SKA Virus

My wsock32.dll file has become infected with a virus. I detected this when I ran McAfee virus scanner. I downloaded instructions from the McAfee home site and the instructions tell me to rename wsock32.ska to wsock32.dll, but when I go to DOS and give the command to rename, I get the message duplicate file or file in use and will not rename. In explorer, under windows/system folder, I find the wsock32.ska file, but not the wsock32.dll file. I have tried to rename there with the same results.

When I run my virus scan and the ska virus is detected, I cannot clean or delete. If I cannot do any of the things above, what is the definitive answer?
shirshoo asked:
 
Kyle Schroeder (Endpoint Engineer) commented:
From Microsoft:
To resolve this issue:
 
1. Restart your computer. Press and hold down the CTRL key until you see the
  Windows 98 Startup menu (for Windows 95, press F8 when you see "Starting
  Windows 95"), and then choose Safe Mode Command Prompt Only.
 
2. Type the following commands, pressing ENTER after each command:
 
  cd windows\system
  copy liste.ska c:\windows\desktop\liste.txt
  del ska.dll
  del ska.exe
  ren wsock32.dll wsock32.old
  copy wsock32.ska wsock32.dll
 
3. Restart your computer normally.
 
NOTE: If Happy99.exe is run more than once on a computer, the Wsock32.ska file
also carries the virus payload. In these instances, you must extract a "clean"
copy of the Wsock32.dll file again.
 
MORE INFORMATION
================
 
Happy99.exe is a 32-bit Windows-based Trojan Horse virus. When you run this
program, it displays fireworks on the screen. It also creates two files named
Ska.exe and Ska.dll, copies your original Wsock32.dll file to Wsock32.ska, and
modifies the Wsock32.dll file.
 
The Wsock32.dll file cannot be modified if it is in use. If the Wsock32.dll file
is in use when you run the Happy99.exe program, it adds an entry to the registry
that runs Ska.exe the next time the computer is started, and then modifies the
Wsock32.dll file. The modified Wsock32.dll file detects when e-mail messages and
newsgroup postings are sent, and sends a copy of the Ska.exe file, named
Happy99.exe, in those messages. All e-mail addresses that are sent a copy of the
file are recorded in the Liste.ska file in the Windows\System folder. The
Liste.ska file is a text file, and you can view it by using any text editor
(such as Notepad).
---------------------------------------
The wsock32.ska is a backup of the "real" wsock32.dll.  The reason you can't see wsock32.dll in Explorer is because it is a hidden file.  As stated above, if the virus is executed twice, then the wsock32.ska is also infected.  In this case you'll need to extract a new one.

Start->Run->sfc
Now choose to extract a file, type in wsock32.dll.  Save it to c:\ (root directory).

Then boot to DOS mode, and type the following commands:

cd windows\system
ren wsock32.dll wsock32.vir
ren wsock32.ska wsock32.bad
copy c:\wsock32.dll .  (that is one period ".")
del ska.dll
del ska.exe

Then restart and the SKA virus should be gone.  Run a full VirusScan again to make sure.  Also be sure you have the latest DAT files in case you have a Happy99 (Ska) variant.

-dog*
0
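The choice described in the answer above (restore from Wsock32.ska, or extract a fresh Wsock32.dll when the backup is also modified) can be checked offline by comparing hashes. This is an added example, not part of the answer or of Microsoft's instructions; it assumes you have a copy of the Windows\System folder and a known-clean Wsock32.dll for the same Windows version, and the function names and sample file contents are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

DROPPED = ("ska.exe", "ska.dll")  # files the page says Happy99 creates

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def triage(system_dir, clean_wsock32):
    """Inspect a copy of the System folder and pick a source for wsock32.dll."""
    # FAT file names are case-insensitive, so index by lower-cased name.
    files = {p.name.lower(): p for p in Path(system_dir).iterdir() if p.is_file()}
    clean = sha256(clean_wsock32)

    def matches(name):
        return name in files and sha256(files[name]) == clean

    if matches("wsock32.dll"):
        source = "in-place"        # live DLL is already the clean one
    elif matches("wsock32.ska"):
        source = "wsock32.ska"     # backup is intact: copy it over the DLL
    else:
        source = "fresh-extract"   # backup modified too: extract a new copy
    return {
        "delete": [n for n in DROPPED if n in files],
        "recipient_log": "liste.ska" in files,  # keep it to notify recipients
        "wsock32_source": source,
    }

def demo():
    """Constructed sample: Happy99 run twice, so the .ska backup is modified."""
    with tempfile.TemporaryDirectory() as tmp:
        system = Path(tmp, "SYSTEM")
        system.mkdir()
        clean = Path(tmp, "wsock32.dll")
        clean.write_bytes(b"constructed clean wsock32 image")
        sample = {
            "WSOCK32.DLL": b"constructed modified image",
            "WSOCK32.SKA": b"constructed modified image",
            "SKA.EXE": b"x", "SKA.DLL": b"x", "LISTE.SKA": b"a@example.com\r\n",
        }
        for name, data in sample.items():
            (system / name).write_bytes(data)
        return triage(system, clean)

if __name__ == "__main__":
    print(demo())
```
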
 
stevenlewis commented:
If it can't find the wsock32.dll, it may be hidden.
Use the attrib command (from a DOS prompt, booted to DOS):
cd c:\windows\system
attrib -h -s -r wsock32.dll
del wsock32.dll
0
 
pjknibbs commented:
Files with the DLL extension are hidden by default in Explorer, no matter what their actual hidden status is--you need to look at the options for the Explorer window and set them to "Show all files" rather than "hide hidden and system files".
0
 
shirshoo (author) commented:
Jeff responded promptly with his answer, and referred me to a Symantec page with a program for removing the virus. I downloaded the program and removing the virus was simple and quick. I have also sent this program to persons that I may have infected with the virus too.

Thank you so much for your solution to my problem.

Bob
0
 