Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

ws2_32.dll infection


  • This topic is locked This topic is locked
11 replies to this topic

#1 tlee123

tlee123

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 25 June 2009 - 01:53 PM

Thanks for any help. I'm helping a relative thru Remote Assistance and have had limited experience with malware removal. Tried AVG, Avira, Superantispyware, combofix. No luck yet, so I'm hoping for your expert help!

AVG's Resident Shield Alert keeps popping up saying there's a threat in

c:\windows\system32\ws2_32.dll

here's my dds log


DDS (Ver_09-05-14.01) - NTFSx86
Run by Compaq_Owner at 14:41:28.53 on Thu 06/25/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1215.580 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\system32\RDSHOST.exe
C:\WINDOWS\system32\sessmgr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Compaq_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=presario&pf=desktop
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AOL Radio Toolbar Loader: {2abdb2f7-4cbf-4939-ba12-fddc827b6a2d} - c:\program files\aol radio toolbar\aolradiotb.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AOL Radio Toolbar: {9167da98-6f9b-46f1-991d-826cae46cab6} - c:\program files\aol radio toolbar\aolradiotb.dll
TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [License Manager] "c:\program files\license_manager\license_manager.exe " /silent
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: Add To Compaq Organize... - c:\progra~1\hewlet~1\compaq~1\bin/module.main/favorites\ie_add_to.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\compaq~1\applic~1\mozilla\firefox\profiles\bpn3mfas.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-aolradio-chromesbox-en-us&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50-ff-aolradio-ab-en-us&query=
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-15 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-6-15 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-15 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 908568]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-6-15 298776]
R2 PPCLASS;PPCLASS;c:\windows\system32\drivers\ppclass.sys [2006-1-29 85868]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-1-14 226656]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
S2 PPSCAN;PPSCAN;c:\windows\system32\drivers\ppscan.sys [2006-1-29 115136]

=============== Created Last 30 ================


==================== Find3M ====================

2009-06-25 13:41 11,990 a------- c:\windows\pchealth\helpctr\config\incstore.bin
2009-06-24 14:23 212,848 a------- c:\windows\pchealth\helpctr\config\cache\Personal_32_1033.dat
2009-06-12 13:14 17,092 a------- c:\docume~1\compaq~1\applic~1\wklnhst.dat
2009-05-16 09:01 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-16 09:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-16 09:00 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\dllcache\localspl.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\wininet.dll
2009-04-29 00:56 827,392 a------- c:\windows\system32\dllcache\cache\wininet.dll
2009-04-29 00:56 233,472 a------- c:\windows\system32\dllcache\webcheck.dll
2009-04-29 00:56 1,159,680 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-29 00:56 671,232 a------- c:\windows\system32\dllcache\mstime.dll
2009-04-29 00:56 105,984 a------- c:\windows\system32\dllcache\url.dll
2009-04-29 00:56 102,912 a------- c:\windows\system32\dllcache\occache.dll
2009-04-29 00:56 44,544 a------- c:\windows\system32\dllcache\pngfilt.dll
2009-04-29 00:56 3,596,288 a------- c:\windows\system32\dllcache\mshtml.dll
2009-04-29 00:56 477,696 a------- c:\windows\system32\dllcache\mshtmled.dll
2009-04-29 00:56 193,024 a------- c:\windows\system32\dllcache\msrating.dll
2009-04-28 05:05 70,656 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-28 05:05 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2009-04-25 01:27 636,088 a------- c:\windows\system32\dllcache\iexplore.exe
2009-04-25 01:26 161,792 a------- c:\windows\system32\dllcache\ieakui.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\dllcache\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 -------- c:\windows\system32\dllcache\rpcrt4.dll
2008-10-28 15:57 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008102820081029\index.dat

============= FINISH: 14:41:53.81 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Tokek

Tokek

    Bleepin' Gecko


  • Members
  • 1,213 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jakarta, Indonesia
  • Local time:06:34 AM

Posted 30 June 2009 - 12:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
If I have not replied back to your post in 3 days, please send me a PM.

Posted Image

#3 tlee123

tlee123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 02 July 2009 - 09:18 PM

Thanks for responding.

No, nothing has changed since the original post. The virus is still there and I can't figure out what to do next.

#4 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 04 July 2009 - 03:38 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Let's take a look at that file.

Download and Run OTScanIt
Download OTScanIt by OldTimer to your Desktop.
  • Double-click on OTScanIt.exe to start the program. If you are running on Vista then right-click the program and choose Run as Administrator.
  • Click the Extras button under "Additional Scans".
  • Copy the contents of the codebox below into the "Custom Scans" box.
    c:\ws2_32.dll /s
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
With Regards,
The Panda

#5 tlee123

tlee123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 05 July 2009 - 01:07 PM

OK I have run OTS and attached OTS.txt.

I was away yesterday so I didn't see your reply but I'll follow it closely now. I appreciate your help.

Tom

Attached Files

  • Attached File  OTS.Txt   157.43KB   7 downloads


#6 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 05 July 2009 - 01:50 PM

Hello.

All the copies of that file on your machine are legit.

Submit File to Online Scanner
There is a file that I would like you to check out for me using an online scanner.
  • Open VirusTotal, Jotti or VirSCAN. If one site is busy or down, try the other
  • At the top of the page you'll see a box. Paste in the following line(s) (do one line at a time).
  • C:\WINDOWS\System32\ws2_32.dll
  • Click Submit.
  • Wait for the scan to finish.
  • Copy Scanner Results into your next reply.
  • If more than one file was listed, repeat for each of them.
Please tell me what AVG says the file is infected with. If possible, provide a scan log or screnshot.

With Regards,
The Panda

#7 tlee123

tlee123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 05 July 2009 - 03:58 PM

From Virustotal:


Srpski | Македонски | العربية | Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe | Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar | Deutsch | Česky | Polski | Español
Virus Total
Virustotal is a service that analyzes suspicious files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware detected by antivirus engines. More information...
File ws2_32.dll received on 2009.07.05 20:58:50 (UTC)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 8/41 (19.52%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Compact
Print results Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.07.05 Trojan.Win32.Patched!IK
AhnLab-V3 5.0.0.2 2009.07.05 -
AntiVir 7.9.0.204 2009.07.05 -
Antiy-AVL 2.0.3.1 2009.07.03 -
Authentium 5.1.2.4 2009.07.04 -
Avast 4.8.1335.0 2009.07.05 -
AVG 8.5.0.386 2009.07.05 Win32/Patched
BitDefender 7.2 2009.07.05 Trojan.Patched.EM
CAT-QuickHeal 10.00 2009.07.03 -
ClamAV 0.94.1 2009.07.03 -
Comodo 1538 2009.07.02 -
DrWeb 5.0.0.12182 2009.07.05 -
eSafe 7.0.17.0 2009.07.02 -
eTrust-Vet 31.6.6596 2009.07.03 -
F-Prot 4.4.4.56 2009.07.04 -
F-Secure 8.0.14470.0 2009.07.05 -
Fortinet 3.117.0.0 2009.07.03 -
GData 19 2009.07.05 Trojan.Patched.EM
Ikarus T3.1.1.64.0 2009.07.05 Trojan.Win32.Patched
Jiangmin 11.0.706 2009.07.05 -
K7AntiVirus 7.10.783 2009.07.03 -
Kaspersky 7.0.0.125 2009.07.05 -
McAfee 5667 2009.07.05 -
McAfee+Artemis 5667 2009.07.05 -
McAfee-GW-Edition 6.8.5 2009.07.05 Heuristic.LooksLike.Trojan.Patched.H
Microsoft 1.4803 2009.07.05 Trojan:Win32/Patched.L
NOD32 4219 2009.07.05 -
Norman 6.01.09 2009.07.04 -
nProtect 2009.1.8.0 2009.07.05 -
Panda 10.0.0.14 2009.07.05 -
PCTools 4.4.2.0 2009.07.05 -
Prevx 3.0 2009.07.05 -
Rising 21.36.62.00 2009.07.05 -
Sophos 4.43.0 2009.07.05 Mal/WSHack-A
Sunbelt 3.2.1858.2 2009.07.05 -
Symantec 1.4.4.12 2009.07.05 -
TheHacker 6.3.4.3.362 2009.07.04 -
TrendMicro 8.950.0.1094 2009.07.05 -
VBA32 3.12.10.7 2009.07.05 -
ViRobot 2009.7.3.1818 2009.07.03 -
VirusBuster 4.6.5.0 2009.07.05 -
Additional information
File size: 82432 bytes
MD5...: 42b9dcf1a50cd63bb519bda831098d72
SHA1..: a8d03612e676fafa5ea68778a9ee60a0732f333c
SHA256: f38d59efc5693814c8f3941a1c14614428cf20d23804f85d41dbd3d88a345f08
ssdeep: 1536:rRqRC3AJcBuyg2G1htxvSrqtkBx5sALnR4lxCyqNYb:rR0rJKBG1hrvSrMk
Bx5swR41q
PEiD..: -
TrID..: File type identification
Win64 Executable Generic (59.6%)
Win32 Executable MS Visual C++ (generic) (26.2%)
Win32 Executable Generic (5.9%)
Win32 Dynamic Link Library (generic) (5.2%)
Generic Win/DOS Executable (1.3%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x141a1
timedatestamp.....: 0x4802a164 (Mon Apr 14 00:12:20 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x12153 0x12200 6.48 bab7d3e1fe3328ffab1ecfa7bb6ab477
.data 0x14000 0x914 0xa00 5.88 2f95afef74042f4e707db7442420047f
.rsrc 0x15000 0x3f8 0x400 3.43 5ff68b649c14d167754073f671ef1ef1
.reloc 0x16000 0xdc8 0xe00 6.47 96a3b0536192dbaeb2acc06203c6d221

( 5 imports )
> ADVAPI32.dll: RegNotifyChangeKeyValue, RegDeleteKeyA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegCreateKeyExA, RegCloseKey, RegEnumKeyExA
> KERNEL32.dll: GetTickCount, QueryPerformanceCounter, lstrcmpA, HeapReAlloc, HeapFree, HeapAlloc, InterlockedCompareExchange, IsBadWritePtr, GetEnvironmentVariableA, GetComputerNameA, GetVersionExA, GetSystemDirectoryA, GetWindowsDirectoryA, WaitForMultipleObjectsEx, ResetEvent, IsBadReadPtr, TlsSetValue, GetHandleInformation, ExpandEnvironmentStringsA, InterlockedExchange, GetCurrentThreadId, TlsAlloc, GetSystemInfo, HeapCreate, GetProcessHeap, HeapDestroy, TlsFree, lstrlenA, lstrcpyA, IsBadCodePtr, GetProcAddress, CreateEventA, GetModuleFileNameA, LoadLibraryA, CreateThread, FreeLibrary, WaitForSingleObject, CloseHandle, FreeLibraryAndExitThread, EnterCriticalSection, SetEvent, GetCurrentProcessId, GetSystemTimeAsFileTime, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, SwitchToThread, SetLastError, DelayLoadFailureHook, TlsGetValue, InterlockedDecrement, GetLastError, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, DeleteCriticalSection, InterlockedIncrement, LeaveCriticalSection
> msvcrt.dll: __isascii, isspace, _except_handler3, sprintf, _adjust_fdiv, malloc, _initterm, free, _stricmp, fclose, fgets, atoi, strchr, fopen, wcscpy, strtoul, wcscmp, wcslen, wcschr
> ntdll.dll: RtlIpv4StringToAddressW, RtlIpv6StringToAddressExW, RtlIpv4StringToAddressA
> WS2HELP.dll: WahCompleteRequest, WahQueueUserApc, WahEnableNonIFSHandleSupport, WahDisableNonIFSHandleSupport, WahCreateSocketHandle, WahNotifyAllProcesses, WahCreateNotificationHandle, WahWaitForNotification, WahOpenCurrentThread, WahCloseThread, WahInsertHandleContext, WahRemoveHandleContext, WahDestroyHandleContextTable, WahCreateHandleContextTable, WahEnumerateHandleContexts, WahCloseApcHelper, WahCloseHandleHelper, WahCloseNotificationHandleHelper, WahOpenNotificationHandleHelper, WahOpenHandleHelper, WahOpenApcHelper, WahCloseSocketHandle, WahReferenceContextByHandle

( 117 exports )
FreeAddrInfoW, GetAddrInfoW, GetNameInfoW, WEP, WPUCompleteOverlappedRequest, WSAAccept, WSAAddressToStringA, WSAAddressToStringW, WSAAsyncGetHostByAddr, WSAAsyncGetHostByName, WSAAsyncGetProtoByName, WSAAsyncGetProtoByNumber, WSAAsyncGetServByName, WSAAsyncGetServByPort, WSAAsyncSelect, WSACancelAsyncRequest, WSACancelBlockingCall, WSACleanup, WSACloseEvent, WSAConnect, WSACreateEvent, WSADuplicateSocketA, WSADuplicateSocketW, WSAEnumNameSpaceProvidersA, WSAEnumNameSpaceProvidersW, WSAEnumNetworkEvents, WSAEnumProtocolsA, WSAEnumProtocolsW, WSAEventSelect, WSAGetLastError, WSAGetOverlappedResult, WSAGetQOSByName, WSAGetServiceClassInfoA, WSAGetServiceClassInfoW, WSAGetServiceClassNameByClassIdA, WSAGetServiceClassNameByClassIdW, WSAHtonl, WSAHtons, WSAInstallServiceClassA, WSAInstallServiceClassW, WSAIoctl, WSAIsBlocking, WSAJoinLeaf, WSALookupServiceBeginA, WSALookupServiceBeginW, WSALookupServiceEnd, WSALookupServiceNextA, WSALookupServiceNextW, WSANSPIoctl, WSANtohl, WSANtohs, WSAProviderConfigChange, WSARecv, WSARecvDisconnect, WSARecvFrom, WSARemoveServiceClass, WSAResetEvent, WSASend, WSASendDisconnect, WSASendTo, WSASetBlockingHook, WSASetEvent, WSASetLastError, WSASetServiceA, WSASetServiceW, WSASocketA, WSASocketW, WSAStartup, WSAStringToAddressA, WSAStringToAddressW, WSAUnhookBlockingHook, WSAWaitForMultipleEvents, WSApSetPostRoutine, WSCDeinstallProvider, WSCEnableNSProvider, WSCEnumProtocols, WSCGetProviderPath, WSCInstallNameSpace, WSCInstallProvider, WSCUnInstallNameSpace, WSCUpdateProvider, WSCWriteNameSpaceOrder, WSCWriteProviderOrder, __WSAFDIsSet, accept, bind, closesocket, connect, freeaddrinfo, getaddrinfo, gethostbyaddr, gethostbyname, gethostname, getnameinfo, getpeername, getprotobyname, getprotobynumber, getservbyname, getservbyport, getsockname, getsockopt, htonl, htons, inet_addr, inet_ntoa, ioctlsocket, listen, ntohl, ntohs, recv, recvfrom, select, send, sendto, setsockopt, shutdown, socket
PDFiD.: -
RDS...: NSRL Reference Data Set
-

ATENTION ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

Scan another file
VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of Service & Privacy Policy

#8 tlee123

tlee123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 05 July 2009 - 04:05 PM

OK I just realized you asked for a virusscan from only one service. Well I already did it from the second and here are the results.

From Jotti:

Jotti logo


Jotti's malware scan
Filename: ws2_32.dll
Status:
Scan finished. 5 out of 20 scanners reported malware.
Scan taken on: Sun 5 Jul 2009 22:59:52 (CET) Permalink

Additional info
File size: 82432 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit
MD5: 42b9dcf1a50cd63bb519bda831098d72
SHA1: a8d03612e676fafa5ea68778a9ee60a0732f333c




Scanners
[ArcaVir]
2009-07-05 Found nothing
[G DATA]
2009-07-05 Trojan.Patched.EM
[A-Squared]
2009-07-05 Trojan.Win32.Patched!IK
[Ikarus]
2009-07-05 Trojan.Win32.Patched
[Avast! antivirus]
2009-07-05 Found nothing
[Kaspersky Anti-Virus]
2009-07-05 Found nothing
[Grisoft AVG Anti-Virus]
Operation timed out
[ESET NOD32]
2009-07-05 Found nothing
[Avira AntiVir]
2009-07-05 Found nothing
[Norman Virus Control]
2009-07-04 Found nothing
[Softwin BitDefender]
2009-07-05 Trojan.Patched.EM
[Panda Antivirus]
2009-07-04 Found nothing
[ClamAV]
2009-07-03 Found nothing
[Quick Heal]
2009-07-03 Found nothing
[CPsecure]
2009-07-05 Found nothing
[Sophos]
2009-07-05 Mal/WSHack-A
[Dr.Web]
2009-07-05 Found nothing
[VirusBlokAda VBA32]
2009-07-04 Found nothing
[Frisk F-Prot Antivirus]
2009-07-04 Found nothing
[VirusBuster]
2009-07-05 Found nothing
[F-Secure Anti-Virus]
2009-07-05 Found nothing



Scan a file - Hash search - Frequently Asked Questions - Privacy policy

© 2004-2009 Jotti <jotti@jotti.org>

Sponsored by Hotelscraper

#9 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 05 July 2009 - 04:31 PM

Hello.

That's surprising. Let's check out the other copies of the file on your machine.

Submit File Sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/236671/ws2-32dll-infection/
  • Click the Browse button. Locate and select the following files:
  • c:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
  • c:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
  • (If more than one file is listed, do one at a time.)
  • Under the comments section, say that Panda asked for the submission.
Please post a reply here when the files are submitted.

With Regards,
The Panda

#10 tlee123

tlee123
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:10:34 AM

Posted 11 July 2009 - 11:16 AM

OK I finally uploaded the files. I also uploaded the file from c:\windows\system32\ by accident.

Thanks,

Tom


Hello.

That's surprising. Let's check out the other copies of the file on your machine.

Submit File Sample

  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/236671/ws2-32dll-infection/
  • Click the Browse button. Locate and select the following files:
  • c:\WINDOWS\$NtServicePackUninstall$\ws2_32.dll
  • c:\WINDOWS\ServicePackFiles\i386\ws2_32.dll
  • (If more than one file is listed, do one at a time.)
  • Under the comments section, say that Panda asked for the submission.
Please post a reply here when the files are submitted.

With Regards,
The Panda



#11 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 11 July 2009 - 12:17 PM

Hello.

Do you have your Windows Vista installation disk that we can use the recovery console from? Also, is there another machine that you can communicate to me from in case something goes wrong?

Just want to verify the location of each file that was submitted.

We will probably proceed to replace the file next round.
  • Double click the OTS.exe icon in the OTScanIt folder on your desktop. If you are using Windows Vista, right click OTScanIt.exe and select Run as Administrator.
  • Copy the contents of the codebox below into the "Custom Scans" box.
    c:\windows\ws2_32.dll /s /md5
  • Close all windows except OTScanIt.
  • Click it Run Scan button.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Use the Add Reply button in the forum and Attach the scan back here (do not copy/paste it as it will be too big to fit into the post). It will be located in the OTScanIt folder and named OTScanIt.txt.
[/list]
With Regards,
The Panda

Edited by PropagandaPanda, 11 July 2009 - 12:19 PM.


#12 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:34 AM

Posted 18 July 2009 - 08:35 AM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users