Adware everywhere
February 7, 2007 1:53 PM

Please help me get rid of this spyware infection before I just give up and re-install Windows.

My PC is infected with what seems like at least 2 or 3 different varieties of spyware/adware/malware. This started happening a day or two ago after someone else in the house fell for a MySpace bulletin posted under someone else's phished/hacked account. I hardly ever actually use my PC so I didn't notice until this morning.

I've got a small blinking icon in my taskbar that alternates between an X in a circle and then a question mark. It pops up little messages about "Critical System Errors!". From what I understand, this is a malware program named VirusBurst.

The most noticeable problem though is whatever that's installed on here and is opening Firefox windows to various ads and webpages. It happens in bursts, up to 4 or 5 popups at a time, and seems to happen randomly. While typing this, it's only happened once, but in the time it took to get over to AskMefi it happened 2 or 3 times.

The worst part of all of this is that there seems to be yet another malware program that closes Lavasoft's Ad-Aware or Spybot S&D before they even start. It will also close any browser window that I use to try to search for Ad-Aware or any other spyware removal tools. This is supposed to be something called CoolWebSearch, but every tool I try which is supposed to remove CoolWebSearch claims that it can't find it on my system.

So what can I do, other than giving up and reinstalling Windows (along with all the software and games that are currently installed)? I can post a HijackThis log if anyone asks for it.
posted by Venadium to Computers & Internet (14 answers total)
 
In my experience, re-installing Windows is less work than trying to get rid of CoolWebSearch by other means. YMMV
posted by winston at 2:09 PM on February 7, 2007


It is a Smitfraud variant, and they are nasty. Click here for a good set of instructions for getting rid of it.
posted by Ateo Fiel at 2:10 PM on February 7, 2007


Fun Fun...

There's always Ewido you could try.. online, free..

http://www.ewido.net/en/onlinescan/


Will do virus and spyware scanning quite nicely.. Boot into safemode (F8) and go there in IE. If IE7, use the no add-on mode.

If you can't get there try loading Portable Firefox from a USB drive, and download the demo.

I've also had good luck with Webroot's antispyware.
posted by mattdini at 2:12 PM on February 7, 2007


At best, anti-spyware tools help prevent new infections. None can ever truly clean up an infested system...there are just too many rootkit-style tricks that the bad guys can use. I second the recommendation against trying to clean up the existing installation of Windows.
posted by nomisxid at 2:29 PM on February 7, 2007


These can be nasty. You can never be sure you've completely eliminated it. Some of these programs replace key pieces of windows libraries with their own (slightly different) versions that enable them to regain control at any time.

If you're infected with several pieces of spyware that you know of, there's really no way of knowing for sure that you haven't been compromised by other forms of spyware (rootkits, etc) that are more or less undetectable, especially in your computer's current state.

It's time to wipe and reinstall.
posted by chundo at 2:37 PM on February 7, 2007


Run autoruns and unclick anything suspicious especially if it has a wacky filename or lives in a temp directory. You can google the .exe names to see what they are if you are unsure.

Now reboot in Safe Mode then run Spybot. Make sure to update all the definitions too. When that is done do a full virus scan. Use a free online virus scan like Housecall.

You'll probably have to reinstall but at least you can try to beat this thing. When you're done make a non-administrator account for your friends to play with.
posted by damn dirty ape at 2:52 PM on February 7, 2007
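Damn dirty ape's answer boils down to two triage heuristics for autostart entries: the image lives in a temp directory, or its file name looks random. The script below is an added example (not from any poster in this thread) that applies those two checks to a constructed list of autostart entries laid out like a CSV export from a tool such as Autoruns; the column names and the sample entries are assumptions, not real output, and the verdict is only a shortlist for a human to research, not a clean/dirty decision.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed sample in the shape of an autostart export (Entry Location,
# Entry, Image Path). Column names and every row are made up for this example.
SAMPLE_CSV = r"""Entry Location,Entry,Image Path
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SoundMAX,C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,wmsysupd,C:\Documents and Settings\Bob\Local Settings\Temp\xq7f2kd9.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,MSN Messenger,C:\Program Files\MSN Messenger\msnmsgr.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,syshost,C:\WINDOWS\system32\kb820ls.exe
"""

# Heuristic 1: a program that starts with Windows but lives in a scratch directory.
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp|temporary internet files)\\", re.IGNORECASE)

# Heuristic 2: letters and digits interleaved in the file name (e.g. "xq7f2kd9"),
# which legitimate installers rarely produce but droppers often do.
MIXED_RE = re.compile(r"[a-z]\d+[a-z]", re.IGNORECASE)


def in_temp_dir(image_path: str) -> bool:
    """True if any directory component of the path is a temp directory."""
    return TEMP_DIR_RE.search(image_path) is not None


def looks_random(image_path: str) -> bool:
    """True if the file name stem is long, has several digits, and mixes
    digits between letters. Deliberately conservative: a single version
    digit such as 'SMax4PNP' is not flagged."""
    name = image_path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    digits = sum(ch.isdigit() for ch in stem)
    return len(stem) >= 6 and digits >= 2 and MIXED_RE.search(stem) is not None


def triage(csv_text: str) -> List[Dict[str, str]]:
    """Return the entries that trip at least one heuristic, with the reasons."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Image Path"]
        reasons = []
        if in_temp_dir(path):
            reasons.append("runs from a temp directory")
        if looks_random(path):
            reasons.append("random-looking file name")
        if reasons:
            flagged.append({
                "location": row["Entry Location"],
                "entry": row["Entry"],
                "image": path,
                "reasons": "; ".join(reasons),
            })
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(f"{hit['entry']:<14} {hit['image']}\n    -> {hit['reasons']}")
```

The two entries under Program Files pass both checks; the executable in the user's Temp folder trips both, and the system32 entry is caught by the file-name check alone. Anything on the shortlist is what the poster would then look up by name before disabling it, as the answer suggests.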


I would agree with Damn Dirty Ape about the suggestion to boot into Safe Mode with Networking in order to run your spyware scanners. When you boot up your computer, press the spacebar to get a list of options.

Safe Mode loads the minimal amount of services and device drivers for Windows to run. Safe Mode with Networking gives you the ability to get on the internet to download updates for your spyware apps. I would avoid using any browser while in Safe Mode, since any security applications you have installed wouldn't be running.

Also try running System File Checker (Start-> Run-> type sfc /scannow). You will need the Windows install CD for this, but it will check all of the core Windows files and replace any that have been modified by spyware and viruses.

You can also try using System Restore to roll back to a restore point from before the spyware infestation began.

In regards to 'nuke from orbit' plan, you have two options for reinstalling -- inline install or format & install. An inline install will allow you to retain all of your applications and data (not stored in the c:\windows directory or subfolders). A format & install wipes your hard drive and reinstalls Windows.

You could also buy a new hard drive and install Windows on that, then hook your current drive up as a slave -- you should be safe from most spyware if you have a new boot drive, and you would be able to clean it thoroughly from your new clean Windows install.
posted by Jim T at 3:21 PM on February 7, 2007


I would recommend downloading and installing "HijackThis" from here and then posting the log in one of the forums. I haven't had a spyware problem in longer than I can remember, but when I did, this course of action always helped.
posted by eunoia at 3:34 PM on February 7, 2007


Somehow I missed the last line of your post. Sorry!
posted by eunoia at 3:35 PM on February 7, 2007


Once you're compromised, the only time you can ever truly trust the machine again is after a full reinstall.

Nuke it from orbit. It's the only way to be sure.
posted by Malor at 3:42 PM on February 7, 2007


The best advice I've ever gotten and now use every time is... boot in Safe Mode with System Restore turned OFF. Then if/when you find the bad/evil program, do NOT delete it, RENAME it. Oftentimes they will detect being deleted and simply copy themselves under a new name. Rename the bad thing, then re-boot normally and see if that fixed it. If it did, you might be able to delete it, but only if System Restore is OFF. Once everything is cleaned up, don't forget to turn System Restore back on.

Now, having said all that, I have had to wipe the drive and reload a few times too. If you have to wipe the drive, to save your email and address books, you can do some googling on that. Don't forget to save your personal folders too and virus scan them also.
posted by BillsR100 at 4:46 PM on February 7, 2007


I've said this before: if exterminators followed the tech support model, they'd recommend burning down your house to take care of the termites.

Hie thee forth to the forums at www.spywareinfo.com, and post a HijackThis log in the proper place. These people live for this kind of thing, and step-by-step removal advice will follow remarkably quickly.
posted by Drastic at 5:04 PM on February 7, 2007


Response by poster: Thanks for all the help everyone. Safe Mode w/ Networking worked as far as letting me actually launch AdAware, but it didn't detect nor remove all the infections. I suspect that not all of them are loaded into memory when the system is started in Safe Mode so they would be harder to detect.

I created a new XP user account and that seems to have at least stopped the constant pop-ups. I guess when I find the time I'll nuke it and reinstall everything I need, but until then at least my brother can play his games and use AIM uninterrupted.
posted by Venadium at 1:31 AM on February 8, 2007


Drastic, if you make any recommendation other than nuke and reinstall, you are doing people a bad turn. Once malicious code has run on a system, the ONLY way you can trust it again is if it's run through a full forensic examination from another, known-clean machine. With the advent of rootkits, you can't know that the computer is clean by running scans on the computer itself. You can prove it's 'dirty', but you can't prove it's clean.

Termites are not intelligent agents trying to hide themselves from the exterminator. It doesn't matter how much you think you know about computers or Windows. When spyware can co-opt the functions of the operating system itself, there's just no other way to be sure.

Again: you are giving irresponsible advice. If you make claims to the contrary, you are demonstrating ignorance of just how pernicious malware can be.

With the advent of EFI, it's entirely possible that before too much longer, even a reinstall may no longer clean spyware. Seriously. Malware can install itself into an EFI BIOS, and can start executing and hoist itself into virtualization before the operating system even loads. It can be present, executing, and completely invisible to any agent running on the operating system.

Think of VMWare or Parallels, but for evil, not for good.

Please: stop giving security advice.
posted by Malor at 1:58 PM on February 8, 2007
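Two answers in this thread share one underlying technique: Jim T's sfc /scannow, which replaces core Windows files that no longer match the known-good copies, and Malor's point that a compromised disk can only be examined from another, known-clean machine, and even then you can prove it dirty but not clean. The script below is an added example, not code from any poster, of that check in its simplest form: record a hash manifest from a clean install, then hash an offline copy of the system directory and report what differs. The directory names and file contents are constructed stand-ins for real system files.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (relative path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff a suspect tree against the known-good manifest.

    'modified' and 'unexpected' are positive evidence of tampering. An empty
    report is NOT proof of a clean machine: it only covers the paths the
    baseline lists, not the registry, firmware, or anything outside this tree.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "unexpected": sorted(k for k in current if k not in baseline),
    }


def demo() -> Dict[str, List[str]]:
    """Build a constructed clean tree and a tampered copy, then compare them.

    In practice the baseline comes from a clean install and the suspect tree
    is the infected disk mounted read-only on a separate, trusted machine."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean_system32"
        suspect = Path(tmp) / "suspect_system32"
        for root in (clean, suspect):
            root.mkdir()
            # Constructed placeholder contents, not real Windows binaries.
            (root / "kernel32.dll").write_bytes(b"constructed known-good kernel32 image")
            (root / "user32.dll").write_bytes(b"constructed known-good user32 image")
        baseline = build_manifest(clean)

        # Simulate what a "replace key pieces of Windows libraries" infection
        # leaves behind: one patched library and one dropped driver.
        (suspect / "user32.dll").write_bytes(b"constructed tampered user32 image")
        (suspect / "drivers").mkdir()
        (suspect / "drivers" / "xq7f2kd9.sys").write_bytes(b"constructed unexpected driver")

        return compare(baseline, build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The report names the patched library and the dropped driver, which is exactly the kind of finding sfc acts on by restoring the original file. It says nothing about files the baseline never listed, which is Malor's argument for reinstalling rather than trusting a scan run from the infected system itself.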

