Virus or Trojan ?

NotquiteanooB

Senior member
Apr 14, 2005
362
0
71
I've been called by a friend who is using AVG (free) and Windows ME. She had some kind of virus or trojan that AVG has picked off and cleaned or Quarantined. Now she can no longer get out to the Net or OE for emailing. PC seems to run okay and everything onboard seems good according to her.
Does anyone know of any recent virus or Trojan that would have that kind of result when it was attacked? I wonder, when I try to help her this coming Sat., if I shut down System Restore and then go Safe Mode, will I be able to get out on the Net? She doesn't remember the name of what got found / deleted / quarantined.
Any suggestions? I did print out the Consolidated Malware Solution rev. 08 from Schadenfroh, and will try some of those suggestions, IF I can get to the internet.
Edit: She does have Spybot and Ad-aware installed, but are they up-to-date?? I wonder.
 

ArchAngel777

Diamond Member
Dec 24, 2000
5,223
61
91
Originally posted by: NotquiteanooB
Ideas ? Suggestions ? Anyone ...

Well, there are a lot of possibilities. But I can advise you to load up in Safe Mode + Networking. That way you would be able to access the internet. Nothing spurious can load in Safe Mode, at least, that has been my experience. So if it works fine in safe mode, you are going to have to look into better virus/spyware protection software. AVG does a great job, but it appears it isn't doing the right job in this situation.

Check the processes and match them up with known ones based on a Google search. Try and find the process/exe that is causing all of this and then do a web search and look for a known method to clean it up.

Good luck with it.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I'd suggest she scan with Microsoft AntiSpyware beta and the scanner described in this text file, and run WinsockFix. If she can't get to the Internet, then you may have to go over there yourself with the stuff on a CD or thumb drive.

If System Restore is still active, then you might have her try backing up a week in the System Restore, getting the MS Antispyware, etc. all downloaded, then restart in Safe Mode and attack again. The WinsockFix utility should restore browsing capability after the malware is ripped out.

edit: ooops, I just noticed it's Windows ME. Instead of Microsoft Antispyware, try a free 30-day trialware of Webroot Spysweeper.
 

NotquiteanooB

Thanks John and mechBgon; I use the TrendMicro on all my own PCs. I had her try a few things, but she still wasn't able to get to the net. I'll go visit tomorrow morning. I also found out she's doing renovations ... soooo maybe it's not a PC, but a wiring problem now !! Something I describe as an ID10T error. I'll take a spare working PC and see if I can get to the Net. That will at least prove the wiring.

News update at 6 pm tomorrow !!
 

NotquiteanooB

mechBgon: I notice WinsockFix says XP at the download site, but requires 98/ME/2000/XP etc. Is it gonna work on ME ??
 

NotquiteanooB

PC is fixed.
1. Rebooted, got error message re: "netbot.dll" missing. Checked Internet Options and home page had not been hijacked.
2. No apps could access internet.
3. Booted into 'safe mode'.
4. Still couldn't access Internet.
5. Ran AVG, Spybot, and Ad-aware without the most recent updates. Nothing was found.
6. AVG virus vault had about 20+ captured and quarantined viruses.
Last evening I had downloaded WinsockFix to a floppy.
7. Put the floppy into the drive; accessed it thru My Computer; opened and ran it.

mechBgon: WinsockFix works like a charm. It first recognizes the operating system on the PC. So it doesn't matter if it's 98, ME, 2K, or XP; it will work for them all. Then it analyzes the registry and looks for missing parts of Windows, fixes any problems and reports back that it has repaired problem(s).
8. Removed floppy and rebooted.
9. Came up with additional quickstart icons in taskbar. One of which was Zone Alarm.
10. Now could access the IE and OE etc. again.

When I asked about the Zone Alarm; she said that she had a popup that ZA had an update; so she updated .... got a warning from SpyBot ... and she thinks cancelled it.

I'm not really sure what happened, but I suspect either SpyBot shut down something in ZA, or the update got done but she did not go into programs and allow all the connections to 'trusted' or 'internet'. ZA has an emergency setting to block all traffic. I bet that got set somehow. Seems WinsockFix did something to fix or remove that blocking.

Thanks for the help all...
 

mechBgon

sweet :cool: Thanks for the info about WinsockFix working on WinME/98 :)