1 - 20 of 40 Posts

Registered · 237 Posts · Discussion Starter · #1
Hi folks it's me again. :D :D

This PC I'm currently working on is running WinME. The user said she received several emails in the past 2-3 days indicating she had the netsky virus. I explained that just because she had emails returning to her indicating her computer was infected didn't mean it WAS infected .. that it could be due to another infected computer with her email addy in it. She, however, had opened each and every email telling her she was infected and quite possibly is infected NOW. :eek: She says each time she boots up she has LOADS of errors. She has not been able to access either her CD-ROM drive nor her CDRW drive, nor has she been able to run many of her programs at all. :rolleyes:

When I boot her WinME pc up, I have to go through a multitude (the quantity of this error varies with each boot) of:
DVP for Windows 95: Virus detected:
C:\WINDOWS\SYSTEM\ various and sundry file names, could be infected with an unknown virus


Along with at least one:

Error Starting Program
A Required .DLL file, C:\PROGRAM FILES\TEXTBRIDGE CLASSIC\BIN\TBMENU.EXE, was not found.


I've had very little experience with WinME. Does it have system restore and would it be advisable for me to try to restore to a point prior to infection ... say ... April 1, 2004? Do I need to try to eliminate the virus(es) before restoring? Do I need to have her recycle this pc as a doorstop? :D :D

Any ideas/help would be greatly appreciated. :p
 

Registered · 237 Posts · Discussion Starter · #2
When I ran HJT on her pc and saved the log, I received a message stating:
NOTEPAD could be infected with a virus.

I put the diskette in my pc and ran Trend Micro's Housecall on it and it showed no virus. Is it safe to open on my pc so I can post a copy of her log here?
 

Registered · 237 Posts · Discussion Starter · #4
I tried to access System Restore through Start>Programs>Accessories>System Tools>System Restore and get the message:

System Restore cannot run until you restart the computer. Please restart the computer, and then run System Restore again.

I've restarted several times and get this same message each time I try to run System Restore. :(
 

Registered · 237 Posts · Discussion Starter · #5
Hi ya Dai! :) I'll download that tool now. I have the stinger tool as well. I don't have anything yet that is telling me exactly what virus she does have ... just her comment about the emails she has since deleted. Do you think this IS netsky virus?

Also, she has several things in her HJT that I believe are questionable. Do you think it's safe for me to open her log in my A drive since Housecall shows the file to be clean?
 

Registered · 11,310 Posts
It sounds like Restore is corrupted.
Try and delete the virus with the tool and then run the System File Checker.
 

Registered · 11,310 Posts
You will need to know what virus it is to d/l the tool.
Check the disk for virus with another online check (Panda has one) before opening it up.
 

Registered · 237 Posts · Discussion Starter · #8
Thanks Dai. :) I don't currently have access online with the infected pc. I'm running the fxnetsky removal tool now although I keep having to 'OK' the many DVP for Windows 95: Virus detected messages so the fix can continue running. I'll give you an update as soon as it's through.

The pc I'm working on isn't currently connected to the internet. She does have Command AntiVirus software installed, but she hasn't updated her DAT files in months, nor has she purchased any continuing updates.
 

Registered · 237 Posts · Discussion Starter · #9
The Fxnetsky tool has completed and says 'Netsky Virus was not found on this computer.'

I'm currently setting up Panda's online scanner to scan the disk in drive A so I can, hopefully, post the HJT log. :D
 

Registered · 237 Posts · Discussion Starter · #10
Ooooooook. :D Here's her HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 12:33:32 PM, on 4/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\WINUPD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\F-PROT95\CSS_1631.EXE
C:\PROGRAM FILES\COMMAND SOFTWARE\F-PROT95\DVPAPI9X.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRA~1\COMMAN~1\F-PROT95\DVP95.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\N-CASE\MSBB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSUPD.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEATHERCAST\WEATHER.EXE
C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
C:\PROGRAM FILES\NETSCAPE\NETSCAPE 6\NETSCP.EXE
C:\WINDOWS\SYSTEM\WINUPD.EXE
C:\PROGRAM FILES\SCREENART\WILLOWRD.EXE
C:\LOTUS\SMARTCTR\SMARTCTR.EXE
C:\LOTUS\SMARTCTR\SUITEST.EXE
C:\LOTUS\WORDPRO\LTSSTART.EXE
C:\LOTUS\REGISTER\REMIND32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cox-internet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_7.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [DVP95] C:\PROGRA~1\COMMAN~1\F-PROT95\DVP95.EXE
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\N-CASE\MSBB.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [pujevar] C:\WINDOWS\pujevar.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [CSS_Central] C:\PROGRA~1\COMMAN~1\F-PROT95\CSS_1631.EXE
O4 - HKLM\..\RunServices: [dvpapi9x] C:\PROGRA~1\COMMAN~1\F-PROT95\DVPAPI9X.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [WeatherCast] C:\PROGRA~1\WEATHE~1\Weather.exe /q
O4 - HKCU\..\Run: [Weather] C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape 6\Netscp.exe" -turbo
O4 - HKCU\..\Run: [SPYKILLER] C:\PROGRAM FILES\SPYWARE KILLER\SPYWAREKILLER.EXE /BOOT
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\SYSTEM\winupd.exe
O4 - Startup: F-AGENT 95.lnk = C:\Program Files\Command Software\F-PROT95\F-AGENT.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O4 - Startup: ScreenArt.lnk = C:\Program Files\ScreenArt\WillowRd.exe
O4 - Startup: Lotus SmartCenter 97.lnk = C:\lotus\smartctr\smartctr.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.compute-inc.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37872.7801736111
O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?rand=20034713
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccommon/download/tgctlcm.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
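The log above is what the thread's helpers read by eye. Below is an added example, not code from the original post and not part of HijackThis, of the same triage done programmatically: a small Python parser for HJT 1.97-style entry lines that flags the classes of entry this log contains. It flags R0/R1 browser settings whose host is outside an assumed trusted list (the owner's ISP start page cox-internet.com plus microsoft.com and msn.com), O4 autostarts running from C:\WINDOWS or C:\WINDOWS\SYSTEM whose filename is not one of the stock Windows ME autostart names visible in the log (scanregw.exe, taskmon.exe, systray.exe, mstask.exe, ssdpsrv.exe, stimon.exe, statemgr.exe, rundll32), unnamed O2 BHOs, and every O10 Winsock LSP hijack line. Both allow-lists and the sample log (a constructed subset of the posted one) are the example's own assumptions.

```python
"""Triage a HijackThis 1.97-style log for the entry classes discussed above.

Added example, not code from the original post or from HijackThis. The
allow-lists and the sample log below are the example's own assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: a subset of the posted log, same line format.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cox-internet.com/
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_22.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SysUpd] C:\WINDOWS\SYSUPD.EXE
O4 - HKLM\..\Run: [pujevar] C:\WINDOWS\pujevar.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [winupd.exe] C:\WINDOWS\SYSTEM\winupd.exe
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Assumption: hosts the owner of this machine expects in R0/R1 entries
# (her ISP's start page plus Microsoft's own search defaults).
TRUSTED_URL_SUFFIXES = ("cox-internet.com", "microsoft.com", "msn.com")

# Assumption: stock Windows ME autostart programs that legitimately live in
# C:\WINDOWS or C:\WINDOWS\SYSTEM (the ones visible in the posted log).
KNOWN_WINME_AUTOSTARTS = {
    "scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe", "rundll32",
    "mstask.exe", "ssdpsrv.exe", "stimon.exe", "statemgr.exe",
}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run\w*: \[[^\]]*\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^Startup: .+? = (?P<cmd>.+)$")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_exe(cmd):
    """Program path from a Run value: handles quoted paths and trailing switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def in_system_dir(path):
    """True for files directly in the Windows/System dirs, or bare names the loader resolves there."""
    p = path.lower()
    if "\\" not in p:
        return True
    return p.rsplit("\\", 1)[0] in SYSTEM_DIRS


def trusted_host(host):
    # Exact match or a proper subdomain; "evilmicrosoft.com" must not pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_URL_SUFFIXES)


def check_entry(sec, body):
    """Return a reason string if this entry deserves a look, else None."""
    if sec in ("R0", "R1"):
        value = body.partition(" = ")[2]
        host = urlparse(value.strip()).hostname or ""
        if host and not trusted_host(host):
            return f"browser setting points at untrusted host {host}"
    elif sec == "O2" and body.startswith("BHO: (no name)"):
        return "BHO with no name: identify the DLL before keeping it"
    elif sec == "O4":
        m = O4_RE.match(body) or STARTUP_RE.match(body)
        if m:
            exe = first_exe(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if in_system_dir(exe) and base not in KNOWN_WINME_AUTOSTARTS:
                return f"unknown autostart {base} in the Windows directory"
    elif sec == "O10":
        return "Winsock LSP chain hijacked: uninstall the provider, do not just delete its DLL"
    return None


def triage(log_text):
    """Parse every 'Rn - ' / 'On - ' entry line and collect the flagged ones, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            reason = check_entry(m.group("sec"), m.group("body"))
            if reason:
                findings.append(Finding(m.group("sec"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the full posted log this rule set would pull out SYSUPD.EXE, pujevar.exe and winupd.exe, the two findthewebsiteyouneed.com search entries, the unnamed BHOs (including the Yahoo Companion one, which is the cost of a name-only rule) and the five New.Net O10 lines, while staying silent on the Command AntiVirus, Adaptec, Lotus and weather entries that sit under Program Files. The location rule only says where a file lives, not what it is, so treat the output as a worklist to identify by hand, not a verdict.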
 

Registered · 237 Posts · Discussion Starter · #11
Am currently running the stinger removal tool which $teve had previously suggested to another user who possibly had netsky virus.

As soon as stinger started running it found numerous infections of W32/[email protected] and some W32/Bagle.gen

Results are:

Number of infected files 188
Number of files repaired 2
Number of files deleted 140

:eek: That means 46 files are still infected eh?

Help! :D :D
 

Registered · 237 Posts · Discussion Starter · #13
Personal Log, Stardate 0415.2004 :D :D :D

I've re-run stinger (because I was still getting all the 'virus' error messages after rebooting) and this time stinger's results were:

Number of infected files 92 (a lot of them were the same files shown as deleted the 1st time through)
Number of files repaired 1
Number of files deleted 20

That leaves 70 infected files this time through. :D

On the UP side, I have been able to get msconfig to run now. I've unchecked a lot of (I believe) unnecessary items. Now I'll reboot and try running stinger again. :D
 

Registered · 237 Posts · Discussion Starter · #14
Personal Log, Stardate 0415.2004 continued :p

Oh what a difference an interfering (and otherwise useless), obsolete, UNupdated (but STILL running!) antivirus software can be. :D :D

THIS time through the results were:

Number of infected files 122
Number of files repaired 276 (I'm still not sure how it's repairing more than it found :D )
Number of files deleted 3

and on the LAST run through with stinger ......

the ONLY place it found infected files (121 of them suckers now) and it could not repair them was in the .... you guessed it! ...

C:\RESTORE\TEMP\AR0000018.CPY - C:\RESTORE\TEMP\AR0000256.CPY

range. :D :D :D

I wonder, are these files part of the currently deactivated System Restore??

Hmmmmm I think I should boot to DOS (or in safe mode) and delete these little pests. :D
 

Registered · 11,310 Posts
Dump the Command a/v and put the free version of AVG a/v on.
They are probably in the restore.
Run the System File Checker and see if it will fix it so you can get into the restore to turn it off.
I have not used ME for years so I am very rusty on it.
 

Registered · 237 Posts · Discussion Starter · #18
she has (under start>program files>accessories>system tools>

character map
clipboard viewer
disk cleanup
disk defragmenter
drivespace
maintenance wizard
net watcher
resource meter
scan disk
scheduled tasks
system information
system monitor
system restore

but no file checker :( could it be a part of maintenance wizard?

oops gotta run pu kids, brb :D :D

thanks again for your help Dai! :)
 

Registered · 11,310 Posts
From MS (KB 265371):

1. Start your computer in Safe mode. To do this, restart your computer, press and hold down the CTRL key after your computer completes the Power On Self Test (POST), and then choose Safe Mode from the Startup menu.
2. Click Start, point to Programs, point to Accessories, point to System Tools, and then click System Information.
3. On the Tools menu, click System Configuration Utility to start the System Configuration Utility tool.
4. In the System Configuration Utility tool, click Extract File.
5. In the Extract one file from installation disk dialog box, type the name of the file that you want to extract, and then click Start.
6. In the Restore from box, type c:\windows\options\install or type the custom location of the installation files. NOTE: Use c:\windows\options\install if you installed a Windows Me retail product, or c:\windows\options\cabs if your computer manufacturer installed Windows Me.
7. In the Save file in box, type c:\.
8. Click OK to extract the file, and then click Yes to create a folder for the extracted file.
9. Drag the extracted file from the folder on drive C to the location of the file that you replaced, and then click Yes to overwrite the file.
10. Restart your computer.

If you extract a file directly to the destination folder to replace a file that is protected by the System File Protection feature, you may receive the following error message:

Extract File
The specified file is protected and may not be copied or deleted.

Some files are used in Safe mode and you cannot replace them while they are in use (such as the Wsock32.dll file). To replace these files, use the Extract command that is included on the Windows Me Startup disk. You can extract files directly to the destination folder when you start your computer with the Startup disk. The default source folder for Microsoft Windows installation files is the C:\Windows\Options\Install folder.

If you need to make a Startup disk to run Extract, use the following steps:
1. Click Start, point to Settings, and then click Control Panel.
2. In Control Panel, double-click Add/Remove Programs.
3. On the Startup Disk tab, click Create Disk.

For additional information about how to use the Extract tool, click the article number below to view the article in the Microsoft Knowledge Base:
129605 How to Extract Original Compressed Windows Files

Create a Manual Restore Point for System Restore
After you have extracted a file, create a manual restore point for System Restore so that the file you extracted is restored in case you use System Restore in the future. To create a manual Restore Point, follow these steps:
Click Create a restore point, and then click Next.
Enter the description of your Restore Point and then click Next to confirm the creation.
Click OK or Home.

For additional information about System Restore, click the article number below to view the article in the Microsoft Knowledge Base:
267951 Description of System Restore in Windows Millennium Edition

The information in this article applies to:
Microsoft Windows Millennium Edition
Last Reviewed: 7/6/2001 (1.0)
Keywords: kbFAQ kbinfo KB265371
 

Registered · 237 Posts · Discussion Starter · #20
Hi ya Dai :) Can these infected files be in System Restore while System Restore is off? I turned it off before running the fxnetsky and stinger, and have not yet turned it back on ....
 