[ 24 posts ]
 Post subject: AntiSpyware XP 2010
PostPosted: 09 Mar 2010, 23:44 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
FS Record: TFC 2008 T20 winner, MOTW: 2010 Wk21, 2011 Wk11; TFF MOTW 2011 Wk31&33, 2010 Wk17&22, 2008 Wks19&31; EggCup Div 1 Champion 06/07
MrsJ keeps getting infected by this horrible piece of malware! :evil:

Whilst I know how to get shot of it, it's time-consuming and of course relies on my being around!
What I'm wondering is why it picks on her Netbook and not my PC?

We connect to the net via a modem/router with a built in firewall - because of this I don't bother with a software firewall on the Netbook. I have now enabled the Windows Firewall, but I'm not confident this will keep the said malware at bay?

I have Spyware Doctor installed on my PC and the licence allows installation on up to three computers. Is it worth putting this on the Netbook as well? I haven't as yet as I find it uses quite a lot of system resource.

What would anyone suggest in order to keep this odious program away from the Netbook?
Why doesn't AVG 8.0 Free keep it away? How does it get past the router's firewall?

Cheers!


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 09 Mar 2010, 23:54 
FISO Knight
Joined: Thu Oct 13 2005
Posts: 16722
Location: moving into fisodas towers
Jester wrote:
MrsJ keeps getting infected by this horrible piece of malware! :evil:
Whilst I know how to get shot of it,

do share as I think that may be what's effing up my PC at the mo...


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 10:37 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
This link has a removal tool to download, worth a try.

It also references some rogue processes & registry keys that may need some attention. The user comments at the bottom may come in useful too for further things to try.

I've not tackled this yet so have no ready-made solution, but it does seem to involve stopping this av.exe process regenerating itself.

Nothing is mentioned about the Run or RunOnce keys relating to start-up processes, so I wonder if they are worth looking at too. A HijackThis scan would help with that.

Other than that - is the Anti-Virus on her machine AVG? Yours too Barrington?


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 10:48 
Grumpy Old Web Guru
Joined: Wed Jul 29 2009
Posts: 4878
Location: julianandsarah.com/dreamteam
FS Record: In profit by a respectable margin :-)
I have experience of dealing with this little blighter and I have to say it's a b*tch to get rid of. Somehow it kept planting a file in the C:\Windows\Prefetch\ folder that kept it coming back after Anti-Virus sweeps had gotten rid of the infected file/s it had generated (my dad had 142 files with the same virus in them!). I had to do a combination of things to clear it but it took a good 5/6 hours of faffing, so the easiest thing would have been to wipe the drive and reinstall Windows. My dad now keeps all of his photos and letters and stuff on an external hard drive so that it's easier to clean out his C:\ drive when he inevitably installs another virus (no idea how he manages it with all the anti-virus stuff I give him!)


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 11:20 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
Same here Jules, my paw seems to do the impossible too so I store their valuables on a secondary HDD.

Could always disable the Prefetch folder but then that will increase prog loading times, so that's a catch-22 which may be worth doing.

Try that link anyway Jester/Barry, you never know your luck. If you wanna know how to disable/enable Prefetch it's a trip into the registry which I can do remotely for you or give instructions.

But you might have to be ready to reinstall Windows if, as Jules says, it's the most pain-free way.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 11:29 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
barry wrote:
Jester wrote:
MrsJ keeps getting infected by this horrible piece of malware! :evil:
Whilst I know how to get shot of it,

do share as I think that may be what's effing up my PC at the mo...

Malware Bytes does a good job.
Only thing is, if you're already infected the virus won't let it run (clever git! :x ).
One way is to uninstall/reinstall MB, update and scan. That all takes time though.
Slightly quicker, if MB is already installed, is to rename the "MB".exe (not sure of the exact name, but it's the only .exe in the folder) file to "MB".com - then run the quick (ha ha) scan. Takes about 30 mins on MrsJ's Netbook. That gets rid of the little bugger, although I'm not certain whether or not there may be a trace file left which is how it manages to come back.
I will maybe take a look at the prefetch thing when I get home tonight.
Also, SuperAntiSpyware is supposed to clean very deep - might be worth giving that a go after the original clean using MB?

Good luck!


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 11:34 
Grumpy Old Man
Joined: Thu Oct 13 2005
Posts: 2646
Would you be able to put avast on your netbook?


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 12:29 
Grumpy Old Man
Joined: Thu Nov 10 2005
Posts: 1424
Location: Southwest
FS Record: Was Improving
Jester, I suspect you are not fully removing the malware or MrsJ is re-visiting the website that installs it.

From a quick scan of the web for removal of this spyware, it would appear a lot of people have to run MalwareBytes in safe mode to help removal of this software and then find pointers in the registry. It would appear to install files outside its own install directory that may put the thing back on your PC/Netbook on restart.

Do you keep the AVG virus database files up to date - if AVG is missing it, you should be able to block any executable by adding manual entries to a "block list", but as I don't run AVG 8.0, you'll have to rely on someone else to point out how to configure this.

It may be worth posting a HijackThis report on here for some of us techies to review. I suspect there are registry entries that re-start it.

Whenever cleaning out virus infections, I always clear the prefetch folder, temporary directories and temporary internet folders as it may still be lurking there.

A temporary fix to help identify when the thing is coming back is to go through your removal and take note of the install directory name and executable. After removal, create your own directory of the same name and create a blank text file in the directory - rename this to match the executable name and then remove all security privileges from this directory and exe file so it can't be deleted, replaced or renamed, thus causing a problem for the virus to re-install itself. I've had to do this in the past to track down when a virus was re-infecting a PC, which turned out to be a hidden service.
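The "decoy file with its permissions stripped" tripwire described in the post above, scripted. This is an added example and not something anyone in the thread posted; it assumes a current Windows PowerShell (5.1 or later) running elevated on an NTFS volume, and the folder and file name in `$DecoyDir`/`$DecoyExe` are placeholders (the thread only names av.exe, not where it lives). Rather than removing every permission (which would also stop you listing or inspecting the decoy), it adds an explicit Deny for Everyone on delete, write, rename and permission changes, which Windows evaluates before any inherited Allow, so even an elevated shell is refused. The account that planted the decoy remains its owner and so keeps the implicit right to change the ACL again, which is what `Unprotect-Decoy` relies on.

```powershell
# Added example (not from the thread): the "placeholder" tripwire described above, scripted.
# Run from an elevated Windows PowerShell 5.1+ prompt on an NTFS volume.
# $DecoyDir and $DecoyExe are placeholders for the directory and executable name you noted
# during removal; the thread only names av.exe, not its folder.
param(
    [string]$DecoyDir = 'C:\PLACEHOLDER-malware-folder',
    [string]$DecoyExe = 'av.exe'
)

$decoyPath = Join-Path $DecoyDir $DecoyExe

# Rights to deny. TakeOwnership is included so an ordinary user cannot simply reclaim the
# object; an account holding SeTakeOwnershipPrivilege (Administrators) or code running as
# SYSTEM still can, so this is a tripwire against user-level re-installation, not a wall.
$fileDeny = [System.Security.AccessControl.FileSystemRights]'Delete, Write, ChangePermissions, TakeOwnership'
$dirDeny  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write, ChangePermissions, TakeOwnership'

function Protect-Decoy {
    # Refuse to run over a real file: a non-empty av.exe means the machine is still infected.
    if ((Test-Path $decoyPath) -and (Get-Item $decoyPath).Length -gt 0) {
        throw "$decoyPath exists and is not empty - finish the removal before planting a decoy."
    }
    New-Item -ItemType Directory -Path $DecoyDir -Force | Out-Null
    New-Item -ItemType File      -Path $decoyPath -Force | Out-Null

    foreach ($entry in @(@{ Path = $DecoyDir; Rights = $dirDeny }, @{ Path = $decoyPath; Rights = $fileDeny })) {
        $acl  = Get-Acl -Path $entry.Path
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                    'Everyone',
                    $entry.Rights,
                    [System.Security.AccessControl.InheritanceFlags]::None,
                    [System.Security.AccessControl.PropagationFlags]::None,
                    [System.Security.AccessControl.AccessControlType]::Deny)
        $acl.AddAccessRule($rule)   # an explicit Deny is evaluated before any inherited Allow
        Set-Acl -Path $entry.Path -AclObject $acl
    }
}

function Test-Decoy {
    # $true while the empty decoy is still in place and still carries the Deny entry.
    if (-not (Test-Path $decoyPath)) { return $false }
    $item = Get-Item $decoyPath
    $deny = (Get-Acl $decoyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' }
    return ($item.Length -eq 0 -and $null -ne $deny)
}

function Unprotect-Decoy {
    # The owner keeps implicit WRITE_DAC, so the account that planted the decoy can lift the Deny.
    foreach ($path in @($decoyPath, $DecoyDir)) {
        $acl = Get-Acl -Path $path
        foreach ($r in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
            $acl.RemoveAccessRule($r) | Out-Null
        }
        Set-Acl -Path $path -AclObject $acl
    }
    Remove-Item -Path $DecoyDir -Recurse -Force
}

Protect-Decoy
"Decoy in place: $(Test-Decoy)"
# Proof the lock holds: even this elevated shell is refused when it tries to delete the decoy.
try { Remove-Item $decoyPath -ErrorAction Stop } catch { "Delete refused as intended: $($_.Exception.Message)" }
# Later, once the tripwire has told you what keeps coming back:  Unprotect-Decoy
```

Two caveats the post's own wording hides: Windows XP Home with Simple File Sharing hides the Security tab (the cmdlets above still work), and a FAT32 volume has no ACLs at all, so there the decoy is only a placeholder, not a lock. Anything running as SYSTEM, such as the hidden service the post mentions, can take ownership and delete it; the value of the trick is that the failed attempt gets you a timestamp and, with file-system auditing enabled, the name of the process that tried.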


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 13:00 
FISO Knight
Joined: Thu Oct 13 2005
Posts: 12238
Location: hanging around the mod's forum
FS Record: Brassic Cup Winner 2011/12, Prediction Cup Winner 2011/12
This is the malware that caused my partner's daughter's netbook problem (netbook-problem-t71535.html). Used Superantispyware to remove 12 trojans/viruses and PC Guard (free version of Kaspersky that comes with Virgin Media) picked up another after the event :roll:

No success in fixing rundll32.exe that was taken out as part of the removal process so far :( thinking of trying a networked repair of XP next and if that doesn't get it running again I'll do a full reinstall.

It would appear it was picked up by allowing an alleged video codec to install to enable viewing of music videos. Looking at the internet browser history there were several instances of 2 page visits to porn sites that I'm assured weren't visited/ viewed deliberately and as it's only 2 pages/ site I've no reason to disbelieve her (if I stumble across a porn site I definitely look at more than 2 pages!).


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 13:10 
Grumpy Old Man
Joined: Thu Oct 13 2005
Posts: 4457
Location: looking oot at the rain
I think it's worth pointing out that giving remote access to your PC to someone you have known only through an internet forum is not really a good idea and that anyone responding to offers of remote help on an internet forum should think seriously before agreeing.
Also I don't think it's a good idea to offer to help someone via remote access on an internet forum, but maybe that's just me. A naive person may well put trust in a person making such an offer on FISO (by virtue of the good reputation of FISO as opposed to the reputation of the person offering help) and, being naive, may then be offered a similar service in another forum and think that if FISO allows such behaviour it's probably OK.
All in all I think it's worth noting that you just don't know the trustworthiness (or lack thereof) of the person requesting remote access to your computer, regardless of the forum you are on. If you wouldn't give the person your bank details don't give them remote access to your PC either.
Oh, and don't give total strangers your bank details either.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 21:19 
FISO Knight
Joined: Thu Oct 13 2005
Posts: 16722
Location: moving into fisodas towers
MarquisMark wrote:
is the Anti-Virus on her machine AVG? Yours too Barrington?

yip AVG for me.

I DL Malwarebytes and that picked up a few problems and seems to have cleared things, but PC is hellishly slow still, going to try your link (STOPzilla)


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 21:30 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
Sorbie's right, be wary who you give remote desktop access to. Especially when it's me :?

Fortunately it's one of the services I offer as part of my business and a few FISOers have already been suckered into it, and so they are beyond saving 8-)

Barry, you wanna send me a HJT scan? See what running processes we can look at. Also, check how much RAM you have (right click my computer > properties). Should be able to speed up the puter


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 22:07 
Grumpy Old Man
Joined: Thu Oct 13 2005
Posts: 1687
Jester wrote:
We connect to the net via a modem/router with a built in firewall - because of this I don't bother with a software firewall on the Netbook. I have now enabled the Windows Firewall


Windows Firewall (and a typical home router firewall) will only monitor and filter incoming connections; a proper software firewall will monitor both incoming and outgoing traffic - this helps alert you if a rogue application or process tries to make contact with the outside world once it's already sitting in your PC (which a lot of spyware does).

Also, check to see if the antivirus / anti-malware progs you use have an option to do a boot time scan (avast has this facility) - this will scan before Windows and any other processes have a chance to load so may have a better chance of detection.
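The inbound-only point above, shown on the firewall that ships with a current Windows (8/10/11 with the NetSecurity module). This is an added example, not something from the thread; the XP-era Windows Firewall the poster is talking about has no outbound filtering at all, so on XP the "proper software firewall" really was the only option. It assumes an elevated PowerShell, and the allow-listed program paths are examples to be replaced with the applications actually in use. Out of the box every profile is inbound Block / outbound Allow; the script flips outbound to default-deny, turns on auditing of dropped connections so the Security log records the executable path, allow-lists a couple of programs, and then summarises which executables were refused and where they were trying to go.

```powershell
# Added example (not from the thread). Inbound-only vs. outbound filtering on a current Windows
# (8/10/11 with the NetSecurity module); XP's built-in firewall has no outbound filtering, which
# is the gap the post describes. Run from an elevated PowerShell.
# The allow-listed program paths are examples; substitute the applications you actually use.

# 1. Inspect the defaults. Every profile normally reports DefaultInboundAction=Block and
#    DefaultOutboundAction=Allow, i.e. exactly "only monitors and filters incoming connections".
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Make outbound default-deny on all profiles, and audit blocked connections so a process
#    phoning home is recorded with its executable path instead of silently succeeding.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable | Out-Null

# 3. Allow only the programs that should be talking out; everything else is now dropped.
$allowedOut = @{
    'Allow out - browser'        = 'C:\Program Files\Mozilla Firefox\firefox.exe'  # example path
    'Allow out - Windows Update' = '%SystemRoot%\System32\svchost.exe'              # coarse: svchost hosts many services
}
foreach ($name in $allowedOut.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $allowedOut[$name] -Profile Any | Out-Null
    }
}

# 4. Triage: which executables were refused an outbound connection, and to where.
#    Event 5157 ("The Windows Filtering Platform has blocked a connection") is what the audit
#    setting in step 2 produces; the application path is reported in \device\harddiskvolumeN form.
function Get-EventField([string]$Text, [string]$Label) {
    if ($Text -match "(?m)^\s*$([regex]::Escape($Label)):\s*(.+?)\s*$") { return $Matches[1] }
    return $null
}

function Get-BlockedOutbound {
    param([int]$Newest = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents $Newest -ErrorAction SilentlyContinue |
        ForEach-Object {
            $m = $_.Message
            if ((Get-EventField $m 'Direction') -eq 'Outbound') {
                [pscustomobject]@{
                    Time = $_.TimeCreated
                    App  = Get-EventField $m 'Application Name'
                    Dest = "$(Get-EventField $m 'Destination Address'):$(Get-EventField $m 'Destination Port')"
                }
            }
        } |
        Group-Object App, Dest |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'App / Destination'; e = { $_.Name } }
}

Get-BlockedOutbound | Format-Table -AutoSize
```

Unlike the ZoneAlarm-style prompt mentioned later in the thread, this blocks silently and logs; the table from `Get-BlockedOutbound` is where an unexpected executable shows up, and a legitimate program that stops working simply needs its own `New-NetFirewallRule` line. Scope the svchost rule down if you can (the `-Service` parameter exists for that), because allowing svchost wholesale allows every service it hosts.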


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 22:13 
FISO Knight
Joined: Thu Oct 13 2005
Posts: 16722
Location: moving into fisodas towers
MarquisMark wrote:
Also, check how much RAM you have (right click my computer > properties). Should be able to speed up the puter

:?

how can I right click your computer? :?

:wink: :lol:

will do a hjt later mate, cheers.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 10 Mar 2010, 22:27 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
barry wrote:
MarquisMark wrote:
Also, check how much RAM you have (right click my computer > properties). Should be able to speed up the puter

:?

how can I right click your computer? :?

:wink: :lol:

will do a hjt later mate, cheers.


don't you play dumb with me B :wink: Right click My Computer select Properties, in the popup box wait a second or two (espesh if your machine is slow) and some info will appear, including how much RAM you have.

But you knew that already 8-) Got your HJ scan, will look at it now.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 00:03 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
Barry - You hijacking my thread...?!!! :evil:

:wink: :wink:

Just about to run all the anti-spyware, registry cleaning, virus zapping software I have - if I'm not on for a day or two you know something went wrong..... :lol:


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 11:54 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
Still here! :D

MM - I went through the manual removal procedure on the link you posted and none of the files it says to remove were there (MalwareBytes did a good job?).

I think MrsJ must be getting the virus from a specific site, as there was around a week between infections. If there were files remaining on the Netbook after removal, it would appear again either straight away or at the next start-up wouldn't it?

If it is a specific site that's to blame, why doesn't AVG stop it?
What should I install to her Netbook that will stop it?
As I said previously, I have Spyware Doctor running on my desktop and have never been affected, but then neither have I seen a notification that it's been found. Should I have if it's tried to get me?
I don't go to the same dodgy sites as the missus though, so probably won't have been at risk (my dodgy sites are completely different ones!!)
I'm reluctant to install Spyware Doctor if it's not going to stop the little bugger anyway as it slows down start-up etc on my machine.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 12:32 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
Gawd knows J, does sound like a site is responsible. Quite why it's getting around AVG I dunno.

If, as I've read so far, it's this av.exe that's the issue, then if your missus's puter is infected you should see that in Task Manager > Processes.

If your missus's puter is temporarily clean until her next infection, then av.exe shouldn't be there. Simples :shock: I do agree that it should pop up earlier if it's not been removed (computers don't always play by the rules tho :lol: )

So in that case I would suggest trying to catch that site the moment it occurs, maybe install zone alarm for a week, as that squeals on everything - so hopefully when av.exe tries to enter you'll get a notification asking for you to allow it. Obviously that would mean she spends the rest of the week getting bugged by ZA for other safe sites/progs, but could be worth it just to catch the rogue site.

Also, maybe a more painfree way - try a browser switch? Is she using IE at the mo? Put her on Firefox, or if she's on FF - try Chrome. See if the security settings of a different browser bounce it off.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 14:25 
Grumpy Old Man
Joined: Thu Nov 10 2005
Posts: 1424
Location: Southwest
FS Record: Was Improving
You could also make sure you have the latest Microsoft updates applied to your netbook, make sure you are on the latest version of AVG free and if you still get the virus, report it to Grisoft at virus@avg.com, although you may need to track down where it is coming from first.

Another safeguard would be to create a standard user account for MrsJ to login to when surfing the internet. Without all powerful Administrator security rights it would be harder for the virus to install itself.

Jester, do you know about the Windows registry and how to search all keys, data and values for av.exe? If a search comes up with "not found", MalwareBytes is doing a good job. If you find any, list them on here for advice on removal/correction. Don't make changes to the registry unless you know what you are doing.
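The checks the thread has asked for so far, gathered into one read-only triage script: the Task Manager look for a running av.exe, the Run/RunOnce keys MarquisMark wondered about, the registry search for av.exe requested just above, and the Prefetch folder that several posters clear. This is an added example, not code anyone in the thread posted; it assumes Windows PowerShell 5.1 or later, and `$Needle` defaults to the av.exe name from the thread. It only reads and reports, which fits the advice not to touch the registry unless you know what you're doing: post the output for review, then remove things deliberately. It also checks the `.exe` file association, because a hijacked "open" command for `.exe` files is the usual reason a scanner refuses to launch until it is renamed to `.com`, the trick Jester describes earlier in the thread.

```powershell
# Added example (not from the thread): read-only triage of the places a rogue like this usually
# anchors itself. Nothing is deleted or changed; review the output, then post it for advice.
# Assumes Windows PowerShell 5.1+. $Needle is the executable name from the thread; substitute
# whatever you saw during removal.
param([string]$Needle = 'av.exe')

$stem = [IO.Path]::GetFileNameWithoutExtension($Needle)

# 1. Is it running right now? (The Task Manager > Processes check from the thread, scripted.)
function Get-SuspectProcess {
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -ieq $stem } |
        Select-Object Id, ProcessName, Path, StartTime
}

# 2. Autostart locations: Run/RunOnce in both hives, plus the Winlogon Shell/Userinit values,
#    which rogue "antivirus" programs commonly rewrite so they start before the desktop.
function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath etc.
            [pscustomobject]@{ Location = $key; Name = $p.Name; Data = [string]$p.Value }
        }
    }
    # Expected on a clean machine: Shell = explorer.exe and Userinit = <windir>\system32\userinit.exe,
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        [pscustomobject]@{ Location = 'Winlogon'; Name = $n; Data = [string]$winlogon.$n }
    }
}

# 3. The .exe file association. The rename-to-.com trick works because a hijacked "open" command
#    for .exe files routes every launch through the rogue; the clean value is "%1" %*
function Get-ExeAssociation {
    (Get-ItemProperty 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command').'(default)'
}

# 4. Search key names, value names and value data for the needle (the "search all keys, data
#    and values" step from the post). HKLM\SOFTWARE can take a minute or two.
function Find-RegistryString {
    param([string]$Pattern,
          [string[]]$Roots = @('HKCU:\Software', 'HKLM:\Software', 'Registry::HKEY_CLASSES_ROOT'))
    $rx = [regex]::Escape($Pattern)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $rx) {
                [pscustomobject]@{ Key = $key.Name; Name = '(key name)'; Data = '' }
            }
            try {
                foreach ($vn in $key.GetValueNames()) {
                    $data = [string]$key.GetValue($vn)
                    if ($vn -match $rx -or $data -match $rx) {
                        [pscustomobject]@{ Key = $key.Name; Name = $vn; Data = $data }
                    }
                }
            } catch { }   # keys we are not allowed to read are skipped, not fatal
        }
    }
}

# 5. Prefetch residue: Windows names these <EXE>-<hash>.pf, so a leftover is easy to spot.
function Get-PrefetchResidue {
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter "$Needle-*.pf" -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
}

"== Running process ==";           Get-SuspectProcess   | Format-Table -AutoSize
"== Autostart entries ==";         Get-AutostartEntries | Format-Table -AutoSize -Wrap
"== .exe open command ==";         Get-ExeAssociation
"== Registry hits for $Needle =="; Find-RegistryString -Pattern $Needle | Format-Table -AutoSize -Wrap
"== Prefetch residue ==";          Get-PrefetchResidue  | Format-Table -AutoSize
```

Read the output the way a HijackThis log would be read: Run entries pointing at a path in a user profile or a random-looking folder, a Winlogon Shell that is not `explorer.exe`, or an exefile command that is not `"%1" %*` are the lines to post for advice. If the machine is supposed to be clean and the last three sections come back empty while the infection still returns a week later, that supports the theory in the thread that it is being picked up afresh from a site rather than surviving on disk.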


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 15:48 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
I tried to search the browser history as the virus appeared near as dammit to 9pm on Tuesday, but there's too much to rummage through.... Using ZA for a short while is perhaps a good idea though - swore I'd never go near it again but maybe as long as it's temporary?!

No sign of av.exe anywhere. I ran registry cleaner and looked in the places that Mark's link suggested, but other than that have not delved into the registry.

MrsJ is running IE8, but curiously when I ran SuperAntiSpyware this morning, the majority of the tracking cookies it found related to Firefox - and that's not even installed on the Netbook (as far as I know anyway....?)

I'm back at work now, so can't try anything else until the morning.

Cheers for the suggestions btw - I'm sure one or other will work, sooner or later!!

For now however, there is no sign of the virus on her puter! :D


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 17:14 
Grumpy Old Man
Joined: Sat Nov 07 2009
Posts: 1966
Location: Fading from the Premiership race :(
Coolio. To be fair J I'd just use Chrome anyway as your main browser. Have all 3 installed but use Chrome - much faster & thus far threat-free.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 21:45 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
Afraid I'm a rather dyed-in-the-wool IE man.
I tried Firefox and Chrome, but didn't think either were quite as user friendly as Internet Explorer.

Why is it that other browsers would give protection anyway? I thought viruses attacked various parts of your system not connected with IE.

Have to say however, that I've never got on with IE8 as well as I did with IE7 (plus IE7 Pro add-on).

No-one has said whether I should put Spyware Doctor on the Netbook btw - could it help or is it more trouble than it's worth?


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 22:00 
Grumpy Old Man
Joined: Thu Nov 10 2005
Posts: 1424
Location: Southwest
FS Record: Was Improving
In short, yes, put it on there. You've been hit twice so far, so run it on your netbook for a while until you're confident the malware is not returning; you can always remove it if it is impacting the performance of the machine badly.


 Post subject: Re: AntiSpyware XP 2010
PostPosted: 11 Mar 2010, 23:08 
Sir Jesterlot
Joined: Thu Oct 13 2005
Posts: 16478
Location: FISODAS Retirement Home
Good point - that's what I do on my desktop after all, just start it up to run a scan every once in a while.

I'll pop it on tonight - if I can get the machine away from the missus!! :lol:

