Tags:




Something is killing my FTP!
May 20, 2008 4:21 AM   RSS feed for this thread Subscribe

I have some malware on my machine -- yes, I know, stupid. Prolly got it from pr0n. I'm running Windows XP Home Edition Version 2002 on a Gateway laptop with a Pentium 4, 3.06GHz and 480 MB of RAM. I can connect to the nets, but I can't FTP into sites (I'm a freelance web designer) with either Dreamweaver or WS-FTP, my weapons of choice.

I am having a hard time getting rid of the damn malware, because when I scan my system with Spybot Search and Destroy or Bit Defender my machine shuts itself off! This seems to happen when (I think) the scanning process hits one or another of the nasties. The nasties are:
Trojan.DNSChanger.RU
Trojan.Downloader.Zlob.ABLE
Trojan.Downloader.Zlob.ABLF
Exploit.Java.Gimsh.B
Java.Trojan.Exploit.Bytverify.I
Trojan.Java.ClassLoader.D
Trojan.Java.Binny.A
Trojan.Classloader.G

Can these things futz my ability to FTP? What's my best course of action to get it back? I have work waiting to be done. I'm kicking myself in the ass, so you needn't waste time on that.
posted by Guy_Inamonkeysuit to computers & internet (26 comments total) 2 users marked this as a favorite
I found that googling (on another computer) for the names of the malware often gave me helpful hints for cleaning.
posted by k8t at 4:35 AM on May 20, 2008


No matter what anyone else here tells you, and whether you happen to like this or not, this is the only correct answer: you must erase and reinstall a machine that has been compromised to be sure it's clean again.

This is not negotiable. It's very unpopular, but if you ever want to KNOW you can trust that machine again, you will have to reinstall from scratch.
posted by Malor at 4:39 AM on May 20, 2008


Oh yes, what Malor said. Reinstalling Windows is likely FASTER than fixing the malware as well.
posted by k8t at 4:50 AM on May 20, 2008


3rding wipe.

Take off and nuke the site from orbit. It is the only way to be sure.
posted by mrbugsentry at 5:10 AM on May 20, 2008


Yeah, wipe. Just to note, some malware will block access to anti-malware/security sites to hinder your ability to remove said malware. Typically, this kind of blocking is on HTTP, but also blocking FTP wouldn't be surprising, i.e., let's cut off you off from your antivirus updates.
posted by chengjih at 5:17 AM on May 20, 2008


I just reinstalled yesterday morning. This last install lasted all of two weeks before getting infested with some crapware. Symptoms included a Norton AV popup when I got on the computer in the morning, then the front page of google would come up but not much else. All sites worked fine on another computer.

Once your machine has been compromised like that it can't be trusted. Nuke it from orbit, then look into using VMware or one of those nifty run-Linux-in-Windows installs for your pr0n browsing (or, in my case, Bittorrent sites).
posted by kableh at 5:42 AM on May 20, 2008


Delete it all, reinstall.
posted by grouse at 5:43 AM on May 20, 2008


You could try downloading and burning the Trinity Rescue Kit using a different, clean computer, then boot it on the sick one and do an offline virus scan. That's what I'd do first before going the nuke and pave. But then, I'm odd like that.
posted by flabdablet at 6:04 AM on May 20, 2008


No way would I continue to FTP, use Paypal, or do ANYTHING important on that machine until the OS has been reinstalled. If the machine is not used for anything important, you could probably try with virus removal software, but frankly I don't trust anything short of nuking Windows and starting again. I have seen some malware lately that is almost indistinguishable from a Windows service.
posted by crapmatic at 6:08 AM on May 20, 2008


Malware removers have their place -- cleaning up mild spyware infestations and getting enough control of a machine to back up data files -- but your machine sounds far too infected for you to ever be comfortable that you got it all, and you should be. So, yeah, n'thing the wipe and reinstall. That's especially true if this machine is being used to manage other people's websites. And, by the way, if a machine has been so badly compromised that it may well have rootkits or be part of a botnet, after I paved over it, I'd also go change any passwords that someone could have pulled off that machine by grabbing password stores or by keylogging.
posted by tyllwin at 6:13 AM on May 20, 2008


TRK also has ftp built in, if all you need to do is some quick ftp-ing. Or, if you want to do it in a graphical environment, boot your machine off an Ubuntu live CD, start Firefox, and install the oh so nifty FireFTP extension.

Also: if you have a heap of stuff on your busted Windows installation that's too much trouble to rebuild, and you'd rather pave without nuking, that will work; use Method 3 from this page. Just don't use any part of the old installation until you've done a thorough malware scan after booting the new one.
posted by flabdablet at 6:20 AM on May 20, 2008


rules

1. Never use IE for browsing the internet
2. Have real time virus checker that isn't a Symantec product
3. No peer to peer (OK Soulseek)

I've found Avast home is a good free anti virus app. Can be a resource hog, but you can shut most of that stuff off.

But once you infected with malware, reinstall. That's why adaware spybot etc are ok for cleaning up BHOs and the like, but they are not anti virus apps.
posted by mattoxic at 6:27 AM on May 20, 2008


While it's certainly difficult to fix an infested XP install, it isn't really impossible. It's just 99% of the time more trouble than it's worth. You either spend a day reinstalling, or several days hunting down and killing the infestation.

My 2 cents from a previous AskMe thread on helping to avoid this in the future: In short, make an SP3 disk to speed the install up, and use the free MS VirtualPC program to build yourself a virtual sandbox to protect your real OS when doing risky stuff online (like downloading programs or pr0n).
posted by caution live frogs at 6:34 AM on May 20, 2008


I knew ya'll would tell me to nuke from orbit before I started but I was hoping for... something else. Oh well, at least I don't use IE, so that's something, I suppose, and BitDefender seems to do a pretty good job of real-time virus checking. Except if you're a moran like me and go to questionable sites. No more!

I have recovery disks and all, so I'll go that route. I'll back up my files and nuke the fucker. I appreciate the input from you, flabdablet, so I may consider that depending on what other input I get here.

Shit.

Shit.
posted by Guy_Inamonkeysuit at 6:44 AM on May 20, 2008


That java app exploits an old security hole in java that you probably dont have. Its fairly common but the payload rarely goes off. Zlob is a smitfraud spyware app, which can be removed with this.

Of course you should do an reinstall, but if you need it to chug along for a short while you can try that remover I linked to.

Lastly, your computer shouldnt be shutting off when doing disk scans. I wouldnt be surprised that you have spyware along with hardware troubles, so a new computer may be in your future. Or at least a new disk.
posted by damn dirty ape at 7:14 AM on May 20, 2008


Lastly, what you should be doing is making a user account for everyday usage that is not a local administrator. Only use the administrator account when you need to install or update software. That'll take care of 99% of spyware/virus issues right there. It may take a little getting used to but once you get used to logging in as admin or using RunAs you'll be ok.
posted by damn dirty ape at 7:16 AM on May 20, 2008


One more thing, if you delete your network card entry from hardware manager and let it reinstall (just reboot) you'll knock out whatever hooks those apps put in your network interface. This might get your FTP up.
posted by damn dirty ape at 7:19 AM on May 20, 2008


Thanks, ape, good idea. I can't afford a new machine right now. A new account sounds like the way to go.
posted by Guy_Inamonkeysuit at 7:20 AM on May 20, 2008


You can't get spy ware from 'pr0n', you have to download some executable. Thinking malware comes only from "bad" sites and avoiding them is a recipe for... getting Malware. In fact, malware has actually been bundled as anti-malware in the past.

You need to learn the difference between bad types of files and dangerous actions not bad 'types of sites'. You never want to download and run any executable, and you never want to allow a page to install an ActiveX control (if you're running IE), that sort of thing. Every once in a while a new exploit will come out, but those usually get fixed pretty quickly. You need to keep your browser up to date, but Firefox updates automatically.

Have you tried booting in safemode and running spybot there? That may work, although I'm not sure.

As others said, creating a second non-administrator account, or even using VMWare to create a virtual 'sandbox' are great ideas for avoiding problems in the future.
posted by delmoi at 7:34 AM on May 20, 2008


In my experience, caution live frogs is right, except that what takes up most of the time is not hunting down the infestation; that's generally fairly straightforward. What takes up all the time is putting Windows back together after the malware removal tools have had their wicked way with it. It's fairly common to find that malware has messed up the registry to the extent that Windows won't run properly after the malware's executables have been excised, and as far as I know none of the current crop of offline malware removers will fix an offline registry correctly. Paulsc has often recommended using a Windows repair install to put Humpty together again, but it doesn't always work.

Fixing malware properly is also getting steadily harder to do because the build quality of malware is getting steadily better. For my money, Windows security has hit the iceberg, and it's going down, and I can't see rescue boats on the horizon. I don't think Vista is going to help any, either, because the kludge it has in place to allow people to keep running admin accounts is so incredibly irritating. UAC really does stand for User Annoyed Constantly, and people will turn it off.

Running 100% non-admin for all day-to-day tasks is absolutely what's required. But I think the chances of that becoming the default configuration for Windows as shipped is about as likely as Linux becoming the market leader in desktop systems - it's never gonna happen. In fact, the very same cultural baggage that guarantees Windows its position as market leader also guarantees that it will remain insecure for the foreseeable future.

People who care about the security of their computers should run ABW - anything but Windows. Damn dirty ape has argued fairly vehemently against this advice, on the grounds that if everyone switches from Windows to Ubuntu, so will the malware writers and we'll be back at square 1. But most people don't care about security, and won't switch. Also, if Linux actually did stand a chance of knocking Windows' market share down significantly, it seems to me that the motivations driving that would lead to more diversity, not a replacement of the existing OS monoculture with a different OS monoculture, and that overall security levels would improve as a result.
posted by flabdablet at 7:57 AM on May 20, 2008


Delmoi, creating a second non-administrator account sounds to me like the wrong mindset. The first account - the one you use most of the time - should be non-admin. But if all you mean is that a box used by only one person should still have at least two accounts on it, only one of which is an administrator, of course I completely agree.

On a Windows box shared by multiple users, there should be a single administrative account called, say, Admin; Admin should have a teenager-resistant password; the hidden Administrator account should have a strong password (set this from a cmd window inside your Admin account with net user Administrator *) and never get used; and every other account should be non-admin. Also, the Admin account should have a really ugly desktop background (the Windows logo one, or the system manufacturer's default advertising one are good picks) and an irritatingly short screensaver timeout to remind you not to use it casually. The screensaver should also be set to drop you back to the logon screen so you have to supply the Admin password to get back in (this is another teen resistance measure). Get in, do the business, keep an eye on it, get out quick.

I've found that putting the following six items only in the Admin quicklaunch bar is helpful:

* Show Desktop
* Shortcut to C:\Documents and Settings\Admin\My Documents\Maintenance_notes.txt
* Add/Remove Programs control panel item
* Shortcut to C:\Documents and Settings\Admin\My Documents\Installers folder
* Shortcut to C:\Documents and Settings\All Users\Desktop folder
* User Accounts control panel item

Also, creating a Shortcuts folder in the All Users Desktop is a Good Thing. If you copy any desktop shortcut left behind by an installer into C:\Documents and Settings\All Users\Desktop\Shortcuts, and delete the original, then any of the non-admin accounts can easily copy and paste the shortcuts they want to their own desktops, everybody can turn off the idiot Desktop Cleanup Wizard, and idiot installers that put their desktop shortcuts on the Admin desktop instead of the All Users one don't cause grief.
posted by flabdablet at 8:17 AM on May 20, 2008 [2 favorites has favorites]


Nuke it from orbit THEN after you install everything (drivers, programs, configs, etc.) image the disk. Then if it happens again, you'll be in great shape.
posted by i_am_a_Jedi at 9:19 AM on May 20, 2008


This is pretty much resolved, but in general, one of the last things you want to do when you know you've been compromised is enter a password...like for ftp.
posted by juv3nal at 10:06 AM on May 20, 2008


What a fun time I am going to have. Yep, user account for me from now on. Live and learn!
posted by Guy_Inamonkeysuit at 10:26 AM on May 20, 2008


And if you really truly were running Windows XP Home Edition Version 2002, without at least Service Pack 2, well... don't say you weren't told.
posted by flabdablet at 10:48 AM on May 20, 2008


If you don't want to nuke your system from orbit, you can try following the steps I mentioned in this thread, but as others have mentioned, it may take some time until you can track down everything.
posted by pravit at 11:27 AM on May 20, 2008


« Older SATA I or II? Hopefully very s...   |   PLEASE help me find my grandfa... Newer »
This thread is closed to new comments.