HELP!!! I'm not really computer literate, but I did manage to find out that I have a Win32 SysPatch worm or something that I am having a hard time deleting.
I know someone here is computer savvy and can help me fix this one. Please keep in mind I may need pretty explicit details. SUPER THANKS!!!
Hi allmycats,
First go to this thread and read all the info there,
http://forum.avast.com/index.php?topic=41227.0
Win32:SysPatch injects the user32.dll file with its own data and forces it to load malicious DLLs. These DLLs are intended to collect network traffic data, are able to control locally running processes from a remote machine, and can download/send data through an open backdoor.
Download Malwarebytes and run it too; this should remove it. It is also free: http://www.malwarebytes.org/
Win32 SysPatch worm
Discovered: 16 October 2007
Updated: 6 December 2007 11:16:15 AM
Type: Trojan
Infection Length: 140,288 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
When the worm is executed, it drops the following file:
%Windir%\nview.dll
It also creates the following file:
%System%\drivers\atmapi.sys
It then creates the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft.… NT\CurrentVersion\Windows\"zwpInit_Dlls" = "C:\WINDOWS\nview.dll"
The worm modifies the following files so that it runs when Windows starts:
%System%\user32.dll
%System%\dllcache\user32.dll
Note: These files are detected as W32.Spamuzle!inf.
The original user32.dll is saved by the Trojan as the following file:
%System%\[RANDOM FILE NAME]
It restarts the compromised computer so that the modified user32.dll takes effect.
The worm then creates the following encrypted DLL files:
%Windir%\Help\access.cni
%Windir%\Help\mwrem.cin
It also creates the following file:
%Windir%\task\sa.dat
The worm stores encryption information specific to these DLLs in the following registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Path" = "C:\WINDOWS\help\access.cni"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"DLoad" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Path" = "C:\WINDOWS\help\mwrem.cin"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"DLoad" = "0"
Note: [ENCRYPTION KEY] is the encryption key used to encrypt the DLL files and the threat uses this information to locate and decrypt these encrypted DLLs in memory.
The worm opens a back door that connects to 58.65.239.86, allowing a remote attacker to perform some of the following actions:
End processes
Monitor network traffic
Download additional files
polonus
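The indicators in the writeup above (dropped files, the two numbered registry keys holding the encrypted-DLL paths and keys, the patched user32.dll, and the back-door address) can be checked on a live host with a short script. The following is an added example, not code from the thread or from any vendor: it only reports what it finds and removes nothing. The registry location of the injection value is an assumption, since the writeup's copy of that path is truncated; the script therefore matches on the value data ("nview.dll") under the standard Windows NT\CurrentVersion\Windows key rather than on a value name.

```powershell
# Added example (not from the thread): report Win32:SysPatch / W32.Spamuzle indicators
# listed in the writeup above. Run from an elevated PowerShell prompt. Read-only.

$windir = $env:windir
$system = Join-Path $windir 'System32'
$findings = @()

# Files the writeup says the worm drops or creates.
$droppedFiles = @(
    (Join-Path $windir 'nview.dll'),
    (Join-Path $system 'drivers\atmapi.sys'),
    (Join-Path $windir 'Help\access.cni'),
    (Join-Path $windir 'Help\mwrem.cin'),
    (Join-Path $windir 'task\sa.dat')
)
foreach ($f in $droppedFiles) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# Registry keys "1" and "2" that hold the encrypted DLL path, key and DLoad flag.
foreach ($n in 1, 2) {
    $key = "HKLM:\SOFTWARE\$n"
    if (Test-Path -Path $key) {
        $p = Get-ItemProperty -Path $key
        $findings += "Suspicious key $key Path='$($p.Path)' DLoad='$($p.DLoad)' Key present=$([bool]$p.Key)"
    }
}

# DLL-injection value. ASSUMED location: the standard Windows NT\CurrentVersion\Windows
# key (the writeup's path is truncated). Match any value whose data names nview.dll so
# the check does not depend on the exact value name.
$injectKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path -Path $injectKey) {
    $props = Get-ItemProperty -Path $injectKey
    foreach ($prop in $props.PSObject.Properties) {
        if ("$($prop.Value)" -match 'nview\.dll') {
            $findings += "Injection value $injectKey\$($prop.Name) = '$($prop.Value)'"
        }
    }
}

# Patched user32.dll. Both the live copy and the dllcache copy are modified, so comparing
# them proves nothing; check the Authenticode signature of the live copy instead.
$user32 = Join-Path $system 'user32.dll'
$sig = Get-AuthenticodeSignature -FilePath $user32
if ($sig.Status -ne 'Valid') {
    $findings += "user32.dll signature status: $($sig.Status) (confirm with: sfc /verifyfile=$user32)"
}

# Back-door address from the writeup; netstat is present on every Windows version listed.
$c2 = '58.65.239.86'
$conns = netstat -ano | Select-String -SimpleMatch $c2
if ($conns) {
    $findings += "Connection involving $c2 :`n$($conns -join "`n")"
}

if ($findings.Count -eq 0) {
    Write-Output 'No SysPatch indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two caveats. First, because the patched user32.dll is loaded into every process, including the PowerShell that runs this script, a negative result from inside the infected OS is weaker than a scan from a clean boot or a mounted offline image; treat the script as a quick triage, not as proof of a clean system. Second, on older Windows PowerShell builds Get-AuthenticodeSignature reports NotSigned for catalog-signed system files, so confirm a non-Valid status with sfc /verifyfile before concluding the file was patched.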
Easy! Get AVG Kill It Do a Happy dance
BUT that IS a hard one to get rid of…
I recommend you download Trial Anti virus Programs (usually Very powerful)
And do a COMPLETE Scan with BOTH
Hope this Helps!
Pika
Quote: Easy! Get AVG Kill It Do a Happy dance
What is this program, "AVG Kill It"? Url, please.
Quote: I recommend you download Trial Anti virus Programs (usually Very powerful) And do a COMPLETE Scan with BOTH
Who manufactures "Trial Anti Virus"? What are you recommending, here, to someone who has admitted they are not very computer literate? Think/post, please.
Missing commas/punctuation, I believe (Easy! Get AVG, Kill It, Do a Happy dance), and if you follow his other posts (4 in 30 minutes after registration), disregard completely.
I agree.
I was attempting to make a point. I’m concerned that the OP (in one or two threads) might take this seriously.
Bit subtle?
I’m about as subtle as a Bull in a China shop at times and where advice however well intentioned, if it is likely to have an adverse impact on the OP or others reading it I generally come right out and say it ;D
Hi DavidR & Tarq57,
Agree here; some come here to give the most ludicrous comments to poison a thread. Just yesterday there was one suggesting someone should install 2 active firewalls and 2 active resident scanners: completely wrong advice, and a sure way of running a victim further into the ground, doing more harm than good, contrary to rule one of malware cleansing: do nothing to harm the victim's computer or data.
polonus