
quick question about AVG

Status
Not open for further replies.

ADoozer

Programmer
Dec 15, 2002
3,487
AU
Completely reinstalled a friend's PC and installed AVG Free Edition the other day (first time I've ever used this software).

Ran a scan and it found nothing.

I gave her the PC back and in 1 hour and 8 minutes she MSNed me telling me AVG had found a virus (it found a file winfix.exe).

Anyway, yesterday I re-ran a scan and it found nothing, except that in the list of files in the system32 folder some said "changed" instead of "ok" (most noticeably kernel32.dll).

Today she tells me the PC is running extremely slow and won't let her connect to the internet, and she's had several more AVG popups about viruses.

Anyway, the question: is "changed" bad? (She literally had the PC back 1 hour and 8 minutes and apparently received one file over MSN (a bitmap file).)

Thanks for any input.

If something's hard to do, it's not worth doing - Homer Simpson
 
Yes, if kernel32.dll changed, it means something installed that required root access and modified the kernel to do this.

Now don't freak out; hell, printer drivers do this.

But if she didn't knowingly install anything, it's possible she may have a rootkit installed on her system now.


Computer/Network Technician
CCNA
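The "changed" status ADoozer saw is a checksum mismatch: the scanner recorded a hash of each file on an earlier pass and the file no longer hashes to the same value. The script below is an added example of that baseline-and-compare logic, written for this thread; it is not AVG's code, and the function names and the constructed sample files (a fake system32 folder in a temporary directory) are assumptions for illustration.

```python
"""Baseline-and-compare file integrity check (added example, not AVG's code).

A "changed" verdict such as the one reported for kernel32.dll means the file's
hash differs from the one recorded on a previous scan. This script shows the
same idea: snapshot a directory tree, then diff a later snapshot against it.
Function names and sample files are assumptions made for this illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    result: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            rel = str(full.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as ok / changed / added / removed, lists sorted."""
    report: dict[str, list[str]] = {"ok": [], "changed": [], "added": [], "removed": []}
    for rel, digest in sorted(current.items()):
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    report["removed"] = sorted(set(baseline) - set(current))
    return report


def demo() -> dict[str, list[str]]:
    """Constructed sample: a fake system32 where one DLL is overwritten and one file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "kernel32.dll").write_bytes(b"MZ original kernel32")
        (root / "user32.dll").write_bytes(b"MZ original user32")
        baseline = snapshot(root)

        # Simulate what a later scan sees: one file replaced, one new file dropped in.
        (root / "kernel32.dll").write_bytes(b"MZ patched kernel32")
        (root / "winfix.exe").write_bytes(b"MZ something new")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status}: {paths}")
```

A mismatch on its own only says the bytes differ; Windows Update, service packs and driver installs legitimately replace system DLLs, which is the point made above. The useful follow-up is whether the new hash matches a known-good vendor build. Note also that a rootkit which hooks the file read path can hand the scanner the original bytes, which is why dedicated rootkit detectors compare the API view of the disk against a raw read rather than trusting a single hash pass.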
 
lloydsev: ah, that's good in some respects then; I had installed a printer, a webcam and BT broadband in between the scans.

carrr: yes, that's the file it mentioned on the virus alert. I vaulted it and checked for the mentioned registry entries, but they weren't there.

I'm not so worried about the slow running because I set AVG up to scan on load (which I've noticed is very resource intensive).

But the recurring virus alert worries me slightly (even though AVG catches it).

I will have another check tomorrow to make sure there are no more "changed" items.

Will also create user accounts for the family (which inevitably will result in "I can't install blah blah blah.exe... what's wrong?").

Thanks for the input, I'll keep the thread informed.

If something's hard to do, it's not worth doing - Homer Simpson
 
I have a few questions/comments...

1. Check AVG's configuration. Make sure you know what real-time scan options you have set.

2. In addition to an AVG scan, connect to Trend Micro's HouseCall and run a scan from there.

3. Get a firewall installed on her system (if one doesn't already exist).

4. Lastly, the slowdown could be due to non-virus malware. If you haven't already, download and run Microsoft's AntiSpyware beta and see what it picks up (I'd also recommend SpywareBlaster).

5. Make certain she knows to scan items (like .bmp files) prior to opening them on her system. If she is infected, it could be a problem of her not understanding how some items are coming across to her system.

By the sounds of what you've laid out, and I could be very wrong here, it seems as if she is exposed on several fronts for items to get a foothold on her system. Take some additional time to close up as many of the gaps as you can on her system.
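Item 5 above asks the user to scan every received file before opening it. A cheap check that needs no signature database, and that a helper script can do on her behalf, is whether the bytes inside a file match what its name claims: a Windows executable starts with "MZ", a bitmap with "BM", and a name like "photo.bmp.exe" hides its real extension behind Explorer's default of not showing known extensions. The thread does not say what the bitmap she received actually contained; the code below is an added example for this point, not something from the thread or from any of the tools named in it, and its sample files are constructed.

```python
"""Does a received file's content match its name? (added example, not from the thread)

Compares a file's leading bytes against the signature its extension implies,
and flags executables, including ones hidden behind a double extension.
Sample files are constructed for this illustration.
"""

# Leading-byte signatures for a few common image and executable formats.
MAGIC = {
    "bmp": [b"BM"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Extensions Windows will run directly when double-clicked.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js"}


def classify(filename: str, data: bytes) -> tuple[str, str]:
    """Return (verdict, reason): 'ok', 'mismatch', 'executable' or 'unknown'."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in EXECUTABLE_EXTS:
        # Double extensions like photo.jpg.exe are a classic disguise: Explorer
        # hides the last one by default, so the user sees "photo.jpg".
        if len(parts) > 2:
            return "executable", f"executable hidden behind double extension .{parts[-2]}.{ext}"
        return "executable", f"declared executable (.{ext})"

    if data.startswith(b"MZ"):
        # PE/DOS header under a non-executable name: the name is lying.
        return "mismatch", f"PE executable header but extension .{ext or '(none)'}"

    expected = MAGIC.get(ext)
    if expected is None:
        return "unknown", f"no signature rule for .{ext or '(none)'}"
    if any(data.startswith(sig) for sig in expected):
        return "ok", f"content matches .{ext}"
    return "mismatch", f"content does not match .{ext}"


# Constructed samples standing in for files received over MSN.
SAMPLES = {
    "holiday.bmp": b"BM" + b"\x00" * 30,          # real bitmap header
    "holiday2.bmp": b"MZ\x90\x00" + b"\x00" * 28,  # PE bytes behind an image name
    "photo.jpg.exe": b"MZ\x90\x00",                # double extension
    "notes.txt": b"hello",                         # no rule, left to the AV scan
}


def scan_all(samples: dict[str, bytes] = SAMPLES) -> dict[str, tuple[str, str]]:
    """Classify every sample; the caller decides what to quarantine."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_all().items():
        print(f"{name:15} {verdict:10} {reason}")
```

This is a sanity check, not a replacement for the AV scan: a file whose header genuinely is a bitmap can still carry malformed content aimed at a bug in the image parser, so "ok" here only means the name is not lying about the format.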
 
You can set up MSN Messenger to scan files when she receives them, before she opens them.

Computer/Network Technician
CCNA
 
aquias:
1) Not sure until I check tomorrow... but whatever it installs by default.

2) Yup, Trend Micro was run too (my favourite online scanner).

3) They have a copy of ZoneAlarm... but they don't know where the CDs are... again, will have to wait and see on that one.

4) Ran Ad-Aware SE, Spybot S&D, HijackThis, CWShredder.

5) No offence to her, but she's not the sharpest pencil in the box. I did tell her on several occasions to "right-click anything you download and click Scan with AVG".

I thought I'd covered most bases... obviously I didn't take into account the user.

lloydsev: will do that tomorrow.

Thanks again for the input.

If something's hard to do, it's not worth doing - Homer Simpson
 
In the interim, download the free version of ZA or enable the XP firewall to further protect her from herself. Also, I'd install and configure Microsoft's real-time scanner; it's pretty straightforward and not all that intimidating for them.
 
Update: well, I've run Spybot again and found 5 "problems"; Ad-Aware SE revealed a further 15. The rootkit finder found 67 discrepancies, all associated with pinball sound files. Not sure what to do about that.

AVG found nothing, but keeps popping up saying "the file you are trying to run had a virus" (same exe as mentioned above).

Something definitely isn't right. :s

If something's hard to do, it's not worth doing - Homer Simpson
 
Have you run Trend Micro's HouseCall? If not, try that and see if it's able to clean the virus off.
 
Update #2: finally connected to Trend Micro (had to use the old online scanner as I couldn't connect to the new one); it found a further 6 trojans and a few worms (that couldn't be cleaned or deleted).

Re-ran HijackThis, CWShredder, Spybot, Ad-Aware, AVG scan.

Rebooted... same problems.

Decided it would be quicker to nuke it and start again (and this time limited user accounts, AVG and ZoneAlarm).

Ugh, in future I'll stick to new builds and programming... I feel for you system admins!!

If something's hard to do, it's not worth doing - Homer Simpson
 