#1 (permalink) | Guest | kernel32.dll & wsock32.dll

My anti-virus detected kernel32.dll and wsock32.dll as viruses. They are located in c:\windows\system32. Is it possible they are a virus, they didn't delete from the computer even though avast no longer recognizes them as viruses?

And why is there a system32 folder on my computer? Doesn't it mean "system 32-bit folder"? I'm using a 64-bit so shouldn't I have a system64 folder?

#2 (permalink) | Guest | Re: kernel32.dll & wsock32.dll

WilliamW wrote:
> My anti-virus detected kernel32.dll and wsock32.dll as viruses. They are
> located in c:\windows\system32. Is it possible they are a virus, they didn't
> delete from the computer even though avast no longer recognizes them as
> viruses?
>
> And why is there a system32 folder on my computer? Doesn't it mean "system
> 32-bit folder"? I'm using a 64-bit so shouldn't I have a system64 folder?

What antivirus are you using? Has the program - and the version you are using - been certified to work with Vista? Since you are using Vista 64-bit, I assume you did a clean install and not an upgrade from an XP 32-bit system. Is this right?

I have Vista Ultimate 32-bit installed (clean) and I have a Windows\System32 folder with both those files in it. This is on a known-clean system.

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

#3 (permalink) | Guest | RE: kernel32.dll & wsock32.dll

You can't ever be 100% sure, but I am almost sure that's a false positive result. The only thing that makes me unsure is that you are using 64-bit. I don't have a 64-bit Vista install to compare to at the moment. On a 32-bit system those are system DLLs. Which AV program are you using?

You should still have a System32 directory on your 64-bit box. For one thing, the system has a 32-bit sub-system and needs some place to put the files for it. For another, I thought (it's been a while since I tried 64-bit Vista) that there is no System64 directory. It just puts all the 64-bit stuff into the System32 folder because everything is written to look in that directory already. Again, I need to verify to be sure, but I think that is correct.

BTW, several years ago one of the major AV programs decided that a critical system component was a virus. It even went ahead and quarantined it, with the result that the system immediately blue-screened and never rebooted again. The vendor apologized for the error and rectified the situation by publishing updated signatures that properly recognized the OS as not being a virus.

"WilliamW" wrote:
> My anti-virus detected kernel32.dll and wsock32.dll as viruses. They are
> located in c:\windows\system32. Is it possible they are a virus, they didn't
> delete from the computer even though avast no longer recognizes them as
> viruses?
>
> And why is there a system32 folder on my computer? Doesn't it mean "system
> 32-bit folder"? I'm using a 64-bit so shouldn't I have a system64 folder?

#4 (permalink) | Guest | RE: kernel32.dll & wsock32.dll

Hello,
The system32 folder contains 64-bit files. This has to remain that way for backward compatibility problems.
32-bit files are located in the c:\windows\syswow64 folder.
To verify the files you can run

C:\Windows\system32>sfc /verifyfile=c:\windows\system32\kernel32.dll

This is the expected response

Windows Resource Protection did not find any integrity violations.

Now repeat for wsock32.dll

and repeat for the files in the syswow64 folder as well just to be safe.

C:\Windows\system32>sfc /verifyfile=c:\windows\syswow64\kernel32.dll

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights

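The verification steps in the post above, as an added PowerShell example that is not part of the original thread: it runs `sfc /verifyfile` on both DLLs in both directories and goes a little further by reading each file's PE header to show which directory really holds the 64-bit build, and by recording a SHA-256 to quote when reporting a false positive to the AV vendor. The helper names `Get-PeMachine` and `Test-SfcFile` are hypothetical; an elevated 64-bit PowerShell 4 or later on English-language Windows is assumed.

```powershell
# Added example. Assumes an elevated 64-bit PowerShell 4+ on English-language Windows.
$names = 'kernel32.dll', 'wsock32.dll'

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
$isAdmin   = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole($adminRole)
if (-not $isAdmin) { throw 'Run from an elevated prompt: sfc needs administrator rights.' }

# A 32-bit process on 64-bit Windows is silently redirected from System32 to
# SysWOW64, so it would check the 32-bit copies twice. Refuse to run that way.
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    throw 'Run from 64-bit PowerShell so that System32 is not redirected.'
}

$dirs = @(Join-Path $env:windir 'System32')
if ([Environment]::Is64BitOperatingSystem) { $dirs += Join-Path $env:windir 'SysWOW64' }

# Hypothetical helper: report the Machine field of the PE file header.
function Get-PeMachine([string]$Path) {
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        if ($br.ReadUInt16() -ne 0x5A4D) { return 'not a PE file' }      # 'MZ'
        $fs.Position = 0x3C
        $fs.Position = $br.ReadInt32()                                   # e_lfanew
        if ($br.ReadUInt32() -ne 0x00004550) { return 'not a PE file' }  # 'PE\0\0'
        switch ($br.ReadUInt16()) {
            0x8664  { 'x64' }
            0x014C  { 'x86' }
            default { 'other (0x{0:X4})' -f $_ }
        }
    } finally { $fs.Dispose() }
}

# Hypothetical helper: $true when sfc prints the expected response quoted in the post.
function Test-SfcFile([string]$Path) {
    # Captured sfc output is UTF-16 decoded with the console code page, which
    # leaves NUL characters between letters; strip them before matching.
    $text = ((& sfc.exe "/verifyfile=$Path") -join ' ') -replace "`0", ''
    $text -match 'did not find any integrity violations'
}

$results = foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A protected DLL that is absent (for example after an AV deletion).
            [pscustomobject]@{ Path = $path; Machine = 'missing'; SfcClean = $false; SHA256 = $null }
            continue
        }
        [pscustomobject]@{
            Path     = $path
            Machine  = Get-PeMachine $path
            SfcClean = Test-SfcFile $path
            SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}
$results | Format-Table -AutoSize
```

On a healthy 64-bit install the System32 rows report `x64` and the SysWOW64 rows `x86`, all with `SfcClean` true; a `missing` row or a false `SfcClean` is the case that calls for a repair.
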
#5 (permalink) | Guest | RE: kernel32.dll & wsock32.dll

Anti-Virus is avast 4.7 Home edition - listed as compatible with Vista and 64-bit PC's.

So far the computer hasn't acted up at all, and I had already deleted the files through the AV. As for running the sfc utility, I need to log into the administrator to do it, so that'll take until tomorrow. I'm tending to think that the files may have been automatically replaced with the correct version when I ran the AV. Otherwise when I deleted them they would have been gone permanently or been replaced by infected copies which would show up on the next scan. Right?

Thanks for the info...I hadn't even thought about backwards compatibility.

#6 (permalink) | Guest | RE: kernel32.dll & wsock32.dll

Those files are protected in Vista. If the AV engine deleted them they would have been replaced automatically. The same would have happened if some malware had modified them. Thus the reason it is unlikely (but possible) that they were truly malware.

If you find that they are the correct versions, and Avast flags them as malicious, then you should talk to the makers of Avast. They may have a bug in their definitions.

#7 (permalink) | Guest | RE: kernel32.dll & wsock32.dll

Hello Jesper,
The OS protects the files differently than Windows XP. The ACLs on the files do not let the files be modified as easily as they were before.
The files are not automatically replaced; to replace the files you would have to run sfc /scannow or boot to the DVD and run a repair.

Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
