I got home from work and my husband informed me that his PC (with XP Pro) has another bug. (This from the man who swears he doesn't need anti-virus or any other kind of protection because his PC never gets infected -- this is the second time in two months. =P) He does not know if Windows Firewall was enabled before he noticed the problem.
Booting his PC up, Windows XP Pro loads normally, but then there is an error message stating:
ViewMgr has encountered a problem and needs to close.
Error signature:
szAppName: Viewpoint Service.exe
szAppVer: 126.96.36.199
szModName: Viewpoint Service.exe
szModVer: 188.8.131.52
offset: 00002250
Then shortly after that appeared, a "Security Center Alert" popped up saying:
To help protect your computer, Windows Firewall has blocked activity of harmful software. Do you want to block this suspicious software?
Name: Win32.Netsky.Q
Risk level: High
Description: Netsky.Q is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Keep Blocking [was grayed out]
Unblock [also grayed out]
Enable Protection [not grayed out]
Windows Firewall has detected unauthorized activity, but unfortunately it cannot help you to remove viruses, keyloggers and other spyware threats that steal your personal information from your computer.
[link-->]Click to download and activate protection.
My husband says that he did click on the link that said "Click to download and activate protection". He said that when he did so, a window popped up to download some sort of antivirus software. He did not go further than that.
Opening an Internet Explorer window shows the following:
Insecure Browsing
Navigation on hold
Insecure internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes. Also insecure internet activity can result in revealing your personal information. To get full advanced real-time protection for PC and internet activity, register your antivirus software. We recommend you to protect your PC now and continue safe internet browsing.
[link]Click here to get full advanced real-time protection and continue browsing.
[link]Continue to this website unprotected (not recommended).
When he chose "Continue to this website unprotected", put www.google.com in the address bar, and did a web search, a new window popped up saying something about "Monster..." something or other. (I didn't want to repeat them myself.) No other addresses he tried in the address bar worked.
He did already have AdAware installed on his computer (left over from the last time I had to bail him out of such trouble), but it would not update.
I downloaded the latest version of AVG free antivirus on my own PC, burned it to a CD, and installed it on his PC. It also would not update. I was able to run AVG in safe mode (it ran command line). There were many, many files that were "file locked not scanned".
The report only showed that one PUP was found and cleaned.
Spybot would not update either.
What should I try next?
Thanks a bunch!
I should add that the only reason I did not include any screen shots or copy of the AVG scan report is I'm not sure if it would be risky to plug my USB drive into his PC (I don't want to lose or infect anything on that drive), or to then plug that USB drive into my (so far) healthy PC. Would this be safe to do?
Incidentally, my mother and daughter both described some similar windows (but possibly different names) on their work/school PCs in the past week. In their cases, the infection affected both IE and Firefox, but their McAfee got rid of the trojan (as far as they can tell).
Edited by capecodlynne, 15 December 2008 - 07:02 PM.