My Computer was Totally Downed by CiaDoor
November 8, 2007
I have been planning on blogging for so long. Finally, when I was ready to put some effort into publishing my work, my computer got hijacked. The hijacking had been going on for a while before I realised it.
Cause
The main reason the hijack was successful is that I disabled the anti-virus program. I had been working on bulk file editing for my web pages, so I traded off security for some speed. Yes, it was indeed a little silly to disable the virus protection for too long.
Actions taken
It is too late when a virus attacks and we then try to fix it. The trojan made me really break my own computer down while trying to remove it. In other words, if I had let it stay, I could still use my computer. Funny, isn't it? Read on and you will know why.
After I realised it was on my computer, I tried 6 different virus scanners without any success. Those useless programs, listed in order of use, are:
- Kaspersky v6 with up-to-date database on a clean computer. (no result)
- TREND Housecall (web-based scanner) (no result)
- Ad-Aware 2007 Personal (found Win32.Backdoor.CiaDoor)
- Ad-Aware 2007 Professional Trial (found Win32.Backdoor.CiaDoor)
- F-Secure Anti-virus 2008 Trial (found Win32.Backdoor.CiaDoor)
- BitDefender Trial (never worked)
The worst program is F-Secure Anti-virus, which caused a full system crash after I tried to uninstall it. Although the screen is very neat and tidy, it has 2 inter-related drawbacks:
- it is too heavy on hard-disk - uses 400MB HDD space, bigger than Norton anti-virus.
- it is too heavy on memory - owns 4-5 processes (shown in the task-manager).
A warning to anyone who is thinking about using F-Secure Anti-virus in such circumstances: prepare to reinstall Windows. Why?
- It forced me to remove all antivirus currently on the system.
- After it didn't work, I tried BitDefender, which in turn could not run (I suspect because of the F-Secure program disabling others).
- I tried to uninstall it after finding it was useless.
- The next reboot it was still on my system tray.
- I tried to remove the registry key associated with it.
- Result: Windows showed a 60s countdown to restart because of a DCOM error.
Result
For the record, the programs that managed to find Win32.Backdoor.CiaDoor managed to temporarily remove/quarantine the "Registry key" associated with it, but could not remove its master (the actual malware).
I spent 1 whole day googling for a solution, but found nothing. The information I could find on CiaDoor was a few years old. I still can't believe those anti-virus/spyware programs couldn't take it out.
This virus made me so frustrated. It aggressively used my whole down-link bandwidth, which cost me a few days in which I could not do blogging research. Thanks to OneNote, I could take some screenshots and statistics regarding the behavior of this particular invisible piece of malicious thing.
What's next?
If you know of, or have experienced, this CiaDoor hijack, please tell me about your experience using the Comment box at the bottom of this page. Your feedback is really appreciated.
Stay tuned for my next posts on how the virus acted on my laptop and how each anti-virus program handled the problem.


[...] cities. I couldn’t really access my own blog to post new articles. Also because of recent Win32.Backdoor.CiaDoor attack my computer caused me to reinstall everything, which delayed me from redesigning the [...]