Last Try Before I Shoot Old Yeller
May 27, 2008 6:47 PM

Windows XP TrojanFilter: I caught a trojan, cleaned it out, and now...100% CPU usage making my computer unusable, and I can't turn on Windows Update besides. With System Restore off, and every piece of software I've run so far telling me it's now clean, how can I fix my system without wiping my hard drive?

My computer runs fine in safe mode, and I used Autoruns to delete some suspicious looking dll files. I'd use my Sony VAIO a690's restore partition, but I'm worried it won't do the trick. I don't have enough media to fully back up my computer, and I don't seem to have a Windows XP disk. With my tech wizard friends out of town, I'm stuck, and these kinds of problems aren't my forte. Any ideas before I reluctantly start from scratch?

(I've been using up to date versions of Norton Antivirus, Ad-Aware free version, Spybot S&D, and HijackThis.)
posted by StrikeTheViol to Computers & Internet (18 answers total)
I'd imagine the restore partition acts as your XP disc. I know for one thing that Dell did not send me Vista discs when I bought a new laptop a year ago--it's possible Sony plays the same game.

As much of a pain as it can be to restore a machine, this sounds like a situation where it's worth it. As for backing up all of your stuff, external hard drives can be had pretty cheap, and I'd assume you don't need more than 100 GB. That kind of drive wouldn't cost you more than a hundred dollars, and it's a good thing to have around for general backup in case of a hard disk failure.

Good luck!
posted by kjackelen05 at 7:09 PM on May 27, 2008

can you boot in safe mode?
if you can, download and install Process Explorer and put a shortcut to it in the startup folder and then reboot. It will tell you exactly what program is hogging your cpu.
posted by jak68 at 7:23 PM on May 27, 2008 [1 favorite]

The Task Manager should be able to tell you who's using up the CPU. You get that by hitting "Control-Alt-Delete".

But sometimes you have to be patient; under adverse conditions (like yours) it may take minutes to pop up after you hit the keys.
posted by Class Goat at 7:28 PM on May 27, 2008

I would just use task manager as Class Goat describes. Easier to use than Process Explorer and does the trick.

I would also disable your AV and spyware software temporarily. I've seen it do what you describe.
posted by jmd82 at 8:02 PM on May 27, 2008

Response by poster: Heh, I know that Task Manager doesn't show anything I can easily pick out as fishy... I tried disabling my AV and no luck... the only thing I can think of off the top is an instance of run32.dll, but after I terminate the process it does nothing.
posted by StrikeTheViol at 8:18 PM on May 27, 2008

Does it work OK in Safe Mode?

If so, use Spybot Search & Destroy's "System Startup" tool to disable all your startup programs, and try again in normal mode. Add things back stepwise and reboot until you find out what's killing you.

I'd lay money on a malfunctioning Norton Antivirus, myself.

Read this thread before you get to the point of having Had. Enough.
posted by flabdablet at 8:44 PM on May 27, 2008

What process is being so piggy? If it's svchost, try this - at a DOS prompt: tasklist /SVC to see what's using svchost.
posted by theora55 at 8:47 PM on May 27, 2008 [1 favorite]
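The `tasklist /SVC` trick above answers "which services live inside which svchost", but not "which svchost is eating the CPU". The script below is an added example, not something posted in the thread: it joins the service-to-PID map from WMI with per-process CPU time, and flags any svchost.exe that either hosts no service at all or runs from somewhere other than System32, both classic signs of a process that is only pretending to be svchost. It assumes Windows PowerShell with WMI available (Get-WmiObject is what the 2.0 release that runs on XP provides; newer hosts can use Get-CimInstance instead).

```powershell
# Added example, not code from the thread: PowerShell equivalent of
# `tasklist /SVC`, joined with CPU time per svchost instance.
# Assumes Windows PowerShell (2.0 or later) with WMI available.

function Get-SvchostServiceMap {
    # Group running services by the PID that hosts them (WMI reports UInt32,
    # Get-Process reports Int32, so cast both to [int] for hashtable lookups).
    $byPid = @{}
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $pid = [int]$_.ProcessId
            if (-not $byPid.ContainsKey($pid)) { $byPid[$pid] = @() }
            $byPid[$pid] += $_.Name
        }

    # A genuine svchost.exe lives in System32 (SysWOW64 as well on 64-bit
    # Windows) and hosts at least one service. An instance failing either
    # test deserves a closer look before anything else on the box.
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $svcs = $byPid[[int]$_.Id]
        $path = $_.Path                      # may be $null without admin rights
        $svcText = if ($svcs) { $svcs -join ', ' } else { '(none)' }
        $suspicious = (-not $svcs) -or ($path -and ($path -notlike "$system32\*"))
        New-Object PSObject -Property @{
            PID        = $_.Id
            CPUSeconds = [math]::Round([double]$_.CPU, 1)
            Services   = $svcText
            Path       = $path
            Suspicious = $suspicious
        }
    } | Sort-Object CPUSeconds -Descending
}

Get-SvchostServiceMap | Format-Table Suspicious, PID, CPUSeconds, Services, Path -AutoSize
```

Run it from an elevated prompt so Path is populated; the top row is the instance to investigate, and its Services column tells you which service to stop (or which driver reinstall to try) rather than killing svchost blind, which on XP tends to take networking or the Windows Update client down with it.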

Seconding the suggestions about Norton, svchost, etc. But if it does come down to wiping the disk, you don't need to back up everything...just the data you can't restore from installation disks. If you've been reasonably disciplined about where you put stuff, you should be able to back up My Documents and put it back in later. When I was a Windows user (I'm a Mac user now) I tended to need to restore my system every six months or so...not that anything went wrong with Windows as such, but I did a lot of software testing, installing and uninstalling, etc. I could rebuild my laptop to a productive state from bare metal in a couple hours, and perhaps another half day to fully tweak it to my specs (between bouts of doing my regular work).

A portable hard drive is your best friend.
posted by lhauser at 9:44 PM on May 27, 2008

try running superantispyware free version. I've had better luck with it when it comes to trojans than spybot.
posted by meta87 at 10:34 PM on May 27, 2008

how can I fix my system without wiping my hard drive?

Regardless of what anyone else says in this thread, you can't. This is not negotiable. There is no way of weaseling out of it.

Like it or not, you MUST nuke and reinstall to ever be sure you have a clean system again. This is absolute and not open to debate. Once you've been compromised, code can hide anywhere. If you audit every byte on the drive from another, known-clean computer, even THEN you could still miss some flavors of virus.

Microsoft's own system engineers have been known to be baffled by some spyware installations.

You have to nuke it. Any other solution can leave you compromised.
posted by Malor at 11:37 PM on May 27, 2008 [1 favorite]

Some Trojans damage the system as a side effect of their propagation, or simply out of spite.

For some Trojans, the implementation of cleanup routines is really hard because the Trojan might be programmed to fight against its removal.

Even when removal does work and the propagation stops, the antivirus will not repair the damage to the system. That damage might be irreversible, short of a reinstall.

Your document files might also have been damaged by the Trojan. They might also be damaged further each time you boot your computer, if the attempt at removing the Trojan by the antivirus wasn't effective.

This is the worst case scenario. Given the above, my policy is to reinstall Windows after an infection, unless I can confirm that the Trojan is not of a damage causing variety. I use databases of the technical specifications of viruses to do that research.

You say you don't have enough media for a backup. Go buy enough media. Then buy some more, enough to do regular backups of your system. The three most common causes of data loss are theft, accidental overwrite, and virus. You just got hit by #3, don't let it happen again. See also this blog post of mine on backup.
posted by gmarceau at 11:41 PM on May 27, 2008

Best answer: I don't think damage would typically represent as 100% computer usage; it would more likely show as a bluescreen or popping error messages. It sounds more like the virus wasn't fully cleaned. Or maybe one of those "suspicious" deleted DLLs shouldn't have been, and a driver needs to be reinstalled. Using the Process Explorer download mentioned above to check which program/process is hammering the CPU is a good start.

Also, do you know your way around the registry editor? Registry editing can catch a lot of inserted spyware and viruses. You have to be a bit careful mucking with the registry, but it's not rocket science. Ensure that you do registry editing in safe mode because some viruses work in tandem with their memory images, constantly reinserting themselves into the registry if you delete them. Otherwise you have to find and kill their process and then use the registry editor in the same session. Can be done, but it's harder.

OK, now I'm going to piss some people off concerning previous comments. Can't be helped, it's time to say it, because you and everyone else who reads these comments have been getting some bad advice here, elsewhere on AskMe, and the net in general. So here goes....

You do not have to nuke it. I've pussy-footed around from saying this so directly before, but it's time to make a stand: the "always nuke" advice for spyware or viruses is simply wrong.

I have read more horror stories of lost data from reinstalls than from people who took the time to clear out an infestation. People have even posted to AskMe bemoaning a post-nuked computer situation. Recently someone I personally know had an issue when I wasn't available to clean their computer, took it to one of those "nuke-it to be sure" people and boom! lost data, hours of recovery with the good fortune that it was data that could be recovered. It is very hard to anticipate all the data you may lose in a full nuke, you think you got everything and ooops, you forgot some seldom-used thing that takes hours to get back if you even can. Look at it this way: if you already forget or neglect to back the data up, you'll probably forget it needs to be saved before the wipe.

As part of tech support, I have cleared dozens of computers of bad infestations without once doing a full restore. Am I a brilliant crime-fighting superhero? Sad to say, but no. Yet I have never come across an infestation that could not be cleared with patience and pluck. Are they out there? Sure. So are man-eating tigers.

Every person wants to believe that there are evil geniuses out there with nothing better to do than infest computers, and they are such devious evil geniuses that the stupid schmucks who actually get paid to fix these things can't fight them except by burning everything in sight down to scorched earth. It's a great story, plot line to a million movies. It is also baloney. B-A-L-O-N-E-Y. Alternatively, B-O-L-O-G-N-A. There are instances of serious infestation where recovery is unlikely, but you know what? You probably don't have one if your computer boots and runs your programs. Do you move millions of dollars through your computer? No? You're probably not getting personal attention from one of those evil genius custom jobs, then.

Of course, if you have a vanilla setup with all your data safely stored on an external drive or the net, and you're sure about that, then a full nuke can be faster and easier than a tedious recovery from a bad infestation. But that's a different situation than what's described here.

It's time to make a stand against this ridiculous attitude, so I'll try to do my part. Any Metafilterian who has an infestation and has no local or available help to clear it, for whom AskMe doesn't give a good solution, who can reasonably communicate in English, and who has a modicum of patience, drop me a note and I'll do what I can to help you out by e-mail, chat, MetaMail, meeting at a local safe site, or freaking carrier pigeon if you supply the pigeon. But please, do not auto-nuke on a virus or spyware infestation. It is a last resort that is usually avoidable.
posted by mdevore at 9:43 AM on May 28, 2008 [6 favorites]
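Two of the answers above come down to the same procedure: flabdablet's "disable every startup item, then add them back one at a time", and mdevore's "go through the registry from Safe Mode, because a live copy will keep rewriting the keys". The script below is an added example, not code from either poster or from any of the tools named in the thread. It enumerates the registry autostart points a trojan most commonly hooks (the Run/RunOnce keys, the Winlogon Shell and Userinit values, and AppInit_DLLs), resolves each value to a file on disk, and flags the rows worth a manual look: a file that no longer exists (an orphan left by a half-finished cleanup, or a payload that renamed itself), a file living under the user profile or TEMP, a file with no valid Authenticode signature, and any Winlogon or AppInit value that is not the XP default. It assumes Windows PowerShell (2.0 or later); the flag heuristics are this example's own.

```powershell
# Added example, not code from the thread: list registry autostart entries
# and flag the ones that warrant a manual look. Run from Safe Mode so a live
# process cannot rewrite the keys while you read them. Assumes Windows
# PowerShell 2.0+; the "suspicious" heuristics are this example's own.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
$WindowsKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'    # AppInit_DLLs

function Resolve-CommandPath([string]$cmd) {
    # Pull the executable out of a value such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   rundll32.exe evil.dll,Start
    if (-not $cmd) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1) }
    $first = ((($cmd -split '\s+')[0]) -split ',')[0]
    if ($first -notmatch '[\\/]') {
        # Bare names (Explorer.exe, rundll32.exe) resolve against %SystemRoot% and System32
        foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
            $candidate = Join-Path $dir $first
            if (Test-Path $candidate) { return $candidate }
        }
    }
    return $first
}

function Get-EntryFlags([string]$path, [string]$name, [string]$cmd) {
    $flags = @()
    if (-not $path -or -not (Test-Path $path)) {
        $flags += 'FileMissing'                 # orphaned by a cleanup, or payload moved
    } else {
        if ($path -like "$env:TEMP\*" -or $path -like "$env:USERPROFILE\*") { $flags += 'UserWritableDir' }
        # Many XP system binaries are catalog-signed and report NotSigned here,
        # so treat this as a prompt for a second look, not as proof by itself.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "Sig:$($sig.Status)" }
    }
    # Winlogon hooks: anything beyond the defaults is a second, hidden loader.
    if ($name -eq 'Shell' -and $cmd.Trim() -ne 'Explorer.exe') { $flags += 'ShellHooked' }
    if ($name -eq 'Userinit' -and @($cmd -split ',' | Where-Object { $_.Trim() }).Count -gt 1) { $flags += 'UserinitHooked' }
    if ($name -eq 'AppInit_DLLs' -and $cmd.Trim()) { $flags += 'AppInitDLL' }   # loaded into every GUI process
    return $flags
}

function Get-AutostartEntries {
    $targets = @()
    foreach ($k in $RunKeys) { $targets += @{ Key = $k; Names = $null } }      # every value in the key
    $targets += @{ Key = $WinlogonKey; Names = @('Shell', 'Userinit') }
    $targets += @{ Key = $WindowsKey;  Names = @('AppInit_DLLs') }

    foreach ($t in $targets) {
        if (-not (Test-Path $t.Key)) { continue }
        $props = Get-ItemProperty -Path $t.Key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                             # provider metadata, not a value
            if ($t.Names -and ($t.Names -notcontains $p.Name)) { continue }
            $cmd  = [string]$p.Value
            $path = Resolve-CommandPath $cmd
            New-Object PSObject -Property @{
                Key     = $t.Key
                Name    = $p.Name
                Command = $cmd
                Path    = $path
                Flags   = (Get-EntryFlags $path $p.Name $cmd) -join ','
            }
        }
    }
}

# The output is a worklist, not a kill list: export each key with `reg export`
# before changing anything, and rename rather than delete the first time through.
Get-AutostartEntries | Sort-Object Flags -Descending | Format-Table Flags, Name, Path, Key -AutoSize
```

Used with the bisection approach, the unflagged rows are the ones to re-enable first; a row that shows FileMissing after you have already deleted a DLL with Autoruns (as the poster did) is exactly the stale pointer that produces a startup error loop, and the fix there is to remove the registry value, not to hunt for a file that is already gone. This covers only the registry side; services, scheduled tasks, browser helper objects and the Startup folder are separate lists, which is why Autoruns shows so many tabs.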

Heartily, lustily, joyfully cheering mdevore. Couldn't agree more strongly, on technical grounds.

However, it has to be said that nuke-and-pave is the course that most commonly makes economic sense to people who are not accustomed to accounting for the cost of their own labour.

Taking a Windows box from factory condition to useful working condition is something that pretty much every Windows user has already done, and therefore already knows how to do, without paying for expert assistance. It's a long, slow, painful process, and it's usually not done terribly well, which is why so many Winboxen end up vulnerable to assorted infestations. That vulnerability is made worse by the fact that the default factory configuration generally looks like this: a single Computer Administrator user account, IE as the default browser, poor-quality commercial virus protection set to expire in mere months, no useful apps installed, loads of branding bloatware. Without that expert assistance, most people don't end up setting their box up to stay safe.

It generally takes me a solid day's work to get a fresh Windows installation to the point where the customer is happy that it's going to do what they want it to, and I'm happy that it's not likely ever to get infested provided they follow the advice I've spent all day giving them. I generally charge AU$100 for this.

It takes me about the same amount of time to convert a heavily infested Windows box into one that works properly and will continue to do so, since removing an infestation generally doesn't take more than about twice as long as performing the minimal bare-metal Windows installation. Most of the time is spent removing bloatware and reconfiguring the box so it will keep on working safely, training the customer about the new annoyances to be expected from running as a limited user, and so forth. I generally charge $100 for this as well, or less if I don't reckon the customer can afford $100.

But that's me, and the way I work makes no economic sense whatsoever. Somebody with my skills and background ought to be making at least AU$60 per hour, not $100 for a day that has often stretched to 12 hours. But I'm not a greedy man, and I'm making enough to pay the bills, so I don't care. Essentially, making people's computers work properly for them is my hobby. I object to the idea that a $900 computer of which $200 was paid for the operating system should actually require another $700 worth of work before it actually does what it was bought for. So I work my arse off just to be able to stay in denial about that. I work for people I know personally, who live near my home, and I don't solicit business by advertising. And as you'd expect from somebody working so far below the market rate, I'm always slightly busier than I want to be.

The thing is, most people don't live near somebody like me or mdevore. Most people have to rely on commercial support. And because the idea of paying close to $1000 just to get their computer set up properly is so far removed from what the sales guy at the computer store told them their computer would cost, most people feel the same way about that idea as I do: not. gonna. happen. The general expectation is that if something goes wrong with your home computer, fixing it will cost $100 or less.

That's about what the computer shop in the main street charges for a nuke and pave to factory condition, or for basic virus or spyware removal. And of the two, nuke and pave needs far less technical skill, and the manager can safely entrust it to the PFY in the back room without risking much blowback.

It only takes one missed piece of a trojan for it and all its little friends to come swarming back in, and if the service tech misses that one piece on one in twenty malware removals, that generates enough complaints to start making the shop look bad. People have a tendency to get more upset, often quite loudly so, by what they perceive as shoddy work than by having to re-do their whole computing environment from ground zero.

That environment has zero economic value to the computer shop. Putting the customer's world back together costs the customer, not the shop. So, from the shop manager's point of view, not only is nuke and pave more profitable, but it's less likely to prompt complaints. Which is why so many nuke and paves end up getting done, and why there's this widespread expectation that they are the Right Thing. After all, the store told me they Had To Do It That Way To Be Sure, and they wouldn't lie to me would they?

For me, and I suspect for mdevore, this situation is maddening. It's as if the standard treatment for persistent tinea was amputation below the knee.

mdevore, I absolutely applaud the sentiments you've expressed above, but I think you may well be underestimating the amount of skill you actually do bring to bear on your more difficult malware removals. I also think you underestimate the amount of time your generous offer above is going to cost you.

So, that's Windows Economics 101. Bottom line: it's gonna cost you, one way or the other, unless you hook up with a friendly local geek who gives a shit.

Now let's look at Ubuntu Economics 101.

It takes me maybe two hours to do a bare-metal Ubuntu install, and another hour of training, to get a computer to the point where it's capable of doing useful work for the customer and I'm confident that it will continue to do so while maintained solely by the customer. That's about a quarter of the time it takes me to achieve the same thing with Windows. And this is not because I'm more familiar with Ubuntu than with Windows. Although I wouldn't use a Microsoft product on my own computer if you paid me, I spend most of my working life dealing with Winboxen in various states of disarray. I know Windows well enough.

It's because Ubuntu is open, and most of its problems are due to bugs rather than to deliberate vandalism, which means that (a) most of the problems have simple workarounds, generally easily found on the Ubuntu forums or in the Launchpad bug tracking system and (b) the update system fixes most of them anyway.

Ubuntu has a tiny minority market share, which is keeping it comfortably under the malware radar. It also has a Unix cultural inheritance, which means there's no incentive at all to run it with admin rights turned on for everyday jobs, which means nobody does, which means malware can't get a toehold anyway. So it won't waste your time with malware.

Ubuntu supports more hardware out-of-the-box than any other OS I've ever seen. When you buy a new printer, or a new Bluetooth dongle, or a new just about any damn thing, you just plug it in, and it just works. No faffing about with manufacturer-supplied CD-ROMs required.

Finally, the Gnome environment that comes standard with Ubuntu is, on balance, more pleasant to work with than Windows Explorer, and the preinstalled apps deal smoothly and easily with most people's basic computing needs without requiring them to spend another cent.

So. IF you can't find a local me, or a local mdevore, and IF you're about to do the nuke and pave because you perceive that as your best economic option, DO seriously consider paving at least half of your nuked computer with Ubuntu. The current version (Hardy Heron) looks beautiful, works well, and is a Long Term Support release so it will still be looking beautiful and working well for the next three years.

Most people can remove persistent tinea by switching from permanently damp Nikes to Birkenstocks and sensible cotton socks.
posted by flabdablet at 7:55 PM on May 28, 2008

Response by poster: So mdevore was right, and he helped me out for free to prove it! Still working out kinks as I type, but the short answer is registry editing, patience, and an extremely helpful and generous MeFite. Thanks mdevore!
posted by StrikeTheViol at 8:21 PM on May 28, 2008

You do not have to nuke it. I've pussy-footed around from saying this so directly before, but it's time to make a stand: the "always nuke" advice for spyware or viruses is simply wrong.

This is bullshit. Part of what I do is computer security. Once a machine has been compromised, you cannot know it is clean unless you wipe it. Any advice to the contrary is incorrect.

Yes, you can sometimes clean a machine if you don't wipe it. But you can't ever know for sure you got everything. Most modern viruses download new code, sometimes customized per installation. Virus scanners often won't find it. You can clean the primary vector of infection and completely miss the payload.

Just because a machine LOOKS clean doesn't mean anything. The best viruses are subtle; they use your machine to send spam, capture and store your keystrokes for password information, and provide a backdoor into the system for bad guys to look around. There are some proof-of-concept viruses that hoist themselves into virtualization space, where they are completely invisible to any process running on the OS, and yet retain absolute control over the machine. And all of this can happen without a virus checker having ANY IDEA that anything is going on, and your system can look completely normal while all these things are happening.

There are millions of infected PCs in the wild. Why is that? In many cases, it's because the owners believed the bad advice that PCs can be disinfected without nuking.

Spammers LOVE it when "experts" give that advice.
posted by Malor at 7:34 AM on May 29, 2008

My goodness, you're using the Invisible Pink Elephant argument. How can I prove that there aren't Invisible Pink Elephants, really small ones, living in my computer? Well, I can't. Must be in there, huh?

You know what? You don't know that your very own computer doesn't have ten viruses living in it right now. No symptoms? Wow, that's my major-grade virus there, it's so damn sneaky that it's getting past an expert such as yourself. I would recommend you nuke your computer every five days, at least it keeps those hopeless odds more towards your side. Paranoia abounds, and you're helping it along. Doesn't the world live in enough fear and binary thinking already? Computer works or kill it, works or kill, works or kill, yadda yadda yadda.

According to your argument, we know there's a virus if it's crude enough to show symptoms, but sophisticated enough to avoid eradication by anyone who has any training or experience, no matter what. Wow, that's some weird set of rules for nuking right there, the virus has to be simultaneously really stupid and really smart. Something wrong with that concept, maybe nuking isn't the right answer always.

Spammers and their ilk love fear, uncertainty, and doubt when it comes to computers, because nobody knows who to believe, what to believe, and what to do. Millions think maybe they have a bug, maybe they don't, who can tell, they'll just muddle along and hope everything is OK. Every so often people will stupidly nuke their computer because Joe's Spyware said they had an infected cookie, to little effect, of course. They could be educated on basics about viruses and what to do, to help reduce the FUD, or hey, they could just say I'll hit the damn thing with a ten-pound sledge if it misbehaves too much. Yeah, spammers love people who post bullshit, just like you did.
posted by mdevore at 9:00 AM on May 29, 2008 [2 favorites]

Once you know your machine has been compromised, you cannot be sure it's clean again unless you wipe it. You just can't. Can't can't can't. Any argument to the contrary is ignorant. Rootkits are very good these days; even finding one is extremely difficult, and removing one is harder still... and then how do you know you got all of it?

You, sir, do not have the technical qualifications to tell someone that their computer is clean after a known infection. You are doing them a profound disservice by pretending to have knowledge you don't have. It's especially egregious what you've done to this poor person: you have convinced them that they are clean and safe when nothing could be further from the truth.

A false sense of security is the worst possible outcome after a known compromise.

In my opinion, there should be some kind of professional review board, and you should be sanctioned for irresponsible behavior. You have done this person a profound wrong. You convinced them that they are safe and secure when you can make no such actual guarantee. You're telling the ignorant what they want to hear, instead of the actual truth.

What you've done to this asker really should be a crime.
posted by Malor at 11:59 AM on May 29, 2008

And you sir, have gratuitously insulted someone about whom you know nothing, because they had the temerity to disagree with your strongly held (and wrong) position. I missed your counterarguments, no doubt they were masked by the abuse. "Yes it is, no it isn't, yes it is, no it isn't" doesn't make for a compelling or convincing debate. Maybe someone could stop flapping their fingers and actually help a person out, demonstrate a virus can have its teeth pulled and the crippling removed in real life -- oops, I forgot, I did that. Is that what crawled up your nose?

I didn't say he was clean and perfect, or safe. No one can ever offer that guarantee. Life's like that. I offered to help out with a problem. A problem was found, it was corrected. Are there other problems? Might be, could be, probably not a virus though. I hope most people don't live in constant fear of the big bad unstoppable virus. Most common viruses can be stopped with work, if one has the time and wishes to spend the effort. Sometimes the effort is too much to spend, and sometimes the effort spent falls short. Life is also like that.

But I have made a living using computers for the last two decades. I have spent about twenty-five years giving back to the open source/public domain and computing community because of all they've given me. I have contributed hundreds of thousands of lines of code to the public domain, and tens of thousands of hours of uncompensated help. I've written free and commercial tools for computers going back to the mid-1980's, and offered help on forums going back to the BBS's heyday. I believe in helping people and getting helped in return, and I'm quite careful about my responsibilities when doing it.

That all doesn't make me a Computing God or particularly special compared to many other people, including some on MetaFilter who are Big Names in the computing community and should get all the accolades that go with that, but it probably makes me a bit more intolerant of people who act like punks online. It shouldn't, but it does because I'm not nearly perfect, and outrageous comments can still anger me once in a while. Nor do I expect thanks from people, though it's nice when I get it. What I would like to expect not to get, but occasionally do still get, is egregious abuse from random internet griefers like you.

And we're off-topic on the question by now. If you want to insult me, continue in e-mail where you can feel appropriately vindicated and I can ignore you. Win-win, all around. AskMe is not the venue for this crap.
posted by mdevore at 1:01 PM on May 29, 2008 [4 favorites]
