Can't remove virus

Farhan

Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options. The
only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.


What do I do?

Thanks in advance


Farhan
 
Cari (MS-MVP)

Format the hard drive and reinstall.

You can also try an online virus scan at other antivirus manufacturers'
websites.
 
Mark Adams

Farhan said:
Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options. The
only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.

Run antivirus scans from Safe Mode. Download Malwarebytes and Spybot Search
and Destroy as well.
 
Kayman

Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options. The
only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.

What do I do?

There aren't any 'good' on-line scanners out there!
On-line scanners are the most unsafe and next to useless, because by the
time you've started your infected Windows and connected to the Internet via
this infected code base, and started to look for scanning sites through
infected DNS, you are almost certain to have the malware perfectly
positioned to overrule your attempts to clean it. What happens if active
malware is found? Don't expect that the on-line scanner will do anything
about it. Most of them are just marketing tools for selling you their
products. Quite often, malware removal on the NT based OS (Win 2K and XP)
is far from easy. Sometimes a (good) resident AV can deal with it in Safe
Mode.

Other reasons to stay away from on-line scanners are:
1. You have to use IE on a very low security setting - ActiveX is required.
2. Many users will lower security in the Internet Zone to use the service
and then forget to set the Internet Zone back to the highest possible
security - which is the only way that IE should be set.
3. Scanning should be performed while off-line.
4. Vulnerabilities in several virus scanners
http://www.heise-online.co.uk/secur...n-several-virus-scanners-Update--/news/112301

Also, according to Trend Micro, a surfer using a search engine such as
Google, with a search string such as 'free online virus scan by Trend
Micro', can end up on a spoofed version of HouseCall by clicking the link
returned by Google. Not surprisingly, the spoofed site informs users their
computers are infected with malware, and then teases them to purchase a
fake anti-virus application in order to remove the fake threat.

Therefore:
'Stand-Alone' Anti-Virus scanning tools are *impressively better and
safer*, because you don't have to be on-line to use them (they have no
dependencies on using a web browser to perform their function), and they
also can be used in Safe Mode.

Download David's MULTI_AV.EXE directly:
http://www.pctip.ch/ds/28400/28470/Multi_AV.exe
or
http://212.98.39.7/ds/28400/28470/Multi_AV.exe
or
http://www.pctip.ch/downloads/dl/35905.asp
or
http://212.98.39.7/downloads/dl/35905.asp
or
English:
http://www.raymond.cc/blog/archives/2008/01/09/scan-your-computer-with-multiple-anti-virus-for-free/

Download/execute
Malwarebytes© Corporation - Anti-Malware
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
--and--
SuperAntispyware - Free
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
--and/optional--
Kaspersky® Virus Removal Tool
http://devbuilds.kaspersky-labs.com/devbuilds/AVPTool/
http://www.kaspersky.com/support/viruses/avptool?level=2
--and/optional--
Dr.Web CureIt!® Utility - FREE
http://www.freedrweb.com/cureit/
--and/optional--
a-squared Free or a-squared Command Line Scanner
http://www.emsisoft.com/en/software/download/
--and/optional--
BitDefender10 Free Edition (*NOT FOR VISTA*)
http://www.bitdefender.com/site/Downloads/browseEvaluationVersion/1/42/

NOTE:
Kaspersky® Virus Removal Tool, Dr.Web CureIt!®, the free version of
Malwarebytes© and SuperAntispyware are not capable of real-time protection
of your computer.
Kaspersky® Virus Removal Tool and Dr.Web CureIt!® have no update feature (so
they don't turn into full blown scanners). As soon as your computer is
cleaned you are supposed to remove these tools from your operating system
and revert back to your (updated) resident (real-time) AV application.
Re: Kaspersky® Virus Removal Tool: to uninstall/move this program, 'enable
self-defense' must be unchecked!
The free version of Malwarebytes© and SuperAntispyware have an update
feature; keep them installed in addition to your resident AV/A-S
applications and scan frequently.

To scan your computer with the most up-to-date Kaspersky® AVPTool and
Dr.Web CureIt!® virus databases next time, you should download new
Kaspersky® AVPTool and Dr.Web CureIt!® packages.

After the software is updated, it is suggested scanning the system in both
Normal Mode and Safe Mode (note: according to D. Cook, co-author of MBAM,
"Malwarebytes actually performs better in Normal Mode").
How to start Windows in Safe Mode?
By pressing/tabbing F8 (or F5 on some keyboards) during re-boot.
A description of the Safe Mode Boot options in Windows XP
http://support.microsoft.com/default.aspx?scid=315222
Start your computer in safe mode (Vista)
http://windowshelp.microsoft.com/Windows/en-us/help/323ef48f-7b93-4079-a48a-5c58eec904a11033.mspx
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Alternatively:
Click Start==>Run... then type (or copy/paste) "msconfig" (without
quotation marks), click OK. Then click onto the BOOT.INI tab and 'check'
/SAFEBOOT then OK and click Restart. To go back to Normal Mode, you must
access the System Configuration utility again and click the General tab,
then click/check the radio button 'Normal Startup - load all device drivers
and services'.

Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.
Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above-mentioned fora before posting
an HJT log; read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Good luck :)
 
David H. Lipman

From: "Farhan" <[email protected]>

| Avast has reported to me a virus found in kernel32.dll named
| win32:patched-KX[Tn] trojan horse.
| But I can't remove it using the move/rename/delete/move to chest options. The
| only thing I can do is NO ACTION.
| Generally it activates if I start a program, i.e. a browser, Notepad etc.
|
| What do I do?
|
| Thanks in advance
|
| Farhan

This is not a virus. Even the name indicates that it is a "trojan horse" and not a
virus.

The .DLL was patched meaning code was inserted, prepended or appended to the DLL.

The DLL needs to be REPLACED with a known good clean DLL.

This may be done in the Recovery Console or by placing the drive in a surrogate PC as a
"D:" drive.
 
Guest

What are you talking about Cari? Utter nonsense

--
SPAMCOP User




Cari (MS-MVP) said:
Format the hard drive and reinstall.

You can also try an online virus scan at other antivirus manufacturers'
websites.


--
Cari (MS-MVP)
Windows Technologies - Printing & Imaging
http://www.coribright.com/windows


Farhan said:
Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options. The
only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.


what do i do?

thanx in advance


Farhan
 
Guest

The trojan has plugged itself into Winlogon, hence when you run Explorer...
it activates it.

As Dave said, replace it with one that is safe; however, the Recovery Console
won't allow you to do that as the kernel will be in use. So, the second
suggestion of plugging it in as a slave device is the simplest option you
have.

You will probably need to register the new DLL after unregistering the
existing one as the registry information will be different.

Another way is to suspend the kernel with Sysinternals' Process
Explorer, then change the DLL, but this method may just shut the machine down.
 
Elmo

Farhan said:
Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options. The
only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.


What do I do?

thanx in advance

Though I can't guarantee this will replace the corrupted file, here's
something else you can try:

Burn BitDefender, or another program listed at the link below, to a CD
(using a working machine) and test the infected machine with it:

http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/

Then run this program:

Malwarebytes© Corporation
http://www.malwarebytes.org/mbam/program/mbam-setup.exe
 
Twayne

Farhan said:
Avast has reported to me a virus found in kernel32.dll named
win32:patched-KX[Tn] trojan horse.
But I can't remove it using the move/rename/delete/move to chest options.
The only thing I can do is NO ACTION.
Generally it activates if I start a program, i.e. a browser, Notepad etc.


what do i do?

thanx in advance


Farhan

If I've pieced it together right, and I may not have, this is a
previously "fake" trojan used to infect machines to get people to buy
removal tools and has recently been revised to become an actual trojan.
In most places it seems to be a trojan, not a virus.

From the lack of data around for it, I'd guess this is a fairly new
event. The rotten part is, if I'm right, it has modified/replaced or
otherwise damaged one or more DLLs your system needs to run. Many AV
programs reportedly won't offer to fix the problem since quarantine etc.
of those DLLs would crash the machine.

F-Secure seems to have the most data on it, at least from my meager
research:

http://www.f-secure.com/v-descs/trojan_win32_patched.shtml :
Trojan:W32/Patched

Name : Trojan:W32/Patched
Category: Malware
Type: Trojan
Platform: W32

Summary
Files detected as "Trojan.Win32.Patched" are usually Windows components
that are patched by a malicious application. The purpose of patching
varies. For example, certain malware patches system components in order
to disable security, such as the Windows Safe File Check feature. Other
malware can add parts of its code to a system component and then patch
certain functions of the original file to point to an appended code. The
most frequently patched components are:

winlogon.exe
wininet.dll
kernel32.dll
iexplore.exe

Disinfection
It is not advised to delete, rename or quarantine patched Windows
components because it may affect system stability. Even though Windows
locks its main files while it is active, it might be still possible to
affect them.

If your F-Secure Anti-Virus detected a certain file as
Trojan.Win32.Patched, please first try to select the "Disinfect" action.
In this case, F-Secure Anti-Virus will create a copy of a patched file,
try to restore its contents, and then it will add a renaming command
into the Windows Registry in order to replace the patched file with a
cleaned one during the next Windows startup.

In case the approach described above fails, try to restore one of the
recent System Restore points. In many cases a patched system component
will be replaced with a clean one. Before restoring a System Restore
point it is advised to back up all personal data to avoid losing it when
Windows rolls back to a previously saved state.

Windows Installation discs contain a repair option. Boot from the CD and
select the option to repair. Again, it is advised to backup your
personal data.

If nothing helps to clean a patched system component, the last resort
is to attach a hard drive with a patched file as slave to a similar
Windows-based system, boot up and replace the patched file with a file
taken from a clean system. Note that a file used for replacement must be
the same version as the patched file! This operation should be done by an
experienced computer technician only.
Additional Details
Achtung: False Positive Notification

The 2008-11-04_04 database contained a false positive on a German
language Windows XP Service Pack 2 file called User32.dll.

The detection was named Trojan.Win32.Patched.dn and is resolved in the
2008-11-04_06 update.

If you were alerted to Trojan.Win32.Patched.dn, please make sure that
you have the most current update, and that User32.dll has not been
renamed.

The User32.dll is located in the C:\WINDOWS\system32 folder.

------------------------------------

At this point I would recommend the malwarebytes etc. that have already
been mentioned since this is primarily a trojan and not really a virus.
They may be faster and better at finding it. BEWARE: DO NOT quarantine
or delete .dll files until you have replacements or known good originals
for them or have a boot disk to let you reinstall them.

If those failed, then I'd say visit a few reputable web sites like
Symantec, McAfee and F-Secure, find their online scans and run those.
I'd do them last because they're rather time consuming.

Much as I hate to say it, if none of the above helps, it's probably time
to consider rebuilding the whole drive from scratch, delete & recreate
partitions and start over.

HTH,

Twayne
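As an added example (not code from this thread or from any of the tools it names), here is a small Python check for the kind of tampering David Lipman's reply and the F-Secure description above talk about: it reads the PE section table, reports any data appended past the last section (an overlay), and compares the file's SHA-256 against a same-version copy taken from a clean system. The PE images are constructed in memory so the script runs offline; on a real file you would read the bytes from disk and pass the clean copy's hash.

```python
import hashlib
import struct

def section_extent(data):
    """Offset where the last section's raw data ends, per the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # section table start
    end = table + 40 * nsect                                     # headers at minimum
    for i in range(nsect):  # SizeOfRawData / PointerToRawData sit at +16 / +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end

def inspect(data, known_good_sha256=None):
    """Bytes appended past the sections (overlay) plus a hash check against a
    same-version copy taken from a clean system (None when no hash is given)."""
    overlay = len(data) - section_extent(data)
    digest = hashlib.sha256(data).hexdigest()
    match = None if known_good_sha256 is None else digest == known_good_sha256
    return {"sha256": digest, "overlay_bytes": overlay, "hash_matches": match}

def build_pe(sections, overlay=b""):
    """Constructed minimal PE32 image for the demo (not a real DLL)."""
    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x2102)
    ptr = e_lfanew + 24 + opt_size + 40 * len(sections)
    table, raw = b"", b""
    for name, body in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(body), ptr, len(body), ptr,
                             0, 0, 0, 0, 0x60000020)
        raw += body
        ptr += len(body)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table + raw + overlay

# Constructed sample: a clean image, and the same image with code appended.
SECTIONS = [(b".text", b"\xC3" * 64), (b".data", b"\0" * 32)]
APPENDED = b"\xE8" + b"\x90" * 39  # stand-in for appended code
CLEAN, PATCHED = build_pe(SECTIONS), build_pe(SECTIONS, APPENDED)

if __name__ == "__main__":
    good = hashlib.sha256(CLEAN).hexdigest()  # hash of the clean same-version copy
    print("clean:  ", inspect(CLEAN, good))
    print("patched:", inspect(PATCHED, good))
```

An overlay by itself is not proof of tampering (Authenticode-signed binaries legitimately carry one), so treat it as a prompt for the hash comparison, and compare only against a copy of the exact same file version, as the F-Secure text insists.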
 
