
Author Topic: Malware Infection  (Read 6769 times)


ThomasTheXPUser

Malware Infection
« on: July 25, 2009, 06:41:35 PM »
I ran a scan, and Avira AntiVir found TR/Patched.GY.12. When I search the net for this piece of malware, no results come up. I click the link Avira gives me and it says no results found. Any info about this malware is greatly appreciated. Thank you.

BSOD image source : ToastyTech IE is evil page
Can't sleep! Clowns will eat me!
There are 10 types of people in the world. Those who understand binary code and those who do not.

evilfantasy

  • Malware Removal Specialist
  • Moderator


Re: Malware Infection
« Reply #1 on: July 25, 2009, 06:54:31 PM »
TR/Patched is a generic description and could be multiple different threats. It's probably something found by Avira's behavior detection.

Quote
http://betatest.avira.com/products/products.php
Avira AntiVir ProActive is a new Avira technology for detecting malware based on its behavior. AntiVir ProActive is monitoring on-access those areas of your system, which are usually attacked by malware...

Can you get a log?

ThomasTheXPUser

Re: Malware Infection
« Reply #2 on: July 25, 2009, 07:01:00 PM »
Yes, sir. Here is the log.


Quote
Avira AntiVir Personal
Report file date: Saturday, July 25, 2009  16:54

Scanning for 1567743 virus strains and unwanted programs.

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows XP
Windows version : (Service Pack 3)  [5.1.2600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : OWNER-0977B156A

Version information:
BUILD.DAT       : 9.0.0.403     17961 Bytes    6/3/2009 17:05:00
AVSCAN.EXE      : 9.0.3.6      466689 Bytes   5/11/2009 17:14:47
AVSCAN.DLL      : 9.0.3.0       40705 Bytes   2/27/2009 18:58:24
LUKE.DLL        : 9.0.3.2      209665 Bytes   2/20/2009 19:35:49
LUKERES.DLL     : 9.0.2.0       12033 Bytes   2/27/2009 18:58:52
ANTIVIR0.VDF    : 7.1.0.0    15603712 Bytes  10/27/2008 20:30:36
ANTIVIR1.VDF    : 7.1.4.132   5707264 Bytes   6/24/2009 17:08:54
ANTIVIR2.VDF    : 7.1.4.253   1779200 Bytes   7/19/2009 17:09:16
ANTIVIR3.VDF    : 7.1.5.28     214528 Bytes   7/24/2009 17:09:20
Engineversion   : 8.2.0.228
AEVDF.DLL       : 8.1.1.1      106868 Bytes   4/30/2009 19:52:04
AESCRIPT.DLL    : 8.1.2.18     442746 Bytes   7/25/2009 17:09:43
AESCN.DLL       : 8.1.2.4      127348 Bytes   7/25/2009 17:09:41
AERDL.DLL       : 8.1.2.4      430452 Bytes   7/25/2009 17:09:40
AEPACK.DLL      : 8.1.3.18     401783 Bytes   5/28/2009 00:07:20
AEOFFICE.DLL    : 8.1.0.38     196987 Bytes   7/25/2009 17:09:37
AEHEUR.DLL      : 8.1.0.143   1864055 Bytes   7/25/2009 17:09:35
AEHELP.DLL      : 8.1.5.3      233846 Bytes   7/25/2009 17:09:25
AEGEN.DLL       : 8.1.1.50     352629 Bytes   7/25/2009 17:09:24
AEEMU.DLL       : 8.1.0.9      393588 Bytes   10/9/2008 22:32:40
AECORE.DLL      : 8.1.7.6      184694 Bytes   7/25/2009 17:09:21
AEBB.DLL        : 8.1.0.3       53618 Bytes   10/9/2008 22:32:40
AVWINLL.DLL     : 9.0.0.3       18177 Bytes  12/12/2008 16:47:59
AVPREF.DLL      : 9.0.0.1       43777 Bytes   12/5/2008 18:32:15
AVREP.DLL       : 8.0.0.3      155905 Bytes   1/20/2009 22:34:28
AVREG.DLL       : 9.0.0.0       36609 Bytes   12/5/2008 18:32:09
AVARKT.DLL      : 9.0.0.3      292609 Bytes   3/24/2009 23:05:41
AVEVTLOG.DLL    : 9.0.0.7      167169 Bytes   1/30/2009 18:37:08
SQLITE3.DLL     : 3.6.1.0      326401 Bytes   1/28/2009 23:03:49
SMTPLIB.DLL     : 9.2.0.25      28417 Bytes    2/2/2009 16:21:33
NETNT.DLL       : 9.0.0.0       11521 Bytes   12/5/2008 18:32:10
RCIMAGE.DLL     : 9.0.0.25    2438913 Bytes   5/15/2009 23:39:58
RCTEXT.DLL      : 9.0.37.0      86785 Bytes   4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, H:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium
Deviating risk categories...........: +SPR,

Start of the scan: Saturday, July 25, 2009  16:54

Starting search for hidden objects.
'66608' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '0' Module(s) have been scanned
Scan process 'sapisvr.exe' - '0' Module(s) have been scanned
Scan process 'soffice.exe' - '0' Module(s) have been scanned
Scan process 'firefox.exe' - '0' Module(s) have been scanned
Scan process 'oahlp.exe' - '0' Module(s) have been scanned
Scan process 'avgnt.exe' - '0' Module(s) have been scanned
Scan process 'oaui.exe' - '0' Module(s) have been scanned
Scan process 'ctfmon.exe' - '0' Module(s) have been scanned
Scan process 'explorer.exe' - '0' Module(s) have been scanned
Scan process 'GoogleUpdate.exe' - '0' Module(s) have been scanned
Scan process 'alg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '0' Module(s) have been scanned
Scan process 'spoolsv.exe' - '0' Module(s) have been scanned
Scan process 'oasrv.exe' - '0' Module(s) have been scanned
Scan process 'oacat.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
1 processes with 1 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!
Master boot sector HD1
    [INFO]      No virus was found!
Master boot sector HD2
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!
Boot sector 'H:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '59' files ).


Starting the file scan:

Begin scan in 'C:\' <Windows XP>
C:\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
    [NOTE]      This file cannot be opened for scanning.
C:\Documents and Settings\User\Ricks sidebaer\Sidebar.cab
    Archive type: CAB (Microsoft)
    --> wlsrvc.dll
      [DETECTION] Is the TR/Patched.GY.12 Trojan

Beginning disinfection:
C:\Documents and Settings\User\VistaSidebarReplica\Sidebar.cab
    [NOTE]      The file was moved to '4acfaa5a.qua'!


End of the scan: Saturday, July 25, 2009  17:57
Used time:  1:02:28 Hour(s)

The scan has been canceled!

   7785 Scanned directories
 278911 Files were scanned
      1 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      1 Files were moved to quarantine
      0 Files were renamed
      1 Files cannot be scanned
 278909 Files not concerned
   2803 Archives were scanned
      1 Warnings
      2 Notes
  66608 Objects were scanned with rootkit scan
      0 Hidden objects were found

PS: the scan cancelled because I accidentally pulled the plug on my PC; the cord is by a bed. I should probably redo the scan.

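An added example, not part of the thread or of Avira's tooling: a small Python parser for the report format posted above that pulls out each [DETECTION] together with the archive member it was found in, and cross-checks it against the "moved to quarantine" notes in the disinfection section. SAMPLE_REPORT is a constructed excerpt modelled on the posted log (the regular expressions, function names and the excerpt itself are my assumptions, not Avira's specification). It keeps the one detail worth noticing in that log: the detection is reported under "Ricks sidebaer" while the disinfection note names "VistaSidebarReplica".

```python
"""Pull detections and quarantine actions out of an Avira AntiVir scan report
and cross-check them against each other.

Added example, not code from the forum thread or from Avira. SAMPLE_REPORT is a
constructed excerpt modelled on the log posted in the thread.
"""
import re

SAMPLE_REPORT = """\
Begin scan in 'C:\\' <Windows XP>
C:\\pagefile.sys
    [WARNING]   The file could not be opened!
    [NOTE]      This file is a Windows system file.
C:\\Documents and Settings\\User\\Ricks sidebaer\\Sidebar.cab
    Archive type: CAB (Microsoft)
    --> wlsrvc.dll
      [DETECTION] Is the TR/Patched.GY.12 Trojan

Beginning disinfection:
C:\\Documents and Settings\\User\\VistaSidebarReplica\\Sidebar.cab
    [NOTE]      The file was moved to '4acfaa5a.qua'!
"""

MEMBER_RE = re.compile(r"^\s*-->\s*(.+?)\s*$")           # entry inside an archive
DETECT_RE = re.compile(r"\[DETECTION\]\s+Is the (\S+)")   # "Is the <name> Trojan"
QUARANTINE_RE = re.compile(r"\[NOTE\]\s+The file was moved to '([^']+)'")


def parse_report(text):
    """Return (detections, quarantined).

    detections: list of {"path", "member", "name"}; member is the archive entry
    or None for a plain file. quarantined: {path: quarantine file name}.
    """
    detections, quarantined = [], {}
    current = member = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Non-indented lines are section banners or the object being scanned.
            if line.startswith("Begin") or line.endswith(":"):
                current = member = None
            else:
                current, member = line.strip(), None
            continue
        m = MEMBER_RE.match(line)
        if m:
            member = m.group(1)
            continue
        m = DETECT_RE.search(line)
        if m and current:
            detections.append({"path": current, "member": member, "name": m.group(1)})
            continue
        m = QUARANTINE_RE.search(line)
        if m and current:
            quarantined[current] = m.group(1)
    return detections, quarantined


def cross_check(detections, quarantined):
    """Attach the quarantine entry for the same path to each detection.

    A detection whose path never appears in the disinfection section is
    'unresolved': the flagged file is still where the scanner found it (or the
    report is talking about a second copy), which is when a manual look is due.
    """
    rows = []
    for d in detections:
        qua = quarantined.get(d["path"])
        rows.append({**d, "quarantined_as": qua, "unresolved": qua is None})
    return rows


def orphan_quarantines(detections, quarantined):
    """Paths the report says were quarantined but never listed as detected."""
    detected = {d["path"] for d in detections}
    return sorted(p for p in quarantined if p not in detected)


if __name__ == "__main__":
    dets, qua = parse_report(SAMPLE_REPORT)
    for row in cross_check(dets, qua):
        state = "UNRESOLVED" if row["unresolved"] else "quarantined as " + row["quarantined_as"]
        print(f"{row['name']}: {row['path']} -> {row['member']}  [{state}]")
    for p in orphan_quarantines(dets, qua):
        print("quarantined without a matching detection:", p)
```

Run over a real report, an "unresolved" row means the flagged file is still on disk under the path the scanner reported, and an orphan quarantine entry means a copy you did not know about was handled instead. On the constructed excerpt both show up at once, which is the cue to check both folders rather than trust the single "1 Files were moved to quarantine" summary line.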

evilfantasy

Re: Malware Infection
« Reply #3 on: July 25, 2009, 10:48:18 PM »
Quote
*  Archive type: CAB (Microsoft)
--> wlsrvc.dll
[DETECTION] Is the TR/Patched.GY.12 Trojan

I don't know how to read Avira logs, but this looks like the culprit, wlsrvc.dll: http://www.threatexpert.com/files/wlsrvc.dll.html

Quote
Across all ThreatExpert reports, the file "wlsrvc.dll" has never been identified as a threat.

Have a look here: Suspicious Files and Miscellaneous Uploads. Look under False Positives for the instructions. I would submit the file to them for closer analysis. It's part of your Vista Sidebar.
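Before sending a suspected false positive off for analysis, it helps to know whether the flagged file differs from a known-clean copy at all and, if it does, where. A "Patched" verdict means the scanner believes a legitimate binary was modified, so the telling cases are a handful of changed bytes inside .text (a hooked function) or data appended past the last section (an overlay carrying a payload). The following is an added example, not code from the thread, from Avira or from ThreatExpert: it parses the PE section table, diffs a suspect file against a clean copy, attributes every changed range to a section, and reports the hashes a false-positive form asks for. It does not read the real wlsrvc.dll; build_pe() constructs toy PE32 images in memory as test data, and the function names are mine.

```python
# Added example (not Avira's or the forum's code): locate where a suspect PE
# differs from a known-clean copy, by section. build_pe() constructs toy PE32
# images in memory as test data; no real wlsrvc.dll is read.
import hashlib
import struct

SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections):
    """Minimal PE32 image from [(name, raw_bytes), ...]; constructed test data,
    enough header for a section-table walk but not a loadable module."""
    opt_size = 0xE0                                    # PE32 optional header size
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(sections)
    raw_ptr, va, table, bodies = _align(hdr_end, FILE_ALIGNMENT), 0x1000, b"", b""
    for name, body in sections:
        raw_size = _align(len(body), FILE_ALIGNMENT)
        table += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(body), 0x1000)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")  # PE32 magic, rest zeroed
    header = dos + b"PE\0\0" + coff + opt + table
    return header.ljust(_align(hdr_end, FILE_ALIGNMENT), b"\0") + bodies


def parse_sections(data):
    """[(name, raw_offset, raw_size), ...] read from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    base = e_lfanew + 24 + opt_size
    out = []
    for i in range(nsec):
        off = base + SECTION_HEADER_SIZE * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def diff_ranges(clean, suspect):
    """Half-open [start, end) ranges where the files differ; bytes past the
    shorter file count as different, so appended data is one trailing range."""
    n, ranges, start = max(len(clean), len(suspect)), [], None
    for i in range(n):
        same = i < len(clean) and i < len(suspect) and clean[i] == suspect[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    return ranges


def section_of(offset, sections, first_raw):
    """Section holding a file offset, or <headers> / <overlay> (data appended
    past the last section, a common place for a bolted-on payload)."""
    for name, ptr, size in sections:
        if ptr <= offset < ptr + size:
            return name
    return "<headers>" if offset < first_raw else "<overlay>"


def triage(clean, suspect):
    """Hashes (what a false-positive form asks for) plus every changed range,
    attributed to the section its first byte falls in."""
    sections = parse_sections(clean)
    first_raw = min((ptr for _, ptr, _ in sections), default=len(clean))
    return {
        "clean_sha256": hashlib.sha256(clean).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "size_delta": len(suspect) - len(clean),
        "modified": [(s, e, section_of(s, sections, first_raw))
                     for s, e in diff_ranges(clean, suspect)],
    }


def demo():
    """Constructed pair: 5 bytes overwritten in .text plus a 64-byte overlay."""
    clean = build_pe([(".text", bytes(range(256)) * 4), (".data", b"cleancfg\0" * 16)])
    patched = bytearray(clean)
    patched[0x200 + 100:0x200 + 105] = b"\xe9\x00\x10\x00\x00"
    patched += b"PAYLOAD" * 9 + b"\0"
    return triage(clean, bytes(patched))


if __name__ == "__main__":
    for start, end, where in demo()["modified"]:
        print(f"{start:#08x}-{end:#08x} changed in {where}")
```

To use it on a real case, read the clean copy (from installation media or a second machine running the same build) and the suspect copy as bytes and pass them to triage(). No differing ranges at all, combined with a clean copy you trust, is the strongest evidence to attach to a false-positive report; changes confined to .text or a new overlay are what the "Patched" family name is describing, and at that point the file goes to the vendor as a sample rather than as a false-positive claim.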

ThomasTheXPUser

Re: Malware Infection
« Reply #4 on: July 26, 2009, 11:23:44 AM »
I thought I removed the Vista Sidebar Clone. OK, thanks evilfantasy.


evilfantasy

Re: Malware Infection
« Reply #5 on: July 26, 2009, 12:03:17 PM »
Delete these two folders.

C:\Documents and Settings\User\Ricks sidebaer
C:\Documents and Settings\User\VistaSidebarReplica

ThomasTheXPUser

Re: Malware Infection
« Reply #6 on: July 26, 2009, 02:42:52 PM »
Deleted!
