win32malum virus

win32malum virus needhelp 03-27-2007
Posted by needhelp on March 29, 2007, 9:14 pm
when I submit the socks8b.exe file to virustotal I receive a message that
says 0 (zero) bytes transferred. what does that mean?

"David H. Lipman" wrote:

>
> | can I just get rid of socks8bB.exe?
> |
>
> The free version is the full version free for one year and then you have to pay for a
> subscription.
>
> If you could just delete the file, then eTrust would have done so already.
>
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendor's scanners.
> That will give you an idea what it is and who recognizes it. In addition, unless told
> otherwise, Virus Total will provide the sample to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results.
>
> Then we can determine what software may be used to remove this.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Posted by David H. Lipman on March 29, 2007, 9:45 pm

| when I submit the socks8b.exe file to virustotal I receive a message that
| says 0 (zero) bytes transferred. what does that mean?
|

That means the File Handle of the EXE file is held open by the OS and you can't just
delete it, copy it or easily submit it to Virus Total.

Download, extract and execute Pocket KillBox
http://www.bleepingcomputer.com/files/spyware/KillBox.zip

Use that utility to remove the file. It should create a backup in; C:\!KillBox

You should be able to submit "socks8b.exe" once the PC has rebooted and it is
moved to; C:\!KillBox

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
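As an added illustration of Dave's point about a file whose handle is held open (this is not code from the thread, from Virus Total or from KillBox), here is a small Python triage script. It hashes a suspect file so the hash can be looked up or reported even when the file itself cannot be uploaded, records how many bytes were actually read (the "0 bytes transferred" symptom), and probes whether the OS will grant write access, which on Windows fails for an executable that is currently loaded. The file names and contents in `demo()` are constructed; the write-lock probe is a generic OS check and not the logic of any tool mentioned above.

```python
import hashlib
import os
import tempfile


def triage_file(path, chunk_size=65536):
    """Return a triage record for a suspect file: size, SHA-256, write-lock state.

    The SHA-256 lets you look the sample up or report it even when the file
    cannot be uploaded. 'writable' False with an errno means the OS refused a
    write-mode open, which on Windows is what a loaded/executing image shows.
    """
    record = {"path": path, "exists": os.path.isfile(path), "size": None,
              "sha256": None, "bytes_read": 0, "writable": None, "errno": None}
    if not record["exists"]:
        return record
    record["size"] = os.path.getsize(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
            record["bytes_read"] += len(chunk)
    record["sha256"] = digest.hexdigest()
    try:
        # 'r+b' asks for write access without truncating; a running executable
        # (or a file another process holds without write sharing) fails here
        # rather than on the read above.
        with open(path, "r+b"):
            record["writable"] = True
    except OSError as exc:
        record["writable"] = False
        record["errno"] = exc.errno
    return record


def explain(record):
    """One-line interpretation of a triage record, mirroring the thread's symptom."""
    if not record["exists"]:
        return "file not found at that path"
    if record["size"] == 0 or record["bytes_read"] == 0:
        return ("0 bytes read: the file is empty or unreadable; report the path "
                "and hash instead of uploading")
    if record["writable"] is False:
        return ("contents hashed but file is write-locked (errno %s): removal "
                "needs a reboot-time tool" % record["errno"])
    return "file readable and not locked; safe to copy and upload"


def demo():
    """Triage two constructed samples (harmless bytes, not real malware)."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "constructed_sample.exe")
    empty = os.path.join(workdir, "constructed_empty.exe")
    with open(sample, "wb") as fh:
        fh.write(b"abc")  # constructed content
    open(empty, "wb").close()
    missing = os.path.join(workdir, "does_not_exist.exe")
    return {name: triage_file(p) for name, p in
            (("sample", sample), ("empty", empty), ("missing", missing))}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec["sha256"], explain(rec))
```

Run it against a real path by calling `triage_file(r"C:\path\to\suspect.exe")`; the hash it prints is what you would search for or post in a thread like this one when the upload itself fails.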



Posted by needhelp on March 30, 2007, 2:18 pm
Thanks! socks8b is deleted (though I couldn't find the backup in killbill so
couldn't submit to virus total).

But the virus isn't gone!!!! It has now infected a00085583.exe located:
systemvolumeinformation. I can't even find these files (conducted a file
search). You've been so helpful -- how can I find this file to delete?

"David H. Lipman" wrote:

>
> | when I submit the socks8b.exe file to virustotal I receive a message that
> | says 0 (zero) bytes transferred. what does that mean?
> |
>
> That means the File Handle of the EXE file is held open by the OS and you can't just
> delete it, copy it or easily submit it to Virus Total.
>
> Download, extract and execute Pocket KillBox
> http://www.bleepingcomputer.com/files/spyware/KillBox.zip
>
> Use that utility to remove the file. It should create a backup in; C:\!KillBox
>
> You should be able to submit "socks8b.exe" once the PC has rebooted and it is
> moved to; C:\!KillBox
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>
>

Posted by David H. Lipman on March 30, 2007, 4:13 pm

| Thanks! socks8b is deleted (though I couldn't find the backup in killbill so
| couldn't submit to virus total).
|
| But the virus isn't gone!!!! It has now infected a00085583.exe located:
| systemvolumeinformation. I can't even find these files (conducted a file
| search). You've been so helpful -- how can I find this file to delete?
|

If I understand you correctly, this is the WinXP System Restore cache. You can either
leave it there and it will eventually Cache Out, or you can disable the System Restore
cache, reboot the PC and then re-enable the System Restore cache, which will purge the
System Restore cache of this file. If you do purge the System Restore cache, after you
re-enable the cache you should set a new Restore Point.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by cquirke (MVP Windows shell/use on March 30, 2007, 5:01 pm
On Fri, 30 Mar 2007 16:13:38 -0400, "David H. Lipman"

>| Thanks! socks8b is deleted (though I couldn't find the backup in killbill so
>| couldn't submit to virus total).

>| But the virus isn't gone!!!! It has now infected a00085583.exe located:
>| systemvolumeinformation. I can't even find these files (conducted a file
>| search). You've been so helpful -- how can I find this file to delete?

>If I understand you correctly, this is the WinXP System Restore cache. You can either
>leave it there and it will eventually Cache Out, or you can disable the System Restore
>cache, reboot the PC and then re-enable the System Restore cache, which will purge the
>System Restore cache of this file. If you do purge the System Restore cache, after you
>re-enable the cache you should set a new Restore Point.

This is a bad way to purge SR, as it has side-effects, but there isn't
really a cleaner way to do this in WinME without resorting to DOS mode
(i.e. simply delete the C:\_RESTORE subtree in DOS mode).

In XP, a better way is to:
- create a new "clean baseline" Restore Point
- run Disk Cleanup, More Options tab
- purge all but most recent restore point
- back to "general" tab, UNcheck what you don't want cleared
- OK to apply Disk Cleanup (else old SR data is not purged)

The reason to prefer these approaches is that any SR settings you may
have applied (capacity limit in WinME, capacity limits and excluded HD
volumes in XP) are preserved, whereas disabling and re-enabling SR
will usually fall back to "waste maximum space everywhere" duhfaults.

It's also good to have a baseline restore point in XP, because (unlike
WinME) the SR data in the SVI subtree is the only automatic registry
backup that is maintained by XP.




>------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
>------------ ----- ---- --- -- - - - -
