ClamWin Free Antivirus
Support and Discussion Forums
Clamwin reports windows directory file "user32.dll"
scarlett_156


Joined: 06 Jun 2008
Posts: 24
Location: eastern rural Colorado (USA)
This seems to be an error, and anyway one cannot delete the "user32.dll" file from c:\windows\system32.

Just letting everyone know. If anybody has any further feedback on this I would love to hear it.


~~~ yours in Chaos, Scarlett
natoma


Joined: 09 Feb 2009
Posts: 1
Location: Italy
Same thing here. Clamwin reports: C:\WINDOWS\system32\user32.dll: Worm.Pinit-4 FOUND but another online scan does not detect anything. False positive?
scarlett_156


Joined: 06 Jun 2008
Posts: 24
Location: eastern rural Colorado (USA)
When I researched it I found that AVG has been doing the same thing and that it's a mistake. However, I would like to know for sure, of course.
bazinou


Joined: 09 Feb 2009
Posts: 1
Location: Vienne (France)
I have the same problem.
I tried a scan on user32.dll with bitdefender (online), trendmicro (online), virscan.org and dr.web, but none of them found a virus or anything else. (Ouf ... Rolling Eyes)
GuitarBob


Joined: 09 Jul 2006
Posts: 4552
Location: USA
This was a false positive, and it has been fixed. This is a good reason not to have ClamWin set to quarantine or remove files it detects as infected initially. Always check it out (especially if it is a Windows system file) before you "lose" it!

If you think a file has a false positive detection, submit it to Clam (see the location on the Clamwin Antimalware page). They need more input from Windows users because ClamWin uses their virus detection engine and signature database, but Clam was designed for use on Linux mail servers.

Regards,
Antonio S.


Joined: 20 Apr 2008
Posts: 190
Location: Italy
Hello All,

Had the same problem yesterday when scanning C:
C:\WINDOWS\$NtServicePackUninstall$\user32.dll: Worm.Pinit-4 FOUND
C:\WINDOWS\ServicePackFiles\i386\user32.dll: Worm.Pinit-4 FOUND
C:\WINDOWS\system32\user32.dll: Worm.Pinit-4 FOUND

All been fixed today. Recommend to keep the default option to 'Report only', thus to avoid problems.

Regards,
Antonio
ok well this is all well and good for the cautious people
ShaoLinR@73R


Joined: 09 Feb 2009
Posts: 3
Location: SoCal
People who looked before they leapt, but I was not cautious. I had the file quarantined. Now I get a blue screen with "STOP: c0000135" smugly telling me that I was dumb for moving USER32.dll. Now what? I have a laptop and haven't seen my copy of the windows OS disk for years. Any ideas on how to get that USER32 back where it belongs? I already downloaded the file on another comp and burned it to a cdr, but what can I do now? Thanks for any help.
johndoe32102002


Joined: 09 Feb 2009
Posts: 2
ShaoLinR,

Try these amule/emule links to download the user32.dll

ed2k://|file|user32.dll|578560|A1F2EFF854AABBCFBF10305FCC32B846|/
magnet:?dn=user32.dll&xt=urn:ed2k:a1f2eff854aabbcfbf10305fcc32b846&xl=578560

I have downloaded them and ran a virus scan on them and they are clean. They are for Windows XP.
GuitarBob


Joined: 09 Jul 2006
Posts: 4552
Location: USA
All antivirus programs have false positives, but Clam is subject to a bit more false positives than a lot of the commercial AVs. The Clam AV program is primarily used on Linux-based email systems, and they don't have to worry about Windows system files. Clam also doesn't have all Windows system files available to check against for false positives before their signatures are released.

That's why I believe that the ClamWin Remove and Quarantine preferences should be changed to exclude files in the Windows directories and only Report them as infected. The user can then check them out and do a manual removal if they turn out to be infected. This entails some user "education," but it would save some users a lot of time/trouble.

Regards,
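The policy GuitarBob proposes above (detections inside the Windows directories are only reported, never removed or quarantined automatically) can be applied to a scan report as follows. This is an added example, not part of the thread and not ClamWin's own code; it assumes report lines of the form `path: signature FOUND` as quoted earlier in the thread and a Windows directory of C:\WINDOWS, and the names `parse_detection`, `is_protected` and `triage` are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Report line format as quoted in the thread: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumption: Windows lives in C:\WINDOWS, as in the thread's report lines.
PROTECTED_ROOTS = [PureWindowsPath(r"C:\WINDOWS")]

def parse_detection(line):
    """Return (path, signature) for a FOUND line, or None for any other line."""
    m = FOUND_RE.match(line.strip())
    if not m:
        return None
    return PureWindowsPath(m.group("path")), m.group("sig")

def is_protected(path):
    """True if path is under a protected root; comparison ignores case like NTFS."""
    return any(root == path or root in path.parents for root in PROTECTED_ROOTS)

def triage(report_lines, requested_action="quarantine"):
    """Decide per detection: the requested action, or report-only for system files."""
    decisions = []
    for line in report_lines:
        hit = parse_detection(line)
        if hit is None:
            continue  # summary lines, OK lines, blank lines
        path, sig = hit
        # A false positive on a system file must never cost the user the file.
        action = "report-only" if is_protected(path) else requested_action
        decisions.append((str(path), sig, action))
    return decisions

# Constructed sample: lines modelled on the thread's report (one lower-cased),
# plus a made-up detection outside the Windows directory and a summary line.
SAMPLE = [
    r"C:\WINDOWS\$NtServicePackUninstall$\user32.dll: Worm.Pinit-4 FOUND",
    r"C:\WINDOWS\ServicePackFiles\i386\user32.dll: Worm.Pinit-4 FOUND",
    r"c:\windows\system32\user32.dll: Worm.Pinit-4 FOUND",
    r"C:\Documents and Settings\user\Desktop\sample.exe: Example.Signature FOUND",
    "Infected files: 4",
]

if __name__ == "__main__":
    for path, sig, action in triage(SAMPLE):
        print(f"{action:12} {sig:20} {path}")
```

Paths are compared as Windows paths, so the check behaves the same when the report is reviewed on another operating system, for example from a rescue CD.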
ShaoLinR@73R


Joined: 09 Feb 2009
Posts: 3
Location: SoCal
johndoe32102002 wrote:
ShaoLinR,

Try these amule/emule links to download the user32.dll

ed2k://|file|user32.dll|578560|A1F2EFF854AABBCFBF10305FCC32B846|/
magnet:?dn=user32.dll&xt=urn:ed2k:a1f2eff854aabbcfbf10305fcc32b846&xl=578560

I have downloaded them and ran a virus scan on them and they are clean. They are for Windows XP.


Got that. I actually already have the file, I suppose I'm more asking if anyone has experience with installing files without access to Windows (it won't even start in SafeMode). You know...since I deleted a critical file for it to do so. Laughing

Anyone know?

Can I install it from DOS? If so how?
GuitarBob


Joined: 09 Jul 2006
Posts: 4552
Location: USA
Can you get hold of a Windows boot disk for XP? That way you could boot up with the OS from the CD and then install the file where it needs to be.

Some of the AV companies have boot disk files you can make in case malware prevents Windows from working. The boot disks usually have a Linux boot OS with their AV and some "housekeeping" software. I've made and used the Dr. Web boot CD for virus scans. After you boot up from the CD, I think you will have the opportunity to bypass the virus scan and access the hard drive. You have to burn the file(s) available at the AV websites to an ISO file on CD. Files are available from Dr. Web, Bitdefender, Kaspersky, and F-Secure. I chose Dr. Web because it is 60 MB and the others are 150+ MB.

There is also the BART PE bootup CD you can make, but I've never been able to do it, and it zapped my XP-SP3 OS the last time I tried that.

Regards,
alch
Site Admin

Joined: 27 Nov 2005
Posts: 1751
Sorry to hear that...
You need a Windows XP/2003/Vista setup CD (borrow it from a friend if you don't have one), then use the recovery console and copy the file using the COPY command.
If your computer has a floppy drive then this page might be useful:
http://support.microsoft.com/kb/310994
Shawn_IO


Joined: 09 Feb 2009
Posts: 3
Location: Silicon Valley
You could yank the hard drive, put it in a usb enclosure, attach to another computer, and then replace the file in question.

The other methods described above might be easier, depending on a number of factors.
Antonio S.


Joined: 20 Apr 2008
Posts: 190
Location: Italy
Hello ShaoLinR@73R,


You can use a Linux distro that runs from a Live CD (meaning an OS that is booted from CD and does not need to be installed locally) to get access to your C: drive and copy the missing files back into their place.
Here are the steps I took to copy a .txt file from a USB drive to C: using a live CD. I chose GOS for simplicity but there are many options around (all free software, so you don't have to bother about licences...)

1-Downloaded the image (.iso file) from http://www.thinkgos.com/gos/download.html and burnt it on CD as image file.
2-Booted machine from CD (Note: at least 384 MB of Ram are required)
3-Once the OS was loaded in RAM I had access to the C: drive, then copied the file to the Documents and Settings folder.
4-Restarted the machine (CD was ejected)
5-Rebooted in Windows and checked the folder; file was there copied correctly.

If you need to recover more .dll files you should check @ http://www.dll-files.com. That worked for me some time ago when an Audio player wouldn't run...

Hope this helps,
Antonio
GuitarBob


Joined: 09 Jul 2006
Posts: 4552
Location: USA
Thanks for the information, Antonio. You must have larger CDs in Italy than we have in the states, however. The gOS download was larger than my 700 MB CD would hold, so I looked around for something else. There's a free Linux distro available at http://distro.ibiblio.org/pub/linux/distributions/damnsmall/current/ . It is a 50 MB version of Linux called Damn Small Linux (DSL) and it looks perfect for quick access to a dead system. Make sure you download the version named dsl-version.iso . There's also something called Knoppix Linux, which is much larger but it is still under 700 MB. For any bootable OS, make sure you get an ISO version and burn it with your CD burner as an ISO file.

Regards,