Monday, March 16, 2009

Rookie Fighting with Google Result Redirect Virus

My desktop was infected by a Trojan horse yesterday, and this is not the first time :(.
Last time it took my friends and me two days to identify the virus, and in the end we had to reformat the hard disk! This time we spent the whole night. The problem seems to be solved, but I am not sure.

The symptoms are that my Google search results are redirected to unknown ad websites, and my avast! Antivirus (Home edition) cannot update itself because the connection to the update server fails.

(1) Diagnosis
Use HijackThis to generate a log file.
Look for a suspicious executable in the log. In my case it was "C:\WINDOWS\system32\systen.exe" (note the name, which imitates "system"; the file is not part of Windows):
(http://www.greatis.com/appdata/d/Windows/s/systen.exe.htm)

(2) Delete this exe file
First, manually delete it from the folder "C:\WINDOWS\system32\".
Second, delete any entry referring to "systen.exe" from the autostart key in the registry:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

(3) Update avast! and start a thorough scan
After "systen.exe" was deleted, avast! could update itself again.
Several viruses were reported during a thorough scan of all hard disks!
Google search went back to normal after those viruses were removed.

(4) Scan the computer once more with Malwarebytes' Anti-Malware
Seven malicious programs were found and removed.

I think the infection came from visiting some unsafe sites; from one of them a Trojan was downloaded onto my computer. I am really afraid that my personal information may have been sent out and reached malicious hands. It's urgent to put myself on a credit watch programme, which tracks suspicious account activity. By the way, I need to change the passwords for all my accounts.

:( I learned a serious lesson!

============================
Later today I found out that the virus came from my office desktop!
I had to fight the demon on that computer again, and this demon was even stronger!
Symptoms:
It not only blocked the update function of every antivirus program, but also killed the process of any malware detection/repair tool.
An error message about "svchost.exe" popped up from time to time.

At first I followed the instructions at the following link:
http://www.geekstogo.com/forum/Google-Search-Redirected-t218403.html

The virus was killed temporarily, but it came back after a minute. There must have been some open back door.

Then I used the following tools (TOGETHER) to kill the virus and clean my computer. I had to rename the setup file and the exe file so that they could run on my computer.
The scan results showed 9 infected items, including some registry entries!!


1. Malwarebytes' Anti-Malware (Very good)
=============================
Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 3

3/18/2009 12:20:00 PM
mbam-log-2009-03-18 (12-19-57).txt

Scan type: Quick Scan
Objects scanned: 71913
Time elapsed: 9 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\ -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\ -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ (Trojan.Agent) -> No action taken.

============================================
It took a long time. It seems the virus hid behind normal registry keys/data. Malwarebytes performed wonderfully at detecting the Trojan agents, but when I deleted the infected items with Malwarebytes, Windows could not be restarted afterwards.
Therefore I had to use F-Secure to deal with those viruses.
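As an added example (not the author's code, and not one of the tools listed on this page), here is a Python script that audits a regedit export for the two persistence points this post touches: the Run key that held systen.exe in step (2) above, and the Winlogon Userinit value that the Malwarebytes log reports as pointing at "c:\windows\system32\" instead of userinit.exe. The expected Userinit value, the heuristic that flags Run entries whose program lives inside the Windows directory, and the sample .reg text are my assumptions, modelled on what the post reports rather than taken from it.

```python
"""Audit a Windows registry export (.reg) for two persistence points:
HKLM\...\CurrentVersion\Run entries and the Winlogon Userinit value.
Added example, not the blog author's code.  SAMPLE_REG is constructed
to mirror the post's findings (systen.exe in Run, Userinit set to a
directory instead of userinit.exe)."""
import re
import ntpath

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumption: on Windows XP, Userinit should list exactly one program,
# Windows' own userinit.exe (the trailing comma in the real value is normal).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# "name"=data  or  @=data  (default value) as written by regedit.
_VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')


def parse_reg(text):
    """Return {key: {value_name: data}} from regedit's export format.
    String data is unquoted and unescaped; dword:/hex: data is kept raw."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        keys[current][name] = data
    return keys


def userinit_findings(keys):
    """Flag a Userinit value that is missing or no longer names just userinit.exe.
    TDSS-style tampering replaces or extends the comma-separated program list."""
    data = keys.get(WINLOGON_KEY, {}).get("Userinit")
    if data is None:
        return [("Userinit", "missing", None)]
    programs = [p.strip().strip('"').lower() for p in data.split(",") if p.strip()]
    if programs != [EXPECTED_USERINIT]:
        return [("Userinit", "tampered", data)]
    return []


def image_path(cmd):
    """Extract the program path from a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def run_findings(keys, known_good=()):
    """Heuristic (assumption): legitimate startup programs normally live under
    Program Files, so a Run entry whose .exe sits inside the Windows directory
    with a name not in known_good (such as systen.exe) deserves a look."""
    skip = {k.lower() for k in known_good}
    out = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        path = image_path(cmd).lower()
        base = ntpath.basename(path)
        if base in skip:
            continue
        if "\\windows\\" in path and base.endswith(".exe"):
            out.append(("Run", name, cmd))
    return out


def audit(text, known_good=()):
    """Parse a .reg export and return all findings as (area, name, data) tuples."""
    keys = parse_reg(text)
    return userinit_findings(keys) + run_findings(keys, known_good)


# Constructed sample export, not a real capture from the post's machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"systen"="C:\\WINDOWS\\system32\\systen.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="c:\\windows\\system32\\"
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding)
```

To run it against a real machine, export the two keys with reg.exe (for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`) and read the file with `encoding="utf-16"`, which is what regedit writes. Two caveats: an export taken on the live, infected system can itself be filtered by a rootkit, so the result is more trustworthy from safe mode or from the SOFTWARE hive loaded on a clean machine; and a tampered Userinit must be set back to userinit.exe rather than deleted, because Windows runs whatever that value lists at logon and with it empty the session logs off immediately, which is one way a cleanup tool can leave a machine unable to start normally.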

2. F-Secure Anti-Virus 2009 (Evaluation Version) (good)
==================================
TDSScfum.dll
backdoor: w32/TDSS.W
Win32.TDSS.rtk


Virus:
Backdoor.Win32.TDSS (system infection)
Spyware:
Tracking Cookie
Adware.Win32.Boran
TrackingCookie.Imrworldwide

==================================
3. Spybot - Search & Destroy (resident)
Spybot - Search & Destroy was not very useful here, since it requires an update before it can scan, and as I mentioned, the update function had been blocked by the virus.

Finally the viruses are gone. I did a full scan and cleaned out unnecessary files with CCleaner in safe mode.
