Virus: Win32/patched.dx

Posted on 2010-11-30
Last Modified: 2013-12-06
Hi everyone,
I have a lenovo ideapad s10 with windows XP. Yesterday, my computer was running very slow so I went to task manager and killed some of the processes( on hindsight, I should not have)..the problem started like this: I would google something and when I clicked on the link, it would always redirect me to some weird pages. I had the Avg free edition version 9.0.872 
So when I proceeded to scan my computer for infections, I got the pop up and this threat detection in the virus vault:

file name: c:\windows\system32\drivers\IPSec.sys
threat name: virus identified Win32/Patched.DX
Object type: file
sdk type: core
result: object is white-listed(critical/system file that should not be removed)

moreover, now I cannot connect to the Internet. Additionally, OneKeyRecovery feature does not work. When I press the button (with computer turned off) , it simply turns it on..without the recovery options..

Please help! 
Question by:spirose
  • 3
  • 2
  • 2
  • +4
LVL 14

Expert Comment

ID: 34241047

Author Comment

ID: 34241229
I cannot connect to the Internet- is the Trojan limiting my access to the Internet?
LVL 14

Expert Comment

ID: 34241249
it could be...

i would say, do a boot scan with some anti virus (i use avast, that' pretty good boot scan)

or attach this hard drive to some other pc and scan through windows
LVL 23

Expert Comment

ID: 34241418
Try booting to Safe Mode with Networking, and then try to connect.

If you can, I would suggest a scan with Hitman Pro:

and TDSSKiller:

Then try to connect in normal mode. If you can, try an online scan with Eset:

Post the scan log here.
LVL 25

Expert Comment

ID: 34241509
as said before try do a boot scan with AV rescue CD, have  look @ Bootable antivirus Rescue CD

Bootable antivirus Rescue CD method consider as the most effective way to remove the virus, trojan and malware because it track down some viruses, trojans and other malware are embedded so tightly into your operating system that when you boot Windows the normal way.
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.


Author Comment

ID: 34242304
Thanks for the suggestions. Right now, I am in safe mode but I was still not able to access the Internet. I am using avg(as I had already installed it in my pc) 9.0 anti-virus command line scanner. How do I go on the links provided by some of you if I even can't connect to the Internet..
P.s I have a netbook hence no cd drive

Author Comment

ID: 34242779
Here is the gist of the log file avgrep.txt
(please bear with me as I am typing this via my phone)

AVG 9.0 Anti-Virus command line scanner
Copyright (c) 1992 - 2010 AVG Technologies
Program version 9.0.870, engine 9.0.871
Virus Database: Version 271.1.1/3287 2010-11-29

C:\Windows\system32\drivers\IPSec.sys virus identified Win32/Patched.DX
C:\Documents and Settings\MainUser\Local Settings\Temp\F1.tmp Trojan horse Agent2.BLQU object was moved to virus vault.
C:\Documents and Settings\MainUser\Local Settings\Temporary Internet Files\Content.IE5\7J4VK8EH\sun[1].db Trojan horse Generic19.ADXU  object was moved to virus vault.

Objects scanned: 228420
Found infections: 3
Found PUPS: 0
Healed infections: 2
Healed PUPS: 0
Warnings: 0

LVL 23

Accepted Solution

phototropic earned 500 total points
ID: 34244395
"...Right now, I am in safe mode ..."  My suggestion was Safe Mode with Networking, assuming you are behind a router.

AVG 9.0 is an old version of AVG - the latest version is AVG 10.0.1170. When you get connected again, you should upgrade.

You will need to download the tools I suggested in my first post using another working computer. Save them to a flash drive, then run them on the infected pc.

Another tool which would help is Combofix:

This tool will not run if AVG is installed. But you need to update your AVG, so you could uninstall it prior to running Combofix.
When you save it to a flash drive, be sure to rename it. Under "File Name" type "cf.bat" (without the quotes), and then change "Save as Type" from "Application" to "All Files".

When Combofix has completed, please post the log here.  And then install AVG 2011:

This is AVG's downloader. If you are installing from a flash drive, you will need the full exe file:

Please post any scan logs here.

Right now here in the UK it is 1.00am. I will check in again in 8 hours time.

Good luck!!!

LVL 31

Expert Comment

by:Paul Sauvé
ID: 34244579
Just out of curiosity, if you cannot access the Internet, how have you managed to get your questions posted? Another computer? ;-)

I am assuming that you must have limited Internet access, so you can go to HijackThis (or on a friend's computer) & download the application. Then install it on your laptop and run it. Copy the resulting log file & post it. Perhaps we can give you some guidance. Also, you can download & install some of the other suggested solutions, but most AVs' apps virus definitions are not up to date when you do a fresh install...


LVL 29

Expert Comment

by:Sudeep Sharma
ID: 34250601
I would recommend running sfc /scannow on command prompt.

Just make sure you have the Windows Media CD ready with you before you hit that command. That would replace/add any corrupted files/missing files on your system.


Expert Comment

by:Moose Mclinn
ID: 34251770

I've seen this before some trojens and bots will change your proxy settings to make you think you can't get to the internet.

1.Open Internet Explorer, click "Tools" and then click "Internet Options."

2.Click the "Connections" tab and then click on "LAN Settings."

3.Uncheck the box marked "Use a proxy server for this connection" and then hit the "OK" button. The changes you made will be immediately applied and IE will no longer use a proxy server to connect to the Internet.

... what some trojens do is set the proxy to  which is a loopback to the same machine.

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article summarizes using a simple matrix to map the different type of phishing attempts and its targeted victims. It also run through many scam scheme scenario with "real" phished emails. There are safeguards highlighted to stay vigilance and h…
This story has been written with permission from the scammed victim, a valued client of mine – identity protected by request.
A short film showing how OnPage and Connectwise integration works.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

929 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now