Do you have a line from a detection log, or even the Event itself from EPO that you can post?
It looks like a file is being detected on your machines as infected, but not cleanable - which I've seen previously, but not sure what the Patched and User32 bits are.
This is a detection for legitimate user32.dll Windows file patched by W32/Mariofev.worm.
All the dynamic libraries listed in the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded automatically with every program linked against user32.dll.
W32/Mariofev.worm patches user32.dll to change the registry key mentioned above to another value, randomly generated. All dynamic libraries listed in this newly created registry key will then be injected automatically in every program linked against user32.dll.
This allows stealthy, automatic injection of dynamic libraries.
So it is possible that you have a new variant of W32/Mariofev.worm. I would suggest the following steps:
1. Ensure you have the latest engine and dat files (5400 engine is latest engine, 5820 Dat files were released on Dec 2nd)
2. Run a full On-Demand Scan against the system so that all files are scanned and cleaned
If that doesn't find and clean up the culprit:
3. Look in your Windows\System and System32 directory for any file created the day that these detections started occurring. If you find files there that were created that day and have a strange looking file extension, submit those to email@example.com.
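A scripted version of the manual checks above, as an added example that is not part of the original posts: it dumps the values under the registry key named in the thread and lists files in the System and System32 directories created on the day the detections began. The `$DetectionDay` parameter, the extension allow-list and the idea of comparing the value list against a known-clean machine are assumptions of this example.

```powershell
# Added example, not from the thread.
param(
    # Assumption: the day the detections started; defaults to today.
    [datetime]$DetectionDay = (Get-Date).Date
)

# Registry key quoted in the thread.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$key = Get-Item -Path $keyPath

# Dump every value under the key, not just AppInit_DLLs, so the output can be
# compared with a known-clean machine. Assumption: a renamed load list would
# show up as an unfamiliar value name here.
$key.GetValueNames() | Sort-Object | ForEach-Object {
    New-Object PSObject -Property @{ ValueName = $_; Data = $key.GetValue($_) }
} | Format-Table ValueName, Data -AutoSize -Wrap

# Step 3: files in System and System32 created on the detection day.
# Constructed allow-list of everyday extensions; adjust to your environment.
$commonExt = '.dll', '.exe', '.sys', '.ocx', '.cpl', '.drv', '.nls', '.mui',
             '.ini', '.log', '.dat', '.msc', '.tlb', '.ax', '.scr', '.cat'
$start = $DetectionDay.Date
$end   = $start.AddDays(1)
$dirs  = "$env:windir\System", "$env:windir\System32"

Get-ChildItem -Path $dirs -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.CreationTime -ge $start -and $_.CreationTime -lt $end } |
    Select-Object FullName, CreationTime, Length,
        @{ Name = 'UnusualExt'
           Expression = { $commonExt -notcontains $_.Extension.ToLower() } } |
    Sort-Object UnusualExt -Descending |
    Format-Table -AutoSize
```

Rows with `UnusualExt` set to `True` are the candidates for the file submission described in step 3.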
Thanks for the response.
We are running VSE 8.7 patch 2 with 5400 engine and DAT file 5820. This is what I am getting!!
Threat Target File Path: C:\WINDOWS\SYSTEM32\USER32.DLL.EXE
Event Category: Malware (av.pup)
Event ID: 21284
Threat Severity: Critical
Threat Name: Patched User32
Threat Type: app_pua
Action Taken: access denied
Threat Handled: false
Analyzer Detection Method: OAS
Threat Event Descriptions
Event Description: unwanted program, clean error, delete failed
Do you want me to submit a few files to Avert Labs for research?