I think it’s a false alarm because I looked on two computers (both Windows XP SP2)

The first computer gave the alarm after waking up from hibernating and updating Avast, the other computer didn’t do anything after stating and updating only when I scanned the file the alarm came.

On both computer the dll was changed in March 2007 (if there’s a virus in there Avast has a problem if it only recognizes it after such a long time)

It’s in C:\windows\system32\user32.dll

Just try this: scan the file with Avast (right click on file and scan)

So my real question is if this is a real trojan or just as it looks like a false alarm?

After the latest update a few minutes ago no alarm anymore when I scan the file.

it’s a false positive in some language versions of windows valid library user32.dll… the dutch version was fixed already and the german version will be fixed with next VPS update… sorry for the annoying situation…

Good to hear

Better one false alarm then one virus slipped thru.

hello avast!-team !

we have a few customers, where windows wants to have the installation-cd
in order to fix the user32.dll.

there are a lot workstations (15) and so i don´t want to go to every workstation
and use the installation-cd …

with the next vps-update … will it automatically restore the moved user32.dll, or
do i still have to fix it with the windows-cd ?

thanks for soon reply.

greetings marco.

you can repair the library from chest or from default windows file protection service… the restoration from CD is also possible…

If you are using ADNM, you can find this in the Client side task / Auxiliary task / Virus Chest – restore all uninfected files.

To restore the dll in the chest directory, means
i have to get this file on a 2nd computer first,
since windows wont boot.

Hmmm. Ubuntu and USB stick maybe?
I’ll try.

who made this thread “solved” btw?

Unbelievable that they don’t allow a way to restore files from Chest at boot time. If avast can work at boot time, maybe a countdown message before logon (like some defragmenting tools) will allow to access the Chest and restore any file needed to boot.

I am getting an alarm that says this user32.dll has a [wrm] and have tried scanning it multiple times to remove it. Each time the scan returns a “file is read only” and will not allow it to be deleted, repaired or moved to the chest.

What do I need to do to remove it? I’ve read the discussion in the thread and am still uncertain as to what to do.

It’s a necessary file to boot.
Maybe you need to restore it from Windows CD\DVD using the command:
sfc /scannow

I’m not sure… but there is long threads about this problem in the forums.

you’re probably talking about Win32:SysPatch [Wrm]… it is not a false positive…

Yes, how do I get rid of the Win32:SysPatch [Wrm]?

someone told, that a simple renaming and letting windows re-create the file would help… the other way is to use DrWeb CureIt or to replace the file with a clean one from the recovery console of your OS setup CD…