What Is Winbo32.exe And How Do I Dispose Of It?
29 replies to this topic

#1 1excop36 (Authentic Member, 97 posts)

Posted 27 July 2007 - 06:40 PM

Hello;

Please excuse a bit of background first. As part of some upgrades to stretch a few more years out of my Dell Dimension 8200, I installed a new Maxtor hard drive and started from scratch with a fresh install of Windows XP and SP2, along with the multitude of security and other updates. I decided to try out Kaspersky Anti-virus and installed the trial version. I am also using SpySweeper and have AdAware SE (no real time scanning) which I use as a backup to SpySweeper. I am using the Windows Firewall. During the course of installing and reinstalling my various programs, I began experiencing random program lockups (they stopped responding) and eventually discovered that when I deactivated KAV, the program(s) would begin functioning properly. After trying various remedies suggested by folks on the KAV support forum, without success, I uninstalled it and switched to the AVG free edition. The program "lock up" problem seems to have been resolved.

On AVG's first scan it discovered and deactivated something called "Winbo32.exe". I did a Google check and gather it is apparently some type of malware. Neither SpySweeper, KAV nor AdAware SE had uncovered this. It also does not show up in a HijackThis scan, although that may be because AVG deactivated it.

My concern is that there are still 9 winbo32 entries in various parts of my registry. To the extent possible, I have not found any other signs of it in any files.

First of all, can someone give me more definitive information as to what this is, what it does, how serious it is and how I may have gotten it onto my system without any of my security software picking it up until AVG did? Obviously, the next question is, how do I get rid of all traces of it? Can I safely delete the registry entries without causing a major system snafu?

As far as I can tell, my system is running fine, so far. But since I know little about this, I'm reluctant to follow the "leave well enough alone" philosophy.

Any assistance will be greatly appreciated.

Gerry

Computers:

 

Mine: Dell N5030 Laptop  Pentium Dual Core T4500 2.30 GHz, 6GB RAM, 10X DVD Recorder Windows 7 & New WD 500GB HD

Wife's: Gateway SX2370-UR10P Desktop AMD A8-3820 APU with Radeon™ HD Graphics 6GB Ram 1TB HD

 

 

"The moment you think you know it all should also be the moment you realize that you do not."



#2 tallin (SuperMember, 2,343 posts)

Posted 27 July 2007 - 07:32 PM


Hi 1excop36 (Gerry)

On the following site your problem seems to be identified as a worm.
http://www.castlecop...tartupList.html
and further information as to how to remove it is on this site:
http://www.sophos.co...w32rbotgru.html
for your information and help.

If it was my computer I would firstly follow the above two sites and then post a Hijackthis log over on the Hijackthis Logs and Malware Forum.
http://forums.tomcoy...emoval_f27.html
However another more proficient volunteer will no doubt come by and give their opinion as to what they would suggest you do.

Good luck and hope this is of some help.

#3 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 27 July 2007 - 07:44 PM

I support Tallin's plan! Hi Gerry. Nice to see you around. Doug
The help you receive here is free.
If you wish, you may Donate to help keep us online.

#4 1excop36 (Authentic Member, 97 posts)

Posted 27 July 2007 - 07:54 PM

Appreciate the reply but unfortunately I don't have Sophos AV. Also, as far as I can tell, the HijackThis log doesn't show any signs of this. However, as nothing critical is being affected at this point, I can wait to hear from some other folk. Thanks again.



#5 1excop36 (Authentic Member, 97 posts)

Posted 27 July 2007 - 08:05 PM

Doug; Just missed your reply by a few moments. Since Tallin's first option appears to be a no go, should I go ahead and post my HijackThis log (in the appropriate place of course) along with my tale of woe? I am also using TuneUp 2007 and the registry editor module's search function shows where each of the 9 registry entries containing win32.exe are located. Other than that, I've been unable to find any other signs of it anywhere else on my computer nor any ill effects. I realize that messing with the registry is risky, but if I do a restore point (as well as a TuneUp recovery point), would deleting the registry entries be worth a try? Or am I better off letting greater and more knowledgeable minds have a go at this? Gerry



#6 1excop36 (Authentic Member, 97 posts)

Posted 28 July 2007 - 12:29 AM

Well, I decided to be daring. First, I found two unchecked winbo32 boxes in the Windows Firewall exceptions and deleted them. That reduced the Winbo32 registry entries to 5. I made a restore point and, throwing caution to the wind, deleted 3 of them, which also took care of the remaining two. As far as I can tell, no more signs of Winbo32.exe on my system anywhere. Better still, all is working as it should. I must give the free version of AVG an A+ for finding and disabling it after it got by SpyBlaster, AdAware SE, SpySweeper and Kaspersky AV. Thanks to all for their advice. Hopefully this will be the end of this problem. Gerry

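Gerry tracked down the leftover registry entries and the two firewall exceptions by hand with TuneUp's registry search. As an added illustration, not code from anyone in this thread, the PowerShell script below does the same triage read-only on a PowerShell-capable Windows system: it walks the usual autostart keys and the Windows Firewall policy key (the one that holds the "exceptions" list), reports every value whose name or data mentions a given executable name, and writes the list out so it can be reviewed, with a restore point taken, before anything is deleted. The search string, the list of keys searched and the output path are assumptions chosen for the example.

```powershell
# Added example (not from the thread): list registry values that reference a
# given executable name so they can be reviewed before any of them is removed.
# The search string, the keys searched and the output path are assumptions.
param(
    [string]$Pattern = 'winbo32'   # substring to look for, matched case-insensitively
)

# Keys where malware commonly registers itself to start or to be allowed through
# the firewall. The FirewallPolicy key contains the per-profile
# AuthorizedApplications lists that the Windows Firewall "exceptions" tab shows.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\SYSTEM\CurrentControlSet\Services',
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
)

function Find-RegistryReferences {
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Examine the root key itself plus every subkey beneath it.
        $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                # Match on the value name (e.g. a Run entry named after the file)
                # or on the data (e.g. a path to the executable).
                if ($valueName -like "*$Needle*" -or $data -like "*$Needle*") {
                    [pscustomobject]@{
                        Key   = $key.Name
                        Value = $valueName
                        Data  = $data
                    }
                }
            }
        }
    }
}

$hits = @(Find-RegistryReferences -Roots $roots -Needle $Pattern)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    # Keep a record of what was found; nothing is deleted by this script.
    $hits | Export-Csv -NoTypeInformation -Path "$env:TEMP\registry-$Pattern-hits.csv"
} else {
    "No registry values referencing '$Pattern' found under the searched keys."
}
```

The script only reads and reports; deleting a value is left as a separate, deliberate step after the list has been checked and a System Restore point made, which is the order Gerry followed. Running it from an elevated prompt is needed to read the Services and FirewallPolicy keys in full, and the keys it searches are a starting set, not the exhaustive list of locations Doug refers to later in the thread.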


#7 tallin (SuperMember, 2,343 posts)

Posted 28 July 2007 - 03:43 AM


Hi again 1excop36,
Glad you have your problem sorted out.
Have you considered installing the free version of Zone Alarm firewall? http://filehippo.com...zonealarm_free/
In my prowling around the forums on the internet I have learned that Windows Firewall is not rated well. I am running two computers, both with XP/SP2 and both with Zone Alarm free, and am very pleased with it.

I agree with you that AVG free is excellent and has saved me about three times from various Trojans and one Virus over the years.

I was sorry my last post was not of any use to you, but it seems you have been able to solve your own problem which is a good feeling at least.

Thanks for posting back and letting us know you are fine.

kind regards,

#8 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 28 July 2007 - 11:31 AM

Hi Gerry,

Sorry I missed you..... again.
Seems like I could do better since we are in the same time zone and both in the northern part of the state.
I've got to do better, as Tallin is I think 14 time zones away and seems to be able to keep up.
Maybe I need a new watch or a calendar or something.
________

Removing Registry Entries is "one" step in removing some types of malware.
However, in the instance of a "worm" like Winbo32.exe, there are 22,960 file locations where elements of the malicious little creature hides away bits and pieces of code.

That's where well constructed automated tools come into play, since it would be ridiculous to think that a person could routinely check that many locations manually, let alone be able to identify oddly or randomly named items that may or may not be malicious.
_________

Even though you don't "own" Sophos, you can still benefit from the link Tallin offered to you. :)
Yep. Some of the "majors", do offer free versions of their utility for specific recovery procedures.

On the Sophos page linked by Tallin, Select - Recovery(tab) then click on "instructions for removing worms".
Scroll down to the entry for Windows 2000/XP/2003, as excerpted below:

* Windows 2000/XP/2003
1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
2. Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen "For troubleshooting and advanced startup options for Windows 2000, press F8". In the Windows 2000 Advanced Options Menu, select the third option 'Safe Mode with Command Prompt'.
3. At the infected computer, place the CD in the CD drive (D: in this example).
At the command prompt type

D:

to access the CD drive. Type:

CD SAV32CLI

Then type:

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

to remove the worm.
4. Before leaving Safe Mode, edit any registry entries mentioned in the worm analysis recovery instructions.
5. If problems persist, contact support.


In anticipating you walking through that process, I just downloaded, created the CD, rebooted to SAFE Mode with Command Prompt and initiated the scan.

The scan took about 12 minutes on my machine.

It is safe and thorough and free.
___________

After you do the above.............. What next?

To be on the safe side, run and post a HJT Log for that machine, over into our Malware Removal Forum.

Why? Oftentimes, when a machine becomes infected with one identified malware, others get invited in unknown to the owner/user. Other advanced tools would be needed to detect and/or rule-out such additional infections.

The Sophos tool is the correct one for your first line of Recovery.
Other advanced tools as recommended by your Expert Advisor over in Malware Removal should repair or confirm your machine as clean of malware.

Best Regards
Doug

#9 1excop36 (Authentic Member, 97 posts)

Posted 28 July 2007 - 12:40 PM

Hi Doug; No worries. We may be in the same time zone but as far as I know neither of us is psychic. Anyway, I will follow your instructions later on today (need to buy some more recordable CDs anyway). Then I'll have to borrow my daughter's laptop to make the disk as hers is the only other recorder (I've yet to get a USB setup for the CD-RW I removed from my Dimension and replaced with a DVD-RW). Once that's done (and knowing my daughter it may not be until tonight), I'll post the HijackThis file. On the positive side, I've run full scans with AVG, SpySweeper, AdAware and Trojan Hunter and all have come up clean. CCleaner has shown no major registry errors. So hopefully I escaped serious damage. I'm still curious how this critter managed to sneak through. As to Zone Alarm, I've had nothing but bad luck system wise every time I've tried out a version of it going back at least 3 years now. I know it's supposed to be the best, but every time I've installed it, my computer developed a major memory leak and always slowed down to a crawl with all sorts of conflicts. After my recent Kaspersky experience, I'm naturally reluctant to give it a whirl again, not to mention hearing the griping from my spouse about leaving well enough alone :rofl: . Again to you and Tallin, thank you very much for the assistance. I'll let you know how things go later on tonight most likely. Gerry



#10 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 28 July 2007 - 12:47 PM

There are other good free Firewalls.
I happen to have had good luck with Zone Alarm.
Others, notably some gamers, hate it.

Sygate comes highly recommended.

Best Regards


#11 1excop36 (Authentic Member, 97 posts)

Posted 29 July 2007 - 06:18 AM

My Dear Doug; So much for no worries. Either the worm was on a piece of software I downloaded (which tested clean, but I should have known better as it wasn't a "trusted source") or, as you rightly suspected, it was still lurking about. I was going to burn that CD on my daughter's computer in the morning but I missed it by that much. (Yes, I'm old enough for the original Maxwell Smart.) About the time my Firefox profile went to heck in a hand basket (fortunately I back it up weekly), AVG picked up entries of SHeur.AMW Trojan Horse, which is Winbo32.exe, and Win32 PEPatch Virus, all located in C:\System Volume\_restore (6 different files). But AVG did not neutralize/send them packing to the vault as it did last time, which I gather is one of the vices of this infection. Yet, nothing out of the ordinary is showing on my HijackThis scan that wasn't there before this all started. Moreover, some of my drive letters have changed for no apparent reason. On the personal front, this is just the frosting on a bad day. I have really bad osteoarthritis in both knees from almost 20 years of "crime fighting" and jumping out of perfectly good airplanes in the Army, and the pain today finally broke my stoicism and brought me to tears. Scared both me and the wife. I just finished a relatively new treatment of 3 injections into the knee with something made out of rooster combs that boosts the cushioning ability of the fluid inside the knee. Naturally a side effect can be more joint pain. Plus the image of that titanium knee replacement is rather vivid. I apologize for the personal sob story and probably should just delete it, but I just need to vent a little. In any event, I'm going to try running a deep scan with Trojan Hunter before catching at least a few "ZZZZZ's". Then I'll run the fix you recommended and hope for the best. Once I've done that, I'll post my HijackThis file so all can see what a doofus I've been and perhaps find something else I missed.
As the Beatles said, "Obla dee Obla dah, life goes on." Regards, Gerry



#12 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 29 July 2007 - 10:50 AM

Hi Gerry,

C:\System Volume\_restore is of course your System Restore, and apparently some of the Restore Points were taken when the infection was active. So each of those identified Restore points has a nice copy to offer back to you if you were to make the mistake of trying System Restore at this time.

Some more "reckless or novice helpers" around the net would jump to the recommendation of turning off System Restore to get rid of the contained infection.
Don't do that! You may need to use System Restore at some point in this fix, and even an infected Restore Point is better than no Restore Points at all. :)
Note: you won't find any helpers here at TC recommending to turn-off System Restore to flush the old points, until after the machine is confirmed to be free of all infection.

AVG won't be able to delete or fix items in the System Restore, as Windows tends to protect Restore Points.
Fortunately, the protection goes two ways and the infection is "unlikely" to be able to reach back into your machine.

I'd move directly to the Sophos worm removal fix, and save any further antispyware solutions for after Sophos.
Including, wait on Trojan Hunter, until after running Sophos.

If you've already run the Trojan Scan, no problem, just move on to Sophos.
Then Run and Post a HJT Log over in Malware Removal.
Maybe the big guns will have additional insight and tools to recommend.
_________

Sorry to hear about the joint pain.
Most of us have parts that have started wearing out someplace in the body.
You accelerated your knee condition in service to your country and community. Thanks. :thumbup:
Some of us get broken down for no good reason at all.

I have a few friends/peers who have the titanium knee or stainless steel hip.
In all cases, they have experienced "remarkable" improvement and were up and walking within the next day or two.
Rehab stresses putting the joint to action on same day as surgery!
This is one area that modern medicine has made great strides.
Probably courtesy of all those high-rent professional athletes that have insurance and huge incomes to repair themselves.

S.F. area has some excellent facilities for the surgery.

Best of Luck,
and Best Regards,
Doug

#13 1excop36 (Authentic Member, 97 posts)

Posted 29 July 2007 - 11:44 AM

Hi Doug; As soon as I can get the use of my daughter's computer and some recordable CDs I'll run the Sophos program. Curiously, the hidden operating file that is supposed to contain the restore point files, as I understand it, C:\System Volume, was empty when I checked it after making my post. I'm guessing here that's where Windows keeps the restore files, based upon what AVG showed. Also Trojan Hunter found everything clean. I did delete the downloaded program file I suspected contained the infection. Firefox is functioning properly again (thank goodness I back up my profiles weekly) and that whole snafu may have been due to a faulty extension. One other thing you might be able to explain. Somewhere along the line I picked up a "removable" D drive, which pushed both DVD drives down a notch. All my USB memory sticks have always followed my DVD-RW, which had been drive "E". Should I need to worry about this other than being OCD about the proper order of the drive letters? Again I appreciate your help. I have a good orthopedist now who's got several options up his white sleeve to keep me from becoming more of a Robocop ;) than I already am. Just FYI, back in 86 a newly licensed teenager going over 50 mph plowed head-on into my patrol car when he went to change the radio station. I managed another 10 years on the job but age and the damage finally caught up and I was forced to take a medical retirement. But I was lucky; for almost 20 years I got to do a job I loved that people just watch on TV. Take care and I'll keep you posted. Gerry



#14 Doug (Retired Administrator - Tech Team, 10,057 posts)

Posted 29 July 2007 - 01:22 PM

Probably no need to worry about the order of drive naming.

Run the Full Tests over at PCPitstop and post your TechExpress back here to this thread.

http://www.pcpitstop.com

Best Regards

#15 1excop36 (Authentic Member, 97 posts)

Posted 04 August 2007 - 04:15 AM

Hi Doug; Please excuse my absence. I had a bit of a reaction to the last injection they gave me in my knee, and it is my lot in life to always be in that marginal group that gets the rarely occurring side effects, and I have been just plain miserable. I'm so far behind in stuff I need to do around the house it's not funny. In any event, my trusty Dell is still behaving weird, though every AV and anti-spyware scan shows it clean. The Sophos scan showed nothing, so AVG must have gotten rid of the infection. I traced the source to a greeting card program I downloaded for my wife, and while I scanned it before trying to install, the virus was well hidden in the setup files. It should have been a clue when the darn thing wouldn't install in the first place. I posted my HijackThis log on the Malware Removal forum. I tried running the PC Pitstop tests but for some reason it wouldn't load the results after the tests, so I have a query in the help forum there. I may be jumping the gun, but I'm almost at the point where I'll just back up what files I need, reformat the hard drive and start over. As soon as I get the PC Pitstop log, I'll post it here for your perusal. Perhaps there will be something of note in the HijackThis log that will shed some light on the situation as well. I suspect whatever it is, it's probably nothing major, but one of those things that just irritates the heck out of you. Regards; Gerry
