Author Topic: win32:patched-kw  (Read 10501 times)


loustrk

  • Guest
win32:patched-kw
« on: July 30, 2009, 03:43:51 AM »
When I turned on my computer tonight I received a bunch of errors
on boot up followed by a warning from avast that it found a Trojan. When
I tried to move to chest or delete I got the message that this was
a read file and it couldn't move it. I let avast do a boot-time scan with
the same results. I also ran Malwarebytes and ad-aware and they didn't
find anything. This took out my internet connection so I'm posting from
my wife's mini. Any ideas?
The file was found in c:\windows\system32\ws2_32.dll

Thanks in advance.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32:patched-kw
« Reply #1 on: July 30, 2009, 03:31:23 PM »
Can't the boot time scanning move the file to Chest? ???
What's the error message?

Read the instructions, download and burn (maybe from another computer), finally use one of these rescue CDs:
1. Avira
2. Kaspersky
3. BitDefender
4. F-Secure
5. Dr. Web
The best things in life are free.

loustrk

  • Guest
Re: win32:patched-kw
« Reply #2 on: July 30, 2009, 06:08:20 PM »
It tells me that the file is a "read file cannot process"
When I did the scan in boot time, it found the problem but again, when I tried
to move to chest or delete came up with "error cannot move"
I will try the list you posted tonight and report back.
Thank you

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: win32:patched-kw
« Reply #3 on: July 30, 2009, 06:55:21 PM »
try DrWeb CureIt, if it is able to fix the file... it has been patched to do something bad, but the patched snippet is difficult to clean (without replacing the whole library from the OS cd)..

loustrk

  • Guest
Re: win32:patched-kw
« Reply #4 on: July 30, 2009, 08:31:08 PM »
Thank you for your replies,
Was able to download Dr. Web CureIt, F-Secure Easy Clean, Avira removal tool and
the rescue disc. No media at work so all went into my phone's sd card :). No more
room for anything else so I'll give these a try when I get home.
Thanks again everyone.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: win32:patched-kw
« Reply #5 on: July 30, 2009, 09:59:29 PM »
Hi Maxx_original,

As the file can be used maliciously and one has to repair Winsock afterwards
( http://www.snapfiles.com/get/winsockxpfix.html ), the file can also be altered to be used as a Proxy file to create a kind of personal FW: http://www.codeproject.com/KB/DLL/ReplaceWindowsSocketsDLLs

The code and files are dangerous, because they hack windows system files, a thing that is also done by the malware version at hand,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

JeebuzC

  • Guest
Re: win32:patched-kw
« Reply #6 on: July 31, 2009, 04:13:44 AM »
Was actually wondering if you had any success with the fixes mentioned above... I've run quite a few different things that worked for me in the past to no avail.  Same problem, avast won't leave me alone about the problem.  If you can replace the file, would anyone know where you could go about getting it?  Any help would be appreciated.

ifixthings

  • Guest
Re: win32:patched-kw
« Reply #7 on: July 31, 2009, 07:46:21 AM »
Hi loustrk-

If you haven't resolved your issue yet I have the solution.  A friend of mine called me with the exact same problem.  I fixed his computer by using the Windows Recovery Console.  You will need an XP install disc and a copy of the c:\windows\system32\ws2_32.dll file from an uninfected computer.  If you boot from the XP CD- when you get to the installation options screen just select the launch recovery console option.  From the console you can delete or rename the infected file and then copy the clean file from a CD or flash drive to the system 32 folder.  If you don't know how to use the recovery console please reply and I will post step by step instructions.  I tried several of the suggestions already posted with no success, but when I replaced the infected file with a clean copy everything functioned perfectly- we regained internet access and avast stopped reporting a trojan.  We are currently doing a complete system scan for additional issues, but things look promising.  Good luck.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: win32:patched-kw
« Reply #8 on: July 31, 2009, 01:43:42 PM »
Thanks for posting ifixthings. Welcome to avast forums.

loustrk

  • Guest
Re: win32:patched-kw
« Reply #9 on: July 31, 2009, 04:09:51 PM »
Well I got home last night and ran all the programs from the list above to no avail >:(. The programs all came up
ok. IFIXTHINGS, If you could give me a step by step I would really appreciate it! I have my xp install disc and I
can get a copy of the dll file from my wife's computer if you tell me how. I was about to go home tonight and
just re-format the whole computer because of the frustration I'm feeling right now, but thanks to all the replies
I don't feel alone and I'll give it another shot.
Again, thanks to everyone for all the help.
Lou



ifixthings

  • Guest
Re: win32:patched-kw
« Reply #10 on: July 31, 2009, 08:03:19 PM »
Here we go-
To copy the dll file from the source computer- double-click 'my computer', double-click the windows folder, then double-click the system32 folder.
You should find the ws2_32.dll file in this folder. Right click on this file and select 'copy'. Insert your media (blank CD or flash drive); open the media by double-clicking the icon for it in windows explorer; select 'paste' from the edit menu at the top of the explorer window. If you are burning onto a CD select 'burn these files to CD' from the panel at the left of the explorer screen. Note- using a CD may be better than a flash drive- some older computers can't access a flash drive outside of the windows environment.

1. Boot computer with XP CD and wait for it to get to the main installation screen; it should give you the option of pressing 'R' to start the recovery console. Do that.
2. You should see a command prompt - C:\windows>
3. Type- cd system32
then hit 'enter'
4. The command prompt should now read C:\windows\system32>
5. Type- rename ws2_32.dll ws2_32.bad
then hit 'enter'
Next you need to find out the drive letter assigned to your CD drive or flash drive; insert your media-
type d: and hit enter; if the command prompt changes to D:\> then type dir and hit enter.  If you see your clean copy of ws2_32.dll listed, then you've got the right drive letter.  If not, repeat the procedure using the letter E in place of D; proceed through the alphabet until you get the right drive letter.
6. Type the following, substituting the ? with the drive letter for your removable media-
copy ?:\ws2_32.dll c:\windows\system32
then hit 'enter'
For example, if your removable media were assigned the letter E the command would be- copy e:\ws2_32.dll c:\windows\system32
7. If the above steps are correctly executed, you can remove your cd and type exit at the command prompt to reboot the system
All should be well at this point.  Hope I didn't over or under simplify this.  Best of luck
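
A check that fits the file-replacement procedure above, as an added example that is not part of the original thread: before trusting a ws2_32.dll copied from another machine, compare it byte for byte with the flagged copy (for instance the renamed ws2_32.bad) to confirm the two differ and to see how large the patched region is. The sample bytes are constructed and the function names are illustrative.

```python
import hashlib
import sys
from pathlib import Path


def diff_ranges(reference: bytes, suspect: bytes, merge_gap: int = 8):
    """Return (offset, length) runs where the buffers differ.

    Runs separated by fewer than merge_gap identical bytes are merged;
    a final entry covers bytes present in only one of the two files."""
    ranges, start, last = [], None, None
    common = min(len(reference), len(suspect))
    for i in range(common):
        if reference[i] == suspect[i]:
            continue
        if start is None:
            start = i
        elif i - last > merge_gap:
            ranges.append((start, last - start + 1))
            start = i
        last = i
    if start is not None:
        ranges.append((start, last - start + 1))
    if len(reference) != len(suspect):
        ranges.append((common, abs(len(reference) - len(suspect))))
    return ranges


def compare_files(reference: bytes, suspect: bytes) -> dict:
    """Summarise how a suspect file differs from a trusted reference copy."""
    return {
        "reference_sha256": hashlib.sha256(reference).hexdigest(),
        "suspect_sha256": hashlib.sha256(suspect).hexdigest(),
        "identical": reference == suspect,
        "size_delta": len(suspect) - len(reference),
        "changed": diff_ranges(reference, suspect),
    }


# Constructed sample data (not real DLL contents): a 256-byte "clean" buffer
# and a copy with 5 bytes overwritten at 0x80 plus 16 bytes appended.
CLEAN = b"MZ" + bytes(62) + b"\x90" * 192
PATCHED = CLEAN[:0x80] + b"\xe9\x10\x20\x30\x40" + CLEAN[0x85:] + b"\xcc" * 16

if __name__ == "__main__":
    # Usage: script.py <reference copy> <flagged copy>; no arguments = sample.
    if len(sys.argv) == 3:
        ref, sus = (Path(p).read_bytes() for p in sys.argv[1:3])
    else:
        ref, sus = CLEAN, PATCHED
    for key, value in compare_files(ref, sus).items():
        print(f"{key}: {value}")
```

The comparison is only meaningful when the reference copy comes from the same Windows version and service pack as the flagged machine; copies from different builds will differ throughout.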

ifixthings

  • Guest
Re: win32:patched-kw
« Reply #11 on: July 31, 2009, 08:22:42 PM »
Hi Lou-
Short follow-up to my previous post.
If you need more detail let me know and I can assemble some screen shots, but that will take a few hours to put together.

loustrk

  • Guest
Re: win32:patched-kw
« Reply #12 on: August 01, 2009, 04:25:35 PM »
Thank you for the detailed instructions!
I ran into a problem but I think I have the issue resolved, let me know what you think.
I put a copy of the clean file on my sd card and also on my phone, I used the xp cd to
boot into recovery mode, got to the windows system 32 directory and I renamed the
file to ws2_32.bad.
This is where I had my problem, from recovery mode, the computer would not find
my sd card or my phone. Now I know for sure that my sd card slot is E: and my phone
comes up as H: It couldn't see the h drive and when I went to the e drive and did
a dir the ws2_32.dll file wasn't there, there were about 10 files that I didn't recognize and they
were all old. Even when I popped the sd card out, I was getting the same dir. Tried to copy the
file anyway but of course it didn't work.

Here is what I did, let me know if you think it's ok.
First I renamed the file back to ws2_32.dll so I could boot up my computer again without
the xp cd. It came up with the same errors along with no internet. I put a copy of the
ws2_32.dll file from my sd card to my desktop, then I went into my computer, windows, system32.
I found the ws2_32.dll file in there and renamed it to ws2_32.bad. then I copied the good file
from my desktop into the system32 dir then I re-booted.

Everything came up fine, no errors and I had my internet connection, first thing I did was run the scan again,
I got the warning from avast again but this time it let me move the 3 files to the chest. At the end of the scan
it said successful, 3 files moved to the chest. one was the ws2_32.bad file that I renamed.
I did the scan again and it came up clean, been running all night and it seems ok.

Thanks again to you and everyone else for all the help!
Lou

ifixthings

  • Guest
Re: win32:patched-kw
« Reply #13 on: August 01, 2009, 05:30:18 PM »
Good Job Lou!

Your solution was clever and yes, everything should be good now.

JeebuzC

  • Guest
Re: win32:patched-kw
« Reply #14 on: August 02, 2009, 09:22:21 PM »
Any chance anyone knows where to get the file?  All of my friends are either mac users, or run vista... Wasn't able to get a clean file from anyone...