Korean Job Discussion Forums
"The Internet's Meeting Place for ESL/EFL Teachers from Around the World!"
 

Viruses!! Ohmygod!! Help?
caniff



Joined: 03 Feb 2004
Location: All over the map

Posted: Sat Apr 24, 2004 5:05 am    Post subject: Viruses!! Ohmygod!! Help?

Any sites or measures that I can use to clear up the garbage? Using an old computer from my old hagwon, so between the ex-students, my friends, and my own activities I am cyber-handicapped. Any ideas much appreciated.


Caniff
kiwiboy_nz_99



Joined: 05 Jul 2003
Location: ...Enlightenment...

Posted: Sat Apr 24, 2004 5:35 am

Download some free security applications, AVG, Ad Ware, Spybot Search and Destroy, and The Cleaner. Run them.

If they find something they can't remove, find the name of that virus, and download a specific removal tool, just type the name of the virus, trojan, worm, or malcode into a search engine. There will be removal tools.
caniff



Joined: 03 Feb 2004
Location: All over the map

Posted: Sat Apr 24, 2004 6:23 am

Thanks. I'm a knuckle-dragger, therefore the inquiry...
Tony Danza's Houseguest



Joined: 24 Jan 2004
Location: Osan Dong

Posted: Sat Apr 24, 2004 6:31 am

This website does a free scan:

http://housecall.antivirus.com/housecall/start_corp.asp

It works.
Zed



Joined: 20 Jan 2003
Location: Shakedown Street

Posted: Thu Oct 21, 2004 4:10 am

I've got that spybot worm on here now but it seems to have disabled my ability to connect to the internet so I can't download directly.

(I'm at work now).

It's infected:
C:/WINDOWS/SYSTEM32/Winregs32.exe

and

C:/WINDOWS/SYSTEM32/syswin32.exe .

Norton can't get rid of it.
gajackson1



Joined: 27 Jan 2003
Location: Casa Chil, Sungai Besar, Sultanate of Brunei

Posted: Thu Oct 21, 2004 7:02 am

Zed, get what programs you can downloaded.

Then, boot into SAFE MODE with NETWORK SUPPORT

that should keep everything from gearing up, allowing you to run your progs & get rid of it. While in safe mode, only do 1 task at a time.

Glen

ps ~ it would help to know what OS you are using
Gregarious Monk



Joined: 13 Sep 2004
Location: Busan

Posted: Thu Oct 21, 2004 12:27 pm

Boot into safe-mode to run your scan, make sure that "System Restore" is turned off. If that doesn't work, try what I've blathered below.

The Winregs32.exe *is* a trojan and not a system file. Boot in safe mode and you can remove the virus manually by removing the registry entries found in this article:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.DN&VSect=T

If you boot into safe mode you will be able to rename the file to winregs32.BAK, create a plain text file (make sure that windows is set to show file extensions), rename it 'winregs32.exe', and check the 'read-only' box on the file properties to prevent reinfection if you don't have a virus scanner installed.

The other file you mentioned is another worm, not just an infected file. A detailed article is here:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irccontact.html

You can use the same trick as above (empty text file with the same name as the virus) to prevent reinfection if you don't have an up-to-date virus scanner.

You have to make sure that all the updates for windows are in place and that your virus scanner is active and updated in order to keep this from happening. Chances are that these were installed via the network and will appear again.
Demophobe



Joined: 17 May 2004

Posted: Thu Oct 21, 2004 12:33 pm

The rules for asking for help:

1. The OS please.
2. The name of the virus/trojan/spyware if available.
3. The exact problem it's causing.
4. Any and all messages that pop up from virus scanners or Windows regarding the problem. Be as exact as you can.
5. Your configuration; virus scanning software or AV, firewall app, background programs running (ctrl+alt+del)...
6. What you were doing when the problem began and any suspicious behavior by the system.

People...help us to help you. These pleas for help are so vague, no one can give you pointed assistance. Kiwi gave the best and only advice in this situation....a smattering of general programs that seem like they might apply to your situations.

Heck, download them all and more if you can't be more specific in your post.

Not flaming here, folks. Please be more thorough in your posts.
gajackson1



Joined: 27 Jan 2003
Location: Casa Chil, Sungai Besar, Sultanate of Brunei

Posted: Thu Oct 21, 2004 6:07 pm

I'll add one more to that:

Please consider making a CD with an offline virus scanner/remover; preferably one that will do a boot-sector trojan scan as well.

For travel/friends comps, I have a cd loaded with, hmm? what?

*Trojan Remover and AVWINSFX for viruses,

*SpywareBlaster, Spybot S&D, Ad-aware & PestPatrol (PestPatrol is overlooked a lot, IMHO, and a GREAT program) for ads/spyware/hacking stuff

*ZoneAlarm as a firewall

And, courtesy of Demophobe, I've just added CCleaner (CrapCleaner) to the mix.

I also put a copy of PCBooster on there, which I run after all the others. Helpful esp. in 2nd/3rd world countries, for quickly boosting/stabilizing internet connections.

Can't tell you how many times a disc like this on standby, combined with booting a comp into safe mode w/ns has saved grief.

Regards,

Glen
Zed



Joined: 20 Jan 2003
Location: Shakedown Street

Posted: Fri Oct 22, 2004 12:19 am

Demophobe wrote:
The rules for asking for help:

1. The OS please.
2. The name of the virus/trojan/spyware if available.
3. The exact problem it's causing.
4. Any and all messages that pop up from virus scanners or Windows regarding the problem. Be as exact as you can.
5. Your configuration; virus scanning software or AV, firewall app, background programs running (ctrl+alt+del)...
6. What you were doing when the problem began and any suspicious behavior by the system.

People...help us to help you. These pleas for help are so vague, no one can give you pointed assistance. Kiwi gave the best and only advice in this situation....a smattering of general programs that seem like they might apply to your situations.

Heck, download them all and more if you can't be more specific in your post.

Not flaming here, folks. Please be more thorough in your posts.


Fair enough. I restored my computer last week with the system restore discs that came with it. It runs Windows XP Home edition. This doesn't come with MS Office so I installed it from a disc I got from Johnny Computer in Itaewon along with Norton Antivirus 2003 Professional ed. The KT technician reinstalled my internet software and the only thing that I downloaded after that was an updated version of MS Messenger. That's all that was installed on my computer after restoring it. I hadn't downloaded any updates yet when my problem occurred.

4 days later I was listening to one of Kiwiboy's songs linked from another site when the computer crashed. I reset it. I wasn't able to connect to any internet site. A window opens but doesn't load the contents. I'm looking at a spinning hourglass and it never loads the page. No other buttons respond so eventually I have to reset the computer again. I'm working on an assignment and have been able to work on that and save that properly. As you see I can't download anything. My computer at work that I'm on now won't allow me to download any programs that I might save to install at home as it's admin protected.

Norton tells me it is not able to take any action against these two:
C:/WINDOWS/SYSTEM32/Winregs32.exe is infected with the W32.Spybot.Worm virus.
So is C:/WINDOWS/System32/syswin32.exe
(I know those should be back-slashes.)

Other information you may need: Compaq Presario 700 Laptop, Athlon 4 Processor, LAN card internet connection with KT.

I just read this thread now so haven't had time to try any of the suggestions but if this helps someone understand more specifically what my problem may be.
Demophobe



Joined: 17 May 2004

Posted: Fri Oct 22, 2004 1:35 am

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

Did you try this yet? Seems like a good enough method.

There are 2 other options: You can try automatic removal with Trend Micro System Cleaner (http://www.trendmicro.com/download/tsc.asp) or you follow the manual removal instructions:

Because W32.Spybot terminates task manager and regedit you need another tool to terminate the malware process(es):
http://www.sysinternals.com/ntw2k/freeware...e/procexp.shtml

This is a freeware tool and has features similar to Windows' built-in task manager.

This is the removal description from Trend Micro's homepage (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN):

---------------------------------------

Identifying the Malware Program
Before proceeding to remove this malware, first identify the malware program.

Scan your system with Trend Micro antivirus and NOTE all files detected as WORM_SPYBOT.GEN. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's free online virus scanner.


Terminating the Malware Program
Since this malware terminates the Windows NT and 2000 Task Manager and is invisible on the Windows 95, 98, and ME Task Manager, you need to use a process viewer to terminate this malware. One such utility is Process Explorer from Sysinternals (see URL above). This small program can be downloaded freely from the Sysinternals site.

Once you have downloaded the utility, locate and terminate the process of the file(s) detected earlier.



Removing Autostart Entries from the Registry

Removing autostart entries from registry prevents the malware from executing during startup. You will need the name(s) of the file(s) detected earlier.

1. Open Registry Editor. To do this, click Start>Run, type REGEDIT, then press Enter.
2. In the left panel, double-click the following:
HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>RunOnce
3. In the right panel, locate and delete the entry or entries whose data value (the rightmost column) is the malware file(s) detected earlier.

NOTE: If you were not able to terminate the malware process from memory as described in the previous procedure, restart your system.

Try it and post back.

Nortons doesn't seem to be catching this one but I've heard that Avast does and it's free. Might be worth using this for a complete scan as this malware sticks in the boot files.
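
The registry step quoted in the post above, as an added PowerShell example; it is not part of the thread or of Trend Micro's instructions. It lists autostart values whose data names a detected file, then deletes them only after a per-value confirmation. The `$Suspects` list (the two file names reported in this thread) and the function name `Get-SuspectAutostart` are illustrative, and the `Run` and `HKLM` keys go beyond the single `RunOnce` key the quoted steps name.

```powershell
# Added example: audit autostart registry values for known-bad file names.
# $Suspects holds the two file names reported in this thread; replace them
# with whatever your own scanner reported.
$Suspects = @('winregs32.exe', 'syswin32.exe')

# HKCU RunOnce is the key named in the quoted steps. The other three are
# standard Windows autostart keys, added here for coverage (assumption).
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-SuspectAutostart {
    param([string[]]$Keys, [string[]]$FileNames)
    foreach ($path in $Keys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }              # key absent on this system
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            foreach ($file in $FileNames) {
                # Case-insensitive substring match: the data may be a bare
                # file name, a full path, or a quoted path with arguments.
                if ($data.IndexOf($file, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{
                        Key = $path; Value = $name; Data = $data; Match = $file
                    }
                }
            }
        }
    }
}

# Step 1: report only. Review this table before changing anything.
$hits = @(Get-SuspectAutostart -Keys $AutostartKeys -FileNames $Suspects)
$hits | Format-Table -AutoSize -Wrap

# Step 2: delete each matching value, prompting for confirmation per value.
# Unnamed (default) values are skipped and left for manual review.
$hits | Where-Object { $_.Value } | ForEach-Object {
    Remove-ItemProperty -LiteralPath $_.Key -Name $_.Value -Confirm
}
```

The `HKLM` deletions need an elevated session; without one the report still works and only the removal fails.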
eamo



Joined: 08 Mar 2003
Location: Shepherd's Bush, 1964.

Posted: Fri Oct 22, 2004 3:22 am

Quote:
4 days later I was listening to one of Kiwiboy's songs linked from another site when the computer crashed.


Yeah! Blame Kiwiboy!!!!
Zed



Joined: 20 Jan 2003
Location: Shakedown Street

Posted: Fri Oct 22, 2004 4:35 am

I got rid of the syswin infection but haven't been able to do anything about the winregs infection yet.

I'll have to get my neighbour to download that other program and install it from a disc as I can't connect to the net at the moment.

Thanks for all the helpful advice guys.
Damn you kiwiboy!
kiwiboy_nz_99



Joined: 05 Jul 2003
Location: ...Enlightenment...

Posted: Fri Oct 22, 2004 8:45 am

Hmmm, I can't imagine malware entering your system through linking to that site as it's very legit. But in any case, I've found a better site to host my mp3's, so hopefully no problem like that again.
Dalton



Joined: 26 Mar 2003

Posted: Fri Oct 22, 2004 9:51 am

Here's a list of software and links I saved. I haven't checked all the links lately and there is other stuff out there but I think this is a good start:

Free:
This link is to CNets' most popular downloads page. You'll see
AdAware, Zone Alarm, Mozilla Firefox, Spybot Search and Destroy
AdAware and Zone Alarm

Spybot Search and Destroy
Coolweb Shredder
note : the CWS author hasn't been updating as much lately.

HiJack This
Spyblaster
Spyware Guard

Not:
Window Washer
Scroll down and find Window Washer 5.1 on the right. DL it and open and read the .nfo file(s) with notepad. The rip is built into the program. Just install it. Run it every time you go off line.


Info and help sites:
Prevention article from cexx.org
spywareinfo.com
cexx.org

This is a lot of stuff. You have to get into the properties for each one too. For instance Ad Aware has a setting to eliminate the reg entry for anything it finds. Ad Aware will disable a lot of free stuff that comes with spyware and adware. Like free DivX and Download accelerator. I let it and learn to live without that stuff.
This page is maintained by the one and only Dave Sperling.
Contact Dave's ESL Cafe
Copyright © 2018 Dave Sperling. All Rights Reserved.
