Author Topic: Win32:Patched-CK [trj] Explorer.EXE  (Read 10735 times)


lister

  • Guest
Win32:Patched-CK [trj] Explorer.EXE
« on: September 24, 2008, 02:24:56 PM »
avast detects a virus in C:\WINDOWS\Explorer.EXE (Win32:Patched-CK [trj])
yet i cannot remove/repair/delete it, either in windows or at boot.

can anyone help?

ps: also lsass.exe
« Last Edit: September 24, 2008, 02:44:25 PM by lister »

Offline Maxx_original

  • Avast team
  • Super Poster
  • Posts: 1479
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #1 on: September 24, 2008, 02:46:43 PM »
Can you send these two files to www.virustotal.com for analysis?

lister

  • Guest
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #2 on: September 24, 2008, 03:02:47 PM »
It's not just those two; it's also in svchost.exe and probably others, but I stopped the boot scan as it couldn't fix anything.

The internet doesn't work on that laptop, and I doubt my PC would allow copying infected system files.
« Last Edit: September 24, 2008, 03:05:06 PM by lister »

Offline Maxx_original

  • Avast team
  • Super Poster
  • Posts: 1479
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #3 on: September 24, 2008, 04:14:14 PM »
Your system seems to be compromised in a very dangerous way (necessary system files are infected). Have you tried to repair your installation from a restore point?

yoh

  • Guest
Win32:PePatch-JV [Trj]
« Reply #4 on: September 26, 2008, 04:35:27 PM »
I got a similar case.
Trojan Horse was found in "C:\\WINDOWS\SYSTEM32\USER32.DLL file"

yet cannot move/rename, delete, or move to chest

please help....

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #5 on: September 26, 2008, 04:39:22 PM »
Trojan Horse was found in "C:\\WINDOWS\SYSTEM32\USER32.DLL file"
yet cannot move/rename, delete, or move to chest
Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it's safer to send them to Chest instead of deleting them.
This way you can further analyse them.

See also: http://www.digitalred.com/avast-boot-time.php
The best things in life are free.

yoh

  • Guest
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #6 on: September 26, 2008, 05:11:18 PM »
I'm using Windows XP.
Whatever I choose (move to chest, or move/rename, or delete), either in Windows or in the boot-time scan,
it said "Cannot process "C:\\WINDOWS\SYSTEM32\USER32.DLL file" because the file is read only" :(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #7 on: September 26, 2008, 06:15:17 PM »
"Cannot process "C:\\WINDOWS\SYSTEM32\USER32.DLL file" because the file is read only :(
Is C:\\ a typo for C:\ ?
At boot time, the scanner has full access to the system, even if the file is set as read-only.

Maybe if you follow the general cleaning procedures...

1. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
2. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

stargazer

  • Guest
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #8 on: September 26, 2008, 07:09:18 PM »
I'm getting the same Win32:Patched-CK reported in the following files.

explorer.exe
lsass.exe
regscanexe
services.exe
spoolsv.exe
svchost.exe

I'm not convinced that they are infected, as Windows File Protection (sfc /scannow) does not report that they are bad.

Doug

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #9 on: September 26, 2008, 07:53:55 PM »
What location are they in?

If you want convincing (one way or the other), check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can't do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #10 on: September 26, 2008, 09:21:30 PM »
It does not seem a false positive event...
The location (path), as David said, is essential here: sfc won't correct files in other folders (than the original ones).
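The two questions the replies above keep coming back to are where the flagged images actually live (sfc only protects copies in the original system folders) and what VirusTotal says about them. The PowerShell script below is an added example, not something posted in this thread or shipped with avast!: it lists the running processes named in the thread, shows the image path each one was started from, flags any path outside %SystemRoot%, checks the Authenticode status, and computes a SHA-256 hash that can be searched on VirusTotal without uploading the file. The process-name list is taken from stargazer's post; everything else (helper name, output columns) is the example's own choice. It assumes PowerShell 2.0 or later on an XP-era or newer Windows, run from an elevated prompt so that ExecutablePath is readable for lsass.exe and services.exe.

```powershell
# Added example (not from the thread): locate, hash and signature-check the
# system processes named in the thread so the findings can be reported.
$names  = 'explorer.exe','lsass.exe','services.exe','spoolsv.exe','svchost.exe'
$winDir = $env:SystemRoot   # e.g. C:\WINDOWS

# Hypothetical helper: SHA-256 of a file as lowercase hex, via .NET so it also
# works on PowerShell 2.0 where Get-FileHash does not exist.
function Get-Sha256Hex([string]$path) {
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

Get-WmiObject Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { $path = '(no path: run elevated)' }
        $exists    = Test-Path -LiteralPath $path
        # A legitimate copy of these images lives under %SystemRoot%; anything
        # else (temp folders, user profiles) is the first thing to report.
        $inWinDir  = $exists -and $path.ToLower().StartsWith($winDir.ToLower())
        $sigStatus = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
        $hash      = if ($exists) { Get-Sha256Hex $path } else { 'n/a' }
        New-Object PSObject -Property @{
            Process   = $_.Name
            PID       = $_.ProcessId
            InWinDir  = $inWinDir
            Signature = $sigStatus
            Path      = $path
            SHA256    = $hash
        }
    } |
    Sort-Object Process |
    Format-Table Process, PID, InWinDir, Signature, Path, SHA256 -AutoSize
```

Read the output with two caveats. A path outside the Windows directory is a strong signal on its own, but a `NotSigned` status is not: on Windows XP most system binaries are catalog-signed rather than carrying an embedded signature, and older PowerShell versions report them as NotSigned. The SHA-256 column is the useful part: pasting the hash into VirusTotal's search shows whether that exact file has already been analysed, which sidesteps the problem in the thread of not being able to copy the infected file off the machine.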

wyrmrider

  • Guest
Re: Win32:Patched-CK [trj] Explorer.EXE
« Reply #11 on: September 27, 2008, 01:58:43 AM »
yoh
do the avast scan in safe mode then start on TECH's list
post any results in a new thread in the Virus and Worms forum
thanks


1. Use SUPERantispyware: update, scan, clean, quarantine.
If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
post log in new thread

MBAM: update, scan, put a check next to any baddies and then click REMOVE SELECTED.
Post the log.
While you are at the Malwarebytes.org website, run the FREE Rogue Remover and post the log.

Do you have any other good scanners on your system like Spybot?

2. Test your machine with anti-rootkit applications. Trend Micro RootkitBuster.
(you should already have run Avast with Boot time Scan)