Citadel and multiple virus attack


On Sunday I had a telephone call from my bank, which said that my PC was infected with the trojan Citadel, and that my Visa card was blocked to protect my account. Presumably they were right, as I could not reach the home page of F-Secure or any other homepage with security solutions. The bank strongly recommended me to delete and reload the system drive.


However, deleting the drive was an unpleasant option and I tried some other solutions, among them repeated use of the already installed F-Secure Anti-Virus and a downloaded Sophos removal tool, which I had loaded on my workplace computer. The Sophos was run twice.


Soon I was able to upgrade the F-Secure again and when running it on-line, I had 31 detected attacks of GenVar.Kazy, Java Exploit CVE, Java Trojan Downloader Open Connection, Win32.Worm.Autorun, Win32.WormVB.NJZ, Gen/Variant.Strictor and Gen/Variant.Graftor.


The run with Sophos detected Troj/Browin-Gen, Troj/WPAKill-A and Mal/FakeAV-OY.


At the end of the long story, my simple question is: is the Citadel Trojan still in my system? If not, is it necessary to delete and reload the system drive?


Thankful for comments and advice!






  • Casper

    Done as suggested! Result: clean.


    Today I received an answer to a mail I sent on Sunday to the F-Secure support on the Citadel issue. In that they suggest only running the Internet Security as in 2. and 3. above. (The mail answer took too long - five days is an eternity if you need your PC daily.)


    Thanks for the nearly immediate answer and good advice!



  • etomcat



    >> The bank strongly recommended me to delete and reload the system drive.

    > However, deleting the drive was an unpleasant option


    The bank is wise with their suggestion of re-install! Parting with your money will be even more unpleasant than deleting the drive and starting from scratch. If you don't like the menial task, use a portion of your potential e-bank hacking losses to pay a computer techie to wipe the PC and re-install Windows and apps for you.


    The thing is, if the string of infections you listed also has a rootkit component yet unseen, then there is no way to give a 100% guarantee about your computer having been disinfected. At the very least, there should be a cold boot from an optical drive (Live Linux with antivirus, like F-Secure's Rescue CD 3.16 ISO) and a full scan of all computer storage, because some rootkits are only possible to recognize in this inactive state, not when Windows is running!


    Kind regards: Tamas Feher.

  • Casper

    Maybe it could be correct that something is still hiding in the system. Today I have had two weblinks changed when browsing a newspaper site. One of the links was this one uDfkX=3 Please don't click it, as I don't know if it is safe. I googled the link address, and having deleted the ending, it showed up that it should be some homepage with Cyrillic (Russian) text. It doesn't necessarily have to be something in my PC - it could also be something at



This discussion has been closed.