Help my posessed computer!
December 14, 2008 8:20 AM   Subscribe

Firefox and sometimes IE opens random websites on its own , in new windows. I ran AVG scan and Anti Spyware as well as the Rootkit module. But even when it says my system is clean, the new windows come up in Firefox, about every two minutes. I noticed that Firefox doesn't even need to be running at first for this to occur. AVG resident shield does find sometimes a Trojan virus in some random dll (just popped up again, it's called Trojan Vundo) and I press heal or move to vault, but that didn't fix the problem. I also ran hikackthis and tried to delete whatever I deemed unnecessary or suspect from the registry, also deleting the associated files on the hard drive. But to no avail. My system is windows XP. Any other good free programs I can try to clean up my system? What about good cheap payware? AVG has been good until now but obviously it cannot cope with this new threat even in its most up-to-date form.
posted by spacefire to Computers & Internet (22 answers total) 9 users marked this as a favorite
Give Malwarebytes' Anti-Malware a shot. I've had very good luck with it easily getting rid of a number of things neither Spybot nor Antivir could find, even while just doing a quick scan - which generally lasts only ten minutes or so.
posted by The Great Big Mulp at 8:28 AM on December 14, 2008 [2 favorites]

Response by poster: Thanks Mulp, I will download that one as well.

right now I am running a program recommended on CNET: superantispyware. It found a bunch of things, but then again so did AVG and they kept reappearing. I hope this one works beter.

It seems the malefactors are connected to a program called gadcom, and also getmodule32.exe, both of which I eliminated last night and which reappeared this morning bearing trojans and whatnot.
posted by spacefire at 8:31 AM on December 14, 2008

If you have Vundo, you need Vundofix.
posted by Inspector.Gadget at 8:37 AM on December 14, 2008

More generally than Vundo--

Copy the names of the malwares that reappear after scanning.
Stick each one in google to find the fix for it (like finding Vundofix to cure vundo)
Most will have a program to fix them, but some may have just a long series of instructions.
Generally, the fix program just executes the long series of instruction.

If you want to do an instruction list, print it first. You usually reboot somewhere along the way.
Then follow the directions.

Also, you may find that threats reported by the scan is not found by the removal program.
Scanning programs generate plenty of false alarms.
(For example, superantispyware wanted to delete a program called remover.exe
but that remover.exe was a (tiny) program I had written myself -- superantispyware just didn't like the name)

Good luck.
posted by hexatron at 8:49 AM on December 14, 2008 [1 favorite]

Sounds like something I had once and it was a bitch to fix. The forum at Majorgeeks helped me out. Read the "malware removal guide" and if you follow all the steps, then you should have no problem getting rid of it.
posted by MaryDellamorte at 8:49 AM on December 14, 2008


1 Turn off system restore
2 Work in Safe Mode whenever possible
3. Seconding MalwareBytes Anti-Malware
4. 30-day free trial of Kaspersky
posted by mandal at 9:01 AM on December 14, 2008

You should completely re-install your system. Once it becomes infected, you can never really trust it again. E.g., given how anti-spyware software has been failing for you, how will you know you can trust anything to say your system is 100% clean? No, you must say goodbye to the installation and start clean.
posted by jeffamaphone at 9:14 AM on December 14, 2008

Nuke the site from orbit, it's the only way to be sure. No, I'm not being glib. Back up your data and reinstall your operating system and all of your apps. Otherwise you will never know whether you missed is some piece of spyware that you missed sending your bank account password to bad people. (Well, I guess you will know when your bank account is emptied.)
posted by grouse at 9:15 AM on December 14, 2008

I've had similar issues with Vundo for a long time. In the end, it took a combination of Spybot's Teatimer registry monitoring tool and the freeware CurrProcess viewer (which shows the running processes and all their associated DLLs) to figure out the sort of files I should be looking for in the registry and on the disk. Then I had to manually go through the registry to remove the keys and use MoveOnBoot to delete the files on the disk.

Vundofix didn't work for me, but this MalwareBytes Anti-Malware program did not seem to exist at the time, so it may be worth a shot.
posted by Krrrlson at 9:20 AM on December 14, 2008

Ugh, I just got done cleaning this off my husband's computer. Turn off System Restore. Run SUPERAnti-Spyware. Over and over. Until it is gone.
posted by headspace at 9:28 AM on December 14, 2008

Another vote for reinstalling. It's the only way you'll have peace of mind, and there are more than enough spam/DOS-spewing machines on the net already so you'd be doing us all a favour.

You also need to make sure it doesn't happen again. Were you up to date with patches? Avoiding dubious software? Using stricter-than-default settings to minimise risk? Keeping Windows secure requires a certain amount of knowledge and caution, you can't just rely on an anti-virus package.
posted by malevolent at 9:55 AM on December 14, 2008 [1 favorite]

Before you reinstall, I'd second the people above recommending SPECIFIC fixes for each worm or trojan you have.

I put generic anti-spyware programs one step above the viruses themselves, because they are, in my experience, utterly useless. I have never seen one defeat a serious threat, although I'm sure it's possible.

Specific problems on your system need specific solutions, not some "omg miracle spyware defeater!!!!1" snakeoil.

And if you can't find a SPECIFIC solution, then you may have to reinstall.
posted by drjimmy11 at 10:27 AM on December 14, 2008

I just used MalwareBytes Anti-Malware to get Vundo off of my machine a few days ago. It worked like a charm.
posted by Faint of Butt at 11:00 AM on December 14, 2008

I had the same thing. I tried everything suggested, nothing worked for more than a couple days. I re-installed and changed ALL of my passwords. It's a long and somewhat painful process, but the only way I could be confident.
posted by Arquimedez Pozo at 11:53 AM on December 14, 2008

You can't delete a running program. Viruses have defenses against being stopped, and also reinstall themselves into the registry if you try to clean the registry while they are running.

It helps to boot off a CD, like Bart PE or Ultimate Boot CD, instead of booting the infected system, to delete the problem files.
posted by and for no one at 1:12 PM on December 14, 2008

Vundo was a real pain to remove for me. I reinstalled Windows.
posted by Duke999R at 1:12 PM on December 14, 2008

Response by poster: thanks for all the replies. after running superantispyware I don't have firefox windows pop up anymore. but it is possible that the next restatr will bring them back. So i'll try everything listed here :)
posted by spacefire at 3:27 PM on December 14, 2008

My experience was similar to faint of butt. we loaded the software from a mem stick. so far so good.
posted by patnok at 3:27 PM on December 14, 2008

I've killed Vundo manually, but it was trickier than earlier generation virus crap, though certainly not so difficult as to require a reinstall. The problem is that it hooks Windows Explorer, so it's hard for automated programs to kill the thing. The hooks persist into Safe Mode. I didn't have luck with anti-virus programs myself, but others here and elsewhere have reported success with automated anti-Vundo measures such as the AV programs listed here, so you may want to try other suggestions first.

Let me tell you how I wiped out a virus infestation, including Vundo, and then decide if you want to try. Assuming you are reasonably comfortable working with computers, you need not buy into the jingoistic "nuke from orbit" route to eliminate a common, non-custom, virus, and yet you can still be reasonably confident your computer is clean. The steps may sound a little complicated, but it's not a huge deal, just a matter of logically stepping through what you need to do. These are stripped-down instructions, but I think they cover the basics. Also note that this is just one path to recovery, there are other utilities and ways to get there. Suggested improvements and optimizations from other members are welcome.

But first, let me repeat the mantra that it's only worth doing all this if the time you spend killing the virus is substantially less than the time you would spend recreating your computer environment from an reinstall. Reinstalls are commonly recommended because they're cheap and easy to do, and clear the infestation. But they can be a bad idea if the wipe and reinstalls costs you many hours, or days, to properly recover from and get back to the computer setup you want.

Enough digression. If you want to take a crack at it, download ShellExView and run it. This utility shows what extensions have hooked into your browser and explorer. With Vundo, you should see several unauthorized hooks. Scroll across and check their filenames, those are what you want to kill. Save those filenames, including their location.

Now download AutoRuns. This program shows what loads at startup. You'll probably see some virus crap here, as well. Save those filenames.

If you have a problem running some programs, you can usually swat running nasty processes using Process Explorer and temporarily get a clean system, or at least clean enough to run the utilities you need.

Now you need to be able to boot a stand-alone operating system from a separate CD or DVD so that you can rename or remove files without those files being active. Burn an ISO of the operating system so it will boot from the CD/DVD, though you may have to set your BIOS options to do a CD/DVD boot before the hard disk. I usually boot a Linux disk which allows editing NTFS-formatted disks, which I believe both Knoppix and Ubuntu allow one to do. After you boot the disk, navigate to your C: or system disk and simply rename the files so that they won't be found at startup (don't delete them yet, in case you're wrong). Give them a common unique extension so you know what ones you renamed. If you have problems figuring out what to do, just ask, plenty of people here know their way around Linux.

Got the files renamed? Reboot the computer. If you got everything, you should be clear and later on can safely delete those files you renamed. You will get error messages about missing files due to the renaming, but you don't want those files to run anyway. You can clear the error messages out later using the above utilities and perhaps REGEDIT, but for now, just ignore them. If the computer doesn't boot properly, you might have renamed a file you shouldn't have. Try the boot disk again and restore any filenames which were mistakenly changed.

If you are reasonably careful, you needn't worry too much about re-virusing. An active Windows firewall and common sense will cover almost any situation you might encounter, assuming you aren't in a job where you attract the personal attention of true hackers and computer-savvy bad guys. I don't have active anti-virus here, opting for one which only runs weekly, and the only thing it has ever found are attachments to e-mails that I've haven't thrown away yet. You already know not to open those type of things. Heck, even Macs and Linux can have a virus or trojan problem if the operator doesn't pay attention to what they are doing.

If you have questions about how to do something, encounter problems, or new more details on what needs to be done, just drop a note here for everyone, or you can e-mail me directly.

Also, as I have said before, I stand behind what I've said here about a reinstall not being always necessary, despite pushback from those of opposing viewpoints. As proof of this, I will try my best to fix a virus infestation for anyone's computer on MetaFilter if they need it done, have made a good faith effort to fix the problem on their own, and are sure a reinstall is not a good alternate for their situation. Unfortunately, what with the economic times and severe stock market retrenchment, I can no longer offer to cover shipping myself. Currently my overall record from all tech support work for manual virus clears stands at about 50-0 in my favor with viruses, although I'm sure the day will come when one of the little bastards will beat me, probably as a custom job. There are one or two users here who have publicly commented that they have cleared literally thousands of virused machines, so the "clean not wipe" idea is hardly unique or held only by the uneducated and untrained. It's been successfully done, and continues to be successfully done by many. There is a good chance you can do it too.
posted by mdevore at 3:28 PM on December 14, 2008 [4 favorites]

to see what will be loaded on startup, go to the start menu, type run, and type "msconfig" without quotes. Click over to the startup tab. Note: unchecking viruses won't necessary prevent the virus from changing it back, as I found out last night.

I have to second the majorgeeks. I didn't actually post, just followed directions based on somebody with the same problem, but it worked fine.
posted by gryftir at 3:43 PM on December 14, 2008

You can shutdown Windows Explorer, then kill things from a command prompt. To shut it down in Vista CTRL+SHIFT+RCLICK on the background of the Start menu, select Shutdown. To shut down Explorer in XP and earlier Start->Shutdown->CTRL+ALT+SHIFT+CLICK Cancel. Use taskkill /f /im [process-name] to kill things from the command window.

As far as "clean, not wipe" goes, that may be fine if you completely understand all aspects of the virus. Most normal people do not. I don't have the time to do all that sort of investigation. You have no way of knowing if a given virus has been eliminated or if it is just hiding. There are some very advanced ways of having processes run but not be visible in task manager. Once you have a virus running in kernal space, you've basically lost. You can try to clean the drive from another non-infected system (i.e. take the drive out and mount it in a different machine under a different OS) and clean it that way.

And how do you know what malicious software does? You can research it on A\V sites, but those descriptions are usually not technical enough to make this decision. No, you have to attach a debugger to your machine and see what is going on for yourself. Very few people can do that. Call me paranoid, but I don't trust the guys at A\V companies. I've never met them. I have no idea what their technical skills are. I only met a few people at Microsoft who I would trust to be smart enough to tell me if a machine is truly clean or not.

No, given what you have to lose (identity theft, your data, your ISP shutting you down, etc) it just isn't worth it. Format and re-install leaves no question.
posted by jeffamaphone at 7:04 PM on December 24, 2008 [1 favorite]

Self-diagnosed and accepted paranoia is still paranoia.

Look, no one ever knows that their computer is safe with 100% assurance, not even following a complete reinstall of an OS. If the incentives and rewards are high enough, practically any computer can be (re)compromised in almost no time at all. But, of course, here we aren't talking about a machine that controls billions of dollars and warrants personal attention from genius hackers. We're talking about a simple virus automatically duplicated across tens of thousands of machines (or more), a basic attack with very recognizable behaviors.

If this were a sophisticated attack, you wouldn't see symptoms. That's unprofessional and stupid. A professional attack would just steal your computer life and remove itself, without you being any the wiser until the real-world consequences came home to roost. That's how you compromise a system. Not some kiddie bullshit redirect to ads or porn sites, all half-ass protected by obvious shutdowns and blocks of front-line security.

How do I know what malicious software does? How do you know what any software does? The days of being able to pull up a debugger and/or a disassembly to see and understand every bit of code is in the long past. If you're old enough, you might remember computer press stories in the '80s and '90s about boobytraps and timebombs in software that unscrupulous programmers placed in case of a future conflict with a company. The software would run fine, often for years. But if the programmer were crossed, the trap triggered, and the computers would screech to a halt.

Even most MS-DOS applications were too complicated for people to "know" that they were safe. We'd have to back to the CP/M generation to be able to fully vet programs and verify the execution address space. So do we all just run CP/M and TRS-DOS and AppleDOS on our 8080, Z-80, and 6502 8-bit bangers? Because maybe there could be an evil unconquerable virus lurking in the megabytes and gigabytes of machine code that runs for a typical user configuration nowadays? Sure, you could do that. Or you keep the modern processors and operating systems, yet paralyze yourself with fear, spending hours reinstalling software and rebuilding your computer every single time something abnormal occurs. Or you could do something else.

Ultimately everything in life is a risk, even staying in bed. Some risks are sufficiently low they aren't worth constantly worrying about if basic precautions are taken (e.g. firewalls, backups, minimal levels of operator attention). Pushing the "Nuke from orbit! Wipe it!" overreaction for a common virus promulgates unnecessary fear, doubt and uncertainty in a world already riddled and rotten with unnecessary fear, doubt and uncertainty. It is the computer-level equivalent of the zero-tolerance policies already used to keep our population under control. "We had to kill it to save it."

I say there's a better way. A middle road to walk between none and extreme. And, barring extraordinary circumstances not in the original post, this situation is a good opportunity to try walking that middle road.
posted by mdevore at 4:32 AM on December 26, 2008

« Older Lusitania Songspiel, Bitte?   |   Licorice Search in NYC? Newer »
This thread is closed to new comments.