windows socket errors

**madrox** · October 31st, 2001, 12:31 PM

Recently I believed I received a virus on my machine, but I am unsure. The file was in my windows dir called uhoeuy.exe. The anti-virus program picked up nothing. Now all of a sudden, I am getting windows sockets error messages when I boot my pc. They are Windows socket error (10049) connect API. After some research, I notice it is a WSAEADDRNOTAVAIL (10049) Can't assign requested address . Is there a way to get rid of this error on a windows 98 machine? Also, do you think uhoeuy.exe is a virus? I backed everything up and deleted the exe file, so now whenver I boot, a message comes up looking for the file. Any suggestion?? Formating is always an option, but I want that as a last result. Thanks

**Rog** · October 31st, 2001, 12:51 PM

The file you deleted was likely a trojan file. If your antivirus didn't catch it, it might be missing other things as well.

If this error is not preventing you from accessing the internet, try an online scan here and note everything it finds:
http://housecall.antivirus.com/pc_housecall/

Also run and post the results of the StartupLog.txt file here:
http://home.earthlink.net/~rmbox/Reticulated/Toys.html

------------------
What the Dormouse said
http://forums.techguy.org

**madrox** · October 31st, 2001, 01:21 PM

I did the startup log and got this:

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file

norun=ehoeuy.exe

load=c:\windows\temp\temp.exe

I scanned the pc, and they all seem the be uncleanable. I can connect to the net, but until my cable modem is online, i get those windows socket errors Any suggestions?? Thanks

**Rog** · October 31st, 2001, 01:31 PM

It looks like the file has been disabled, but if you are getting error messages, there may be other things running causing it. We need to see the full startup log.

In the meantime make the load= and run= entries empty and remove the norun=

You should have only

run=
load=

Also run the exefix08 file from the Reticulated Toys site.

The infected files may be deletable and or restorable, but we need to know what they are. uhoeuy.exe is the trojan and can be deleted.

You may need to replace the wsock32.dll, but it would help to know the names of the trojan or virus infections identified.

------------------
What the Dormouse said
http://forums.techguy.org

**madrox** · October 31st, 2001, 01:41 PM

K, the exefix didnt find anything, but I also found this in the startup log:

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file

shell=Explorer.exe ehoeuy.exe

Eveyrthing else seems to be fine in the startup file. I made it so norun=ehoeuy is gone. Im gonna restart and see what happens

**Rog** · October 31st, 2001, 01:53 PM

You just want

shell=Explorer.exe

As for your startup programs, most people cannot tell good files from problem ones. Even the antivirus programs fail because some trojans and worms install "legitimate" clients which are not detected as infected, but which are left to load and run after cleaning. Many server type apps do this and could well cause socket errors.

------------------
What the Dormouse said
http://forums.techguy.org

[This message has been edited by Rog (edited 10-31-2001).]

**madrox** · October 31st, 2001, 01:59 PM

Ok, it fixed the windows problem trying to search for the exe file, but the windows socket error messages are still poping up. I have delted everything dealing with the virus. Any clues? Thanks

**Rog** · October 31st, 2001, 02:02 PM

In addition to what I said, if this infection just occured in the last 3 or 4 days, you could try restoring a previous registry. But if you restore one that does not predate the problem, you will have to re-edit what you have already done.

To restore a prior registry, restart in ms-dos mode and at the c:\windows\> prompt, enter:

scanreg /restore

look for a prior started registry. If you need to cancel out, ctrl-alt-del to restart windows.

------------------
What the Dormouse said
http://forums.techguy.org

**madrox** · October 31st, 2001, 02:16 PM

Restoring the registry doesnt work. It keeps saying that the operation has failed.

**Rog** · October 31st, 2001, 02:34 PM

That happens mostly when the oldest (5th) file is selected. There is a problem because it is overwritten at the same time it is being used to restore. It's probably unavailable now.

If you don't want to post the full startup log for me to have a gander, I don't know what else to suggest other than replacing wsock32.dll and reinstalling DUN; but the problem may not be those files, but something else still running at startup.

It sounds like you may be attempting to connect through a proxy host. Check your Internet Connection setup for that. And look in the Control Panel for a WSP icon.

Have a look at this link; if that trojan was a backdoor one it may have installed proxy client such as this:
http://support.microsoft.com/support.../2/67.asp?FR=0

------------------
What the Dormouse said
http://forums.techguy.org

[This message has been edited by Rog (edited 10-31-2001).]

**madrox** · October 31st, 2001, 02:39 PM

I sent the log file to ur email address. Thanks for your help.

**Rog** · October 31st, 2001, 03:04 PM

Well, first of all I see system.32.exe:
http://support.microsoft.com/support.../q175/3/12.asp
http://www.symantec.com/avcenter/ven...2.mari@mm.html

In addition, I see is a ****load of "spyware" and "foistware" that can cause problems. Ad-Aware will remove most of the spyware but no longer removes Newdot.net.

You have that, webhancer, savenow,"TimeSink Ad Client"="\"C:\\Program,

About Newdot.net, I suggest you see this link and obtain manual uninstall instructions (should they be needed) from support@new.net before attempting to remove it
http://www.cexx.org/newnet.htm

Both that and Webhancer can be very tricky to remove. Done wrong you will not have an internet connection.

Lavasoft recommends removing Webhancer through add/remove, then running their program to finish. Personally I'm skeptical of the Add/remove option, It might just be better to run Ad-Aware in safe mode.
http://www.lavasoftusa.com/
==========================================
I think system32.exe is probably causing your immediate problem so you should address that first:

Go to start and run: regedit

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

With the Run key highlighted, right click on system32.exe in the right hand pane and delete it. Delete the file from the windows\system directory.

------------------
What the Dormouse said
http://forums.techguy.org

**madrox** · October 31st, 2001, 03:30 PM

Well I got rid of system32.exe and the reg file, but its still giving me errors

Any other thoughts? thanks

**Rog** · October 31st, 2001, 04:11 PM

Let Ad-Aware do its thing. Then see about removing newdot.net. Unfortunately the manual uninstall instructions are very complicated. It looks as if you have GoBack installed, and you may need to resort to that if you get into serious trouble.

------------------
What the Dormouse said
http://forums.techguy.org

**Rog** · October 31st, 2001, 04:26 PM

One more method you can try for test purposes is to go to start>run and run msconfig

Click on the "Startup tab" and clear the checks for everything but Scanregistry and systray. Then restart and see if you get any errors. If not go back and re check selectively until you see which startup files are causing the problem.

You can reenable all if it still occurs. In that case you probably have a corrupt Windows installation.

------------------
What the Dormouse said
http://forums.techguy.org

Thread: windows socket errors

Thread Tools

Search Thread

Display

windows socket errors

Thread Information

Users Browsing this Thread

Posting Permissions