
Malware Keeps Reinstalling Itself, Despite Deletion, Every Time I Re-Boot


Mobi


Every time I turn on my laptop I get a warning from AVIRA that a malware entitled…

W32/small.l

Type: 0006314D

…is present on my machine, and they give me the option to delete it, which of course I do.

Then the next time I boot, it is back again and I delete it again, and so on and so on.

After deletion I have run Avira, Malwarebytes and other anti-virus software but no malware is reported on the PC so I can assume it has been successfully deleted.

Yet somehow it re-installs itself every time I re-boot.

There has been no noticeable effect on computer performance.

Has anyone any experience of this or how to stop it from reinstalling itself each time I re-boot?

Thanks

Mobi


The keyword is source.

As it comes back again and again, it must originate from somewhere you frequent or from a computer nearby.

Find that source and you'll be rid of it.

I would also try other AV options, such as ESET and Norton.

And of course, if you run any pirated software, it could very well be the source of the malware.


I have a similar problem; I have found myself with a very tenacious piece of malware.

Every time I start my computer up this programme starts up and will not allow me to access the Internet, or if it does it closes it down, and it will not let me run the Malwarebytes anti-virus programme.

Bizarrely the dodgy virus is trying to get me to buy a fake anti-virus programme.

Before I throw my computer from my 11th floor balcony, can anyone offer me any practical advice?

Edited by theoldgit

I am at home.

There is no other computer and I have my own internet/wifi connection which is code protected.

I have no pirated software.

The warning of the malware immediately appears on re-boot and it is then immediately deleted if I don't do so myself within 16 seconds.

As I said, I then run Avira (which is the same AV that advised me that the malware was present and then deleted it), and it reports my machine clean, which I assume it is as everything runs fine, including the internet.

Ditto Malwarebytes.

It just seems to reinstall, either upon shut down or re-boot.

I hate Norton but I might try AVG.

In the past 10 years, AVG then Avira have kept my computers completely clean.


I also downloaded and ran Kaspersky TDSSKiller, which is a free rootkit removal tool that is designed to remove the TDSS rootkit.

"This rootkit downloads other malware, redirects Google searches, and prevents programs (exe files) from opening.

TDSSKiller will also detect and remove other rootkits, such as the ZeroAccess rootkit."

The software reported my computer clean, so I am sure that it is, except for a few seconds when I re-boot and before Avira deletes the reinstalled malware.

But I'd like to get rid of it 100%

I can't be the first person to have this problem, surely?



You will hate AVG even more

Take a look at all your startup programs, scheduled tasks, boot execute programs, and Windows services. Also browser helper objects. Delete or disable anything suspicious.

Easiest way to do this is via the autoruns utility you can download here:

http://technet.micro...s/bb963902.aspx

Edited by JSixpack

Sometimes you can get re-infected from System Restore.

Try turning this off - which will delete all your restore points - and turn it back on once Avira claims to have deleted the virus. You'll need to do a reboot before turning it on again.

I don't know which OS you're running but this method often works for WinXP.

DM


I would boot on Hiren's Boot CD (for instance, or on a similar bootable CD including the necessary cleaning tools) and try to clean this computer using one or several of the tools included on Hiren's Boot CD: http://www.hirensbootcd.org/download/

Your malware is probably replicating itself with a programmed task after your local system has booted. Booting on Hiren's Boot CD should prevent this and the tools included on this CD should help you to clean your computer.

You can also check your local registry settings (RegEdit), at least these four keys, as they might contain suspicious programs (check everything launched there that you don't know with a Google search, for instance):

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Computer\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

It's not always sufficient, but it's a good start.

Edited by GuyL
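The two posts above (JSixpack's list of autostart locations and GuyL's four Run/RunOnce keys) describe the same hunt. The script below is an added example, not code from either poster or from Autoruns: it walks those locations on Windows 7 with Windows PowerShell 2.0 or later (run as Administrator) and flags anything that matches the file names named elsewhere in this thread (Serverx, XTray, setupx, updatex) or that launches from a user-writable directory. The "user-writable path" rule is this script's own heuristic and marks candidates for a web search, not verdicts.

```powershell
# Added example, not from the thread: enumerate Run/RunOnce, BootExecute,
# services, scheduled tasks and browser helper objects, then flag entries.
# Windows PowerShell 2.0+ on Windows 7, run from an elevated prompt.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',      # 32-bit apps on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# File names given later in this thread (ESET entry and removal guide).
$knownBad = 'serverx|xtray|setupx|updatex'
# Heuristic (assumption of this script): legitimate autostarts rarely live here.
$writable = @([regex]::Escape($env:TEMP), [regex]::Escape($env:APPDATA),
              [regex]::Escape($env:LOCALAPPDATA), 'Users\\Public') -join '|'

function Test-Suspicious([string]$Command) {
    if ($Command -match $knownBad) { return 'KNOWN-INDICATOR' }
    if ($Command -match $writable)  { return 'USER-WRITABLE-PATH' }
    return ''
}

function New-Finding($Source, $Name, $Command) {
    New-Object PSObject -Property @{
        Source = $Source; Name = $Name; Command = "$Command"; Flag = (Test-Suspicious "$Command")
    }
}

$findings = @()

# Run / RunOnce values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are provider metadata, not autostarts
        $findings += New-Finding $key $p.Name $p.Value
    }
}

# BootExecute runs from Session Manager before any service, AV included
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
foreach ($line in @($sm.BootExecute)) { $findings += New-Finding 'BootExecute' 'BootExecute' $line }

# Services: judge the binary path, not the display name
foreach ($svc in Get-WmiObject Win32_Service) {
    $findings += New-Finding 'Service' $svc.Name $svc.PathName
}

# Scheduled tasks via schtasks.exe (Get-ScheduledTask does not exist on Windows 7).
# schtasks repeats its CSV header once per task folder, so drop those rows.
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    $cmd = $t.'Task To Run'
    if ($cmd -and $cmd -ne 'Task To Run' -and $cmd -ne 'N/A') {
        $findings += New-Finding 'Task' $t.TaskName $cmd
    }
}

# Browser helper objects are registered by CLSID; resolve each to its DLL
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($k in Get-ChildItem $bho) {
        $clsid = $k.PSChildName
        $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $findings += New-Finding 'BHO' $clsid $srv.'(default)'
    }
}

$findings | Where-Object { $_.Flag } | Format-Table Flag, Source, Name, Command -AutoSize
$findings | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autostarts.csv"
```

The CSV on the desktop is the full inventory; diff it against a second run after the next reboot to see which entry comes back. Anything flagged KNOWN-INDICATOR is worth treating as the dropper's persistence; anything flagged USER-WRITABLE-PATH still needs a look at the file itself before it is removed.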

As said. It appears the virus/malware has loaded into the boot sector of your computer so every time you boot up it simply reinstalls itself. Boot into safe mode and run the scan again and that should do it.

You can also try looking here for more information on how to remove it.

http://www.spywareviruscleaner.com/How-to-Remove-W32/Small.L.virus.html

Good luck


Source http://www.spywareviruscleaner.com/How-to-Remove-W32/Small.L.virus.html :

How to Remove W32/Small.L.virus Manually?

Step 1: Disable and remove W32/Small.L.virus processes.

Step 2: Detect and remove W32/Small.L.virus registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\XTray.exe

Step 3: Detect and remove other W32/Small.L.virus files

Important Note: Even though it is possible to manually remove W32/Small.L.virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware viruses are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT experts or highly qualified system administrators. For common computer users, it is recommended to use automatic spyware removal applications found on spywareviruscleaner.com

Edited by FritsSikkink

from NOD32 threat center:

Threat Encyclopaedia

Win32/Small.L

Aliases: Virus.Win32.Small.l (Kaspersky), W32.Madangel (Symantec), W32/Alisa.d (McAfee)
Type of infiltration: Virus
Size: 5322 B
Affected platforms: Microsoft Windows
Signature database version: 1941 (20061228)

Short description

Win32/Small.L is a file infector. The virus tries to download and execute several files from the Internet.

Installation

When executed, the virus creates the following file:

%system%\Serverx.exe (9418 B)

In order to be executed on every system start, the virus sets the following Registry entry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Serverx" = "%system%\Serverx.exe"

The following Registry entries are created:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks" = 0
"AutoShareServer" = 0

Executable file infection

The virus searches local and network drives for executable files. The virus searches for executables with one of the following extensions:

.exe
.scr

Executables are infected by appending the code of the virus to the last section. The host file is modified in a way that causes the virus to be executed prior to running the original code. The size of the inserted code is 5322 B. It avoids files which contain any of the following strings in their path:

winn
wind

Other information

The virus contains a URL address. It tries to download a file from the address. The HTTP protocol is used. The file is stored in the following location:

c:\setupx.dll

The file is then executed. The virus launches the following processes:

%system%\setupx.exe
%system%\updatex.exe

The virus contains the following text:

Angry Angel v3.0

The virus may create and run a new thread with its own program code within any running process.

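The removal guide quoted by FritsSikkink gives three manual steps (stop the processes, remove the Run entries, remove the files) and the ESET entry above supplies the actual names: Serverx.exe and the "Serverx" Run value, setupx.exe, updatex.exe, c:\setupx.dll, the LanmanServer share values, and the fact that this is a file infector that appends 5322 bytes to .exe and .scr files and carries the text "Angry Angel v3.0". That last point is why deleting the dropped file does not stick: any infected host program re-creates it when it runs. The script below is an added example, not code from ESET, the removal guide or anyone in the thread. It performs the three steps with those names, then searches the drive for executables carrying the marker string. Nothing is deleted: dropped files go to a quarantine folder (a path chosen here, not named on the page) and infected hosts are only listed, because they are legitimate programs that need reinstalling rather than junk.

```powershell
# Added example, not from the thread: persistence teardown for the names the
# quoted descriptions give, followed by a marker scan for infected hosts.
# Run from an elevated Windows PowerShell 2.0+ prompt, ideally in Safe Mode.

$quarantine = Join-Path $env:SystemDrive 'Quarantine'     # folder name is this script's choice
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
$sys32 = Join-Path $env:SystemRoot 'System32'             # ESET's %system%

# Step 1: stop the running copies.
foreach ($name in 'Serverx', 'setupx', 'updatex', 'XTray') {
    Get-Process -Name $name -ErrorAction SilentlyContinue | Stop-Process -Force
}

# Step 2: remove the Run values ("Serverx" per ESET, "XTray.exe" per the
# removal guide) and the LanmanServer values ESET says the virus writes.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($value in 'Serverx', 'XTray.exe') {
        if ($props -and $props.PSObject.Properties[$value]) {
            "removing {0}\{1} = {2}" -f $key, $value, $props.$value
            Remove-ItemProperty -Path $key -Name $value
        }
    }
}
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($v in 'AutoShareWks', 'AutoShareServer') {
    # deleting the value restores the Windows default (administrative shares on)
    Remove-ItemProperty -Path $lanman -Name $v -ErrorAction SilentlyContinue
}

# Step 3: move the dropped files aside instead of deleting them.
$dropped = (Join-Path $sys32 'Serverx.exe'), (Join-Path $sys32 'setupx.exe'),
           (Join-Path $sys32 'updatex.exe'), (Join-Path $env:SystemDrive 'setupx.dll')
foreach ($f in $dropped) {
    if (Test-Path $f) {
        Move-Item -Path $f -Destination (Join-Path $quarantine (Split-Path $f -Leaf)) -Force
        "quarantined $f"
    }
}

# Step 4: find infected hosts. Decoding the file bytes as ISO-8859-1 maps each
# byte to exactly one char, so an ordinal string search is a byte search.
$latin1 = [System.Text.Encoding]::GetEncoding(28591)
$marker = 'Angry Angel v3.0'        # text ESET says the virus body contains

function Test-Marker([string]$Path) {
    try { $text = $latin1.GetString([System.IO.File]::ReadAllBytes($Path)) } catch { return $false }
    return $text.IndexOf($marker, [System.StringComparison]::Ordinal) -ge 0
}

$roots = @($env:SystemDrive + '\')  # add any drive that was ever mapped from this machine
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Include *.exe, *.scr -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Length -lt 50MB } |
        ForEach-Object { if (Test-Marker $_.FullName) { "INFECTED  $($_.FullName)  ($($_.Length) bytes)" } }
}
```

The scan reads every .exe and .scr on the drive into memory one at a time, so it takes a while on a full disk; run it once, keep the INFECTED list, and reinstall or restore those programs from known-good media. A single missed host is enough for the file to reappear at the next boot, which matches what the thread keeps observing.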


OK, this is going to be a bit tiresome... the answer is with Malwarebytes even though it won't let you run it. Follow the instructions here if the symptoms are the same, otherwise please provide a full description of your problem plus screenshots if you can.

http://virus.geeksailor.com/how-to-remove-windows-stability-alarm-virus-removal-guide/


Many thanks to the volume of replies.

I believe I have fixed it, thanks mainly to JSixpack who gave me the link to check my startup programmes.

I ran the programme and it highlighted a number of dubious files and when I did a web search I found two that were noted as very suspicious and dangerous. I deleted them - possibly somewhat foolishly - and waited with bated breath to see if I had screwed up my computer, but the Gods were with me, and everything is now fine.

I have re-booted several times and no sign of the malware on start-up. I also ran a number of 'killer' programmes, as recommended by folk in this thread and each time no malware was detected.

I have also checked my registry and there is no sign of the malicious registry entries as advised by FritsSikkink and Xanax.

So I guess I am clean.

In the meantime I also downloaded AVG, ran it and again, my computer is reported as clean. I will now uninstall it as I already have more than enough antivirus software....I think...

Thanks again folks,


Edited by Mobi


Stop looking at porn sites. It's not good for your computer or your HEART!!!!!!!!!!!!!!



Thanks for the tip about TDSSKiller, which I just installed and ran. Despite unticking the box 'install Softonic search bar', this still got installed, both in Firefox and in IE. Took me another 10 minutes to get rid of. The scan results were worthwhile though.



AVG (free version) is fine for me in combination with HitmanPro.

Edited by FritsSikkink

It's back!!

The warning disappeared after booting for a few days, but 2 days ago it came back again. Whatever I removed from the 'start' registry, must have done a temporary fix, but now it is back - same as before - the warning on start-up from Avira which then deletes it.

I spent pretty much all of yesterday working through all the suggestions contained in this thread but to no avail.

But I need some help from GuyL regarding the 'Hirens boot cd'.

I downloaded it, burnt a CD and tried to use it. However I am completely baffled by the boot menu on the CD as although it is supposed to contain anti-virus and clean up software, I cannot locate it in the menu. There is a menu option to boot up into a 'Mini Windows XP' which apparently contains antivirus stuff, but I am running W7, so it is of no use to me.

Any ideas what menu option to boot from?

Thanks


During the period I was running both AVG and Avira on my computer, it was only Avira that identified and deleted the virus on start up. Nothing from AVG.

I have run all my normal anti virus software, plus some other stuff suggested in this thread in 'safe' mode, but to no avail.


Went there, downloaded their 'free' product, used it to scan my computer , and after several hours of scanning it told me I had one suspicious file in Microsoft Office. When I opted to 'remove' the file, I was redirected to a website where I had to pay a sum of money before the offending file would be removed.

On top of that the window of the virus scanner froze on my machine, and I couldn't find any file in Microsoft Office that resembled the one that was listed.

It also told me how to remove the offending registry files manually. So I went into 'safe' mode and found two of the files listed and deleted them. There was another file that was also listed but it just didn't look like a 'bad' file as it had references to Skype, and other proprietary software in its sub files, so I didn't delete it. (I should add that I created a restore point before doing all this.)

Finally, I went back to the internet and found another site that made similar claims to 'The Spyware Tool Removal Kit' file. This is 'PCSafe Doctor'. It had a similar list of 'bad ' registry files to delete and also offered a 'free' scan. I started to download this software before realising that it was identical to the one I had previously downloaded. No doubt if I ran it, it would list a file or files that were suspicious, and then ask me to subscribe before removing them.

These programmes have now been removed from my computer.

Sadly, after spending countless hours going round in circles, I am no further forward.

Ideas anyone? - something that really works, not just an internet scam...



Sorry, I was abroad and without an Internet connection for the last two days.

You can boot on Hiren's boot CD and select the "Mini Windows XP" menu. The goal is to not boot on your current system; you can then run the various antivirus and antispyware programs included on Hiren's boot CD. It doesn't matter if your operating system is Windows 7. The tools included on Hiren's boot CD will scan and clean your whole hard disk from malware and, as you haven't booted using your current local operating system, it should prevent said malware from replicating itself on startup.


Thanks GuyL, now all is clear and I will boot into the Mini XP menu and run the software.

In the meantime, I seem to be clean again - thanks to those suggesting Avast and rkill. Yesterday I ran both of them (rkill several times) and I no longer get any virus warnings at start-up. So fingers crossed, I've made it this time.


If it comes up again, try this: find out exactly where the file is before your antivir deletes it, or look in the antivir log to find out where it was. Then delete it (if it hasn't been deleted) (empty your recycle bin) and create another file in its place with the same name. Right-click and in Properties, make it read-only. Possibly your fake virus file can't be overwritten by the real virus file. Whatever was creating the file may still be around, but if it can't do anything, then it's not worth worrying so much about.

Earlier I mentioned looking in the Windows scheduler. I assume you did that.

Edited by JSixpack
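JSixpack's placeholder trick above can be scripted, and it is worth hardening while doing so. The following is an added example, not code from the poster: it reserves the dropped file's name with an empty file and then locks it. The path is an assumption (ESET's %system%\Serverx.exe); take the real one from the Avira log as the post says. The read-only attribute the post suggests is cleared by any process that can write the file (attrib -r), so the script also puts a deny ACE on the placeholder. A dropper running as the user cannot get past that; one running with administrator rights can take ownership, and if the placeholder still gets replaced that tells you the dropper is privileged, which narrows the hunt.

```powershell
# Added example, not from the post: zero-byte placeholder plus deny ACL.
# Save as Lock-Placeholder.ps1 and run from an elevated Windows PowerShell.
# Default path is an assumption taken from the ESET description.

param([string]$Path = (Join-Path $env:SystemRoot 'System32\Serverx.exe'))

if ((Test-Path $Path) -and (Get-Item $Path -Force).Length -gt 0) {
    throw "$Path is not empty; delete the live file (and empty the Recycle Bin) before placing a decoy"
}
if (-not (Test-Path $Path)) {
    New-Item -ItemType File -Path $Path -Force | Out-Null   # zero-byte placeholder
}

# Attribute-level protection, as in the post (cosmetic: attrib -r undoes it).
(Get-Item $Path -Force).Attributes = 'ReadOnly'

# ACL-level protection: Everyone may read; nobody may write, delete, change
# permissions or take ownership. Inheritance is cut so the parent folder's
# ACEs cannot re-grant write access.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$deny  = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone,
             'Write, Delete, ChangePermissions, TakeOwnership', 'Deny'
$allow = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $everyone, 'Read', 'Allow'

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protected DACL, do not copy inherited ACEs
$acl.AddAccessRule($deny)
$acl.AddAccessRule($allow)
Set-Acl -Path $Path -AclObject $acl

# Verify from this (elevated) session: the write must be refused.
try {
    [System.IO.File]::WriteAllText($Path, 'x')
    Write-Warning "$Path is still writable; inspect it with: icacls `"$Path`""
} catch {
    "locked: $Path ($($_.Exception.GetBaseException().GetType().Name))"
}
```

The file's owner (the Administrators group, since an elevated session created it) keeps the implicit right to change the DACL, so the lock can be undone later from an elevated prompt with icacls "<path>" /reset followed by deleting the placeholder. Keep the placeholder only until the real source has been found; it hides the symptom, not the infection.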
