
winfree.exe is infected 1


TechInNeed

IS-IT--Management
Nov 14, 2002
168
CA
Winfree.exe in \windows\system32 directory is infected with a virus. Is it safe to delete this file?
 
According to my search results, it looks like winfree.exe is a utility to convert html to other formats like pdf and such. I doubt it was included with any version of windows, but post your windows version, so someone can check to be sure.
 
What virus did it tell you winfree was infected with?

Members of Tek-Tips provide answers to questions based on the information given. For the best answers, post detailed descriptions of the issue. Use the search features of the site to see if your issue was already addressed in another thread.
 
Sorry for the late response.

Smah
I am using Small Business Server (Windows 2000)

KimberTech
According to F-Secure see below for examples of the report. When I try to rename, delete or disinfect the files in question, it is not successful. It says that the files are located inside an archive. Please advise.

C:\WINNT\system32\winfree.exe\tftp8675 Infection: is a destructive program
C:\WINNT\system32\winfree.exe\winhelper.exe Infection: is a security risk or a "backdoor" program
C:\WINNT\system32\winfree.exe\WinOS.hlp Infection: Backdoor.IRC.Cloner
C:\WINNT\system32\winfree.exe\Advisory.nfo Infection: Backdoor.IRC.Flood.a
C:\WINNT\system32\winfree.exe\OS32.ini Infection: IRC-Worm.Froze
C:\WINNT\system32\winfree.exe\pnc.exe Infection: is a security risk or a "backdoor" program
 
Ahh..Winfree.exe is a folder name. Can you delete or rename the entire folder?
 
It is not a folder.
It is a file.
I have navigated to the specified location/path and verified that it is indeed a file and not a folder.
The exact error message when I try to delete, disinfect OR rename the file is
"The Object could not be accessed. The file is located inside an archive"
 
OK, so the winfree.exe is an archive of some sort (like a .zip or .cab file) that contains some infected files. Can you start the machine in command prompt only mode?

If so, navigate to C:\WINNT\System32 and type:
Del winfree.*
 
An archive is normally a file that contains others, such as a zip, arc or lzh file even if the extension is something else. Try setting F-Secure to avoid scanning archives then see if you can access it (be sure to turn it back on afterwards though).

Another way to try and delete it is to use the command prompt and Deltree copied from Win9x (be very careful if you don't know how to use this).

John
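
The replies above note that a file can be an archive whatever its extension says; reading its leading bytes is one way to check. This is an added example, not part of the thread: the function names and sample byte strings are constructed, and the thread does not say which format winfree.exe actually was.

```python
import re

# Leading signatures (magic numbers) of common archive formats.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MSCF", "cab"),
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
]
# LHA/LZH files carry a method id such as "-lh5-" at offset 2.
LZH_METHOD = re.compile(rb"-l[hz][0-9a-z]-")


def sniff(data: bytes) -> str:
    """Name the container format indicated by the leading bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    if LZH_METHOD.fullmatch(data[2:7]):
        return "lzh"
    if data.startswith(b"MZ"):
        return "pe"  # DOS/Windows executable header
    return "unknown"


def classify(filename: str, data: bytes) -> dict:
    """Compare what the extension claims with what the content is."""
    kind = sniff(data)
    embedded = None
    if kind == "pe":
        # A self-extracting archive is an executable stub followed by
        # archive data. Heuristic: report the earliest archive signature
        # found after the MZ header (a chance match is possible).
        hits = [(data.find(m, 2), n) for m, n in MAGIC]
        hits = [h for h in hits if h[0] != -1]
        embedded = min(hits)[1] if hits else None
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "content": kind,
        "embedded_archive": embedded,
        # An .exe name on non-executable content is a disguise worth flagging.
        "extension_mismatch": ext == "exe" and kind != "pe",
    }


# Constructed sample inputs (not real files).
ZIP_NAMED_EXE = b"PK\x03\x04" + b"\x00" * 26
SFX_STUB = b"MZ" + b"\x90" * 62 + b"MSCF" + b"\x00" * 32
PLAIN_EXE = b"MZ" + b"\x00" * 64
LZH_SAMPLE = b"\x22\x4e-lh5-" + b"\x00" * 16
```

On a real system, pass the first few kilobytes of the suspect file as `data`; a scanner that reports paths inside the file, as F-Secure did here, is treating it as one of these containers.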
 
I will try both approaches after hours to avoid any sort of downtime.
Btw, is this file ok to delete?
 
I expect it is - no workstation version of Windows comes with that archive in the System32 folder. I don't know for sure about SBS, but even if you have the application that converts html to some other format, it shouldn't be critical to windows and could probably be reinstalled.
 
Thanks man for all your help and thanks to everyone as well. I will try this tonight and keep you all posted.
 
I just searched a little differently than before and found this: Maybe someone installed this utility. If needed, it certainly could be installed again.
 
Update:
Well, my main concern with removing this file was that it may have been a critical file. After performing searches and being advised in this posting, I went ahead and deleted the file. I was not able to delete the file through F-Secure, but I was however able to delete it through Windows Explorer. I will reboot the system and then execute another scan.

Thanks again for all your help.
 