Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


wcdrtc32.dll and wcdrtc32.dl_

  • This topic is locked This topic is locked
7 replies to this topic

#1 Hermo


  • Members
  • 7 posts
  • Local time:11:45 PM

Posted 19 November 2011 - 01:45 PM

Hello im infected by wcdrtc32.dll and wcdrtc32.dl_ its located in C:\WINDOWS\system32
and im little bit worried because i cannot delete it or quarantine.
My Nod32 Antivirus 5 tells me its unable to clean.
from Now on i cannot open some ''.exe'' files because it says that i have no permission.
I am only Administrator in this computer.
Please help!

AhnLab-V3 2011.11.19.00 2011.11.19 -
AntiVir 2011.11.18 W32/Sality.xx
Antiy-AVL 2011.11.19 -
Avast 6.0.1289.0 2011.11.19 Win32:Sality-FX
AVG 2011.11.19 -
BitDefender 7.2 2011.11.19 -
ByteHero 2011.11.14 -
ClamAV 2011.11.19 -
Commtouch 2011.11.19 -
Comodo 10780 2011.11.18 -
DrWeb 2011.11.19 -
Emsisoft 2011.11.19 -
eSafe 2011.11.18 -
eTrust-Vet 37.0.9576 2011.11.19 Win32/Sality.R!DLL
F-Prot 2011.11.19 -
F-Secure 9.0.16440.0 2011.11.19 -
Fortinet 4.3.370.0 2011.11.19 -
GData 22.283/22.516 2011.11.19 Win32:Sality-FX
Ikarus T3. 2011.11.19 -
Jiangmin 13.0.900 2011.11.16 -
K7AntiVirus 9.119.5497 2011.11.19 -
Kaspersky 2011.11.19 -
McAfee 5.400.0.1158 2011.11.19 -
McAfee-GW-Edition 2010.1D 2011.11.19 Heuristic.BehavesLike.Exploit.CodeExec.FFJO
Microsoft 1.7801 2011.11.19 -
NOD32 6643 2011.11.19 -
Norman 6.07.13 2011.11.19 -
nProtect 2011-11-19.01 2011.11.19 -
Panda 2011.11.19 -
PCTools 2011.11.19 Malware.Sality
Prevx 3.0 2011.11.19 -
Rising 2011.11.18 -
Sophos 4.71.0 2011.11.19 -
SUPERAntiSpyware 2011.11.19 Trojan.Agent/Gen-Nullo[Short]
Symantec 20111.2.0.82 2011.11.19 W32.Sality.V
TheHacker 2011.11.19 W32/Warezov.et
TrendMicro 9.500.0.1008 2011.11.19 -
TrendMicro-HouseCall 9.500.0.1008 2011.11.19 -
VBA32 2011.11.18 -
VIPRE 11088 2011.11.19 -
ViRobot 2011.11.19.4782 2011.11.19 -
VirusBuster 2011.11.18

Type: Virus
Discovered: 16.11.2006
Updated: 13.02.2007
Affected systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
AV Vendor: Symantec


When W32.Sality.V is executed, it performs the following actions:

•Drops the following files:

•%System%\wcdrtc32.dl_ - 17,876 bytes, detected as W32.Sality.V
•%System%\wcdrtc32.dll - 25,600 bytes, detected as W32.Sality.V

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

•Creates the following mutex:


•Injects wcdrtc32.dll into explorer.exe process.

•Infects .exe and .scr files on drives C to Z.

•Numerates the following registry key entries and infects .exe files that are referenced as data values:


•Appends itself by creating a new section 'trdata'. The section size is 20,480 bytes.

•Deletes files with the following extensions:


•Deletes .key files containing the following string:


•Deletes files whose name starts with:


•Checks for Internet connection by querying the following URL:


•Attempts to connect to the following URL:


•Appends the following lines to the file %System%\SYSTEM.INI:


Any help is appreciated.

Attached Files

Edited by Orange Blossom, 20 November 2011 - 01:24 PM.
Deactivated link. ~ OB

BC AdBot (Login to Remove)


#2 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,769 posts
  • Gender:Male
  • Local time:05:45 PM

Posted 24 November 2011 - 01:50 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/428528 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:45 PM

Posted 25 November 2011 - 02:52 PM

Hello Hermo, are you still there?

If so, please follow the "HelpBot" instructions in the previous post, and I will get back with you once I research the requested scans.

Best Regards,

#4 Hermo

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:45 PM

Posted 26 November 2011 - 02:23 AM

Description is up there, I used the Dr.Web CureIt, it detected 90 infected files ( but theres alot more of them) and i was able to clean them, but they still get infected by Sality.NAL. Somehow i deleted the Sality.NAL but it keeps coming back to my system32 folder.
My Operating System is Windows XP Professional.
I don't have Windows XP CD available.


Attached Files

Edited by Hermo, 26 November 2011 - 05:13 AM.

#5 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:45 PM

Posted 26 November 2011 - 03:18 PM

Hey Hermo :)

I'm afraid I have very bad news. Your system is infected with a nasty variant of Win32/Sality. This family of malware is a polymorphic file infector which infects .exe, .scr files, downloads more malicious files to your computer, steals sensitive system information/passwords and sends it back to the attacker.

Please see Kaspersky's Threat Encyclopaedia of Win32.Sality.NAO.

With this particular infection, the safest solution and only sure way to remove it effectively is to reformat and reinstall the OS.

As with many other malware, Sality disables antivirus software and prevents access to certain antivirus and security websites. Sality can also prevent booting into Safe Mode and may delete security-related files found on infected systems. To spread via the autorun component, Sality generally drops a .cmd, .pif, and .exe to the root of discoverable drives, along with an autorun.inf file which contains instructions to load the dropped file(s) when the drive is accessed.

About Sality Virus

If the computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised and change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach.Because your computer was compromised please read:

Since Win32.Sality is not effectively disinfectable, your best option is to perform a full reformat as there is no guarantee this infection can be completely removed. In most instances it may have caused so much damage to your system files that it cannot be completely cleaned or repaired. In many cases the infected files cannot be deleted and anti-malware scanners cannot disinfect them properly. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:


I know this is not what you were hoping to hear, but in this case, it is the best course of action.

Do you have any further questions?

Best Regards,

#6 Hermo

  • Topic Starter

  • Members
  • 7 posts
  • Local time:11:45 PM

Posted 26 November 2011 - 04:09 PM

Thank you for the HELP!
Really appreciated.

I perform OS install as soon as i can.



#7 oneof4


  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective
  • Local time:04:45 PM

Posted 28 November 2011 - 08:01 AM


Best Regards,

#8 m0le


    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:09:45 PM

Posted 02 December 2011 - 06:16 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Posted Image
m0le is a proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users