Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virus Infection - Winsn.exe / Winsos.exe / Shovth.exe / Reg.exe


  • Please log in to reply
4 replies to this topic

#1 unclelew

unclelew

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 20 December 2007 - 08:55 PM

I have ths nasty infection that keeps re-generating. AVG found w32.Small.GYE and removed it. But this bugger keeps coming back. These files keep returning winsn.exe, winsos.exe, shovth.exe,reg.exe.

this infection does not allow hiiden files to be seen. Contents of My computer will not display.

Has anyone had any experience with this one!!

thanks.

BC AdBot (Login to Remove)

 


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,416 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:29 PM

Posted 20 December 2007 - 11:23 PM

Welcome to th Forum unclelew. Please follow the BC Tutorial instructions below. Let us know ...

How to remove Ultimate Defender (Removal Instructions)
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:29 PM

Posted 21 December 2007 - 01:53 PM

Your going to need specialized tools and assistance with removal of this infection.

Please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". In step #9 there are instructions for downloading HijackThis and creating a log. (This is a self-extracting version which will automatically install HJT in the proper location.) If using Windows Vista, be sure to Run As Administrator.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate if you post a link to your log back here so we know that your getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 unclelew

unclelew
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:09:29 PM

Posted 28 December 2007 - 08:50 PM

Hello,

Sorry for the long delay. I ran HJT, AVG, And SuperAntispyware, but this bugger kept returning. I noticed that it was creating executable files with the same name as the folders that were on the root of C, windows folder had a windows.exe and it was 87KB, the same for all the profiles I had; all users.exe, desktop.exe, ect. Since the infecton started on the 19th I did a search for files created on the 19th and deleted all the exe's. The same for all the files listed above(winsos.exe,winsn.exe...ect) I also looked for trayicons.exe and autorun.ini(all hidden). that's the one that prevents my computer icon from opening. I downloaded the last AV definitions from nortons and it seems to have gone away but I'll keep you posted.

thanks,

Lew

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,592 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:29 PM

Posted 29 December 2007 - 12:43 AM

One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to to gain unauthorized access to a computer and take control of it without your knowledge. Read the Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Although the backdoor Trojan has been identified and may be removed, your PC has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume that because the backdoor Trojan has been removed the computer is now secure. Many experts in the security community believe that once infected with this type of malware, the best course of action is to reformat and reinstall the OS - "When should I re-format?".

Should you decide not to follow that advice I recommend you follow the instructions I provided to post a hijackthis log. I doubt the entire infection is gone.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users