Computer Security & Viruses/Every time I turn on my laptop a trojan...
Expert: Lorry - 3/9/2008
Question
I bought a Lenovo laptop in China last year (I live in China) and after using Internet Explorer 6.0 for a couple of weeks I was suddenly surfing at an unbearably slow speed. I downloaded AVG’s free antivirus edition and Spybot-SD Resident and ran a full search. I was surprised to find all sorts of red-highlighted items in the results, and proceeded to erase them. Ever since then, however, whenever I turn on the laptop I have to run a virus scan with AVG in certain folders, because every time I turn it off or restart it, the same trojans appear in the same spot. I always delete them prior to opening Firefox (I left Internet Explorer, and was planning on leaving Windows altogether, but I haven’t gathered the courage to make the move to a Linux-based OS while living in China).
The path I need to search is: Local Settings\Temp, and the two files I find are SHQ.DLL (according to AVG “Trojan horse PSW.OnlineGames.VXA”) and SHQMANGR.DLL (“Trojan horse PSW.OnlineGames.MMD”). When I do the search, four changes also appear in the following items (they all report “Result: Change” and “Status: Changed”): WINDOWS\system32\kernel32.dll, WINDOWS\system32\user32.dll, WINDOWS\system32\shell32.dll, WINDOWS\system32\ntoskrnl.exe and WINDOWS\system32\drivers\etc\hosts.
I must also point out that if I do decide to surf without deleting these trojans first, after I do not know how much time, I have to search in WINDOWS\system32 for two other nuisances (I do not remember their exact names, but they are very similar to the other two, if not identical).
I do not download music or practically anything, and don’t go into strange or unsafe sites (to my knowledge) or any Chinese sites. My computer is on a local connection, with two other computers (two Chinese guys, one of which plays online and downloads a lot of stuff, I guess, as is normal here), yet I have Windows firewall.
Thank you for reading.
Fernando
Answer
Hi Fernando,
Not knowing which viruses are on the computer, using Internet Explorer, go to:
http://security.symantec.com/sscv6/default.asp?langid=ie&venid=sym
Click the GO button, then under Virus Detection, click Start. You might be told that you need to download and install ActiveX Controls for the scan to work; answer Yes.
Write down exactly anything it finds, then go to:
http://www.symantec.com/search/ and do a search for what was found. Symantec usually has a removal tool and/or directions for removing manually. Make sure that you follow the instructions for removal, step by step, especially the part regarding disabling System Restore.
Before running Spybot, make sure you check for updates before running a scan. As it is a free program, you have to do it manually.
You might want to use the free version of Zone Alarm instead of the Windows firewall. Check it out at:
http://www.download.com/ZoneAlarm-Firewall-Windows-2000-XP-/3000-10435_4-1003988...
Once you remove the viruses, after you disable System Restore, make sure you enable it afterwards.
Since you have AVG installed, make sure you update it once a week and run a virus scan afterwards.
Hope this helps!
Lorry