Computer Security & Viruses/svchost virus
Expert: Keith Davis - 10/21/2008
QUESTION:
I was looking at pages through Google when my winpatrol asked if I would allow a svchost. I thought that they were safe files so I said yes. Then my computer restarted without me telling it to. So I ran my AVG antivirus and it caught 6: Install[1].exe, (2) karna.dat, (2) beep.sys, and a wini10801.exe. It put them into the virus vault. While the AVG was running the computer told me that windows was damaged and to insert my XP cd, but I didn’t. I also ran adaware. However, now when I surf Google and click on a page link it takes me to some bogus anti-virus web page. How do I fix it?
thanks
ANSWER: You still have the infection (whatever it is). Although there are legitimate things that use svchost.exe, many trojans use it as well.
The first thing you need to do is identify what you have. Did Adaware or Winpatrol give you a name?
I am going to post links to what I've found for the items you listed. I believe there are some possible fixes without doing any major stuff such as repairing with the Windows disk. Short of doing a reformat, I don't see how that is going to get rid of a trojan anyway.
http://www.exterminate-it.com/malpedia/file/karna.dat
http://forums.techguy.org/malware-removal-hijackthis-logs/760542-red-x-pop-up.ht
If your system will allow you to, try to download and install Spybot Search and Destroy from here:
http://www.safer-networking.org/en/home/index.html
Do the updates and do a scan with it. It should tell you the exact name of the trojan and may even remove it permanently.
Get back with me on how you come out.
Keith
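The answer above turns on telling a genuine svchost.exe from something merely named like one. What distinguishes the real thing on Windows XP is where it lives (%SystemRoot%\system32\svchost.exe), who started it (services.exe, the service control manager) and how it was started (with a "-k <group>" argument). The script below is an added example, not part of the original thread or the expert's advice. It assumes a process listing saved on the affected machine with `wmic process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine /format:csv`, and the listing embedded here is constructed for illustration: the hostname, PIDs and paths are invented.

```python
"""Audit svchost.exe instances from a WMIC process listing (added example).

Assumed input: the CSV that `wmic process get Name,ProcessId,ParentProcessId,
ExecutablePath,CommandLine /format:csv` writes on the affected machine. WMIC
prefixes a Node column and orders the requested properties alphabetically.
"""
import csv
import io

# Constructed sample listing: hostname, PIDs and paths are invented.
SAMPLE_WMIC_CSV = """\

Node,CommandLine,ExecutablePath,Name,ParentProcessId,ProcessId
XPBOX,C:\\WINDOWS\\system32\\services.exe,C:\\WINDOWS\\system32\\services.exe,services.exe,600,668
XPBOX,C:\\WINDOWS\\Explorer.EXE,C:\\WINDOWS\\Explorer.EXE,explorer.exe,1120,1184
XPBOX,C:\\WINDOWS\\system32\\svchost.exe -k netsvcs,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,668,944
XPBOX,C:\\WINDOWS\\system32\\svchost -k rpcss,C:\\WINDOWS\\system32\\svchost.exe,svchost.exe,668,860
XPBOX,C:\\WINDOWS\\svchost.exe,C:\\WINDOWS\\svchost.exe,svchost.exe,1184,2216
XPBOX,"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe","C:\\Documents and Settings\\user\\Local Settings\\Temp\\svch0st.exe",svch0st.exe,1184,2412
"""


def parse_wmic_csv(text):
    """Parse WMIC /format:csv output (leading blank line included) into dicts."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    return list(csv.DictReader(io.StringIO("\n".join(lines))))


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alike names such as svch0st.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit_svchost(procs, system_root="C:\\WINDOWS"):
    """Return {pid: [reasons]} for processes that claim to be, or look like, svchost.exe.

    Reasons reported:
      - the name is a look-alike of svchost.exe (edit distance <= 2) but not it
      - the image is not %SystemRoot%\\system32\\svchost.exe
      - the parent is not services.exe (real service hosts are started by the SCM)
      - the command line carries no "-k <group>" argument
    """
    expected_path = (system_root + "\\system32\\svchost.exe").lower()
    names_by_pid = {p["ProcessId"]: p["Name"].lower() for p in procs}
    findings = {}
    for p in procs:
        name = p["Name"].lower()
        reasons = []
        if name != "svchost.exe":
            if edit_distance(name, "svchost.exe") <= 2:
                reasons.append("look-alike name %r" % p["Name"])
            else:
                continue
        else:
            if p["ExecutablePath"].lower() != expected_path:
                reasons.append("unexpected image path %r" % p["ExecutablePath"])
            parent = names_by_pid.get(p["ParentProcessId"], "<unknown>")
            if parent != "services.exe":
                reasons.append("parent is %s (pid %s), not services.exe"
                               % (parent, p["ParentProcessId"]))
            if "-k " not in p["CommandLine"].lower():
                reasons.append("no -k service group on command line")
        if reasons:
            findings[p["ProcessId"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(audit_svchost(parse_wmic_csv(SAMPLE_WMIC_CSV)).items()):
        print(pid, "; ".join(reasons))
```

On the constructed listing the two instances under system32 started by services.exe pass, the copy sitting in C:\WINDOWS and launched from Explorer is flagged on all three counts, and svch0st.exe is flagged as a look-alike name. A clean result is not proof of a clean machine: a kernel-mode rootkit can hide its process from WMI and Task Manager alike, so treat this as a first screen, not a verdict.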
---------- FOLLOW-UP ----------
QUESTION: I tried to download the two programs you recommended, but they would not connect to the server. Any other thoughts?
ANSWER: If your computer will not connect to the internet at all, you can try to boot into safe mode. This is usually done by pressing F8 repeatedly immediately after turning on the machine. You will come to a screen that gives you some options. You want the option "Safe Mode with Networking". When your machine boots, try to access the internet, then download the programs and run scans.
If this still does not work we will have to go to more drastic measures.
Keith
---------- FOLLOW-UP ----------
QUESTION: Ok, I did the safe mode startup and was able to download the Spybot Search and Destroy. It found some things and removed them. However, when I ran the exterminate-it, it said there were still threats. They were about 7 TDSServ (rootkits), OnLineGames (trojan), and 2 Win32.expdwnldr (Adware, BHO). Should I spend the $25 to activate the exterminate-it, or is there (preferably) a free way to fix it?
Thanks
ANSWER: Check out this link from a very reputable source.
http://forums.majorgeeks.com/showthread.php?t=147717
Try these forums first before paying any money.
If this doesn't work you may want to pay the money for exterminate it. It looks like a reputable program with good reviews.
I'm sorry this has happened to you. I wish we could legally do something with people who write these terrible programs. Below you will find my tried and true methods to avoid programs such as this.
I use 3 different programs and have been virus, spyware, and hack-free for close to 6 years.
Believe it or not all of these programs are free and are rated higher than programs you pay for.
Anti-virus- AVG Free Edition www.grisoft.com (uninstall McAfee if you are going to use this program)
Firewall- ZoneAlarm www.filehippo.com/download_zonealarm_free/
Make sure you disable Windows Firewall (it is worthless anyway) because they don't work well together. Don't get aggravated with the program. At first it will really bug you because it will be popping up a lot. When it pops up read what is trying to access the internet. If it is a trusted program click the check box "remember this" and click allow. After a short while you will get it set where it only alerts you to things that should not be accessing the internet.
Anti-spyware- Spybot Search and Destroy- www.filehippo.com/download_spybot_search_destroy/
Download, install, update, then run a scan and remove all spyware that is found.
Set up the program like this: Go to "mode" (top left of page) and click "advanced". At the bottom left you will see "tools". Expand tools and click "hosts file", then click "add Spybot S and D hosts list".
A little more safe internet advice:
1. I don't use Internet Explorer. It is not as secure as other browsers. I use Mozilla Firefox. It is faster and very secure.
2. I don't use Outlook email. I use web based email like Yahoo or Hotmail. Outlook actually loads email on your PC. Web based email stays on a server and you just view it from your PC.
3. Only download free software from trusted sources. There are very few that I trust. Trusted: www.filehippo.com, www.majorgeeks.com, www.snapfiles.com
Let me know how you come out.
Keith
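The "add Spybot S and D hosts list" step above works by appending entries to the hosts file (on Windows XP, C:\WINDOWS\system32\drivers\etc\hosts) that map known bad domains to 127.0.0.1, so the browser never reaches them. The same file is also a place malware plants its own entries, and a line pointing a security vendor's or search engine's domain at a bogus address is one common reason an infected machine "will not connect to the server" or lands on a fake anti-virus page; whether that was the case in this thread is not established. The script below is an added example, not part of the original thread. The hosts file it reads is constructed for illustration, and the domains it watches for are the ones this thread links to or names (safer-networking.org, grisoft.com, filehippo.com, google.com, microsoft.com), which is an assumption about what matters here.

```python
"""Audit a Windows hosts file for block-list entries and redirects (added example).

Assumed input: the text of C:\\WINDOWS\\system32\\drivers\\etc\\hosts. The
sample below is constructed; the block-list domains and the redirect target
are invented.
"""
import ipaddress

HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"  # Windows XP default

# Constructed sample hosts file, not one from the page.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost

# block list added by an anti-spyware tool (constructed entries)
127.0.0.1 ads.bad-tracker.example
127.0.0.1 www.fake-av-popup.example

10.11.12.13 www.google.com   # redirect planted by malware (constructed)
10.11.12.13 update.microsoft.com
127.0.0.1 www.safer-networking.org
this is not a hosts line
"""

# Domains the thread relies on reaching; an assumption about what to watch.
WATCHED_SUFFIXES = ("safer-networking.org", "grisoft.com", "filehippo.com",
                    "google.com", "microsoft.com")


def audit_hosts(text):
    """Classify hosts-file lines.

    sinkholed:  names mapped to loopback or 0.0.0.0 (a block list does this)
    redirected: names mapped to a routable address (a possible hijack)
    malformed:  lines that are neither comments nor "<ip> <name>..." entries
    The stock "127.0.0.1 localhost" line is ignored.
    """
    result = {"sinkholed": [], "redirected": {}, "malformed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            result["malformed"].append(raw)
            continue
        if len(parts) < 2:
            result["malformed"].append(raw)
            continue
        for host in parts[1:]:
            host = host.lower()
            if host == "localhost" and ip.is_loopback:
                continue
            if ip.is_loopback or ip.is_unspecified:
                result["sinkholed"].append(host)
            else:
                result["redirected"][host] = str(ip)
    return result


def blocked_watched_sites(result, suffixes=WATCHED_SUFFIXES):
    """Names from the audit that fall under a watched domain, whether sinkholed
    or redirected: a block list should never touch these, so any hit is a hijack
    candidate."""
    names = set(result["sinkholed"]) | set(result["redirected"])
    hits = [n for n in names
            if any(n == s or n.endswith("." + s) for s in suffixes)]
    return sorted(hits)


if __name__ == "__main__":
    audit = audit_hosts(SAMPLE_HOSTS)
    print("sinkholed:", audit["sinkholed"])
    print("redirected:", audit["redirected"])
    print("malformed:", audit["malformed"])
    print("watched sites blocked or redirected:", blocked_watched_sites(audit))
```

On the constructed file the two invented block-list domains come out as sinkholed and are harmless, while www.google.com and update.microsoft.com mapped to 10.11.12.13, and www.safer-networking.org mapped to loopback, are exactly the lines to delete by hand before trying the downloads again. Editing the hosts file needs an administrator account, and on a machine with a rootkit the file may be rewritten as soon as it is fixed, which is why the expert's advice to scan from Safe Mode comes first.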