Greetings to all in this thread.
Apologies for the length of this post.
I am a bit confused regarding this particular worm being detected by Avast.
I have done a fairly exhaustive search through Google, and for the moment it would appear that Avast is the only one to detect it. I do realise that it can take some time for other software to get there but....
My son is the one with this problem - not me.
Brief background -
He came to me for Xmas - I was to D/L SP3 and all latest security/critical updates on his Acer Notebook running WINXP PRO. On Xmas morning, we had done SP3, and had got to the last of 5 updates, and had done a reboot for the last one - when ZA and Avast were enabled, we got an immediate alert re the thread subject.
I would add that all updates were done offline, on a cleaned system with all security software disabled and background running progs stopped. D/L and install was via disc. Avast had not indicated anything when used prior to any DL of the updates.
Despite Avast finding this worm, none of the options could fix it - perhaps that will come later???
My first action was GOOGLE and read a couple of suggestions that this was an FP, and then found this forum [which I was going to view anyhow] and I read that this worm showed itself around 23 Dec 2008.
2nd avenue to troubleshoot was with MS newsgroups security/virus.
At that time no other report/thread had been posted - and still has not - well not yet.
Searching was resumed over the next two days as and when time was available.
It was first suggested that -
Avast has indicated; %windir%\SYSTEM32\USER32.DLL was patched.
compare files in...
%windir%\ServicePackFiles\i386
and
%windir%\SYSTEM32
If they are NOT the same, copy %windir%\ServicePackFiles\i386\USER32.DLL to
%windir%\SYSTEM32
The result of looking at these two files was -
One is in C:\Windows\system32 - in there I have found the file 'user32.DLL'
and gone to properties, which shows-
Size 565KB
Size on disk 568KB.
Created 8 March 2007
Modified 13 Dec 2008
Accessed 27 Dec 2008
Version 5.1.2600.5512
The other in Start/Run/ %windir%\ServicePackFiles\i386 - in there I have
found 'user32.dll' and going to properties, which shows-
Size 565KB
Size on disk 568KB
Created 11 Oct 2008
Modified 14 April 2008
Accessed 27 Dec 2008
The repair, done in safe mode, failed.
The system was scanned with other AV/antimalware software, including Symantec, but all showed a clean result?
System Restore and Recovery Console proved negative and I cannot put the HD in another computer and perform a copy that way.
Various software was suggested - most of which I would not touch with a very long pole - others I tried but no positive results.
Not wishing to test post readers attention span, the computer was switched on on the following Saturday - it was used for three hours and NO ALERT came from Avast - double check to make sure it was enabled - it was - did a scan and nothing - phew, got rid of the worm.
My son returned to work on the Monday and up popped the warning again.
Oh SH-one-T!
My son is abroad the rest of this week - on his return I will get him to run the DrWeb prog.
Until then I shall sit, watch and wait here and in other places.
All the updates including SP3 were installed without a hitch and his computer is running as sweetly as it has since new in June 2008.
Observations - my son hardly ever uses the internet - that is confirmed by his TIF folder - he had not used it for a week prior to my DL the updates. So when and how did this arrive in his system? Surely not via an MS update - I know Black Tuesday can be a problem.
I think I will run this Doc thing on mine, just to see what it finds.
What would we computer challenged users do without these forums and newsgroups?
Rgds
Antioch
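
The file comparison suggested in the post (the copy of USER32.DLL in %windir%\SYSTEM32 against the one in %windir%\ServicePackFiles\i386), sketched as an added example that is not part of the original post: two files with the same size in Properties can still differ in content, so the check hashes both and lists the byte ranges that differ. It assumes a Python interpreter is available; the function names are hypothetical and the sample bytes in `demo()` are constructed stand-ins, not real DLL contents.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size; keeps memory use flat for any file size

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def diff_ranges(path_a, path_b):
    """Return [(offset, length), ...] runs that differ; a size mismatch shows as a tail run."""
    ranges, start, offset = [], None, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(CHUNK), fb.read(CHUNK)
            if not a and not b:
                break
            for i in range(max(len(a), len(b))):
                same = i < len(a) and i < len(b) and a[i] == b[i]
                if not same and start is None:
                    start = offset + i
                elif same and start is not None:
                    ranges.append((start, offset + i - start))
                    start = None
            offset += max(len(a), len(b))
    if start is not None:
        ranges.append((start, offset - start))
    return ranges

def compare(installed, reference):
    same = sha256_file(installed) == sha256_file(reference)
    return {"identical": same,
            "ranges": [] if same else diff_ranges(installed, reference)}

def demo():
    # Constructed stand-ins for the two copies: equal size, 4 bytes overwritten.
    ref = b"MZ" + bytes(1000)
    mod = ref[:512] + b"\xde\xad\xbe\xef" + ref[516:]
    with tempfile.TemporaryDirectory() as d:
        sys32, i386 = Path(d, "system32.bin"), Path(d, "i386.bin")
        sys32.write_bytes(mod)
        i386.write_bytes(ref)
        return compare(sys32, i386)

if __name__ == "__main__":
    print(demo())
```

On a real machine, `compare()` takes the two paths named in the post in place of the temporary files.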