I recently had the most (unfortunately) successful virus/malware attack in over 15 years on a computer that was running fully updated NIS 2009.
I'm posting this in hopes that some of this experience might be useful to others and that I might get some feedback that might help me and others avoid this experience.
On 1/4/10 while looking at Google-searched websites I entered a website (I think green-checked by NIS 2009) which had an anti-virus popup screen. I closed the popup and then the browser but didn't knowingly download anything. I read here that it is better practice to close the browser window than to do anything with the popup screen. That's probably good advice.
When my wallpaper changed to a green background with a computer-is-infected text box I realized that something bad had happened. I immediately went to NIS 2009. There was a record of a SONAR-detected intrusion which was reported to have been blocked. I ran a quick scan which didn't indicate any problems. I then researched the problem on the internet and found some information on this board to be most helpful. The search suggested this was an anti-virus malware which had probably installed win*86.exe files and modified the registry to block access to changing the wallpaper and the task manager. I did a search for the win*86 files in safe mode and found a winhelper86.dll file in a system folder and deleted it. I also found and reset the added registry keys preventing wallpaper change and blocking the task manager. This fixed those problems but I subsequently went back and deleted the added registry keys.
I then proceeded, as frequently recommended in this forum, to do complete scans with NIS 2009 in safe and normal mode. I also downloaded Malwarebytes Anti-Malware, updated it and ran a complete scan in safe mode. None of these scans reported any problem.
During the next day or so I noticed two other instances of Trojan intrusions reported in the NIS 2009 history but these were indicated to be blocked or quarantined.
During the next two days I encountered freezes and, with increasing frequency, a blue error screen on Windows boot-up indicating the machine couldn't boot because there was a serious system error. I could boot into Windows by using the safe boot or by using the boot with last successful configuration. I tried restoring to an earlier time point but this process never completed successfully.
After a couple of days of these problems I got an intercept web page from my ISP indicating that they had determined that I had a virus-infected computer and there was malicious activity (bots) originating from my account. It was clear that I had an ongoing serious problem that hadn't been detected or fixed by NIS 2009 or Malwarebytes. At this point I disconnected the computer from the internet and proceeded to do a format and Windows reinstall. I also installed NIS 2010 and, hopefully, this will be more reliable and protective than NIS 2009. This appears to have fixed the problem and is frequently recommended as a last resort in this forum.
My learnings from this experience are:
1. I didn't realize (or at least appreciate enough) that malware could be downloaded from visiting a website without any downloading action on the part of the user other than perhaps closing a popup window. My recollection is that this was a NIS 2009 "green-checked" site as I do pay attention to this and don't go to "red-xed" or even "?" marked sites.
2. NIS 2009 appears to have recognized some problem but it failed to prevent downloading of the malware and it apparently couldn't detect the continued presence of the malware. My faith in NIS 2009 to at least indicate an unresolved problem if it couldn't fix it was misplaced. It was only after I kept getting crashes and, most importantly, verification of malicious activity from my account that I became convinced that the clean scans and lack of unresolved problem indications from NIS 2009 were not only in error but were providing a completely false sense of security. To be fair, the MBAM program also apparently was unable to detect a problem.
While I appreciate that no antivirus and security software is completely reliable, I am both surprised and disappointed that NIS 2009 didn't even indicate an unresolved problem despite what were apparently ongoing serious problems and malicious behavior. Please note that I never had any indication that NIS 2009 was not operating properly or was being compromised. It always booted up on launch and responded to commands like scanning or displaying history reports in a normal manner.
3. In retrospect, I think that it would have been more prudent to have done as much as possible with my computer disconnected from the internet. I might have solved the problem with a lot more online activity, but all the while my computer and ISP account were being jeopardized by ongoing malicious activity. I would be interested if the experts might agree with this recommendation for general troubleshooting procedures.
Thanks for reading and I would appreciate any recommendations to avoid a repetition for myself or others.
Foreman
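The post above describes manually finding the dropped win*86 file and resetting the registry keys that blocked the wallpaper and Task Manager. The script below is an added example, not code from the post or from Norton, that audits the standard Windows policy values which produce exactly those two symptoms (`DisableTaskMgr` and `NoChangingWallPaper` are documented Windows policy value names, not names taken from the post) and lists any win*86 files in the Windows directories for review. Running it with `-Fix` removes the policy values; the file listing is report-only.

```powershell
# Added example (not from the original post): audit the policy values that
# fake-antivirus malware sets to lock the wallpaper and Task Manager, and
# optionally remove them. Value names are standard Windows policy values.
param([switch]$Fix)

$checks = @(
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
  @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' }
)

$findings = 0
foreach ($c in $checks) {
  # Get-ItemProperty returns $null when the key or the value does not exist.
  $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
  if ($null -ne $item -and $item.($c.Name) -ne 0) {
    $findings++
    Write-Warning ("{0}\{1} = {2} (restriction present)" -f $c.Path, $c.Name, $item.($c.Name))
    if ($Fix) {
      Remove-ItemProperty -Path $c.Path -Name $c.Name
      Write-Output ("Removed {0} from {1}" -f $c.Name, $c.Path)
    }
  } else {
    Write-Output ("OK: {0} not set under {1}" -f $c.Name, $c.Path)
  }
}

# Report-only: list files matching the win*86 pattern the post mentions in the
# Windows and System32 directories, so they can be inspected before any deletion.
$suspects = Get-ChildItem -Path "$env:SystemRoot", "$env:SystemRoot\System32" `
  -Filter 'win*86.*' -File -ErrorAction SilentlyContinue
if ($suspects) {
  $findings += $suspects.Count
  $suspects | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
  Write-Output "OK: no win*86.* files found in the Windows directories"
}

Write-Output ("Findings: {0}" -f $findings)
```

Run it from an elevated PowerShell prompt so the HKLM keys can be read and, with `-Fix`, written. A clean result from this check only confirms that the visible symptoms are gone; as the post itself found, the rest of the infection can remain active and undetected after those symptoms are fixed, which is why the author's eventual format and reinstall, done with the machine offline, was the reliable fix.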