My landlord’s PC is positively riddled with malware, and he has enjoined me to help fix it.
Now I am a Mac guy, so I don’t know the subtleties of Windows XP. I’m hoping that someone out there with knowledge of both platforms might help me out.
We have the McAfee suite of protection utilities. Also I have downloaded and run Spybot, AdAware, Pop-up Blocker, and installed the Google toolbar.
In spite of this, we get numerous pop-ups, even when Internet Explorer is not running (though I get the impression that in Windows, IE is built into the system and in a way is always running–correct me please if I’m wrong). IE is currently hijacked so that no matter what URL is requested, it instead always brings up the same page, a search site.
There are things I have read concerning booting in Safe mode before attempting virus removal, turning off [the function whereby the system automatically backs up data–the name escapes me right now], etc.
The McAfee virus scan has an annoying (or in any event, I don’t understand it) quirk, wherein after it has identified problem files, it invites you to delete them. So I delete them, and invariably get “Some of these files cannot be deleted; would you like to quarantine them?” Yes, I guess (why can’t they be deleted?). So now the problem files have either been deleted or quarantined. I go to quit the program, and get “Are you sure you want to quit without deleting all problem files?” No, of course not; delete them. “These files cannot be deleted . . .” And so on.
Any advice (or useful links) would be appreciated.
Windows won’t let you delete a file that’s currently in use. So, McAfee is finding the infection in something that’s currently running - it would dearly love to delete the file, but can’t. That’s why you’ve been advised to boot into Safe Mode to do the virus removal - Safe Mode only runs the bare minimum of things it absolutely requires to get the machine running.
Alas, it sounds like this machine is so infested, that may still not take care of it. The home page hijack problem, for example, could be any one of a dozen different things, and some of them are fiendishly difficult to eradicate. McAfee won’t do anything about that - AdAware or Spybot might, but there are some IE hijackers that bury themselves too deeply for either of them.
I can’t think of a good way to say this, but if you’re a Mac guy, your chances of restoring this machine to good health are pretty slim. A machine this loused up would be a challenge for an experienced Windows person.
It sounds like a candidate for a complete reformat and reinstall, but that will have to be done very carefully to avoid reinfestation with the scumware that’s attached itself to the machine. It’ll be a long, laborious process, and there are a lot of complications. For example, to get the OS patched properly, you’ll need to go online. But going online without the patches in place already may expose the machine to reinfestation. Catch-22.
I might suggest taking the machine to a computer shop and paying them to blow everything away and start over. Make sure they install the anti-virus package and get it updated. Ditto for all of the OS patches. Ditto for ZoneAlarm, AdAware, and Spybot. The key question is: how old is this machine? The cost of cleaning it up might be more than the cost of a shiny new machine.
You could try a few things before giving up. I would disable the Messenger Service that runs by default on all XP machines. Look under Control Panel > Administrative Tools > Services. Check the box that makes the Messenger Service start manually. This is an exploit that is a favorite of scammers.
Next I would open msconfig and try to determine what programs are running on startup. To get there go to Run > type msconfig > select the Startup tab and review the list of programs that are currently starting each time the machine boots. Uncheck suspicious ones and reboot. A little box will appear asking if you want to keep the changes; check it and OK out. If you have questions maybe repost here for more assistance.
Is AdAware using the latest reference file? They update at least 2 times per week. The same goes for Spybot, although their updates seem harder to get.
Then if you can get to the Internet there are some online scans that may help. Trend Micro has a good one. I think Panda does too.
Install all the Critical Updates for XP as well. I hope you have a good line as it may take a while if the machine has not been updated for a while.
One more thing. If you get it cleaned up nicely enough download and instruct the man to use Mozilla Firefox. It will save a lot of headaches with this type of stuff. Good browser too.
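The steps in the post above (stop the Messenger service, review what msconfig's Startup tab lists) and the earlier point that Windows refuses to delete a file a running process holds open can be scripted rather than clicked through. The following is an added example written for this thread, not code from any poster or from McAfee, Spybot or AdAware. It assumes PowerShell is installed on the XP machine (it is not part of a default XP install), that the shell is run as an administrator, an English-locale profile layout for the Startup folder paths, and XP Professional for `tasklist` (XP Home does not ship it). The DLL name in step 4 is a placeholder to replace with whatever file the scanner said it could not delete.

```powershell
# Added example for the XP cleanup steps discussed in this thread; not the posters' code.
# Assumes: PowerShell present on the XP box, run as Administrator, English-locale paths.

# 1. Messenger service: the "net send" pop-up vector. The post sets it to Manual;
#    Disabled is stricter if nobody on the LAN needs it.
$svc = Get-Service -Name Messenger -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -eq 'Running') { Stop-Service -Name Messenger }
    Set-Service -Name Messenger -StartupType Manual
}

# 2. Registry autostart locations that feed msconfig's Startup tab.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host "== $key"
        # Drop the PS* bookkeeping properties so only value-name/command pairs print.
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

# Startup folders (XP layout; assumes an English-locale profile tree).
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        Write-Host "== $dir"
        Get-ChildItem -Path $dir | Select-Object Name, LastWriteTime | Format-Table -AutoSize
    }
}

# 3. The IE hijack symptom: every URL lands on one search site. These are the
#    per-user and machine-wide values IE reads for its home and search pages.
foreach ($hive in 'HKCU', 'HKLM') {
    $main = "$hive`:\Software\Microsoft\Internet Explorer\Main"
    if (Test-Path $main) {
        Write-Host "== $main"
        Get-ItemProperty -Path $main |
            Select-Object 'Start Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL' |
            Format-List
    }
}

# 4. Why the scanner "cannot delete" a file: a running process still has it mapped.
#    tasklist /m lists every process with that module loaded. Placeholder name below.
$suspect = 'example-hijacker.dll'   # replace with the file McAfee refused to delete
tasklist /m $suspect
```

Run step 4 before rebooting into Safe Mode: knowing which process has the file loaded tells you which startup entry from step 2 is reloading it, which is the entry to uncheck in msconfig. Step 3 does not fix the home page; it shows which value was changed so you can set it back after the component that keeps resetting it is gone.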
Spybot updates are much less frequent than AdAware’s. And there has long been some sort of glitch with the primary European download site for the Spybot updates. If Spybot tells you that there’s an update, but it “hangs” when you try to download it, switch to one of the other sites. The latest version of Spybot has actually changed the mirror sites listed, so that problem may now be cured.
Thanks y’all for the advice. It may take me a while to report back as I have a fair amount of real-life work coming up.
But please keep it coming anyway, thanks. And if this thread can serve as a cross-platform knowledge resource, that would be great. Understanding is key.
In any event, I followed the advice there (and here), and I was careful to begin by turning off System Restore and rebooting into Safe Mode (I guess under XP it’s technically called Diagnostic Mode?).
I also installed Mozilla Firefox, and asked him to try using that instead of IE.
Anyway, things seem to be working now, although we’ll see what happens when he gets on there and visits some of the more disreputable corners of the Web.
Thanks for all the help, and if I have further problems, I’ll post in the main malware thread.
H