Expert: Carolyn Meinel - 3/9/2008

Question
I bought a Lenovo laptop in China last year (I live in China) and after using Internet Explorer 6.0 for a couple of weeks I was suddenly surfing at an unbearably slow speed. I downloaded AVG’s free antivirus edition and Spybot-SD Resident and ran a full search. I was surprised to find all sorts of red-highlighted items in the results, and proceeded to erase them. Ever since then, however, whenever I turn on the laptop I have to run a virus scan with AVG in certain folders, because every time I turn it off or restart it, the same trojans appear in the same spot. I always delete them prior to opening Firefox (I left Internet Explorer, and was planning on leaving Windows altogether, but I haven’t gathered the courage to make the move to a Linux-based OS while living in China).

The path I need to search is: Local Settings\Temp, and the two files I find are SHQ.DLL (according to AVG “Trojan horse PSW.OnlineGames.VXA”)  and SHQMANGR.DLL (“Trojan horse PSW.OnlineGames.MMD”). When I do the search, four changes also appear in the following items (they all report “Result: Change” and “Status: Changed”): WINDOWS\system32\kernel32.dll, WINDOWS\system32\user32.dll, WINDOWS\system32\shell32.dll, WINDOWS\system32\ntoskrnl.exe and WINDOWS\system32\drivers\etc\hosts.

I must also point out that if I do decide to surf without deleting these trojans first, after I do not know how much time, I have to search in WINDOWS\system32 for two other nuisances (I do not remember their exact names, but they are very similar to the other two, if not identical).

I do not download music or practically anything, and don’t go into strange or unsafe sites (to my knowledge) or any Chinese sites. My computer is on a local connection, with two other computers (two Chinese guys, one of which plays online and downloads a lot of stuff, I guess, as is normal here), yet I have Windows firewall.

Thank you for reading.

Fernando


Answer
The fact that those files keep on showing up in \Temp means that AVG is failing to find the master files that keep on reloading those files into \Temp.

Here's what will almost certainly work.

1) Download F-Secure's Complete Internet security suite, which offers a free thirty day trial: https://store.f-secure.com/cgi-bin/dlreg/ml=EN?ID=FSISTB&desid=TRIAL

2) Disconnect from the Internet.

3) Uninstall your current antivirus. This is absolutely essential because otherwise it and F-Secure will fight each other and might crash your computer. It isn't good enough to just turn off your old antivirus because it probably has been crippled by your virus infection.

4) Install F-Secure. Download any updates available.

5) Run a complete scan of your computer. Follow any instructions F-Secure might give you.

6) Reboot.

If this works, you can either keep F-Secure or uninstall it and reinstall your old antivirus. But -- watch out. You get what you pay for, and AVG did exactly that for you already.