Avast detects a virus in C:\WINDOWS\Explorer.EXE (Win32:Patched-CK [trj]),
yet I cannot remove/repair/delete it, either in Windows or at boot.
Can anyone help?
PS: also lsass.exe
Can you send these two files to www.virustotal.com for analysis?
It’s not just those two; it’s also in svchost.exe and probably others, but I stopped the boot scan as it couldn’t fix anything.
The internet doesn’t work on that laptop and I doubt my PC would allow copying infected system files.
Your system seems to be compromised in a very dangerous way (necessary system files are infected)… Have you tried to repair your installation from the restore point?
I got a similar case
Trojan Horse was found in “C:\WINDOWS\SYSTEM32\USER32.DLL file”
yet cannot move/rename, delete, or move to chest
please help…
Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can further analyse them.
I’m using Windows XP
whatever I choose (move to chest, or move/rename, or delete), either in Windows or boot-time scanning,
it said "Cannot process “C:\WINDOWS\SYSTEM32\USER32.DLL file” because the file is read only"
Is it C:\ a typo of C:\ ?
At boot time, the scanner has full access to the system, even if the file is set as read-only.
Maybe if you follow the general cleaning procedures…
I’m getting the same Win32:Patched-CK reported in the following files.
explorer.exe
lsass.exe
regscan.exe
services.exe
spoolsv.exe
svchost.exe
I’m not convinced that they are infected, as Windows File Protection (sfc /scannow) does not report that they are bad.
Doug
What location are they in ?
If you want convincing (one way or the other), check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.
Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect\* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.
If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.
It does not seem a false positive event…
The location (path), as David said, is essential here: sfc won’t correct files in other folders (than the original ones).
yoh
do the avast scan in safe mode then start on TECH’s list
post any results in a new thread in the Virus and Worms forum
thanks
MBAM: update, scan, put a check next to any baddies and then click REMOVE SELECTED
post the log
while you are at the Malwarebytes.org website, run the FREE Rogue Remover - post the log
Do you have any other good scanners on your system like Spybot?