downloader.small.54.y

Discussion in 'malware problems & news' started by lkrq, Dec 15, 2005.

Thread Status:
Not open for further replies.
  1. lkrq

    lkrq Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    4
    several W2K systems on our network have been infected today with Trojan Horse Downloader.small.54.y. AVG 7.1 finds it and heals it (vaults it) at first glance, however, when looking at it in the vault AVG states that the infected file is the back up file and cannot be cleaned. The file is WSOCK32.DLL

    The Path: c:\WINNT\SYSTEM32\WSOCK32.DLL

    The systems enter a vicious cycle of rebooting upon 10 seconds of reaching the W2K splash screen.

    When I stop and log in in SAFEMODE WITH NETWORKING I am able to run AVG and it will find it, vault it and state that it cannot clean it and states that the BACKUP is infected and cannot be cleaned.

    I rebooted and the system went into the rebooting cycle again. I find the file at c...W...system32\wsock32.dll and run AVG and it is still contaminated.

    We have had 10 units hit withing 1 hour.

    Thanks in advance for any help.

    HillCoRob
     
    lkrq, Dec 15, 2005
    #1
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    Since there is another person that suddenly had multiple PCs "infected" with the same thing on the same day, also determined by AVG, it is far more likely that it was a false positive from AVG then actually infected systems. Best guess, I'd say AVG deleted a needed system file which is why all those systems, from both people's networks, are now unbootable.

    https://www.wilderssecurity.com/showthread.php?p=632093#post632093
     
    LowWaterMark, Dec 15, 2005
    #2
  3. ettu

    ettu Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    18
    Location:
    Featherston, New Zealand
    Had experience with this virus friday 16th
    found some systems had an uninfected wsock32.dll.

    to fix the infection:
    search for wsock32.dll on each pc then scan all found with AVG, you should find some uninfected
    Copy an uninfected file to floppy or cd
    replace file in DLLcache
    place a copy in system32, but will need to rename it (remember what you called it)
    search registry for 2 entries for wsock32.dll, remove them
    restart pc into command prompt only
    Change directory to system32 folder
    rename wsock32.dll to virus, rename copy as wsock32.dll
    restart pc
    Delete virus
    at this point you are virus free, unsure as yet if any further infections will follow

    If you cannot start your PC.
    Put the HDD into another clean pc
    replace wsock32.dll in system32 and dllcache with clean wsock32.dll
    the computer will start
    remove 2 registry references for wsock32.dll
     
    ettu, Dec 17, 2005
    #3
  4. Graemea

    Graemea Guest

    Same problem on the 16th.

    Mmm .. curious...

    When I checked the sytsem the file was actually infected in the compressed Service Pack 2 files. Weird.
     
    Graemea, Dec 18, 2005
    #4
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    @ lkrq,

    Since you have posted most of your finds and other pertanent info in the other ongoing wsock32.dll thread....I'll close this thread you started so as not to cause duplicate troubleshooting assistance.

    Discussion continued here---> wsock32.dll
     
    Bubba, Dec 19, 2005
    #5
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...