WORM VIRUS WIN32:SYSPATCH

yesterday I got a message from avast that I got a worm virus called “win32:syspatch”
when I wanted to erase it, it said that the file is read only and when I clicked OK the first message appeared again…
I want to know how I can erase this file… and what this file has already done to my computer…
here are the screen pictures:
in the first picture it’s the name of the file and where it is

http://www.upit.ws/uploads/aa00671315491.bmp

the second picture shows the error when I want to erase it manually

http://www.upit.ws/uploads/5751394484822.bmp

the third picture shows the virus

http://www.upit.ws/uploads/cbc92ed350ccb.bmp

the fourth picture shows the message after

http://www.upit.ws/uploads/65a6e707b9001.bmp

THANKS.

Can you inform the file as being a false positive? (click on the bottom right of the virus warning message).

To know if a file is a false positive, please submit it to VirusTotal and let us know the result. VirusTotal has a file size limit of 10Mb. You can use VirScan also.
If it is indeed a false positive, send it in a password protected zip to virus@avast.com. Please, mention in the body of the message why you think it is a false positive and the password used. Thanks.

Maybe you need to disable Hide protected operating system files and enable View hidden files and folders to manage the file(s).

this is most probably not a false positive… are you able to enter the recovery console on your OS CD and replace the system32\user32.dll with the one from dllcache?

YES I did it and it showed 14/38 and some antiviruses:

Avast Win32:SysPatch
DrWeb BackDoor.Zapinit
eTrust-Win32/Pruserinf
F-Secure Trojan.Win32.Patched.bb
GData Win32:SysPatch
Kaspersky Trojan.Win32.Patched.bb
Microsoft Virus:Win32/Mariofev.A
NOD32 Win32/Pinit
Panda W32/Patched.D
Rising Trojan.Win32.Patched.bi
SecureWeb-Gateway Win32.LooksLike.NewMalware
Sophos Troj/User32Hk-A
TrendMicro Possible_Patch 1

and MAXX I tried it and it said that somebody or some software is using it

I had (and am having) Exactly the same thing on my computer today!

so what do I need to do?

How exactly did avast allow this file to be infected? Was the signature added later?

Maxx, won’t the command
sfc /scannow
replace that file with the original one in the CD?

yes…
and I tried to replace it and it said that somebody or some software is using it.

chenan: that’s not possible… you probably did not enter the recovery console to do the cleaning…

anyway, you can try to rollback your system to some clean restore point…

Tech: I don’t know, haven’t tried it… the detection was added yesterday, because we have had to wait for the people to upgrade to the latest version (highly important update of the server version and ADNM)… version 4.7 allowed to delete/chest the system files and we can’t offer this option to an average Joe…

btw: the file is infected via some strange exploit… I don’t have any detailed analysis and don’t know if the hole has already been fixed by an MS update… but probably it was, because MS catches the patched file…

MAXX: I downloaded this file from 3 sites and when I copied it to the folder where the virus is, it showed that I can’t do this because someone is using it…
wait 2 minutes, I will do a screen picture for this…

and how did you fix this problem?

EDITED: I succeeded in doing something else and it is showing me this now:
http://www.upit.ws/uploads/80dd07a38b8c1.JPG

it’s still the same problem… you’re not in the recovery console (on your OS setup CD)… another choice is to mount the drive in another PC and do the replacement of user32 there

Hi Chenan,

As soon as the Trojan is activated, it leaves the following file on the computer:

%Windir%\nview.dll

The virus furthermore creates the following file:

%System%\atmapi.sys

Then the virus creates the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"zwpInit_Dlls" = "C:\WINDOWS\nview.dll"

The Trojan changes the following files to start the threat every time the OS starts:

%System%\user32.dll
%System%\dllcache\user32.dll

The Trojan keeps the original legit user32.dll file within the following folder:

%System%\[RANDOM FILE NAME]

The threat makes the computer restart whenever the user32.dll file takes effect.

The virus creates the following encrypted DLL files:

%Windir%\Help\access.cni
%Windir%\Help\mwrem.cin

The virus saves the encrypted information in these DLLs and uses the following registry values to do so:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\"zwpInit_Dlls" = "C:\WINDOWS\nview.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Path" = "C:\WINDOWS\help\access.cni"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\1\"DLoad" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Path" = "C:\WINDOWS\help\mwrem.cin"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"Key" = "[ENCRYPTION KEY]"
HKEY_LOCAL_MACHINE\SOFTWARE\2\"DLoad" = "0"

Finally the Trojan opens up a backdoor on the infected machine to the address with IP number 58.65.239.86, enabling the attacker to do the following:

Closing down processes
Monitoring network traffic
Downloading of executable files

To cleanse, one should make a copy of the registry first, in case something should go wrong.
Temporarily disable System Restore and cleanse while running in Safe Mode, then re-enable System Restore and
normal mode when the malware has left your computer. You can first try a full scan with DrWeb’s CureIt.

polonus

Maybe you can use http://www.softpedia.com/get/System/Boot-Manager-Disk/MoveOnBoot.shtml to move/copy the file.
Take care, you’re changing a system critical file. Be sure the version you’re adding/copying is the right one. Otherwise, you may be prevented from booting!

I DO suggest ERUNT http://www.larshederer.homepage.t-online.de/erunt/ for this work.

polonus, the registry value name is not always “zwpInit_Dlls”, it’s randomly changed…
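The following is an added triage script, not code from the thread or from avast: it reads the indicators polonus listed above and takes into account Maxx_original's point that the value name under the Windows key is randomized, so it matches on the value data (a reference to nview.dll) rather than on the name. It assumes a live Windows system, an elevated PowerShell session, and that %WINDIR% resolves to the affected installation; it only reports, it changes nothing. The known-good user32.dll hash is a placeholder you must fill from a clean installation of the same Windows version and service pack.

```powershell
# Added example: read-only check for the SysPatch indicators described in the thread.
# Assumptions: run elevated on the affected machine; $KnownGoodUser32Sha256 is a
# placeholder to be replaced with the SHA-256 of a clean user32.dll from the same
# Windows version/service pack. Nothing here deletes or modifies anything.

$WinDir = $env:WINDIR
$SysDir = Join-Path $WinDir 'system32'
$KnownGoodUser32Sha256 = 'REPLACE_WITH_SHA256_FROM_CLEAN_INSTALL'   # placeholder

# SHA-256 via .NET so this also works on old PowerShell versions without Get-FileHash.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($Path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
    } finally { $sha.Dispose() }
}

$findings = New-Object System.Collections.ArrayList

# 1. Dropped files named in the thread (list taken from polonus's post).
$suspectFiles = @(
    (Join-Path $WinDir 'nview.dll'),
    (Join-Path $SysDir 'atmapi.sys'),
    (Join-Path $WinDir 'Help\access.cni'),
    (Join-Path $WinDir 'Help\mwrem.cin')
)
foreach ($f in $suspectFiles) {
    if (Test-Path -LiteralPath $f) { [void]$findings.Add("File present: $f") }
}

# 2. user32.dll: compare the live copy, the dllcache copy and the known-good hash.
#    The thread says BOTH copies get patched, so live == dllcache proves nothing;
#    only a match against the known-good hash indicates a clean file.
$live  = Join-Path $SysDir 'user32.dll'
$cache = Join-Path $SysDir 'dllcache\user32.dll'
if (Test-Path -LiteralPath $live) {
    $liveHash = Get-Sha256Hex $live
    if ($liveHash -ne $KnownGoodUser32Sha256) {
        [void]$findings.Add("user32.dll hash $liveHash does not match the known-good hash")
    }
    if (Test-Path -LiteralPath $cache) {
        $cacheHash = Get-Sha256Hex $cache
        if ($cacheHash -eq $liveHash) {
            [void]$findings.Add("dllcache\user32.dll is identical to the live copy (both may be patched)")
        }
    }
}

# 3. Any value under the Windows key whose DATA references nview.dll, regardless of
#    the value NAME (Maxx_original: the name is randomized, not always zwpInit_Dlls).
$winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
if (Test-Path $winKey) {
    $props = Get-ItemProperty -Path $winKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata
        if ("$($p.Value)" -match '(?i)nview\.dll') {
            [void]$findings.Add("Registry: $winKey\$($p.Name) = $($p.Value)")
        }
    }
}

# 4. The numbered keys HKLM\SOFTWARE\1 and \2 holding Path / Key / DLoad.
foreach ($n in 1, 2) {
    $k = "HKLM:\SOFTWARE\$n"
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        [void]$findings.Add("Registry key present: $k (Path=$($v.Path); DLoad=$($v.DLoad))")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No SysPatch indicators from the thread were found.'
} else {
    Write-Output 'Indicators found:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Running this before and after the replacement of user32.dll gives a concrete before/after record; the hash comparison in step 2 is what tells you whether the copy you restored is actually the clean one, which is the check the thread's warnings about replacing a critical system file call for.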

I’m sorry it took me a long time to reply…
I tried to copy it to another folder and replace it and it didn’t work.
I don’t really understand what to do because I don’t speak very good English, so can someone explain it to me so that I will understand?
I need to download a software that will copy the file and another software to back up this file?
maybe someone else needs to do this job, someone professional, because it’s something important?

One tool is for allowing you to change (copy and overwrite) the infected user32.dll file with a clean one that comes with your Windows CD.
The other tool is to back up the registry (and recover it later if necessary).

For sure Polonus’s instructions can do so. A professional guy won’t be bad. This is a critical Windows file.

Hi Chenan,

What are the other languages you communicate in? There you might find the removal information.
We are an English speaking forum, but for a lot of languages you can find a Google translation service.
Or go to a virus forum that is in your language. (below the automatic translation)

What are the other languages you communicate in? There you can find information about the removal.
We are an English speaking forum, but for many languages you can find a Google translation service.
Or go to a virus forum that is in your language:

Shalom

polonus

Hi Maxx_original,

I wrote that here: %System%\[RANDOM FILE NAME]
That is what you meant, isn’t it? Therefore it is a nasty virus, I say.
He can find the name by looking it up in the registry.

Damian

This is my 2nd attempt to post. The first time my system restarted in the middle of me typing.

I am having the same problem as the first poster. I am pretty new to this type of stuff as I usually let the antivirus software do all the work. Unfortunately that isn’t working in this case. Can you tell me in pretty easy to understand terms what my options are? Thanks…