Posted 02-17-2012, 02:34 AM by mspacemike
Finished up Cleaning a Nasty Computer Virus

Late in January I had been checking out some links that I found some interest in. One from the Trains thread dealing with futuristic designs. This led to a web site that I like to go to once in a while, www.darkroastblend.com. From there I ended up at a Russian site dealing with trains with jet engines attached. Neat I thought, until a familiar sign popped up on my screen. It was labeled the WinXP-AntiSpyware-2012 and warned that it had detected various threats on my machine. It indicated to click on its link to download and use (pay) for the software to remove these threats. This warning is a virus and a trojan itself. I have AVG and MalwareBytes software and use ZoneAlarm firewall. All of these were disabled as well as the icons on my desktop. I immediately shut down the computer and started to work out a solution. I found win32/fakerean rogue trojan (alias antispywarexp). I ran a dos script to regain control of my desktop and shut down all ports. I found the original virus in the windows directory and upon opening it, found that it was all written in Russian Cyrillic. It had been updated from earlier versions, this one opening up more ports and doing more damage than before. Once in safe mode, I ran the malwarebyte software and found more: trojan.fakems, dc13.exe, dc11.exe, trojan horse generic 26.bxh1, mxecnwraos.exe, muilerwar, aorcxrwesm.exe, cryptic.dwo, a0213536.sys, trojan.qhost.bg, blogmixnews.com/enterpoint and a js/redir. All nasty.

The scans took several hours and each day I would put the computer in normal mode and check the network activity. Something was making my svchost.exe run at 90% still. I would invariably find unusual activity that had me shut it down and scan again with stronger antivirus/malware software. This went on for two weeks (I still had to go to work during the day and spend nights battling demons).

I ended up with a complete cleaning of the registry and a close look at all system files and executables. I thought I had it licked and all was quiet (for a few hours). Then notepad started to access the internet? Not just one but several at once. Then others like eprcr.exe, oledao.864855970142993.exe and jikao.8111674874204556.exe all going to the same ip address: 190.9.35.198 (bgp.he.net). All of these were finally found in the windows prefetch and temp folders. I did a system file checker to correct any corrupted files. Then the dreaded go.google virus hit. I was really tired of this. I downloaded Microsoft's MSRT (it found 2 more trojans) and TDSS (found 3 others), Avast (10), IOptions (found 3, plus some that had not completely downloaded yet) and hitman pro (found several remnants and 23 other nasties!). This last one finally did it. Got rid of the last bits, but guess what - no internet.

In removing the nasties, they were not able to repair the damage from the corrupted files. I had several system files that were missing/corrupted. I rebuilt the tcp/ip stack, borrowed/copied missing system files, then found that the hosts file was hardcoded. This was really getting tiresome, so I wrote a new hosts file. One final run of hitman pro showed nothing found.

I rebooted the computer one last time and crossed my fingers. Success, no abnormal network access, no unusual port activity and the computer was humming away like new. Soooo, if you've wondered where I've been for the last few weeks, it's here - battling demons. Oh, and also if you wonder what I do when I'm not working on paper models, I used to be a programmer!
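The post mentions finding the hosts file "hardcoded" by the infection and having to write a new one. A quick defender-side check for that kind of tampering, added here as an example and not part of the original post or any of the tools it names: parse a Windows-style hosts file and flag entries that pin antivirus or update domains to loopback (which silently breaks updates) or redirect well-known names to some other address. The list of protected domains, the sample hosts file and the `.test` bank hostname are constructed for the example and are assumptions, not an authoritative list.

```python
"""Flag hosts-file entries typical of rogue-AV tampering.

Added example, not code from the original post. Assumes the standard
"IP  hostname [alias ...]  # comment" hosts format.
"""
import ipaddress
import sys

# Illustrative update/AV domains that fake-antivirus families commonly
# block or redirect. Assumption for this example, not an exhaustive list.
PROTECTED_DOMAINS = (
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "avg.com",
    "malwarebytes.org",
    "avast.com",
    "google.com",
)

# Ranges a clean hosts file may legitimately use: loopback and LAN space.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

BENIGN_HOSTNAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample, not a real capture. Lines 5-8 are the tampered ones.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for this example.
127.0.0.1       localhost
::1             localhost
192.168.1.10    printer.lan
127.0.0.1       www.avg.com
0.0.0.0         downloads.malwarebytes.org
203.0.113.45    www.google.com
198.51.100.7    secure.examplebank.test
"""


def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for each effective entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        parts = line.split()
        if len(parts) >= 2:
            yield no, parts[0], [h.lower() for h in parts[1:]]


def is_protected(host):
    """True if host is, or is a subdomain of, a protected domain."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def is_local(addr):
    """True for loopback, unspecified (0.0.0.0/::) and RFC 1918 space."""
    return addr.is_unspecified or any(addr in net for net in LOCAL_NETWORKS)


def find_suspicious(text):
    """Return a list of (line_no, ip_text, hostname, reason) findings."""
    findings = []
    for no, ip_text, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            findings.append((no, ip_text, " ".join(hosts), "unparseable address"))
            continue
        for host in hosts:
            if host in BENIGN_HOSTNAMES and is_local(addr):
                continue  # the normal "127.0.0.1 localhost" style entry
            if is_protected(host):
                if is_local(addr):
                    reason = "protected domain pinned locally (blocks AV/OS updates)"
                else:
                    reason = f"protected domain redirected to {ip_text}"
                findings.append((no, ip_text, host, reason))
            elif not is_local(addr):
                # Any public name steered to a non-local address deserves a look.
                findings.append((no, ip_text, host,
                                 f"name mapped to non-local address {ip_text}"))
    return findings


if __name__ == "__main__":
    # Pass a path (on Windows: %SystemRoot%\system32\drivers\etc\hosts)
    # or run with no arguments to scan the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_HOSTS
    for no, ip_text, host, reason in find_suspicious(text):
        print(f"line {no}: {ip_text:<16} {host:<32} {reason}")
```

The check deliberately treats an update or AV domain as suspicious whether it points to loopback (update blocking) or elsewhere (redirection); a clean hosts file normally contains only loopback and LAN entries, so anything else is worth reviewing before rebuilding the file.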