Malware Woes

A few weeks ago, my PC was somehow infected with some nasty thing that tried to turn it into a spambot via drive-by download. I had the current version of Symantec AntiVirus running, set to the absolute highest paranoia levels and updated daily. I also had Spybot Search & Destroy running, again, updated daily and carefully configured. I had both do full system scans every day, as well as keeping them memory-resident at all times.

Neither program ever gave so much as a peep. In fact, when I found the original file that was to blame and checked it manually with Symantec AV, it passed as though it were as innocent as a babe. If I hadn’t had the antivirus software configured to show me an icon in the systray when it was checking outgoing mail, who knows when I would have realized that the system was compromised? As it was, I knew within seconds. (Hey, I notice “outgoing mail” when my email program isn’t even open.) I ended up pulling out the ethernet cable to stop communications ’til the system was clean.

Of course, after that happened, I knew that the two main security programs sucked. I tried a few others that I keep installed to do scans just to check how well the main ones are doing, and they thought my system was clean, too. Well, clean but for every cookie I’ve ever allowed into a browser. Those, they scream about. <snark>That’s reassuring, because you know it’s far more worrisome that somebody using a free site counter might know if I’ve visited her site before than that my machine has become a zombie, spewing out spam and letting who knows who use it for nefarious purposes.</snark>

I was able to find the program name and services that the trojan was using and removed those manually, so I could go back online to get more help. I tried four times, and was finally able to complete the online scan provided by TrendMicro. It claimed to have found 171 problems but crashed yet again when it was supposed to start trying to remove them. I went back to the site after a reboot and went through the whole danged process again, only to be told that the system had only four possible problems (and none of them the guilty file!)

I finally cleaned out the infection manually, searching for and examining every file created or changed on the date in question. I found the services that were installed and removed them, too. I went through my registry and everything else with a fine-toothed comb in a process that made my obsessive-compulsive traits a gift. The nasty is gone, and I verified that it didn’t get a chance to spread to any other PCs on our LAN.
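The “every file created or changed on the date in question” sweep described above is tedious by hand, so here is an added example of how to script it. This is not the author’s own tool; it walks a directory tree, keeps every regular file whose modification or metadata-change time falls on the given date, and hashes each hit so it can be looked up or submitted to a vendor later. The sample tree built by `build_sample_tree()` is constructed for illustration, and the date passed to `demo()` is arbitrary.

```python
"""Added example (not from the original post): list files touched on a
given date and hash them, as a scripted version of the manual sweep."""
import hashlib
import os
import sys
import tempfile
from datetime import date, datetime
from pathlib import Path


def _touched_on(st: os.stat_result, day: date) -> bool:
    """True if the file's mtime or ctime falls on `day` (local time).

    On Windows st_ctime is the creation time; on POSIX it is the last
    metadata change. A file that appeared or was rewritten on the infection
    date normally carries it in one of the two. Malware can forge
    timestamps, so a miss means "not found by this method", not "clean".
    """
    return any(datetime.fromtimestamp(ts).date() == day
               for ts in (st.st_mtime, st.st_ctime))


def sha256_of(path: Path) -> str:
    """Hash a hit so it can be checked against vendor databases later."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def files_touched_on(root, day, skip_dirs=("System Volume Information",)):
    """Return (path, mtime as ISO string, sha256) for every regular file
    under `root` touched on `day`, most recently modified first."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # prune directories that are noise or unreadable on a live system
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            p = Path(dirpath) / name
            try:
                st = p.stat()
            except OSError:
                continue  # locked or already-gone file: skip, keep sweeping
            if p.is_file() and _touched_on(st, day):
                when = datetime.fromtimestamp(st.st_mtime).isoformat(timespec="seconds")
                hits.append((str(p), when, sha256_of(p)))
    hits.sort(key=lambda hit: hit[1], reverse=True)
    return hits


def build_sample_tree(root: Path, day: date) -> None:
    """Constructed sample tree: two files back-dated to `day`, one left at now."""
    (root / "sub").mkdir()
    (root / "innocent.txt").write_bytes(b"nothing to see")
    dropped = root / "dropped.exe"
    dropped.write_bytes(b"MZ\x90\x00")      # constructed stand-in payload, not real malware
    loader = root / "sub" / "loader.dll"
    loader.write_bytes(b"abc")
    # noon local time on `day`, so the date survives timezone/DST rounding
    stamp = datetime(day.year, day.month, day.day, 12, 0).timestamp()
    os.utime(dropped, (stamp, stamp))
    os.utime(loader, (stamp, stamp + 60))   # one minute later than dropped.exe


def demo(day: date = date(2010, 1, 15)) -> dict:
    """Run the sweep over a throwaway tree; returns hit names and their hashes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, day)
        hits = files_touched_on(root, day)
        return {
            "names": [os.path.basename(p) for p, _, _ in hits],
            "hashes": {os.path.basename(p): h for p, _, h in hits},
        }


if __name__ == "__main__":
    # usage: python sweep.py <root> [YYYY-MM-DD]; defaults to cwd and today
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    day = date.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else date.today()
    for path, when, digest in files_touched_on(root, day):
        print(when, digest[:12], path)
```

On a Windows box the same filter is a one-liner in PowerShell over `Get-ChildItem -Recurse` and `LastWriteTime`, but the caveat is the same either way: timestamps are under the attacker’s control, so a date sweep finds careless droppers, not careful ones, and it should be paired with an inventory of services and autostart entries rather than trusted on its own.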

So, back to security software research! I chose Bull AV this time, on the basis of independent test results. They rated Bull, Nod32, and McAfee's VirusScan Enterprise as best. I already hate McAfee, which left just the first two.

I found the Bull suite very sexy—it includes backup capabilities with some free online storage space. It also had a two-month trial, which was nice. And Bull identified a frightening number of problems in old email archives. Symantec and several other programs never spotted them. These days, our mail server has its own antivirus software and does a very good job of keeping such things away.

Bull wasn’t so good about actually cleaning email infections. It supposedly works with Thunderbird, but it doesn’t do it very well. If there’s one suspicious email message in a folder or “mailbox,” Bull puts the entire folder into quarantine, or just deletes it! That is not ideal, to say the least.

It was also slowing down my system terribly, so I moved on to Nod32. It doesn’t have backup and only has a one-month trial. It does have attractive pricing that is comparable to Bull’s, and that pricing takes into account the fact that most of us have multiple computers in our homes. I like that.

It hasn’t slowed down my system appreciably, even with the firewall (and that’s rare). It has caught every test bit of nastiness I’ve tossed its way. It also deletes only the questionable message from mail folders, rather than the whole folder that contains the message.

We’ve still got Bull running on another PC, and it works just fine there with no appreciable slowdown. That machine is comparable to this one, so I don’t know why there’s such a big difference. Right now, I’d happily recommend either Bull or Nod32.

A few days ago, a friend got hit with something that sounds like a variant of the malware that hit my machine. He and his wife had a lot of trouble getting rid of it, and the tech support people they spoke with claimed that none of the anti-malware vendors have put out any updates that are really reliable against this particular trojan.

I use Firefox, not MSIE. I’m very careful with its security settings. Outlook doesn’t live on my machine at all. I don’t visit warez or porn sites. I do install and try a fair amount of software, but I’m fairly careful about making sure it comes from reputable sources. I kept the programs I mentioned memory resident, ran full scans daily, and used other programs to scan on a weekly basis. I still got hit by a trojan. My friends are tech-savvy and very security conscious, too.

Please take a little time now to check your system and be sure your security software is good (not just popular), configured properly, and up to date. And that you use it!

Cyn is Rick's wife, Katie's Mom, and Esther & Oliver's Mémé. She's also a professional geek, avid reader, fledgling coder, enthusiastic gamer (TTRPGs), occasional singer, and devoted stitcher.

2 thoughts on “Malware Woes”

  1. I just got done clearing a very similar problem. The only A/V app I tried that would even see part of the problem was Kaspersky. Norton, Trend, McAfee, Spybot, and Ad-Aware were all oblivious. I ended up ripping out most of it by hand using HijackThis, autoruns, and got a little bit of help from superspyware remover, and a couple of scripts from MajorGeeks.com. Very nasty, very time consuming.
