BOClean not working?

I have Windows XP Service Pack 2 (presumably up-to-date) … I deleted McAfee and installed Comodo Virus Scan, AdWare Blocker and Firewall … the Trojans aren’t deleted and I do still have the flashing yellow triangle that tells me I have a “black door Trojan” and the balloons that tell me my PC is infected … it says that I have the PSW.x-Vir (password stealer), NetWorm-i.Virus and something that starts with (Mydoom?) … or something… >:(

I tried system restore out of Windows but the Trojans have hijacked my Restore calendar as well, so I can only “restore” it to Nov. 16, the date my PC was infected.

I have uploaded a bunch of files (was around 12,000) to Comodo’s servers for the verification.

Are there ways to get rid of Spyware out of DOS?

I’m getting really unpleasant to be around.

This is my only home PC.

I need help.

You have CBOC (BOClean) installed?
If so, was it installed after you were infected?
Did you follow the installation instructions for your OS?

I have BOClean installed and yes, it was installed after the infection.

And I am pretty sure I downloaded it properly for Windows XP … kept clicking “next”.

I deleted the Internet Explorer and I guess BOClean has verified my AOL Software, so the hijack attempts seemed to have stopped there.

However, when I got on Yahoo, it still tries to redirect me to this … (I hope this shows up … it may not)

http://us.rd.yahoo.com/dailynews/rss/entertainment;_ylt=ArS9eiYkaMLfcdJpIJb4JL2LNmYD/*http://news.yahoo.com/s/ap/20071129/ap_en_ot/democratic_debate_canceled

The above is a generic Yahoo News article. After it loads, the IE is sent to the fake anti-Spyware site but now is giving me the “Unable to connect” message.

The same goes with most IE based “Pop-ups”.

The last time I tried Comodo Virus Scan, it went for about 10 minutes, then Windows Defender gave me a message that my PC was infected by a Trojan and recommended I delete it and restart my PC. I did that and it was the last I saw of the flashing yellow triangle.

Except, it still seems to hijack the currently non-existent IE.

Oh, and btw, my CPU is working at 100%.

What’s the deal with that?

This is a good example of where prevention beats the cure.
With the current state of malware art there are some infections that are not practical to attempt removing.
If they get the first punch in and compromise the system it’s pretty much game over.
At that point the best course of action is to grab your files and documents and do a fresh install of the OS.

However, when I got on Yahoo, it still tries to redirect me to this ... (I hope this shows up ... it may not)

http://us.rd.yahoo.com/dailynews/rss/entertainment;_ylt=ArS9eiYkaMLfcdJpIJb4JL2LNmYD/*http://news.yahoo.com/s/ap/20071129/ap_en_ot/democratic_debate_canceled

The above is a generic Yahoo News article. After it loads, the IE is sent to the fake anti-Spyware site but now is giving me the “Unable to connect” message.

The same goes with most IE based “Pop-ups”.

Can you grab the url/link to the fake anti-Spyware site and IM it to me?

The last time I tried Comodo Virus Scan, it went for about 10 minutes, then Windows Defender gave me a message that my PC was infected by a Trojan and recommended I delete it and restart my PC. I did that and it was the last I saw of the flashing yellow triangle.

Except, it still seems to hijack the currently non-existent IE.

You are still infected from the sound of it.
The CPU running at 100% is probably CBOC refusing to give up the battle.
You can hog tie and blind CBOC before throwing her into the melee and she’ll still fight.

  1. The malware site isn’t popping up anymore. It was “Kukkareck” … something … supposedly in Argentina.

  2. I am getting no “Trojan” messages anymore. Yesterday, PC worked as well as in the “olden days”, dropped to single percentage digits. Today, the CPU is getting overloaded again, up to 100%.

In my list of working “execute” processes, from “Wscntfy”, “issch” to “MsMpeng” to “ctfmon”, which are likely to be Trojans?

I get 42 to 47 of those and can make a list.

My hunch is that I manually blocked the right one yesterday and that kept the CPU load low.

On the other hand, something else - and it could have been the same thing - was really confusing my AOL. Could it be AOLLoad or AOLDial that are infected? I used to get AOLDial pop-ups when I was off AOL quite often in the past. Maybe it was a password stealer program at work.

  3. Another hint that the PC could still be infected is that when I write my AOL e-mail, the spell checker is really slow to catch the errors/typos. Before the infection, it was instant. Now, there’s a delay. Then again, maybe that’s the CPU overload. That sometimes makes all icons disappear and I have to turn the PC off manually because even the Start button isn’t working.

If I dump AOL and re-load, will it help or are the viruses likely to be hidden in other parts of memory and files anyway?

Just curious.

How does one edit the “allowed programs” list manually?

I disallowed AOLLoad but BOClean notified me that it was on my “allowed list”.

I figure I may as well play with this a little and see if I can suppress some of those processes.

If you reload the operating system you shouldn’t have any problems with active infections.
First thing after the reload is complete I always install BOClean and then my AV scanner and scan all my files.
If you do this you should be fine.

Good advice but reloading Windows costs money, $130 at my local Best Buy. :-\

The programs that were infected are definitely AOLDial.exe and AOLLoader.exe.

I am blocking them manually with Comodo and CPU usage immediately went down, first to 50%, then to its usual single digits. They still pop up every other minute but they are being blocked now.

I assume that even if I delete these programs, the Trojan will be still hiding in other places?

Aside from these evil-doers, my PC operation is basically normal now.

But this is not a permanent solution … or is it?

You don’t own a copy of the OS install media?

Ya, I think I have a Windows XP DVD lying around here somewhere.

I made a point of ordering it when I got my PC in July, 06 from Dell.

I’d suggest pulling the data you want to keep to another drive, disk or partition, boot from the OS install disk and install a fresh OS.
Your default BIOS settings are more than likely set to “boot from disk” so it’s pretty much a point and click install.
You may want to use a utility like SIW to grab installation keys for your licensed software that require it in order to facilitate a smoother transition.
Most fairly recent systems will complete the basics in less than an hour…
The problem is once the system has been compromised like this you never know for sure you didn’t miss a backdoor somewhere.

Here’s an interesting tidbit - last night, I deleted a couple of fake icons/programs that were left by the Trojan and my CPU use went down to the single digits again.

In the past when I had done it, they came back within a few minutes. Now, they’re off.

But today I am getting the AOLDial.exe pop-ups that I didn’t get last night and my CPU usage is back up to 100%.

So, obviously, the virus/Trojan is still present.

BTW, what’s OLE Automation and can/should someone suppress it?

This must be how the Trojan contacts the hijacker’s server.

And, ya, I’ll definitely have to reload the OS.

Question - if I store my files on Yahoo or AOL, including pictures, and then reload and access them again, what are the odds of this virus re-appearing with the Comodo installed?

From:
http://www.google.com/search?hl=en&q=OLE+Automation&btnG=Google+Search
First hit:

Depends. :smiley:
You weren’t using IE when you were hijacked were you? :o

Question - if I store my files on Yahoo or AOL, including pictures, and then reload and access them again, what are the odds of this virus re-appearing with the Comodo installed?

I’m not an advocate of online storage, AOL, or Yahoo. All 3 spell trouble in my book.
Uploading large chunks of personal data across several networks is time consuming, an opportunity for file corruption and loss not to mention the security and privacy issues.
If you have another drive handy you can probably slave it onto your current system internally with either an IDE or SATA cable (depending on your setup) or, externally with an external USB drive.
If you don’t have access to an extra drive (at today’s prices why not?) then use your optical drive to burn to disk.
So far as the virus reappearing, that will be up to you. :wink:
All files should be scanned while on an inactive partition or drive before using them in your new OS installation.
Don’t connect to the “tubes” without a firewall.
Staying away from 3rd party applications such as AOL that force you to use MS IE sourced browsers would be advisable as well.
Safe hex is a posture you assume to limit exposure to risk. Reduce your attack surfaces and you’ll reduce attacks.
Exploits are generally directed at the low hanging fruit, a few precautions on your part will get you out of the line of fire.

This may be the hijacker’s address:

remote: 72.45.32.34 port. : dns (53) UDP

Ah, let me read up on Ole now.

Port Magic App is trying to connect to:

IP: 207.244.160.1 Port : echo(7) - TCP

Is that legit or not?
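A small triage helper, added here and not code from the thread or from Comodo, that parses outbound-connection alerts in the shape of the two quoted above and marks the ones worth checking: DNS sent to an address that is not one of the machine’s configured resolvers, and connections to the legacy echo service. The resolver address and the third sample line are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample alerts in the shape of the Comodo pop-ups quoted in the thread.
# The first two addresses are the ones the poster quoted; the third is a made-up LAN resolver.
SAMPLE_ALERTS = [
    "remote: 72.45.32.34 port. : dns (53) UDP",
    "Port Magic App is trying to connect to: IP: 207.244.160.1 Port : echo(7) - TCP",
    "remote: 192.168.1.1 port. : dns (53) UDP",
]

# Assumption: the DNS servers that 'ipconfig /all' reports on the machine being triaged.
CONFIGURED_RESOLVERS = {"192.168.1.1"}

ALERT_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"   # destination address
    r".*?\((?P<port>\d+)\)"             # port number in parentheses, e.g. dns (53) or echo(7)
    r"\s*-?\s*(?P<proto>TCP|UDP)",      # protocol, optionally preceded by " - "
    re.IGNORECASE,
)

@dataclass
class Finding:
    ip: str
    port: int
    proto: str
    verdict: str

def parse_alert(line):
    """Return (ip, port, proto) for one alert line, or None if it does not match."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return m.group("ip"), int(m.group("port")), m.group("proto").upper()

def triage(line, resolvers=CONFIGURED_RESOLVERS):
    """Classify one alert; only connections that look unusual for a home PC get a 'review' verdict."""
    parsed = parse_alert(line)
    if parsed is None:
        return None
    ip, port, proto = parsed
    if port == 53 and ip not in resolvers:
        verdict = "review: DNS to a server that is not a configured resolver"
    elif port == 7:
        verdict = "review: echo(7) is a legacy service modern software rarely needs"
    else:
        verdict = "expected"
    return Finding(ip, port, proto, verdict)

def triage_all(lines, resolvers=CONFIGURED_RESOLVERS):
    return [f for f in (triage(l, resolvers) for l in lines) if f is not None]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_ALERTS):
        print(f"{f.ip}:{f.port}/{f.proto} -> {f.verdict}")
```

A “review” verdict only means the destination should be compared against what the machine is configured to use; it is not by itself proof of infection.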