Author Topic: dssenh.dll  (Read 19681 times)


tech92117

  • Guest
dssenh.dll
« on: April 24, 2009, 10:48:53 PM »
We just got calls from two separate clients about c:\windows\system32\dssenh.dll within 10 minutes of each other.  These clients have nothing to do with each other.

New virus or a problem with avast?

aromano

  • Guest
Re: dssenh.dll
« Reply #1 on: April 25, 2009, 12:33:47 AM »
Our company has had around a dozen computers infected within 20 minutes today with this as well.  In the bottom right, the On Scan message indicates c:\windows\system32\dssenh.dll has been found.  The name is generic, like trojan.gen {other} so it does not know what it is.  Please help.

polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: dssenh.dll
« Reply #2 on: April 25, 2009, 12:47:29 AM »
Hi aromano.

Name     Dssenh.dll
Size (bytes)    134.48
Version    5.2.3790.0 (srv03_rtm.030324-2048)
Company    Microsoft Corporation

Description
   Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
It is a non-critical OS file of XP, api info:  http://source.winehq.org/WineAPI/dssenh.html

You may check your variety of the dll here for authenticity:
http://www.programchecker.com/selectfiletoscan.aspx
Also upload the file here: http://www.virustotal.com
If only avast and an av that uses the same scanner flag it, it may be a FP.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Nikkis

  • Guest
Re: dssenh.dll
« Reply #3 on: April 25, 2009, 12:50:53 AM »

polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: dssenh.dll
« Reply #4 on: April 25, 2009, 01:10:59 AM »
Hi User322,

Just as I said, the two that flag  use the same engine, so more than likely an avast FP, exclude this file for avast, and this will be probably corrected with the next iAVS Update.
So your version of the dll might be Microsoft's and legit, so OK.
But see here what probably started the false detection and why it was falsely flagged, there must have been malicious versions of this dll around in Taiwan and the United States:
http://www.prevx.com/filenames/3307554365234513872-X1/DSSENH.DLL.html

polonus

tech92117

  • Guest
Re: dssenh.dll
« Reply #5 on: April 25, 2009, 01:36:28 AM »
We have ~10 avast installs and these two sites flagged the file within 20 minutes of each other.  Two separate locations with no relation, other than we manage their IT and use avast.

We pulled the dssenh.dll from an infected machine onto one of our clean machines and it was instantly flagged as a virus.  If avast is false positive flagging a different version of the dll that may be true, but from what we've seen it appears to be a legit virus.

EDIT:  We compared the version of the DLL on different machines.  The clean version and the dirty version are the same.
« Last Edit: April 25, 2009, 01:42:41 AM by tech92117 »

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89144
  • No support PMs thanks
Re: dssenh.dll
« Reply #6 on: April 25, 2009, 01:40:25 AM »
I have that file in my XP Pro SP3 system and a scan by avast doesn't detect anything on that, but there has just been a VPS update 090424-0, so ensure that you have the latest VPS version and scan again.

The MD5 for my file is:
dssenh.dll
MD5:
FEDE68BF80052BAD393AFD5C2E60DCB0

Which matches the one you uploaded to VT MD5...: fede68bf80052bad393afd5c2e60dcb0, so I believe the FP may already have been corrected in the latest VPS update.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
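Added example, not part of any post in this thread: a small triage helper for the check the posters are doing by hand, comparing copies of dssenh.dll pulled from several machines against a reference MD5. It compares digests case-insensitively (the same value appears above in both upper and lower case) and also computes SHA-256, so that two copies sharing an MD5 but differing in content are not treated as identical. The function names, host names and sample bytes are constructed for illustration.

```python
import hashlib
from collections import defaultdict


def digests(data: bytes) -> tuple[str, str]:
    """Return (md5, sha256) hex digests of one file's contents."""
    md5 = hashlib.md5(data, usedforsecurity=False).hexdigest()
    return md5, hashlib.sha256(data).hexdigest()


def same_digest(a: str, b: str) -> bool:
    """Compare hex digests ignoring case and surrounding whitespace."""
    return a.strip().lower() == b.strip().lower()


def triage(samples: dict[str, bytes], reference_md5: str) -> dict[str, str]:
    """Label each host's copy 'reference', 'variant' or 'md5-collision'."""
    info = {host: digests(data) for host, data in samples.items()}
    sha_by_md5 = defaultdict(set)
    for md5, sha256 in info.values():
        sha_by_md5[md5].add(sha256)
    verdict = {}
    for host, (md5, _sha256) in info.items():
        if len(sha_by_md5[md5]) > 1:
            # Same MD5 but different SHA-256: the copies are not identical.
            verdict[host] = "md5-collision"
        elif same_digest(md5, reference_md5):
            verdict[host] = "reference"
        else:
            verdict[host] = "variant"
    return verdict


def demo() -> dict[str, str]:
    # Constructed sample contents and host names; real use would read each
    # collected copy with open(path, "rb").read().
    good = b"MZ constructed stand-in for the known-good dssenh.dll"
    other = b"MZ constructed stand-in for a copy that differs"
    reference = digests(good)[0].upper()  # upper case, as first posted above
    return triage({"site-a": good, "site-b": good, "site-c": other}, reference)


if __name__ == "__main__":
    for host, label in demo().items():
        print(host, label)
```

A copy labelled "variant" is the one worth uploading to a multi-engine scanner or sending to the vendor; copies labelled "reference" that are still flagged point at the detection rather than the file.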

tech92117

  • Guest
Re: dssenh.dll
« Reply #7 on: April 25, 2009, 01:48:10 AM »
We're also running VPS update 090424-0 and just ran an md5 on this dll.

Our MD5 matches the MD5 above.

It still comes back to us as infected.

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89144
  • No support PMs thanks
Re: dssenh.dll
« Reply #8 on: April 25, 2009, 02:15:33 AM »
Very weird, I can't understand how two files with the same MD5 can be detected differently ???

The only thing I can suggest is to send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and probable false positive in the subject.
 
Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there. A copy of the file/s will remain in the original location, so you will need to take further action and can remove/rename that.
 
Send it from the User Files section of the chest (select the file, right click, email to Alwil Software). It will be uploaded (not actually emailed) to avast when the next avast auto (or manual) update is done.

Personally I don't like excluding files if there is an element of doubt to them, but I guess that given the VT results that would be a low risk, but a risk all the same and any exclusion decision would have to be up to you having accepted there may be a risk.

Declaration - I'm just an avast user and in no way associated with Alwil software, just giving an opinion.

You could add it to the exclusions lists:
Standard Shield, Customize, Advanced, Add and
Program Settings, Exclusions (right click the avast ' a ' icon)
Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location.
When it is no longer detected then you can also remove it from the Standard Shield and Program Settings, exclusions.

aromano

  • Guest
Re: dssenh.dll
« Reply #9 on: April 25, 2009, 02:30:27 AM »
Thanks for your help.  Only VBA32 found it suspicious when uploading to virustotal.  MD5...: c8dbfef835ff54467425c8f3abcf7046.  The avast scan removes this file, and I suspect others.  After a boot time scan our users cannot connect to our mail server via Outlook now.  The error is Acquiring Credentials Failed.  Does anyone know where I can get a good copy of this file?  I looked on my XP CD and it was not there.  I don't trust any other PCs in our office.
Thanks

ShaggyMoose

  • Guest
Re: dssenh.dll
« Reply #10 on: April 25, 2009, 02:36:43 AM »
On scanning my system today, Avast 4.8 found Win32.Trojan {Other} in the same DLL. I have a dual boot Vista/XP Professional install and it detected the virus in the XP install. When I boot into XP and check with AVG 8.0, there is no problem found. I can't see anything in HijackThis and there is no strange behavior going on. I suspected a false positive and was surprised to immediately find this topic. Anyone know exactly what is going on yet?

jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: dssenh.dll
« Reply #11 on: April 25, 2009, 03:07:39 AM »
Hello,

please update to new vps (090425-0), this false positive has been just fixed and released.

Best Regards

DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89144
  • No support PMs thanks
Re: dssenh.dll
« Reply #12 on: April 25, 2009, 03:48:11 AM »
Thanks jsejtko, you're up late ;D I'm just about to call it a night nearly 3am here.

blestw4

  • Guest
Re: dssenh.dll
« Reply #13 on: April 25, 2009, 04:04:30 AM »
I am so confused. I was infected with this virus this afternoon. I tried installing the new version. It now says no files are infected but I still can't access any of my accounts that involve my email. I know nothing of computers and all of this is foreign to me.

ShaggyMoose

  • Guest
Re: dssenh.dll
« Reply #14 on: April 25, 2009, 04:37:09 AM »
Thanks for the quick response. I wasn't really worried, but still...