I'm helpless!
December 8, 2005 5:49 PM

I've got a bunch of spyware/adware. It got on to my computer all in one go, though I'm not sure how, and now I can't completely get rid of it. Worse, I don't even know exactly what it is.

When it first happened, I also had a virus that attempted to send a bunch of email in my name, except I use gmail and Norton caught it. I got rid of that using Norton, then ran Adaware, Spybot and Microsoft's anti-spyware thing. Now I still get IE popups and occasionally it'll redirect pages in firefox to ads when I try to load them. I run spybot every once in a while and it always gives me the same ten or so problems - advertising.com, avenue a inc, bfast, coremetrics, doubleclick, fastclick among many others - all of which it fixes with no problem. The popups keep coming, though.

The weirdest thing is that sometimes I won't have any IE popup windows open, yet when I ctrl+alt+del and check the processes there's at least five instances of iexplore.exe (and nothing I don't recognize, i.e. spyware). On the other hand sometimes I'll have five popups and one instance of it running.

What the hell is going on? What else can I do to get rid of this aggravating crap? I've checked my add/remove programs, and there's nothing suspicious there.
posted by borkingchikapa to Computers & Internet (19 answers total)
i had this happen a while ago. lots of spyware will download new versions of itself to stay ahead of stuff like spybot, so i think you're fighting a losing battle. the only thing i've ever been able to do to really, finally get rid of it all is to back up my data, format the disk and reinstall windows.
posted by sergeant sandwich at 5:52 PM on December 8, 2005


For a really bad infection I agree; reformat and reinstall. However, first get every other bit of spy searching software you can find. Run them all from protected mode so that the virus or adware has less chance to run and interfere with the spy searching. That will probably work and it will be less effort than a complete reinstall. If you do the reinstall, do it from behind a firewall (any router should do) to make sure you don't get owned before updating windows. (Apple looks better every day.)
posted by caddis at 6:03 PM on December 8, 2005


The #1 tool in my arsenal to defeat viruses and spyware is Hijack This!. Be very very careful - it's a registry scanner, so don't just delete everything it shows. Copy and paste the log file into this log file analyzer to see what everything is. Comb through carefully.

This is the best way to avoid reformatting (it's a little scary how often that is suggested - do you repaint your bedroom when there's a rat infestation?)
posted by muddgirl at 6:07 PM on December 8, 2005


it's a little scary how often that is suggested - do you repaint your bedroom when there's a rat infestation?

well, back in the day a reinstall was something of a nightmare. these days with cd/dvd writers going for $30 a pop, self-installing drivers and broadband internet to replace your shareware and/or pirated software, it's pretty much a breeze. last time i did it, it took all of an hour, most of which was spent reading a magazine while the winXP installer churned through its nonsense. not such a big deal anymore.
posted by sergeant sandwich at 6:14 PM on December 8, 2005


Reinstall, including all your apps, and then create a drive image. The next time you need to go through this it will only take ten minutes. Alternatively, you can create unattended install scripts, or even an unattended install DVD, but this is somewhat harder.

Really though, if you get rid of internet explorer and outlook and get a firewall, you will have virtually no problem with viruses and spyware anymore.
posted by Chuckles at 6:32 PM on December 8, 2005


If you're running Firefox and you're still getting redirects, it's likely somebody's messed about with your Hosts file. Spybot Search & Destroy has a Hosts File tool (accessible from Advanced Mode) that you can use to check this.

If you don't already have Hijack This, you need it (get it from www.spywareinfo.com). Once you have it, go check out Wilders.org. There are forums there where you can post your Hijack This logs and get advice on what to do about them.

Despite the doomsayers, you will be able to clean your machine up using these tools in less time than it would take you to reformat, reinstall Windows and rebuild everything back the way you had it.

I don't know if this is covered on Wilders, but it should be: once you've cleaned your machine up by whatever method, the single most effective thing you can do to keep this garbage off it (assuming Windows XP) is to create a single Computer Administrator account that you will use solely for doing administrative things (software and hardware installation etc) and change the account type on all the other users to Limited Account.

Even if you're the sole user of the machine, it's worth having a limited account for day-to-day use and a separate Computer Administrator account for the other stuff. Password protect the admin account, and if you use a web browser from inside it, do so only to download stuff you already know is safe.

You'll want to make sure your disk is formatted with NTFS, not FAT32, to get the most benefit from this (with FAT32, even a limited account can Do Stuff inside the Windows system folders).

You should also install Sun Java (download it from www.java.com) to replace Microsoft's horrible Java VM, and use Set Program Access and Defaults to disable access to Internet Explorer (install the Firefox "IE View" extension to handle the occasional site that won't render properly in anything but IE).

Also, if you haven't installed Service Pack 2, do that; make sure Windows Firewall is on and all exceptions are disallowed; and turn on Automatic Updates.

Don't use Norton Antivirus; in fact, avoid Norton tools in general. When Peter Norton wrote things for DOS twenty years ago, Norton stuff was pretty good. It isn't any more; now it's bloated overhyped crap and damn near as hard to get rid of as some spyware. Use AVG 7.1 Free antivirus instead - does a good job of detecting things and its auto updater is the best I've seen.

It is perfectly feasible to set up a Windows XP machine so that it's (a) useful (b) not subject to infection. It pisses me off no end that they're never never never set up that way when you buy them from the shop.
posted by flabdablet at 6:38 PM on December 8, 2005


I second spywareinfo.com.
posted by ObscureReferenceMan at 6:44 PM on December 8, 2005


GoogleAnswers had many responses to similar questions. Pick the one that fits
posted by growabrain at 6:57 PM on December 8, 2005


Hitman Pro - honestly the best program I've ever used for spyware/adware. It downloads and installs all the good freeware anti-malware tools, optimizes their settings, and runs everything for you.

The site isn't in English though, but the program is.
posted by Ekim Neems at 7:55 PM on December 8, 2005


Two words: rootkit scanner.

My dad tried a half-dozen or more adware/spyware scanning programs multiple times. They never found anything, but my mom's computer still threw IE popups all over the place, even when using Firefox.

The rootkit scanner found something (I believe he said it was in a directory named "Bacshop"?) and that appeared to be visible from safe mode, allowing him to delete it.

Advanced rootkits can't even be seen from safe mode. In that case, perhaps look into booting off a Knoppix (Linux) or BartPE (Windows) bootable CD and poking around looking for stuff that ought not be there.
posted by xiojason at 8:05 PM on December 8, 2005


You can get a freeware rootkit scanner from www.sysinternals.com.

CrayDrygu: it will work exceedingly well; after all, it's been working just fine for Unix and its descendants since the seventies.

Of course, when it appears in Vista, M$ will ballyhoo this as an "advanced security feature" and claim to have invented it, but whatever.

M$ systems should have been shipped this way since NT first came out; but the main reason M$ operating systems are popular is that there's this vast amount of software available for them, and unfortunately there's still a hell of a lot of that (notably games and educational software) that requires significant fiddling to make it work in a Limited Account environment, and I'm guessing M$ didn't want to risk annoying people by breaking all those "legacy" apps.

I'm still waiting for M$ to invent "sudo" :)
posted by flabdablet at 8:31 PM on December 8, 2005


Like most people, I go through this every Thanksgiving, when my inlaws etc bring their "suddenly slow" computers over and I find them absolutely infested with spyware and viruses. Here is what I advise:

Get yourself a USB keydrive (2 gig or 1 gig) or even a small USB 2.0 hard drive. Make this bootable on the infected machine, but disconnect the machine from the internet. What you are going to do is boot into this drive (with NO INTERNET CONNECTION), preferably with BART PE XPLITE or Windows 2000 or even a Knoppix distro, copy the pertinent documents off of C:, and then begin your real work.

The most important first step is to get off the important files, before you go into battle.

Once you have safely removed these files, put your USB key or HD away. Now you know that no matter what happens, you at least have saved grandma's never-ever-backed up quicken file or grandpa's never-emailed-will.

My next step, although this is probably insanely stupid, is to boot the machine normally and try to access housecall by trendmicro because I have found that it hands down will detect things that Norton or McAfee cannot.

My next step after housecall is to install AVG Free Edition and Microsoft Defender Beta 2. I have found these two to be pretty good together, and if they cannot kill all the nasties, it's time to use a slipstreamed version of Windows XP Pro Lite SP2 to save yourself diminishing returns on hours of effort by doing a complete reinstall of the OS.

p.s.- it is estimated that somewhere between 25 and 50% of all Windows computers are infested with spyware. Firefox is helping keep this number down, but it is astonishing that we as a society tolerate this type of insecurity.

posted by crazyray at 8:43 PM on December 8, 2005


Something else useful from Winternals is their Process Explorer. It'll tell you the name of the file(s) that launched all those phantom iexplore.exe processes, which will give you a hint as to what to delete. Just kill iexplore.exe and watch for the filename that relaunches it.
posted by evariste at 9:04 PM on December 8, 2005


Check out Unattended. This program seriously rules. One CD (probably DVD) for the OS, service packs, patches, applications, etc.

Hint: the first application you install should be perl. You should make perl scripts to do all the random customization you need to do (CPAN has great libraries for *all* areas of Win32), and have those execute at the appropriate times in the installation.

You can always mirror your drive too, but the other advantage of this is you can switch the machine you're using without Windows flipping out on you.
posted by devilsbrigade at 9:21 PM on December 8, 2005


I should mention that DVD support is only in the anon-cvs branch afaik, it hasn't been put into a release yet. Otherwise Unattended installs over a network.
posted by devilsbrigade at 9:24 PM on December 8, 2005


(Last post in a row, I promise)
Turns out the newest release has DVD support. My bad.
posted by devilsbrigade at 9:28 PM on December 8, 2005


I've recently learned that I can't live without SpySweeper. Seriously. It nails things that AdAware and SpybotS&D won't.
posted by Clay201 at 9:54 PM on December 8, 2005


evariste: Spybot Search & Destroy has a Process List tool that will do this too; if you click on a process, its parent is highlighted and its children are underlined. Very handy.

devilsbrigade: Unattended looks incredibly useful. Thanks for that link!
posted by flabdablet at 5:05 AM on December 9, 2005
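The parent-process trick evariste describes (and the Spybot Process List view flabdablet mentions) can be done by hand from any listing that includes the parent PID. The following Python is an added example, not code from anyone in this thread: it builds a parent/child index from a process snapshot, reports which non-shell parents own the iexplore.exe instances, and prints the ancestry chain of each. The snapshot is constructed; svcupd.exe is a hypothetical dropper name chosen for illustration, and the 203-style paths are ordinary XP paths.

```python
"""Work out which processes are launching the phantom iexplore.exe instances.

Added example.  SNAPSHOT is constructed for illustration (svcupd.exe is a
hypothetical name, not a real malware family).  On XP a live listing with
parent PIDs can be taken with:
    wmic process get ProcessId,ParentProcessId,Name,ExecutablePath
"""
from collections import defaultdict

# (pid, ppid, image name, image path) -- constructed sample data
SNAPSHOT = [
    (4,    0,    "System",       ""),
    (600,  4,    "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    (1200, 600,  "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    (1500, 1200, "firefox.exe",  r"C:\Program Files\Mozilla Firefox\firefox.exe"),
    (1800, 1200, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2100, 600,  "svcupd.exe",   r"C:\WINDOWS\system32\svcupd.exe"),   # hypothetical dropper
    (2200, 2100, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2300, 2100, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2400, 2100, "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),
    (2500, 999,  "iexplore.exe", r"C:\Program Files\Internet Explorer\iexplore.exe"),  # parent already gone
]

# A browser the user opened has the shell as its parent; anything else deserves a look.
BENIGN_PARENTS = {"explorer.exe"}


def index(snapshot):
    """pid -> (ppid, name, path)"""
    return {pid: (ppid, name, path) for pid, ppid, name, path in snapshot}


def describe(table, pid):
    """Human-readable label for a pid, noting parents that have already exited."""
    if pid in table:
        return f"{table[pid][1]} (pid {pid})"
    return f"<exited> (pid {pid})"


def lineage(snapshot, pid):
    """Image names from the root of the tree down to pid.

    Stops at a parent that is no longer in the snapshot, and guards against
    pid-reuse cycles."""
    table = index(snapshot)
    chain, seen = [], set()
    while pid in table and pid not in seen:
        seen.add(pid)
        chain.append(table[pid][1])
        pid = table[pid][0]
    return list(reversed(chain))


def suspicious_parents(snapshot, target="iexplore.exe"):
    """Map each non-benign parent of `target` to the child pids it owns."""
    table = index(snapshot)
    result = defaultdict(list)
    for pid, ppid, name, _ in snapshot:
        if name.lower() != target:
            continue
        parent_name = table[ppid][1].lower() if ppid in table else None
        if parent_name in BENIGN_PARENTS:
            continue                      # the user opened this one
        result[describe(table, ppid)].append(pid)
    return dict(result)


if __name__ == "__main__":
    for parent, kids in suspicious_parents(SNAPSHOT).items():
        print(f"{parent} launched iexplore.exe pids {kids}")
        print("   ancestry:", " -> ".join(lineage(SNAPSHOT, kids[0])))
```

Two things the sample is built to show: the three iexplore.exe children of the hypothetical svcupd.exe are the ones to chase, and the instance whose parent has already exited (pid 999 here) is the case where killing the browser and watching what relaunches it, as evariste suggests, is the only way to catch the launcher. Task Manager does not show parent PIDs on XP; wmic or Process Explorer does.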


Do a combination of different anti-spyware runs. Lots of good suggestions above; I find in most cases that using just one anti-spyware prog doesn't get everything. Using a combination (I use Spybot, Ad-Aware, and the MS Antispyware) gets rid of everything. Some leave small bits, the others find those bits and crush them.

Second (third?) the rootkit comments. Definitely check your HOSTS file.

If all else fails, bite the bullet, wipe and reinstall. Better than letting the baddies take over your system.
posted by caution live frogs at 7:13 AM on December 9, 2005
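The HOSTS-file check that flabdablet explains (redirects in Firefox point at a tampered hosts file) and caution live frogs repeats can be automated. The Python below is an added example and is not code from any poster: it parses the Windows hosts file format (one address followed by one or more names per line, `#` comments) and separates harmless blackhole entries, which point names at 127.0.0.1 or 0.0.0.0 the way hosts-based ad blocking does, from hijack entries, which point real sites at somebody else's server. The sample file is constructed; the 203.0.113.x addresses are documentation-range placeholders, not real spyware infrastructure.

```python
"""Flag HOSTS-file entries that send a name somewhere other than the local machine.

Added example.  Runs offline against the constructed SAMPLE_HOSTS below;
pass --live to read the real file at %SystemRoot%\\system32\\drivers\\etc\\hosts
(or /etc/hosts elsewhere).
"""
import ipaddress
import os
import sys

# Constructed sample of a hijacked HOSTS file (203.0.113.x is a documentation range).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Blackhole entries like these are what hosts-based ad blockers write; harmless.
127.0.0.1       doubleclick.net
0.0.0.0         ad.doubleclick.net
# A hijack looks like this: real sites pointed at somebody else's server.
203.0.113.10    www.google.com
203.0.113.10    google.com        # trailing comment
203.0.113.11    www.symantec.com securityresponse.symantec.com
"""

# Addresses that mean "go nowhere" rather than "go to the attacker".
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return [(ip, name), ...] in file order, one tuple per name on a line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                              # malformed line: no name after the address
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)              # skip anything that is not an address
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in names)
    return entries


def find_hijacks(text):
    """Entries whose address is neither loopback nor a blackhole address."""
    return [(ip, name) for ip, name in parse_hosts(text) if ip not in BLACKHOLE]


def system_hosts_path():
    """Location of the live hosts file on Windows, /etc/hosts otherwise."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\WINDOWS")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def main():
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    hijacks = find_hijacks(text)
    if not hijacks:
        print("no non-local entries found")
    for ip, name in hijacks:
        print(f"SUSPECT: {name} -> {ip}")


if __name__ == "__main__":
    main()
```

Anything the script reports as SUSPECT is a name your browser will resolve without ever asking DNS, which is exactly how a page request in Firefox ends up at an ad server. Note that a long list of names pointed at 127.0.0.1 is normal if you use an ad-blocking hosts list; only the non-local addresses matter.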

