3 Replies Latest reply on Dec 3, 2009 3:44 PM by CIPHENT.com

    Patched User32 - Failed to clean, not deleted

      I am getting more than 10,000 events/day and most of them are Patched User32. I can see McAfee catching it, but the action says "failed to clean, file not deleted". Can anyone please help with how to remove these types of threats completely?


      VSE 8.7 and 8.5 in use. ePO 4.5


      - AB

        • 1. Re: Patched User32 - Failed to clean, not deleted

          Do you have a line from a detection log, or even the Event itself from EPO that you can post?


          It looks like a file is being detected on your machines as infected, but not cleanable - which I've seen previously, but I'm not sure what the Patched and User32 bits are.

          • 2. Re: Patched User32 - Failed to clean, not deleted
            BMann

            This is a detection for a legitimate user32.dll Windows file patched by W32/Mariofev.worm.


            All the dynamic libraries listed in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded automatically with every program linked against user32.dll.


            W32/Mariofev.worm patches user32.dll to change the registry key mentioned above to another value, randomly generated. All dynamic libraries listed in this newly created registry key will then be injected automatically in every program linked against user32.dll.

            This allows stealthy automatic dynamic library injection.


            So it is possible that you have a new variant of W32/Mariofev.worm.  I would suggest the following steps:


            1.  Ensure you have the latest engine and dat files (5400 engine is latest engine, 5820 Dat files were released on Dec 2nd)


            2.  Run a full On-Demand Scan against the system so that all files are scanned and cleaned


            If that doesn't find and clean up the culprit:


            3.  Look in your Windows\System and System32 directory for any file created the day that these detections started occurring.  If you find files there that were created that day and have a strange looking file extension, submit those to virus_research@avertlabs.com.
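The following read-only triage script is an added example for this thread, not code from McAfee or from any poster. It turns the mechanism described in the reply above into checks a defender can run on an affected host: it prints the documented AppInit_DLLs value, then inspects every string value under that registry key (because a patched user32.dll may read a randomly named value instead), resolves and checks the Authenticode status of each DLL it finds, and finally lists files created in System32 and System since the detections began, flagging unexpected extensions as step 3 suggests. The `$Since` date and the list of expected extensions are assumptions to adjust for your environment.

```powershell
# Added example (not from this thread): read-only triage for the AppInit_DLLs
# mechanism and the System32/System sweep described in the reply above.
# Run in an elevated PowerShell on the affected host.
# Assumption: $Since is the day the detections started; default is 7 days ago.
param(
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$key     = Get-Item -Path $keyPath

# 1. The documented value, plus the on/off switch that exists on Vista and later.
$props = Get-ItemProperty -Path $keyPath
Write-Host ("AppInit_DLLs     : '{0}'" -f $props.AppInit_DLLs)
if ($null -ne $props.LoadAppInit_DLLs) {
    Write-Host ("LoadAppInit_DLLs : {0}" -f $props.LoadAppInit_DLLs)
}

# 2. A patched user32.dll may consult a randomly named value rather than
#    AppInit_DLLs, so look at every string value under the key that lists DLLs.
foreach ($name in $key.GetValueNames()) {
    $value = $key.GetValue($name)
    if ($value -is [string] -and $value -match '(?i)\.dll') {
        Write-Host ""
        Write-Host ("Value '{0}' references DLLs: {1}" -f $name, $value)
        foreach ($dll in ($value -split '[ ,;]+' | Where-Object { $_ })) {
            # Bare file names are resolved relative to System32 by the loader.
            $path = if (Test-Path $dll) { (Resolve-Path $dll).Path } else { Join-Path $env:windir ("System32\" + $dll) }
            if (Test-Path $path) {
                $sig     = Get-AuthenticodeSignature -FilePath $path
                $created = (Get-Item $path).CreationTime
                Write-Host ("  {0}  created {1}  signature {2}" -f $path, $created, $sig.Status)
            } else {
                Write-Host ("  {0}  (file not found)" -f $path)
            }
        }
    }
}

# 3. Files created in System32/System since the detections began.
#    Extension list is an assumption: extend it for your build of Windows.
$expected = @('.dll','.exe','.sys','.ocx','.cpl','.drv','.mui','.nls',
              '.acm','.ax','.scr','.tlb','.msc','.com','.ime','.dat',
              '.txt','.log','.ini','.xml','.ttf','.cat','.inf','.manifest')
$dirs = @("$env:windir\System32", "$env:windir\System")

Write-Host ""
Write-Host ("Files created since {0}:" -f $Since)
Get-ChildItem -Path $dirs -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.CreationTime -ge $Since } |
    Sort-Object CreationTime |
    ForEach-Object {
        $odd = if ($expected -notcontains $_.Extension.ToLower()) { 'UNUSUAL' } else { '' }
        Write-Host ("  {0:yyyy-MM-dd HH:mm}  {1,10}  {2,-8} {3}" -f $_.CreationTime, $_.Length, $odd, $_.FullName)
    }
```

On 64-bit Windows, repeat the registry part against `HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows`, which 32-bit processes read. The script changes nothing; anything it flags (an unsigned DLL in a DLL list, a value with an unfamiliar name, a file with an odd extension created on the day the events began) is what you would submit for analysis rather than delete by hand.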

            • 3. Re: Patched User32 - Failed to clean, not deleted

              Thanks for the response.


              We are running VSE 8.7 patch 2 with 5400 engine and DAT file 5820. This is what I am getting!!


              Threat Target File Path:  C:\WINDOWS\SYSTEM32\USER32.DLL.EXE
              Event Category:   Malware (av.pup)
              Event ID:    21284
              Threat Severity:   Critical
              Threat Name:    Patched User32
              Threat Type:    app_pua
              Action Taken:    access denied
              Threat Handled:   false
              Analyzer Detection Method:  OAS

              Threat Event Descriptions 

              Event Description: unwanted program, clean error, delete failed


              Do you want me to submit a few files to Avert Labs for research?


              - AB