Author Topic: WORM VIRUS WIN32:SYSPATCH  (Read 56606 times)


Leonhart

  • Guest
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #45 on: December 29, 2008, 01:28:57 PM »
Avast is accusing the same virus here on my PC. I tried to use the command sfc /scannow using the Windows XP Professional SP2 CD (my system is the same but with SP3; should I have used a CD with SP3 too?), and it didn't work; when I rebooted, the colour configuration settings were set low, and to restore that I reinstalled the driver for my graphics card.

Since I did that the PC almost always freezes when the desktop appears. Yesterday I tried about 20 times but couldn't use the PC; today it loaded OK, I don't know why (my internet cable was not connected; I don't know if that has something to do with it).

I'm trying the other solutions posted here, although it's hard for me because I don't have much knowledge about this type of problem.

How do I make a copy of my registry? Could I use CCleaner (it makes one when I clean)? How do I use that copy if something goes wrong? I have many old registry copies I made with CCleaner; do they help in some way (like using an old one that is not infected)?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #46 on: December 29, 2008, 03:09:47 PM »
Quote from: Leonhart
How do I make a copy of my registry?

How? Use ERUNT (http://www.larshederer.homepage.t-online.de/erunt/).
When? You should have done it before, when you were clean...

Quote from: Leonhart
Could I use CCleaner (it makes one when I clean)?

It won't harm, but I don't think it will help right now...

Quote from: Leonhart
I have many old registry copies I made with CCleaner; do they help in some way (like using an old one that is not infected)?

The backups are only of the registry entries changed (cleaned) by CCleaner, not the full registry... If you get infected, most probably they won't help.
I suggest:

1. Clean your temporary files.
2. Schedule a boot-time scan with avast with archive scanning turned on. If avast does not detect it, you can try Dr.Web CureIt! instead.
3. Use SUPERAntiSpyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! Antirootkit or Trend Micro RootkitBuster.
5. Make a HijackThis log to post here or at this analysis site. Or even submit the RunScanner log for on-line analysis.
6. Disable System Restore and then re-enable it again.
7. Immunize your system with SpywareBlaster.
8. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

Therion

  • Guest
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #47 on: December 30, 2008, 08:50:51 AM »
Hi Folks,

thank you for your suggestions !!!

I already expected I'd have to take such pains in one way or the other; however, eventually (I think) I have successfully removed the worm using Dr.Web Antivirus CureIt!, a free version taken from the web at

http://www.freedrweb.com

It left me with a very good impression and would be useful as a supplement to Avast!, which, despite the bug, I do like and recommend very much!!!

Happy New Year to all of you !!!  Hopefully without such filthy worms... ;-)

Andy1972

  • Guest
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #48 on: December 30, 2008, 01:51:30 PM »
Therion,

Thanks for the link to Dr Web.

I used this also and it said c:\windows\system32\user.dll was infected with BackDoor.Zapinit.

And when I ran Avast it no longer detects Win32:SysPatch.

Thanks




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #49 on: December 30, 2008, 03:12:04 PM »
Quote from: Therion
thank you for your suggestions !!!

I already expected I'd have to take such pains in one way or the other,
however, eventually (I think) I have successfully removed the worm using
Dr. Web Antivirus CureIt! - a free version taken from the web at
<snip>
Happy New Year to all of you !!!  Hopefully without such filthy worms... ;-)

Thanks for your feedback. It can take a little time for tools to catch up with new worms, etc.

A Happy New Year to you and welcome to the forums.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Antioch

  • Newbie
  • *
  • Posts: 18
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #50 on: January 01, 2009, 07:01:25 PM »
Greetings to all in this thread.
Apologies for the length of this post.
I am a bit confused regarding this particular worm being detected by Avast.
I have done a fairly exhaustive search through Google, and for the moment it would appear that Avast is the only one to detect it. I do realise that it can take some time for other software to get there, but...
My son is the one with this problem, not me.
Brief background:
He came to me for Xmas; I was to download SP3 and all the latest security/critical updates on his Acer notebook running WinXP Pro. On Xmas morning we had done SP3 and had got to the last of 5 updates, and had done a reboot for the last one; when ZA and Avast were enabled, we got an immediate alert re the thread subject.
I would add that all updates were done offline, on a cleaned system with all security software disabled and background programs stopped. Download and install was via disc. Avast had not indicated anything when used prior to any download of the updates.

Despite Avast finding this worm, none of the options could fix it; perhaps that will come later???

My first action was Google, where I read a couple of suggestions that this was an FP, and then I found this forum (which I was going to view anyhow) and read that this worm showed itself around 23 Dec 2008.
2nd avenue to troubleshoot was the MS newsgroups security/virus.
At that time no other report/thread had been posted, and still has not; well, not yet.
Searching was resumed over the next two days as and when time was available.

It was first suggested that -
Avast has indicated; %windir%\SYSTEM32\USER32.DLL  was patched.

compare files in...
%windir%\ServicePackFiles\i386
and
%windir%\SYSTEM32

If they are NOT the same, copy %windir%\ServicePackFiles\i386\USER32.DLL  to
%windir%\SYSTEM32

The result of looking at these two files was:
One is in C:\Windows\system32; in there I found the file 'user32.DLL' and went to Properties, which shows:
Size 565KB
Size on disk 568KB
Created 8 March 2007
Modified 13 Dec 2008
Accessed 27 Dec 2008
Version 5.1.2600.5512

The other is in Start/Run/%windir%\ServicePackFiles\i386; in there I found 'user32.dll' and going to Properties shows:
Size 565KB
Size on disk 568KB
Created 11 Oct 2008
Modified 14 April 2008
Accessed 27 Dec 2008

The repair, done in Safe Mode, failed.

The system was scanned with other AV/antimalware software, including Symantec, but all showed a clean result?

System Restore and Recovery Console proved negative, and I cannot put the HD in another computer and perform a copy that way.
Various software was suggested, most of which I would not touch with a very long pole; others I tried, but with no positive results.

Not wishing to test readers' attention span: the computer was switched on on the following Saturday; it was used for three hours and NO ALERT came from Avast. Double-checked to make sure it was enabled; it was. Did a scan and nothing. Phew, got rid of the worm.
My son returned to work on the Monday and up popped the warning again.
Oh SH-one-T!

My son is abroad the rest of this week; on his return I will get him to run the Dr.Web program.
Until then I shall sit, watch and wait here and in other places.
All the updates including SP3 were installed without a hitch and his computer is running as sweetly as it has since new in June 2008.
Observations: my son hardly ever uses the internet; that is confirmed by his TIF folder. He had not used it for a week prior to my downloading the updates. So when and how did this arrive on his system? Surely not via an MS update; I know Black Tuesday can be a problem.

I think I will run this Doc thing on mine, just to see what it finds.

What would we computer-challenged users do without these forums and newsgroups?

Rgds
Antioch




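The comparison Antioch describes above (two user32.dll copies with the same 565KB size but different dates) is where a byte-for-byte check earns its keep: a file patched in place keeps its size and its version resource, and a Modified date is only whatever the last writer chose to leave, so only the content tells the copies apart. The following is an added example, not code from this thread or from any of the tools mentioned in it. It compares two file images by SHA-256 and reports the byte ranges that differ; the sample images are constructed here (a 4096-byte "good" image and a copy with five bytes overwritten at offset 0x200), and the function names are this example's own.

```python
import hashlib
import sys
from typing import Dict, List, Tuple

# Constructed sample images (not real user32.dll contents): a 4096-byte "good"
# file and a copy with 5 bytes overwritten at offset 0x200. Both have the same
# size, which is exactly the case where the Properties dialog tells you nothing.
GOOD_IMAGE = b"MZ" + b"\x90" * 4094
_patched = bytearray(GOOD_IMAGE)
_patched[0x200:0x205] = b"\xe9\x00\x10\x00\x00"   # arbitrary 5-byte overwrite
PATCHED_IMAGE = bytes(_patched)


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return half-open [start, end) byte ranges where a and b differ.

    A trailing range covers any length difference, so two files of different
    size always yield at least one range.
    """
    ranges: List[Tuple[int, int]] = []
    n = min(len(a), len(b))
    i = 0
    while i < n:
        if a[i] == b[i]:
            i += 1
            continue
        start = i
        while i < n and a[i] != b[i]:
            i += 1
        ranges.append((start, i))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def compare_copies(a: bytes, b: bytes) -> Dict[str, object]:
    """Compare two byte images of what should be the same file."""
    ranges = diff_ranges(a, b)
    return {
        "size_a": len(a),
        "size_b": len(b),
        "sha256_a": hashlib.sha256(a).hexdigest(),
        "sha256_b": hashlib.sha256(b).hexdigest(),
        "identical": a == b,
        "same_size": len(a) == len(b),
        "diff_ranges": ranges,
        "diff_bytes": sum(end - start for start, end in ranges),
    }


def compare_files(path_a: str, path_b: str) -> Dict[str, object]:
    """Same comparison for two files on disk, e.g. the system32 copy of
    user32.dll against the ServicePackFiles\\i386 copy."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_copies(fa.read(), fb.read())


def report(result: Dict[str, object]) -> str:
    """Human-readable summary; an in-place patch shows as same size, different hash."""
    lines = [
        f"size:   {result['size_a']} vs {result['size_b']}",
        f"sha256: {result['sha256_a']}",
        f"        {result['sha256_b']}",
    ]
    if result["identical"]:
        lines.append("verdict: identical")
    else:
        kind = "in-place modification" if result["same_size"] else "different length"
        lines.append(f"verdict: {kind}, {result['diff_bytes']} byte(s) differ")
        for start, end in result["diff_ranges"][:8]:
            lines.append(f"  offset 0x{start:x}-0x{end:x}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        print(report(compare_files(sys.argv[1], sys.argv[2])))
    else:
        print(report(compare_copies(GOOD_IMAGE, PATCHED_IMAGE)))
```

Run it with two paths to compare real files; with no arguments it compares the constructed images and reports one differing range at 0x200-0x205. A clean result from this check only means the two copies agree with each other; if the ServicePackFiles copy was itself written by the same infection, both hashes can match and still be wrong, which is why a hash taken from known-good media is the better reference when one is available.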
CharleyO

  • Guest
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #51 on: January 01, 2009, 11:42:53 PM »
***

Quote
What would we computer challenged users do without these forums and newsgroups?

Rgds
Antioch


I think they would be in a world of hurt, with too many infected computers which eventually become doorstop-worthy.


***

Offline Antioch

  • Newbie
  • *
  • Posts: 18
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #52 on: January 02, 2009, 02:41:05 AM »
Just an update

Using busted computers as door stops would certainly be a novel method of recycling.

I ran Dr.Web on my computer and it found the following after just over 2 hrs of scanning.
For a start, it accuses my AV of probably being a backdoor trojan:

SktInstall.exe;C:\Program Files\Virgin Broadband\PCguard;Probably BACKDOOR.Trojan;

and then suggests that there is something wrong with Spybot S&D:

RegUBP2b-Richard.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505

In addition there were 133 other StartPage.1505 entries. Are these registry entries? They appear similar to the sort of results one gets from running those dangerous reg cleaners.

Was going to run Avast as well, but time ran out; anyway, I am not too sure I want to know if I have this wretched worm.

Rgds
Antioch



Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #53 on: January 02, 2009, 03:04:21 AM »
Well, firstly, you shouldn't install two resident AVs, which PCGuard and avast would be.

I have no idea why Dr.Web would detect PCGuard as a backdoor trojan, but then again I know nothing about how PCGuard works.

As far as finding StartPage trojans, it may be finding S&D's start page protection as an attack rather than as a defence.

Offline Antioch

  • Newbie
  • *
  • Posts: 18
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #54 on: January 02, 2009, 12:01:15 PM »
Hello DavidR

Don't get me wrong; I always disable my resident AV (and all other anti-stuff) before running a guest AV, just to do a scan. Plus I clean the computer of TIF and temp folders, and do a disc clean and defrag.

PC Guard comes with Virgin Cable; it's not bad, not better than the one that came with ntl, but its antispam is great.

Yes, but what about all the other StartPages it has found? An example is below:

A0194643.reg;C:\System Volume Information\_restore{9C9D7C17-5A76-4CF9-AEF2-46203EBD666C}\RP681;Trojan.StartPage.1505;;

Speaking for myself, if these 1505s are reg entries, then I would no more think of deleting any of them as per the recommendation from Dr.Web than I would a registry entry suggested by a reg cleaner. I would not use one in any case, well, not without expert assistance; I used a well-known reg cleaner when I had Win98, when I didn't know any better, never again; but then XP does not have the same reg problems that 98 had.
Running Dr.Web just brought back memories of the 'pop-up' type snake-oil warnings that used to show when browsing, telling you that your computer is infected with hundreds of nasties.

I will scan with Avast over the weekend; probably do another Symantec as well.

Rgds
Antioch




Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: WORM VIRUS WIN32:SYSPATCH
« Reply #55 on: January 02, 2009, 06:08:53 PM »
Don't get me wrong either; disabling simply isn't enough, as that doesn't stop low-level drivers being loaded to hook files so they can be scanned before being run. It is these low-level drivers that are likely to conflict and, in the worst-case scenario, it could lock your system.

The first part of the file name is randomly generated by System Restore so it doesn't have the same name as the original, but the file type is retained, and in this case .reg means it is a file that can modify the registry. So it is entirely possible it was a start page changer, etc.

Me, I'm the reverse: if there is any doubt about items in the System Volume Information restore points, I would rather have them out than have them bite me in the rear at some point in the future when, using System Restore, you go back to a point that included any of these suspect restore points.

So what may be best (when you have resolved the initial issue and your system is working OK) is to create a new restore point and then clear the old ones.

Quote from: Create Clean Restore Point - Clear old Restore Points.
Now you are clear of infection create a clean System Restore point:
1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:
1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button
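DavidR's point above is that a restore point renames files but keeps their extension, so an A0194643.reg entry is still something that can rewrite the registry. Rather than deleting or keeping it purely on a scanner's say-so, you can read it: a .reg file is plain text (UTF-16LE with a BOM in the "Version 5.00" format, ANSI in the older REGEDIT4 format) and every key and value it would write is visible. The following is an added example, not code from this thread or from Dr.Web, Spybot or avast. It parses .reg text and flags the entries a start page changer or an autostart installer would write (Internet Explorer's Start Page / Search Page values and the Run / RunOnce keys); it also walks a directory of copied-out .reg files and reports per file. The sample .reg content is constructed here, the function names are this example's own, and the set of keys it flags is a minimal illustration rather than a complete list.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the Windows "Version 5.00" .reg syntax (not a file from
# the thread). It sets the IE home page, adds two autostart values and deletes
# one key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.com/"
"Search Page"="http://www.example.com/search"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="C:\\Documents and Settings\\All Users\\Application Data\\svchost.exe"

[-HKEY_CURRENT_USER\Software\SomeVendor\Toolbar]
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# {key_path: {value_name: data}}; the dict is None when the line was [-KEY]
# (key deletion) and a data entry is None for "name"=- (value deletion).
RegData = Dict[str, Optional[Dict[str, Optional[str]]]]
Finding = Tuple[str, str, str, Optional[str]]


def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> RegData:
    """Parse .reg text. String values are unescaped; dword:/hex: values are kept
    as raw text and hex continuation lines (ending in a backslash) are ignored."""
    keys: RegData = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(';')
                or line.startswith('Windows Registry Editor') or line == 'REGEDIT4'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            keys[current] = None if m.group(1) == '-' else {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None and keys[current] is not None:
            name = m.group(1)
            name = '@' if name == '@' else _unescape(name[1:-1])
            data: Optional[str] = m.group(2)
            if data == '-':
                data = None
            elif data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


AUTOSTART_SUFFIXES = ('\\currentversion\\run', '\\currentversion\\runonce')
BROWSER_HOME_VALUES = {'start page', 'search page', 'default_page_url', 'local page'}


def suspicious_entries(keys: RegData) -> List[Finding]:
    """Return (category, key, value_name, data) for entries under the IE Main key
    that set the home/search page, and for anything written to Run/RunOnce."""
    findings: List[Finding] = []
    for path, values in keys.items():
        if values is None:
            continue
        low = path.lower()
        for name, data in values.items():
            if low.endswith(AUTOSTART_SUFFIXES):
                findings.append(('autostart', path, name, data))
            elif low.endswith('\\internet explorer\\main') and name.lower() in BROWSER_HOME_VALUES:
                findings.append(('browser-home', path, name, data))
    return findings


def load_reg_file(path: str) -> str:
    """Version 5.00 files are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    with open(path, 'rb') as f:
        raw = f.read()
    return raw.decode('utf-16') if raw.startswith(b'\xff\xfe') else raw.decode('latin-1')


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Walk a directory (e.g. a copied-out restore point) and report per .reg file."""
    report: Dict[str, List[Finding]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith('.reg'):
                full = os.path.join(dirpath, fn)
                try:
                    hits = suspicious_entries(parse_reg(load_reg_file(full)))
                except (OSError, UnicodeDecodeError):
                    continue
                if hits:
                    report[full] = hits
    return report


if __name__ == '__main__':
    for category, key, name, data in suspicious_entries(parse_reg(SAMPLE_REG)):
        print(f'{category:13} {key}  {name!r} = {data!r}')
```

On the constructed sample this lists the two Start Page / Search Page values and the two Run entries and says nothing about the deleted key. A legitimate backup such as a Spybot snapshot and a start page changer can contain the very same Start Page line, so what the parser gives you is the content to judge, not a verdict; the things to look at are where the URLs point and what the autostart paths actually launch.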