Well, since that file is not the virus executable, but rather the infected
result of the virus, I assume that NAV was able to kill the virus itself
that created the infected wsock32.dll file, as well as remove the registry
entries that called the virus up at startup to infect the winsock file. If
this is the case, all you really need to do is replace that wsock32.dll file
with the valid one. As you discovered, this isn't easy, since WinXP uses
system file protection to prevent you from easily replacing that file. (Of
course, the virus would have defeated this moderate protection in order to
infect in the first place.) So, I have a couple of suggestions that might do
the trick. First, try running SFC /scannow from a command prompt window.
Have your WinXP CD handy because it may ask for it. This may detect the
bogus file and replace it with the proper original. If that doesn't work,
you can try a program called "move on boot" which allows you to designate a
file to replace or move on bootup, which should circumvent the XP file
protection. You'll probably need to expand the original wsock32.dll file
from the WinXP CD first, then designate the expanded file as the one you
want to move to the windows\system32 folder, overwriting the old infected
one. Then, rescan with NAV and verify that the infection is gone.
http://www.gibinsoft.net/gipoutils/bin/moveonb.exe
"MBell72398" <> wrote in message
news:...
> I am working on a machine that runs XP home version. It has a file infected
> with the w95.Hybris.gen virus. I have run NAV and it will not repair, quarantine
> nor delete the infected file. I have tried in safe mode also. Symantec does not
> have a removal tool for the .gen virus, but does have one to remove other
> W95.Hybris types. (Which they make a note that the tool will not work with .gen)
> The NAV files are updated.
> The source of the virus is
> \Device\Harddisk0\Partition1\WINDOWS\system\WSOCK32.DLL
> it states this is a compressed file within C:\undo\backup.cab which I cannot
> locate. I have tried scanning with sys restore on and off. Can someone shed
> some light on how to remove this? Also, as one may know from the file which is
> infected, I cannot get online except in safe mode.
> Thanks, Mike
> Please remove nospam to email me
> Michael Bell @Bell Electronics
> Rincon, GA.31326