Is there some built-in MS anti-virus scanner, etc?

Y. Soserious

Inline:
mm said:
Is there some built-in MS anti-virus scanner, or something that gets
automatically downloaded on certain occasions?

YES, during the patch Tuesday updates. The malicious software removal tool.
It's a barebones thing that only looks for certain malware. Not nearly what
you need.

I'm sorry if part of this question is vague. My ex-gf was annoyed at
her computer and impatient with me and I got a description in dribs
and drabs, and incompletely.

She seems to have a virus. When she started winXPSP3, she got a green
shield and a message that she may have a virus, and it gave 4 or 5
suggestions of what to do. I don't know what the other suggestions
were. She chose to run some anti-virus that it suggested, and then
changed her mind and called me.

That was the virus.

The only anti-virus she has is AVG, and I suggested she do a full scan
with that, but it wouldn't start. When she clicks on AVG icon in
systray it says: "application can not be executed if avgui.exe is
infected"

Restarting gave the same first message. This time she told me about
the green shield and that the message was in an IE box.

Should she have let that anti-virus run to completion?


No, it was the virus. It was a scam.

At first I thought it was one of the web scan/scams, but maybe it's
good???

Nope, it was a scam.
Last night I dl'd the latest copy of Bit Defender Rescue Disk, and it
is far different from last December's version. I'm going to give her
the CD at work today, but it would be simpler if the suggested scan
was a good thing to run.


Separate question: Why don't Dell computers have a reset button?

Ask Dell.

Paul

mm said:
Is there some built-in MS anti-virus scanner, or something that gets
automatically downloaded on certain occasions?


I'm sorry if part of this question is vague. My ex-gf was annoyed at
her computer and impatient with me and I got a description in dribs
and drabs, and incompletely.

She seems to have a virus. When she started winXPSP3, she got a green
shield and a message that she may have a virus, and it gave 4 or 5
suggestions of what to do. I don't know what the other suggestions
were. She chose to run some anti-virus that it suggested, and then
changed her mind and called me.

The only anti-virus she has is AVG, and I suggested she do a full scan
with that, but it wouldn't start. When she clicks on AVG icon in
systray it says: "application can not be executed if avgui.exe is
infected"

Restarting gave the same first message. This time she told me about
the green shield and that the message was in an IE box.

Should she have let that anti-virus run to completion?

At first I thought it was one of the web scan/scams, but maybe it's
good???

Last night I dl'd the latest copy of Bit Defender Rescue Disk, and it
is far different from last December's version. I'm going to give her
the CD at work today, but it would be simpler if the suggested scan
was a good thing to run.


Separate question: Why don't Dell computers have a reset button?

Thanks.

You can try running this, as this is good at removing the odd piece
of "rogue" malware. The free version is what you'd be downloading,
which is used for extermination rather than constant monitoring.

http://en.wikipedia.org/wiki/Malwarebytes

http://www.malwarebytes.org/

http://majorgeeks.com/download.php?det=5756 Apr29,2010 version 1.46

The main problem with using a program like that is the malware may
prevent the tool from being started. You can try renaming the file,
to something like "surprise.exe" and run it. If that doesn't work,
you'll have to check some of the anti-malware sites for tools
that can temporarily stop the malware, until you can get MBAM started.

As far as I know, MBAM claims to work best in regular boot mode.
It isn't supposed to work quite as well in "Safe Mode", but you
can try that as well, if you're not making any progress. You can be
assured, that any "rogue AV" program, is well equipped to deal with
all the usual workarounds, so removing it won't exactly be easy.

If the "name" of the rogue software is printed on the screen
of the affected computer, you can use a search engine to search
for more information on it.

Paul

mm

Is there some built-in MS anti-virus scanner, or something that gets
automatically downloaded on certain occasions?


I'm sorry if part of this question is vague. My ex-gf was annoyed at
her computer and impatient with me and I got a description in dribs
and drabs, and incompletely.

She seems to have a virus. When she started winXPSP3, she got a green
shield and a message that she may have a virus, and it gave 4 or 5
suggestions of what to do. I don't know what the other suggestions
were. She chose to run some anti-virus that it suggested, and then
changed her mind and called me.

The only anti-virus she has is AVG, and I suggested she do a full scan
with that, but it wouldn't start. When she clicks on AVG icon in
systray it says: "application can not be executed if avgui.exe is
infected"

Restarting gave the same first message. This time she told me about
the green shield and that the message was in an IE box.

Should she have let that anti-virus run to completion?

At first I thought it was one of the web scan/scams, but maybe it's
good???

Last night I dl'd the latest copy of Bit Defender Rescue Disk, and it
is far different from last December's version. I'm going to give her
the CD at work today, but it would be simpler if the suggested scan
was a good thing to run.


Separate question: Why don't Dell computers have a reset button?

Thanks.

PA Bear [MS MVP]

...She chose to run some anti-virus that it suggested, and then
changed her mind and called me.

Too late now & she shouldn't have clicked on ANYTHING in the pop-up, not
even the X to close it!

The suggested "anti-virus" was the infection! It's a "rogue," quite
possibly this one:
http://blogs.technet.com/b/mmpc/arc...of-the-microsoft-security-essentials-pie.aspx

Avoid Rogue Security Software!
http://www.microsoft.com/security/antivirus/rogue.aspx

Didn't AVG do a great job!

Mike S

Is there some built-in MS anti-virus scanner, or something that gets
automatically downloaded on certain occasions?
I'm sorry if part of this question is vague. My ex-gf was annoyed at
her computer and impatient with me and I got a description in dribs
and drabs, and incompletely.
She seems to have a virus. When she started winXPSP3, she got a green
shield and a message that she may have a virus, and it gave 4 or 5
suggestions of what to do. I don't know what the other suggestions
were. She chose to run some anti-virus that it suggested, and then
changed her mind and called me.
The only anti-virus she has is AVG, and I suggested she do a full scan
with that, but it wouldn't start. When she clicks on AVG icon in
systray it says: "application can not be executed if avgui.exe is
infected"
Restarting gave the same first message. This time she told me about
the green shield and that the message was in an IE box.
Should she have let that anti-virus run to completion?
At first I thought it was one of the web scan/scams, but maybe it's
good???
Last night I dl'd the latest copy of Bit Defender Rescue Disk, and it
is far different from last December's version. I'm going to give her
the CD at work today, but it would be simpler if the suggested scan
was a good thing to run.
Separate question: Why don't Dell computers have a reset button?
Thanks.

Run Malwarebytes Antimalware, with the latest definition files, using a
full scan. Run the scan once, delete anything you don't know to be good,
then reboot and immediately run it again, doing another full scan.

Pegasus [MVP]

mm said:
Is there some built-in MS anti-virus scanner, or something that gets
automatically downloaded on certain occasions?


I'm sorry if part of this question is vague. My ex-gf was annoyed at
her computer and impatient with me and I got a description in dribs
and drabs, and incompletely.

She seems to have a virus. When she started winXPSP3, she got a green
shield and a message that she may have a virus, and it gave 4 or 5
suggestions of what to do. I don't know what the other suggestions
were. She chose to run some anti-virus that it suggested, and then
changed her mind and called me.

The only anti-virus she has is AVG, and I suggested she do a full scan
with that, but it wouldn't start. When she clicks on AVG icon in
systray it says: "application can not be executed if avgui.exe is
infected"

Restarting gave the same first message. This time she told me about
the green shield and that the message was in an IE box.

Should she have let that anti-virus run to completion?

At first I thought it was one of the web scan/scams, but maybe it's
good???

Last night I dl'd the latest copy of Bit Defender Rescue Disk, and it
is far different from last December's version. I'm going to give her
the CD at work today, but it would be simpler if the suggested scan
was a good thing to run.


Separate question: Why don't Dell computers have a reset button?

Thanks.

Not built in but free: Microsoft Security Essentials -
http://www.microsoft.com/Security_Essentials/

Walt

Or you could do a System Restore maybe?

You can try running this, as this is good at removing the odd piece
of "rogue" malware. The free version is what you'd be downloading,
which is used for extermination rather than constant monitoring.

http://en.wikipedia.org/wiki/Malwarebytes

http://www.malwarebytes.org/

http://majorgeeks.com/download.php?det=5756 Apr29,2010 version 1.46

The main problem with using a program like that is the malware may
prevent the tool from being started. You can try renaming the file,
to something like "surprise.exe" and run it. If that doesn't work,
you'll have to check some of the anti-malware sites for tools
that can temporarily stop the malware, until you can get MBAM started.

As far as I know, MBAM claims to work best in regular boot mode.
It isn't supposed to work quite as well in "Safe Mode", but you
can try that as well, if you're not making any progress. You can be
assured, that any "rogue AV" program, is well equipped to deal with
all the usual workarounds, so removing it won't exactly be easy.

If the "name" of the rogue software is printed on the screen
of the affected computer, you can use a search engine to search
for more information on it.

Paul

Paul

Walt said:
Or you could do a System Restore maybe?

Not if it is already infected by malware.

Malware attacks System Restore, to prevent that very removal mechanism.

Paul

Hello Kitty

mm said:
Thanks to all of you. Yes, the screen must have been part of the
scam. She ran bit-defender for up to 5 hours last night until it
finished and it says she has 4 viruses. I'm going there now to look
at the results and disinfect or delete as appropriate. I hope that
will work.

The problem with this particular scam or malware is that it roots itself
into your registry. You should find a free program called "Hijack This" to
identify start up entries that keep whatever was installed to her machine
alive. There is also a rare file called "ComboFix" that can find and remove
a number of issues.

Those 2 free programs I mentioned have been able to help me remove
ad/malware completely from my PC after infection.

Good luck.

mm

The problem with this particular scam or malware is that it roots itself
into your registry. You should find a free program called "Hijack This" to
identify start up entries that keep whatever was installed to her machine
alive. There is also a rare file called "ComboFix" that can find and remove
a number of issues.

Those 2 free programs I mentioned have been able to help me remove
ad/malware completely from my PC after infection.

Thanks. I found Hijack This, which looks very good, and I'm going to
look for ComboFix.

I still started another thread to give my progress, such as it is.
She can download email, virus definitions, and according to MS, HTTPS
and FTP.

Only HTTP eludes her!

mm

The problem with this particular scam or malware is that it roots itself
into your registry. You should find a free program called "Hijack This" to
identify start up entries that keep whatever was installed to her machine
alive. There is also a rare file called "ComboFix" that can find and remove
a number of issues.

Those 2 free programs I mentioned have been able to help me remove
ad/malware completely from my PC after infection.

Good luck.
Thanks again. I found this one too.
http://www.combofix.org/download.php

IMPORTANT : ComboFix is extremely powerful , You should not run
ComboFix.exe unless you are asked to by a trained helper

Wait a second. If he's helping me, who's in charge!

But seriously, the descriptions give a lot of warnings, but also say
this:

"ComboFix also displays a report that can be used by trained helpers
to remove malware that is not automatically removed by the program.

Please note that running this program without supervision can cause
your computer to not operate correctly. Therefore only run this
program at the request of an experienced helper."

Yet the program removes things (malware) automatically!!!! I'm sort
of reckless but that scares me.

Paul

mm said:
Yet the program removes things (malware) automatically!!!! I'm sort
of reckless but that scares me.

You can do anything you want... as long as you have backups.

If you haven't prepared for a "meltdown" while you're curing
this malware, you could end up in an awful mess.

No matter who wrote the anti-malware tool, such a tool can
quarantine or delete enough files, to cause the OS to fail to
boot the next time. If you took the system offline and did
a backup when you first started working on the machine, then
you have options if things go wrong.

For example, I've heard of tools, that quarantine infected files,
but they're placed on a temporary ramdisk. If you shut down
such a tool, the ramdisk disappears with it, and if you need to
put any of those files back, they're gone.

If it's your own machine, then you know how valuable the
setup and files are. You might not need a backup image for
that. If you're working on someone else's machine, then more
care should be taken.

Paul

mm

You can do anything you want... as long as you have backups.

Well, right now the problem is not mine but my ex-gf's machine and she
doesn't have backups. I had to urge her for 2+ years to start using
an antivirus. In fact all those 230 viruses that I report in my next
thread that she found from 2003 and 2004 were probably from the time
when she didn't use antivirus.
If you haven't prepared for a "meltdown" while you're curing
this malware, you could end up in an awful mess.

No matter who wrote the anti-malware tool, such a tool can
quarantine or delete enough files, to cause the OS to fail to
boot the next time. If you took the system offline and did
a backup when you first started working on the machine, then
you have options if things go wrong.

For example, I've heard of tools, that quarantine infected files,
but they're placed on a temporary ramdisk. If you shut down
such a tool, the ramdisk disappears with it, and if you need to
put any of those files back, they're gone.

Ha ha. I don't know if I'm the only one, but I told that story here
last December. It was BitDefender Rescue Disk. They never replied to
me when I wrote to tell them about this problem but they have very
much changed how the program works and also expanded what it does.

It no longer has quarantine at all. Now it only has no change,
delete, disinfect, and rename.

You know, even last December they deleted or disinfected, and maybe
even renamed files on the hard drive. If they could do that, they
could have written the quarantine file to the same drive, instead of
the ramdisk. I wonder why they didn't think of that.
If it's your own machine, then you know how valuable the
setup and files are. You might not need a backup image for
that. If you're working on someone else's machine, then more
care should be taken.

Exactly. But what gets me is not that the risk is so high -- as you
say, it's not, if one has backups -- but that they post all these
warnings and then, at the same time, go in the other direction by
removing things automatically. It seems self-contradictory.

mm

With those attitudes: maybe it's time to cement the "ex"
in the relationship, and let her find someone else to
bug with her careless attitude to computing; and if her

Yes, I've cemented the "ex". She has too.

attitudes extend to the rest of her life, maybe it's time

Let's just say while in some ways she was more compatible than almost
anyone I've met, in other ways we're not at all.

to sit back and be thankful that you don't have twenty
years of unplanned child support to look forward to.
At least, I _hope_ you don't.

It's not just the money. I would hate to have a child growing up in a
household where I didn't live. And I don't have one doing that.

But we're still friends. We do favors for each other. In this case,
I'll probably learn a lot about computers, and I'd rather learn on
hers than on mine.

PA Bear [MS MVP]

...I had to urge her for 2+ years to start using
an antivirus.

In your first post in this thread, you told us she had AVG installed which
"wouldn't start" but you didn't tell us she'd be running without an AV app
for 2+ years.

See...

Cleaning a Compromised System
http://technet.microsoft.com/en-us/library/cc700813.aspx

Back-up any personal data (none of which should be considered 100%
trustworthy at this point) then format the HDD & do a clean install of
Windows. Please note that a Repair Install (AKA in-place upgrade) will NOT
fix this!

HOW TO do a clean install of WinXP: See
http://michaelstevenstech.com/cleanxpinstall.html#steps and/or Method 1 in
http://support.microsoft.com/kb/978307

After the clean install, you will have the equivalent of a "new computer" so
take care of EVERYTHING on the following page BEFORE otherwise connecting
the machine to the internet or a local network (i.e., other computers) AND
BEFORE connecting a flash drive, SDCard, or any other external drive to the
computer:

4 steps to help protect your new computer before you go online
http://www.microsoft.com/security/pypc.aspx

Other helpful references include:

HOW TO get a computer running WinXP Gold (no Service Packs) fully patched
(after a clean install)
http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c

HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a
clean install)
http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Tip: After getting the computer fully-patched, download/install KB971029
manually before connecting any external drive to the computer:
http://support.microsoft.com/kb/971029

NB: Any Norton or McAfee free-trial that came preinstalled on the computer
when you bought it will be reinstalled (but invalid) when Windows is
reinstalled. You MUST uninstall the free-trial AND download/run the
appropriate removal tool BEFORE installing any updates, Windows Service
Packs or IE upgrades AND BEFORE installing your new anti-virus application
(which will require WinXP SP3 to be installed).

Norton Removal Tool
ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe

McAfee Consumer Products Removal Tool
http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see:

Risks & Benefits of P2P file sharing
http://www.microsoft.com/protect/data/downloadfileshare/filesharing.aspx
http://blogs.technet.com/mmpc/archive/2008/10/06/the-cost-of-free-software.aspx

Steps To Help Prevent Spyware
http://www.microsoft.com/security/spyware/prevent.aspx

Steps to Help Prevent Computer Worms
http://www.microsoft.com/security/worms/prevent.aspx

mm

In your first post in this thread, you told us she had AVG installed which
"wouldn't start" but you didn't tell us she'd be running without an AV app
for 2+ years.

That's true, I didn't say that, but fwiw, that period ended about 5
years ago.

I'll send her your post and, it is to be hoped, she'll do all or at
least some of these things.

Thanks.

mm

Not wise. Actions have consequences!

For sure.

So far, she seems to have gotten off easy this time. I'll try to use
this problem as a motivation for her to start doing backups. In
truth, at least in the past, it didn't matter much if she had no
backups because she had no user data of any remaining importance. She
doesn't or at least didn't engage in important email correspondence.
Etc.


Anyhow, the problem may be solved. Whatever it is started when she
went to www.letmewatchthis.com , to download a tv show or movie. She
had done this before with no trouble, but this time a screen came up
in AVG warning her that she might have a virus and to do a scan. She
was suspicious, but not enough and she ran the "scan" for a little bit
before stopping it. The website has been hacked, is that a fair
conclusion? They'll fix it eventually??

Yesterday, after I scanned with BitDefender Rescue disk and got rid of
6-year-old emails with never-opened viruses, I scanned with AVG and
found a trojan and a registry entry pointing to it.

Is it possible this is a new trojan/virus that wasn't in the AVG list
on Friday (when she got infected) and was in the list on Saturday when
AVG found it?


The final problem seems to have been the FFox proxy settings.

[Almost the same text follows as in the later thread:]
My friend called me this morning. After I left, AVG finished scanning
everything yesterday and didn't find anything more.

But she got a different, new message from Firefox, something about
"can't find the proxy". So she knew I'd be sleeping that early and
she called another friend and he had her go to:
Firefox/Options/Advanced/Network/[Connection] Settings and she was set
for Use System Proxy Settings. (So am I.) He had her change to No
Proxy, and now her FF works. As far as she has noticed, everything
works.

She hasn't checked IE yet, but neither did I yesterday. Maybe it
worked after I used AVG to remove the trojan. But it seems the virus
changed something in the "System Proxy Settings" so that they no
longer work. What in practice, before the virus, the difference
between them and "no proxy" was, I don't know.

Is there some way to find the System Proxy Settings and change them
back to their proper values?

Thank you all for the help, and even the criticism in the next thread.
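As an added example (my own code, not posted by anyone in this thread): the "System Proxy Settings" that Firefox's "Use System Proxy Settings" option and Internet Explorer read live in the registry under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings`. This script parses a `reg export` of that key, reports any proxy values that differ from the usual no-proxy state of a home machine, and prints the `reg.exe` commands that put the key back to "No proxy"; the sample .reg text and its proxy values are constructed for illustration.

```python
import re
from typing import Dict, List

# The WinINET key holding the system proxy settings (IE and Firefox's
# "Use System Proxy Settings" both read it).
INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
REG_ADD_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"

# Constructed sample of what `reg export "HKCU\...\Internet Settings" proxy.reg`
# writes; the proxy values below are made up, not taken from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="http=127.0.0.1:5555"
"AutoConfigURL"="http://example.invalid/proxy.pac"
'''

_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the subset of the .reg format reg.exe writes for REG_SZ and REG_DWORD
    values: {key_path: {value_name: value}}. Other value types stay as raw text."""
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith("dword:"):
            value: object = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
        else:
            value = data
        keys[current][name] = value
    return keys


def proxy_findings(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """Report anything that differs from the 'No proxy' state a home machine normally has."""
    s = keys.get(INTERNET_SETTINGS, {})
    findings: List[str] = []
    if s.get("ProxyEnable", 0) == 1 and s.get("ProxyServer"):
        server = str(s["ProxyServer"])
        findings.append(f"proxy enabled: {server}")
        if "127.0.0.1" in server or "localhost" in server.lower():
            # Loopback proxies are legitimate for some local web-filtering software;
            # if none is installed, find out which program listens on that port.
            findings.append("proxy points at this machine; identify the program listening there")
    if s.get("AutoConfigURL"):
        findings.append(f"automatic configuration script set: {s['AutoConfigURL']}")
    return findings


def reset_commands(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """reg.exe commands restoring 'No proxy'; only right where no real proxy or PAC is needed."""
    cmds = [f'reg add "{REG_ADD_KEY}" /v ProxyEnable /t REG_DWORD /d 0 /f']
    for name in ("ProxyServer", "AutoConfigURL"):
        if name in keys.get(INTERNET_SETTINGS, {}):
            cmds.append(f'reg delete "{REG_ADD_KEY}" /v {name} /f')
    return cmds
```

Run the commands from an account with rights to the user's hive, then restart the browser; on a work machine, ask the administrator for the proper values instead of resetting to no proxy.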