Need Help (Win32:Patched-I [Trj]

system · 2007-04-24T08:49:04.000Z

I was surfing a website and next thing you know my Avast picks up on a virus/trojan whatever, but before the pop-up option for me to take action would pop up, my system shut down and restarted. Everything seemed fine, so I restarted again, and that’s when my Avast picked up a virus:

KERNEL32.DLL contains sample of 'Win32:Patched-I [Trj]

I didn’t know what to do, so I moved it to the Chest. I spoke to a friend of mine, and he said Kernel32 was an important file. I called my Laptop provider and I restored it back to where it was. Later on, I ran Spybot Search and Destroy and it should’ve fixed everything, but unfortunately, it didn’t, and I had the same problem. A friend of mine that I know on Xbox Live told me I should probably reformat my system, but I told him I’ll leave that as the last available option, and I wanted to consult Avast and my Laptop manufacturer first before I did that. So is there anyway I can fix this problem without having to reformat my system? Because I really don’t know what to do.

FreewheelinFrank · 2007-04-24T11:08:46.000Z

Hi Balmung3000,

A Trojan should not be able to get onto your system while browsing if your OS and browser are up to date and you have a firewall up.

What is your OS- Win98, 2000, XP, Vista? What is your browser and is it up to date? Do you have Windows’ firewall up or a third-party firewall like Zone Alarm or Kerio?

KERNEL32.DLL is indeed an important system file- if found in the correct location. Malware often has the same name as a system file but is found in a different location. What location did avast! report for the malware? For example: C:\Windows\System32.

The fact that this was a Win32:patched detection suggests that the malware has infected the genuine windows file. Does avast! give you the option to repair?

Try the advice here:

http://www.f-secure.com/v-descs/trojan_win32_patched.shtml

(There is a clean version of Kernel32.dll backed up in the avast virus chest: if you can access your HD from another computer, you could replace the infected file with the clean backup, but try a System Restore first, if possible.)

EDIT: Re-reading your post, I see it’s a laptop, so removing the HD and running it as a slave in another computer won’t be an option.

Other options are to scan with AVG Anti-Spyware, a-Squared and DrWeb CureIT!, and see if they give you the option of repairing the infected file.

http://www.ewido.net/en/

http://www.emsisoft.com/en/software/free/

http://download.drweb.com/drweb+cureit/

Good luck!

PS: Secunia Software Inspector is an excellent way to check for outdated and vulnerable software that can allow Trojans onto your system via drive-by downloads:

http://secunia.com/software_inspector/

system · 2007-04-24T17:16:42.000Z

Avast quarantined a kernal32.dll on one of our PCs today as well. It was located here: c:\windows$NtServicePackUninstall$\kernal32.dll.

Could this be a false positive? I ran the file through http://www.virustotal.com/en/indexx.html, and only Avast claimed it was infected.

system · 2007-04-24T17:38:15.000Z

I’m using Windows XP. The Browser I’m using is Mozilla Firefox, and my firefox is up to date. The location of the Virus/Trojan/Malware is in C:\Windows\System32. So it is using the Kernel32.dll, Avast! does not give me the option to repair, it gives me the option to “Move/Rename” “Delete” or “Move to Chest”.

I haven’t used the programs you provided me with as of yet. Right now I’m going through all of my options, including contacting my Laptop Manufacturer to help me with System Restore, and to ask them on what I’ll need for formatting my Laptop. The only programs I’ve used so far are Spybot Search and Destroy, it scanned my system, and I marked to fix the errors or whatever it says to help me get rid of the malware/trojans whatever, and I restarted and still had the problem with Kernel32. I also used adaware to help me out, and that didn’t seem to work either. I haven’t used the programs you provided me yet, but I’ll try to use them.

@JBulcher

I don’t believe it’s a False Positive, I think maybe it depends on what infected the kernel32.dll. Last night I left my laptop on while I was sleeping to see what would happen, and I woke up in time to see that Internet Explorer opened up and tried to take me to some spam page maybe. This is something that has NEVER happened to me before, and it might have something to do with whatever is infecting the kernel32. Not only that, but after I woke up from a full night’s sleep. I came to the Avast Forum to see the response I got, and tried to download the programs that FreewheelinFrank provided me, but it would not allow me to download anything, not even through a download manager. I asked a friend of mine if he could download it for me, and send it to me through a chat program mIRC, but that didn’t work either. So I believe whatever might be infecting the kernel32.dll on my system might be using up my system resources as well over time, or it’s relying completely on my Internet Connection.

If I start up my laptop, and when the startup items on my desktop are loading up, my Avast will detect the Kernel32.dll problem IF my Internet is connected. I’m on a Cable Modem so I have connection all the time. However, if I disconnect my modem, and start it up, Avast won’t detect it, however, if I go into the folder where it’s located and scan the Kernel32.dll itself, it will detect the problem even offline. So that’s why I’m replying again to see if anyone else could help as well. However, I still haven’t done a System Restore yet and I’m trying to contact my System Manufacturer as well to help me out.

DavidR · 2007-04-24T18:00:23.000Z

@ JBulcher
Well the path looks somewhat strange as none of my security update NtUninstal files are in this format, see image, they relate to security update KBs. The file name is also wrong should be C:\windows$NtServicePackUninstall$\kernel32.dll not kernal32.dll unless this is a typo ?

It may well be an FP but possibly not, at worst it would mean you can’t uninstall a legitimate security update. Personally I weed out old security updates a few months after their installation if there are no problems with the update.

So long as the main C:\Windows\system32\kernel32.dll isn’t infected, then no real problem

FreewheelinFrank · 2007-04-24T18:00:43.000Z

System Restore is probably the thing to try first. It’s really not that difficult:

http://www.bleepingcomputer.com/tutorials/tutorial56.html

Spybot and Ad-Aware are more for spyware/adware infections; a-Squared, AVG Anti-spyware and CureIT! are more targeted at this sort of Trojan.

It really would be a good idea to scan with the Secunia scanner to check for the vulnerable application that might’ve allowed a drive-by install like this.

system · 2007-04-24T21:35:58.000Z

@ DavidR

I did mean kernel32.dll. Sorry for the confusion.

I think we’re just going to let this go. The directory may have been created during the install of service pack two (not sure on this, just positing it). It’s doubtful that we would need to roll back to service pack 1.

Good luck, Balmung3000!

DavidR · 2007-04-24T22:04:48.000Z

Your welcome.

If you ever have to roll back to SP1, you really are in trouble.
It may well be an FP but as you say the likelihood of needing to use it to uninstall a service pack is very, very slim. Removing it may well save you some considerable HDD space.

You will either need to add it to the avast exceptions or remove the uninstall entry or it could be detected again.

system · 2007-04-25T01:20:00.000Z

I think I’m going to reformat my system. My Laptap Manufacturer (IBM) said they could help me by reformatting my system to it’s Factory State, or something like that. I’m not really sure and can’t remember what exactly they said. I don’t have a Windows XP disc on me, so I’ll have to reformat my system using the method they told me. Still though, if there’s anyone here who have any ideas on what I could do, I’m still open to them.

system · 2007-04-25T01:39:06.000Z

Are you able to boot the computer to safe mode?

@ FreewheelinFrank & DavidR

What if the computer is booted to safe mode, kernel;32.dll is deleted with something like killbox or ice sword and immediately replaced with the copy in the chest? Would it work, or would we lose function before the file can be replaced? It would have to be killed with something that doesn’t require a reboot, I think.

system · 2007-04-25T04:26:35.000Z

DavidR post:5:

It may well be an FP but possibly not, at worst it would mean you can’t uninstall a legitimate security update. Personally I weed out old security updates a few months after their installation if there are no problems with the update.

This comment made me feel somewhat better. But not confident this was a FP or something about which I should have no concern.

I was “infected” yesterday, also. My first (detected) virus in almost a year. My OS is XP, I have ZA Personal, Ad Aware and Avast! and keep all updated. I also have various other security tools I run like CCleaner, Spyware Blaster, etc.

I run Avast! boot scans about once a week, sometimes more often. And My MS is set to automatic updates. So, I am pretty secure in that regard. As secure as one can be, anyway.

I hope Avast! issues more info on this particular detection. Thanks for the information thus far.

DavidR · 2007-04-25T11:54:51.000Z

mauserme post:10:

@ FreewheelinFrank & DavidR
What if the computer is booted to safe mode, kernel;32.dll is deleted with something like killbox or ice sword and immediately replaced with the copy in the chest? Would it work, or would we lose function before the file can be replaced? It would have to be killed with something that doesn’t require a reboot, I think.

If you check it isn’t the system32\kernel32.dll that is being reported as infected, but one contained in C:\windows$NtServicePackUninstall$\kernel32.dll, so there is no need to replace anything.

system · 2007-04-25T12:02:41.000Z

Balmung3000 post:4:

The location of the Virus/Trojan/Malware is in C:\Windows\System32.

I was thinking of Balmung3000’s situation : JBulcher’s path is as you posted.

That’s the difficulty with trying to work out more than one person’s problem in a single thread …

DavidR · 2007-04-25T12:09:23.000Z

Justinian post:11:

DavidR post:5:

It may well be an FP but possibly not, at worst it would mean you can’t uninstall a legitimate security update. Personally I weed out old security updates a few months after their installation if there are no problems with the update.

This comment made me feel somewhat better. But not confident this was a FP or something about which I should have no concern.

I also don’t have full confidence that it was a false positive, but it isn’t being detected in an active/working file, rather in what I would say is now a redundant uninstall function. That is where my being not being unduly concerned comes from.

If as you said you are unlikely every to require a roll back to pre service pack, then removal of the file would remove any nagging doubt that something in it might be infected. If however, you chose to use that file to revert to a pre service pack state then you may have an infected/suspect kernel32.dll file in use. This possibility would make me even more inclined to remove the uninstall service pack file.

However, it is your system I can only offer advice on what I would do, you have to choose what you would do.

Justinian post:11:

I was “infected” yesterday, also. My first (detected) virus in almost a year. My OS is XP, I have ZA Personal, Ad Aware and Avast! and keep all updated. I also have various other security tools I run like CCleaner, Spyware Blaster, etc.

I hope Avast! issues more info on this particular detection. Thanks for the information thus far.

Well you could start with some information like the malware name detected, the infected file name and its location, e.g. (malware name, C:\windows\system32\infected-file-name.xxx) ? Check the avast! Log Viewer (right click the avast icon), Warning section, this contains information on all avast detections.

From that it might be possible to find some information, but without it impossible. However with the multiple issues going on in this topic it would probably be best in a topic of its own to avoid further confusion.

DavidR · 2007-04-25T12:10:11.000Z

mauserme post:13:

Balmung3000 post:4:

The location of the Virus/Trojan/Malware is in C:\Windows\System32.

I was thinking of Balmung3000’s situation : JBulcher’s path is as you posted.

That’s the difficulty with trying to work out more than one person’s problem in a single thread …

Sorry your right it is getting confusing in the topic.

system · 2007-04-25T22:00:44.000Z

According to ADMN, this virus was found on 11 of 56 systems on my company’s weekly scan last night. The infection has been consistent: 1-3 copies of kernel32.dll on the system that wasn’t the in-use system32 copy. If it was a false positive, I would believe it would’ve appeared on most to all of the systems. The fact that it also infected files not in use is also telling, as well as the fact that Google searches on this virus indicate the false positive outbreak occurring back in January, not April. Use of Firefox vs. IE appears to not be a factor either, unless they tried to run something.

???

Announcements