
Combofix log analysis


#1 William Lambton

Posted 18 December 2010 - 12:26 AM


Earlier today, Microsoft helped me deal with a virus which entered my computer on the 11th of this month.

I detected it in part myself through Process Explorer, in the Command Line under Properties for rundll32.exe. The whole command was: C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\wsock321.dll",KOAEPDQ. However, I did not notice the extra "1" in this .dll's file name. I did notice though that by suspending rundll32.exe one function of the virus ceased, namely that of disabling and keeping disabled (i.e. preventing starting) Microsoft Security Essentials, Microsoft Malicious Software Removal Tool and Windows Security Centre (Windows Firewall was unaffected).

Eventually, Microsoft rang up from India and we had a joint session. They quickly noticed the extra figure 1. Deletion of wsock321.dll proving impossible even in Safe Mode, a Kaspersky scan was run, to little effect. Then an IceSword scan - looking back, the effect of this wasn't clear. Lastly Combofix was run. At the end of all this, wsock321.dll no longer showed up in the System32 folder, and the three basic security features referred to above were restored to normal use.

Combofix produced a detailed log. Can I post it here for a check?

My concern is that Microsoft's main mission was to get Security Essentials up and running again. They didn't ask for the log. I am not sure therefore whether or not I have only cured part of the issue. Presumably wsock321.dll disabled Security Essentials to let something else run.

Views welcome.
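The post above found the infection through a rundll32.exe command line loading a DLL whose name differs from the real wsock32.dll by a single extra character. As an added triage aid (not part of the original post or of any tool it mentions), the script below parses rundll32.exe command lines such as the one Process Explorer showed, extracts the DLL path and export name, and flags DLL file names that are one character away from a known system DLL. The sample command lines and the list of legitimate DLL names are constructed and illustrative, not exhaustive.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of process command lines (as Process Explorer's Properties > Command Line shows them).
SAMPLE_COMMAND_LINES = [
    r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\wsock321.dll",KOAEPDQ',
    r'C:\WINDOWS\system32\rundll32.exe shell32.dll,Control_RunDLL',
    r'C:\WINDOWS\system32\svchost.exe -k netsvcs',
]

# Legitimate system DLL names that lookalike names imitate (illustrative list, not exhaustive).
KNOWN_SYSTEM_DLLS = {"wsock32.dll", "ws2_32.dll", "shell32.dll", "kernel32.dll", "user32.dll"}

# rundll32.exe <dll>,<export>; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?\s*,\s*(\S+)', re.IGNORECASE)


def parse_rundll32(cmdline):
    """Return (dll_path, export_name) for a rundll32.exe command line, else None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def within_one_edit(a, b):
    """True if a != b and exactly one insertion, deletion or substitution turns b into a."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) < len(b):
        a, b = b, a                      # make a the longer (or equal-length) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i, j = (i + 1, j) if len(a) > len(b) else (i + 1, j + 1)  # extra char vs substitution
    return True                          # any leftover char in a is the single extra character


def flag_lookalike_rundll32(cmdlines, known=KNOWN_SYSTEM_DLLS):
    """Return (cmdline, dll_name, imitated_dll) for rundll32 loads of a DLL whose file
    name is one character away from a known system DLL, e.g. wsock321.dll vs wsock32.dll."""
    hits = []
    for cl in cmdlines:
        parsed = parse_rundll32(cl)
        if parsed is None:
            continue
        dll_name = PureWindowsPath(parsed[0]).name.lower()
        for legit in known:
            if within_one_edit(dll_name, legit):
                hits.append((cl, dll_name, legit))
                break
    return hits
```

Running flag_lookalike_rundll32 over the samples flags only the wsock321.dll entry; a real command-line dump from Process Explorer or a Combofix log can be fed in the same way, with the DLL list extended to the system DLLs present on the machine.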
