Tuesday, November 4, 2008

Choosing antivirus for your PC

Last May 24th, our Kaspersky 6.0 antivirus license expired. Although Kaspersky is still active, the Update portion is greyed out, meaning we cannot update the signature and virus DB anymore. And not surprisingly, my laptop suddenly got a trojan/worm that keeps popping up with various .exe and .bat files from my C:\WINDOWS\SYSTEM32. Kind of a pesky trojan.


Although KAV was able to catch it trying to make changes in the registry, the trojan's ability to create multiple files was faster than KAV could handle. So I had to set Deny on everything that popped up, one by one. To my horror, my directories multiplied. The worm created a mirror of my drives C: and E: (partition drive). I am supposed to have C: (root), D: (CD), and E: (partition). Now I got G: (mirror of C:) and F: (mirror of E:). When I double-click on the mirror drives, the worm goes crazy. Finally, after what seemed like an eternity of denying the worm access to the registry, I opened HijackThis to see what was going on inside my PC. Well, HJT showed the worm or trojan had installed itself as a Browser Helper Object (BHO). I am using Firefox 2.0.0.14 and IE7.

I just can't tell which browser the bug latched onto. So while doing battle with KAV on one side, I deleted (fixed) the BHO from HJT. Then I opened Task Manager and killed the worm process running there under my name. After the pop-up warnings subsided, I rebooted my laptop.

The directories were restored, but my My Computer icon was corrupted. I had to install the XPTweak software to rebuild the icons.
I opened Windows Explorer and went to C:\WINDOWS. I saw two explorer.exe files with different icons. One had an exe icon, the other a folder icon. I deleted both. Then I opened another Explorer window, and I saw another explorer.exe appear on the list.

I clicked on the file and it says it came from MS. I mean the file properties description says it is from MS. No problem. I opened the two browsers to see if something would come up in the directory. Nothing. I ran HJT again. There are two BHOs remaining:

O2 - BHO: ietzbpaq.dll - {29109876-7619-9101-7012-901938475192} - C:\WINDOWS\system32\ietzbpaq.dll
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - C:\WINDOWS\system32\skqncbib.dll

I tried to locate them in system32 but the files are not there. My folder view is set to "view hidden files and folders".
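The two leftover O2 lines above are exactly the case a quick registry check catches: a BHO is registered under the Browser Helper Objects key by CLSID, and the DLL that IE loads for it is recorded in HKCR\CLSID\{clsid}\InprocServer32. The script below is an added example, not code from the original post or from HijackThis; it lists every registered BHO the way HJT's O2 lines do and flags entries whose DLL no longer exists on disk (an orphaned registration, like the two above) or carries no valid Authenticode signature. It assumes Windows PowerShell with read access to HKLM, HKCU and HKCR; the key paths are the standard ones, and the 64-bit Wow6432Node variants are included for completeness.

```powershell
# Added example (not from the original post): enumerate Browser Helper Objects
# and flag the ones whose DLL is missing or unsigned. Assumes Windows PowerShell
# with read access to HKLM, HKCU and HKEY_CLASSES_ROOT.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoDllPath {
    param([string]$Clsid)
    # IE loads the DLL named in the (default) value of HKCR\CLSID\{clsid}\InprocServer32.
    foreach ($root in @('Registry::HKEY_CLASSES_ROOT\CLSID',
                        'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path $key) {
            $raw = (Get-ItemProperty -Path $key).'(default)'
            if ($raw) { return [Environment]::ExpandEnvironmentVariables($raw) }
        }
    }
    return $null
}

function Get-BhoReport {
    $report = @()
    foreach ($base in $bhoKeys) {
        if (-not (Test-Path $base)) { continue }
        foreach ($sub in Get-ChildItem -Path $base) {
            $clsid  = $sub.PSChildName          # subkey name is the CLSID, e.g. {29109876-...}
            $dll    = Get-BhoDllPath -Clsid $clsid
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $signer = 'n/a'
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                if ($sig.Status -eq 'Valid') { $signer = $sig.SignerCertificate.Subject }
                else                         { $signer = "UNSIGNED/$($sig.Status)" }
            }
            # Missing DLL (orphaned registration) or unsigned DLL: worth a closer look.
            $suspect = (-not $exists) -or ($signer -like 'UNSIGNED*')
            $report += New-Object PSObject -Property @{
                CLSID   = $clsid
                DLL     = $dll
                OnDisk  = $exists
                Signer  = $signer
                Suspect = $suspect
            }
        }
    }
    return $report
}

# Suspect entries first, so orphaned or unsigned BHOs are at the top of the list.
Get-BhoReport | Sort-Object Suspect -Descending |
    Format-Table CLSID, DLL, OnDisk, Signer, Suspect -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable. An entry with OnDisk = False is the same thing HJT reported above: the registration survived even though the file is gone, and removing the orphaned CLSID entry is what HJT's "fix" does.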

Well, as long as it doesn't give my KAV a knee-jerk, I guess the trojan/worm is under control.
----------

Anti-virus Galore

I have reviewed and tried several anti-virus software packages.
I tried McAfee, the one that is supposed to be licensed and can be downloaded from P2P. I discovered it has a backdoor and can be turned off by third-party programs, and when used in an Internet cafe, it can be overwhelmed and crash out of the PC. Verdict: Out.


Then there was Symantec's Norton AV. It usually comes with a new PC. Norton is like Vista. Its installation footprint is as large as Office 2007. It is sooo annoying with all those warning signs. It can't even distinguish legit Windows operations. I guess MS Vista copied their UAC from Norton. If you think you can use Norton effectively from the time you bought your PC until after one year, you are wrong. You may be able to ignore its warning to register and get a license; you may see that your PC is connecting to Live Update, but the truth is, it is not protecting your PC after the expiry.


It will just warn you that a virus or worm has been found, but it will not clean it. If the affected file is a vital .exe file, it will just quarantine the file -- change the file extension -- and promptly crash your system. Regardless of what Norton-lovers will say, the program sucks. So I removed it from my PCs. Rejected.

Next I tried Panda's Titanium. Nice and simple layout. Not so many security features. Quick updating. But when I installed it in an internet cafe setup, the hapless Panda just got hammered by viruses and disappeared from the tray. Rejected.


My sister-in-law sent me from the US an original licensed CD of AVG. I thought it was just another "cheap" anti-virus. But to my surprise, it withstood the internet cafe's onslaught of bugs.


It was easy to install and quick to update. The way it handles infected files is superb. Not like McAfee's or Norton's quarantine. In AVG, if the virus is in its DB, cleaning is automatic. Otherwise, it gives an option to Delete or Quarantine.


There was one virus which infected Excel and Word files. Under McAfee or Norton, the file would have been deleted or quarantined. But AVG cleans it automatically without damaging or corrupting the file. It was only anti-virus and anti-spam, so the spyware passed through. Nevertheless, I liked the performance and highly recommended it to my clients. I suggest you buy an original licensed CD, not the one you can download from P2P (antivirus coming from P2P contains trojans). Do not bother using the freeware: it does not clean, it only warns you.


Finally, our company purchased Kaspersky Anti-virus 6.0 Enterprise. I used KAV when it was still v.3 or 4. I wasn't impressed. But this v.6.0 was different. Easy to install and easy to configure. Even easy to update. After I ran the first-time scan, it caught a lot of bugs on my laptop. It even cleaned my flash drives of some worms that my 'pirated' AVG (because my previous license had long expired) did not capture.

It has anti-spam (e-mail), anti-phishing, anti-banner, anti-dialer and anti-spy features. There is also proactive defense (I only checked the Application Activity Analyzer and Registry Guard; I turned off the Office Guard). I also turned off mail scanning, as it can cause problems with my MS Outlook. But overall, KAV is very efficient and ruthless to viruses, trojans and worms. I love it when the pop-up warning gives a Delete/Apply to All option.

Almost always, even when the filename is something like explorer.exe, it should be deleted. Highly recommended.
I really hate it when the office internet speed goes down because someone's PC has got a host of spyware and worms. So now I have requested our IT to purchase Kaspersky Internet Security 2009 (an upgrade from our KAV), since almost all of us are online most of the time.

Do not be fooled by all of those P2P, torrent-downloaded antiviruses. Buy a licensed antivirus. That's the real security for your PC.

Have a safe internet surfing.
