Posted 18 December 2010 - 12:26 AM
Earlier today, Microsoft helped me deal with a virus which entered my computer on the 11th of this month.
I detected it in part myself through Process Explorer, in the Command Line under Properties for rundll32.exe. The whole command was: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\wsock321.dll",KOAEPDQ. However, I did not notice the extra "1" in this .dll's file name. I did notice though that by suspending rundll32.exe one function of the virus ceased, namely that of disabling and keeping disabled (i.e. preventing starting) Microsoft Security Essentials, Microsoft Malicious Software Removal Tool and Windows Security Centre (Windows Firewall was unaffected).
Eventually, Microsoft rang up from India and we had a joint session. They quickly noticed the extra figure 1. Deletion of wsock321.dll proving impossible even in Safe Mode, a Kaspersky scan was run, to little effect. Then an IceSword scan - looking back, the effect of this wasn't clear. Lastly ComboFix was run. At the end of all this, wsock321.dll no longer showed up in the System32 folder, and the three basic security features referred to above were restored to normal use.
ComboFix produced a detailed log. Can I post it here for a check?
My concern is that Microsoft's main mission was to get Security Essentials up and running again. They didn't ask for the log. I am not sure therefore whether or not I have only cured part of the issue. Presumably wsock321.dll disabled Security Essentials to let something else run.
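A defender-side check for the lookalike file name described in the post above (an added example, not code from the original post or from any of the tools mentioned): it parses rundll32.exe command lines as Process Explorer shows them and flags a DLL whose name is within a small edit distance of a known system DLL. The sample command lines and the list of known DLL names are constructed for the example.

```python
import re

# Constructed sample process command lines; only the second mirrors the post's pattern.
SAMPLE_COMMAND_LINES = [
    r'C:\WINDOWS\system32\svchost.exe -k netsvcs',
    r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\wsock321.dll",KOAEPDQ',
    r'C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\cryptext.dll",CryptExtOpenCER',
]

# Short, constructed allow-list of genuine Windows DLL names (assumption: extend from a clean host).
KNOWN_SYSTEM_DLLS = {"wsock32.dll", "ws2_32.dll", "shell32.dll", "user32.dll",
                     "kernel32.dll", "advapi32.dll", "cryptext.dll"}
MAX_EDIT_DISTANCE = 2  # how close a name must be to a known DLL to count as a lookalike

# rundll32.exe <dll path, optionally quoted>,<export name>
_RUNDLL32_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?\s*,\s*(\S*)', re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_rundll32(cmdline: str):
    """Return (dll_path, export_name) for a rundll32 command line, else None."""
    m = _RUNDLL32_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def closest_known(dll_name: str):
    """Return (known_dll, distance) for the nearest name in the allow-list."""
    return min(((k, levenshtein(dll_name, k)) for k in KNOWN_SYSTEM_DLLS), key=lambda t: t[1])


def flag_lookalike_dlls(cmdlines):
    """Flag rundll32 loads of a DLL that is not a known system DLL but nearly spells one."""
    hits = []
    for line in cmdlines:
        parsed = parse_rundll32(line)
        if parsed is None:
            continue
        dll_path, export = parsed
        name = dll_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in KNOWN_SYSTEM_DLLS:
            continue  # exact, legitimate name
        known, dist = closest_known(name)
        if dist <= MAX_EDIT_DISTANCE:
            hits.append({"cmdline": line, "dll": name, "lookalike_of": known,
                         "distance": dist, "export": export})
    return hits
```

On a live host, feed it the command lines from Process Explorer or `wmic process get commandline` and review every hit by hand; a near-miss name alone is a lead, not proof.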