Worm/Spybot

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Worm/Spybot

Post by Barb »

AVG tells me I have a Virus identified Worm/Spybot. It says it's found in C:\WINDOWS\SYSTEM32\winsock2.exe

It says to remove the virus run AVG. I do that, it finds it, then says it can't move or heal the file.

I went into Windows Explorer and can't manually delete the file.


I went to the AVG site and it has little to nothing about it there. I've done some google searching and can't find anything.

How I got this on my laptop I have no idea. I only use it a couple times a week. I never open files that I haven't asked someone for. Shoot, I don't even open the dumb picture attachments my mother sends me that have been forwarded all over the place!

I ran a scan on my desktop and it is clean.

Can someone help me please.
I've never dabbled in the registry and know very little about DOS, so I'll need real basic step-by-step instructions if someone has any. I'm running WinXP.

Thanks,
Barb
hayc59
Posts: 2355
Joined: Fri Jul 20, 2001 12:00 pm
Location: LSD melts in your mind, not in your hand.

Post by hayc59 »

from AVG site--->
http://www.grisoft.com/virbase/virbase. ... 8c5a9cf000
Worm/Spybot

The exact description is not available.
This type of virus spreads across local networks or through the internet via shared disks. The virus searches for computers in its "neighborhood" with shared network drives and then copies itself onto them.

For prevention as far as possible do not share whole disks, but only selected folders. It is also advisable to use passwords on shared folders.

We recommend you remove binding to "File and printer sharing" in Bindings Tab under TCP/IP Properties for all TCP/IP protocols (the TCP/IP protocol is usually defined for every LAN or Dial-Up adapter).

Peer-to-peer networks

The next most common method of spreading is by "peer-to-peer" networks (like KaZaA): the virus creates a few copies of itself in folders within the P2P shared system. If these files have alluring names, there is a good chance somebody will download and execute them.

some help from trendmicro.com--->
http://www.trendmicro.com/vinfo/virusen ... M_SPYBOT.B
ãrê ¥Øu êxpêriêncêD
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

Thank you

I finally found info at trendmicro just before you posted. It's scanning now.


Barb
hayc59
Posts: 2355
Joined: Fri Jul 20, 2001 12:00 pm
Location: LSD melts in your mind, not in your hand.

Post by hayc59 »

Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

Hmmmm

First scan with Housecall: I shut off AVG and watched the files it was scanning; when it came to what was supposed to be infected, AVG popped up with the warning. I OK'd it, but Housecall finished the scan and said it's clean.

So I'm wondering if AVG somehow was messing up the Housecall scan. I uninstalled AVG and ran Housecall again; it still says I'm clean.

I don't have Kazaa and have never had Kazaa installed on that pc.

Could AVG have given me a false positive? I updated it today; could it have been a bad update? Could Housecall have missed it?

Zone Alarm has been asking permission for winsock to access the internet. I'd been telling it no for some time. I looked it up and read in several places it was a normal process for internet connection. Recently, if I had the laptop on for any length of time, it wouldn't open any web pages. I thought that might have been the problem so I've been allowing it the last few times it's asked.

I think I'll go to the McAfee site and run their free scan if they still offer it.

Any other suggestions?

Barb
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

Well McAfee found it too. I went into safe mode and couldn't delete it.

I'm done for the night.

Does it look like I need to reformat and reinstall everything?


Barb
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

MANUAL REMOVAL INSTRUCTIONS

Identifying the Malware Program

To remove this malware, first identify the malware program.

Scan your system with your Trend Micro antivirus product.
NOTE all files detected as WORM_SPYBOT.B.
Trend Micro customers need to download the latest pattern file before scanning their system. Other Internet users may use Housecall, Trend Micro’s free online virus scanner.

Terminating the Malware Program

Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware.

One such utility is Process Explorer from Sysinternals. This small program can be downloaded freely from the Sysinternals site.

Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing during startup.

To remove the malware autostart entries:

Open Registry Editor. To do this, click Start>Run, type Regedit, then press Enter.
In the left panel, double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
In the right panel, locate and delete the entry or entries:
<malware detected earlier>
Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 95, 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP.

In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
In the right panel, locate and delete the entry or entries:
<malware detected earlier>
Close Registry Editor.
NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.
Locating a Malware File

On Windows 9x/NT

Click Start>Find>Files and Folders.
In the Named input box, type:
KEYLOG.TXT
LOG.TXT
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
On Windows 2000/ME/XP

Click Start>Search>For Files and Folders.
In the Search for files and folders named input box, type:
KEYLOG.TXT
LOG.TXT
In the Look In drop-down list, select the drive which contains Windows, then press Enter.
No one has any right to force data on you
and command you to believe it or else.
If it is not true for you, it isn't true.

LRH
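An added example, not part of TonyT's post or the Trend Micro instructions he quotes: a read-only PowerShell audit of the same Run/RunOnce keys the procedure edits by hand. It flags any autostart entry whose command names winsock2.exe (the file AVG reported earlier in the thread) and any entry whose target file no longer exists, which is what produces a "cannot find winsock2.exe" message at logon after the file has been removed but its registry entry has not. The suspect filename list and the helper name Get-AutostartTarget are this example's own choices.

```powershell
# Added example: audit Run/RunOnce autostart entries (report only, no changes).
$suspectNames = @('winsock2.exe')   # filename from this thread; extend as needed

$autostartKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartTarget {
    # Pull the executable path out of a Run value such as
    #   "C:\Windows\System32\foo.exe" /arg    or    foo.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # skip PowerShell metadata
        $target = Get-AutostartTarget -Command ([string]$p.Value)
        $name   = [System.IO.Path]::GetFileName($target)
        $flags  = @()
        if ($suspectNames -contains $name) { $flags += 'SUSPECT-NAME' }
        # Expand %SystemRoot%-style variables before checking the file exists
        $expanded = [Environment]::ExpandEnvironmentVariables($target)
        if ($expanded -match '\\' -and -not (Test-Path -LiteralPath $expanded)) {
            $flags += 'MISSING-TARGET'               # orphaned entry left behind
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Key     = $key
                Value   = $p.Name
                Command = $p.Value
                Flags   = ($flags -join ',')
            }
        }
    }
}
# To delete a confirmed entry (the regedit step above), preview first:
#   Remove-ItemProperty -Path <Key> -Name <Value> -WhatIf
```

Run it in an elevated PowerShell so the HKLM keys are readable; the script changes nothing, and a flagged entry should be compared against the scanner's detection list before being removed.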
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

This ^&%! thing has made my regedit inoperable.

Do you know if after running the process viewer and terminating it if my regedit will work again?

If not, is there anyway to get there to remove it from the registry?

Also, anyone know how I got this? I don't use Kazaa and, as far as I can remember, have not opened any attachments sent to me on that pc. I have it turned on only 2 - 3 days a week, and generally just to do a quick peek at email from Mailwasher. I rarely even download mail to it.

It is hooked up wireless just to share internet. I never set up any file sharing between the 2 computers.

I really appreciate all the help.

Barb
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

Thank you thank you thank you!!

I think I got it for the most part. I have missed something in the registry as when I start up, I get a message about not being able to find winsock2.exe. Zone Alarm isn't asking for permission anymore and it's not listed as a running program. So I think I'm safe till I find.

I'll dig around some more and see what I can find.


You all are great!


Barb
hayc59
Posts: 2355
Joined: Fri Jul 20, 2001 12:00 pm
Location: LSD melts in your mind, not in your hand.

Post by hayc59 »

=these should get rid of the rest.=
Another program that is really good at cleaning an infected PC is Trojan Remover. It should save you the headaches of manually repairing the registry. Here are the details of what it can do and the download for the free 30-day trial version, which is fully functional and very easy to use. Be sure to get the updates first, of course.

Trojan Remover
http://www.simplysup.com/tremover/details.html

Trojan Hunter also has a 30-day free trial version (but you'll have to get the updates manually, as the online updater doesn't work on the evaluation version).

Trojan Hunter
http://www.misec.net/

thanks C.J. :D
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

McAfee's says I'm clean now. :)
I went through and searched in regedit and deleted several more items.
The last time I rebooted I had no error messages. I think I got it!

I will do the Trojan scanner just to make sure I got everything out.

I guess my next step is the networking forum to find out how to secure this better.

Barb
YeOldeStonecat
SG VIP
Posts: 51171
Joined: Mon Jan 15, 2001 12:00 pm
Location: Somewhere along the shoreline in New England

Post by YeOldeStonecat »

I'll be honest with you.... that one is a bear to clean out of the system. I've run across it before; it took several attempts to rid, and my client's system has "appeared" clean for a few months now, but it's been acting quirky since.

Upon removing it initially, in a matter of days it would come back. Upon looking deeper, I noticed logons from "guest", and I noticed TFTP.EXE in the root of the C drive... a perfectly legitimate file, but one that should absolutely not be found in the root of a computer's C drive.

Also, not surprisingly, her AOL account had problems with being used to launch spam. She went through password changes several times.
MORNING WOOD Lumber Company
Guinness for Strength!!!
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

Thank you

I did read about the TFTP files. From what I understood, while some were good, some were bad and needed to be removed. The problem for me was knowing which ones, so I didn't dig for those. Maybe I should?

I will continue scanning with different anti virus on both computers daily to make sure it doesn't come back. I'll also keep checking the registry.

My biggest concern is how I got it so I can be sure not to get anything like it again.
My daughter said she did install Kazaa on here, but then removed it as she knows I don't like it. She didn't know if it was before or after my recent format and reinstall though. She is VERY good at scanning anything she receives before opening it. Her b/f had a nasty virus last year and it was a mess to clean up. She then realized why I stress that everything is checked first, so I trust that she does.
It's only been maybe a month since the reinstall so I don't think it was after.

I also hate being online if it's possible I'm sending out stuff. If I'm not allowing anything but what I know to go out with the firewall (Sygate on the desktop, ZA on the laptop) am I alright?

Barb
Barb
Member
Posts: 50
Joined: Sun Mar 19, 2000 12:00 am

Post by Barb »

So far so good. All my scans have been clean. I have set a lot more of my security settings up. Some I think too far, but I'll need to play with them more I guess.

I did have Sygate pop up with a warning when I tried to click on this link from the general discussion board: http://www.derkosmischetodesstrahl....tank_vs_car.avi

The warning said:

Application has changed since the last time you opened it, process id: 4294516435
Filename: C:\Program Files\Windows Media Player\WMPLAYER.EXE
The change was denied by user.

---- Modules changed: 1 ----
C:\Program Files\Windows Media Player\WMPLAYER.EXE
---- New modules: 0 ----


The security type was an executable file and the severity was major.

Should I be concerned or do I just have security levels set too high?

Barb