Tuesday, December 23, 2008

Computer viruses

My computer was crippled all day yesterday as I struggled with a computer virus that nothing could detect. McAfee didn't detect it, neither did Spybot Search&Destroy. After tracking it down manually, I found 3 parts of it, and got rid of it, only to find that some other part I couldn't find kept restoring it. It was vicious. Searches of Google for the .dlls (kazepala.dll, gadibure.dll, hokovinu.dll and others) revealed almost nothing. I finally found one product that could detect it (PREVX), but when it tried to remove it, it completely hosed my computer, making it totally unbootable.

So then I had to restore my computer back to the manufacturer's original OS (XP SP1), losing 4 years of updates. And wouldn't you know it--I STILL had the stinkin' virus!

Finally I managed to get rid of it. I'm not entirely sure how. But it involved an awful lot of trickery using a combination of Recovery Mode and restoring good pieces of the registry in Recovery Mode (not an easy thing to do!) and unlocking and deleting suspicious DLLs. I found at least 7 in the end.

Finally, I got it up and running and spent the rest of the night restoring it back to XP SP3. Now, less than 24 hours later, I got ANOTHER virus! Holy smokes! I can't believe it. This one McAfee detects (some of), but can't quarantine or remove.

Part of the virus is AntiVirus 2009 (which is not really an anti-virus, but an evil trojan). I've disabled most of it, but some of it is still hidden away in places I do not know.

Spybot S&D's resident portion was able to detect the foul move to update the registry, but when I denied the update, somehow, the virus managed to do it anyway, modifying my startup routine to force the load of the virus on boot-up. For a while, my browser was locked into going only to Amazon.com no matter what I typed in. It also caused the resident portions of McAfee to crash and kept the main program of Spybot S&D from starting. Again, I managed to restore a good registry, and then tried to go back to a known restore point, but that failed. It seemed to work well enough to get rid of whatever portion had hijacked my explorer.exe and other critical pieces of the OS that aren't part of the registry. But I'm not sure yet how much of the virus is left over.

Before this latest round, I had re-checked all my security and JavaScript settings, and they were all good, but somehow this one got in through a rogue JavaScript containing the virus/trojan that McAfee and Spybot both allowed to download and start. Very frustrating.

I'm re-running the latest McAfee, Spybot S&D, Stinger, and PrevxCSI. So far no luck, but it's not over yet. McAfee just released another update, which I can't seem to download. But I'm going to keep trying.

And yes, I know that everything I just said means absolutely nothing to 99% of the people who will ever read this. But anyhoo....

UPDATE: Just a brief update in case somebody stumbles on this and is having the same problem as I did. Three things have really helped:

1) Malwarebytes' Anti-Malware has been the only thing to detect and properly remove the malware I had. And it's free to boot. w00t!

2) The principal cause of my infections is shady JavaScript and/or Java that downloaded, without my permission, their programs and ran them. How they were able to do this without violating every Java and JavaScript security policy, I don't know. Doesn't matter. What seems to be helping now is a Firefox add-on called NoScript. By default it blocks everything. So, it is a bit of a pain to teach NoScript what to allow or not allow. But it's pretty easy to allow, block, permanently allow, and permanently revoke the ability for scripts to run. So far I am liking it.

3) I now have a complete copy of my registry in an accessible place that makes it far easier to restore my registry in recovery mode if I have to. Why Windows makes it so impossible to restore the registry in recovery mode, I don't know. But at least I have it. Here's a website that taught me how.

1 comment:

Anonymous said...

This is a simply horrifying account--even to a Spideywhomper!

Still, it was edifying, even for a Luddite like me! Thanks.

Now I am going to cheer myself by catching Dean's solo. What a gas-- I hope the video shows him, if only briefly.

I want to see if Dino's holding a martini and smoking a cigarette. You know how those church fires usually start!

Your pal,
Smokey