
Is "missing MSWSOCK.DLL" OK???



#1 mhaase

Posted 21 January 2010 - 01:22 PM

Hi All!

I'm reposting this from another group (this one may be more appropriate), and with a better subject line.

Got a Windows 2003 Server machine that had a Malware infection a while ago. I cleaned it up, and all seems to be OK, except for one naggy issue -- Remote access software (PCAnywhere, VNC, etc) is painfully slow and brings the machine to a crawl when/if somebody logs on. However, the MS Remote Desktop (and terminal services) works fine.

This hasn't been a huge issue - but I finally have a little time, and since it's been nagging me, I thought I'd try to track it down and see if it's a leftover from the Infection. FWIW, I opened a case with MS Support about it, and since the MS RDP works fine, they won't/can't do anything since they "don't support third party software (PCAnywhere/VNC/Etc)".

Only thing I find suspicious on a HJT log is this:


O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\mswsock.dll' missing


Now this obviously IS something leftover from an infection - but:

1) Internet access is fine

2) the correct MSWSOCK.DLL is in place where it should be (C:\windows\system32 & C:\windows\system32\dllcache)

3) The entire c:\documents and settings\administrator\windows\system32 directory was removed as part of the Malware fix.


My initial reaction to this is that this is probably a non-issue leftover scrap from the infection and nothing to be concerned about - however I've been wrong before <grin>.

I'm reluctant to run a Winsock Fix because I'm only able to access the machine remotely for a week or so, and don't want to accidentally screw-up the Internet connection.

Thoughts?

Ideas?

Edited by garmanma, 21 January 2010 - 02:59 PM.
A duplicate topic has been deleted-MG




#2 quietman7

Posted 21 January 2010 - 02:18 PM

mswsock.dll is a legit file. See here.

Be aware that running HijackThis on Windows 2003 Server and 64-bit machines may show log entries which indicate (file missing) when that is NOT always the case. You need to verify that the file is actually missing. Since you verified it is there, then leave it alone.

Winsock (Windows sockets) are files that allow Windows programs to connect to the Internet and other computers but they can be related to legitimate files as well as malware. With older versions of HijackThis it was recommended not to fix O10 entries since it could break an Internet connection. With the newer version however, HijackThis will not even try to fix these entries.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
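
The check described in the post above (confirm whether the file HijackThis reports as missing really is missing, and where the reported path points), as an added example that is not part of the original thread or of HijackThis. The function name, verdict labels, `system_root` default and the sample log and disk state are assumptions constructed for illustration.

```python
import ntpath
import os
import re

# Form of the O10 line quoted in the first post.
O10_MISSING = re.compile(
    r"^O10 - Broken Internet access because of LSP provider '(?P<path>[^']+)' missing\s*$",
    re.IGNORECASE,
)

def triage_o10(log_text, system_root=r"C:\windows", exists=os.path.exists):
    """Classify each 'LSP provider ... missing' entry in a HijackThis log.

    system_root and exists are assumptions of this example: pass the server's
    real Windows directory, and run on the server so exists() sees its disk.
    """
    system32 = ntpath.normcase(ntpath.join(system_root, "system32"))
    findings = []
    for line in log_text.splitlines():
        m = O10_MISSING.match(line.strip())
        if not m:
            continue
        reported = ntpath.normcase(m.group("path"))
        in_system32 = ntpath.dirname(reported) == system32
        stock_copy = ntpath.join(system32, ntpath.basename(reported))
        if exists(reported):
            # Reported "missing" but the file is there: a false positive if it
            # is the system32 copy, otherwise an LSP DLL that needs inspection.
            verdict = "present" if in_system32 else "review"
        elif not in_system32 and exists(stock_copy):
            # Entry points at a removed non-standard copy; stock file is intact.
            verdict = "stale-reference"
        else:
            verdict = "missing"
        findings.append({"path": reported, "in_system32": in_system32, "verdict": verdict})
    return findings

# Constructed sample: the O10 line from the first post plus an unrelated line.
SAMPLE_LOG = (
    "O4 - HKLM\\..\\Run: [example] C:\\example\\example.exe\n"
    "O10 - Broken Internet access because of LSP provider "
    "'c:\\documents and settings\\administrator\\windows\\system32\\mswsock.dll' missing\n"
)
# Constructed disk state matching points 2 and 3 of the first post.
SAMPLE_DISK = {r"c:\windows\system32\mswsock.dll"}

if __name__ == "__main__":
    for f in triage_o10(SAMPLE_LOG, exists=lambda p: p in SAMPLE_DISK):
        print(f["verdict"], f["path"])
```
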

#3 mhaase

Posted 21 January 2010 - 08:40 PM

Yeah - I know it's a legit file where it is, but I don't THINK the version that WAS in the c:\documents and settings\administrator\windows\system32 directory was legit. My thought was that something related to the winsock had been changed/corrupted by the malware infection of a while ago, and when I cleaned it out, I didn't "get it all" -- leaving a "not quite right" Winsock installation. I thought that might explain the weird PCAnywhere/VNC issue.

So your feeling is that it's probably a non-issue?

#4 quietman7

Posted 21 January 2010 - 11:15 PM

I don't have access to Windows 2003 Server so I had to search for other logs with that entry and those I found show the same location.

http://www.spywareinfoforum.com/index.php?showtopic=48052
http://www.lavasoftsupport.com/index.php?showtopic=9197
http://www.computerhope.com/forum/index.ph...pic=62457.0;all
http://www.suggestafix.com/index.php?showtopic=32384
http://www.cybertechhelp.com/forums/showthread.php?p=1133757
http://www.malwareremoval.com/forum/viewto...=11&t=36837
http://www.freedomlist.com/forum/viewtopic.php?t=31467
http://forums.whatthetech.com/Citrix_Server_Help_t82968.html

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system. Further, most helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators.