Win32:Patched-CK [trj] Explorer.EXE

avast detects a virus in C:\WINDOWS\Explorer.EXE (Win32:Patched-CK [trj]),
yet I cannot remove/repair/delete it, either in Windows or at boot.

Can anyone help?

PS: also lsass.exe

Can you send these two files to www.virustotal.com for analysis?

It’s not just those two; it’s also in svchost.exe and probably others, but I stopped the boot scan as it couldn’t fix anything.

The internet doesn’t work on that laptop, and I doubt my PC would allow copying infected system files.

Your system seems to be compromised in a very dangerous way (necessary system files are infected)… Have you tried to repair your installation from the restore point?

I got a similar case:
Trojan Horse was found in “C:\WINDOWS\SYSTEM32\USER32.DLL file”

yet I cannot move/rename, delete, or move it to the chest

Please help…

Are you using Windows XP/Vista?
Can you schedule a boot-time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning.
Select for scanning archives.
Boot.
If infected files are found, it’s safer to send them to Chest instead of deleting them.
This way you can analyse them further.

See also: http://www.digitalred.com/avast-boot-time.php

I’m using Windows XP.
Whatever I choose (move to chest, or move/rename, or delete), either in Windows or in boot-time scanning,
it said: Cannot process “C:\WINDOWS\SYSTEM32\USER32.DLL file” because the file is read only :frowning:

Is it C:\ a typo of C:\ ?
At boot time, the scanner has full access to the system, even if the file is set as read-only.

Maybe if you follow the general cleaning procedures…

  1. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  2. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

I’m getting the same Win32:Patched-CK reported in the following files.

explorer.exe
lsass.exe
regscanexe
services.exe
spoolsv.exe
svchost.exe

I’m not convinced that they are infected, as Windows File Protection (sfc /scannow) does not report that they are bad.

Doug

What location are they in?

If you want convincing (one way or the other), check the offending/suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here. You can’t do this with the file securely in the chest, you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C:\ drive, e.g. C:\Suspect. Now exclude that folder in the Standard Shield, Customize, Advanced, Add, type (or copy and paste) C:\Suspect* That will stop the standard shield scanning any file you put in that folder. You should now be able to export any file in the chest to this folder and upload it to VirusTotal without avast alerting.

If it is indeed a false positive, see http://forum.avast.com/index.php?topic=34950.msg293451#msg293451, how to report it to avast! and what to do to exclude them until the problem is corrected.

It does not seem a false positive event…
The location (path), as David said, is essential here: sfc won’t correct files in other folders (than the original ones).

Yoh,
do the avast scan in safe mode, then start on TECH’s list.
Post any results in a new thread in the Virus and Worms forum.
Thanks

  1. Use SUPERantispyware, update scan Clean Quarantine
    If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
    Post the log in a new thread.

MBAM: update, scan, put a check next to any baddies and then click REMOVE SELECTED.
Post the log.
While you are at the Malwarebytes.org website, run the FREE Rogue Remover and post the log.

Do you have any other good scanners on your system like Spybot?

  1. Test your machine with anti-rootkit applications. Trend Micro RootkitBuster.
    (You should already have run avast with a boot-time scan.)