PDA

View Full Version : WS2_32.DLL/Patch -- what a pain



CaveatEmpty
2009-08-05, 02:19
@ :\windows\system32\WS2_32.dll

AVG started complaining about this last nite, but couldn't kill it.

I did find a clean version (hidden) in :\windows\system32\dllcache -- seems to have been parked there by SP2 -- but, of course, the 'running' version is defended.

As the day went along, AVG update froze, then browser windows (IE6 & FireFox) started shutting down, and finally the wireless connection died.

Thanks to 'flash-drive-net', HJT and Jotti & VirusTotal logs follow:

Thanks.
==========================================
Filename: ws2_32.dll
File size: 82944 bytes
Filetype: PE32 executable for MS Windows (DLL) (console) Intel 80386 32-bit

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:35 PM, on 8/4/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Utils\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Utils\AVG8\avgemc.exe
C:\Utils\AVG8\avgrsx.exe
C:\Utils\AVG8\avgnsx.exe
C:\Utils\AVG8\avgcsrvx.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\system32\RunDll32.exe
C:\Utils\AVG8\avgtray.exe
C:\Utils\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\system32\svchost.exe
C:\Utils\HijackThis-Trend\HijackThis.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Utils\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utils\Spybot-S&D\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [BMMMONWND] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll,BMMAutonomicMonitor
O4 - HKLM\..\Run: [BLOG] rundll32.exe C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ACTray] C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe
O4 - HKLM\..\Run: [ACWLIcon] C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [AVG8_TRAY] C:\Utils\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Utils\Java\jre6\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utils\Java\jre6\bin\npjpi160_13.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utils\Java\jre6\bin\npjpi160_13.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Utils\Spybot-S&D\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.scottrade.com
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Utils\AVG8\avgpp.dll
O20 - Winlogon Notify: ACNotify - ACNotify.dll (file missing)
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Unknown owner - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Utils\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Utils\AVG8\avgwdsvc.exe
O23 - Service: ThinkPad PM Service (IBMPMSVC) - Lenovo - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: IPSEC Services PolicyAgentWebClient (PolicyAgentWebClient) - Unknown owner - C:\WINDOWS\system32\7C.tmp.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
--
End of file - 5954 bytes



=== Jotti Log ====
[ArcaVir] 2009-08-04 Found nothing
[G DATA] 2009-08-04 Trojan.Patched.EM
[A-Squared] 2009-08-04 Found nothing
[Ikarus] 2009-08-04 Found nothing
[Avast! antivirus] 2009-08-04 Win32:Patched-KW
[Kaspersky Anti-Virus] 2009-08-04 Found nothing
[Grisoft AVG Anti-Virus] Operation timed out
[ESET NOD32] 2009-08-04 Found nothing
[Avira AntiVir] 2009-08-04 Found nothing
[Norman Virus Control] 2009-08-04 Found nothing
[Softwin BitDefender] 2009-08-04 Trojan.Patched.EM
[Panda Antivirus] 2009-08-03 Found nothing
[ClamAV] 2009-08-04 Found nothing
[Quick Heal] 2009-08-04 Found nothing
[CPsecure] 2009-08-04 Found nothing
[Sophos] 2009-08-04 Mal/WSHack-A
[Dr.Web] 2009-08-04 Found nothing
[VirusBlokAda VBA32] 2009-08-03 Found nothing
[Frisk F-Prot Antivirus]2009-08-03 Found nothing
[VirusBuster] 2009-08-04 Found nothing

=== VirusTotal ===
a-squared 4.5.0.24 2009.08.04 -
AhnLab-V3 5.0.0.2 2009.08.03 -
AntiVir 7.9.0.240 2009.08.04 -
Antiy-AVL 2.0.3.7 2009.08.04 -
Authentium 5.1.2.4 2009.08.03 -
Avast 4.8.1335.0 2009.08.04 Win32:Patched-KW
AVG 8.5.0.406 2009.08.04 Win32/Patched
BitDefender 7.2 2009.08.04 Trojan.Patched.EM
CAT-QuickHeal 10.00 2009.08.04 -
ClamAV 0.94.1 2009.08.04 -
Comodo 1863 2009.08.04 -
DrWeb 5.0.0.12182 2009.08.04 -
eSafe 7.0.17.0 2009.08.04 -
eTrust-Vet 31.6.6657 2009.08.04 -
F-Prot 4.4.4.56 2009.08.03 -
F-Secure 8.0.14470.0 2009.08.04 -
Fortinet 3.120.0.0 2009.08.04 -
GData 19 2009.08.04 Trojan.Patched.EM
Ikarus T3.1.1.64.0 2009.08.04 -
Jiangmin 11.0.800 2009.08.04 -
K7AntiVirus 7.10.810 2009.08.04 -
Kaspersky 7.0.0.125 2009.08.04 -
McAfee 5697 2009.08.03 -
McAfee+Artemis 5697 2009.08.03 -
McAfee-GW-Edition 6.8.5 2009.08.04 -
Microsoft 1.4903 2009.08.04 Trojan:Win32/Patched.L
NOD32 4305 2009.08.04 -
Norman 6.01.09 2009.08.04 -
nProtect 2009.1.8.0 2009.08.04 -
Panda 10.0.0.14 2009.08.03 -
PCTools 4.4.2.0 2009.08.04 -
Prevx 3.0 2009.08.04 -
Rising 21.41.14.00 2009.08.04 -
Sophos 4.44.0 2009.08.04 Mal/WSHack-A
Sunbelt 3.2.1858.2 2009.08.04 -
Symantec 1.4.4.12 2009.08.04 -
TheHacker 6.3.4.3.375 2009.08.01 -
TrendMicro 8.950.0.1094 2009.08.04 -
VBA32 3.12.10.9 2009.08.04 -
ViRobot 2009.8.4.1867 2009.08.04 -
VirusBuster 4.6.5.0 2009.08.04 -
==================================================

/.

CaveatEmpty
2009-08-06, 04:44
Additional thinking (and despiration!) led me to 'trying' an SP2-on-disk .. "add features - communications" (?) -- seems to have 'refreshed' the offending DLL.
Wireless restored by itself, AVG has fresh updates, and the world is rosy :yahoo:

See y'all next time.
/.