The Cockroach of the Internet
April 23, 2011 6:39 AM

My parents seem to have a fairly stubborn Trojan on their computer that periodically will forcibly install various Facebook-related apps. They don't even USE Facebook; but I check my own account when I visit them (about twice a year). I've just run Malware Bytes and run their Norton; Malware picked something up and killed it, but then it tried to install something again and I ran Norton, but that only found one cookie. Help?
posted by EmpressCallipygos to Computers & Internet (16 answers total) 2 users marked this as a favorite
 
What would Deezil do?
posted by flabdablet at 6:43 AM on April 23, 2011 [3 favorites]


More details, please. What apps? Any special pop-up messages? Can you check the Malwarebytes log and find out what it killed?

My Mwb logs are here:
C:\Documents and Settings\Administrator\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

... but check under here, too:
C:\Documents and Settings\YOUR_USERNAME\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs

Hard to kill something if we don't know what it is.

However, you could download a bootdisk/system checker from a free, top-rated Antivirus program like Avira, burn it on CD, and boot from there. Not sure which of these is what you want, but I suspect the first one:
avira-antivir-rescue-system
antivir-boot-sector-repair-tool
avira-antivir-removal-tool
posted by IAmBroom at 7:34 AM on April 23, 2011


I checked the Malware log -- the thing it found seems to have been called "Funwebproducts." It tried to install something called "Smiley Central."

But the reason I think there's something still on here is that I had it try to install a program called "Friendship finder" or something like that AFTER that Malware scan and fix.

Hard to kill something if we don't know what it is.

No shit.

What apps? Any special pop-up messages?

Smiley Central was one it tried to install; I also found that it had already installed something called "Yodool"; I found that in Programs Manager and uninstalled it, and it also tried to install that "friendship finder" or some such. No popups -- the computer would just spontaneously start running an installation app unprovoked. It seems to be behaving now, but I'm just worried.
posted by EmpressCallipygos at 7:51 AM on April 23, 2011


Sorry, that "no shit" was unnecessarily snarky. I only came here after googling "facebook apps virus" and such, and have only found that there IS a malware thing that does this, but I could not find a) the title, or b) any removal instructions. So I got stumped.
posted by EmpressCallipygos at 8:02 AM on April 23, 2011


If you can catch it in the process of installing something you could run task manager and see what the process name is. Of course, they could randomize that, but it's a start.

FunWebProducts appears to be a browser based annoyance. It changes your home page and gives you lots of popups. If you aren't seeing that then it probably isn't that (although Smiley Central is related to FWP).
posted by It's Never Lurgi at 8:12 AM on April 23, 2011


Boot the computer up in safe mode then scan and delete with Malware Bytes. If that still can't get rid of everything, just use ComboFix
posted by astapasta24 at 9:23 AM on April 23, 2011 [1 favorite]


Deezil's got a good amount of info in his profile (1st post above). However it is not a one-fix-for-all. I would be cautious with combofix, make sure all their important data is backed up before using it.

I like to compare combofix to a hardcore dose of antibiotics. Helps in many cases...but if used in the wrong scenario it can make the problem much MUCH worse. For the systems I clean, it's often saved as a last resort...and often not needed to be used at all.

If you'd like some walkthrough assistance with this issue...download and run a full scan within OTL.EXE which will provide a log that we can analyze to help pinpoint anything out of place.

For privacy when posting your log, I recommend using PasteBin which you can delete once things are cleared up. (since there's no delete or modify button on metafilter)
posted by samsara at 4:15 PM on April 23, 2011


You might also want to revisit their Facebook security settings a little. Be sure to opt out of Instant Personalization (under App Settings/Edit). Have them change their password as well in case their account has been compromised. They may have had a particular Sality trojan that steals credentials and installs rogue apps just as you described.
posted by samsara at 4:37 PM on April 23, 2011


Norton is worse than useless. Get rid of it and use Kaspersky or, well, anything else.
posted by joannemullen at 5:27 PM on April 23, 2011


Hi all --

I booted it up in safe mode and ran Malware again; it didn't catch anything. And the computer seems to be behaving itself. Taking a lot of the bloat out of the startup also helped. I think that initial "Funweb" fix took care of things, and there was just one rogue process that I cancelled the installation and deleted it, and that seems to have done the trick.

Unfortunately, any more serious fixes than that are off the table -- my parents are very, very computer-phobic, and anything bigger I do is going to get me accusations of "messing with the computer." Dad especially is very set in his ways when it comes to virus software, computer care, etc. (insanely, he will not turn the computer off because he heard somewhere that that was good for it, and flat-out refuses to brook alternate opinions on the topic), so I think Norton is going to stay.

My parents don't use it much -- it really only affects me when I visit (and I can't use my own computer, because they don't have a wireless router to let me hook onto their signal - alas). But we're in okay shape now, and I'm going home today anyway so we're at what passes for normal around here now. Thanks.
posted by EmpressCallipygos at 6:28 AM on April 24, 2011


I bought my parents a cheapo wireless router for just that reason.
posted by nevercalm at 9:14 AM on April 24, 2011


Actually, while we're at it, there's another puzzler about my parents' computer - something that's been happening for a while now.

Sometimes, the bottom task tray will suddenly start opening up a new tab, like a program is trying to open up -- but then the tab will go away. It's never prompted by anything I do, and it never reveals the name of the program it's attempting to open (I've tried quick right-clicking on it when I see it, but it goes away too fast), and there's no pattern to when it appears. I just see the tab pop up with a white rectangle in place of the icon, and then it goes away right away.

This has been going on for about a year now, and I've run a ton of virus scans on this thing (I know they're not doing it, so I try to do that for them while I'm visiting so at least SOMEONE does it), and often it never catches anything. Is there any way to figure out what this rogue program is? Or -- Task Manager pulls up a list of all the processes that ARE running. Is there a way to get a list of the programs that it just TRIED to open but failed? Because for the life of me I cannot figure out what this weird thing is, or whether it should be there.
posted by EmpressCallipygos at 7:57 AM on April 25, 2011


Trying out Hijackthis or OTL still applies for this. Malwarebytes and Virus scanners will only pick up on *known* malware (which on a good day is 40% of what's really out there). While hijackthis and OTL can simply show you things that are launching at startup or being hooked into your running processes.
posted by samsara at 5:13 AM on April 26, 2011


It's a Windows box, it relies on Norton for security, and it apparently has a deranged sysadmin. Who knows wtf is running on it at any given moment? You never will.

Don't do your Internet banking on that box.
posted by flabdablet at 6:23 AM on April 26, 2011


flabdablet -- oh, no way. (I'm not visiting often enough anyway!)

Samsara -- you can memail me if you like; but how exactly does one use "Hijackthis"? I've seen it invoked a lot, but never really been clear how it works, how to get a report, and what you do once you do run one.
posted by EmpressCallipygos at 6:41 AM on April 26, 2011


The usual way to use HijackThis is to run a scan, save that, and post it somewhere where somebody who Knows Stuff will cast an eye over it and identify anything suspicious.

All it does is scan a bunch of places that Windows allows stuff to be hooked into. Much of the stuff that's hooked into those places is harmless and/or necessary, so telling HJT to "fix" things without knowing exactly what you're doing and why is generally a good way to screw a Windows box up quite thoroughly.

Doing a bunch of HJT scans on a bunch of clean Windows boxes is a pretty good way to get familiar with what's supposed to be there.
posted by flabdablet at 7:16 AM on April 26, 2011 [1 favorite]
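
The baseline comparison suggested in the answer above, as an added example that is not part of the thread and not HijackThis's own code: it parses two saved scan logs and lists the hook entries that appear in the current log but not in one taken from a known-clean machine. It assumes log entries of the form `O4 - details` (a section code, " - ", then the entry); the sample logs, product names and paths are constructed.

```python
import re
from collections import defaultdict

# Assumed entry shape: section code (R0, F2, O4, O23 ...), " - ", then details.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<detail>.+)$")

def parse_entries(log_text):
    """Return the set of (code, normalized detail) entries found in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # header and running-process lines do not match and are skipped
            # Windows paths are case-insensitive, so compare case-folded text.
            detail = " ".join(m.group("detail").split()).lower()
            entries.add((m.group("code"), detail))
    return entries

def new_since_baseline(baseline_text, current_text):
    """Group entries that are in the current log but not the baseline, by code."""
    added = parse_entries(current_text) - parse_entries(baseline_text)
    grouped = defaultdict(list)
    for code, detail in sorted(added):
        grouped[code].append(detail)
    return dict(grouped)

# Constructed sample logs; every product name and path here is made up.
BASELINE = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\tray.exe"
"""

CURRENT = r"""
Logfile of HijackThis (constructed sample)
Running processes:
C:\WINDOWS\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: ExampleToolbar - {00000000-0000-0000-0000-000000000000} - C:\Program Files\ExampleToolbar\bar.dll
O4 - HKLM\..\Run: [ExampleAV] "C:\PROGRAM FILES\ExampleAV\tray.exe"
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Application Data\upd.exe
"""

if __name__ == "__main__":
    for code, items in new_since_baseline(BASELINE, CURRENT).items():
        for item in items:
            print(f"NEW {code}: {item}")
```

An entry reported here is only new relative to the baseline, not necessarily malicious; it is the short list to look up or show to someone who knows what belongs there.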

