Hi I’m looking for some assistance to remove a virus or trojan. If anyone can point me in the correct direction or give me some suggested steps to follow to get rid of this, that would be great! Please find below a summary of the problem, scan results from virus total and a hijack this scan of my system.
Thanks! -Alex

Avast detected a virus during a background scan yesterday. This is the message it gave:
File name: C:\WINDOWS\SYSTEM32\USER32.DLL
Malware name: Win32:SysPatch [Wrm]
Malware type: Virus/Worm
VPS version: 081224-0, 24/12/2008
Recommended action: Move to chest
I get the same message each time it runs.

The problem that I’m having is that when I click ‘move to chest’ in avast, it says ‘cannot process “C:\WINDOWS\SYSTEM32\USER32.DLL” file’. The same message appears when I try to delete so I can’t get rid of the infection with avast seemingly.

I’m not sure where the infected file USER32.DLL came from. It shows the last date modified as 7 December 2008.

I also got a message stating that avast has detected a virus in the operating memory. Since it is very dangerous to work with the computer while the virus is active, it is strongly recommended that you restart the computer and let avast scan all your data in the boot phase, before the virus can be activated. Do you want to schedule the boot-time scan and restart the computer?

What I’ve tried so far is to disable system restore and let avast run a scan in boot-scan mode. I also tried running avast with windows in safe mode. It still could not move or remove the infected file.

This is the log file from avast:
7/12/2008 10:39:44 AM SYSTEM 1080 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\nvaux32.dll” file.
23/12/2008 5:45:29 PM SYSTEM 1140 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
23/12/2008 5:50:06 PM SYSTEM 1140 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
23/12/2008 11:38:14 PM SYSTEM 1132 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
24/12/2008 7:56:32 AM SYSTEM 1080 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
24/12/2008 11:30:07 AM SYSTEM 1080 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
24/12/2008 2:00:16 PM 3baws 1832 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\3baws\Local Settings\Temp\wJQs.exe” file.
24/12/2008 9:24:55 PM 3baws 1832 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\system32\aston.mt” file.
24/12/2008 9:25:31 PM 3baws 1832 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\system32\dllcache\user32.dll” file.
24/12/2008 9:26:59 PM 3baws 1832 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\system32\user32.DLL” file.
25/12/2008 6:05:40 AM SYSTEM 1008 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
25/12/2008 6:09:13 AM 3baws 216 Sign of “Win32:SysPatch [Wrm]” has been found in “c:\windows\system32\user32.dll” file.
25/12/2008 6:09:46 AM SYSTEM 1008 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
25/12/2008 7:39:48 AM SYSTEM 784 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
25/12/2008 7:42:50 AM 3baws 612 Sign of “Win32:SysPatch [Wrm]” has been found in “c:\windows\system32\user32.dll” file.
25/12/2008 7:45:49 AM SYSTEM 784 Sign of “Win32:SysPatch [Wrm]” has been found in “C:\WINDOWS\SYSTEM32\USER32.DLL” file.
25/12/2008 9:53:53 AM 3baws 1080 Sign of “Win32:SysPatch [Wrm]” has been found in “c:\windows\system32\user32.dll” file.

The first item (nvaux32.dll) is in the virus vault. I’m not sure if it has any connection to the current problem.

I tried to scan the file USER32.DLL with Jotti and it came back ‘The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file’

These are the results from virus vault:
File user32.DLL received on 12.24.2008 22:06:35 (CET)
Antivirus Version Last Update Result
a-squared 4.0.0.73 2008.12.24 -
AhnLab-V3 2008.12.25.0 2008.12.24 Win-Trojan/User32Hk
AntiVir 7.9.0.45 2008.12.24 -
Authentium 5.1.0.4 2008.12.24 -
Avast 4.8.1281.0 2008.12.24 Win32:SysPatch
AVG 8.0.0.199 2008.12.24 -
BitDefender 7.2 2008.12.24 -
CAT-QuickHeal 10.00 2008.12.24 -
ClamAV 0.94.1 2008.12.24 -
Comodo 809 2008.12.24 -
DrWeb 4.44.0.09170 2008.12.24 BackDoor.Zapinit
eSafe 7.0.17.0 2008.12.24 -
eTrust-Vet 31.6.6276 2008.12.24 Win32/Pruserinf
Ewido 4.0 2008.12.24 -
F-Prot 4.4.4.56 2008.12.24 -
F-Secure 8.0.14332.0 2008.12.24 Trojan.Win32.Patched.bb
Fortinet 3.117.0.0 2008.12.24 -
GData 19 2008.12.24 Win32:SysPatch
Ikarus T3.1.1.45.0 2008.12.24 -
K7AntiVirus 7.10.564 2008.12.24 -
Kaspersky 7.0.0.125 2008.12.24 Trojan.Win32.Patched.bb
McAfee 5474 2008.12.24 -
McAfee+Artemis 5474 2008.12.24 potentially unwanted program Patched User32
Microsoft 1.4205 2008.12.24 Virus:Win32/Mariofev.A
NOD32 3716 2008.12.24 Win32/Pinit
Norman 5.80.02 2008.12.24 -
Panda 9.0.0.4 2008.12.24 W32/Patched.D
PCTools 4.4.2.0 2008.12.24 -
Prevx1 V2 2008.12.24 -
Rising 21.09.22.00 2008.12.24 Trojan.Win32.Patched.bi
SecureWeb-Gateway 6.7.6 2008.12.24 -
Sophos 4.37.0 2008.12.24 Troj/User32Hk-A
Sunbelt 3.2.1809.2 2008.12.22 -
Symantec 10 2008.12.24 -
TheHacker 6.3.1.4.199 2008.12.23 -
TrendMicro 8.700.0.1004 2008.12.24 Possible_Patch-1
VBA32 3.12.8.10 2008.12.24 -
ViRobot 2008.12.24.1534 2008.12.24 -
VirusBuster 4.5.11.0 2008.12.24 -
Additional information
File size: 578560 bytes
MD5…: e85618a52bacf75e2b98da7ece62ebc4
SHA1…: c631b19a5a723df64cd5b9db453c31761ca82547
SHA256: b90de578d642b9c0247f50cee79d26133ee633fd5fa45b8c69164ad326538e4a
SHA512: 9a522510e234d7e092f02aa2d85fe9dcacddfa4e1b496e90307c90f20280c33e
b2526fefe0d9c2149955cc5cd57d8c59b45db9ab5db97bbd36fd8c927e1228b4

ssdeep: 6144:QAML7NoIlCGJPY2Z2AlptXbgz0+Q4odCGfTnpbEdd/fudqsa0jucQgBMacC
GNoEd:qoHEHblpWz0jPLhEfgP6WMDoEJY

PEiD…: -
TrID…: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x7e41b217
timedatestamp…: 0x4802a11b (Mon Apr 14 00:11:07 2008)
machinetype…: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x5f283 0x5f400 6.65 0a84fb2f4fe16a3910644665532e522c
.data 0x61000 0x1180 0xc00 2.38 28fc1d764bf4ed37bb349bca5991a1ff
.rsrc 0x63000 0x2a088 0x2a200 4.97 818c69d1407c2f66058a8171086b2fba
.reloc 0x8e000 0x2de4 0x2e00 6.77 68ebe5a2d822be0663a3e935b39d0bae

( 3 imports )
> GDI32.dll: GetClipRgn, ExtSelectClipRgn, … [rest deleted as too long]

I’ll post the hijack this file in a separate post because the message is over the 10000 character limit

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:01 AM, on 25/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvraidservice.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
C:\Program Files\WinFast\WFDTV\WFWIZ.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\3baws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.vicnet.net.au/~alex/links/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [Adobe Photo Downloader] “C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [WinFastDTV] C:\Program Files\WinFast\WFDTV\DTVSchdl.exe
O4 - HKLM..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFDTV\WFWIZ.exe
O4 - HKLM..\Run: [ISTray] “C:\Program Files\Spyware Doctor\pctsTray.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\3baws\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191333827562
O17 - HKLM\System\CCS\Services\Tcpip..{F361699F-3D95-46EB-A9BD-DCC51436DC3E}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: schmap-help - {2CF664A0-5EA6-47B5-884C-433A60145F78} - C:\Program Files\Schmap\Schmap Player\SchmapDocLib.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

End of file - 10135 bytes

See here.

http://forum.avast.com/index.php?topic=41227.0

Looks like the Win32:SysPatch worm is infecting everyone’s PCs.

Hi alex1,

The hjt does not show up the infection you have there.

I posted a proposed cleansing routine for this worm malware here:http://forum.avast.com/index.php?topic=41238.msg346121#msg346121

With System Restore disabled and in SafeMode try to cleanse in the way I proposed and delete the other files that avast gave for the malware in hand and do a full scan using DrWebCureIt, download from here: ftp://ftp.drweb.com/pub/drweb/cureit/launch.exe

polonus

Hi Jtaylor83,

TECHNICAL DETAILS
When executed, the worm copies itself as the following files:
%System%\ntpl.bin
%System%\sbmf.ln

It also drops the following files, which are copies of Backdoor.Zapinit:
%System%\cc.ln
%System%\lght.ln
%System%\msnf.ln
%System%\nvrsma.dll
%System%\pryx.ln

It also creates the following log file:
%Windir%\sys.log

Next, the worm modifies the following files so that it changes which registry entries are queried when Windows starts:
%System%\dllcache\user32.dll
%System%\user32.dll

It then creates the following registry entry so that it runs whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"pjpInit_Dlls" = “nvrsma”

Note: The above registry entry is queried by the modified user32.dll files.

Note: The original user32.dll files are copied as the following file:
%System%[RANDOM FILE NAME]

It also creates the following registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"st" = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"mid" = “[HEXADECIMAL CHARACTERS]”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"dwn" = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"ccnt" = “1”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"nhr" = “1”

It also creates the following registry subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\1
HKEY_LOCAL_MACHINE\SOFTWARE\6
HKEY_LOCAL_MACHINE\SOFTWARE\7
HKEY_LOCAL_MACHINE\SOFTWARE\8
HKEY_LOCAL_MACHINE\SOFTWARE\9

The worm then attempts to connect to the following URLs:
[http://]66.36.241.45/sdb/gate/[REMOVED]
[http://]66.36.241.45/sdb/gate/data[REMOVED]

The worm spreads by copying itself to network shares using the following logon details:
User name:
Administrator
Password:
One of the following:
!@#
0
00
1
11
1212
123
123456
13
1313
666
777
adm
admin
administrator
asa
pass
password
q
qaz
qazxsw
qqq
qwerty
test
zaq
zaqwsx
zzz
/////////////////////////////
pol

Hi Polonus,

Thanks very much for the suggested steps!

I’ve backed up the registry.

So just to confirm, I should now delete the suspect file USER32.DLL from the computer while it’s running in safe mode. Is it okay to just delete that file or do I need to replace it from my windows CD for the computer to function properly? The other suspect file that had been in the temp folder I already managed to delete.

Then I should restart the computer and scan with DrWebCureIt?

Thanks again!

-Alex

I tried to follow the steps suggested. I made a backup of the registry. System restore is disabled. I ran Windows in safe mode. But I still couldn’t delete the suspect file- C:\WINDOWS\SYSTEM32\USER32.DLL

When I navigate to the file and try to delete it, I get a message saying it can’t be deleted because it’s in use:

http://img126.imageshack.us/img126/1572/user32ty8.th.jpg

I’m not sure what I should do now.

Thanks for the help so far!

Even though I couldn’t delete that file, I just ran Dr Web anyway. After it ran, it said the infection of the file user32.dll is cured!

http://img384.imageshack.us/img384/5058/77081669dt9.th.jpg

Is there anything else I should do?

Thanks very much for the help!!

Hi alex1,

If that is what you got, you are out of the woods, so the basic concept is, you start to cleanse the crap of the machine, while your machine uses the right user32.dll from the recovery CD, then you have done that with system restore disabled and in safe mode. When you sufficiently took off the offending files and malicious registry changes, you can reboot normally and you are passed the infection, the malcreant has complicated the removal of his malware only because of the fact that user32.dll is a necessary file to run the system and has to be in use, by using the recovery CD his chess-game is over, can you follow my lines of explanations what happened here during the worm infection and what that did? This nastiness has been spotted before and for these cases we had a series of recovery “diskettes” in the days of “olem” or ancient Win 98 SE, enjoy your XMas holidays and surf safe during the New Season,

Oh yes and install Secunia PSI on your box to keep all your third party software up to date:
http://secunia.com/PSISetup.exe

pol