What Is Winbo32.exe And How Do I Dispose Of It?
#1
Posted 27 July 2007 - 06:40 PM
Computers:
Mine: Dell N5030 Laptop Pentium Dual Core T4500 2.30 GHz, 6GB RAM, 10X DVD Recorder Windows 7 & New WD 500GB HD
Wife's: Gateway SX2370-UR10P Desktop AMD A8-3820 APU with Radeon HD Graphics 6GB Ram 1TB HD
"The moment you think you know it all should also be the moment you realize that you do not."
#2
Posted 27 July 2007 - 07:32 PM
Hi 1excop36 (Gerry)
Hello;
Please excuse a bit of background first. As part of some upgrades to stretch a few more years out of my Dell Dimension 8200, I installed a new Maxtor hard drive and started from scratch with a fresh install of Windows XP and SP2, along with the multitude of security and other updates. I decided to try out Kaspersky Anti-virus and installed the trial version. I am also using SpySweeper and have AdAware SE (no real time scanning) which I use as a backup to SpySweeper. I am using the Windows Firewall. During the course of installing and reinstalling my various programs, I began experiencing random program lockups (they stopped responding) and eventually discovered that when I deactivated KAV, the program(s) would begin functioning properly. After trying various remedies suggested by folks on the KAV support forum, without success, I uninstalled it and switched to the AVG free edition. The program "lock up" problems seem to have been resolved.
On AVG's first scan it discovered and deactivated something called "Winbo32.exe". I did a Google check and gather it is apparently some type of malware. Neither Spysweeper, KAV nor AdAware SE had uncovered this. It also does not show up in a HiJackThis scan, although that may be because AVG deactivated it.
My concern is that there are still 9 winbo32 entries in various parts of my registry. To the extent possible, I have not found any other signs of it in any files.
First of all, can someone give me more definitive information as to what this is, what it does, how serious it is and how I may have gotten it onto my system without any of my security software picking it up until AVG did? Obviously, the next question is, how do I get rid of all traces of it? Can I safely delete the registry entries without causing a major system snafu?
As far as I can tell, my system is running fine, so far. But since I know little about this, I'm reluctant to follow the "leave well enough alone" philosophy.
Any assistance will be greatly appreciated.
Gerry
On the following site your problem seems to be identified as a worm.
http://www.castlecop...tartupList.html
and further information as to how to remove it is on this site:
http://www.sophos.co...w32rbotgru.html
for your information and help.
If it was my computer I would firstly follow the above two sites and then post a Hijackthis log over on the Hijackthis Logs and Malware Forum.
http://forums.tomcoy...emoval_f27.html
However another more proficient volunteer will no doubt come by and give their opinion as to what they would suggest you do.
Good luck and hope this is of some help.
#4
Posted 27 July 2007 - 07:54 PM
#5
Posted 27 July 2007 - 08:05 PM
#6
Posted 28 July 2007 - 12:29 AM
#7
Posted 28 July 2007 - 03:43 AM
Hi again 1excop36,
Well, I decided to be daring. First, I found two unchecked winbo32 boxes in the Windows Firewall exceptions and deleted them. That reduced the Winbo32 registry entries to 5. I made a restore point and, throwing caution to the wind, deleted 3 of them, which also took care of the remaining two. As far as I can tell, there are no more signs of Winbo32.exe on my system anywhere. Better still, all is working as it should. I must give the free version of AVG an A+ for finding and disabling it after it got by SpyBlaster, AdAware SE, SpySweeper and Kaspersky AV.
Thanks to all for their advice. Hopefully this will be the end of this problem.
Gerry
Glad you have your problem sorted out.
Have you considered installing the free version of Zone Alarm firewall. http://filehippo.com...zonealarm_free/
In my prowling around the forums on the internet I have learned that Windows Firewall is not rated well. I am running two computers both with XP/SP2 and both with Zone Alarm free and very pleased with it.
I agree with you that AVG free is excellent and has saved me about three times from various Trojans and one Virus over the years.
I was sorry my last post was not of any use to you, but it seems you have been able to solve your own problem which is a good feeling at least.
Thanks for posting back and letting us know you are fine.
kind regards,
#8
Posted 28 July 2007 - 11:31 AM
Sorry I missed you..... again.
Seems like I could do better since we are in the same time zone and both in the northern part of the state.
I've got to do better, as Tallin is I think 14 time zones away and seems to be able to keep up.
Maybe I need a new watch or a calendar or something.
________
Removing Registry Entries is "one" step in removing some types of malware.
However, in the instance of a "worm" like Winbo32.exe, there are 22,960 file locations where elements of the malicious little creature hides away bits and pieces of code.
That's where well constructed automated tools come into play, since it would be ridiculous to think that a person could routinely check that many locations manually, let alone be able to identify oddly or randomly named items that may or may not be malicious.
_________
Even though you don't "own" Sophos, you can still benefit from the link Tallin offered to you.
Yep. Some of the "majors", do offer free versions of their utility for specific recovery procedures.
On the Sophos page linked by Tallin, Select - Recovery(tab) then click on "instructions for removing worms".
Scroll down to the entry for Windows 2000/XP/2003, as excerpted below:
* Windows 2000/XP/2003
1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
2. Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
3. At the infected computer, place the CD in the CD drive (D: in this example).
At the command prompt type
D:
to access the CD drive. Type:
CD SAV32CLI
Then type:
SAV32CLI -REMOVE -P=C:\LOGFILE.TXT
to remove the worm.
4. Before leaving Safe Mode, edit any registry entries mentioned in the worm analysis recovery instructions.
5. If problems persist, contact support.
In anticipating you walking through that process, I just downloaded, created the CD, rebooted to SAFE Mode with Command Prompt and initiated the scan.
The scan took about 12 minutes on my machine.
It is safe and thorough and free.
___________
After you do the above.............. What next?
To be on the safe side, run and post a HJT Log for that machine, over into our Malware Removal Forum.
Why? Oftentimes, when a machine becomes infected with one identified malware, others get invited in unknown to the owner/user. Other advanced tools would be needed to detect and/or rule-out such additional infections.
The Sophos tool is the correct one for your first line of Recovery.
Other advanced tools as recommended by your Expert Advisor over in Malware Removal should repair or confirm your machine as clean of malware.
Best Regards
Doug
If you wish, you may Donate to help keep us online.
#9
Posted 28 July 2007 - 12:40 PM
#11
Posted 29 July 2007 - 06:18 AM
#12
Posted 29 July 2007 - 10:50 AM
C:\System Volume\_restore is of course your System Restore, and apparently some of the Restore Points were taken when the infection was active. So each of those identified Restore points has a nice copy to offer back to you if you were to make the mistake of trying System Restore at this time.
Some more "reckless or novice helpers" around the net would jump to the recommendation of turning off System Restore to get rid of the contained infection.
Don't do that! You may need to use System Restore at some point in this fix, and even an infected Restore Point is better than no Restore Points at all.
Note: you won't find any helpers here at TC recommending to turn-off System Restore to flush the old points, until after the machine is confirmed to be free of all infection.
AVG won't be able to delete or fix items in the System Restore, as Windows tends to protect Restore Points.
Fortunately, the protection goes two ways and the infection is "unlikely" to be able to reach back into your machine.
I'd move directly to the Sophos worm removal fix, and save any further antispyware solutions for after Sophos.
Including, wait on Trojan Hunter, until after running Sophos.
If you've already run the Trojan Scan, no problem, just move on to Sophos.
Then Run and Post a HJT Log over in Malware Removal.
Maybe the big guns will have additional insight and tools to recommend.
_________
Sorry to hear about the joint pain.
Most of us have parts that have started wearing out someplace in the body.
You accelerated your knee condition in service to your country and community. Thanks.
Some of us get broken down for no good reason at all.
I have a few friends/peers who have the titanium knee or stainless steel hip.
In all cases, they have experienced "remarkable" improvement and were up and walking within the next day or two.
Rehab stresses putting the joint to action on same day as surgery!
This is one area that modern medicine has made great strides.
Probably courtesy of all those high-rent professional athletes that have insurance and huge incomes to repair themselves.
S.F. area has some excellent facilities for the surgery.
Best of Luck,
and Best Regards,
Doug
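As an added, read-only check (not from this thread, Sophos or AVG) that covers both Doug's point in #8 that registry entries are only one of many places a worm leaves pieces and his point in #12 that System Restore keeps its own copies: the script below lists where an executable such as winbo32 is still referenced in the Run keys, the Windows Firewall exceptions list Gerry cleaned by hand, installed services, and files under the Windows folder and the System Restore store. It assumes a current Windows with PowerShell 3 or later run from an elevated prompt; the registry paths are the standard ones, while `$Name` and `Find-ValueMatches` are names chosen for this example.

```powershell
# Added example: read-only audit of the locations a worm like Winbo32.exe uses to persist.
# Nothing is deleted; the output is for review before any removal tool is run.
param([string]$Name = 'winbo32')   # name to look for, used as a case-insensitive regex

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Windows Firewall exceptions (the check boxes in the Firewall control panel) live here.
$firewallKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List'
)
# Windows folder plus the System Restore store ("System Volume Information\_restore").
$filePaths = @("$env:SystemRoot", "$env:SystemDrive\System Volume Information")

# Return every registry value under the given keys whose name or data matches the pattern.
function Find-ValueMatches {
    param([string[]]$Keys, [string]$Pattern)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key)) { continue }   # key may not exist on newer Windows
        $item = Get-ItemProperty -Path $key
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }         # skip PSPath/PSChildName metadata
            if ("$($p.Name) $($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Where = $key; Name = $p.Name; Data = $p.Value }
            }
        }
    }
}

$hits = @(
    Find-ValueMatches -Keys $autostartKeys -Pattern $Name
    Find-ValueMatches -Keys $firewallKeys  -Pattern $Name
    # Services whose image path references the name (a worm may install itself as a service).
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $Name } |
        ForEach-Object { [pscustomobject]@{ Where = 'Win32_Service'; Name = $_.Name; Data = $_.PathName } }
    # Copies of the file; -Force includes hidden/system files, errors on protected folders are skipped.
    Get-ChildItem -Path $filePaths -Recurse -Force -Filter "$Name*" -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Where = 'File'; Name = $_.Name; Data = $_.FullName } }
)

if ($hits.Count -eq 0) { "No entries matching '$Name' were found." }
else { $hits | Format-Table -AutoSize }
```

Hits under System Volume Information confirm Doug's warning that a restore point taken while the infection was active would bring the file back; clearing old restore points still waits until the machine is confirmed clean.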
#13
Posted 29 July 2007 - 11:44 AM
#14
Posted 29 July 2007 - 01:22 PM
Run a Full Tests over at PCPitstop and post your TechExpress back here to this thread.
http://www.pcpitstop.com
Best Regards
#15
Posted 04 August 2007 - 04:15 AM