WIN2K WORM hiding itself


User_1900
April 23rd, 2008, 12:50 PM
Yesterday, while browsing the YAHOO Sports section I accidentally clicked on an advertisement and a new tab opened up with a website saying “Watch free NHL games”. I promptly closed the tab and continued browsing the same site and other sports websites…FOX, ESPN and BBC SPORTS. After a few minutes, a RED bordered NOD32 window showed up saying the following:

This Computer may be infected (I think) with a variant of the WIN2K (000000000) worm. Please check with the NOD32 system and that the system has the latest updates. Action: The connection to the internet has been terminated.

I said "I think" because I can't remember if it said infected for certain. I checked the virus logs….the above message was there, although for the Name section, it just said “This Computer”…no file or folder location was given. This was detected by the IMON module. When I double clicked on the entry, no new details were given about folder location.

After this, I ran:
NOD32 scan and clean – no infected files showed up
3 Anti-spyware scans – Windows Defender, Ad-Aware and A-Squared Free – Nothing but 4 Low Risk tracking cookies showed up…I deleted them
Zone Alarm Firewall – no intrusions appeared as having “got through”
NOD32 scan and clean – again, no infected files showed up

I really hope that I do not have to re-format. So, my question is, is there some way for me to find the location of the infected files/folders? Or is the worm that good at hiding itself?

Your help would be greatly appreciated.
Bart

sir_carew
May 6th, 2008, 12:36 AM
If IMON detected the malware your PC is clean. It'll terminate the connection with that site so you can't get infected.

Kosak
May 7th, 2008, 09:31 AM
{QUOTE-> This Computer may be infected (I think) with a variant of the WIN2K (000000000) worm. Please check with the NOD32 system and that the system has the latest updates. Action: The connection to the internet has been terminated. <-QUOTE}
Hi, it looks like a fake alert from a fake application. I have never seen the name WIN2K from ESET, nor this announcement from NOD32 v2. I recommend performing a full scan with the on-demand scanner and any other online scanner (e.g. KAV).

duijv023
May 7th, 2008, 03:23 PM
{QUOTE-> If IMON detected the malware your PC is clean. It'll terminate the connection with that site so you can't get infected. <-QUOTE}

That is true, but only when IMON is set to drop the connection (one of the basic questions during setup). It may be configured to ask a question, as far as I know. So there might be a little risk that this PC is infected.

Perhaps you can try the sysinspector to have a second opinion, but you will need to know something about it.

Otherwise, boot into safe mode and run a full system scan.

Greetings from a warm Holland