I have no idea how it happened, but for some reason my Web browser now defaults to a strange search engine that I've never seen before. I don't recall making the change myself, and I can't imagine why it would have happened. It's also had a tendency to mess up the Auto Complete portion of my Internet Explorer address bar, making it a pain to enter addresses. Worse, I can't seem to get rid of whatever's causing these problems or find a way to return to my default search engine. As a matter of fact, I can't even get to MSN anymore. Do you have any ideas as to why this might be happening and how I can go about restoring everything to the way it was before?
Unfortunately, we do indeed have a pretty good idea how your misfortune may have happened, though we're not sure how easily you'll be able to correct it. We recently answered an SOS from a family member and discovered that his PC had become infected with the Trojan.Digits virus.
According to Symantec's SecurityResponse Web site, when this Trojan Horse is executed, it creates the file EXCEL10.DLL and registers it as a Browser Helper Object, which means the component receives information regarding all the actions inside Internet Explorer. It also modifies IE's Hosts file to point to a number of different sites specified by the Trojan's author, along with deleting a bunch of files from your system and making extensive changes to the Windows Registry.
Our guess is that you inadvertently downloaded the same or a similar virus along with a piece of shareware or freeware, underscoring yet again the old advice that you should be as careful about any applications you install on your PC as about any e-mail attachments you open. Specifically, be sure to study the end-user license agreement (EULA) for any shareware program, especially a file-sharing package such as KaZaA. These applications are often littered with adware and spyware programs that insidiously install themselves without permission.
Before moving on, we'll repeat once more the importance of reviewing the entire EULA for all software you download, as permissions in fine print are the only things keeping such malware legal (of course, keeping them ethical is already a lost cause).
Diagnosing and Removing the Problem
Back to the problem at hand: Norton AntiVirus indicated that the Trojan should have been easy to remove, but that was wrong -- very wrong. It took hours to remove the infected files and clean out the Registry. No fewer than three times, when we thought we'd removed every trace of the thing from the system, it resurfaced. Finally, we had to nuke the PC -- erasing the hard disk and reinstalling the OS.
Again, we don't know if you have Trojan.Digits or one of its skuzzy cousins, but we think it's safe to say you're suffering from malware malaise. Our first recommendation is that you get your hands on a good antivirus package, which will hopefully be able to find, identify, and remove the contamination or at least diagnose and point you in the right direction on the often long and frustrating path of repair.
If you can't wait for a shrink-wrapped solution, we suggest checking out Symantec's Online Security Check, Trend Micro's HouseCall, or a similar interactive site, where you'll find tools capable of detecting your PC's vulnerability to external attacks and scanning for the presence of viruses, worms, and Trojans. PestScan is an online detector that specializes in spyware rather than viruses in general.
Unfortunately, because spyware and adware programs often modify key system files such as the Hosts file, they often can't be simply and automatically removed. In these cases, you'll need to study the antivirus vendor's online encyclopedia or other reference file to learn how to edit and/or restore files manually. Another tip: While several scans of our Trojanized PC reported the system as virus-free, restarting the computer in Safe Mode and rescanning turned up no fewer than four copies of the offending virus. So don't let down your guard after a quick scan -- perform at least one thorough, Safe-Mode scan to be sure.
Guarding Against Future Infestations
Once you get the system repaired, you'll want to install some safeguards to minimize the chances of this happening to you again. For starters, always make sure that your antivirus definitions are up to date. This is one of the easiest (for most antivirus programs, done automatically) and most important things you can do to protect your PC.
Next, install a personal firewall such as Zone Labs' free ZoneAlarm. A firewall alerts you to both inbound and outbound activity on your network or Internet connection, letting you control exactly what type of traffic is allowed and warning you of any suspicious activity -- such as a program you don't recognize that's trying to send data to the Internet.
Finally, consider a specialized adware and spyware scanner/remover. Both free and paid programs are available here, arguably led by LavaSoft's free-for-noncommercial-use Ad-Aware Standard Edition. This utility performs a comprehensive scan of your memory, Registry, and hard disk, looking for known data-mining, aggressive advertising, and tracking components.
Another good, free spyware fighter is called SwatIt. This program searches your PC for Trojans, worms, bots, and other hacker programs, and can detect and remove over 4,000 different Trojan programs and variants. It doesn't work on adware, though, so you might want to install both programs, or consider shelling out $40 or so for the deluxe version of either or for the PestScan people's PestPatrol.
The Pop of Doom
Even if you steer clear of P2P file-sharing utilities, you can come into contact with malware through pop-up ad windows that sometimes redirect you to unsavory sites. There are numerous pop-up blockers available to fight these hijackers, ranging from freeware favorites to components of security suites such as Symantec's Norton Internet Security 2004.
One last utility you might want to consider installing is the free Browser Hijack Blaster, which runs silently in the background and only springs into action when an attempt is made to modify your IE home page, search page, or Browser Helper Objects. Whenever one of these items is changed (or added), you are immediately provided with information on what's going on, as well as given the option to revert to your previous settings.
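The same kind of watch can be done by hand by comparing two Registry exports, one saved while the PC was clean and one taken later. The Python below is an added example and not how Browser Hijack Blaster or any other product works internally; the export contents, URLs and CLSID are constructed, and it assumes the exports were saved with regedit and cover the IE Main key and the Browser Helper Objects key.

```python
import re

IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
BHO_ROOT = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
            r"\CurrentVersion\Explorer\Browser Helper Objects")
WATCHED_VALUES = {"start page", "search page"}

# Constructed regedit exports (real exports are UTF-16; decode before parsing).
BASELINE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com/"
"Search Page"="http://search.msn.com/"
"""
CURRENT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://search.hijack.example/"
"Search Page"="http://search.hijack.example/find"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]
"""

def snapshot(reg_text):
    """Reduce an export to the home page, search page and registered BHOs."""
    state, key = {}, ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].upper()
            if key.startswith(BHO_ROOT.upper() + "\\"):
                # Each BHO is a subkey named after the component's CLSID.
                state["BHO " + key[len(BHO_ROOT) + 1:]] = "registered"
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if m and key == IE_MAIN.upper() and m.group(1).lower() in WATCHED_VALUES:
            state[m.group(1)] = m.group(2)
    return state

def changes(before, after):
    """Return (setting, old, new) for everything that differs between snapshots."""
    names = sorted(set(before) | set(after))
    return [(n, before.get(n), after.get(n)) for n in names
            if before.get(n) != after.get(n)]

if __name__ == "__main__":
    for name, old, new in changes(snapshot(BASELINE), snapshot(CURRENT)):
        print(f"{name}: {old!r} -> {new!r}")
```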