Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

WS_32.dll Infection


  • Please log in to reply
5 replies to this topic

#1 zdanov

zdanov

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 09 February 2010 - 12:12 PM

Greetings!
I am a new user of this forum, just registered actually, and I am looking for help from the gurus of malware/virus/spyware protection and removal techniques. I have recently started getting constant alerts from my EsetNOD32 utility, saying that I have something like a patched trojan, that my system32/WS_32.dll is infected. If I scan my entire system with Eset, it finds a couple of infections, but cannot delete them.
I keep getting "Error while deleting", and the tool cannot remove this problem.

I tried going online to search for help, but every time I try to launch firefox, i get the same infection allert, and I cannot start the browser. I uninstalled firefox and tried via IE, but the same crap happened, so I am unable to get online. I am writing this from my work, currently. I have downloaded ComboFix, Mbam.exe, and MGtools, since I've seen people have been instructed to use these tools in order to remove this type of malware. I only use EsetNOD32 as the anti-crap application.

I would very much appreciate any help you could provide.
Thank you!!

Regards,
Serge.

BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:48 AM

Posted 09 February 2010 - 01:28 PM

Welcome to BC.

From my experience, if ws2_32.dll is showing as infected, then chances are that atapi.sys is infected too and both will need to be replaced with backup copies stored elsewhere on your machine. In addition, there likely is a rootkit present which will render conventional tools useless. Disinfection will probably require the use of more powerful tools than we recommend in this forum. ComboFix is one such tool but do not use it on your own. Why?Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 zdanov

zdanov
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 10 February 2010 - 09:24 AM

Hi,
sorry for a bit of a late reply...I tried resolving this via Repair utility, booted from the CD and used repair to expand the ws2_32.dll file from cd to c:\windows, and it took care of it. I then scanned the system again with malwarebytes, which found few extra bugs and was able to delete it. I used EsetNOD32 as my only virus protection tool; I scanned the system with that as well, and it was clean. Do you suggest I use something additional to these two anti-crap aplications? I used to have spybot and avg, but since I'm running Eset, I figured I don't need them....

Once again, thank you very much for your time and assistance.

Regards,
Serge.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:48 AM

Posted 10 February 2010 - 09:51 AM

That's good news. You were fortunate in that atapi.sys too was not affected or you probably would still be having issues.

So if there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Posted Image > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

I used EsetNOD32 as my only virus protection tool...Do you suggest I use something additional to these two anti-crap aplications?

I use NOD32 combined with MBAM's realtime protection module.

No single product is 100% foolproof and can prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus combined with common sense and safe surfing habits provides the most complete protection.

As a general rule, using more than one anti-spyware program like Malwarebytes' Anti-Malware, SuperAntispyware, Spybot S&D, Ad-Aware, etc will not conflict with each other or your anti-virus if using only one of them for real time protection and others as stand-alone scanners. In fact, doing so increases your protection coverage without causing the same kind of conflicts or affecting the stability of your system that can occur when using more than one anti-virus. The overlap of protection from using different signature databases will aid in detection and removal of more threats when scanning your system for malware. However, if using all their real-time resident shields (TeaTimer, Ad-Watch, MBAM Protection Module, Spyware Terminator Shields, etc) together at the same time, there can be conflicts when each application tries to compete for resources and exclusive rights to perform an action. Additionally, competing tools may even provide redundant alerts which can be annoying and/or confusing.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#5 zdanov

zdanov
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:05:48 AM

Posted 10 February 2010 - 10:19 AM

Thank you very much for this info and suggestions; it is very informative and helpful!!!

Regards!

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,941 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:48 AM

Posted 10 February 2010 - 10:44 AM

You're welcome.

:thumbsup: Tips to protect yourself against malware and reduce the potential for re-infection:

Keep Windows and Internet Explorer current with all critical updates from Microsoft which will patch many of the security holes through which attackers can gain access to your computer. If you're not sure how to do this, see Microsoft Update helps keep your computer current.

Avoid gaming sites, porn sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs (i.e. Limewire, eMule, uTorrent). They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Malicious worms, backdoor Trojans IRCBots, and rootkits spread across P2P file sharing networks, gaming, porn and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans, and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. Porn sites can lead to the Trojan.Mebroot MBR rootkit and other dangerous malware. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.Beware of Rogue Security software as they are one of the most common sources of malware infection. They infect machines by using social engineering and scams to trick a user into spending money to buy a an application which claims to remove malware. For more specific information on how these types of rogue programs and infections install themselves, read:Keeping Autorun enabled on USB (pen, thumb, jump) and other removable drives has become a significant security risk as they are one of the most common infection vectors for malware which can transfer the infection to your computer. To learn more about this risk, please read:Many security experts recommend you disable Autorun asap as a method of prevention. Microsoft recommends doing the same.

...Disabling Autorun functionality can help protect customers from attack vectors that involve the execution of arbitrary code by Autorun when inserting a CD-ROM device, USB device, network shares, or other media containing a file system with an Autorun.inf file...

Microsoft Security Advisory (967940): Update for Windows Autorun
How to Maximize the Malware Protection of Your Removable Drives

Other security reading resources:Browser Security resources:• Finally, if you need to replace your anti-virus, firewall or need a reliable anti-malware scanner please refer to:
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users