Citadel and multiple virus attack
On Sunday I had a telephone call from my bank, which said that my PC was infected with the trojan Citadel, and that my Visa card was blocked to protect my account. Presumably they were right, as I could not reach the home page of F-Secure or any other home page with security solutions. The bank strongly recommended that I delete and reload the system drive.
However, deleting the drive was an unpleasant option and I tried some other solutions, among them repeated use of the already installed F-Secure Anti-Virus and a downloaded Sophos removal tool, which I had downloaded on my workplace computer. Sophos was run twice.
Soon I was able to upgrade F-Secure again and when running it online, I had 31 detected attacks of GenVar.Kazy, Java Exploit CVE, Java Trojan Downloader Open Connection, Win32.Worm.Autorun, Win32.WormVB.NJZ, Gen/Variant.Strictor and Gen/Variant.Graftor.
The run with Sophos detected Troj/Browin-Gen, Troj/WPAKill-A and Mal/FakeAV-OY.
At the end of the long story, my simple question is: is the Citadel trojan still in my system? If not, is it necessary to delete and reload the system drive?
Thankful for comments and advice!
Casper
Comments
-
Hi Casper,
The steps below will help to clean your system or to ensure that your system is clean.
1. Download and run the latest F-Secure EasyClean.
2. Configure the F-Secure Manual scan settings.
- Open F-Secure > Settings > Manual Scanning (on the left panel).
- Under Scanning options,
'Scan inside compressed files' and 'Use advanced heuristics (slower)' -> Enable.
'Scan only known file types (faster)' -> Disable.
- Press OK.
3. Perform a full system scan.
- Open F-Secure > Scan button > Full computer scan.
- If any virus is found, please select Delete and restart the computer after the scan. Repeat the scan until the scan result returns no virus found.
Thanks.
Best Regards,
Jayson
-
Done as suggested! Result: clean.
Today I received an answer to a mail I sent on Sunday to the F-Secure support on the Citadel issue. In that they suggest only running the Internet Security as in 2. and 3. above. (The mail answer took too long: five days is an eternity if you need your PC daily.)
Thanks for the nearly immediate answer and good advice!
casper
-
Hello,
>> The bank strongly recommended me to delete and reload the system drive.
> However, deleting the drive was an unpleasant option
The bank is wise with their suggestion of a re-install! Parting with your money will be even more unpleasant than deleting the drive and starting from scratch. If you don't like the menial task, use a portion of your potential e-bank hacking losses to pay a computer techie to wipe the PC and re-install Windows and apps for you.
The thing is, if the string of infections you listed also has a rootkit component as yet unseen, then there is no way to give a 100% guarantee about your computer having been disinfected. At the very least, there should be a cold boot from the optical drive (a live Linux with antivirus, like F-Secure's Rescue CD 3.16 ISO) and a full scan of all computer storage, because some rootkits are only possible to recognize in this inactive state, not when Windows is running!
Kind regards: Tamas Feher.
-
Maybe it could be correct that something is still hiding in the system. Today I have had two web links changed when browsing a newspaper site, www.dn.se. One of the links was this one: http://gvinich.info/iHCqDA? uDfkX=3 Please don't click it, as I don't know if it is safe. I googled the link address, and having deleted the ending, it turned out to be some home page with Cyrillic (Russian) text. It doesn't necessarily have to be something in my PC; it could also be something at www.dn.se.
Casper