Guest antioch
Posted December 26, 2008

Acer Extensa 5620z running WIN XP PRO SP3 updated to Oct.
I am part way through installing security/criticals on my son's notebook.

Avast Home 4.8 Free has thrown up a virus alert - File name C:\WINDOWS\SYSTEM32\USER32.DLL.
Malware name Win32.SysPatch[Wm]
I have done a Google but cannot spot anything of meaningful consequence.
Avast's suggested recommendation is to place it in the 'chest' - when attempted I am told that this cannot be done because the file is 'read only'.

There was no trace of this suspected virus prior to starting updating and the computer has not been connected to any website since the last virus scan.
I have looked in the event viewer which is showing nothing since June 2008 - seems strange?
Is this what might be called a 'false positive'?

Rgds
Antioch
Guest David H. Lipman
Posted December 26, 2008

From: "antioch" <antioch@home.com>

| Acer Extensa 5620z running WIN XP PRO SP3 updated to Oct.
| I am part way through installing security/criticals on my son's notebook.
|
| Avast Home 4.8 Free has thrown up a virus alert - File name C:\WINDOWS\SYSTEM32\USER32.DLL.
| Malware name Win32.SysPatch[Wm]
| I have done a Google but cannot spot anything of meaningful consequence.
| Avast's suggested recommendation is to place it in the 'chest' - when attempted I am told that this cannot be done because the file is 'read only'
|
| There was no trace of this suspected virus prior to starting updating and the computer has not been connected to any website since the last virus scan.
| I have looked in the event viewer which is showing nothing since June 2008 - seems strange?
| Is this what might be called a 'false positive' ?
|
| Rgds
| Antioch

The name "Win32.SysPatch" indicates that the USER32.DLL file was trojanized. That is, the file was patched.

You have to obtain a clean copy and replace it.
You may find a clean copy in; %windir%\ServicePackFiles\i386

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 26, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uIPKtT1ZJHA.4424@TK2MSFTNGP05.phx.gbl...
> The name "Win32.SysPatch" indicates that the USER32.DLL file was trojanized. That is, the file was patched.
>
> You have to obtain a clean copy and replace it.
> You may find a clean copy in; %windir%\ServicePackFiles\i386

Hello David
I hope you have had a good Xmas so far.
I have just been 'invaded' by relatives - if you don't mind I will get back to you once they have gone :-)
Not too sure what you mean by the above.
Thanks for the quick response.

Rgds
Antioch
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uIPKtT1ZJHA.4424@TK2MSFTNGP05.phx.gbl...
> The name "Win32.SysPatch" indicates that the USER32.DLL file was trojanized. That is the file was patched.
>
> You have to obtain a clean copy and replace it.
> You may find a clean copy in; %windir%\ServicePackFiles\i386

Hello Dave
I am now in a position to concentrate at last on this little problem.
I have gone into i386 and have found the item 'user32.dll'.
Whether this is a clean copy etc I am not able to tell - nor how one would go about replacing it.
Your assistance as to the next move would be appreciated.

Rgds
Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| Hello Dave
| I am now in a position to concentrate at last on this little problem.
| I have gone into i386 and have found the item 'user32.dll'.
| Whether this is a clean copy etc I am not able to tell - nor how one would go about replacing it.
| Your assistance as to the next move would be appreciated.
|
| Rgds
| Antioch

Avast indicated; %windir%\SYSTEM32\USER32.DLL was patched.

compare files in...
%windir%\ServicePackFiles\i386
and
%windir%\SYSTEM32

If they are NOT the same, copy %windir%\ServicePackFiles\i386\USER32.DLL
to
%windir%\SYSTEM32

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ud30vaCaJHA.3548@TK2MSFTNGP05.phx.gbl...
> Avast indicated; %windir%\SYSTEM32\USER32.DLL was patched.
>
> compare files in...
> %windir%\ServicePackFiles\i386
> and
> %windir%\SYSTEM32
>
> If they are NOT the same, copy %windir%\ServicePackFiles\i386\USER32.DLL
> to
> %windir%\SYSTEM32

Hello Dave
Excuse my total lack of comprehension here -
I have gone into the ServicePackFiles\i386 and SYSTEM32 - I have the windows showing their content side by side - one is i386 and the other SYSTEM32. In the main I can see very little that is the same in both.
I have missed your point somewhere.

Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| Hello Dave
| Excuse my total lack of comprehension here -
| I have gone into the ServicePackFiles\i386 and SYSTEM32 - I have the windows showing their content side by side - one is i386 and the other SYSTEM32. In the main I can see very little that is the same in both.
| I have missed your point somewhere.
|
| Antioch

Compare size and dates of the files. Presumably, the patched file will be larger.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:eeGn84CaJHA.4068@TK2MSFTNGP06.phx.gbl...
> Compare size and dates of the files. Presumably, the patched file will be larger.

I think I may be in the wrong place - I accessed the above via Start/Run - should I be looking at the two folders via C: Windows?
If not then I am sorry, but I am at a complete loss as to which two items I should be comparing.

Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| I think I may be in the wrong place - I accessed the above via Start/Run - should I be looking at the two folders via C: Windows?
| If not then I am sorry, but I am at a complete loss as to which two items I should be comparing.
|
| Antioch

Yes !

Compare the two files in the two folders in Explorer in full details.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uin0KdDaJHA.1328@TK2MSFTNGP02.phx.gbl...
> Yes !
>
> Compare the two files in the two folders in Explorer in full details.

Right - I have two 'user32.DLL'
One is in C: Windows\system32 - in there I have found the file 'user32.DLL' and gone to properties, which shows-
Size 565KB
Size on disk 568KB.
Created 8 March 2007
Modified 13 Dec 2008
Accessed 27 Dec 2008
Version 5.1.2600.5512

The other in Start/Run/ %windir%\ServicePackFiles\i386 - in there I have found 'user32.dll' and going to properties, which shows-
Size 565KB
Size on disk 568KB
Created 11 Oct 2008
Modified 14 April 2008
Accessed 27 Dec 2008

The sizes appear the same, but the dates are different. The only other difference appears to be their titles - one had .DLL and the other .dll

I hope these are the files/folders wanted.

Rgds
Antioch
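The comparison step discussed above goes by size and dates, and the two copies reported in this post have the same size. As an added example (not code from any participant in the thread), this compares two files by content instead, using SHA-256 and the byte ranges that differ; the file names and the sample bytes are constructed stand-ins, not real DLL contents.

```python
import hashlib
import os
import tempfile


def differing_ranges(data_a, data_b):
    """Return [(start, end)] byte ranges (end exclusive) where the inputs differ.

    If one input is longer, the extra tail is reported as a differing range.
    """
    ranges = []
    start = None  # start offset of the difference run currently open
    common = min(len(data_a), len(data_b))
    for i in range(common):
        if data_a[i] != data_b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, common))
    longest = max(len(data_a), len(data_b))
    if longest > common:
        if ranges and ranges[-1][1] == common:
            # The tail continues a run that was already open at the cut-off.
            ranges[-1] = (ranges[-1][0], longest)
        else:
            ranges.append((common, longest))
    return ranges


def compare_files(reference_path, installed_path):
    """Compare a reference copy with the installed copy by content."""
    with open(reference_path, "rb") as handle:
        reference = handle.read()
    with open(installed_path, "rb") as handle:
        installed = handle.read()
    ref_hash = hashlib.sha256(reference).hexdigest()
    inst_hash = hashlib.sha256(installed).hexdigest()
    return {
        "same_size": len(reference) == len(installed),
        "identical": ref_hash == inst_hash,
        "reference_sha256": ref_hash,
        "installed_sha256": inst_hash,
        "ranges": differing_ranges(reference, installed),
    }


def demo():
    """Build two constructed files of equal size that differ in two places."""
    reference = b"MZ" + bytes(2046)          # constructed stand-in, 2048 bytes
    modified = bytearray(reference)
    modified[256:260] = b"\x01\x02\x03\x04"  # constructed 4-byte change
    modified[1024:1026] = b"\xff\xff"        # constructed 2-byte change
    with tempfile.TemporaryDirectory() as workdir:
        ref_path = os.path.join(workdir, "reference_user32.dll")
        inst_path = os.path.join(workdir, "installed_user32.dll")
        with open(ref_path, "wb") as handle:
            handle.write(reference)
        with open(inst_path, "wb") as handle:
            handle.write(bytes(modified))
        return compare_files(ref_path, inst_path)


if __name__ == "__main__":
    report = demo()
    print("same size:", report["same_size"])
    print("identical:", report["identical"])
    for begin, end in report["ranges"]:
        print("differs at bytes 0x%X-0x%X" % (begin, end - 1))
```

On the machine in the thread the two arguments would be the ServicePackFiles\i386 copy and the SYSTEM32 copy. A mismatch only shows that the files differ, not which of them is the legitimate build.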
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| Right - I have two 'user32.DLL'
| One is in C: Windows\system32 - in there I have found the file 'user32.DLL' and gone to properties, which shows-
| Size 565KB
| Size on disk 568KB.
| Created 8 March 2007
| Modified 13 Dec 2008
| Accessed 27 Dec 2008
| Version 5.1.2600.5512
|
| The other in Start/Run/ %windir%\ServicePackFiles\i386 - in there I have found 'user32.dll' and going to properties, which shows-
| Size 565KB
| Size on disk 568KB
| Created 11 Oct 2008
| Modified 14 April 2008
| Accessed 27 Dec 2008
|
| The sizes appear the same, but the dates are different. The only other difference appears to be their titles - one had .DLL and the other .dll
|
| I hope these are the files/folders wanted.
|
| Rgds
| Antioch

copy %windir%\ServicePackFiles\i386\USER32.DLL to
%windir%\SYSTEM32

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23brWK9DaJHA.5488@TK2MSFTNGP03.phx.gbl...
> copy %windir%\ServicePackFiles\i386\USER32.DLL to
> %windir%\SYSTEM32

May I confirm your instructions - don't want to cause more mess than I already have :-)
Do you mean copy the whole folder or just the 'user32.DLL' file from the i386 folder? And you do mean copy/paste rather than drag/drop.

Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| May I confirm your instructions - don't want to cause more mess than I already have :-)
| Do you mean copy the whole folder or just the 'user32.DLL' file from the i386 folder? And you do mean copy/paste rather than drag/drop.
|
| Antioch

Copy the file 'user32.DLL' from

%windir%\ServicePackFiles\i386

to

%windir%\SYSTEM32

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:%23ynmxNEaJHA.684@TK2MSFTNGP04.phx.gbl...
> Copy the file 'user32.DLL' from
>
> %windir%\ServicePackFiles\i386
>
> to
>
> %windir%\SYSTEM32

I have tried - when I copy/paste to the SYSTEM folder I am asked if I want to replace the modified 13 December with the modified 14 April. Then I am told that it cannot copy cos it's being used by another prog or person.
Sorry to drag this on and on - should I delete the 'user32DLL' in SYSTEM32 first?
The one I am copying is 'user32dll' [Windows XP USER API Client DLL] and not DLL - in case that makes a difference or there is another in this folder that I have not spotted - it's a large folder with lots of alphabetised groups.

Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| I have tried - when I copy/paste to the SYSTEM folder I am asked if I want to replace the modified 13 December with the modified 14 April. Then I am told that it cannot copy cos it's being used by another prog or person.
| Sorry to drag this on and on - should I delete the 'user32DLL' in SYSTEM32 first?
| The one I am copying is 'user32dll' [Windows XP USER API Client DLL] and not DLL - in case that makes a difference or there is another in this folder that I have not spotted - it's a large folder with lots of alphabetised groups.
|
| Antioch

Then it will have to be done in the Recovery Console or put the drive in a surrogate PC and perform the copy.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:e%23HjNsEaJHA.2124@TK2MSFTNGP04.phx.gbl...
> Then it will have to be done in the Recovery Console or put the drive in a surrogate PC and perform the copy.

Many thanks for your patience and help.
I fear neither, at this moment, can be done - the problem is on a notebook and there is no start-up disc or XP Disc - recovery is on the D: hard drive.
Taking out the hard drive from the notebook is out of the question.
I have an OEM XP but the notebook has XP PRO.

Would System Restore be of any use - I can go back to Oct 2008 - this would mean reinstalling SP3 etc etc.
I note that Avast has the recommendation as move to chest - but there are others Move/rename; Delete; Repair. I am just worried that any of these might cause more problems.

What I do not understand, is how this got onto the computer, since there was no warning of it from Avast despite half a dozen or more scans since the computer was last connected to the internet. And since then, it has not been connected to the net. This also means that Avast has not been updated either - so how has it found something between times - the only additions to the computer have been two months of Black Tuesday updates which I have been installing and downloading over the previous two days - unless of course Avast has read something from one of these as a Trojan when it is not.
I see there have been a few occasions linking Avast with this Trojan - I've read one in which you were involved - but too much tech-speak for me.
So is this a real Trojan or not - cannot say I have read anything as definite or not.
I will get this computer connected to the net and update Avast and see what happens.
I will also contact Avast and see what they have to say.
Many thanks again - I wish you a very Happy New Year - long may your valued support be read here in this group. You along with 5 others, from other groups, have named folders in My Documents, in which I keep anything I feel of value.

Rgds
Antioch
Guest David H. Lipman
Posted December 27, 2008

From: "antioch" <antioch@home.com>

| Many thanks for your patience and help.
| I fear neither, at this moment, can be done - the problem is on a notebook and there is no start-up disc or XP Disc - recovery is on the D: hard drive.
| Taking out the hard drive from the notebook is out of the question.
| I have an OEM XP but the notebook has XP PRO.
|
| Would System Restore be of any use - I can go back to Oct 2008 - this would mean reinstalling SP3 etc etc.
| I note that Avast has the recommendation as move to chest - but there are others Move/rename; Delete; Repair. I am just worried that any of these might cause more problems.
|
| What I do not understand, is how this got onto the computer, since there was no warning of it from Avast despite half a dozen or more scans since the computer was last connected to the internet. And since then, it has not been connected to the net. This also means that Avast has not been updated either - so how has it found something between times - the only additions to the computer have been two months of Black Tuesday updates which I have been installing and downloading over the previous two days - unless of course Avast has read something from one of these as a Trojan when it is not.
| I see there have been a few occasions linking Avast with this Trojan - I've read one in which you were involved - but too much tech-speak for me.
| So is this a real Trojan or not - cannot say I have read anything as definite or not.
| I will get this computer connected to the net and update Avast and see what happens.
| I will also contact Avast and see what they have to say.
| Many thanks again - I wish you a very Happy New Year - long may your valued support be read here in this group. You along with 5 others, from other groups, have named folders in My Documents, in which I keep anything I feel of value.
|
| Rgds
| Antioch

You can try a System Restore but do it in Safe Mode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest antioch
Posted December 27, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:e%23IgC2GaJHA.4424@TK2MSFTNGP05.phx.gbl...
> You can try a System Restore but do it in Safe Mode.

OK - will try that.
I forgot to ask if the dates in either of the files indicated when this Trojan arrived - then I will pick a date prior to that.

Antioch
Guest David H. Lipman
Posted December 28, 2008

From: "antioch" <antioch@home.com>

| OK - will try that.
| I forgot to ask if the dates in either of the files indicated when this Trojan arrived - then I will pick a date prior to that.
|
| Antioch

Sometimes, but not always, the date of the file is indicative of the infection date.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff
Posted December 28, 2008

On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>Copy the file 'user32.DLL' from
>
>%windir%\ServicePackFiles\i386
>
>to
>
>%windir%\SYSTEM32

Can't be done on a live system. The DLL is locked.

Suggest GiPo Utilities MoveOnBoot:
http://www.gibinsoft.net/gipoutils/

Allows movement/copy of files at system boot before the system locks things like DLLs.
Guest David H. Lipman
Posted December 28, 2008

From: "Geoff" <geoff@invalid.invalid>

| Can't be done on a live system. The DLL is locked.
|
| Suggest GiPo Utilities MoveOnBoot:
| http://www.gibinsoft.net/gipoutils/
|
| Allows movement/copy of files at system boot before the system locks things like DLLs.

But can be done in the Recovery Console or on a surrogate PC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest FromTheRafters
Posted December 28, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
> Can't be done on a live system. The DLL is locked.
>
> Suggest GiPo Utilities MoveOnBoot:
> http://www.gibinsoft.net/gipoutils/
>
> Allows movement/copy of files at system boot before the system locks things like DLLs.

What about safe mode command prompt only

copy %windir%\ServicePackFiles\i386\user32.dll %windir%\SYSTEM32\user32.DLL

With no GUI is that dll still locked?
Guest Geoff
Posted December 28, 2008

On Sat, 27 Dec 2008 21:02:26 -0500, "FromTheRafters" <erratic@nomail.afraid.org> wrote:

>What about safe mode command prompt only
>
>copy %windir%\ServicePackFiles\i386\user32.dll %windir%\SYSTEM32\user32.DLL
>
>With no GUI is that dll still locked?

Unlikely, user32.dll is Windows API code so in Safe Mode Command Prompt only it might not be used since the GUI is down but the last time I started up in Safe Mode CP it started a GUI login so user32.dll was essential. The system blue screens if it is corrupted or missing.

tasklist /m user32.dll at the command prompt will tell you if it is in use and by which programs. When the GUI is up, he is a very busy boy.

If in Safe Mode the only module calling for user32.dll is tasklist.exe then it can probably be replaced in that mode but the only other way I know to update it is to do it while the system is still ramping up. This is the method Windows Update uses.
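The check described in the post above, as an added example that is not part of the post: it parses the output of `tasklist /m user32.dll /fo csv` and lists the processes, other than tasklist.exe itself, that have the DLL loaded. The `/fo csv` output option is an assumption made here for easy parsing (the post uses plain `tasklist /m user32.dll`), and the sample outputs, process names and PIDs are constructed.

```python
import csv
import io

# Constructed samples of `tasklist /m user32.dll /fo csv` output
# (not captured from a real system).
SAMPLE_GUI_UP = (
    '"Image Name","PID","Modules"\n'
    '"winlogon.exe","620","USER32.dll"\n'
    '"explorer.exe","1500","USER32.dll"\n'
    '"tasklist.exe","2044","USER32.dll"\n'
)
SAMPLE_ONLY_TASKLIST = (
    '"Image Name","PID","Modules"\n'
    '"tasklist.exe","412","USER32.dll"\n'
)
SAMPLE_NO_MATCH = "INFO: No tasks are running which match the specified criteria.\n"


def module_holders(csv_text, module="user32.dll", ignore=("tasklist.exe",)):
    """Return [(image_name, pid)] for processes that have `module` loaded.

    Processes named in `ignore` are skipped, because tasklist.exe loads the
    DLL itself while it runs and would otherwise always be reported.
    """
    wanted = module.lower()
    ignored = {name.lower() for name in ignore}
    holders = []
    for row in csv.reader(io.StringIO(csv_text)):
        # Skip the header, blank lines and the one-field "INFO: ..." line.
        if len(row) < 3 or row[0] == "Image Name":
            continue
        image, pid, modules = row[0], row[1], row[2]
        if not pid.isdigit():
            continue
        loaded = {name.strip().lower() for name in modules.split(",")}
        if wanted in loaded and image.lower() not in ignored:
            holders.append((image, int(pid)))
    return holders


def replacement_blocked(csv_text, module="user32.dll"):
    """True when some process other than tasklist.exe still holds the module."""
    return bool(module_holders(csv_text, module))


if __name__ == "__main__":
    for label, sample in (("GUI up", SAMPLE_GUI_UP),
                          ("only tasklist", SAMPLE_ONLY_TASKLIST),
                          ("no match", SAMPLE_NO_MATCH)):
        print(label, "->", module_holders(sample))
```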
Guest antioch
Posted December 28, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:e918l$HaJHA.4072@TK2MSFTNGP02.phx.gbl...
> Sometimes, but not always, the date of the file is indicative of the infection date.

Dave
So it looks as if the infection came in quite a while ago, when looking at the Created and Modified dates. Seems strange that it only just activated - I do wonder if the 20 odd security updates had anything to do with it???? But these were all being done off-line and from disc with all anti stuff off/disabled.
I tried Safe Mode - and no - I still could not get the blasted file to save :-(
I tried all the suggested methods to get rid of it late last night and after reboot I switched off.
I also did System Restore whilst SM and went back to a time just before I started all the Black Tuesday updates. This was completed OK.
So far this morning, the computer gave no warning on start-up and has been running for half an hour now - but I ain't counting any chickens yet.
If I get time later today, I will have a look in the Avast/forum and see if there is anything in there.

Rgds
Antioch
Guest antioch
Posted December 28, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
> Can't be done on a live system. The DLL is locked.
>
> Suggest GiPo Utilities MoveOnBoot:
> http://www.gibinsoft.net/gipoutils/
>
> Allows movement/copy of files at system boot before the system locks things like DLLs.

Geoff
Thank you for your input - will consider it when all other avenues have been exhausted.

Rgds
Antioch