Jump to content

a-squared free detected Trojan.Win32.Patched.aa!A2 in explorer.exe !

Recommended Posts


Very people in internet have the same problem on last days (a-squared free detected Trojan.Win32.Patched.aa!A2 in C\windows\explorer.exe). It is false positive or is um malware patched in explorer.exe ?

This is my a-squared HiJackFree log :

Lista do Processo salvada em 01:32:54, ligada 9/12/2009

Plataforma: Windows XP Service Pack 3 (Windows NT 5.1.2600)

[pid] [caminho para o arquivo] [versão do arquivo] [empresa]

4076 C:\Arquivos de programas\a-squared HiJackFree\a2hijackfree.exe Emsi Software GmbH

244 C:\Arquivos de programas\a-squared Free\a2service.exe Emsi Software GmbH

1272 C:\Arquivos de programas\Lavasoft\Ad-Aware\aawservice.exe 7,1,0,12 Lavasoft

2256 C:\WINDOWS\System32\alg.exe 5.1.2600.5512 Microsoft Corporation

1048 C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

1496 C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

1104 C:\Arquivos de programas\COMODO\COMODO Internet Security\cfp.exe 3, 12, 111745, 560 COMODO

900 C:\Arquivos de programas\COMODO\COMODO Internet Security\cmdagent.exe 3, 12, 111745, 560 COMODO

560 C:\WINDOWS\system32\csrss.exe 5.1.2600.5512 Microsoft Corporation

1108 C:\WINDOWS\system32\ctfmon.exe 5.1.2600.5512 Microsoft Corporation

1784 C:\WINDOWS\Explorer.EXE 6.00.2900.5512 Microsoft Corporation

640 C:\WINDOWS\system32\lsass.exe 5.1.2600.5512 Microsoft Corporation

820 C:\WINDOWS\system32\pctspk.exe 1, 0, 0, 1

1408 C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

628 C:\WINDOWS\system32\services.exe 5.1.2600.5755 Microsoft Corporation

644 C:\Arquivos de programas\SiteAdvisor\6253\SiteAdv.exe

492 C:\WINDOWS\System32\smss.exe 5.1.2600.5512 Microsoft Corporation

1368 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.5512 Microsoft Corporation

812 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation

860 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation

928 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation

1192 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation

1232 C:\WINDOWS\system32\svchost.exe 5.1.2600.5512 Microsoft Corporation

1676 C:\WINDOWS\System32\svchost.exe 5.1.2600.5512 Microsoft Corporation

4 N/A

0 N/A

856 C:\Arquivos de programas\Spybot

1476 C:\Arquivos de programas\USBKVM Switcher\USBKVM.exe

412 C:\WINDOWS\system32\wdfmgr.exe 5.2.3790.1230 Microsoft Corporation

584 C:\WINDOWS\system32\winlogon.exe 5.1.2600.5512 Microsoft Corporation

2708 C:\WINDOWS\system32\wscntfy.exe 5.1.2600.5512 Microsoft Corporation

3004 C:\WINDOWS\system32\wuauclt.exe 7.4.7600.226 Microsoft Corporation

Link to post
Share on other sites

Hi ORGUMN, and welcome to the forum.

There is no such "problem" currently.

Can you please be more specific.

a-squared does not flag C:\windows\explorer.exe

As for HiJackFree you may mix the real detection and the yellow/red faced indications, which are just the notifications that "it could be" or was indeed flagged in the past as being infected.

Be very careful with this Tool - it is for experienced users only!

So, do not make the decisions based on what you are seeing unless you are sure and have such experience.

You may run on-line full scan;

provide the link to the result and ask the certified malware removal specialist to review the log file

What you showed is just a report of Processes List

Here is an extract from my report and the Explorer.exe

...652	C:\WINDOWS\Explorer.EXE		6.00.2900.5512	Microsoft Corporation
3744	C:\Program Files\Mozilla Firefox\firefox.exe	Mozilla Corporation...

Why you are concluding that it's infected based on what you posted?

It would be nice if you've saved a-squared scan report with "Trojan.Win32.Patched.aa!A2" detection

My regards

P.S. Please do not use Inline posting of reports (your report is incomplete anyway)

Attach log file(s) or the link as it was suggested above

Read Forum Posting Rules and provide information about the system as in #2)

Link to post
Share on other sites


There is this problem with various individuous in the internet.

The a-squared free show me this infection !!! but, i do not know to save the log of the a-squared free software then, i only posted: " a-squared free detected Trojan.Win32.Patched.aa!A2 in C\windows\explorer.exe " and the log of the a-squared HiJackFree for helpful.

Anothers detection softwares do not detect this malware in my system. The same occur with others friends here in Brazil.

Here in Brazil, everybody think that is a false positive but, i want to have conviction with you of the EMSI software.

I will to try a on-line scan, Thanks.

Link to post
Share on other sites

Hi ORGUMN, and thanks for reply.

I hope you understand that from what you posted & from my example - no conclusion can be made that Explorer was flagged

Sure please try on-line scan and saving that report bit be careful and do not make "fast decisions" as it was suggested above.

As for

...The a-squared free show me this infection !!! but, i do not know to save the log of the a-squared free...

Please see the attached image.

That is the button you have to use after the scan finished and then please save and attach the report here

Regarding the HiJackFree as in your initial request other 2 attached images are those "Yellow & Red Faces" I was talking about

My regards

Link to post
Share on other sites


Thanks. My a-squared free log:

a-squared Free - Version 4.5

Last update: 5/12/2009 19:07:54

Scan settings:

Scan type: Deep Scan

Objects: Memory, Traces, Cookies, C:\

Scan archives: On

Heuristics: Off

ADS Scan: On

Scan start: 11/12/2009 00:53:05

[1460] C:\WINDOWS\Explorer.EXE detected: Trojan.Win32.Patched.aa!A2


Files: 347

Traces: 652961

Cookies: 2

Processes: 31


Files: 0

Traces: 0

Cookies: 0

Processes: 1

Registry keys: 0

Scan end: 11/12/2009 00:56:28

Scan time: 0:03:23

Link to post
Share on other sites


Please follow the posting rules and attach the report instead of in-line posting.

Provide the info about the system as it was asked in the 1st reply.

The Deep Scan of just 347 files that lasts only 3 minutes(!?)

... that is something I've never seen yet :unsure:

Anyway the update of a-square was done

Last update: 5/12/2009 19:07:54
but the scan was run on

In addition the report was edited Please don't do that...

The Software has to be updated ... but irrespectively despite some questions about the report - submit the flagged Explorer to EMSI developers from the detection list for analysis - that is the only way to find the truth

My regards

Link to post
Share on other sites
  • 3 months later...

I have the same problem.

A-square reports only:

[1764] C:\WINDOWS\Explorer.EXE In Quarantaine Trojan.Win32.Patched.aa!A2

In Quarantaine

Bestanden: 0

Sporen: 0

Cookies: 0

Removing this infection is reported to be impossible.

Checks with other scanners (Ad-Aware, Malwarebyte's Anti-Malware, Spybot) do not report this infection.

I am using Wi XP prof servicepack 3, Eset NOD32 antivirus and a firewall.



Link to post
Share on other sites

Hi corneille, welcome to the forum

1) a-squared does not flag Explorer here.

Are you scanning with the latest updated signatures?

2) Irrespectively please submit the file to EMSI developers for analysis

3) be very careful and don't attempt to quarantine such vital system file even if it was compromised by malware. Read this Sticky

4) if you received a message from a2 about inability to quarantine/delete and or your system is misbehaving


Read the following instructions

START HERE, if you don't we are just going to send you back to this thread <--click

Prepare and post (attach) the required log files into Malware Removal section of the forum

(create new thread there)

Wait for reply from ShadowPuterDude, Katana, or JeanInMontana

for assistance and further instructions.


Translation Links for Forum Instructions

My regards

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Create New...