Guest antioch
Posted December 28, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uKssOBJaJHA.5772@TK2MSFTNGP03.phx.gbl...
> From: "Geoff" <geoff@invalid.invalid>
>
> | On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
> | <DLipman~nospam~@Verizon.Net> wrote:
>
> >>>Copy the file 'user32.DLL' from
> >>>%windir%\ServicePackFiles\i386
> >>>to
> >>>%windir%\SYSTEM32
>
> | Can't be done on a live system. The DLL is locked.
>
> | Suggest GiPo Utilities MoveOnBoot:
> | http://www.gibinsoft.net/gipoutils/
>
> | Allows movement/copy of files at system boot before the system locks things
> | like DLLs.
>
> But can be done in the Recovery Console or on a surrogate PC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Dave
Recovery Console is still under consideration - I will research it in MS.

Antioch

Guest antioch
Posted December 28, 2008

"FromTheRafters" <erratic@nomail.afraid.org> wrote in message news:etovWBJaJHA.3908@TK2MSFTNGP06.phx.gbl...
> "Geoff" <geoff@invalid.invalid> wrote in message
> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>> <DLipman~nospam~@Verizon.Net> wrote:
>>
>>>Copy the file 'user32.DLL' from
>>>
>>>%windir%\ServicePackFiles\i386
>>>
>>>to
>>>
>>>%windir%\SYSTEM32
>>
>> Can't be done on a live system. The DLL is locked.
>>
>> Suggest GiPo Utilities MoveOnBoot:
>> http://www.gibinsoft.net/gipoutils/
>>
>> Allows movement/copy of files at system boot before the system locks things
>> like DLLs.
>
> What about safe mode command prompt only
>
> copy %windir%\ServicePackFiles\i386\user32.dll %windir%\SYSTEM32\user32.DLL
>
> With no GUI is that dll still locked?

Thank you, FTR, for adding to the discussion - it would appear that it is still locked - see my reply to Dave L.

Rgds
Antioch

Guest Richard Urban
Posted December 29, 2008

I have always used it as my "first" option when deleting a locked system file. I don't like to waste time.

--
Richard Urban
Microsoft MVP
Windows Desktop Experience

"antioch" <antioch@home.com> wrote in message news:e3ZEDKOaJHA.1964@TK2MSFTNGP02.phx.gbl...
>
> "Geoff" <geoff@invalid.invalid> wrote in message
> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>> <DLipman~nospam~@Verizon.Net> wrote:
>>
>>>Copy the file 'user32.DLL' from
>>>
>>>%windir%\ServicePackFiles\i386
>>>
>>>to
>>>
>>>%windir%\SYSTEM32
>>
>> Can't be done on a live system. The DLL is locked.
>>
>> Suggest GiPo Utilities MoveOnBoot:
>> http://www.gibinsoft.net/gipoutils/
>>
>> Allows movement/copy of files at system boot before the system locks things
>> like DLLs.
>
> Geoff
> Thank you for your input - will consider it when all other avenues have
> been exhausted.
>
> Rgds
> Antioch

Guest antioch
Posted December 30, 2008

"Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message news:ujehPdYaJHA.6036@TK2MSFTNGP05.phx.gbl...
> I have always used it as my "first" option when deleting a locked system
> file. I don't like to waste time.
>
> --
> Richard Urban
> Microsoft MVP
> Windows Desktop Experience
>
> "antioch" <antioch@home.com> wrote in message
> news:e3ZEDKOaJHA.1964@TK2MSFTNGP02.phx.gbl...
>>
>> "Geoff" <geoff@invalid.invalid> wrote in message
>> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>>> <DLipman~nospam~@Verizon.Net> wrote:
>>>
>>>>Copy the file 'user32.DLL' from
>>>>
>>>>%windir%\ServicePackFiles\i386
>>>>
>>>>to
>>>>
>>>>%windir%\SYSTEM32
>>>
>>> Can't be done on a live system. The DLL is locked.
>>>
>>> Suggest GiPo Utilities MoveOnBoot:
>>> http://www.gibinsoft.net/gipoutils/
>>>
>>> Allows movement/copy of files at system boot before the system locks things
>>> like DLLs.
>>
>> Geoff
>> Thank you for your input - will consider it when all other avenues have
>> been exhausted.
>>
>> Rgds
>> Antioch

Hello Richard Urban
Is the 'IT' in your advice "GiPo Utilities MoveOnBoot:"?

Rgds
Antioch

Guest antioch
Posted December 30, 2008
UPDATE - Suspect Virus-USER 32.DLL

Update - in case there is anybody following this thread -
My son's computer did not throw up any warnings after trying the advice given - the computer was on for 3 hours.
However, when he started it up yesterday, he immediately got the same warning - what a bugger. I still do not understand how/when his computer got infected? He says that he can see nothing abnormal happening while he uses the computer.
It does seem a bit strange that this seems to be something only connected with Avast - or has a similar/same problem already appeared in this group.
Most of the advice given to me here has been tried in the Avast Forum, but has failed.
There is a discussion going on, at the below - exact same problem - from posters all around the world - started just before Xmas. They might come up with a solution - bit difficult to follow what they are talking about.

http://forum.avast.com/index.php?topic=41227.0

Further to the above, I have checked my own computer and the two files are different on mine. I have spent most of the day scanning with just about anything that is safe, in addition to my own resident AV etc - so far nothing.

Happy New Year to everybody.

Rgds
Antioch

"antioch" <antioch@home.com> wrote in message news:%23MTx2xmaJHA.1336@TK2MSFTNGP02.phx.gbl...
>
> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
> news:ujehPdYaJHA.6036@TK2MSFTNGP05.phx.gbl...
>> I have always used it as my "first" option when deleting a locked system
>> file. I don't like to waste time.
>>
>> --
>> Richard Urban
>> Microsoft MVP
>> Windows Desktop Experience
>>
>> "antioch" <antioch@home.com> wrote in message
>> news:e3ZEDKOaJHA.1964@TK2MSFTNGP02.phx.gbl...
>>>
>>> "Geoff" <geoff@invalid.invalid> wrote in message
>>> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>>>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>>>> <DLipman~nospam~@Verizon.Net> wrote:
>>>>
>>>>>Copy the file 'user32.DLL' from
>>>>>
>>>>>%windir%\ServicePackFiles\i386
>>>>>
>>>>>to
>>>>>
>>>>>%windir%\SYSTEM32
>>>>
>>>> Can't be done on a live system. The DLL is locked.
>>>>
>>>> Suggest GiPo Utilities MoveOnBoot:
>>>> http://www.gibinsoft.net/gipoutils/
>>>>
>>>> Allows movement/copy of files at system boot before the system locks things
>>>> like DLLs.
>>>
>>> Geoff
>>> Thank you for your input - will consider it when all other avenues have
>>> been exhausted.
>>>
>>> Rgds
>>> Antioch
>
> Hello Richard Urban
> Is the 'IT' in your advice "GiPo Utilities MoveOnBoot:"?
>
> Rgds
> Antioch

Guest John Doe
Posted December 31, 2008
Re: UPDATE - Suspect Virus-USER 32.DLL

I'll repeat the solution one more time, as it is one I've successfully used countless dozens of times on my customer's computers. I'll take your future ignorings of this solution to mean you aren't really interested in a solution but rather just looking for a shoulder to cry on.

In safe mode:
1. run the latest version of combofix
2. run the latest version of malwarebytes
3. run the latest version of spybot

repeat in "normal" mode

run the latest version of AVG.

All is well.

"antioch" <antioch@home.com> wrote in message news:OJiPhkqaJHA.2124@TK2MSFTNGP04.phx.gbl...
> Update - in case there is anybody following this thread -
> My son's computer did not throw up any warnings after trying the advice
> given - the computer was on for 3 hours.
> However, when he started it up yesterday, he immediately got the same
> warning - what a bugger. I still do not understand how/when his computer
> got infected? He says that he can see nothing abnormal happening while he
> uses the computer.
> It does seem a bit strange that this seems to be something only connected
> with Avast - or has a similar/same problem already appeared in this group.
> Most of the advice given to me here has been tried in the Avast Forum, but
> has failed.
> There is a discussion going on, at the below - exact same problem - from
> posters all around the world - started just before Xmas. They might come
> up with a solution - bit difficult to follow what they are talking about.
>
> http://forum.avast.com/index.php?topic=41227.0
>
> Further to the above, I have checked my own computer and the two files are
> different on mine. I have spent most of the day scanning with just about
> anything that is safe, in addition to my own resident AV etc - so far
> nothing.
>
> Happy New Year to everybody.
>
> Rgds
> Antioch
>
> "antioch" <antioch@home.com> wrote in message
> news:%23MTx2xmaJHA.1336@TK2MSFTNGP02.phx.gbl...
>>
>> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
>> news:ujehPdYaJHA.6036@TK2MSFTNGP05.phx.gbl...
>>> I have always used it as my "first" option when deleting a locked system
>>> file. I don't like to waste time.
>>>
>>> --
>>> Richard Urban
>>> Microsoft MVP
>>> Windows Desktop Experience
>>>
>>> "antioch" <antioch@home.com> wrote in message
>>> news:e3ZEDKOaJHA.1964@TK2MSFTNGP02.phx.gbl...
>>>>
>>>> "Geoff" <geoff@invalid.invalid> wrote in message
>>>> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>>>>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>>>>> <DLipman~nospam~@Verizon.Net> wrote:
>>>>>
>>>>>>Copy the file 'user32.DLL' from
>>>>>>
>>>>>>%windir%\ServicePackFiles\i386
>>>>>>
>>>>>>to
>>>>>>
>>>>>>%windir%\SYSTEM32
>>>>>
>>>>> Can't be done on a live system. The DLL is locked.
>>>>>
>>>>> Suggest GiPo Utilities MoveOnBoot:
>>>>> http://www.gibinsoft.net/gipoutils/
>>>>>
>>>>> Allows movement/copy of files at system boot before the system locks things
>>>>> like DLLs.
>>>>
>>>> Geoff
>>>> Thank you for your input - will consider it when all other avenues have
>>>> been exhausted.
>>>>
>>>> Rgds
>>>> Antioch
>>
>> Hello Richard Urban
>> Is the 'IT' in your advice "GiPo Utilities MoveOnBoot:"?
>>
>> Rgds
>> Antioch

Guest Kayman
Posted December 31, 2008

On Tue, 30 Dec 2008 22:08:50 -0500, John Doe wrote:
> I'll repeat the solution one more time, as it is one I've successfully used
> countless dozens of times on my customer's computers. I'll take your future
> ignorings of this solution to mean you aren't really interested in a
> solution but rather just looking for a shoulder to cry on.
>
> In safe mode:
> 1. run the latest version of combofix
> 2. run the latest version of malwarebytes
> 3. run the latest version of spybot
>
> repeat in "normal" mode
>
> run the latest version of AVG.
>
> All is well.

Good advice but Combofix log should be examined by experts found here:
http://www.thespykiller.co.uk/index.php?board=3.0
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Guest antioch
Posted December 31, 2008

Hello John Doe
Thank you for your suggestion, albeit condescending and rude, considering this is your first reply to me in this thread. Perhaps in your frustration at your advice being ignored, this caused you to post incorrectly - perhaps a case of 'engaging fingers before brain'.
However, since this is the first time I have seen this bit of advice, I will pass it on to my son for him to look at with his 'in-house' tech team where he works.
Your three most recent 'bits of advice' to appear in this group since 1 Nov 2008, seem to me to have nothing to do with this subject.
The problem is not mine, so I fail to see why you should think I want a shoulder to cry on. If I had this problem on my computer, I would find it a minor annoyance - certainly for the moment, nothing to cry about.
If you are here to help, it is a shame that you have not been able to cultivate a more patient attitude towards those in trouble, as DHL and others, to whom I/we look to for expert guidance - yes and sometimes we like to be held by the hand.
Is combofix fit to use these days?
To date I have not had any result back from my son re his performing HJT.
Malwarebytes & Spybot SD have already been run with negative results. The former, together with AVG Antispy, are permanent scanners on my son's system.

Rgds
Antioch

"John Doe" <johndoe@microsoft.com> wrote in message news:OSKmcUvaJHA.5056@TK2MSFTNGP06.phx.gbl...
> I'll repeat the solution one more time, as it is one I've successfully
> used countless dozens of times on my customer's computers. I'll take your
> future ignorings of this solution to mean you aren't really interested in
> a solution but rather just looking for a shoulder to cry on.
>
> In safe mode:
> 1. run the latest version of combofix
> 2. run the latest version of malwarebytes
> 3. run the latest version of spybot
>
> repeat in "normal" mode
>
> run the latest version of AVG.
>
> All is well.
>
> "antioch" <antioch@home.com> wrote in message
> news:OJiPhkqaJHA.2124@TK2MSFTNGP04.phx.gbl...
>> Update - in case there is anybody following this thread -
>> My son's computer did not throw up any warnings after trying the advice
>> given - the computer was on for 3 hours.
>> However, when he started it up yesterday, he immediately got the same
>> warning - what a bugger. I still do not understand how/when his computer
>> got infected? He says that he can see nothing abnormal happening while
>> he uses the computer.
>> It does seem a bit strange that this seems to be something only connected
>> with Avast - or has a similar/same problem already appeared in this
>> group.
>> Most of the advice given to me here has been tried in the Avast Forum,
>> but has failed.
>> There is a discussion going on, at the below - exact same problem - from
>> posters all around the world - started just before Xmas. They might come
>> up with a solution - bit difficult to follow what they are talking about.
>>
>> http://forum.avast.com/index.php?topic=41227.0
>>
>> Further to the above, I have checked my own computer and the two files
>> are different on mine. I have spent most of the day scanning with just
>> about anything that is safe, in addition to my own resident AV etc - so
>> far nothing.
>>
>> Happy New Year to everybody.
>>
>> Rgds
>> Antioch
>>
>> "antioch" <antioch@home.com> wrote in message
>> news:%23MTx2xmaJHA.1336@TK2MSFTNGP02.phx.gbl...
>>>
>>> "Richard Urban" <richardurbanREMOVETHIS@hotmail.com> wrote in message
>>> news:ujehPdYaJHA.6036@TK2MSFTNGP05.phx.gbl...
>>>> I have always used it as my "first" option when deleting a locked system
>>>> file. I don't like to waste time.
>>>>
>>>> --
>>>> Richard Urban
>>>> Microsoft MVP
>>>> Windows Desktop Experience
>>>>
>>>> "antioch" <antioch@home.com> wrote in message
>>>> news:e3ZEDKOaJHA.1964@TK2MSFTNGP02.phx.gbl...
>>>>>
>>>>> "Geoff" <geoff@invalid.invalid> wrote in message
>>>>> news:25mdl4tsa8sc1a119d02ceul7oqr1u6mo1@4ax.com...
>>>>>> On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"
>>>>>> <DLipman~nospam~@Verizon.Net> wrote:
>>>>>>
>>>>>>>Copy the file 'user32.DLL' from
>>>>>>>
>>>>>>>%windir%\ServicePackFiles\i386
>>>>>>>
>>>>>>>to
>>>>>>>
>>>>>>>%windir%\SYSTEM32
>>>>>>
>>>>>> Can't be done on a live system. The DLL is locked.
>>>>>>
>>>>>> Suggest GiPo Utilities MoveOnBoot:
>>>>>> http://www.gibinsoft.net/gipoutils/
>>>>>>
>>>>>> Allows movement/copy of files at system boot before the system locks things
>>>>>> like DLLs.
>>>>>
>>>>> Geoff
>>>>> Thank you for your input - will consider it when all other avenues
>>>>> have been exhausted.
>>>>>
>>>>> Rgds
>>>>> Antioch
>>>
>>> Hello Richard Urban
>>> Is the 'IT' in your advice "GiPo Utilities MoveOnBoot:"?
>>>
>>> Rgds
>>> Antioch

Guest antioch
Posted December 31, 2008

"Kayman" <kayhkay-nospam-@operamail.com> wrote in message news:ljyja6c6o4wt.vrldjr15xfq5$.dlg@40tude.net...
> On Tue, 30 Dec 2008 22:08:50 -0500, John Doe wrote:
>
>> I'll repeat the solution one more time, as it is one I've successfully used
>> countless dozens of times on my customer's computers. I'll take your future
>> ignorings of this solution to mean you aren't really interested in a
>> solution but rather just looking for a shoulder to cry on.
>>
>> In safe mode:
>> 1. run the latest version of combofix
>> 2. run the latest version of malwarebytes
>> 3. run the latest version of spybot
>>
>> repeat in "normal" mode
>>
>> run the latest version of AVG.
>>
>> All is well.
>
> Good advice but Combofix log should be examined by experts found here:
> http://www.thespykiller.co.uk/index.php?board=3.0
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.malwarebytes.org/forums/index.php?showforum=7

Hello Kayman
I could not agree with you more - I did remind my son to ensure he posts the log from HJT in an appropriate forum for an expert to check - here as well.
http://spywarehammer.com/simplemachinesfor....php?board=10.0

Rgds
Antioch

Guest The Real Truth MVP
Posted December 31, 2008

Recommending a virus to fix a virus is just wrong especially when there are clean virus free tools that work.

Combofix.exe
http://www.virustotal.com/analisis/015d713...14ba16da3459bd9

Remove-it
http://www.virustotal.com/analisis/fbf3afe...5a574f0cfee6fdd

--
The Real Truth
http://pcbutts1-therealtruth.blogspot.com/

"Kayman" <kayhkay-nospam-@operamail.com> wrote in message news:ljyja6c6o4wt.vrldjr15xfq5$.dlg@40tude.net...
> On Tue, 30 Dec 2008 22:08:50 -0500, John Doe wrote:
>
>> I'll repeat the solution one more time, as it is one I've successfully used
>> countless dozens of times on my customer's computers. I'll take your future
>> ignorings of this solution to mean you aren't really interested in a
>> solution but rather just looking for a shoulder to cry on.
>>
>> In safe mode:
>> 1. run the latest version of combofix
>> 2. run the latest version of malwarebytes
>> 3. run the latest version of spybot
>>
>> repeat in "normal" mode
>>
>> run the latest version of AVG.
>>
>> All is well.
>
> Good advice but Combofix log should be examined by experts found here:
> http://www.thespykiller.co.uk/index.php?board=3.0
> http://www.bleepingcomputer.com/forums/forum22.html
> http://www.malwarebytes.org/forums/index.php?showforum=7

Guest David H. Lipman
Posted December 31, 2008

From: "John Doe" <johndoe@microsoft.com>

| I'll repeat the solution one more time, as it is one I've successfully used
| countless dozens of times on my customer's computers. I'll take your future
| ignorings of this solution to mean you aren't really interested in a
| solution but rather just looking for a shoulder to cry on.

| In safe mode:
| 1. run the latest version of combofix
| 2. run the latest version of malwarebytes
| 3. run the latest version of spybot

| repeat in "normal" mode

| run the latest version of AVG.

| All is well.

Please ignore Butts and his moronic rants such as "Recommending a virus to fix a virus is just wrong...".

First remember a virus is self replicating malicious code.
Nothing about combofix implies it is self replicating malicious code. It is NOT a virus.
This is worth repeating... ComboFix is NOT a virus. and is pure FUD.

While it (the utility) may be caught in a VT report, it is because of the action(s) it performs. The tool is NOT malicious but can be used maliciously and can be dangerous with detrimental effects and thus should not be used casually. It should be used only under the direction of a qualified anti malware professional in an Expert Forum.

http://www.virustotal.com/analisis/015d713...14ba16da3459bd9

AntiVir 7.9.0.45 2008.12.19 SPR/Tool.Hide.A
Authentium 5.1.0.4 2008.12.21 W32/Trojan3.OD
F-Prot 4.4.4.56 2008.12.21 W32/Trojan3.OD
McAfee 5470 2008.12.20 potentially unwanted program RemAdm-ProcLaunch!171
McAfee+Artemis 5470 2008.12.20 Generic!Artemis
Microsoft 1.4205 2008.12.21 Trojan:Win32/AgentBypass.gen!K
Panda 9.0.0.4 2008.12.21 Suspicious file
SecureWeb-Gateway 6.7.6 2008.12.19 Riskware.Tool.Hide.A
Sophos 4.37.0 2008.12.21 NirCmd
Sunbelt 3.2.1801.2 2008.12.11 VIPRE.Suspicious
TrendMicro 8.700.0.1004 2008.12.19 PAK_Generic.001

Butts would try to have you think that Remove-It is pristine and NOT such a tool. The fact is Remove-It is distributed in a packaged INNO Packed file. The packaged installer file does not get any hits on VT. However the plagiarized code he uses has been modified by Butts to use the utility Process.exe. Process.exe is a tool used to kill running processes and thus it too can be dangerous if used maliciously and it too gets flagged on VT.

http://www.virustotal.com/analisis/d89a080...c7b995e8ff4c173

a-squared 4.0.0.73 2008.12.31 Riskware.RiskTool.Win32.Processor.20!A2
ClamAV 0.94.1 2008.12.31 Trojan.Killproc-1
DrWeb 4.44.0.09170 2008.12.31 Tool.Prockill
Fortinet 3.117.0.0 2008.12.31 Misc/PrcViewer
McAfee 5480 2008.12.31 potentially unwanted program PrcViewer
McAfee+Artemis 5479 2008.12.30 potentially unwanted program PrcViewer
NOD32 3725 2008.12.31 Win32/PrcView
TheHacker 6.3.1.4.202 2008.12.30 Aplicacion/Processor.20

This only proves once again that Butts has NO knowledge on this subject matter or about malware in general.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest antioch
Posted January 1, 2009

Hello again Dave
I hope this post comes across OK - just got in from a rather heavy night/morning - all the best for 2009.
My replies are in-line.
Thanks again for your input.
Rgds
Antioch

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:ObdrnP4aJHA.1184@TK2MSFTNGP05.phx.gbl...
> From: "John Doe" <johndoe@microsoft.com>
>
> | I'll repeat the solution one more time, as it is one I've successfully used
> | countless dozens of times on my customer's computers. I'll take your future
> | ignorings of this solution to mean you aren't really interested in a
> | solution but rather just looking for a shoulder to cry on.
>
> | In safe mode:
> | 1. run the latest version of combofix
> | 2. run the latest version of malwarebytes
> | 3. run the latest version of spybot
>
> | repeat in "normal" mode
>
> | run the latest version of AVG.
>
> | All is well.
>
> Please ignore Butts and his moronic rants such as "Recommending a virus to fix a virus is
> just wrong...".

Sad to say I missed the above post - messages for my 'PLONKER FILE' must be working. No doubt he came up with suggestions of a cure from his web site. I must have at least six different names/suspect names for that person.

> First remember a virus is self replicating malicious code.
> Nothing about combofix implies it is self replicating malicious code. It is NOT a virus.
> This is worth repeating... ComboFix is NOT a virus. and is pure FUD.
>
> While it (the utility) may be caught in a VT report, it is because of the action(s) it
> performs. The tool is NOT malicious but can be used maliciously and can be dangerous with
> detrimental effects and thus should not be used casually. It should be used only under
> the direction of a qualified anti malware professional in an Expert Forum.

The name 'combofix' rang a bell - I checked 'My Docs' and in the AV/Malware folder and saw that a couple of years ago it had been the carrier or similar for nasty stuff. So I Googled it and the prog itself seems to be safe to use now - but as you say with expert guidance.

> http://www.virustotal.com/analisis/015d713...14ba16da3459bd9
>
> AntiVir 7.9.0.45 2008.12.19 SPR/Tool.Hide.A
> Authentium 5.1.0.4 2008.12.21 W32/Trojan3.OD
> F-Prot 4.4.4.56 2008.12.21 W32/Trojan3.OD
> McAfee 5470 2008.12.20 potentially unwanted program RemAdm-ProcLaunch!171
> McAfee+Artemis 5470 2008.12.20 Generic!Artemis
> Microsoft 1.4205 2008.12.21 Trojan:Win32/AgentBypass.gen!K
> Panda 9.0.0.4 2008.12.21 Suspicious file
> SecureWeb-Gateway 6.7.6 2008.12.19 Riskware.Tool.Hide.A
> Sophos 4.37.0 2008.12.21 NirCmd
> Sunbelt 3.2.1801.2 2008.12.11 VIPRE.Suspicious
> TrendMicro 8.700.0.1004 2008.12.19 PAK_Generic.001
>
> Butts would try to have you think that Remove-It is pristine and NOT such a tool. The
> fact is Remove-It is distributed in a packaged INNO Packed file. The packaged installer
> file does not get any hits on VT. However the plagiarized code he uses has been modified
> by Butts to use the utility Process.exe. Process.exe is a tool used to kill running
> processes and thus it too can be dangerous if used maliciously and it too gets flagged on
> VT.
>
> http://www.virustotal.com/analisis/d89a080...c7b995e8ff4c173
>
> a-squared 4.0.0.73 2008.12.31 Riskware.RiskTool.Win32.Processor.20!A2
> ClamAV 0.94.1 2008.12.31 Trojan.Killproc-1
> DrWeb 4.44.0.09170 2008.12.31 Tool.Prockill
> Fortinet 3.117.0.0 2008.12.31 Misc/PrcViewer
> McAfee 5480 2008.12.31 potentially unwanted program PrcViewer
> McAfee+Artemis 5479 2008.12.30 potentially unwanted program PrcViewer
> NOD32 3725 2008.12.31 Win32/PrcView
> TheHacker 6.3.1.4.202 2008.12.30 Aplicacion/Processor.20

It is indeed interesting to read in VT what established AV/Antimalware progs think of/how they treat, similar software in the market place.
The difference between the two files that you tried to help me clean/move, are also different on two other computers, as well as mine, but none run Avast, and the computers themselves do not appear to be suffering from any infection - well not yet.

> This only proves once again that Butts has NO knowledge on this subject matter or about
> malware in general.

No doubt you are correct - but then, I believe he has been accused of 'stealing' before. Plagiarize is just a softer term for it. If Mrs Malaprop were alive today, she would no doubt have called that person 'A Plaguerist'.

> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest Rinnousuke
Posted February 19, 2009

Hello

I am currently having the same problem as well, except that my user32.dll file in i386 is also infected with "Trojan.Win32.Patched.fk"

The file in system32 has also been renamed to "user32.0ll" and seems unable to be changed back.

Would my computer be able to function normally after restarting without user32.dll? And where would I be able to find a clean copy of user32.dll?

Regards
Rinnousuke

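The comparison antioch describes above (the System32 copy of user32.dll against the ServicePackFiles\i386 copy), done read-only from a surrogate PC, as an added example that is not part of any poster's message. The drive letter `E:\WINDOWS` and the helper names `Get-DllFacts` and `Compare-DllCopies` are assumptions made for illustration.

```powershell
# Added example, not from the thread. Read-only: it reports on the two copies of
# user32.dll the thread compares and changes nothing on disk.
# Assumption: the suspect disk is attached to a second ("surrogate") PC and its
# Windows folder is visible there as E:\WINDOWS (hypothetical drive letter).
# Uses only .NET classes, so it runs on Windows PowerShell 2.0 and later.
param(
    [string]$WindowsDir = 'E:\WINDOWS'
)

function Get-DllFacts {
    # Hypothetical helper: size, timestamp, version resource and SHA-256 of one file.
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        # Covers the case reported above where the file has been renamed away.
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }

    $item = Get-Item -LiteralPath $Path -Force
    $ver  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($item.FullName)

    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($item.FullName)
    try     { $digest = $sha.ComputeHash($stream) }
    finally { $stream.Close() }

    New-Object PSObject -Property @{
        Path         = $item.FullName
        Exists       = $true
        Length       = $item.Length
        LastWriteUtc = $item.LastWriteTimeUtc
        FileVersion  = $ver.FileVersion
        CompanyName  = $ver.CompanyName
        Sha256       = [System.BitConverter]::ToString($digest) -replace '-', ''
    }
}

function Compare-DllCopies {
    # Hypothetical helper: turns the two fact sheets into a one-line finding.
    param($Live, $Cached)

    if (-not ($Live.Exists -and $Cached.Exists)) {
        return 'A copy is missing, so there is nothing to compare.'
    }
    if ($Live.Sha256 -eq $Cached.Sha256) {
        # Identical copies are not proof of a clean file: both can be altered,
        # as the poster above reports for the i386 copy.
        return 'Copies are byte-identical. This alone does not show that either is clean.'
    }
    if ($Live.FileVersion -ne $Cached.FileVersion) {
        # The thread reports differing copies on machines with no other sign
        # of infection, so a version difference by itself decides nothing.
        return 'Copies differ and carry different version strings. Record both for whoever reviews the logs.'
    }
    return 'Same version string but different contents. Scan both copies offline and compare against known-good media.'
}

$live   = Get-DllFacts (Join-Path $WindowsDir 'system32\user32.dll')
$cached = Get-DllFacts (Join-Path $WindowsDir 'ServicePackFiles\i386\user32.dll')

$live, $cached |
    Format-List Path, Exists, Length, LastWriteUtc, FileVersion, CompanyName, Sha256

Compare-DllCopies $live $cached
```
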
Guest FromTheRafters
Posted February 19, 2009

Start a new thread stating your specific problem. If you want, you can make the subject line read "I have the same thing only different.."

"Rinnousuke" <Rinnousuke@discussions.microsoft.com> wrote in message news:1892920C-7FA8-459C-87D2-50CAD4C1B567@microsoft.com...
> Hello
>
> I am currently having the same problem as well, except that my user32.dll
> file in i386 is also infected with "Trojan.Win32.Patched.fk"
>
> The file in system32 has also been renamed to "user32.0ll" and seems unable
> to be changed back.
>
> Would my computer be able to function normally after restarting without
> user32.dll? And where would I be able to find a clean copy of user32.dll?
>
> Regards
> Rinnousuke

Guest ~BD~
Posted February 19, 2009

This site has helped me with problem .dlls
They have .dlls that you can download for free.

http://www.dll-files.com/dllindex/dll-files.shtml?user32

(This post 'stolen' from Max Wachtel in the thread above yours!)

HTH

--
Dave

"Rinnousuke" <Rinnousuke@discussions.microsoft.com> wrote in message news:1892920C-7FA8-459C-87D2-50CAD4C1B567@microsoft.com...
> Hello
>
> I am currently having the same problem as well, except that my user32.dll
> file in i386 is also infected with "Trojan.Win32.Patched.fk"
>
> The file in system32 has also been renamed to "user32.0ll" and seems unable
> to be changed back.
>
> Would my computer be able to function normally after restarting without
> user32.dll? And where would I be able to find a clean copy of user32.dll?
>
> Regards
> Rinnousuke