Suspect Virus-USER 32.DLL

Discussion in 'Virus Information' started by antioch, Dec 26, 2008.

  1. From: "Geoff" <>

    | On Sat, 27 Dec 2008 11:52:01 -0500, "David H. Lipman"

    | Can't be done on a live system. The DLL is locked.

    | Suggest GiPo Utilities MoveOnBoot:

    | Allows movement/copy of files at system boot before the system locks things
    | like DLLs.

    But can be done in the Recovery Console or on a surrogate PC.
    David H. Lipman, Dec 28, 2008
    1. Advertisements

  2. What about safe mode command prompt only

    copy %windir%\ServicePackFiles\i386\user32.dll %windir%\SYSTEM32\user32.DLL

    With no GUI is that dll still locked?
    FromTheRafters, Dec 28, 2008
    1. Advertisements

  3. antioch

    Geoff Guest

    Unlikely, user32.dll is Windows API code so in Safe Mode Command Prompt
    only it might not be used since the GUI is down but the last time I started
    up in Safe Mode CP it started a GUI login so user32.dll was essential. The
    system blue screens if it is corrupted or missing.

    tasklist /m user32.dll

    at the command prompt will tell you if it is in use and by which programs.
    When the GUI is up, he is a very busy boy.

    If in Safe Mode the only module calling for user32.dll is tasklist.exe then
    it can probably be replaced in that mode but the only other way I know to
    update it is to do it while the system is still ramping up. This is the
    method Windows Update uses.
    Geoff, Dec 28, 2008
  4. antioch

    antioch Guest

    So it looks as if the infection came in quite a while ago, when looking at
    the Created and Modified dates. Seems strange that it only just activated -
    I do wonder if the 20 odd security updates had anything to do with it????
    But these were all being done off-line and from disc with all anti stuff

    I tried Safe Mode - and no - I still could not get the blasted file to save
    I tried all the suggested methods to get rid of it late last night and after
    reboot I switched off.
    I also did System Restore whilst SM and went back to a time just before I
    started all the Black Tuesday updates. This was completed OK.
    So far this morning, the computer gave no warning on start-up and has been
    running for half an hour now - but I aint counting any chickens yet.

    If I get time later today, I will have a look in the Avast/forum and see if
    there is anything in there.

    antioch, Dec 28, 2008
  5. antioch

    antioch Guest

    Thank you for your input - will consider it when all other avenues have been

    antioch, Dec 28, 2008
  6. antioch

    antioch Guest

    Recovery Console is still under consideration - I will research it in MS.

    antioch, Dec 28, 2008
  7. antioch

    antioch Guest

    Thank you, FTR, for adding to the discussion - it would appear that it is
    still locked - see my reply to Dave L.
    antioch, Dec 28, 2008
  8. I have always used it as my "first" option when deleting a locked system
    file. I don't like to waste time.
    Richard Urban, Dec 29, 2008
  9. antioch

    antioch Guest

    Hello Richard Urban
    Is the 'IT' in your advice "GiPo Utilities MoveOnBoot:"?

    antioch, Dec 30, 2008
  10. antioch

    antioch Guest

    Update - in case there is anybody following this thread -
    My son's computer did not throw up any warnings after trying the advice
    given - the computer was on for 3 hours.
    However, when he started it up yesterday, he immediately got the same
    warning - what a bugger. I still do not understand how/when his computer
    got infected? He says that he can see nothing abnormal happening while he
    uses the computer.
    It does seem a bit strange that this seems to be something only connected
    with Avast - or has a similar/same problem already appeared in this group.
    Most of the advice given to me here has been tried in the Avast Forum, but
    has failed.
    There is a discussion going on, at the below - exact same problem - from
    posters all around the world - started just before Xmas. They might come up
    with a solution - bit difficult to follow what they are talking about.

    Further to the above, I have checked my own computer and the two files are
    different on mine. I have spent most of the day scanning with just about
    anything that is safe, in addition to my own resident AV etc - so far

    Happy New Year to everybody.

    antioch, Dec 30, 2008
  11. antioch

    John Doe Guest

    I'll repeat the solution one more time, as it is one I've successfully used
    countless dozens of times on my customer's computers. I'll take your future
    ignorings of this solution to mean you aren't really interested in a
    solution but rather just looking for a shoulder to cry on.

    In safe mode:
    1. run the latest version of combofix
    2. run the latest version of malwarebytes
    3. run the latest version of spybot

    repeat in "normal" mode

    run the latest version of AVG.

    All is well.
    John Doe, Dec 31, 2008
  12. antioch

    Kayman Guest

    Good advice but Combofix log should be examined by experts found here:
    Kayman, Dec 31, 2008
  13. antioch

    antioch Guest

    Hello John Doe
    Thank you for your suggestion, albeit condescending and rude, considering
    this is your first reply to me in this thread. Perhaps in your frustration
    at your advice being ignored, this caused you to post incorrectly - perhaps
    a case of 'engaging fingers before brain'.
    However, since this is the first time I have seen this bit of advice, I will
    pass it on to my son for him to look at with his 'in-house' tech team where
    he works.
    Your three most recent 'bits of advice' to appear in this group since 1 Nov
    2008, seem to me to have nothing to do with this subject.
    The problem is not mine, so I fail to see why you should think I want a
    shoulder to cry on.
    If I had this problem on my computer, I would find it a minor annoyance -
    certainly for the moment, nothing to cry about.
    If you are here to help, it is a shame that you have not been able to
    cultivate a more patient attitude towards those in trouble, as DHL and
    others, to whom I/we look to for expert guidance - yes and sometimes we like
    to be held by the hand.
    Is combofix fit to use these days?
    To date I have not had any result back from my son re his performing HJT.
    Malwarebytes & Spybot SD have already been run with negative results.
    The former, together with AVG Antispy, are permanent scanners on my son's

    antioch, Dec 31, 2008
  14. antioch

    antioch Guest

    Hello Kayman
    I could not agree with you more - I did remind my son to ensure he posts the
    log from HJT in an appropriate forum for an expert to check - here as well.

    antioch, Dec 31, 2008
  15. Recommending a virus to fix a virus is just wrong especially when there are
    clean virus free tools that work.
    The Real Truth MVP, Dec 31, 2008
  16. From: "John Doe" <>

    | I'll repeat the solution one more time, as it is one I've successfully used
    | countless dozens of times on my customer's computers. I'll take your future
    | ignorings of this solution to mean you aren't really interested in a
    | solution but rather just looking for a shoulder to cry on.

    | In safe mode:
    | 1. run the latest version of combofix
    | 2. run the latest version of malwarebytes
    | 3. run the latest version of spybot

    | repeat in "normal" mode

    | run the latest version of AVG.

    | All is well.

    Please ignore Butts and his moronic rants such as "Recommending a virus to fix a virus is
    just wrong...".

    First remember a virus is self replicating malicious code.
    Nothing about combofix implies it is self replicating malicious code. It is NOT a virus.
    This is worth repeating... *ComboFix is NOT a virus.* and is pure FUD.

    While it (the utility) may be caught in a VT report, it is because of the action(s) it
    performs. The tool is NOT malicious but can be used maliciously and can be dangerous with
    detremental effects and thus should not be used casually. It should be used only under
    the direction of a qualified anti malware professional in an Expert Forum.

    AntiVir 2008.12.19 SPR/Tool.Hide.A
    Authentium 2008.12.21 W32/Trojan3.OD
    F-Prot 2008.12.21 W32/Trojan3.OD
    McAfee 5470 2008.12.20 potentially unwanted program RemAdm-ProcLaunch!171
    McAfee+Artemis 5470 2008.12.20 Generic!Artemis
    Microsoft 1.4205 2008.12.21 Trojan:Win32/AgentBypass.gen!K
    Panda 2008.12.21 Suspicious file
    SecureWeb-Gateway 6.7.6 2008.12.19 Riskware.Tool.Hide.A
    Sophos 4.37.0 2008.12.21 NirCmd
    Sunbelt 3.2.1801.2 2008.12.11 VIPRE.Suspicious
    TrendMicro 8.700.0.1004 2008.12.19 PAK_Generic.001

    Butts would try to have you think that Remove-It is pristine and NOT such a tool. The
    fact is Remove-It is distributed in a packaged INNO Packed file. The packaged installer
    file does not get any hits on VT. However the plagiarized code he uses has been modified
    by Butts to use the utility Process.exe. Process.exe is a tool used to kill running
    processes and thus it too can be dangerous if used maliciously and it too gets flagged on

    a-squared 2008.12.31 Riskware.RiskTool.Win32.Processor.20!A2
    ClamAV 0.94.1 2008.12.31 Trojan.Killproc-1
    DrWeb 2008.12.31 Tool.Prockill
    Fortinet 2008.12.31 Misc/PrcViewer
    McAfee 5480 2008.12.31 potentially unwanted program PrcViewer
    McAfee+Artemis 5479 2008.12.30 potentially unwanted program PrcViewer
    NOD32 3725 2008.12.31 Win32/PrcView
    TheHacker 2008.12.30 Aplicacion/Processor.20

    This only proves once again that Butts has NO knowledge on this subject matter or about
    malware in general.
    David H. Lipman, Dec 31, 2008
  17. antioch

    antioch Guest

    Hello again Dave
    I hope this post comes across OK - just got in from a rather heavy
    night/morning - all the best for 2009.
    My replies are in-line.
    Thanks again for your input.

    Sad to say I missed the above post - messages for my 'PLONKER FILE' must be
    working. No doubt he came up with suggestions of a cure from his web site.
    I must have at least six different names/suspect names for that person.
    The name 'combofix' rang a bell - I checked 'My Docs' and in the AV/Malware
    folder and saw that a couple of years ago it had been the carrier or similar
    for nasty stuff. So I Googled it and the prog itself seems to be safe to
    use now - but as you say with expert guidance.
    It is indeed interesting to read in VT what established AV/Antimalware progs
    think of/how they treat, similar software in the market place.

    The difference between the two files that you tried to help me clean/move,
    are also different on two other computers, as well as mine, but none run
    Avast, and the computers themselves do not appear to be suffering from any
    infection - well not yet.
    No doubt you are correct - but then, I believe he has been accused of
    'stealing' before. Plagiarize is just a softer term for it. If Mrs
    Malaprop were alive today, she would no doubt have called that person ' A
    antioch, Jan 1, 2009
  18. antioch

    Rinnousuke Guest


    I am currently having the same problem as well, except that my user32.dll
    file in i386 is also infected with ""

    The file in system32 has also been renamed to "user32.0ll" and seems unable
    to be changed back.

    Would my computer be able to function normally after restarting without
    user32.dll? And where would I be able to find a clean copy of user32.dll?

    Rinnousuke, Feb 19, 2009
  19. Start a new thread stating *your* specific problem. If you
    want, you can make the subject line read "I have the same
    thing only different.."
    FromTheRafters, Feb 19, 2009
  20. antioch

    ~BD~ Guest

    This site has helped me with problem .dlls They have .dlls that you can
    download for free.

    (This post 'stolen' from Max Wachtel in the thread above yours!)

    ~BD~, Feb 19, 2009
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.