The problem. Please help

How can I cure this disease? Blocking these files means a lack of internet access. DB version - 3614

[attachment deleted by admin]

Maybe try the following: download Malwarebytes, run a full scan, and then reset your winsock.

reset winsock instructions

  1. Click Start > Run from the Windows Desktop.
  2. In the Open: field type CMD, then click OK. The Windows Command Console will appear.
  3. In the Command Console window type netsh int ip reset c:\Reset.txt
  4. Press Enter on the keyboard.
  5. In the Command Console window type netsh winsock reset
  6. Press Enter.
  7. Close the Windows Command Console and restart the computer. Internet connectivity will be restored.

Failed. It's still alive.

Maybe there's a rootkit. Download GMER from

gmer.net and run it

I can't kill these files by means of GMER because they are necessary. I could not use the results of the GMER scanning because I don't know how.

Rootkit Unhooker show this (look at attached picture), for example. Do I need to unhook it?

[attachment deleted by admin]

Well, try to quarantine them; if that breaks your network, restore them and tell me :wink:

or you can use a cure scanner like doctor web cureit

http://www.freedrweb.com/download+cureit/gr/

you can upload the infection and comodo can create a cure for it

Mswsock.dll and termsrv.dll may be legitimate Windows files. There are legitimate files with these names in the system32 folder. We may be looking at false positives from CIS. What is your setting for Heuristics?

Restore the file from quarantine and check its properties. See if they look like they are from Microsoft. For references I attached the images of the properties of these files of my Win 7 system.

Can you post screenshots of the properties of those two files on your system?

[attachment deleted by admin]

They are from the Russian version of Windows XP SP3 (it looks like).

jay2007tech, I have done it

I know that they are legitimate Windows files, but they could be modified in some way.

If you look at the first picture in this thread which was attached by me (here), you can see that it says "Backdoor". Not some HeurXXX, but BACKDOOR from the database.

I'm scared.

[attachment deleted by admin]

Hi Scary_bear,

First of all don’t be scared.

Are you running a completely Russian localized version of XP Pro?

Just submit files to Comodo lab - password protect the archive and e-mail.

If you quarantined such files without investigating first - please don’t do that anymore ever.

Even if the files were tampered with / substituted / infected, you cannot quarantine such vital system files. A special procedure may be required in order to restore system files
(sometimes the system itself will be able to recover … but that is not guaranteed at all).

Most AVs are failing in cleaning things like that. You can end up with the system damaged beyond repair.

Eric most likely is right regarding FPs.

But he showed properties for Win 7 which are very different

I attached properties for XP Pro. They are just a bit different to compare to what you showed. That is not necessarily wrong. That just has to be investigated.

I have English version with Russian & Ukrainian as two other languages

If you speak Russian, please feel free to PM me and I will tell you the place where to go in order to check your system properly… but I think that just submitting the files to Comodo as suggested will resolve the issue.

Finally, to those who offered using GMER, Dr.Web and the like, and trying to fix / heal with software you most likely know little about… or whatever. Just bluntly: shame on you! … as simple as that!

Cheers!

[attachment deleted by admin]

Hi, SiberLynx,

Yes, I am running a completely Russian localized version of XP Pro.

Just submit files to Comodo lab - password protect the archive and e-mail.
They need my email? OK: xxxx[at]xxxx.xxx. I have submitted these files. I have checked them on virustotal.com. mswsock.dll - no results, not even Comodo ( ???). termsrv.dll - trojan... ("Sunbelt").

By the way, I have AVIRA AntiVir Personal installed. She said nothing. The computer is clean in her opinion.

I didn't understand the bit about Russian. If someone understands what I am writing, feel free to go ahead.

I didn't understand the bit about GMER and Dr.Web either. The good thing about GMER is that a person who doesn't understand what is written there is unlikely to press any buttons. But Dr.Web… it pretends it knows what to do. Once I "killed" a system while trying to cure it with that program.

I think it's just an unknown rootkit.

Just say what I need to unhook?

Mod Edit : private email address removed

Scary_Bear,

First, please remove your e-mail. That is not a safe thing to do in an open forum.

Who are the "they" that need your e-mail? Comodo? No, you have to send the suspects to any vendor that produces flaggings, for their analysis of the code (attach a password-protected archive).

As far as I remember the address is malwaresubmit[at]avlab.comodo.com
EricJH can correct me if I’m wrong
I'm not using Comodo's AV so I may be wrong, but there is a special thread here about the submission.

As for the part in Russian … not sure that it is appropriate to post it here therefore I mentioned PM or there is a Russian section.

So in that Russian part you are talking about not touching buttons in GMER :slight_smile: Yes, that is true,
but not everybody knows that when the advice is given.
Some will see "red text" and do the damage in a split second.
As for quarantining and healing and killing the system (Dr. Web in your example),
that was my second point in the previous post. Any security software can do that when people blindly quarantine files from the system area, or have auto-quarantine/delete/heal enabled. That must be disabled.
At the same time, Dr. Web has some very strong points in cleaning certain types of infections, but you have to be guided by a professional who knows at what stage and how, based on the other necessary information provided about your system.

If the on-line scan by Comodo does not flag the files currently, then it shouldn't flag them on your PC with the latest DB either. Is that the case?
If so, they fixed it already

Why would you think it's a rootkit?
You did not describe any symptoms of the system's misbehaviour, just some flaggings.
Mswsock.dll is an extension for Winsock (Sockets Service Provider) …
Do you have any problems with connection?

My regards

p.s. and AVIRA is not “she” but “it” :wink:
That is in Russian It sounds like some female name… indeed ;D

I checked the version numbers of mswsock.dll and termsrv.dll on my XP SP3 installation (full Dutch with all updates installed).

The version numbers now have me puzzled.

                EricJH    SiberLynx    Scary_bear
  mswsock.dll   5625      5625         5649
  termsrv.dll   5512      5512         5815

Scary_bear’s version numbers are newer than SiberLynx’s and mine. Scary_bear: do you have any clue why you have newer versions?

There should be backup copies of mswsock.dll and termsrv.dll in the C:\WINDOWS\ServicePackFiles\i386 folder.

When there is no explanation for why these files have a higher version, I am thinking of the following "cure". Boot to safe mode and rename the two files to mswsock.dll.bak and termsrv.dll.bak and copy the backup files from C:\WINDOWS\ServicePackFiles\i386 to system32. Make sure they have the same version numbers as SiberLynx and I have.

[attachment deleted by admin]

Hi Guys,

I wouldn’t hurry with the substitution yet

Here is a little table to compare

==============
mswsock.dll
i386 - 5.1.2600.5512 (xpsp.080413-0852)
system - 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)

termsrv.dll
i386 - 5.1.2600.5512 (xpsp.080413-2111)
system - 5.1.2600.5512 (xpsp.080413-2111)

As you can see the version of mswsock.dll in i386 is different
and this one is more important as I understand since definitely in use.

I did not have time yet to look deeper and find how the localization may relate to the difference in versions. Not sure that it will be an easy task if searching the MS site.
Probably the way is asking in an MS forum and/or newsgroup, which I can do later.

Meanwhile, Scary_bear - you can request the thing in the Russian section.
I am sure that the guys there will provide info about the version they have.

As a matter of fact, do you have all MS patches in place?

Cheers!

On my Windows XP SP3 installation I can confirm for the files in C:\WINDOWS\ServicePackFiles\i386:
mswsock.dll .5512
termsrv.dll .5512

The proper version for mswsock.dll can be found in C:\WINDOWS\system32\dllcache. There I find the .5625.

Recapitulating. Scary_bear may be able the find the proper version of mswsock in C:\WINDOWS\system32\dllcache and the proper version for termsrv.dll in C:\WINDOWS\ServicePackFiles\i386.

Can you confirm this SiberLynx?
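The comparison the two posts above do by hand (system32 copy against the dllcache and ServicePackFiles\i386 backups) can be scripted. The following is an added example, not code from any poster in this thread or from Comodo. It assumes the three folder paths named in the thread, and it is written for PowerShell 2.0 (the newest version that runs on XP), so the SHA-256 hash is computed through .NET rather than with Get-FileHash.

```powershell
# Added example, not from any post in this thread.
# For each DLL named in the thread, list file version, SHA-256 hash and
# Authenticode status of the live copy and of the two backup copies
# Windows XP keeps, then warn when the live copy matches neither backup.
# Paths assumed from the thread; run in an elevated PowerShell prompt.

$names  = 'mswsock.dll', 'termsrv.dll'
$labels = 'system32', 'dllcache', 'i386'
$copies = @{
    'system32' = Join-Path $env:SystemRoot 'system32'
    'dllcache' = Join-Path $env:SystemRoot 'system32\dllcache'
    'i386'     = Join-Path $env:SystemRoot 'ServicePackFiles\i386'
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing works on PowerShell 2.0, where Get-FileHash does not exist.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-CopyInfo([string]$Name, [string]$Label, [string]$Dir) {
    $path = Join-Path $Dir $Name
    if (-not (Test-Path $path)) {
        return New-Object PSObject -Property @{
            File = $Name; Copy = $Label; Version = '(missing)'; Hash = ''; Signature = '' }
    }
    $item = Get-Item $path -Force
    # XP system DLLs are catalog-signed, so 'NotSigned' on an XP box is
    # expected; a status like 'HashMismatch' on an embedded signature is
    # what would actually be telling.
    $sig = Get-AuthenticodeSignature $path
    New-Object PSObject -Property @{
        File      = $Name
        Copy      = $Label
        Version   = $item.VersionInfo.FileVersion
        Hash      = Get-Sha256Hex $path
        Signature = $sig.Status
    }
}

$rows = foreach ($n in $names) {
    foreach ($label in $labels) { Get-CopyInfo $n $label $copies[$label] }
}
$rows | Format-Table File, Copy, Version, Signature, Hash -AutoSize

# A live copy whose hash matches neither backup deserves a closer look, or a
# vendor submission as the thread recommends. It is not proof of tampering:
# a later hotfix legitimately updates system32 and dllcache while
# ServicePackFiles\i386 keeps the service-pack build (the .5512 vs .5625
# difference seen above is exactly that).
foreach ($n in $names) {
    $live    = $rows | Where-Object { $_.File -eq $n -and $_.Copy -eq 'system32' }
    $backups = $rows | Where-Object { $_.File -eq $n -and $_.Copy -ne 'system32' -and $_.Hash }
    if ($live.Hash -and -not ($backups | Where-Object { $_.Hash -eq $live.Hash })) {
        Write-Warning "$n in system32 (version $($live.Version)) matches no backup copy"
    }
}
```

Compare the Hash column rather than only the version number: two files can carry the same version resource and still differ in content, which is the case the thread is worried about. For catalog-signed XP files, sigverif.exe (File Signature Verification, shipped with Windows) is the tool that checks the catalog signature the Authenticode column cannot see.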

Greetings all.

1st, thanks to the moderator who was attentive enough himself, or responded to the request, to remove the private e-mail from the OP's post.

Eric, thanks for the reply and confirming the versions in i386

As for the procedure suggested I would still say - there is no rush to substitute anything yet.
The message about the alleged infection is not clear at all.
We don’t have any info about Comodo’s confirmation after submitting files
I still think that Eric’s note about FP is the one that is True.

My opinion - it is necessary to find out about some specifics re: localization.
I did not get time yet to find out with MS.

More importantly:

Since Scary_bear can communicate with us – there is no need for guessing and making fast desperate moves – that could be more harmful than infection itself.
Meaning if it is there already nothing you can do except dealing with it in a proper manner after having additional information

Then, you should never attempt to remove any infection in Safe Mode – that is The LAW!
You will fail, especially with rootkits (I’m practically certain - that is not the case here but anyway – that’s just a note) .

Only the certified professional malware fighter can tell you when and at what stage of already carried out removal process you have to use Safe Mode if necessary.

Finally, I've never come across a compromised system Microsoft file, whether signed or unsigned, where the malware would change the version (!!!) ???
That would be the most stupid thing to do, considering the “malicious purposes”
You have to give some credit even to the newbies in the “malware development” field :wink:

Cheers!

*** added *** Eric, I forgot to answer your question re: C:\WINDOWS\system32\dllcache
mswsock.dll - 5.1.2600.5625 (xpsp_sp3_gdr.080620-1249)
But I am not convinced yet at this stage that the substitution is what’s needed

Hello everybody,

EricJH,

Scary_bear's version numbers are newer than SiberLynx's and mine. Scary_bear: do you have any clue why you have newer versions?
Really. Thank you. I have installed SP3 and Security SP4 for Windows XP SP2. These files are from one of these packs. Security SP4 release date - 2009.11.15.

SiberLynx,

Then, you should never attempt to remove any infection in Safe Mode – that is The LAW! You will fail, especially with rootkits (I'm practically certain - that is not the case here but anyway – that's just a note) .
I already have the experience of replacing system files even in normal mode (some of them could be replaced while they aren't in use).

I was talking about the procedure when the infection is suspected or indeed there.
Do you still have flaggings? Have you submitted the files?

But most interestingly

What is this SP4 for XP ? ??? Can you be more specific about that?

Here is Windows Service Pack Road Map

and Windows Life-Cycle Policy
see “Lifecycle Supported Service Packs” link at the end of the page

*** added *** do you mean this Security Service Pack 4 for Windows XP SP3 version 9.11.28 from file sharing sites? Well… 88) What on earth possessed you to do such thing even if it’s safe?

My regards

I thought it could be a rootkit if there was a virus that may have been injected. There is one called virus.protect.c. It injected the ndis.sys driver. It also protected the file so it was prevented from being scanned. That was the main reason why no antivirus could detect it.
Also, by injecting ndis it could bypass the firewall.
Since Malwarebytes and resetting the winsock to default did not work, what could it be? So I thought GMER could help.
http://www.threatexpert.com/report.aspx?md5=381a3d5af5f75861b1469d839719d22b

Hi jake12345,

My post had several points.

Here is the initial and only information we had

Blocking these files means a lack of internet access

and nothing else.

Definitely one will have troubles with the connection when blocking that. Isn’t that obvious?

Therefore amongst other remarks I said something like: even if that is a genuine infection it’s better to leave it alone – it is already there … and try to follow the standard procedure of presenting information about your system. See any decent “Malware removal help” forum.

No conclusion whatsoever could’ve been made from the initially presented “details” - there were no details.

Neither could I see any connection or any reason to run the offered tools at the very beginning,
nor can I get it from your last post and the link provided.

Blindly running such Tools as “Rootkit Revealers”, “Winsock Cure Tools”, “ComboFix”, etc. without having required preliminary details about the system – is a “death penalty” for the OS in 99% cases including the fact that the infection may not be even present.
You can read tons of articles about that out there, and most such utilities, like those mentioned and similar ones, display a precaution as their first screen.

A similar mistake is often made when users just post a HijackThis report and nothing else.
One thing to admit: that is not damaging (unless some "boxes were ticked and buttons pressed" already)… but it is useless anyway, because the said tool is not a malware removal tool by any means on its own.

It is necessary to provide all required information prior to seeking help.
Only certified professional specialist should guide you. You can see the certificate in their signatures. They are not hiding it :).

Otherwise you can do whatever you want, and you are responsible for any of your actions.
That is "kinda OK" when you are doing that with your own computer, but one must be very cautious and have a sense of responsibility when giving advice to other people.

I do understand that you had no deliberate bad intentions,
but even if you may not agree with my message and the way any suspicion of the alleged infection has to be approached, probably someone else will read in the future and save his/her system.

My regards