Windoze issue

The Dark Side of Will
Peer Mediator
Posts: 15629
Joined: Wed Nov 24, 2004 11:13 pm
Location: In the darkness, where fear and knowing are one

Windoze issue

Post by The Dark Side of Will »

Using AVG free with windoze 2K. Recently downloaded AV update and subsequent virus scan found virus in wsock32.dll
In reboot following attempted healing of this file, the following problem popped up:

The system makes it through the low res "Win 2K loading" screen and the desktop background color pops up for a second, then a BSOD comes up with a short message about a fatal error requiring restart, then the screen goes blank and the computer restarts. The message is not on the screen long enough to determine what the fatal error is and what it involves, so I don't know how to go about fixing it. Does anyone have any ideas about how to get it to stick around?

I'll be going to Linux before the end of the year, so this is only a short term problem.

Heck, I'm not even too worried about getting the computer (a laptop) to fire up again, as long as I can recover some data from the hard drive...
eHoward
Banned
Posts: 2162
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

I like the Microsoft Windows One Care. It's free for now and much better than AVG.

I'm not a windows guy so I can't help you boot the thing. I would try a recovery cd if you've got one.
DiggityBiggity

Post by DiggityBiggity »

Probably a stupid question.. but have you pressed F8 before the computer reboots??

If not.. it brings you to a boot sequence screen.. try SAFE MODE.. and from there.. you may be able to recover data
The Dark Side of Will
Peer Mediator
Posts: 15629
Joined: Wed Nov 24, 2004 11:13 pm
Location: In the darkness, where fear and knowing are one

Post by The Dark Side of Will »

Yeah, it comes up in safe mode, where AVG refuses to give me the option to heal the file...

Does USB work in Win2K safe mode? That's basically my only way of getting info off this machine.
Aaron
I just wanna ride my motorcycle
Posts: 5957
Joined: Sun May 29, 2005 5:15 am

Post by Aaron »

Just delete your System 32 folder.

Worked for me.



:scratch:
Kohburn
FierHo
Posts: 4748
Joined: Fri Apr 01, 2005 10:15 am
Location: Maryland on the bay

Post by Kohburn »

If you have a second hard drive or another computer, you can boot from the other hard drive and then just pull the info you want from the bad one.
whipped
Posts: 4719
Joined: Tue Mar 22, 2005 11:17 am
Location: Bomb shelter, FL

Post by whipped »

yeah, if it's a laptop, just get one of those 3.5" IDE adapters and install it in a desktop to copy stuff over.
zonyl
not really
Posts: 293
Joined: Wed Nov 24, 2004 7:58 am

Post by zonyl »

Don't need to pull the drive out. Boot the Knoppix CDrom and copy the files over usb or nic to another machine. Oddly I have had to do this twice recently for similar reasons as you are experiencing.

If you need more details, I would be glad to help via email.
p8ntman442
cant get enough of this site!
Posts: 3289
Joined: Wed Mar 30, 2005 2:37 pm

Post by p8ntman442 »

zonyl wrote: Don't need to pull the drive out. Boot the Knoppix CDrom and copy the files over usb or nic to another machine. Oddly I have had to do this twice recently for similar reasons as you are experiencing.

If you need more details, I would be glad to help via email.
^^^ do that, then wipe the hd and reformat, clean install. Make sure your virus scanner is on and up to date b4 you pull files over though.
Series8217
1988 Fiero Track Car
Posts: 5989
Joined: Thu Jun 02, 2005 9:47 pm
Location: Los Angeles, CA

Post by Series8217 »

Some of the better antivirus software allows you to download updated definitions (from another computer) then burn to a CD and boot off of it to clean up your infected system.
Also, did you write down the name of the virus? If you look it up on Symantec's virus database they generally have specific instructions on how to remove it. You can also do a Google search to see how others have had success if they got to the same point you're at.. it's generally pretty hard to find but I'll often find on some Russian forum or something there is a solution.
BigRedDeckSpoiler
Posts: 232
Joined: Wed May 04, 2005 1:10 pm
Location: Down Souf

Post by BigRedDeckSpoiler »

Google "wsock32.dll virus" without the quotes.

There's a few things that it could be. Most of them point to the "happy99" virus, although there are a couple of others that alter wsock32.dll as well.
Wsock32.dll is the file that allows TCP/IP (your internet protocol) to work.
The BSOD is probably happening because it's tripping up, trying to start the network.
Just for grins, you might try copying wsock32.dll from another working W2K machine, to your windows\system32 folder. The one on my XP machine is only 21K, so it should fit on a floppy just fine. Copying system files doesn't always work on NT based machines, but it's definitely worth a try.
BRDS
Series8217
1988 Fiero Track Car
Posts: 5989
Joined: Thu Jun 02, 2005 9:47 pm
Location: Los Angeles, CA

Post by Series8217 »

The virus probably lives in another file that overwrites the real winsock32.dll when it loads. Replacing or deleting winsock32.dll won't solve the problem.
BigRedDeckSpoiler
Posts: 232
Joined: Wed May 04, 2005 1:10 pm
Location: Down Souf

Post by BigRedDeckSpoiler »

Series8217 wrote: The virus probably lives in another file that overwrites the real winsock32.dll when it loads. Replacing or deleting winsock32.dll won't solve the problem.
Very true. But hopefully, the antivirus software has or will snag the perpetrator.
If not, maybe one of the googled links will provide enough info to kill it.
No guarantees, but it's something to try.
BRDS
MNFatz
Posts: 553
Joined: Thu Dec 01, 2005 9:28 pm

Post by MNFatz »

BigRedDeckSpoiler wrote:Google "wsock32.dll virus" without the quotes.

There's a few things that it could be. Most of them point to the "happy99" virus, although there are a couple of others that alter wsock32.dll as well.
Wsock32.dll is the file that allows TCP/IP (your internet protocol) to work.
The BSOD is probably happening because it's tripping up, trying to start the network.
Just for grins, you might try copying wsock32.dll from another working W2K machine, to your windows\system32 folder. The one on my XP machine is only 21K, so it should fit on a floppy just fine. Copying system files doesn't always work on NT based machines, but it's definitely worth a try.
You should be able to stick in the original CD and choose 'repair an existing installation'. That will preserve your personal files, but you'll have to reinstall 3rd party software.

wsock32.dll is the .dll most of the socket functions are exported from. Sockets=the nuts n bolts of the windows os connecting to a network like someone else said.

Copy it from another machine or extract it off of your original setup disks. You should be able to start the machine in safe mode (f8) to prevent the network related functionality from loading. If you STILL have the problem reboot into safe mode and step through the login to see precisely where it's bombing at.

This might go away if you turn the system file protection feature back on; it all depends on when the last image of the machine was taken. This feature marks all the system related dlls as protected and will allow deletion, renaming, changing, etc, but will immediately copy back the old version out of a cache. I've never seen this work, but if you're in the realm of last resorts you might as well give it a try.
Series8217
1988 Fiero Track Car
Posts: 5989
Joined: Thu Jun 02, 2005 9:47 pm
Location: Los Angeles, CA

Post by Series8217 »

That reminds me..
If you can boot into safe mode, go to Start>Programs>Accessories>System Tools>System Information.
Click on the tools menu, find "System File Checker" or "File Signature Verification Utility" and run that. It should check your system files against the originals in the CABs or on the CD and replace them as necessary. It may fix your problem, but again the virus may reside elsewhere. It's worth trying if you have to save the system though.
zonyl
not really
Posts: 293
Joined: Wed Nov 24, 2004 7:58 am

Post by zonyl »

Series8217 wrote:That reminds me..
If you can boot into safe mode, go to Start>Programs>Accessories>System Tools>System Information.
Click on the tools menu, find "System File Checker" or "File Signature Verification Utility" and run that. It should check your system files against the originals in the CABs or on the CD and replace them as necessary. It may fix your problem, but again the virus may reside elsewhere. It's worth trying if you have to save the system though.
There are some pretty sophisticated root kits nowadays for Windoze (Ring-0 stuff now), far more than what the media and AV companies even realize.

To prevent / counter this problem, I installed linux on my work pc, and run Windows and my work applications in a VMWare image now (save all of my docs via samba to the linux host). At the slightest hint something is wrong with Windows, in a couple of seconds I pull back the VMWare image to a prior checkpoint, and I'm off to the races again. I will even run Windows now in non-persist mode if I am comfortable with the setup of my applications.

On the linux side, I run daily MD5's against all system bins from an MD5 master file located on a partition that only gets mounted upon check.
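The baseline-and-verify check described in the post above, as an added example (not zonyl's script or anything posted in the thread). It substitutes SHA-256 for MD5, and the function names, the `master.sha256` file name and the temporary directories are assumptions; the second directory stands in for the partition that is mounted only during the check.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def digest(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def regular_files(root):
    """Relative paths of regular files under root; symlinks are skipped."""
    for dirpath, _dirs, names in os.walk(root):
        for full in (os.path.join(dirpath, n) for n in names):
            if os.path.isfile(full) and not os.path.islink(full):
                yield os.path.relpath(full, root)

def build_manifest(root, manifest):
    """Write '<digest>  <path>' lines, the layout sha256sum prints."""
    with open(manifest, "w") as out:
        for rel in sorted(regular_files(root)):
            out.write(f"{digest(os.path.join(root, rel))}  {rel}\n")

def verify(root, manifest):
    """Return files that changed, vanished, or appeared since the baseline."""
    with open(manifest) as f:
        known = {rel: d for d, rel in (l.rstrip("\n").split("  ", 1) for l in f)}
    present, listed = set(regular_files(root)), set(known)
    modified = [r for r in present & listed
                if digest(os.path.join(root, r)) != known[r]]
    return {"modified": sorted(modified),
            "missing": sorted(listed - present),
            "unlisted": sorted(present - listed)}

def demo():
    """Constructed sample: baseline three fake binaries, then tamper with them."""
    with tempfile.TemporaryDirectory() as bins, tempfile.TemporaryDirectory() as ro:
        for name in ("ls", "ps", "netstat"):
            Path(bins, name).write_bytes(b"original " + name.encode())
        manifest = os.path.join(ro, "master.sha256")  # stand-in for the offline partition
        build_manifest(bins, manifest)
        Path(bins, "ps").write_bytes(b"patched ps")   # modified binary
        Path(bins, "netstat").unlink()                # removed binary
        Path(bins, "sshd2").write_bytes(b"")          # file absent from the baseline
        return verify(bins, manifest)
```

A checker that runs on the live system trusts that system's kernel, so the Ring-0 rootkits mentioned in the same post can hide changes from it. Running the comparison from trusted boot media closes that gap.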
eHoward
Banned
Posts: 2162
Joined: Tue Aug 31, 2004 2:45 pm

Post by eHoward »

I like that idea.
zonyl wrote: On the linux side, I run daily MD5's against all system bins from an MD5 master file located on a partition that only gets mounted upon check.