Blog for hpHosts, and whatever else I feel like writing about ....

Monday 9 February 2009

ClamWin + Worm.Pinit-4 + User32.dll = disaster!

That is, if you've asked ClamWin to auto-remove/quarantine any files it finds as infected. Alas, this one is a false positive (confirmed on their forums, and their sigs have apparently already been updated, so it shouldn't occur as of today). Something I learnt AFTER it had taken out the gateway and my stepdad's computer.

If you've had this happen and are stuck, all you need to do is:

1. Insert Windows CD
2. Press R to repair Windows
3. At the prompt, enter the following and press Enter:

copy d:\i386\user32.dl_ c:\windows\system32\user32.dll

4. Remove the Windows CD and restart the computer.

This, of course, assumes C: is your Windows drive and D: is your CD/DVD drive.

If you haven't got a Windows CD, either create a boot disk as per Microsoft's instructions, download Ultimate Boot CD (http://www.ultimatebootcd.com/), or download Damn Small Linux.

Note, however, that if you go with a boot CD other than the original Windows CD, you will need to know the location of the ClamWin quarantine folder (assuming you asked it to quarantine the infections rather than automagically remove them), as you'll need this path to restore the user32.dll file. For example, on my computer it is located at:

C:\Documents and Settings\All Users\.clamwin\quarantine\

The command to restore the file would then be:

copy "C:\Documents and Settings\All Users\.clamwin\quarantine\infected.USER32.dll" c:\windows\system32\user32.dll

Note that the quotes MUST be in place for the command to work, because the path contains spaces.

If you asked it to auto-remove the infections it finds, I'm afraid it's going to take a little more work, simply because you can't easily restore it without a copy of the file (and no, downloading it from a peer-to-peer network is NOT a good idea! Where do you think most infections flourish?). If this is the case, ask a friend (with the same version of Windows) to copy the user32.dll file to CD for you, and copy it from there (or better yet, ask them to create a boot disk for you and stick a copy of user32.dll onto the CD!).
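Whichever route you take (the quarantined copy, the i386 copy from the Windows CD, or a friend's same-version copy), the check worth doing before putting anything back into system32 is to confirm the file you are about to restore is byte-for-byte the same as a copy you trust. The script below is an added example, not part of the post and not ClamWin's code: it looks up the quarantined file using the "infected.<original name>" naming shown above, hashes it against a reference copy, and only then replaces the target, writing to a temporary name first so an interrupted copy never leaves a half-written user32.dll behind. The helper names, the reference path, and the demo's stand-in file contents are my own constructions; point restore_verified at real paths on a mounted Windows volume to use it for real.

```python
"""Restore a file that an AV false positive quarantined, but only after
checking it against a known-good reference copy.

Added example (not from the original post or from ClamWin). Assumptions:
  * the quarantined copy is named "infected.<original name>" inside the
    quarantine folder, as the post's example shows;
  * a reference copy from a trusted source exists: the file expanded from the
    Windows CD, or the same-version copy a friend burned to CD.
"""
import hashlib
import os
import shutil
import tempfile

QUARANTINE_PREFIX = "infected."  # ClamWin naming as shown in the post


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so a large DLL is never held in memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_quarantined(quarantine_dir, original_name):
    """Locate the quarantined copy of `original_name`; None if it is not there."""
    candidate = os.path.join(quarantine_dir, QUARANTINE_PREFIX + original_name)
    return candidate if os.path.isfile(candidate) else None


def restore_verified(source, reference, destination):
    """Copy `source` to `destination` only if it hashes identically to `reference`.

    Returns a dict describing what happened so a caller (or a test) can check it.
    A copy that does not match a trusted file of the same Windows version is
    refused: that is exactly the file you do not want back in system32.
    """
    if source is None:
        return {"restored": False, "reason": "no quarantined copy found"}
    src_hash = sha256_of(source)
    ref_hash = sha256_of(reference)
    if src_hash != ref_hash:
        return {"restored": False, "reason": "hash mismatch",
                "source_sha256": src_hash, "reference_sha256": ref_hash}
    # Write beside the target under a temporary name, then rename into place,
    # so the system never sees a partially written user32.dll.
    dest_dir = os.path.dirname(destination) or "."
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".restore-")
    os.close(fd)
    try:
        shutil.copyfile(source, tmp)
        os.replace(tmp, destination)
    finally:
        if os.path.exists(tmp):
            os.remove(tmp)
    return {"restored": True, "reason": "verified",
            "source_sha256": src_hash, "reference_sha256": ref_hash}


def demo():
    """Run the whole flow on constructed files in a temp directory: a fake
    quarantine folder, a reference copy, a tampered copy and a system32 target."""
    root = tempfile.mkdtemp()
    quarantine = os.path.join(root, "quarantine")
    system32 = os.path.join(root, "system32")
    os.makedirs(quarantine)
    os.makedirs(system32)
    good = b"MZ constructed stand-in for a legitimate user32.dll"
    # The quarantined copy is the legitimate file the false positive caught.
    with open(os.path.join(quarantine, "infected.USER32.dll"), "wb") as f:
        f.write(good)
    # Reference copy from a trusted CD of the same Windows version (constructed).
    reference = os.path.join(root, "user32.dll.from_cd")
    with open(reference, "wb") as f:
        f.write(good)
    # A copy that differs from the reference and must be refused (constructed).
    tampered = os.path.join(root, "user32.dll.untrusted")
    with open(tampered, "wb") as f:
        f.write(good + b" plus something else")

    target = os.path.join(system32, "user32.dll")
    quarantined = find_quarantined(quarantine, "USER32.dll")
    accepted = restore_verified(quarantined, reference, target)
    refused = restore_verified(tampered, reference, target)
    return accepted, refused, target


if __name__ == "__main__":
    accepted, refused, target = demo()
    print("quarantined copy:", accepted["reason"])
    print("untrusted copy:", refused["reason"])
```

The hash comparison is deliberately against a file rather than a hash typed in by hand: user32.dll differs between Windows versions, so the reference has to come from the same version, which is also why the post says to ask a friend with the same version of Windows.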

1 comment:

Fireblayde said...

Just had this happen to me, although it could have been a few days ago as the comp has been on for a while.
ClamWin has annoyed me for the last time. Uninstall button has been clicked.