Author Topic: WORM VIRUS WIN32:SYSPATCH


28ToM47
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #30 on: December 23, 2008, 08:34:39 PM »
Hi everybody!

I'm infected by the same virus, Win32:SysPatch.
I've read all of this post and did some other research on the web, but I didn't find any fix.
Unfortunately, I can't send USER32.dll to VirusTotal, because my antivirus blocks it.
I get some reboots, applications closing instantly, and freezes.
I understood what you explained about the virus, Polonus, but I didn't understand what you suggest to delete it.
If I just copy a new and safe version of user32.dll, it will be reinfected afterwards, because the trojan will still be there.
So, how do I delete this virus, please?

Thanks for your help!

wing06
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #31 on: December 23, 2008, 08:35:13 PM »
David R,
Is the cleanest, thorough method a format + reinstall?
Again: can't I at least connect the infected drive as a non-system drive and copy the user data files to another drive?

Thanks
z
These people should be imprisoned! This is such a damn waste of time! Let's stop with the AV software, find them and prosecute them to the fullest extent of the law.

Ren1282
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #32 on: December 23, 2008, 08:42:21 PM »
Where does this virus come from anyway?

28ToM47
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #33 on: December 23, 2008, 08:47:12 PM »
Hmm... I'm suspecting Everest Poker in my case. This is the only thing I installed since my computer crashed.

DavidR
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #34 on: December 23, 2008, 09:06:17 PM »
David R,
Is the cleanest, thorough method a format + reinstall?
Again: can't I at least connect the infected drive as a non-system drive and copy the user data files to another drive?

Whilst it is undoubtedly the cleanest and most thorough method.

For me a format is a very serious and last course of action (it can take huge amounts of time getting back to where you were before the infection), and I don't know if this is yet that time, mainly because I simply don't know enough about this infection. There are some prolific file infectors out there that can infect hundreds of exe files, and often the only way to recover is a format and install.

There is also no guarantee that after a format and reinstall this couldn't happen again when you try to bring your OS and applications up to date. Though now that avast has a detection for it, it should hopefully stop the file from becoming infected, though it will be catch-up if there is another variant of the malware.

Ren1282
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #35 on: December 23, 2008, 09:10:52 PM »
I feel like this problem is way over my head - does anyone know how much it would cost (in the US) to have something like this fixed by a professional?

wing06
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #36 on: December 23, 2008, 09:20:58 PM »
David R,
Thanks.
This may sound extreme:
Install the OS on a new HD. Connect the infected OS HD as storage. Run an Avast scan against the new OS drive and the infected drive. At this point I should be safe, right?
If not, or just as a precaution, why not delete the Windows system files? Then I should be OK to retrieve my user data files, no?

I've got 3 other computers and have purchased most components to build an MS Home Server, and I don't want this to spread At All!

Thanks
z

polonus
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #37 on: December 23, 2008, 10:26:25 PM »
Hi folks,

This is an infection with a modified version of user32.dll created by a worm infection. Protection could be found by updating your Java version.
The cleansing method to be preferred is:
Deleting Malware Files using Recovery Console
On Windows NT, 2000, XP, and Server 2003 systems
This procedure allows the computer to restart by using the Windows installation CD.
1. Insert your Windows Installation CD in your CD-rom.
2. Press the restart button of your computer.
3. When prompted, press any key to boot from the CD.
4. When prompted on the Main Menu, type r to enter the recovery console.
(Note: On Windows 2000, after pressing r, type c to choose the Recovery Console in the repair options screen.)
5. When prompted, type your administrator password to log on.
6. Once logged in, type the drive that contains Windows in the command prompt that appears, then press Enter.
7. Type the drive that contains Windows, then press Enter.
8. Type the following, then press Enter:
del {Malware path and file name}
9. Repeat the above procedure for all files detected earlier.
10. Type exit to restart the system.
Removing Malware Keys from the Registry
This solution deletes registry keys/entries added by this malware. Before performing the steps below, make sure you know how to back up the registry and how to restore it if a problem occurs. Refer to this Microsoft article for more information about modifying your computer's registry.
1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE
3. Still in the left panel, locate and delete the following keys:
• 1
• 3
• 8
• 9
4. Again in the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion>Windows
5. In the right panel, locate and delete the entry:
{3 random characters}Init_Dlls = "nvaux32"
6. In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows NT>CurrentVersion
7. In the right panel, locate and delete the following entry:
MID = "{random characters}"
8. Close Registry Editor.
Deleting the Malware File(s)
1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
2. In the Named input box, type:
%System%\adj.j
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
4. Once located, select the file then press SHIFT+DELETE.
5. Repeat steps 2-4 for the following file(s):
• %System%\devh.e2
• %System%\e.spa
• %System%\nvaux32.dll
• %System%\rdxz.e
• %System%\dllcache\user32.dll
Important Windows ME/XP Cleaning Instructions
Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
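A triage script that checks a machine for the indicators polonus lists in the post above (the dropped files, the Init_Dlls value that loads nvaux32, the MID value, and the state of user32.dll). It is an added example, not code from the thread, and assumes PowerShell 4 or later run as administrator; the function name Test-SysPatchIndicators is mine.

```powershell
# Added triage script (my own, not from the thread). Assumes PowerShell 4+ run as
# administrator on the Windows install being examined; file names and registry
# locations are the ones in polonus's post, the function name is mine.
$System = Join-Path $env:SystemRoot 'System32'

function Test-SysPatchIndicators {
    $findings = @()
    # Dropped files listed in the post. dllcache\user32.dll is handled separately
    # below, because a legitimate copy normally lives there.
    foreach ($name in 'adj.j', 'devh.e2', 'e.spa', 'nvaux32.dll', 'rdxz.e') {
        $path = Join-Path $System $name
        if (Test-Path -LiteralPath $path) { $findings += "dropped file present: $path" }
    }

    # Any *Init_Dlls value (AppInit_DLLs, or the randomly prefixed name the post
    # describes) under ...\CurrentVersion\Windows whose data names nvaux32.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $props  = Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like '*Init_Dlls' -and "$($p.Value)" -match 'nvaux32') {
                $findings += "$winKey\$($p.Name) = '$($p.Value)'"
            }
        }
    }

    # The MID value the post says the worm adds under CurrentVersion.
    $cvKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $mid   = Get-ItemProperty -Path $cvKey -Name MID -ErrorAction SilentlyContinue
    if ($mid) { $findings += "$cvKey\MID = '$($mid.MID)'" }

    # user32.dll: signature check plus comparison with the dllcache copy. The post
    # warns that the cache copy is replaced too, so equal hashes prove nothing;
    # only a valid signature on the live file is reassuring. Assumption: this
    # PowerShell validates catalog-signed system files; if it reports NotSigned,
    # treat the result as inconclusive and use "sfc /scannow" instead.
    $live  = Join-Path $System 'user32.dll'
    $cache = Join-Path $System 'dllcache\user32.dll'
    $sig   = Get-AuthenticodeSignature -FilePath $live
    if ($sig.Status -ne 'Valid') { $findings += "user32.dll signature status: $($sig.Status)" }
    if (Test-Path -LiteralPath $cache) {
        $h1 = (Get-FileHash -Path $live  -Algorithm SHA256).Hash
        $h2 = (Get-FileHash -Path $cache -Algorithm SHA256).Hash
        if ($h1 -ne $h2) { $findings += "user32.dll differs from dllcache copy ($h1 / $h2)" }
    }
    return $findings
}
$result = Test-SysPatchIndicators
if ($result.Count -eq 0) { 'no Win32:SysPatch indicators found' } else { $result }
```

Run it from a clean boot medium or Safe Mode with System Restore disabled, as the post advises, so that a tampered user32.dll is not the one answering the checks.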

codehelp
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #38 on: December 24, 2008, 12:06:43 AM »
I feel like this problem is way over my head - does anyone know how much it would cost (in the US) to have something like this fixed by a professional?

I have had this happen to myself and a friend. It took me a couple of hours with aspirin and something around that I could squeeze the crap out of before I figured out how to fix it. Needless to say, if you are not comfortable doing this by going through your registry and using your XP CD to get back to normal, by all means pay someone. I charged my friend fifty bucks, cheap by all means, but remember it takes some time for things to go through the scans and the registry. If you feel comfortable, then I would suggest printing off the instructions, sitting in a quiet room and really paying attention to everything you are doing. Good luck, and remember we are always around here if you screw something up badly.

polonus
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #39 on: December 24, 2008, 12:25:27 AM »
Hi codehelp,

There are really not many alternatives for cleansing this nastiness from your machine(s). People should be alert as to what Java version is running on their system; Sun Java now also puts out a new version download that takes the older (= vulnerable) version off (in the old days the user had to do that themselves, which was a sure way to many infections). The initial infection is a worm that hides the original file somewhere else and replaces it.
The system won't run without user32.dll (so we need the genuine user32.dll in the recovery console), and then we can take out the impostor one and the registry crap that caused this. We can also use a legit version of user32.dll as it resides in the cab file (scanning for the right dll as MS knows it should be in the system).
Maybe the malcreant got some inspiration from the recent incidents where AV scanners saw user32.dll as a trojan, but the finding was a false positive, so users could lose their user32.dll file, and you know now what that means.

polonus

caruccis
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #40 on: December 24, 2008, 10:13:56 AM »
I have the same problem. I replaced the file user32.dll from the OS disk in Safe Mode and restarted the PC.
It's not a false positive?
Now what do I do?

CHENAN
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #41 on: December 24, 2008, 11:38:19 AM »
Thank you everybody for your help.
This is what I understood; please correct me if I'm wrong.

Because it is such an important file, I can't erase it from the computer.
To erase this file I need to replace it with a correct and harmless file using a special piece of software called MoceOnBoot.
If I have already done this thing...
where did the infected file go, and by doing this process did I erase it from the computer?

polonus
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #42 on: December 24, 2008, 04:39:32 PM »
Chenan,

The worm took the original MS system file user32.dll and manipulated it somewhere else, so that the system still starts up, because without it it won't and starts asking for it. But this all works in a malicious way. Using a good system file in the right path while booting from a CD, or with a program with the right system file for boot-up (a bit like in the old days when we booted from a "diskette", remember?), the system starts with user32.dll from the CD. Now you have to cleanse all the malware files (one is a random file; it can be anything with random letters and digits, but it should be detected by avast), as summed up in my instructions, and make the registry correct again. That we all do with System Restore disabled and in Safe Mode, because with the vulnerability all the malware comes back up like the "digital golem", so it is not going "chip-chip" and gone. Later, when you have cleansed, go back, enable System Restore, and boot in normal mode.

pol

wing06
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #43 on: December 24, 2008, 07:31:20 PM »
Polonus,
Thanks for your time and assistance.
I used the Dr.Web LiveCD and it didn't find the virus. Anyway, I was able to run Dr.Web CureIt after booting the infected OS and it found 2 files: nvaux32 and user32. Then I remembered to disable System Restore.

Next I booted the MS XP CD and entered R for the recovery console; there was no request for an admin password... I entered the logon command and got a blank C:\ response. Tried to perform the del command but got an "Access is denied" message.

Why isn't my valid OS being found?
What can I do next?
I will try a chkdsk, then try the recovery console again....

If word got out that these AH were caught and imprisoned, maybe this activity would diminish...
You or I do not need to waste our time with this crap; your programming skills could be used for much more important, productive activities... Just venting on the holidays with better things to do.

polonus
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #44 on: December 24, 2008, 07:41:49 PM »
Howdy wing06,

You did the right thing. While cleansing, do that in Safe Mode and with System Restore disabled; after cleansing you can turn these back on and make a new restore point. Another thing you could try: take out the file with the random file name (the one that was found initially by the scanner), check the registry changes and revert them (make a copy of the registry first in case anything works out wrong), then try to restore the original user32.dll file from the cab as described here:

Method 2: Use the System File Checker tool to repair User32.dll

System File Checker lets you scan all protected files to verify their versions. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the cache folder (%Systemroot%\System32\Dllcache) or from the Windows installation source files, and then replaces the incorrect file. You must be logged on as an administrator or as a member of the Administrators group to run System File Checker.

Have a nice Christmas and a malware free 2009,

polonus