I found that googling (on another computer) for the names of the malware often gave me helpful hints for cleaning.
posted by k8t at 4:35 AM on May 20, 2008

No matter what anyone else here tells you, and whether you happen to like this or not, this is the only correct answer: you must erase and reinstall a machine that has been compromised to be sure it's clean again.

This is not negotiable. It's very unpopular, but if you ever want to KNOW you can trust that machine again, you will have to reinstall from scratch.
posted by Malor at 4:39 AM on May 20, 2008

Oh yes, what Malor said. Reinstalling Windows is likely FASTER than fixing the malware as well.
posted by k8t at 4:50 AM on May 20, 2008

3rding wipe.

Take off and nuke the site from orbit. It is the only way to be sure.
posted by mrbugsentry at 5:10 AM on May 20, 2008

Yeah, wipe. Just to note, some malware will block access to anti-malware/security sites to hinder your ability to remove said malware. Typically, this kind of blocking is on HTTP, but also blocking FTP wouldn't be surprising, i.e., let's cut off you off from your antivirus updates.
posted by chengjih at 5:17 AM on May 20, 2008

I just reinstalled yesterday morning. This last install lasted all of two weeks before getting infested with some crapware. Symptoms included a Norton AV popup when I got on the computer in the morning, then the front page of google would come up but not much else. All sites worked fine on another computer.

Once your machine has been compromised like that it can't be trusted. Nuke it from orbit, then look into using VMware or one of those nifty run-Linux-in-Windows installs for your pr0n browsing (or, in my case, Bittorrent sites).
posted by kableh at 5:42 AM on May 20, 2008

Delete it all, reinstall.
posted by grouse at 5:43 AM on May 20, 2008

You could try downloading and burning the Trinity Rescue Kit using a different, clean computer, then boot it on the sick one and do an offline virus scan. That's what I'd do first before going the nuke and pave. But then, I'm odd like that.
posted by flabdablet at 6:04 AM on May 20, 2008

No way would I continue to FTP, use Paypal, or do ANYTHING important on that machine until the OS has been reinstalled. If the machine is not used for anything important, you could probably try with virus removal software, but frankly I don't trust anything short of nuking Windows and starting again. I have seen some malware lately that is almost indistinguishable from a Windows service.
posted by crapmatic at 6:08 AM on May 20, 2008

Malware removers have their place -- cleaning up mild spyware infestations and getting enough control of a machine to back up data files -- but your machine sounds far too infected for you to ever be comfortable that you got it all, and you should be. So, yeah, n'thing the wipe and reinstall. That's especially true if this machine is being used to manage other people's websites. And, by the way, if a machine has been so badly compromised that it may well have rootkits or be part of a botnet, after I paved over it, I'd also go change any passwords that someone could have pulled off that machine by grabbing password stores or by keylogging.
posted by tyllwin at 6:13 AM on May 20, 2008

TRK also has ftp built in, if all you need to do is some quick ftp-ing. Or, if you want to do it in a graphical environment, boot your machine off an Ubuntu live CD, start Firefox, and install the oh so nifty FireFTP extension.

Also: if you have a heap of stuff on your busted Windows installation that's too much trouble to rebuild, and you'd rather pave without nuking, that will work; use Method 3 from this page. Just don't use any part of the old installation until you've done a thorough malware scan after booting the new one.
posted by flabdablet at 6:20 AM on May 20, 2008

rules

1. Never use IE for browsing the internet
2. Have real time virus checker that isn't a Symantec product
3. No peer to peer (OK Soulseek)

I've found Avast home is a good free anti virus app. Can be a resource hog, but you can shut most of that stuff off.

But once you infected with malware, reinstall. That's why adaware spybot etc are ok for cleaning up BHOs and the like, but they are not anti virus apps.
posted by mattoxic at 6:27 AM on May 20, 2008

While it's certainly difficult to fix an infested XP install, it isn't really impossible. It's just 99% of the time more trouble than it's worth. You either spend a day reinstalling, or several days hunting down and killing the infestation.

My 2 cents from a previous AskMe thread on helping to avoid this in the future: In short, make an SP3 disk to speed the install up, and use the free MS VirtualPC program to build yourself a virtual sandbox to protect your real OS when doing risky stuff online (like downloading programs or pr0n).
posted by caution live frogs at 6:34 AM on May 20, 2008

That java app exploits an old security hole in java that you probably dont have. Its fairly common but the payload rarely goes off. Zlob is a smitfraud spyware app, which can be removed with this.

Of course you should do an reinstall, but if you need it to chug along for a short while you can try that remover I linked to.

Lastly, your computer shouldnt be shutting off when doing disk scans. I wouldnt be surprised that you have spyware along with hardware troubles, so a new computer may be in your future. Or at least a new disk.
posted by damn dirty ape at 7:14 AM on May 20, 2008

Lastly, what you should be doing is making a user account for everyday usage that is not a local administrator. Only use the administrator account when you need to install or update software. That'll take care of 99% of spyware/virus issues right there. It may take a little getting used to but once you get used to logging in as admin or using RunAs you'll be ok.
posted by damn dirty ape at 7:16 AM on May 20, 2008

One more thing, if you delete your network card entry from hardware manager and let it reinstall (just reboot) you'll knock out whatever hooks those apps put in your network interface. This might get your FTP up.
posted by damn dirty ape at 7:19 AM on May 20, 2008

You can't get spy ware from 'pr0n', you have to download some executable. Thinking malware comes only from "bad" sites and avoiding them is a recipe for... getting Malware. In fact, malware has actually been bundled as anti-malware in the past.

You need to learn the difference between bad types of files and dangerous actions not bad 'types of sites'. You never want to download and run any executable, and you never want to allow a page to install an ActiveX control (if you're running IE), that sort of thing. Every once in a while a new exploit will come out, but those usually get fixed pretty quickly. You need to keep your browser up to date, but Firefox updates automatically.

Have you tried booting in safemode and running spybot there? That may work, although I'm not sure.

As others said, creating a second non-administrator account, or even using VMWare to create a virtual 'sandbox' are great ideas for avoiding problems in the future.
posted by delmoi at 7:34 AM on May 20, 2008

In my experience, caution live frogs is right, except that what takes up most of the time is not hunting down the infestation; that's generally fairly straightforward. What takes up all the time is putting Windows back together after the malware removal tools have had their wicked way with it. It's fairly common to find that malware has messed up the registry to the extent that Windows won't run properly after the malware's executables have been excised, and as far as I know none of the current crop of offline malware removers will fix an offline registry correctly. Paulsc has often recommended using a Windows repair install to put Humpty together again, but it doesn't always work.

Fixing malware properly is also getting steadily harder to do because the build quality of malware is getting steadily better. For my money, Windows security has hit the iceberg, and it's going down, and I can't see rescue boats on the horizon. I don't think Vista is going to help any, either, because the kludge it has in place to allow people to keep running admin accounts is so incredibly irritating. UAC really does stand for User Annoyed Constantly, and people will turn it off.

Running 100% non-admin for all day-to-day tasks is absolutely what's required. But I think the chances of that becoming the default configuration for Windows as shipped is about as likely as Linux becoming the market leader in desktop systems - it's never gonna happen. In fact, the very same cultural baggage that guarantees Windows its position as market leader also guarantees that it will remain insecure for the foreseeable future.

People who care about the security of their computers should run ABW - anything but Windows. Damn dirty ape has argued fairly vehemently against this advice, on the grounds that if everyone switches from Windows to Ubuntu, so will the malware writers and we'll be back at square 1. But most people don't care about security, and won't switch. Also, if Linux actually did stand a chance of knocking Windows' market share down significantly, it seems to me that the motivations driving that would lead to more diversity, not a replacement of the existing OS monoculture with a different OS monoculture, and that overall security levels would improve as a result.
posted by flabdablet at 7:57 AM on May 20, 2008

Delmoi, creating a second non-administrator account sounds to me like the wrong mindset. The first account - the one you use most of the time - should be non-admin. But if all you mean is that a box used by only one person should still have at least two accounts on it, only one of which is an administrator, of course I completely agree.

On a Windows box shared by multiple users, there should be a single administrative account called, say, Admin; Admin should have a teenager-resistant password; the hidden Administrator account should have a strong password (set this from a cmd window inside your Admin account with net user Administrator *) and never get used; and every other account should be non-admin. Also, the Admin account should have a really ugly desktop background (the Windows logo one, or the system manufacturer's default advertising one are good picks) and an irritatingly short screensaver timeout to remind you not to use it casually. The screensaver should also be set to drop you back to the logon screen so you have to supply the Admin password to get back in (this is another teen resistance measure). Get in, do the business, keep an eye on it, get out quick.

I've found that putting the following six items only in the Admin quicklaunch bar is helpful:

* Show Desktop
* Shortcut to C:\Documents and Settings\Admin\My Documents\Maintenance_notes.txt
* Add/Remove Programs control panel item
* Shortcut to C:\Documents and Settings\Admin\My Documents\Installers folder
* Shortcut to C:\Documents and Settings\All Users\Desktop folder
* User Accounts control panel item

Also, creating a Shortcuts folder in the All Users Desktop is a Good Thing. If you copy any desktop shortcut left behind by an installer into C:\Documents and Settings\All Users\Desktop\Shortcuts, and delete the original, then any of the non-admin accounts can easily copy and paste the shortcuts they want to their own desktops, everybody can turn off the idiot Desktop Cleanup Wizard, and idiot installers that put their desktop shortcuts on the Admin desktop instead of the All Users one don't cause grief.
posted by flabdablet at 8:17 AM on May 20, 2008 [2 favorites]

Nuke it from orbit THEN after you install everything (drivers, programs, configs, etc.) image the disk. Then if it happens again, you'll be in great shape.
posted by i_am_a_Jedi at 9:19 AM on May 20, 2008

This is pretty much resolved, but in general, one of the last things you want to do when you know you've been compromised is enter a password...like for ftp.
posted by juv3nal at 10:06 AM on May 20, 2008

And if you really truly were running Windows XP Home Edition Version 2002, without at least Service Pack 2, well... don't say you weren't told.
posted by flabdablet at 10:48 AM on May 20, 2008

If you don't want to nuke your system from orbit, you can try following the steps I mentioned in this thread, but as others have mentioned, it may take some time until you can track down everything.
posted by pravit at 11:27 AM on May 20, 2008

This thread is closed to new comments.