It all started November 6, 2005...
Written by Rock, former SS:2845 dev and StarSiege guru.
This is a long story about a particularly NASTY trojan that infected my WinXP-Pro machine, and how I recovered from it. I'm telling it simply so that others might learn from it and take preventive measures. It took me 8 days to flush out and exorcise this digital demon and cast it back into the hell from whence it came. When I finally came up for air, I knew a whole lot more about trojans. I started seeing visions of the future. I did not like what I saw!
Generally, I don't get viruses or trojans. I don't open email attachments from unknown sources (the primary source of infection), I don't open executable attachments from ANYONE unless I scan them first, I never EVER open .eml files regardless of scanning them, and I don't click on questionable web-links. I can usually smell a trojan or virus a mile away. That's because I know what they look like, I know how they hide, how they dig in to evade detection, and I understand the technical tricks that they use. Despite all of that, something does, on rare occasions, bite me. Okay, so what? I'm a big boy. I know the risks, but I also know that I can find them and get rid of them.
But THIS ONE!! This one deserves this write-up.
For me, a fresh install of Windows is out of the question. I can't afford the time, energy, and especially the loss of data to reinstall Windows, and all my other software, at every little hiccup of the machine. I've learned to fix the stuff at the source.
For the past several days, I've been chasing a trojan on my machine. I assume it was installed by an ActiveX control during web browsing. I was Googling for some general auto-repair information, and I clicked on a link that installed the trojan. I knew this because of the way the computer reacted as soon as I clicked the link. All of a sudden, I started getting advertisement pop-ups here and there, despite the fact that I had a pop-up blocker turned on.
I'll be the first to admit that it was my own fault. This probably wouldn't have happened if I had had anti-spyware and anti-virus software running in the background. Those programs are great, but ONLY IF YOU TURN THEM ON! But those programs are also like hooking up a trailer to your Ferrari... they really drag down the performance when they're active. If you play a lot of games online, then you know what I mean. So I set scanners to run only on demand. That way, I can run them when I want.
Also, I usually leave my ActiveX fully enabled as a convenience setting. Lots of good web sites use ActiveX and I don't like getting prompted all the time. This time, that convenience cost me, because that was the doorway to the infection!
Read on for part 2: "Scrape this stuff off my shoe!"