Network News

X My Profile
View More Activity

PC Got a Virus? Consider Getting Help Offline

If you suspect or know your PC is infected with a virus, it's probably wise to avoid purchasing anything using that computer until you're sure the machine is clean. That includes additional anti-virus or security products.

Chances are the malicious software on your machine includes built-in ability to steal user names, passwords and other sensitive data from infected hosts.

Recently, I've heard from several people who used their credit or debit cards at the first sign of infection, to renew or upgrade their anti-virus protection when their existing software didn't work or failed to update. Also, in a Live Web chat a few weeks ago, one reader described how he "stupidly" went online and bought an anti-virus product after realizing he'd infected his machine with a DNS hijacker Trojan.

Consumers can be forgiven for such goofs: After all, they paid for security software, they expect (rightly or wrongly) to be protected, and yet still got hit with malware.

Setting aside the question of whether consumers can count on their anti-virus programs to completely insulate them from malicious software (they can't and shouldn't), security companies ought to know better than to encourage this risky behavior.

According to one researcher I've been working with who is investigating consumer passwords and credentials filched by the "Zeus" Trojan -- a password stealing kit -- one of the records he found was of a victim who had his credit card credentials stolen after visiting security-software site

In the course of transacting with Symantac, Robert Delano, a realtor from Leland, N.C., also provided his name, address and telephone number. He said he contacted Symantec via their customer service telephone line as well as their support line via online chat, after his system started acting strangely. Also, his up-to-date Norton product warned him that it had detected a virus (it was, in fact malware associated with the Zeus Trojan).

After railing at Symantac's customer support people via their online chat support for not properly protecting his machine, Delano was told to speak with their premium support folks who could remotely take control over his system and give it a thorough inspection and cleaning.

Delano said he initially protested, but after pricing other services like Best Buy's Geek Squad, he agreed to pay Symantac $100 for the service. He was instructed to enter his credit card number and other billing information at a secure Web site. However, the keyloggers that were still on his machine, intercepting his information.

"So far they've found three keyloggers, so this [malware] was taking my personal information as I was giving it to Symantec," Delano said. "The thing that upset me most with this is, when they asked for my credit card number, why didn't they stop and think to give me a number where I could call and give my information over the phone?"

While Symantec's support site, was indeed an encrypted, "https://" connection, most modern keyloggers can snag the information entered into a chat window or credit card field before it is encrypted and sent through the user's browser.

Lenny Alugas, Symantec's vice president of support, said that when the customer interacts with the company over chat, the only method they've employed to gather information, including credit card, has been through a secure online Web site. But he acknowledged that such a process can be problematic if a keystroke logger is installed on the end-user's machine.

"While we have not experienced any similar issues to date, moving forward, we'll need to add an additional step in our chat system that allows for a phone call from the rep to the customer, in order to gather the credit card information securely and avoid any chance of compromise," Alugas said.

In Symantec's latest Internet Security Threat Report, released in April 2008, it reported that threats to confidential information made up 68 percent of the volume of the top 50 potential malicious code infections. The anti-virus giant noted that of all confidential information threats detected this period, 76 percent had the ability to record whatever credentials the victim types or enters into his or her keyboard or at an online Web form.

Some of Symantec's biggest competitors also recently observed that a majority of current malware includes a data-stealing component. According to McAfee, malicious software that steals personal data has risen tenfold from 130,000 samples last year to 1.3 million this year.

Cleaning up malware infections is no easy task, no matter how you attack the problem, but there is absolutely no reason to feed the beast. Though it may take longer, consider using toll-free phone support when contacting computer security vendors -- at least when providing payment details. Delano said he has since canceled the compromised corporate credit card, but acknowledged he would have remained ignorant of the threat had he not been contacted by the researcher who has been investigating the Zeus Trojan.

If you've been using your Windows PC without any up-to-date anti-virus software for a while, consider downloading free anti-virus software and running a complete scan before deciding on any purchases. Free anti-virus software is available from AVG, Avira, AVAST!, to name just a few. If you're looking for a quick-hit second opinion, several respectable anti-virus firms offer free online scanners that should remove any malware found. These include online scanners from Bitdefender, ESET (makers of NOD-32), and F-Secure. All of these scanners require users to run the scans with Internet Explorer.

By Brian Krebs  |  December 22, 2008; 5:21 PM ET
Categories:  From the Bunker , Latest Warnings , Safety Tips  | Tags: zeus  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Hundreds of Stolen Data Dumps Found
Next: Beware Holiday e-Greeting Cards, Digital Hitchhikers


Wow columnist is a newb, L2 not pitch the number one virus software. Im not gonna say the name you should of done your homework before writting trash blogs about IT/IS stuff. AVG and Avast! have been having alot of issues with being disabled by virus's off installation lately so I would no longer recommend them...

Posted by: scrushmaster | December 23, 2008 6:56 PM | Report abuse

Hello Brian, congratulations for your articles and your fight against malware and spammers.

what do you think about the communities that offer free malware removal such CastleCops, BleepingComputer and others?
This communities offer an efficient free service using their own softwares with great efficiency.

Best Regards,

Posted by: fabioassolini | December 23, 2008 8:01 PM | Report abuse

@scrushmaster -- the point of recommending the free tools on a known or suspected to be infected system was to give people a suggestion for cleaning their machines of malware before considering purchasing a product using that system. You seem to have strong views on the subject: What free AV would you recommend?

@fabio -- I recommend those forums all the time, especially when I am answering a difficult infection problem from one my readers in our Live Online chats. CastleCops, BleepingComputer both great sources of direct help, and also frequently the source of the answer you're looking for when you Google for an answer to your problem.

I would also recommend DSL Reports' excellent security cleanup forum.

Posted by: BTKrebs | December 23, 2008 8:24 PM | Report abuse

If you even suspect that a keylogger is on your system, the only guaranteed-to-work solution is to flatten the village and rebuild from scratch. Backup your data, format the hard drive, and reinstall Windows. In fact, you should probably consider doing this with any detected infection.

Malicious software attacks are now so sophisticated that its difficult for anti-virus vendors to even detect them, let alone completely clean them from your system.

To keep your machine from being infected again, set up a limited user account for your daily work & surfing. This is what intelligent I.T. departments in any large corporation or government agency will create for the vast majority of their users.

Using an administrator-level account as your main account is the #1 weakness that malicious software use to get onto a Windows system. The infected e-mail attachment or web site will use your user rights against you.

Posted by: taskforceken | December 23, 2008 8:35 PM | Report abuse

@taskforceken -- I happen to agree with you. In fact, I gave readers that advice about two years ago.

It's a nice -- some say the only -- recommendation for an infected Windows PC. But then, when you dig deeper, you find that soooo many consumers who own a Window box don't even have the original OS install CD, either because they lost it or the vendor they bought the PC from never gave it to them.

Posted by: BTKrebs | December 23, 2008 9:47 PM | Report abuse


I decided to do a dry run of the ESET site you noted. Much to my amazement, not only is the more secure Firefox browser NOT supported, but Internet Explorer (Ver 5 !! or higher) is required.

I did not go through with the scan on my server as planned, because I see little sense in using an inherently insecure browser to scan what is (according to the numerous other defensive layers I use) a clean machine.

What are they thinking??

Posted by: Post-It1 | December 23, 2008 10:09 PM | Report abuse

I was a little miffed by Mr Delano's attitude of entitlement; that someone else, Symantec in this case, was responsible for his carelessness and ignorance.

A PC connected to the internet is not an appliance as carefree as a toaster, although they do tend to get marketed that way. While PC's do not yet require an exam of competency before use like a car, their use is further towards that end of the spectrum than that of of the simple kitchen appliance.

Posted by: Late2Bass | December 24, 2008 10:46 AM | Report abuse

If security giant Symantec/Norton cannot protect us against keyloogers and other malware attacks, then are there any that can? Would it be appropriate to suggest maybe the top 5 that will do the job here in this forum?

Posted by: Drayknight | December 24, 2008 11:01 AM | Report abuse

Hello Bryan and all, with sadness CastleCops announced the end:

"Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

With respect to the server marathon, by March 17 2009 CastleCops will refund contributions made through PayPal that were specifically designated for servers. Unfortunately, server donations made via check cannot be returned because we do not have the addresses for the donating entity. Unless instructed otherwise, CastleCops will re-allocate these funds as a donation to the Internet Systems Consortium ( This organization sponsored our hosting environment for approximately the past 2 years. Please contact us [cc at laudanski dot com] before March 17, 2009, if you would like a return of your server marathon donation. Otherwise, we would like to thank the ISC for their unfettered support.

We thank everyone in creating our unique footprint and memories in time.

Love, Best Wishes and Happy Holidays, CastleCops
PST 23 Dec 2008"

Posted by: fabioassolini | December 24, 2008 11:41 AM | Report abuse

Scan the infected HD as a slave on a second PC, using Linux oder Apple.

Posted by: eubemevoce | December 24, 2008 1:13 PM | Report abuse

Is there a way to positively determine if a key logger is on ones system or not?
I use AVG firewall which blocks outgoing as well as incoming malicious connections.
The Gibson ( Shields Up test shows my ports stealthed. If I have no connections open NETSTAT shows connections as listening and not established. Is this sufficient proof? Still, I am fearful that I may get infected and not know it.
Frank C

Posted by: Frank751 | December 24, 2008 1:16 PM | Report abuse

<"....we'll need to add an additional step <in our chat system that allows for a phone <call from the rep to the customer, in order <to gather the credit card information <securely and avoid any chance of <compromise," Alugas said.

Ah, I don't take calls from folks who want my credit card info...try again, Symantec!

Posted by: Dale_R | December 24, 2008 1:19 PM | Report abuse

Thank you very much for useful information

Posted by: edbroker2 | December 26, 2008 12:38 AM | Report abuse

Last year My Dell laptop (xp pro) instantly went bluescreen when I installed from the cd that came with SAMSUNG external dvd drive (Model: GSA E10L). Virus scan (Symantec or Kaspersky, I don't remember exactly as I had switched at about that time) didn't produce anything. I then got curious and tested the cd in my emachine desktop, which also started giving me problem. Although my device was plug and play, I tried to use the CD to test the Nero in it. I really got suspicious and ultimately reformatted (with almost whole day lost since I did not have backups) both machines ( This experience scared me off from installing from CD that came with my SAMSUNG cell phone). Now this alert from Amazon for another SAMSUNG device reminds the pain I got and moreove make me believe that I may have actually ended up installing "Free Viruses" from SAMSUNG.

Posted by: rajpol | December 28, 2008 8:56 AM | Report abuse

Oops! The post about SAMSUNG was intended for the next post in this blog about viruses from SAMSUNG photo viewer. Sorry for the mishap.

Posted by: rajpol | December 28, 2008 9:04 AM | Report abuse

>>Ah, I don't take calls from folks who want my credit card info...try again, Symantec!

Dale_R, they would be calling you if and only if you got in touch with them first, authorizing the call because you want help. Normally your caution would be good advice, here not so much.

Posted by: JeffRandom | December 29, 2008 12:22 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company