[Warning] A boot error occurs after infection by malware that tampers with system files

1. Introduction

Malicious files designed to steal online game accounts have been spreading for a long time.
Recently we obtained an unusual and troublesome malicious file (a tampered ws2help.dll) that prevents the system from booting normally. This is an uncommon case and calls for great caution from general users.
The malicious file is distributed mainly through file hosting web sites, and various other web sites have been tampered with and used to distribute it, so it appears to spread rapidly and over a wide range.

The nProtect family supports "Generic Detection / Repair" features that diagnose and cure new and variant malicious files similar to known ones without an additional pattern update, so nProtect users are protected against this malicious file. The related diagnosis name is as follows:

* Trojan/W32.Forwarded.Gen

2. Spreading path and symptoms of infection

These malicious files usually spread through file hosting web sites, well-known social commerce sites, and internet news sites. In addition, the infection spreads by exploiting vulnerabilities in Adobe Flash Player and Microsoft operating systems.

First, an ordinary web site is compromised and a malicious script is covertly injected into it. The injected script uses various vulnerabilities and ultimately causes the user to download and execute various malicious files that steal the accounts of popular online games.

When a PC is infected by the malicious file, its abnormal operation can cause the following side effects.
a. Internet Explorer is forcibly terminated
b. The computer runs slowly
c. A Blue Screen of Death (BSOD) occurs
d. The system reboots endlessly
e. Booting into safe mode is not possible

The following images show the malicious script code and the SWF file code of the malicious files.

* Symptoms are the same!!

* Malicious SWF file and code in Script

We can see that it uses the CVE-2011-2110 vulnerability and leads to the download of the following malicious file (0122.exe).

Once the malicious file mentioned above has been downloaded and has infected the system, it creates another malicious file (8906506370856890.exe), which in turn creates further malicious files (ws2help.dll, 33,611,784 bytes) to steal specific online game accounts.

* Generated file

- (Windows\system32)\ws2help.dll (33,611,784 bytes, Malicious file)
- (Windows\system32)\ws3help.dll (19,968 bytes, Normal file)
- (Windows\system32)\(yyyymdhhmmss).dll (19,968 bytes, Normal file)

* The path "Windows\system32" may differ depending on the OS type.

The picture below makes it easy to understand how the malicious files are generated as described above.

ws2help.dll is a normal Windows system file. As the picture above shows, the malicious file renames the original ws2help.dll to ws3help.dll and takes the name ws2help.dll for itself in order to masquerade as the system file.
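An added example, not from the original post or from nProtect: a Python triage check for the file pattern listed above, intended for the system32 directory of a disk mounted offline. The function names, the sample directory and its scaled-down file sizes are assumptions constructed for illustration; only the file names and the timestamp naming come from the page.

```python
import re
import tempfile
from pathlib import Path

TARGET = "ws2help.dll"    # system file name the malware takes over
RENAMED = "ws3help.dll"   # name the original system file is moved to
# (yyyymdhhmmss).dll: month and day are not zero-padded, so 12 to 14 digits.
STAMPED = re.compile(r"^\d{12,14}\.dll$")


def triage_system32(system32):
    """Return findings for the ws2help.dll replacement pattern in one directory."""
    files = {p.name.lower(): p.stat().st_size
             for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    if RENAMED not in files:
        return findings  # no renamed original, so the pattern is absent
    orig_size = files[RENAMED]
    findings.append(f"{RENAMED} present ({orig_size} bytes)")
    if TARGET in files and files[TARGET] != orig_size:
        findings.append(f"{TARGET} is {files[TARGET]} bytes, differs from {RENAMED}")
    for name in sorted(files):
        # The page lists the timestamped copy with the same size as ws3help.dll.
        if STAMPED.match(name) and files[name] == orig_size:
            findings.append(f"{name} matches the timestamped copy name and size")
    return findings


def build_sample(root, infected):
    """Constructed sample directory (assumption: sizes are scaled-down stand-ins)."""
    root = Path(root)
    (root / "kernel32.dll").write_bytes(b"K" * 64)
    if infected:
        (root / "ws2help.dll").write_bytes(b"M" * 4096)      # oversized replacement
        (root / "WS3HELP.DLL").write_bytes(b"N" * 128)       # renamed original
        (root / "201175123045.dll").write_bytes(b"N" * 128)  # timestamped copy
    else:
        (root / "ws2help.dll").write_bytes(b"N" * 128)       # untouched system file
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for line in triage_system32(build_sample(tmp, infected=True)):
            print(line)
```

The check compares ws2help.dll against ws3help.dll instead of a fixed byte count because, as the page notes, the layout depends on the OS type.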

* A BSOD occurs and the infinite reboot symptom repeats

After the infection process described above, the PC is infected with a malicious file that steals specific online game account information.

However, the biggest problem with this variant is that it shows the user a blue screen on reboot.

Moreover, once the blue screen has been shown, the system can fall into an infinite reboot while loading into memory and show the blue screen indefinitely.

3. How to prevent

These malicious files have already caused infections several times over a wide range, as we have mentioned several times on our Korean blog (not translated), and various cases of damage have occurred, such as hijacking of online gaming account information and occasional shutting down of the Internet browser during Internet banking.

However, this variant was found to cause fatal damage if the user's PC is infected, and it can lead to disk formatting.

Fortunately, the nProtect family supports "Generic Detection / Repair" features that diagnose and cure new and variant malicious files similar to known ones without additional pattern updates ("2011-06-23.01 pattern version"), so nProtect users are protected against this malicious file.

Currently, paid users of the nProtect family can prevent infection by this malicious file simply by updating to the latest engine and pattern (2011-07-05.01). So be sure to keep the engine and pattern up to date.
But we have good news for general users, too. We will describe a procedure that avoids disk formatting. The following images will help you recover.

* How to recover from infected PC.

1. Prepare a Windows installation CD. Insert it in the CD tray and reboot. Press any key while the message "Press any key to boot from CD..." is shown.

2. Press <R> on this screen to start recovery.

3. The recovery console appears as shown in this image.

First, select the Windows installation to recover (in my case, drive D: was infected) by pressing "2" and then Enter.
You may be asked for the administrator password; type it if one is set, or just press Enter if not.

4. Enter the following command sequence.

* Enter the following commands

- "del ws2help.dll" (Delete the malicious file)
- "ren ws3help.dll ws2help.dll" (Rename the normal file back to its normal file name)
- "exit" (Exit)

5. Try rebooting after entering the commands.

To avoid this kind of damage, the user's own interest and effort in following the "Security management tips" below matter most.

Beyond this case, many similar malicious files may emerge. Therefore, we recommend following the "Security management tips" to avoid such damage.

Security management tips

1. Keep the OS and applications up to date with the latest security updates.
2. Use anti-virus software from a trustworthy security company, keep its engine updated to the latest version, and use its real-time detection function.
3. Do not open or download attached files from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) provides diagnosis and treatment functions for malicious files such as the one described above and runs a 24-hour response system against various security threats.

