GoFuckYourself.com - Adult Webmaster Forum

GoFuckYourself.com - Adult Webmaster Forum (https://gfy.com/index.php)
-   Fucking Around & Business Discussion (https://gfy.com/forumdisplay.php?f=26)
-   -   strange virus (https://gfy.com/showthread.php?t=137031)

SteveLightspeed 05-25-2003 04:19 PM

strange virus
 
I seem to have a bizarre virus that is causing lots of pages (including lightspeedcash.com) to be redirected to someone else's page.

I ran Ad-Aware; it didn't pick it up.

I ran Norton AntiVirus, nothing -- it says to delete wininetd.exe, but the file is in use and cannot be deleted.

Any suggestions from the experts?

pantymaniac 05-25-2003 04:21 PM

Yeah, you can delete it in the DOS screen when you boot your computer. Type F8 - F9,
I don't remember well, and go to the DOS screen.

KRL 05-25-2003 04:32 PM

Bleach or a blowtorch will kill all viruses.

gruffy 05-25-2003 04:35 PM

Quote:

Originally posted by Lightspeed
Any suggestions from the experts?

Abstinence is the only real way to avoid these kind of problems.

evildick 05-25-2003 04:41 PM

Try spybot. It sometimes works better than adaware.

SABAI 05-25-2003 04:44 PM

The TROJ_WORTRON.10B Trojan generates worm samples that it can easily modify. This worm uses Simple Mail Transfer Protocol (SMTP) commands to send emails to recipients listed in the infected user's Windows Address Book. The email format depends on how the Trojan designs it. The subject field, message body, and attachment arrive as different text strings, and the email format is different for every worm.

This worm may or may not do the following:

-   Search HTML files for email addresses and send copies of itself to them.
-   Steal passwords and send them to a certain email address. It may send a file containing key logs at every system startup or once a day.
-   Terminate installed firewall products such as "OUTPOST.EXE" and "ZONEALARM.EXE".
-   Display a message box on the first execution of the worm on the infected system.

Upon execution, this worm installs itself on the system. It drops a WININET.EXE file in the Windows System directory. It then modifies the system registry so that WININET.EXE executes whenever an application file is executed in the Windows environment. To do this, it changes the data from ""%1" %*" into "%sysdir%\wininet.exe "%1" %*" in the default value of the following registry keys:

HKEY_CLASSES_ROOT\exefile\shell\open\command

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

Thereafter, when the password stealing option is enabled, it creates an EXELIB.DLL file in the System directory, where possible passwords are contained. It sends EXELIB.DLL to a certain email address every system startup or once a day. The certain email address is pre-set when the worm was generated.
It then displays a message box, which the Trojan generates for the worm. This message box is also optional from the generation of the worm.

SABAI 05-25-2003 04:45 PM

Description:

The Trojan, TROJ_WORTRON.10B generates this worm, which propagates via email. It sends copies of itself to all email recipients listed in the infected user's Windows Address Book.

Solution:

1. Open the Registry Editor. Click Start > Run, type REGEDIT, then hit the Enter key.
2. In the left panel, double-click the following: HKEY_CLASSES_ROOT>exefile>shell>open>command
3. In the right panel, locate and modify the "(Default)" entry: change the data value from "%sysdir%\wininet.exe "%1" %*" to "%1" %*".
4. Again in the left panel, double-click the following: HKEY_LOCAL_MACHINE>Software>CLASSES>exefile>shell>open>command
5. In the right panel, locate and modify the "(Default)" entry: change the data value from "%sysdir%\wininet.exe "%1" %*" to "%1" %*".
6. Restart your system.
7. Scan your system with Trend Micro antivirus and delete all files detected as WORM_WORTRON.10B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other email users may use HouseCall, Trend Micro's free online virus scanner.

SABAI 05-25-2003 04:47 PM

If W32.Wotron.Worm is executed, it does the following:

It copies itself as %System%\Wininet.exe.

If the password-stealing component was enabled, it creates the following files:

%System%\Sysd.dll
%System%\Exelib.dll

Also, if the password-stealing component was enabled, the worm sends passwords that it finds on the infected computer to the worm's creator. The file that contains the stolen passwords is Exelib.dll.

In the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

it changes the (Default) value to

%System%\wininet.exe "%1" %*

This causes the worm to run when you attempt to run an .exe file.

The worm can also be configured to stop personal firewall and antivirus programs, and to display a message the first time that it is run.

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

-   Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
-   If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
-   Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
-   Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
-   Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
-   Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
-   Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.


To remove this worm:

1. Update the virus definitions, run a full system scan, and delete all files that are detected as W32.Wotron.Worm.
2. If the worm has run, restore the value in the registry key

HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command

to

"%1" %*

For details on how to do this, read the following instructions.

To scan with Norton AntiVirus and delete the infected files:

NOTE: If the worm has already run, you may have to do this last. If programs such as Norton AntiVirus no longer start, first follow the instructions in the section "How to restore the default value of the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command," which follows this section.

1. Obtain the most recent virus definitions. There are two ways to do this:
   -   Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions have undergone full quality assurance testing by Symantec Security Response and are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
   -   Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions have undergone full quality assurance testing by Symantec Security Response. They are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

   Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files.
   -   NAV Consumer products: Read the document How to configure Norton AntiVirus to scan all files.
   -   NAV Enterprise products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
3. Run a full system scan.
4. Delete all files that are detected as W32.Wotron.Worm.

How to restore the default value of the registry key HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

The worm modifies the registry so that an infected file is executed every time that you run an .exe file. Follow these instructions to fix this.

Copy Regedit.exe to Regedit.com:
Because the worm modified the registry so that you cannot run .exe files, you must first make a copy of the Registry Editor as a file with the .com extension and then run that file.

1. Do one of the following, depending on which version of Windows you are running:
Windows 95/98: Click Start, point to Programs, and click MS-DOS Prompt.
Windows Me: Click Start, point to Programs, point to Accessories, and then click MS-DOS Prompt.
Windows NT/2000/XP:
a. Click Start, and click Run.
b. Type the following, and then press Enter:

command

A DOS window opens.
c. Type the following, and then press Enter:

cd \winnt

d. Go on to the next step.

2. Type the following, and then press Enter:

copy regedit.exe regedit.com

3. Type the following, and then press Enter:

start regedit.com

4. Proceed to the section "To undo the changes that the worm made to the registry" only after you have accomplished the previous steps.

NOTE: The Registry Editor will open in front of the DOS window. After you finish editing the registry and have exited Registry Editor, close the DOS window.

To undo the changes that the worm made to the registry:

CAUTION: Symantec strongly recommends that you back up the system registry before you make any changes. Incorrect changes to the registry can result in permanent data loss or corrupted files. Please make sure that you modify only the keys that are specified in this document. For more information about how to back up the registry, please read How to back up the Windows registry before proceeding with the following steps. If you are concerned that you cannot follow these steps correctly, then please do not proceed; consult a qualified computer technician for more information.

1. Navigate to and select the following key:

HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command

CAUTION: This key contains many subkey entries that refer to other file extensions. One of these file extensions is .exe. Changing this extension can prevent any files ending with an .exe extension from running. Make sure you browse all the way along this path until you reach the \command subkey.
Do not modify the HKEY_LOCAL_MACHINE\Software\CLASSES\.exe key.
Do modify the HKEY_LOCAL_MACHINE\Software\CLASSES\exefile\shell\open\command subkey that is shown in the following figure:

[Figure: Registry Editor with the ...\exefile\shell\open\command subkey selected. NOTE: Modify this key.]


2. Double-click the (Default) value in the right pane.
3. Delete the current value data, and then type "%1" %*
(That is, type the following characters: quote-percent-one-quote-space-percent-asterisk.)

NOTES:
On Windows 95/98/NT, the Registry Editor will automatically enclose the value within quotation marks. When you click OK, the (Default) value should look exactly like this: ""%1" %*"
On Windows 2000/XP, the additional quotation marks will not appear. In these environments, the (Default) value should look exactly like this: "%1" %*

4. Make sure that you completely delete all value data in the \command key prior to typing the correct data. If you accidentally leave a space at the beginning of the entry, any attempt to run program files will result in the error message, "Windows cannot find .exe." or "Cannot locate C:\ <path and file name>."
5. Exit the Registry Editor. If you have not run the full system scan as directed in the previous section, do so now.
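Both write-ups pasted above describe the same persistence trick: the (Default) value of exefile\shell\open\command is rewritten from "%1" %* to %System%\wininet.exe "%1" %*, so the dropped file runs in front of every .exe, and the fix is to put "%1" %* back. As an added example (not code from this thread, from Trend Micro or from Symantec), here is a small Python audit for that value: it parses a `regedit /e` export, flags the two command keys whenever their default data is anything other than "%1" %*, reports what was prepended, and emits a .reg file that restores the defaults. The embedded export is constructed for the example; the path C:\WINDOWS\SYSTEM32\wininet.exe in it is a made-up stand-in for the write-ups' %System%\wininet.exe.

```python
import re
from typing import Dict, Optional

# Clean (Default) data for the exefile open command, as quoted in the
# Trend Micro and Symantec write-ups above.
EXPECTED_COMMAND = '"%1" %*'

# The two command keys the write-ups say the worm rewrites. HKCR\exefile is a
# merged view of the HKLM key, so either one being dirty is a finding.
EXEFILE_COMMAND_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Classes\exefile\shell\open\command",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command",
)

# Constructed sample of what `regedit /e` writes on a hijacked machine.
# This is made-up data for the example, not a capture from a real infection.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile]
@="Application"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="C:\\WINDOWS\\SYSTEM32\\wininet.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape_reg_string(s: str) -> str:
    """Undo .reg string escaping: a backslash protects the next character
    (so \\\\ becomes \\ and \\" becomes ")."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ values of a regedit export into {key: {name: data}}.
    The default value is stored under the name "@"; hex:/dword: data is skipped."""
    result: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    value_re = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        m = value_re.match(line) if current else None
        if not m:
            continue
        name = "@" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            result[current][name] = unescape_reg_string(data[1:-1])
    return result


def hijacker_of(data: str) -> Optional[str]:
    """Return whatever was prepended in front of the %1 placeholder, if anything."""
    idx = data.find("%1")
    head = data[:idx] if idx >= 0 else data
    head = head.strip().strip('"').strip()
    return head or None


def audit_exefile_command(export_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Classify each exefile command key as clean, hijacked or missing."""
    parsed = {k.lower(): v for k, v in parse_reg_export(export_text).items()}
    report: Dict[str, Dict[str, Optional[str]]] = {}
    for key in EXEFILE_COMMAND_KEYS:
        values = parsed.get(key.lower())
        if values is None or "@" not in values:
            report[key] = {"status": "missing", "data": None, "hijacker": None}
            continue
        data = values["@"]
        clean = data.strip() == EXPECTED_COMMAND
        report[key] = {
            "status": "clean" if clean else "hijacked",
            "data": data,
            "hijacker": None if clean else hijacker_of(data),
        }
    return report


def repair_reg_text() -> str:
    """Build a .reg file that restores "%1" %* on both command keys."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in EXEFILE_COMMAND_KEYS:
        lines += [f"[{key}]", '@="\\"%1\\" %*"', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    for key, finding in audit_exefile_command(SAMPLE_EXPORT).items():
        print(f"{finding['status']:9} {key}  ->  {finding['data']!r}  prepended: {finding['hijacker']}")
    print(repair_reg_text())
```

Export the keys first (`regedit /e export.reg HKEY_LOCAL_MACHINE\Software\Classes\exefile`), run the audit over the file, and only then import the generated repair file with `regedit /s`. Keep in mind that regedit.exe is itself an .exe and will not launch while the hijack is in place, which is exactly why the Symantec steps above copy it to regedit.com first; the same import can also be done from a clean boot environment.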

SABAI 05-25-2003 04:50 PM

All these were found at different AV sites, but for Wininet.exe.

It must be the same as Wininetd.exe, but all I've found about it was in Japanese.

Hope this helps anyway.

Sosa 05-25-2003 04:54 PM

Norton sucks.


http://www.my-etrust.com

D/l their 30-day trial and then scan your hard drive with it.

This is the best virus remover we have found, and we use it all the time at the PC shop.

