everything it shows is bad.

There is a point in wisdom and knowledge that when you reach it, you exceed what is considered possible - Jason Schoon
 
Hope this helps;

Logfile of HijackThis v1.99.1
Scan saved at 16:04:40, on 22/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ericsson\BMS\Server\bmsService.exe
C:\Program Files\Ericsson\BMS\Server\_jvm\bin\javaw.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Ericsson\CLink\MD30COMM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\Common Files\EricssonShare\DMI\ServiceProvider\bin\Win32sl.exe
C:\Program Files\Ericsson\CLink\CLINK.EXE
C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.EXE
C:\Program Files\Common Files\EricssonShare\DMI\CIManager\CiMgrLdr.exe
C:\Program Files\Common Files\EricssonShare\DMI\CIManager\CIMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TFNF5.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterConfig.exe
C:\Program Files\BitTorrent_DNA\dna.exe
c:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\mRouterRuntime.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.28.128.30:8080
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet Helper - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [mRouterConfig] "c:\Program Files\Intuwave Ltd\Shared\mRouterRunTime\mRouterConfig.exe"
O4 - HKCU\..\Run: [Sky Alerts] "C:\Program Files\Sky Alerts\skinker.exe"
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Search - ?p=ZNxmk696YYGB
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) -
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) -
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) -
O16 - DPF: {6EE191E2-27A7-4036-AA79-D9AA6C98C5E2} - md/ecc%5Finstall/default.cab
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) -
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) -
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} -
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) -
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = SONNET.SONERIC.COM
O17 - HKLM\Software\..\Telephony: DomainName = SONNET.SONERIC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = SONNET.SONERIC.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = SONNET.SONERIC.COM,SONERIC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = SONNET.SONERIC.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = SONNET.SONERIC.COM,SONERIC.COM
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = SONNET.SONERIC.COM,SONERIC.COM
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BusinessPhone Management Suite (BMSService) - Ericsson Austria GmbH - C:\Program Files\Ericsson\BMS\Server\bmsService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - (no file)
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Ericsson ClockSync (ClockSync) - Ericsson Enterprise AB - C:\Program Files\Common Files\EricssonShare\ClokSync.exe
O23 - Service: CTI Link - Ericsson, Inc. - C:\Program Files\Ericsson\CLink\CLINK.EXE
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Ericsson BackStage Server - - c:\program files\ericsson\backstageserver80\bsserver80.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel CI Manager - Unknown owner - C:\Program Files\Common Files\EricssonShare\DMI\CIManager\CiMgrLdr.exe
O23 - Service: Ericsson IP Service (IP Service) - Ericsson Enterprise AB - C:\DNA_C\SHARE\BIN\ipservice.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ericsson LDS (LDS) - Ericsson Enterprise AB - C:\DNA_C\SHARE\BIN\lds.exe
O23 - Service: Ericsson LFS (LFS) - Ericsson Enterprise AB - C:\DNA_C\SHARE\BIN\lfs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: MD30 Communications Server - Ericsson, Inc. - C:\Program Files\Ericsson\CLink\MD30COMM.EXE
O23 - Service: Ericsson PBX Service (PBXService) - Ericsson Enterprise AB - C:\DNA_C\OWS\BIN\PBXService.exe
O23 - Service: RVS CommCenter (RvsCC) - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCC.EXE
O23 - Service: RvscomSv - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSCOMSV.EXE
O23 - Service: RVS Installer (RVSINST) - Living Byte Software GmbH, Munich - C:\Program Files\RVS\WCOM\SYSTEM\RVSINST.EXE
O23 - Service: Ericsson SCS (SCS) - Ericsson Enterprise AB - C:\DNA_C\SHARE\BIN\scs.exe
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
O23 - Service: Win32sl - Intel - C:\Program Files\Common Files\EricssonShare\DMI\ServiceProvider\bin\Win32sl.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
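Since the advice in this thread is to post the log rather than fix entries blindly, here is a small triage script, added as an example and not code from the thread or from HijackThis itself, that parses the section-coded entry lines of a v1.99.1 log and flags what a reviewer looks at first: registrations whose file is gone, services with no vendor string, a configured browser proxy, and autostarting remote-control tools. The sample entries are copied from the log above; the flag names and the Entry dictionary layout are this example's own.

```python
import re

# Constructed sample in HijackThis v1.99.1 format; the entries are copied from
# the log posted above, so paths and CLSIDs are the ones in that log.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 172.28.128.30:8080
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\RealVNC\\WinVNC\\WinVNC.exe" -servicehelper
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM Inc. - (no file)
O23 - Service: Intel CI Manager - Unknown owner - C:\\Program Files\\Common Files\\EricssonShare\\DMI\\CIManager\\CiMgrLdr.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\\Program Files\\RealVNC\\VNC4\\WinVNC4.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse_hjt_log(text: str) -> list[dict]:
    """Parse HijackThis entry lines into dicts with section, body, clsid and review flags."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header and running-process lines carry no section code
        section, body = m.group("section"), m.group("body")
        clsid = CLSID_RE.search(body)
        flags = []
        # Hook whose target binary is gone: a leftover to clean up, or a component
        # that was removed while its registration stayed behind.
        if "(no file)" in body or "(file missing)" in body:
            flags.append("dangling")
        # Service with no vendor string: confirm the binary before trusting it.
        if section == "O23" and "Unknown owner" in body:
            flags.append("unknown-owner")
        # A browser proxy is either a legitimate corporate setting or a way to
        # redirect traffic; it should match what the network admin expects.
        if section == "R1" and "ProxyServer" in body:
            flags.append("proxy-set")
        # Remote-control software that autostarts: normal on a managed PC, but
        # worth confirming it was installed deliberately.
        if section in ("O4", "O23") and re.search(r"vnc|pcanywhere", body, re.I):
            flags.append("remote-access")
        entries.append({"section": section, "body": body,
                        "clsid": clsid.group(0) if clsid else None, "flags": flags})
    return entries

def flagged(entries: list[dict]) -> list[dict]:
    """Entries a reviewer should look at first, in log order."""
    return [e for e in entries if e["flags"]]
```

Running `flagged(parse_hjt_log(SAMPLE_LOG))` on the full log above would surface the two "(file missing)" services, the dangling BHO and Bluetooth service, the proxy, and the VNC/pcAnywhere entries, which is the short list to verify before asking anyone to "fix" anything.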
 