Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: lister on September 24, 2008, 02:24:56 PM

Title: Win32:Patched-CK [trj] Explorer.EXE
Post by: lister on September 24, 2008, 02:24:56 PM
avast detects a virus in C:\WINDOWS\Explorer.EXE (Win32:Patched-CK [trj]),
yet I cannot remove/repair/delete it, either in Windows or at boot.

can anyone help?

ps: also lsass.exe
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: Maxx_original on September 24, 2008, 02:46:43 PM
Can you send these two files to www.virustotal.com for analysis?
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: lister on September 24, 2008, 03:02:47 PM
It's not just those two; it's also in svchost.exe and probably others, but I stopped the boot scan as it couldn't fix anything.

The internet doesn't work on that laptop, and I doubt my PC would allow copying infected system files.
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: Maxx_original on September 24, 2008, 04:14:14 PM
Your system seems to be compromised in a very dangerous way (necessary system files are infected). Have you tried to repair your installation from the restore point?
Title: Win32:PePatch-JV [Trj]
Post by: yoh on September 26, 2008, 04:35:27 PM
I got a similar case.
Trojan Horse was found in "C:\\WINDOWS\SYSTEM32\USER32.DLL file"

yet I cannot move/rename, delete, or move to chest.

please help....
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: Lisandro on September 26, 2008, 04:39:22 PM
> Trojan Horse was found in "C:\\WINDOWS\SYSTEM32\USER32.DLL file"
> yet cannot move/rename, delete, or move to chest
Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to the Chest instead of deleting them.
This way you can analyse them further.

See also: http://www.digitalred.com/avast-boot-time.php
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: yoh on September 26, 2008, 05:11:18 PM
I'm using Windows XP.
Whatever I choose (move to chest, or move/rename, or delete), either in Windows or in the boot-time scan,
it says "Cannot process "C:\\WINDOWS\SYSTEM32\USER32.DLL file" because the file is read only" :(
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: Lisandro on September 26, 2008, 06:15:17 PM
> "Cannot process "C:\\WINDOWS\SYSTEM32\USER32.DLL file" because the file is read only :(
Is C:\\ a typo for C:\?
At boot time, the scanner has full access to the system, even if the file is set as read-only.

Maybe if you follow the general cleaning procedures...

1. Use SUPERantispyware (http://www.superantispyware.com), MBAM (http://malwarebytes.org/mbam.php) or Spyware Terminator (http://www.spywareterminator.com/) to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
2. Test your machine with anti-rootkit applications (http://www.antirootkit.com/software/index.htm). I suggest avast! antirootkit (http://files.avast.com/files/beta/aswar.exe) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: stargazer on September 26, 2008, 07:09:18 PM
I'm getting the same Win32:Patched-CK reported in the following files.

explorer.exe
lsass.exe
regscanexe
services.exe
spoolsv.exe
svchost.exe

I'm not convinced that they are infected, as Windows File Protection (sfc /scannow) does not report that they are bad.

Doug
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: DavidR on September 26, 2008, 07:53:55 PM
What location are they in?

If you want convincing (one way or the other), check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner (http://www.virustotal.com/) and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield: Customize, Advanced, Add, type (or copy and paste) C:\Suspect\*. That will stop the Standard Shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451 (http://forum.avast.com/index.php?topic=34950.msg293451#msg293451), how to report it to avast! and what to do to exclude them until the problem is corrected.
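Added example, not from the thread or from avast: a PowerShell triage script for the files named above that reports each copy's location, its Authenticode/catalog signature status and a SHA-256 hash that can be looked up on VirusTotal without uploading the file. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and that the expected directories are the standard Windows ones; the file list is the one stargazer posted.

```powershell
# Added example, not from the thread: triage the flagged Windows binaries by location,
# signature status and SHA-256 so "patched" vs. "false positive" can be decided with evidence.
# Assumes Windows PowerShell 4.0+ (Get-FileHash). File names are the ones posted in the thread.

$Suspects = 'explorer.exe', 'lsass.exe', 'services.exe', 'spoolsv.exe', 'svchost.exe'

function Get-ExpectedDir([string]$Name) {
    # explorer.exe normally lives in %SystemRoot%; the others belong in System32
    if ($Name -ieq 'explorer.exe') { $env:SystemRoot } else { Join-Path $env:SystemRoot 'System32' }
}

function Test-SuspectFile([string]$Name) {
    $results = @()
    # Search the whole Windows tree so a copy sitting outside its normal folder shows up too
    $found = Get-ChildItem -Path $env:SystemRoot -Filter $Name -Recurse -File -ErrorAction SilentlyContinue
    foreach ($file in $found) {
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $dir  = $file.DirectoryName
        $inPlace = $dir -ieq (Get-ExpectedDir $Name)
        # Servicing copies under WinSxS, dllcache or ServicePackFiles are normal duplicates
        $servicing = $dir -match '\\(WinSxS|dllcache|ServicePackFiles)(\\|$)'
        $verdict = if ($sig.Status -eq 'Valid' -and ($inPlace -or $servicing)) { 'ok' }
                   elseif ($sig.Status -eq 'Valid') { 'signed-but-misplaced' }
                   elseif ($sig.Status -eq 'HashMismatch') { 'TAMPERED' }
                   else { 'unsigned-look-up-hash' }
        $results += [pscustomobject]@{
            Path      = $file.FullName
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            SHA256    = $hash
            Verdict   = $verdict
        }
    }
    $results
}

# Print one row per copy found; paste the SHA256 into VirusTotal's search to check it
$Suspects | ForEach-Object { Test-SuspectFile $_ } |
    Format-Table -AutoSize Path, Signature, Verdict, SHA256
```

On older Windows versions Get-AuthenticodeSignature does not consult the system catalogs, so a NotSigned result there is not conclusive on its own (hence the hash lookup), whereas a HashMismatch or a copy outside its expected directory is.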
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: Lisandro on September 26, 2008, 09:21:30 PM
It does not seem to be a false positive...
The location (path), as David said, is essential here: sfc won't correct files in other folders (than the original ones).
Title: Re: Win32:Patched-CK [trj] Explorer.EXE
Post by: wyrmrider on September 27, 2008, 01:58:43 AM
yoh,
do the avast scan in safe mode, then start on TECH's list.
Post any results in a new thread in the Virus and Worms forum.
Thanks.


1. Use SUPERantispyware: update, scan, clean, quarantine.
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
Post the log in the new thread.

MBAM: update, scan, put a check next to any baddies and then click REMOVE SELECTED.
Post the log.
While you are at the Malwarebytes.org website, run the FREE Rogue Remover and post the log.

Do you have any other good scanners on your system like Spybot?

2. Test your machine with anti-rootkit applications, e.g. Trend Micro RootkitBuster.
(You should already have run avast with a boot-time scan.)