aston.mt and user32.dll... false positive?

hi all
today avast alerted me that C:\WINDOWS\system32\user32.dll is infected by Win32:SysPatch and C:\WINDOWS\system32\aston.mt is infected by Win32:Trojan-gen {Other}, is that possible? or is it a false positive?

tnx

yes, it’s quite possible (you can send the user32.dll to www.virustotal.com and post the results here)… don’t remove anything… replace the current user32.dll with a clean one from the rescue disc…

when i try to upload the user32.dll, VirusTotal says: “0 bytes size received / Se ha recibido un archivo vacio”
what does it mean?

how about www.virscan.org? the same error?

tnx for your help max :smiley:

virscan says “ERROR: Can’t find upload file!”
no comment man…

that’s pretty strange… are you able to copy the user32.dll file from the \system32\ folder to desktop e.g.?

i can’t rar, copy, send, or do any similar operation… user32 is completely locked…
format c:?..

format c:? i think it’s not necessary… let’s try to fix it first… can you try to rollback your system to some clean restore point?

ok in ADMIN mode i can upload user32.dll
log from VIRUSTOTAL

14/38 (36.85%)
AhnLab-V3          2008.12.22.0     2008.12.23  Win-Trojan/User32Hk
AntiVir            7.9.0.45         2008.12.23  -
Authentium         5.1.0.4          2008.12.23  -
Avast              4.8.1281.0       2008.12.23  Win32:SysPatch
AVG                8.0.0.199        2008.12.22  -
BitDefender        7.2              2008.12.23  -
CAT-QuickHeal      10.00            2008.12.23  -
ClamAV             0.94.1           2008.12.23  -
Comodo             800              2008.12.22  -
DrWeb              4.44.0.09170     2008.12.23  BackDoor.Zapinit
eSafe              7.0.17.0         2008.12.21  -
eTrust-Vet         31.6.6274        2008.12.22  Win32/Pruserinf
Ewido              4.0              2008.12.22  -
F-Prot             4.4.4.56         2008.12.22  -
F-Secure           8.0.14332.0      2008.12.23  Trojan.Win32.Patched.bb
Fortinet           3.117.0.0        2008.12.23  -
GData              19               2008.12.23  Win32:SysPatch
Ikarus             T3.1.1.45.0      2008.12.23  -
K7AntiVirus        7.10.562         2008.12.22  -
Kaspersky          7.0.0.125        2008.12.23  Trojan.Win32.Patched.bb
McAfee             5472             2008.12.22  -
McAfee+Artemis     5472             2008.12.22  potentially unwanted program Patched User32
Microsoft          1.4205           2008.12.23  Virus:Win32/Mariofev.A
NOD32              3712             2008.12.22  Win32/Pinit
Norman             5.80.02          2008.12.22  -
Panda              9.0.0.4          2008.12.23  W32/Patched.D
PCTools            4.4.2.0          2008.12.22  -
Prevx1             V2               2008.12.23  -
Rising             21.09.12.00      2008.12.23  Trojan.Win32.Patched.bi
SecureWeb-Gateway  6.7.6            2008.12.23  -
Sophos             4.37.0           2008.12.23  Troj/User32Hk-A
Sunbelt            3.2.1809.2       2008.12.22  -
Symantec           10               2008.12.23  -
TheHacker          6.3.1.4.195      2008.12.20  -
TrendMicro         8.700.0.1004     2008.12.23  Possible_Patch-1
VBA32              3.12.8.10        2008.12.22  -
ViRobot            2008.12.23.1532  2008.12.23  -
VirusBuster        4.5.11.0         2008.12.22  -

i didn’t find C:\WINDOWS\system32\aston.mt to do a scan

ook… how about the system restore?

i disabled it 2-3 weeks ago

ook… try the repair option from your OS cd…

but is user32.dll corrupt?

yes… it’s patched and loads something nasty into all user-mode processes…