Results 1 to 5 of 5

Thread: I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

  1. #1
    Beginner
    Registered since
    07.07.2006
    Posts
    3

    I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

    I was using an external hard drive of a friend and clicked on what looked like a folder icon. It turned out to be an exe file that has created havoc.
    First, it made multiple copies of itself with the same name as the residing folder and distributed itself throughout all of my drives. It then blocked my Folder option, task manager, registry editor, command prompt, as well as system recovery. It doesn't allow most antivirus software to install. In safe mode I can do nothing since a message comes as soon as I log on saying "corrupt boot sector" or something. I formatted the system, but the infected files are still here.

    HijackThis created this logfile.

    Logfile of HijackThis v1.99.1
    Scan saved at 5:43:54 PM, on 7/7/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system\wincirl.com
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\svch0st.exe
    C:\Documents and Settings\Nayana\Desktop\HijackThis.exe

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS/system32/SVCH0ST.EXE
    F3 - REG:win.ini: load=C:\WINDOWS/system/wincirl.com
    O4 - HKLM\..\Run: [Microsoft Agent] C:\WINDOWS\system32\SVCH0ST.exe
    O4 - Startup: Microsoft Common Items.com
    O4 - Global Startup: Microsoft Common Items.com
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe



    Kaspersky identified the infected files as being packed with PE_patch.PECompact packer, but did not find it a threat. Please help, I am going spare.

  2. #2
    Beginner
    Registered since
    07.07.2006
    Posts
    3

    Re: I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

    The trojan files are svch0st (with a zero for "O") and wincirl.
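
Added example, not part of the thread: a small triage pass over the HijackThis lines posted in #1 that flags the two things visible in that log, a file name that imitates a system binary by swapping a digit for a letter, and autostart entries in the F2 (Shell) and F3 (win.ini load/run) sections. The allow-list `KNOWN` and the rule names are assumptions made for this illustration.

```python
import re

# Lines copied from the HijackThis log in post #1 (process list trimmed).
LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system\wincirl.com
C:\WINDOWS\system32\svch0st.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS/system32/SVCH0ST.EXE
F3 - REG:win.ini: load=C:\WINDOWS/system/wincirl.com
O4 - HKLM\..\Run: [Microsoft Agent] C:\WINDOWS\system32\SVCH0ST.exe
O4 - Startup: Microsoft Common Items.com
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""

# Assumption: a small allow-list of genuine Windows system binary names.
KNOWN = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
         "winlogon.exe", "smss.exe", "spoolsv.exe"}
# Digits that stand in for look-alike letters (0 for o, 1 for l).
SWAPS = str.maketrans("01", "ol")
# File name component ending in .exe or .com (path separators excluded).
EXE = re.compile(r"([^\\/\s\]=:]+\.(?:exe|com))\b", re.I)


def triage(log):
    """Return a sorted list of (rule, detail) findings for a HijackThis log."""
    findings = set()
    for line in log.splitlines():
        line = line.strip()
        # Rule 1: name is not a known binary but becomes one after un-swapping.
        for name in EXE.findall(line):
            low = name.lower()
            if low not in KNOWN and low.translate(SWAPS) in KNOWN:
                findings.add(("lookalike-name", low))
        # Rule 2: Shell value carries anything besides explorer.exe.
        m = re.match(r"F2 - REG:system\.ini: Shell=(.*)", line, re.I)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.add(("shell-modified", m.group(1).strip()))
        # Rule 3: legacy win.ini load=/run= autostart is populated.
        m = re.match(r"F3 - REG:win\.ini: (load|run)=(.+)", line, re.I)
        if m:
            findings.add(("winini-autostart", m.group(2).strip()))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in triage(LOG):
        print(f"{rule:18} {detail}")
```
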

  3. #3
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

    Hello and Welcome to HijackThis.eu, Aankha

    Did you run HijackThis in Safe Mode? It's a very short logfile! We need HijackThis to be run in Normal Mode. We only fix in Safe Mode.

    There are different very dangerous malwares on this system, some of them seem to be new ones. Did you use any erasing program after formatting this system? Did you scan your data files before using them on your fresh system? Did you run updated software before reconnecting to the Internet?

    Well, let's have a better look at what's going on...

    1. Please download the filelist.zip to your desktop.
    2. Unzip this file to your desktop (free Zip-Tools)
    3. Restart your system
    4. Double-click the filelist.bat to run it
    5. Your editor program will open
    6. Highlight the content, choose copy & paste it into your following posting
    7. Please note: we only need the last 30 days of every directory of this file

    • Many Thanks to our Moderator Karl83 for creating this new tool.


    -----------------------
    For the greatest safety, it is recommended that
    you may not do online-banking, file-sharing, mailing, messaging,
    up- and downloads except to security sites
    until your system is formatted or cleaned up.
    Please remove the network cable/phone line from your machine
    since you are not cleaning up your system.
    Take a look to "Security Tips" in my signature.

    -----------------------

  4. #4
    Beginner
    Registered since
    07.07.2006
    Posts
    3

    Question Re: I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

    Thank you for the quick return.

    The logfile is from the normal mode. In safe mode, the system does not allow anything to be done, a dialog appears saying some boot sector is corrupt and to defragment the disk.

    The logfile is short because I just formatted the system and have not installed anything else. I killed most alien processes with HijackThis and then deleted all infected exes that I could find. It seems to have solved the problem for now. But I'm still not sure.

  5. #5
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.041

    Re: I have a Trojan packed with PE_patch.PECompact, how do I get rid of it??

    Hello Aankha

    I would like to see the files of the filelist.bat, please.
    Then we or I can help you to clean up your system.

    Thanks.
