Win32: Patched-I [Trj] (C:\WINDOWS\$NtServicePackUninstall$)

Good evening ladies and gents. I posted on a similar thread but it was suggested that I start a new thread to avoid confusion.

So, here’s my vital info: I ran a boot-time scan 4/24/07 and Avast! detected an Infected File. After I was told it was in a MS folder, I moved said file to the chest to be safe. Long story short, from what I have been able to glean, this may have been a FP. So I need folks smarter than I am to help me.

My OS is XP w/sp2. It is set to Automatic Update. Other security tools are as follows: Windows Defender, ZA Personal, Ad Aware, CCleaner, Ultra Wipe and Spyware Blaster. All programs not set to AU are updated on a regular basis.

From the Virus Chest file properties:

Name                            Value
Original file name              kernel32.dll
Original folder                 C:\WINDOWS\$NtServicePackUninstall$
Size of file                    930816
Last modification time          6/17/2004
Time of transfer to the chest   4/24/2007
Category                        Infected files
Virus description               Win32: Patched-I [Trj]
File ID                         9

Sorry about the above. I am not real skilled at screen capture. Please suggest the best course of action from this point forward.

Thanks in advance. J

There were some false positives fixed today, so you could try scanning the file again to see if it’s still detected as malware.

Right click the a-icon and click Program Settings. Make sure there’s a check mark next to Show Results of Explorer Extension and click OK.

Next, open the program and click the chest icon. In the Infected Files section right click the file in question and click Scan. Now click the Detailed Information tab and see what it says.

EDIT: Actually, the part about the explorer extension isn’t necessary for this. But it’s nice to have it set like this anyway.

Just pulling some of the stuff over from the other multi topic.

I also don’t have full confidence that it was a false positive, but it isn’t being detected in an active/working file, rather in what I would say is now a redundant uninstall function. That is where my not being unduly concerned comes from.

If, as you said, you are unlikely ever to require a roll back to pre service pack, then removal of the file would remove any nagging doubt that something in it might be infected. If, however, you chose to use that file to revert to a pre service pack state, then you may have an infected/suspect kernel32.dll file in use. This possibility would make me even more inclined to remove the uninstall service pack file.

However, it is your system; I can only offer advice on what I would do, you have to choose what you would do.
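The point made above (the rollback copy is only dangerous if it ever gets put back into use, and the detection says nothing about the kernel32.dll Windows is actually running) can be checked on facts rather than folder names. The following PowerShell script is an added example for this thread, not something posted by either participant or shipped with Avast. It assumes Windows PowerShell 2.0 or later is installed on the XP box and that the three paths are the defaults for a 32-bit install with Windows File Protection active; adjust them if your Windows directory differs.

```powershell
# Added example (not from the thread): report on every copy of kernel32.dll that
# matters here: the one Windows is running, the Windows File Protection cache copy,
# and the SP2 rollback copy in $NtServicePackUninstall$ that Avast flagged.
# Assumptions: Windows PowerShell 2.0+, default XP paths (adjust if needed).

$candidates = @(
    "$env:SystemRoot\system32\kernel32.dll",                   # copy Windows is running
    "$env:SystemRoot\system32\dllcache\kernel32.dll",          # WFP cache copy
    "$env:SystemRoot\`$NtServicePackUninstall`$\kernel32.dll"  # SP2 rollback copy (the detected one)
)

function Get-Sha256Hex {
    param([string]$Path)
    # .NET SHA-256 rather than Get-FileHash, which only exists in PowerShell 4+.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""
}

function Get-FileReport {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false }
    }
    $item = Get-Item -LiteralPath $Path
    # Microsoft system files are normally catalog-signed, so a Status of
    # "NotSigned" on its own is not suspicious; "HashMismatch" on a file that
    # carries an embedded signature is.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    New-Object PSObject -Property @{
        Path        = $Path
        Present     = $true
        SizeBytes   = $item.Length
        LastWrite   = $item.LastWriteTime
        FileVersion = $item.VersionInfo.FileVersion
        SHA256      = Get-Sha256Hex -Path $Path
        Signature   = $sig.Status
    }
}

$reports = $candidates | ForEach-Object { Get-FileReport -Path $_ }
$reports | Format-List Path, Present, SizeBytes, LastWrite, FileVersion, SHA256, Signature

# "Is a suspect kernel32.dll in use?" is answered by what running processes have
# loaded, not by what sits in an uninstall folder. Check this process's own module.
$loaded = Get-Process -Id $PID | Select-Object -ExpandProperty Modules |
    Where-Object { $_.ModuleName -ieq "kernel32.dll" }
"kernel32.dll loaded from: " + $loaded.FileName

# Identical files share a hash. The rollback copy differing from system32/dllcache
# is expected (it is the older, pre-SP2 build); system32 differing from dllcache
# while WFP is active is the combination worth a closer look.
$reports | Where-Object { $_.Present } | Group-Object SHA256 |
    ForEach-Object { "{0} file(s) with hash {1}" -f $_.Count, $_.Name }
```

Run it from an administrator prompt so the dllcache and uninstall folders are readable. The useful comparison is the system32 copy against dllcache (they should match while Windows File Protection is working) and the rollback copy's hash against a known-clean pre-SP2 kernel32.dll from another machine, or against whatever Avast's Detailed Information tab reports after a rescan; the script reports facts and leaves that judgement to you, which is also where the thread's advice ends.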