
Thread: Winsock32...problem or not?


  1. #1 (Join Date: Jan 2007; Posts: 5)


    I have been reading everywhere possible on this issue, and simply find too many conflicting things about it. Is it a virus (or worm...) or not? HijackThis does not like it, and I delete it from there, but it comes right back on a new scan.

    I have run everything imaginable after I had an attack last week that infected my computer, and thought I got everything. However, I noticed that my services.exe process kept climbing up to 155k and bogging down my machine, so I got cracking again. I got rid of a few more worms this morning, but the winsock32 keeps appearing. Upon looking in my registry, winsock32 is freaking everywhere, so I don't want to just delete all the instances, but then again, HijackThis and several other sites have it as being a worm and a problem. Also, HijackThis states it is in C:\Windows... but I cannot actually find it there upon looking. Yes, I have unhidden hidden files and folders.

    Can anyone shed some light on this? I'd appreciate any help. This one just has me stumped.

    Here is my log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebSe...veX/ofmctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

  2. #2 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    This log looks incomplete. Was it run in Safe Mode? When was it run? Basically the only programs showing are your anti-virus program and Webshots; this is what makes this very incomplete. There had to be other things running unless all else was disabled prior to running HJT.
    The unnecessary programs that should NOT be running during an HJT scan are basically browsers, IM programs, music programs and the like. Go ahead and allow the others to run as they normally would.

    Always include that top portion which reads like this;
    Logfile of HijackThis v1.99.1
    Scan saved at 6:03:53 AM, on 1/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Otherwise we know nothing about the computer's operating system.

    I would say, yes, you have "something nasty" on the computer; at present we don't know what... a hijacker, trojan, worm? We don't know yet. For heaven's sake don't go deleting files at random; we have to know exactly what we may be dealing with first. What were the names of the worms you removed, where were they located, and how did you remove them?

    Begin cleaning by going to this link
    Follow ALL the steps given, in the order given, exactly. Once you have completed all those steps (and take NO OTHER STEPS until requested), run a NEW HJT scan and save the entire log as a text file. Post back here with THAT log and the AVG Anti-Spyware log, which is one of the tools you will run from the link above.

  3. #3 (Join Date: Jan 2007; Posts: 5)

    The log is not incomplete except for the top portion. That is what is running on my computer. I keep it very clean and orderly. Here is the entire log of everything.

    Also, I have not been just randomly deleting files. I have done sweep after sweep, and as you will see, the worms I deleted this morning were removed with the EZ Antivirus software. All adware and trojans were deleted last week with either Spybot, Ad-Aware, or by knowing of files that did not belong.

    My major problem is the last entry in the HijackThis log. That is what I am concerned about.

    Here is the entire log again.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:25:27 AM, on 1/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmesus.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {B2FCED61-570E-11D3-B160-00A0C9E70E84} (OmniForm Form Control) - https://www4.lsac.org/LSACD_XMLWebSe...veX/ofmctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe

  4. #4 (Join Date: Jan 2007; Posts: 5)

    I ran Ewido. It found the winsock32.exe problem just as HijackThis did. It also found two tracking cookies, which it also deleted. But just like before, after deletion it immediately reappears. Before you ask, it doesn't matter if it is deleted in Safe Mode either; it just comes right back. After running a second scan with Ewido, it did not find the winsock32.exe. However, HijackThis continues to find it, and it keeps reappearing after it is fixed. This is where I need some help. Can someone help with this? This is the only remaining problem I have. I've run the cleaners (Crap Cleaner, ATF Cleaner) and done all the necessary scans. The winsock32.exe is the only remaining problem I have left. Any help would be appreciated.

  5. #5 (Join Date: Jan 2007; Posts: 5)

    Oh, and also, when I type in msconfig and go to Services, there is an instance of winsock32. It is stopped and not running, but it remains there.

  6. #6 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    Quote, originally posted by dg76:
        Oh, and also, when I type in msconfig and go to Services, there is an instance of winsock32. It is stopped and not running, but it remains there.

    That is not where you see if it is running. Most disabled items remain in msconfig; that is not a problem.
    Go to Task Manager and see... Ctrl-Alt-Delete will get you there.
    We need to see the actual original Ewido log.
    The entry in the HJT log just means that it is set by XP Services to run on start-up.
    You can remove these in one of three ways; there are several ways you can delete the service key:
    1. Delete it using XP's SC command. You would type the following from a command prompt:

      sc delete winsock32

    2. Use HijackThis to delete the service. Click on Config, then Misc Tools, and then press the "Delete an NT service..." button. When it opens, enter the service name and press OK.
    Last edited by jholland1964; 01-20-2007 at 03:39 PM.

  7. #7 (Join Date: Aug 2006; Posts: 578)

    Quote, originally posted by jholland1964:
        2. Use HijackThis to delete the service. Click on Config, then Misc Tools, and then press the "Delete an NT service..." button. When it opens, enter the service name and press OK.

    This is the better option.

    This baddie adds values to 8 or 9 registry keys as well as modifies the Hosts file.

    A complete removal would have to address those issues. There should be a good Sophos write-up to guide you.

    Cheers
    PP
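    The two posts above describe the removal steps (check Task Manager, then delete the service with `sc delete`) and warn that the same malware family also plants values in several registry keys and edits the Hosts file. The script below is an added example written for this thread, not code from either poster or from any tool they mention. It collects those facts before anything is deleted, which is what the earlier reply asked for when it said not to delete at random. It assumes a current Windows PowerShell with `Get-FileHash` and `Get-AuthenticodeSignature` (PowerShell 4 or later, so not the XP machine in the thread as-is), must be run from an elevated prompt, and the service name and the list of autostart keys it searches are illustrative assumptions, not a claim about where this particular malware lives.

    ```powershell
    # Triage a suspicious Windows service BEFORE deleting it.
    # Added example for this thread; not from the original posters.
    # Assumptions: elevated prompt, PowerShell 4+, service name supplied by the caller.
    param([string]$Name = 'winsock32')

    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"

    # 1. Is the service defined, and what binary does it point at?
    if (Test-Path $svcKey) {
        $svc = Get-ItemProperty -Path $svcKey
        Write-Host "Service key : $svcKey"
        Write-Host "ImagePath   : $($svc.ImagePath)"
        Write-Host "Start type  : $($svc.Start)"   # 2 = automatic, 3 = manual, 4 = disabled

        # Reduce ImagePath ("C:\x\y.exe" -arg, or C:\x\y.exe -arg) to the bare executable path.
        $exe = ($svc.ImagePath -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        if (Test-Path $exe) {
            # -Force is needed to see files carrying the hidden/system attributes.
            $file = Get-Item -Path $exe -Force
            Write-Host "File exists : $exe ($($file.Length) bytes, attributes: $($file.Attributes))"
            Write-Host "SHA256      : $((Get-FileHash -Algorithm SHA256 -Path $exe).Hash)"
            Write-Host "Signature   : $((Get-AuthenticodeSignature -FilePath $exe).Status)"
        } else {
            # A service entry whose file is absent is either a stale key or a file hidden from the API.
            Write-Host "File missing: $exe (stale service entry, or the file is being hidden)"
        }
    } else {
        Write-Host "No service key named '$Name' found"
    }

    # 2. Is anything with that name actually running right now? (the Task Manager check)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | Select-Object Id, Path

    # 3. Which common autostart locations reference the name? This is where a "keeps coming back"
    #    entry is usually re-created from. The list is illustrative, not exhaustive.
    $autostarts = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($k in $autostarts) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        $props.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -match [regex]::Escape($Name) } |
            ForEach-Object { Write-Host "Autostart   : $k\$($_.Name) = $($_.Value)" }
    }

    # 4. Has the Hosts file been tampered with? Print every active (non-comment) line.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Write-Host "Hosts entries (anything beyond the localhost lines deserves a look):"
    Get-Content -Path $hostsPath | Where-Object { $_ -match '^\s*[^#\s]' }

    # 5. Only once the above is understood: stop and remove the service.
    #    Uncomment to act. This is the same thing as "sc stop winsock32" / "sc delete winsock32".
    # Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    # sc.exe delete $Name
    ```

    On an XP-era machine without PowerShell, step 3 can be approximated from a command prompt with `reg query HKLM /f winsock32 /s` (and the same for HKCU), which lists every key and value under that hive whose name or data contains the string. Record the hash from step 1 before deleting anything so the sample can be identified later, and re-run steps 1 to 3 after the delete to confirm nothing re-created the entry.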

  8. #8 (Join Date: Jan 2007; Posts: 5)

    So then winsock32 is bad? The reason I ask is because it is in so many places in the registry. I saw the Sophos write-up online, but had never heard of them before, so I did not trust it. You are saying all instances of winsock32 should go?

    As far as it being in my processes under Ctrl-Alt-Del, it is not there and hasn't been. I was just concerned about it because I had found it in HijackThis, and it was not present in previous logs before this.

    As far as the Ewido log, I must have missed something, as I did not see the option for the log, just to remove the couple of things on there.

  9. #9 (Join Date: Aug 2006; Posts: 578)

    Quote, originally posted by dg76:
        So then winsock32 is bad? The reason I ask is because it is in so many places in the registry. I saw the Sophos write-up online, but had never heard of them before, so I did not trust it. You are saying all instances of winsock32 should go?

    To answer your question, I would say yes, this is a baddie and needs to go.

    But further analysis is needed to determine exactly which baddie it is... there are a number of different baddies that use winsock32.exe. The path it runs from and the registry keys differ among the various baddies, and we'd need to pin them down.

    Perhaps a WinPFind2 log......?

    I am heading out the door, but Judy will be able to help you, and I really don't want to step on her toes.


    Best Luck
    PP

  10. #10 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)

    Download WinPFind2
    Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large numbers of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more.

    When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log here.
