So, as many of you know I fix and repair computers. Well it just so happened that a person had the Patched-CK virus. Which is just about impossible to fix and usually needs a format and reinstall of windows, but I decided I want to clean this computer up without having to reformat, since i did not have the windows XP PRO cd. I am not sure where i left the CD, but hopefully i can find it soon.

Please do not attempt unless you know what you are doing and have EVERYTHING backed up.

Anyway, this virus infects the computer terribly bad, I think it even replaces main components of windows. Avast saw these files as infected:

c:\windows\system32\winlogon.exe
c:\windows\system32\svchost.exe
c:\windows\system32\services.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\lsass.exe
c:\windows\explorer.exe

I First used combofix to clean up the computer as much as possible. I then installed updated and ran SpyBot Search and Destroy. This cleared the system very well. I then ran Avast on boot. For some reason all the virus protectors would not boot well so i had to go into safe mode to run these.

That cleared the system up except for those 6 files i mentioned above. It was very irritating to try and figure out how to replace these files without having anything to really replace them with. The explorer was easy to replace and it seemed to have worked. I put in the windows XP home edition CD into the CD Drive and killed explorer.exe and replaced it with the one inside their, of course i backed up the virus explorer.exe just in case it didn’t work. it did work and explorer.exe was free from viruses.

For the rest, i could not do what i did with explorer.exe cause those files are running at all times. i did a search through all hidden folders throughout the hard drive for any file named lsass.ex*. it found 2 files. I then did a search for the rest while putting them in a folder called backup1 and backup2, since their were 2 files with the same name. I scanned backup1 folder which contained a copy of the windows\system32 files and it came up as a virus. i then scanned the backup2 folder which contained same files except from another directory. At this time i do not remember the directory they were in. They came up as not having a virus. So i decided I was going to replace these files.

I did a restart and booted from windows CD and hit “r” to going into the recovery console. It will look just like DOS. Oh yea, before going into this, i recommend erasing all passwords from all user accounts. I then set some rules in windows recovery to allow me to do whatever i feel. You can see the rules by typing in “set” without quotes then pressing enter. I typed in “SET AllowAllPaths = TRUE” without quotes, then entered. This allowed me to enter any place I wanted to in the hard drive. I then entered these commands:

delete "c:\windows\system32\winlogon.exe"
delete "c:\windows\system32\svchost.exe"
delete "c:\windows\system32\services.exe"
delete "c:\windows\system32\spoolsv.exe"
delete "c:\windows\system32\lsass.exe"

each one was came with no errors. I then replaced with the good copies i found by entering this:

copy "c:\backup2\winlogon.exe" "c:\windows\system32\winlogon.exe"
copy "c:\backup2\svchost.exe" "c:\windows\system32\svchost.exe"
copy "c:\backup2\services.exe" "c:\windows\system32\services.exe"
copy "c:\backup2\spoolsv.exe" "c:\windows\system32\spoolsv.exe"
copy "c:\backup2\lsass.exe" "c:\windows\system32\lsass.exe"

Then simply typed in “exit” without quotes and the computer restarted. Uninstalled Avast and reinstalled, and ran a scan. It did find those bad virus copies. I didn’t have the virus scanner delete them just yet, cause I want to do some testing on them.

After I did all of that the system was back up and running with no errors. You gotta love technology. This all took me awhile to figure out how to do it, but if you find that you where able to get rid of it too through my post here, let me know. But please be advised this is at your OWN risk. I do not want to be held liable for any actions you take. But let me know if you got it fixed!!!