wsock32.dll

Discussion in 'malware problems & news' started by TCFCU, Dec 15, 2005.

Thread Status:
Not open for further replies.
  1. TCFCU

    TCFCU Guest

    I need some BIG help... this morning I had 6 PCs that had a msg from AVG about a Trojan Horse Downloader.Small.54.Y, and it said the file was "WSOCK32.DLL".

    Now those 6 PCs can not boot into Windows... every time they try, it gets them as far as the blue screen right before the "Ctrl Alt Delete" log-in box, then it reboots itself and goes on and on... it just keeps looping. But it will go into "Safe" mode.

    I've been on the phone with Microsoft for over an hour and they didn't know what's going on.

    HELP!!!
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Since there is another person that suddenly had multiple PCs "infected" with the same thing on the same day, also determined by AVG, it is far more likely that it was a false positive from AVG than actually infected systems. Best guess, I'd say AVG deleted a needed system file, which is why all those systems, from both people's networks, are now unbootable.

    https://www.wilderssecurity.com/showthread.php?p=631940#post631940
     
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Try this:

    Go into Safe Mode and rename the AVG folder. Just rename the "Grisoft" folder to "Grisoft123," or anything really. Then try to reboot. You will most likely see some error messages when Windows starts up, but that's okay.

    Go ahead and try that and then report back here.

    Phil
     
  4. lkrq

    lkrq Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    4
    Renaming the GRISOFT folder fixed the problem on every system we have tried so far. Only POWER USERS and ADMINISTRATORS can RENAME the folder.

    THANKS MILLIONS

    LKRQ
     
  5. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203

    You're welcome. I suspected that would work because the same basic thing happened to me back in July.

    Now, in case you haven't figured it out yet, here's what you should do next:

    Rename the Grisoft123 folder (or whatever you renamed it to) back to Grisoft. Then uninstall AVG and replace it with Avast or AntiVir.

    Phil
     
  6. TCFCU

    TCFCU Registered Member

    Joined:
    Dec 15, 2005
    Posts:
    1
    PCALVERT THANKS A MILLION!!!

    It worked!! Thank GOD I didn't go with my worst-case scenario this morning (Format HD) :'(

    I also got my AVG working again. B/C all the PCs that were affected were on SP2 and the rest of the PCs that were not affected have SP4... So I upgraded those 7 PCs to SP4 and renamed AVG back to "GRISOFT" and BADA BING! It works fine... It SUCKS that Grisoft has a bug with their new update(s).

    But why do you think I should replace AVG with Avast or AntiVir??


    Thanks again!!
     
  7. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203

    You're welcome. Lucky for you that I happened to read your message. :)

    Since you got AVG working again, go ahead and keep using it. But if it happens again, I think you know what you should do.

    When this happened to me back in late July, I used a disk image I made on July 8th to recover. Then I waited at least a week before updating AVG again. This seemed to work okay, but within two weeks the problem happened again. So I dumped AVG and started using AntiVir PE.

    Phil
     
  8. XGammo

    XGammo Guest

    Yeah, thanks heaps. I had the same prob; lucky I found this thread..... I dumped AVG & went for Avast... AVG sux big time...
    Thanks again.....
     
  9. ettu

    ettu Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    18
    Location:
    Featherston, New Zealand
  10. ettu

    ettu Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    18
    Location:
    Featherston, New Zealand
    From what I have seen, it looks like this virus infects only W2K pre-SP4.
    Incidentally, we have in excess of 40 PCs running AVG Free & AVG Pro; we have no problems with AVG. Found 1 PC in the last 2 years with an issue, but it was easily remedied, unlike Norton Antivirus.
    I believe this is a new infection, but AVG has detected it.
    Trend Micro Sysclean also detects this virus but cannot remove it.
    AVG removes the files, but they must be replaced, and the registry references don't get removed yet, so they must be removed manually.
     
  11. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Any idea how the little beast gets onto the computer? I did a search the other day on Google and found very little info. I did find links to our discussion of it, though. :)

    Phil
     
  12. ettu

    ettu Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    18
    Location:
    Featherston, New Zealand
    Got to admit this one is difficult.
    Both AVG and Trend find a virus, but there is a question of whether it is a virus or not.
    We had 7 PCs that lost internet connections until the files had been replaced and the registry had had 2 entries removed.
    All systems affected appear to be Win2K with SP2 installed; not all copies of wsock32.dll scan as infected.
    The main issue seems to be the inability to boot successfully after removing wsock32.dll.
    So where it comes from is as yet unanswered, as is what it is.
     
  13. lkrq

    lkrq Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    4
    So far we have determined that all affected systems are W2K PRE SP4, therefore, I will add SP4 then change the directory name back to GRISOFT and try this again.

    The following is from AVG TECH SUPPORT. Their instructions have not worked on any of the systems, even those where we have been able to log on as administrator.

    Will keep you updated on what happens next. Thanks to all who are working with us on solving this problem.

    LKRQ - HillCoRob



    "Thank you for your email.

    We have already reported this problem from other customers - the detected file is a false alarm. This means that the file is correct and virus-free, but AVG detects it as a virus.

    There is a correction update available now - please use the following instructions to fix this problem.

    Do the following, please:

    - Please restart your computer to Safe mode.

    - Open AVG Control Center, double-click on the AVG Resident Shield and unmark the first checkbox "Turn on AVG Resident Shield".

    - Please open AVG Virus Vault (in AVG -> upper menu Program -> Launch Virus Vault), right-click on the file "C:\WINNT\SYSTEM32\WSOCK32.DLL" and choose Restore File(s).

    Then please restart your computer and update your AVG (right-click the AVG icon in the system tray and choose "Check for updates" -> Internet).

    - Please open AVG Control Center, double-click on the AVG Resident Shield and mark the first checkbox "Turn on AVG Resident Shield" to make Resident Shield active.


    Thank you for your cooperation and understanding.


    Best regards,

    Ondrej Novotny
    AVG Technical Support

    website: http://www.grisoft.com
    mailto: technicalsupport@grisoft.com"


    On Thu, 15 Dec 2005 14:45:37 -0600 you wrote:
     
  14. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    The fact that renaming the Grisoft folder allows the affected systems to boot normally indicates that the problem is likely with AVG itself. My guess is that the update changed something about AVG to make it less compatible and, as a result, there is a conflict between AVG and Windows and/or some other application. Or maybe AVG is just totally messed up. :)

    Phil
     
  15. cookee_nz

    cookee_nz Guest

    Re: wsock32.dll (Trojan horse Downloader.Small.54.Z)

    Hi all,

    Yesterday I had a PC (Windows 2K) infected with variant Z of this virus. Like the other postings I've seen, AVG picked it up but Norton didn't.

    The System would boot just to the GUI background then simply keep rebooting at the same point, but it would start in safe mode ok. If I scanned the hard drive in another system, no viruses were detected. Very odd.

    Anyway, it had Service Pack 3 installed so we thought... hmmm? and then on the off-chance installed SP4 in Safe Mode - BINGO - problem fixed. PC now booting normally.

    As luck would have it, we also had a Laptop come in with SP2 on it, that has the variant small.54.y. We put SP4 on that also and bingo, all ok too.

    As is always the case, a simple fix to a %^#&* of a problem. I've probably lost 3-4 hours until I finally got the solution. I hope enough people read this to save them the same grief.

    Possibly on a system with SP4 already in place, you may still be able to apply it again - could be worth a crack.

    I would post this elsewhere as well but who can be bothered signing up to every site that has reported this problem? - this is the only one that let me post without being a member. If anyone else wishes to spread the word about the fix, please feel free.

    Cheers

    Steve Cook & Stuart Abernathy
    ABLE Business Machines Wellington
    New Zealand
     
  16. Dev Null

    Dev Null Guest

    Guys, thanks a lot - I got the Z variant of this last Friday and I have been scratching my head as to how I might have contracted this - I operate a very tight ship. My laptop is W2K SP3 (it didn't have enough space left to install SP4). I installed the excellent TreeSize Professional, which let me find and reclaim 500 MB. I will try an install of SP4 again when I get home.

    The link with AVG makes sense because only my laptop uses AVG. My main PC uses Norton and it couldn't find anything - and my usual sources of virus information are awfully quiet about this one.

    Thanks again!

    Gary.

    (Isn't it ironic that the AV/Anti-spyware/Anti-phishing tools are now starting to disrupt computers more than the things they are trying to prevent...)
     
  17. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    When you find a file that's infected with one of these, please submit it here:

    VirusTotal
    www.virustotal.com/xhtml/index_en.html

    You will be able to see which anti-virus programs are able to detect it. More importantly, the file will be distributed to the ones that don't so they can update their signatures.

    Phil
     
  18. lkrq

    lkrq Registered Member

    Joined:
    Jan 29, 2004
    Posts:
    4
    Thanks to all who worked on this issue with us. In the final analysis, it really appears to have been an AVG PROBLEM of FALSE POSITIVES.

    Below is the latest from AVG Tech Support and this does work, but so does updating W2K to SP4:



    Dear Sir/Madam,

    Thank you for your email.
    You can solve the problem following the instructions below:

    1. Kindly restart your system to the Safe Mode by repeatedly pressing the F8 key immediately after the computer starts to boot and choosing the Safe Mode option from the menu.

    2. Open the C:\WINNT\System32\drivers folder and find the avg7rsnt.sys file

    3. Rename this file (right-click on it and choose "Rename") to avg7rsnt.old

    4. Open AVG Virus Vault and find the wsock32.dll, right-click on it and choose "Restore File(s)".

    5. Restart your computer.

    6. Now, in the normal mode, please update your AVG. After updating, please verify in the upper menu Information -> About AVG, that the version of your Virus Base is 267.14.1/204

    If the update is unsuccessful, please send us the exact wording of the error message that is displayed when you try to update AVG.

    Please send us also the following files:
    - AVG7.LOG from the folder:
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data

    - AVGINET.LOG from the folder:
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\upd7bin

    - UPDATE7.LOG and UPDATE7.LOG.BCK from the folder:
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7upd

    Please note that if the TRIAL version has already expired, you cannot update AVG. In this case please uninstall AVG from your computer so the system file will not be removed by AVG.

    7. If you are able to update AVG, please open the C:\WINNT\System32\drivers folder and rename the avg7rsnt.old file back to avg7rsnt.sys.

    8. Restart your computer and the problem should be resolved.

    9. I strongly recommend that you update your Windows 2000 to the latest Service Pack 4 Rollup 1:

    http://www.microsoft.com/downloads/...cf-8850-4531-b52b-bf28b324c662&DisplayLang=en

    It also contains several critical patches that protect your computer against a large number of virus threats.

    Thank you for your cooperation and please accept our apologies for the inconvenience.


    Best regards,

    Jitka Vondrakova
    AVG Technical Support

    website: http://www.grisoft.com
    mailto: technicalsupport@grisoft.com
    On Mon, 19 Dec 2005 10:45:17 -0600 you wrote:

    >We have tried your suggestion on multiple computers and it does not
    >work. In every instance the RESIDENT SHIELD was already turned off, and
    >our users (non power users) could not turn it on or do anything else.
    >
    >In safe mode, even logged on as ADMINISTRATOR the UPDATE downloaded but
    > the INSTALLATION WAS UNSUCCESSFUL. The only alternative we are
    >left with is to UNINSTALL AVG then REINSTALL AVG. Computers will have
    >to be transported hundreds of miles to our HQ to accomplish this since
    >we do not have ADMINISTRATORS in our outlying offices.
    >
    >We do hope you can solve this issue before we instruct our users to
    >transport those computers.
    >
    >Thank you,
    >
    >
    >lkrq
    >Help Desk/PC Technician
    >IT Dept., Kerrville
     
  19. Definitely a false positive ...
    On an XP system I have a backup of the old (untouched for a long ... time) previous system in the C:\old\ directory.
    Suddenly on the 16th (GMT+10 4am) the C:\old\WINDOWS\system32\wsock32.dll AND C:\old\...\system32\dllcache\wsock32.dll were deleted coz they were considered to be infected.
    However, the directory has also been copied onto the file server (many moons ago) and backed up every day.
    An AVG scan of the file today (the 22nd) in all other backup locations (I've checked 8) says it's now OK (it hasn't changed, of course).
    So it's definitely a false positive that they have now also fixed.
    SO ... those suggesting you should dump AVG - I only ask one question: No other virus checker ever gets false positives? (I have had at least 2 cases in the distant past where Norton couldn't even find a virus that AVG fixed.) I'm not saying to convert to AVG - I am saying that if you dump a virus checker every time you get a problem then you will end up without a virus checker :)
     