
Corrupt wsock32.dll = TR/Trash.Gen?


  • This topic is locked
6 replies to this topic

#1 staydetuned

staydetuned

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 06 October 2009 - 09:25 PM

Hello everyone, and first of all a huge THANK YOU for the helpers out there and those taking the time to read this. I'm very, very impressed with this site, this forum, and the ability and willingness of others to help out us less informed and fortunate souls out there. THANK YOU!

This has been more than a month in the works, with much time spent researching and trying every avenue I could find to solve what at first appeared to be a simple problem. The story goes something like this:

One day I turned on my computer, a laptop PC running Windows XP, to the following message: "-128: iTunesHelper.exe - Unable to locate component. This application has failed to start because WSOCK32.DLL was not found. Re-installing the application may fix this problem." And a balloon in the lower right: "-128: iTunesHelper.exe (other times jucheck.exe) - Corrupt File. The file or directory C:\WINDOWS\system32\wsock32.dll is corrupt and unreadable. Please run the chkdsk utility."

Ok, let's try that. chkdsk /f. "The type of file system is NTFS. Cannot lock the current drive. Checkdisk cannot run because the volume is in use by another process. Would you like to schedule this volume to be checked the next time the system restarts? (Y/N)" Sure. Nope, nothing on restart. Long story short, I followed a lot of different directions to run a chkdsk, but could never get it to happen. Got it to run on restart eventually with this message: "Checking file system on C: The type of file system is NTFS. Cannot open the volume for access. Windows has finished checking the disk.........." Ok, well, let's just replace the file with a good copy of wsock32.dll...

As you may have guessed, I cannot Move, Delete, Replace, Rename or otherwise edit the file. The computer says it's "Corrupt and Unreadable." Malwarebytes' FileAssassin says the file is deleted, but it still remains after reboot. Same with HijackThis delete and RootRepeal Wipe.

(An interesting aside - HijackThis had an error during installation and closed, yet seemed to be fully installed afterward. It seemed a little strange. Also, a few weeks before this problem I had tried to install both Avira and Malwarebytes antivirus programs. When I attempted to navigate to their web sites to download the software, I was redirected by (what I'm assuming was/is) some sort of malware/virus to some other site. I had to download the install files from another computer and transfer them to my infected laptop, renaming the install files as the installation was somehow corrupted on my first try, with their preexisting names (or am I just being REALLY paranoid here?!?) Regardless, after these were installed a number of viruses/malware was found and supposedly removed. It's all this, and one other thing, that leads me to believe this current problem is virus related.)

Next I tried the Winsock XP Fix program that is suggested for repairing winsock. During the initial ReGBackup I got the following error message: "Error saving file C:\ERDNT\SECURITY!, C:\ERDNT\software, ...\system, ...\default, ...\SAM, ...\users" etc. Hmm... So I hit "FIX", reboot, and... nothing.

When I try to access regedit (with no intention of touching it just yet) and Export Backup, I get the blue error screen, only a flash, and something about "prevent damage", REGISTRY ERROR... I also now get a popup error message on bootup: "Windows - Registry Recovery. One of the files containing the system's Registry data had to be recovered by use of a log or alternate copy. The recovery was successful." Well, that's good...

Also tried Microsoft FixIt #50203. Nothing...

netsh winsock reset. Nothing.

Everything in Safe Mode. Nothing.

And I get errors whenever I try a System Restore, from any point.

So here's the interesting thing: An Avira scan of the file identifies it as TR/Trash.Gen trojan. (Or it has for the last month, until this very second! Only thing different was running the scan after attempting a RootRepeal Wipe on the file. Now Avira doesn't register it as a trojan.) But the file's still there, and still "corrupt and unreadable." Malwarebytes, on the other hand, doesn't see it at all.

And one more interesting tidbit: When I tried to run the RootRepeal report it crashed. Here's what I saw beforehand on the report screen:

C:\hiberfil.sys

Locked to the Windows API!

C:\WINDOWS\system32\eventcls.dll

Locked to the Windows API!

C:\WINDOWS\system32\wsock32.dll

Locked to the Windows API!


And then a popup error message: "RootRepeal Error - Attempt to read from address: 0x12377b4a"

So, I ran the RootRepeal report excluding "Files" from the scan. That is what is attached to this post as otherwise the program crashes.

Well, there's my story so far. I know there's probably a good deal of much more useful information you guys can use, but maybe this will lead somewhere? I apologize for the confusion ahead of time. I'll be watching each and every day for any replies and responses, and will do anything and everything you guys may need to help me out. THANK YOU THANK YOU THANK YOU in advance!!!

By the way, I've also considered this could simply be hardware related, a failing hard drive... What do you think?


Pasted below please find the DDS report, followed by the most recent HijackThis report, the brief Avira report that IDs wsock32.dll as the TR/Trash.Gen trojan, and the RootRepeal crash report. (Sorry if this is too much info; I figure the more the better.)

Attached please find the DDS attachment and (partial; see above) RootRepeal report.


DDS Report:

DDS (Ver_09-09-29.01) - NTFSx86
Run by Jayson at 17:21:01.46 on Tue 10/06/2009
Internet Explorer: 6.0.2900.2180

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [eabconfg.cpl] c:\program files\hpq\quick launch buttons\EabServr.exe /Start
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\vira\avira\antivir desktop\avgnt.exe" /min
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxp://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -
Handler: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - c:\program files\lizardtech\express view\expressview.dll
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================


==================== Find3M ====================

2009-07-10 13:36 60,800 a------- c:\windows\system32\S32EVNT1.DLL
2008-10-16 15:01 59,464 a------- c:\docume~1\jayson\applic~1\GDIPFONTCACHEV1.DAT
2008-07-21 23:02 101,641 a------- c:\program files\INSTALL.LOG
2001-09-28 17:00 164,864 a------- c:\program files\UNWISE.EXE

============= FINISH: 17:21:41.98 ===============



HijackThis report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:23:00 PM, on 10/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\vira\Avira\AntiVir Desktop\sched.exe
C:\Program Files\vira\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\vira\Avira\AntiVir Desktop\avgnt.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThisxx\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\vira\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKUS\S-1-5-21-1198181831-3885620261-4041246677-1006\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=laptop
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ss/sa...abs/tgctlsr.cab
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Program Files\LizardTech\Express View\expressview.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\vira\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\vira\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

--
End of file - 7724 bytes



Avira Log:

Avira AntiVir Personal
Report file date: Tuesday, October 06, 2009 16:27

Scanning for 1639416 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : Jayson
Computer name : DOLORES

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 8/5/2009 21:58:16
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 18:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 19:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 18:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 20:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 08:31:28
ANTIVIR2.VDF : 7.1.5.88 2668032 Bytes 8/10/2009 21:49:36
ANTIVIR3.VDF : 7.1.5.117 290304 Bytes 8/14/2009 21:49:28
Engineversion : 8.2.1.1
AEVDF.DLL : 8.1.1.1 106868 Bytes 4/30/2009 19:52:04
AESCRIPT.DLL : 8.1.2.25 459130 Bytes 8/12/2009 21:48:28
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 08:29:51
AERDL.DLL : 8.1.2.4 430452 Bytes 7/22/2009 08:31:48
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/28/2009 00:07:20
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/22/2009 08:31:46
AEHEUR.DLL : 8.1.0.154 1917302 Bytes 8/7/2009 21:57:09
AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 08:29:50
AEGEN.DLL : 8.1.1.56 356725 Bytes 8/11/2009 21:49:38
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 22:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 08:29:48
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 22:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 16:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 18:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 22:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 18:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 23:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 18:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 23:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 16:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 18:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 23:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 18:19:48

Configuration settings for the scan:
Jobname.............................: ShlExt
Configuration file..................: C:\DOCUME~1\Jayson\LOCALS~1\Temp\68e8caa4.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: off
Scan registry.......................: off
Search for rootkits.................: off
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: high
Deviating risk categories...........: +APPL,+PCK,+SPR,

Start of the scan: Tuesday, October 06, 2009 16:27

Starting the file scan:

Begin scan in 'C:\WINDOWS\system32\wsock32.dll'
C:\WINDOWS\system32\wsock32.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] The file could not be opened!

Beginning disinfection:
C:\WINDOWS\system32\wsock32.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26004
[WARNING] The source file could not be found.
[NOTE] Attempting to perform action using the ARK library.
[NOTE] The file was moved to '4b3ad35b.qua'!


End of the scan: Tuesday, October 06, 2009 16:29
Used time: 00:01 Minute(s)

The scan has been done completely.

0 Scanned directories
2 Files were scanned
1 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
1 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
0 Files not concerned
0 Archives were scanned
1 Warnings
1 Notes



RootRepeal crash report:
ROOTREPEAL CRASH REPORT
-------------------------
Windows Version: Windows XP SP2
Exception Code: 0xc0000005
Exception Address: 0x0041102f
Attempt to read from address: 0x12377b4a


THANK YOU!


Edited by staydetuned, 06 October 2009 - 09:37 PM.
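As an added example (not code from this thread, from the BleepingComputer helpers, or from HijackThis itself), here is a small Python triage script over lines copied from the HijackThis log above. It pulls out the tagged entries, flags registrations whose file is gone ("(file missing)" / "(no file)", the usual trace of a component that was removed while its registration stayed behind) and the O10 Winsock LSP entry, and lists the autostart executables so a responder can hash or signature-check them. The sample log is constructed from the post's own lines; the flag reasons are this example's wording and not a verdict on any particular file.

```python
"""
Triage helper for a pasted HijackThis (v2.0.x) log.

Added example: not code from the forum thread, the helper team or HijackThis.
It understands only the line shapes seen in the log above: each entry starts
with a section tag (R0-R3, O2, O4, O10, O18, O23 ...) followed by " - ".
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries copied from the posted log.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

R3 - URLSearchHook: (no name) - CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\vira\Avira\AntiVir Desktop\avguard.exe
"""

ENTRY_RE = re.compile(r"^(?P<tag>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
LNK_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
EXE_RE = re.compile(r"^(?P<path>.+?\.exe)(?:\s|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    tag: str   # HijackThis section, e.g. "O4"
    body: str  # everything after "O4 - "


@dataclass(frozen=True)
class Finding:
    tag: str
    reason: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the tagged entries of a log; header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(Entry(m["tag"], m["body"]))
    return out


def image_path(cmd: str) -> str:
    """Best-effort split of a Run-key command line into its executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path: take up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)              # unquoted path with spaces, ends in .exe
    if m:
        return m["path"]
    return cmd.split()[0]              # no extension (e.g. "dumprep 0 -u")


def autostart_images(entries: list[Entry]) -> list[str]:
    """Executable paths behind O4 (autostart) entries, ready for hashing or signature checks."""
    paths = []
    for e in entries:
        if e.tag != "O4":
            continue
        m = RUN_RE.match(e.body) or LNK_RE.match(e.body)
        if m:
            paths.append(image_path(m["cmd"]))
    return paths


def triage(entries: list[Entry]) -> list[Finding]:
    """Flag entries worth a second look; reasons are this example's wording."""
    findings = []
    for e in entries:
        lower = e.body.lower()
        if "(file missing)" in lower or "(no file)" in lower:
            findings.append(Finding(e.tag, "dangling registration: the referenced file no longer exists", e.body))
        if e.tag == "O10":
            findings.append(Finding(e.tag, "Winsock LSP entry: identify the DLL before any Winsock reset", e.body))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    for f in triage(entries):
        print(f"[{f.tag}] {f.reason}\n    {f.body}")
    print("\nAutostart images to verify:")
    for p in autostart_images(entries):
        print("   ", p)
```

Dangling registrations are usually cleanup residue rather than an active threat, but each one is a load point that would be re-armed if a file reappeared at that path, so a responder clears them. The O10 line is the reason the script separates Winsock LSP entries: a `netsh winsock reset` rewrites the LSP catalog, so what is in it should be identified first, and the exported O4 paths are the files to hash and compare against vendor signatures before trusting the autostart list.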



#2 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 PM

Posted 23 October 2009 - 03:42 PM

Hi

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay in responding.

If you still require assistance we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, steps #6 and #7, for further instructions on downloading and running DDS and RootRepeal. If you have any problems just let me know in your next reply, or simply post a HijackThis log.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#3 staydetuned

staydetuned
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 24 October 2009 - 03:23 PM

Thank you for your response EB! And no problem with the delay, I know you guys are busy and I appreciate the help.

I'm on another computer at the moment and so unable to generate the new logs right now. I will however post them by tomorrow so we can get this project started.

Again, thank you, and I will have the info for you ASAP!

Regards,

Jayson

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 PM

Posted 24 October 2009 - 09:13 PM

No problem. Thanks for letting me know then. :(

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 PM

Posted 26 October 2009 - 07:04 PM

Is everything okay?

#6 staydetuned

staydetuned
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:07:34 PM

Posted 26 October 2009 - 10:40 PM

Hi EB. I apologize for the late reply; I've been busy preparing for a two week trip to Costa Rica :( I wanted to get on my computer and get the logs to you this morning, but when I tried to run DDS it wouldn't run, and said there were corrupt files. I had no Internet access and only a few minutes before I had to be at the airport, so there was nothing I could do. As for the Root Repeal, it still runs into an error during the scan, as described in my first post.

So I'm not sure we can do anything until I return in two weeks. I'm sorry for the inconvenience EB. Please let me know what you think, whether it would be worthwhile to address the original problem, or to carry on when I return.

Thank you!

#7 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 PM

Posted 28 October 2009 - 03:43 PM

In this case, please PM me back after you return from your trip, and I'll reopen this topic. I'll close it in the meantime.

~Extremeboy



