Badware (or why I can't get to Gmail.)
July 20, 2008 9:33 AM

I have some sort of malware on my Dell that constantly redirects me away from where I desire to go. Specifically, it seems to prevent Gmail from working. Also prevents any major search site from loading. Always redirects to some idiotic ad site.

Which means I can't even search Metafilter to find out if this has been asked before. Life without Google is hard!
I'm running an updated Firefox with Windows XP. I have used: HijackThis, Ad-Aware, McAfee (worse than useless), Spyware Doctor, Ewido, everything in the Best Buy toolkit (kind of like Hitman Pro), and Sophos. I can detect and delete a gobbledygook DLL running as an .exe when I use HijackThis, but it respawns when Firefox restarts. I'm not an idiot, but have only enough knowledge of the processes involved to be dangerous. It also seems to disable the Windows Automatic Update service. I've done an end run around my inability to use Gmail by using Thunderbird.

Any suggestions? If the only answers left are reformat, reformat and buy a new machine I can accept that.

FYI: I was running as an admin, a mistake not to be repeated, but something has disabled those privileges, and that something wasn't me.

And yes, my next computer will be a Mac.
posted by Arquimedez Pozo to Computers & Internet (18 answers total)
Don't even bother trying to deal with this... do a reinstall of the OS. You can't trust the machine anymore and I certainly wouldn't be trying to go to Paypal or doing any bill paying with that machine. Otherwise you can try editing \windows\system32\drivers\etc\hosts -- it should not say anything except lines with # and localhost -- if you see weird stuff in there it's been compromised.
posted by crapmatic at 9:42 AM on July 20, 2008
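The hosts-file check crapmatic describes, as an added example that is not part of the thread: a small parser and audit that flags any line other than comments and localhost entries. The sample hosts file is constructed, and 192.0.2.10 is a documentation-range address standing in for a hypothetical ad server.

```python
import ipaddress

# Constructed sample hosts file (not from the thread): the Windows default
# header and localhost lines, plus entries of the kind a browser hijacker
# adds to pin search and mail sites to an ad server. 192.0.2.10 is a
# documentation-range address used here as a made-up attacker IP.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.10      www.google.com gmail.com    # constructed hijack entry
192.0.2.10      mail.google.com
0.0.0.0         localhost
"""

# Names that legitimately appear in a stock hosts file.
ALLOWED_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Yield (line_no, ip, hostnames, raw_line) for each non-comment entry."""
    for no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        yield no, fields[0], fields[1:], raw

def audit_hosts(text):
    """Return (line_no, reason, raw_line) for every entry that should not be
    in a default hosts file: a real hostname pinned to any address (which
    silently overrides DNS for that name), or localhost mapped anywhere but
    a loopback address."""
    findings = []
    for no, ip, names, raw in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((no, f"unparseable address {ip!r}", raw))
            continue
        odd = [n for n in names if n.lower() not in ALLOWED_NAMES]
        if odd:
            findings.append((no, f"{', '.join(odd)} pinned to {ip}", raw))
        elif not addr.is_loopback:
            findings.append((no, f"localhost mapped to non-loopback {ip}", raw))
    return findings

if __name__ == "__main__":
    # On a real XP box, read C:\Windows\System32\drivers\etc\hosts instead.
    for no, reason, raw in audit_hosts(SAMPLE_HOSTS):
        print(f"line {no}: {reason}: {raw.strip()}")
```

A finding only tells you the file was edited; as the follow-up notes, cleaning it restores name resolution but does not make the machine trustworthy.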

(but by the sounds of it it HAS been compromised, so my suggestion about editing hosts will only get you to your favorite websites... the machine still sounds hacked)
posted by crapmatic at 9:45 AM on July 20, 2008

If you're willing to blow away your machine, then I humbly suggest spending 20 cents on a burnable CD and a full day trying Ubuntu. You may just may salvage your machine, save $1500 not buying a Mac, and never have a virus again, all in one go -- all because you're not scared to try something new.
posted by cmiller at 10:04 AM on July 20, 2008 [1 favorite]

Trying to repair a system after it has been compromised this way is like running high octane in the hopes of getting better gas mileage out of a blown motor.

Depends... If this is just spyware, I'd say wrong.

Scan with Hijackthis first.

Download Process Explorer and use the search function in the app to find all hooks to the DLL, find the .EXEs it's running in (through the Process Explorer app) and right-click, go to Properties, then check the threads; suspend all instances and delete with Hijackthis. Do this for all malware related DLLs.

You probably have Vundo or Outerinfo
posted by Dark Messiah at 10:04 AM on July 20, 2008

Alternatively, use ComboFix...

If the files STILL won't go away, create a cfscript.txt with the direct paths to the malware files. PLEASE READ THE WARNING ON COMBOFIX; there is a chance it will FUBAR your OS.... I haven't seen it happen, but it's possible.
posted by Dark Messiah at 10:06 AM on July 20, 2008

Shoot, hit Submit too early... you then just drag/drop the cfscript.txt onto ComboFix.exe and it will add those files to its routine.

Good luck!
posted by Dark Messiah at 10:08 AM on July 20, 2008

Reformat your PC. You've already done about 95% of what can be done to fix the machine. Even if you find the DLLs or executables in question, you're not finding the entries that autostart or automatically repair damage to the malware. Vista's gotten horrible press, but you will get a UAC prompt if malware tries to invade your Vista machine. And after initial setup, UAC is generally not that big a deal on a day-to-day basis. I would recommend making the jump if your machine will take 2 GB of RAM and has a fairly recent CPU. Mac OS X is great, but you're looking at buying a new machine at that point, so there's obviously a pretty big extra expense involved.
posted by cnc at 10:16 AM on July 20, 2008

I'd argue in favour of Vista's System Restore (it is amazing) over the UAC. On XP, when you run .EXEs it gives you a similar warning to the UAC. I'm not bashing anyone here, but the UAC won't save anyone who is already prone to the Dancing Bunny Problem.

The infection the poster is describing is one I have removed 100's, if not 1000's of times. The only major problem is when the user account has no password; the malware often will add a gibberish password to all non-passworded accounts. They also tend to delete your System Restore points. (Which is the FIRST thing that should be done upon noticing an infection.)

In the end, software will not save a user from being tricked. End of story; the user is in control of the software, not vice-versa. Even Macs and Linux can get viruses if the user downloads an executable and runs it through an admin account. (I'm not debating the likelihood of this happening; the fact is it CAN.)

$200+ on a new OS will not be spent well. Get a decent anti-virus like AntiVir, or AVG, (one that actually does clean malware; this specifically does NOT include McAfee, Norton, or Trend Micro -- they are worthless, I could catch more viruses with a fishing net.)

On my Vista box, my only form of protection is the HOSTS file which I install on all systems which connect to my home network.
posted by Dark Messiah at 10:28 AM on July 20, 2008

Also, change all your passwords!
posted by meta_eli at 11:10 AM on July 20, 2008

Have you tried Safe Mode? It might keep the junk from running in Safe Mode, allowing it to be removed without it sneakily re-installing itself. Note that some have said that a scan is less effective this way, but since it doesn't work, you might as well try it.

Another thing you might try is to download and install a 30-day trial of full-blown anti-virus, anti-spyware software like Eset's NOD32, which I run with great results. I'd expect it to handle better than 'just' a spyware tool. And you don't have a lot to lose.

If you're going to reformat, of course, back up all your stuff. (In fact, if you're not going to reformat, but are going to muck around with lots of stuff, you might want to back up, too.) Yes, you may copy some 'infected' files to disk, too, but it's easier to scan and fix that from a clean system.
posted by fogster at 12:34 PM on July 20, 2008

"...but since it doesn't work, you might as well try it." = "...but since your current system doesn't work, you might as well try it."
posted by fogster at 12:36 PM on July 20, 2008

Have you tried booting into safe mode and deleting the DLL? If you still have your windows CD, you can boot off of that into 'repair' mode and delete the file that way, or even take the hard drive out, put it in a new machine, and delete the DLL that way.

Trying to delete the DLL while the program is still running is kind of a waste, because the program running can check to see if it's been deleted, and reinstall itself.

"Nuking for Orbit" (i.e. doing a complete reinstall of the OS) is the best way to fix this, but in theory it's possible to repair this problem if you know exactly what DLL is causing problems. But be careful.

And you should try Linux if you're not interested in Windows. My current PC has 8 cores and 4GB of memory and only cost me $1,200. A Mac with those specs runs at least $3,200.
posted by delmoi at 1:03 PM on July 20, 2008

Have you tried windows defender yet?

How about doing a system restore to before this happened?

If that doesn't work I'd just reinstall everything from scratch. You might want to move up to Vista too. Just make sure you have at least 1 gig of RAM. Or play with one of the popular Linuxes, but XP or Vista as a limited user is pretty secure.
posted by damn dirty ape at 4:00 PM on July 20, 2008

Have you tried booting into safe mode and deleting the DLL?

Guaranteed not to work in most cases. Half-decent malware is smart enough to hook itself into EXPLORER.EXE and WINLOGON.EXE, both of which are required to use Windows in any Safe Mode option; EXPLORER won't run in Safe Mode w/Command Line, but WINLOGON is still running. (You can suspend WINLOGON but if you end the process, you will BSOD; and you can only end that process via something like Process Explorer, TaskManager will tell you to get stuffed.)

I've managed to do this via the recovery console, but there are typically other files (with similar names) that will regenerate the infection.

One virus I removed, the only way to do so was to actually script a removal process (file by file) and then force WINLOGON to terminate; smart malware will regenerate itself by adding entries to the Task Scheduler and trigger @ Shutdown.

I can honestly say, removing this stuff was the best job I ever had. (The biggest thrill was hunting down a rootkit and finding its controller hidden in BEEP.SYS.... God, what a nightmare, but drugs don't match the high of resolving something like that.)
posted by Dark Messiah at 4:01 PM on July 20, 2008

How about doing a system restore to before this happened?

System Restore does not delete files, it rolls back the registry and that's pretty-much it. Infections that consist of .DLL files will not be resolved, as the calls to those still-existing files will be made and, within minutes (at best), the infection will be back to full-strength.

System Restore is an excellent first step, however, as malware typically does not travel alone; and a prolonged infection will bring other types of malware onto the system. After the system is clean, DELETE your System Restore points and make a fresh one. I've seen techs clean systems very well, then a week later the user FUBAR'ed a printer install, rolled back far enough to re-infect themselves.

Windows Defender is.... Not good. I'll leave it at that.
posted by Dark Messiah at 4:05 PM on July 20, 2008

Half-decent malware is smart enough to hook itself into EXPLORER.EXE and WINLOGON.EXE

Very true. However, by booting up with an Ubuntu Live CD, you can easily delete this kind of malware.

Also, I find that most malware can be identified by time and date. Once you've identified a single malware .dll, you can search for other similarly dated "suspicious looking" files and delete them all or, better yet, move them elsewhere in case you goof.
posted by shinybeast at 7:26 PM on July 20, 2008
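shinybeast's "identify by time and date" approach, as an added example that is not from the thread: given one known-bad file, list the other files in a directory tree modified within a few minutes of it, then move (not delete) them to a quarantine folder with a manifest so a wrong guess can be undone. The directory, file names and timestamps are constructed inside `demo()`; on a real machine you would point it at the system directory where the gibberish DLL was found.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

def files_dated_near(known, root, window_s=600):
    """Return files under root whose modification time lies within window_s
    seconds (default 10 minutes) of the known bad file's mtime, excluding the
    known file itself. Timestamps can be forged, so treat hits as leads to
    inspect, not as proof."""
    known = Path(known).resolve()
    anchor = known.stat().st_mtime
    hits = [p for p in Path(root).rglob("*")
            if p.is_file() and p.resolve() != known
            and abs(p.stat().st_mtime - anchor) <= window_s]
    return sorted(hits)

def quarantine(paths, qdir):
    """Move files into qdir rather than deleting them, and append a manifest
    of original locations so a mistaken move can be reversed."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = qdir / "manifest.txt"
    with manifest.open("a") as m:
        for p in paths:
            dest = qdir / p.name
            shutil.move(str(p), str(dest))
            m.write(f"{dest}\t{p}\n")
    return manifest

def demo():
    """Constructed tree standing in for system32: a gibberish-named DLL
    (the 'known' file) and two files written minutes before and after it,
    plus a genuine-looking library dated over a year earlier. All names
    and times are made up for the example."""
    root = Path(tempfile.mkdtemp())
    now = time.time()
    layout = {"jkhfgd.dll": now - 120, "pfgkqs.exe": now - 60,
              "xcvbnm.dat": now - 300, "kernel32.dll": now - 86400 * 400}
    for name, mtime in layout.items():
        f = root / name
        f.write_bytes(b"constructed sample")
        os.utime(f, (mtime, mtime))
    hits = files_dated_near(root / "jkhfgd.dll", root)
    quarantine(hits, root / "quarantine")
    left = sorted(p.name for p in root.iterdir() if p.is_file())
    return [h.name for h in hits], left
```

Run it from a clean boot environment (a live CD, as shinybeast suggests) so the running infection cannot recreate the files while you work.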

System Restore does not delete files, it rolls back the registry and that's pretty-much it. Infections that consist of .DLL files will not be resolved, as the calls to those still-existing files will be made and, within minutes (at best), the infection will be back to full-strength.

The calls are in the registry and should have been deleted with the restore. The DLL would just be a flat file somewhere. I don't see how it can be loaded if the startup entry (or whatever) in the registry was wiped.
posted by damn dirty ape at 9:10 PM on July 20, 2008

My computer has since decided to let me get to gmail, but I'm going to try Ubuntu anyway. I'm trapped in Windows all day at work, and I don't have the scratch for a Mac. Anchors Away!
posted by Arquimedez Pozo at 6:41 PM on July 23, 2008
