July 06, 2010

Trojan.BHO - whew!

Over the July 4th weekend, my computer got infected with this spyware/virus. The behavior was interesting. It indicated that my computer was infected and that Add/Remove Programs was disabled. Then it prompted me to buy antivirus software called AV Security Suite. When it repeatedly did so and I couldn't get rid of the messages, something was clearly up, and this time it was different. There were numerous issues in all:

  1. I couldn't run the Remove Applications tool from the Control Panel.
  2. On clicking on any Google or Yahoo results, my browser would be taken to an unsolicited (but respectable :) website. Typically these sites would list the AV Security Suite solution as something I should buy.

Now it's been a few hours and I think I have successfully eliminated all the files related to this attack. I have some notes here which could help anyone else having this issue.

The first phase of fixes made by Malwarebytes Anti-Malware software worked really well: it deleted most of the major Trojan files on the first run. However, the second and third runs revealed more files to delete. This was quite odd, since it seemed like the virus was self-generating or something. Eventually I was still left with a sporadic redirection problem: both Yahoo and Google search results would get redirected to arbitrary sites. These would be random sites, and the problem would kick in every now and then. It seemed like there was something slithery still sneaking around on the computer.

Then I tried a whole bunch of other software:

  1. CCleaner: This cleaned up my entire PC, my Start Menu, etc. Everything except my Desktop, I think. It didn't help with the virus at all. However, it did leave me feeling clean on the PC ;)
  2. Spybot Search & Destroy: Again, this software found some low-risk cookies and files. No big deal. I am sure these files would find their way back onto my PC by tomorrow.
  3. Super AntiSpyware: Again, the same results as Spybot.
  4. HijackThis: This was the tool which did it, and I found that a normal user may find it very hard to use. In just a few seconds, it exposed a few settings for the BHO registry entries that were causing my browser to behave as it was. And deleting them was a quick snap as well. None of the other tools found/exposed what HijackThis (made by Trend Micro) did. Good job!

Overall the experience was eye-opening. My PC came with the Vipre Enterprise software suite, and that also was not any help at all. It couldn't find the bad registry entries, and it was not able to detect/delete a lot of the files found by the other tools.

I feel that since my last dealing with a computer virus, nothing has really changed. It's only the players that have changed. The state of the industry is still the same: there is no single fix-all, as maybe the viruses keep evolving...

Update: Unfortunately my fixes didn't fix it all! The PC is still suffering from tabs or redirects at random to unsolicited websites. This affects only searches done on yahoo and google. On clicking on a search result, sometimes (like the third or fourth time) I would be redirected to a bunch of websites opening one after another. Luckily none of them are offensive. Pure junk and inconvenient.

Tried the following today:

  1. Microsoft Security Essentials: Piece of junk. Just like other Microsoft software, this one is buggy and has its own problems. Couldn't even connect and download its database from the Microsoft website.
  2. Prevx: This has seemed to work, and it did detect a virus (and it was the only one) when my browser was opening random websites. It immediately killed my Firefox and said it cleaned my hosts file. I haven't had the problem since. Let's see. My fingers and everything else I can cross are crossed ;)
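Two of the redirect mechanisms named on this page, a tampered hosts file (what Prevx reported cleaning) and a replaced Firefox searchplugins file (the google.xml / yahoo.xml files mentioned in the comments), can be checked by hand without any of the tools above. The script below is an added example written for this page; it is not the author's procedure and not the logic of Prevx, HijackThis or any other product named here. It assumes the Firefox 3.x OpenSearch plugin format and watches only google.com and yahoo.com; the hosts file and plugin XML it runs over are constructed samples, and 203.0.113.7 is a documentation address standing in for whatever server the redirects went to.

```python
"""Offline checks for two search-redirect mechanisms: a hosts file that pins
search-engine hostnames to a remote address, and a Firefox searchplugins XML
file whose search template no longer points at the search engine it names.
Added example for this post; not the author's or any vendor's own logic."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: these are the domains worth watching (the post only mentions
# Google and Yahoo). Extend the tuple for other search engines.
SEARCH_DOMAINS = ("google.com", "yahoo.com")
# Addresses a hosts file may legitimately map names to without sending
# traffic anywhere (loopback / black-hole entries).
LOCAL_ADDRS = {"127.0.0.1", "::1", "0.0.0.0"}


def is_search_host(name):
    """True if name is one of SEARCH_DOMAINS or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SEARCH_DOMAINS)


def suspicious_hosts_entries(hosts_text):
    """Return (ip, hostname) pairs where the hosts file pins a search-engine
    hostname to a non-local address. Such an entry overrides DNS for that
    name, so every visit goes to the attacker's server instead."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        if ip in LOCAL_ADDRS:
            continue
        hits.extend((ip, n) for n in names if is_search_host(n))
    return hits


def foreign_search_urls(plugin_xml, expected_domain):
    """Return the template URLs of an OpenSearch plugin whose host is not
    under expected_domain. Firefox 3.x stores google.xml / yahoo.xml in
    searchplugins/ in this format; rewriting the template routes every
    search-box query through whatever server the template names."""
    root = ET.fromstring(plugin_xml)
    bad = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "Url":  # strip the XML namespace
            continue
        template = el.get("template", "")
        host = (urlparse(template).hostname or "").lower()
        if not (host == expected_domain or host.endswith("." + expected_domain)):
            bad.append(template)
    return bad


# Constructed sample inputs (not taken from the infected machine).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.7     www.google.com google.com   # injected entry (constructed)
203.0.113.7     search.yahoo.com
"""

SAMPLE_PLUGIN = """\
<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Google</ShortName>
<Url type="text/html" method="GET" template="http://203.0.113.7/search">
  <Param name="q" value="{searchTerms}"/>
</Url>
<Url type="application/x-suggestions+json" method="GET"
     template="http://suggestqueries.google.com/complete/search?output=firefox&amp;q={searchTerms}"/>
</SearchPlugin>
"""

if __name__ == "__main__":
    for ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"hosts: {name} -> {ip}")
    for url in foreign_search_urls(SAMPLE_PLUGIN, "google.com"):
        print(f"searchplugin: search template points off-domain: {url}")
```

On a real machine you would feed `suspicious_hosts_entries` the contents of `%SystemRoot%\System32\drivers\etc\hosts` and `foreign_search_urls` each file under the Firefox install's `searchplugins` folder, with the ShortName's domain as the expected one. A clean plugin's text/html template stays on the engine's own domain, which is why the suggestion URL above is not flagged while the rewritten search template is.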


William said...

I had the same problem. It was very frustrating. What I found was the best, easiest and quickest solution was to use "Restore". I wound back to a date three weeks prior to getting the virus. It allowed me to start fresh...
Hope that helps.

Andrew said...

Ditto on having the same problem. The virus/trojan you had -- the one causing the Firefox search-box redirection -- replaced the google.xml and yahoo.xml files in your Firefox searchplugins directory.

I believe those files can't simply be recreated, which is why you're still having redirect troubles even though the trojan is gone.

Try copying clean ones from another PC or simply reinstall Firefox. Either should work. At least it did for me. :)