Win32:Patched-KO [Trj] - Help please!

Hey,
I’m fixing a computer for my friend and it has a virus. His avast says: “A Trojan Horse Was Found!” and when I press Delete… or Move to chest it says: “Cannot process “C:\WINDOWS\SYSTEM32\KERNEL32.DLL” file.” INFO: File name: C:\WINDOWS\SYSTEM32\KERNEL32.DLL, Malware name: Win32:Patched-KO [Trj], Malware type: Trojan Horse, VPS version: 091027-0, 27.10.2009.
Please help me!!
Kind regards gujo

Hey, and welcome to the forum, gujo. I suggest you scan your friend’s computer with MBAM and SAS.

http://filehippo.com/download_superantispyware/
http://filehippo.com/download_malwarebytes_anti_malware/

Good luck, and write back if you get problems.

Isn’t this what the system backup files are for?

Is there a repair option?
Can you restore the file from the virus chest?

I think this happens because the file is in use; maybe the Avast boot-time scan can remove it: http://www.digitalred.com/avast-boot-time.php
Also run the programs suggested by mikaelrask.

Hi gujo,

I’ll explain a bit about what spgSCOTT is aiming at.

This Trojan infected a system file, Kernel32.dll.

Infecting Kernel32.dll
Virus writers have written several Win32 viruses that attack kernel32.dll, which most PE applications load and use to access the most important Win32 API set, such as file functions. These viruses work by patching the export address of one exported API (e.g., GetFileAttributesA) to point into the virus code that the virus has appended to the end of the DLL image. Because 32-bit DLLs use the PE file format, virus writers can easily infect this type of file. These viruses can be per process resident (i.e., the viruses run actively as part of a process or several processes). As a result, each process that uses kernel32.dll, which is any process that uses the basic Win32 file functions and directory functions, links to the virus code. The infected DLL attaches to every program that has kernel32.dll imports. Whenever the application calls the API with the attached virus code, the virus code gets control in the address spaces of the infected application.

Every system DLL contains a pre-calculated checksum that the linker places in the DLL’s PE header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If the calculated checksum doesn’t match the checksum in the DLL’s header, the system loader stops with an error message at the blue screen during system boot. However, this doesn’t mean that a virus writer can’t implement such a virus for NT. The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll infection. As a result, the virus ran on NT. The Win32/Kriz virus also used this method and uses the CIH damage routine, but the damage routine doesn’t work under NT because the virus runs in Ring3 (user mode).

Best way: turn off System Restore. Unplug the computer from the net (from the back). Then boot into safe mode and scan for viruses like normal. Then restart your computer. Turn System Restore back on. Then insert your OS CD, go to Start, click on it, go to Run, click on Run, and type sfc /scannow. Be sure that after you type sfc you hit the space bar once, then type the rest of the command.
It will repair any damage done to your OS. It will take a while, so be patient.

Also read this: http://www.threatexpert.com/files/kernel32.dll.html

polonus
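To make the point in polonus’s post about the PE header checksum concrete, here is an added Python example; it is not code from this thread, from avast, or from the article polonus quotes. It builds a small constructed PE32 header in memory (no sections, just enough structure for the checksum logic), computes the image checksum the way the Windows loader and imagehlp’s CheckSumMappedFile do, and compares it with the CheckSum field stored at offset 0x40 of the optional header. It then flips one byte of the image, as any on-disk modification of the DLL would, and shows the check failing. The sample image, the `patch_byte` helper and the function names are all assumptions of this example.

```python
"""Compute and verify the PE image checksum that the loader compares
against the CheckSum field in the optional header (added example, not
part of the forum thread)."""
import struct

DOS_HEADER_SIZE = 64
PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
PE32_OPTIONAL_HEADER_SIZE = 224
CHECKSUM_FIELD_OFFSET = 0x40   # CheckSum sits at +0x40 in both PE32 and PE32+ optional headers


def checksum_field_offset(data: bytes) -> int:
    """File offset of the CheckSum field, after validating the MZ and PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + len(PE_SIGNATURE) + COFF_HEADER_SIZE + CHECKSUM_FIELD_OFFSET


def stored_checksum(data: bytes) -> int:
    """The CheckSum value the linker (or whoever last wrote the file) stored in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def compute_checksum(data: bytes) -> int:
    """Image checksum: sum every 32-bit dword except the CheckSum field itself,
    folding carries back in, fold the result to 16 bits, then add the file length."""
    skip_offset = checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)       # files need not be dword-aligned
    total = 0
    for offset in range(0, len(padded), 4):
        if offset == skip_offset:                   # the field being checked is excluded
            continue
        total += struct.unpack_from("<I", padded, offset)[0]
        if total >= 1 << 32:                        # fold the carry out of bit 32
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def verify_checksum(data: bytes) -> bool:
    """True when the stored field matches the checksum of the bytes on disk."""
    return stored_checksum(data) == compute_checksum(data)


def with_checksum(data: bytes, value: int) -> bytes:
    """Return a copy of the image with the CheckSum field set to value."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", value) + data[off + 4:]


def build_sample_image() -> bytes:
    """Constructed minimal PE32 DLL header (no sections) with a valid checksum."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, DOS_HEADER_SIZE)          # e_lfanew -> PE signature
    # Machine=i386, 0 sections, timestamp/symbols zero, PE32 optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, PE32_OPTIONAL_HEADER_SIZE, 0x2102)
    opt = bytearray(PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    image = bytes(dos) + PE_SIGNATURE + coff + bytes(opt)
    return with_checksum(image, compute_checksum(image))


def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Modify one byte, standing in for any tampering with the file on disk."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


if __name__ == "__main__":
    clean = build_sample_image()
    print("clean image  :", hex(stored_checksum(clean)), verify_checksum(clean))
    tampered = patch_byte(clean, len(clean) - 1, 0x90)
    print("patched image:", hex(stored_checksum(tampered)), verify_checksum(tampered))
```

Pointing `verify_checksum` at a real file (`open(path, "rb").read()`) gives the same yes/no answer the loader would. The caveat that matters for this thread: the checksum is a plain sum, not a signature, so a matching value only tells you the file was written consistently, not that it is the genuine Microsoft binary; the post’s remark that Win32/Heretic implemented “proper” kernel32.dll infection on NT is exactly that limitation. A mismatch is a strong tamper signal, but for a clean verdict you still want the catalog signature check that sfc /scannow performs.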