Strike out

Got your own spyware horror story?

I'm a serious gamer and a frequent Web surfer, so I know the dangerous worms that lurk behind every site I visit. Because of six severe infections, I've had to learn a lot about PC security, including how to completely sweep my hard drive. After thorough research, I got ZoneAlarm Security Suite, and I have to say I've been totally impressed.

A few days ago, I came across a torrent that claimed to contain a keygen for Counter-Strike. With confidence in my security protection, I downloaded it and ran the EXE file. Almost immediately, a ZoneAlarm firewall warning popped up to warn that the keygen was trying to communicate with scvhost.exe. I foolishly agreed to the transfer, and surprisingly, nothing happened. Then I tried to open Task Manager to kill the process. Windows produced a message saying that the Task Manager was disabled by the administrator...which is me. I hadn't disabled a darn thing.

The Task Manager was still disabled when I restarted my computer. Using a program called TuneUp Utilities 2006, I was able to see that 10 scvhost.exe processes were running. When I tried to end them, the processes either regenerated or a window opened saying that my computer would restart in 1 minute. I tried System Restore, but all my restore points had been deleted. I tried to override the spyware by modifying the Registry, but that also was disabled. A ZoneAlarm scan showed that Backdoor.Ciadoor was the infection, with the highest risk level. After hours of extensive cleanup, the problems with my processes stopped.

Or so it seemed. In fact, I was blocked from accessing the Internet. That's when I gave up, deleted the C: partition, and reinstalled Windows. A small, imprudent click had resulted in the massive loss of my personal files.

After I reinstalled Windows, I did some research on Backdoor.Ciadoor. The virus I thought I was infected with turned out to be a backdoor Trojan horse that gave the attacker full access to my computer. My advice is simple: before downloading a file from a disreputable Web site, think twice.

-Rick
New York, U.S.A.

Reply from the Download.com editors:

Others, too, have fallen for the old "free keygen" trick that ended up pumping their computer full of spyware. We're surprised that the vivid memories from past malware run-ins didn't balance your longing to crack Counter-Strike. Using unauthorized software is always a game of roulette, and you should have heeded your mistrust of handouts from unknown Web sites rather than test the power of your security suite.

Backdoor.Ciadoor is indeed a Trojan that lets an operator remotely control your computer, in addition to logging keystrokes and slashing security programs. Though you were right to target this Trojan when you first spotted the process, the real danger was the scvhost.exe worm that launched from the keygen EXE file. Also known as W32/Agobot-S, scvhost.exe was the first to invite in your attacker remotely, by connecting to an IRC server as it launched, and again each time Windows ran. It's possible that your attacker infected you with Backdoor.Ciadoor to disable your security programs, and then let free-wheeling malware take its course on your unprotected machine.

We don't condone illegal serial hacks, but we do recommend that all of our users equip themselves with the necessary tools to make educated decisions. One option for tracking dangerous Web sites, McAfee's free SiteAdvisor software, may have provided valuable security information about the Web site you visited and saved you from those gruesome nightmares of identity theft. Surf in peace.