Comments on: Digital Immunodeficiency Disorder?

Question: Digital Immunodeficiency Disorder?

Rhaomi — Sun, 25 Jan 2009 17:44:21 -0800

My laptop's been infected by something that is interfering with all the usual solutions. Please help!

After the recent hacking attempt that brought down Mefi, I scanned my laptop for any problems it may have picked up from it. AVG detected one threat, a trojan, which it promptly deleted. But that wasn't quick enough, apparently.

Now, my Windows XP setup is exhibiting weird behavior all around, and everything I've tried to do to fix it has been blocked. Here are all the symptoms:

Firewall - was originally turned off; I'm not sure for how long. I've since turned it back on.

Security software - AVG isn't detecting anything, but there's obviously something still wrong. Attempting to update the virus database throws an error. Most troubling, I cannot install the newest version of AVG as its website is blocked. Ditto for all the other major antivirus vendors -- trying to access their websites results in a page error.

Tech support sites - Same as above. Something is blocking all attempts to connect to the major tech help sites. I knew enough to check my hosts file, but can see no problems there. At least AskMe still works...

Google search - Searching Google for solutions leads to a standard results page. But when I click on a result, instead of going to the relevant page, it opens up a new tab and goes to a random spam site. This happens on Yahoo and other search sites as well. I can still get to the page I want by copying the URL and pasting, but it's slowing me down. And of course any link that points to a support site won't work.

Other browsers - I'd been using Firefox 3 up to this point, so I tried the other browsers on my system on the off chance they'd work better. No luck -- Google Chrome refuses to connect to *any* website, and Internet Explorer crashes immediately after launching.

System Restore - fed up with all the problems, I tried to roll back my system to a point before the infection. But to my great surprise, all the old system restore points have been deleted.

So to sum up: AV software is borked, security and support sites are blocked, searching is hampered, and I can't go back to an older system configuration. Any ideas?

PS: I know you are not my tech support, but like I said, all the more dedicated help sites I'd normally consult have been disappeared. Thanks for your time and patience!

By: Justinian

Justinian — Sun, 25 Jan 2009 17:59:07 -0800

For an infestation this serious I would suggest nuking the site from orbit. It's the only way to be sure.

(format and reinstall the operating system).

By: gemmy

gemmy — Sun, 25 Jan 2009 18:00:17 -0800

Might be the Downadup/Conflicker worm that's spreading like wildfire.

Removal instructions.

Use a proxy server to get around the "can't get there to download stuff" issue. I like Proxify.com, but there are tons of them out there.

By: Susurration

Susurration — Sun, 25 Jan 2009 18:05:41 -0800

You will probably need to boot Windows from a CD to remove this infestation. There is an excellent generic Windows boot CD, with anti-malware apps included, at http://www.ubcd4win.com/
The software is free to download and has copies of all the drivers and disk utilities that you are likely to need (you can download the latest updates for your favorite anti-malware utilities before you burn the project -- see the CD creation instructions). Its originator can be trusted (i.e. it is free from malware) -- he has been running this project for about 5 years (he has the cease-and-desist letters from Microsoft to prove it!). You will need to burn the recovery/AV boot CD on a different PC, obviously! The CD takes about 20 minutes to make up and you'll need a Windows XP install CD to compile it. This has saved my bacon a few times - I highly recommend it.

By: DarkForest

DarkForest — Sun, 25 Jan 2009 18:06:56 -0800

Trinity Rescue Kit is a bootable linux cd that will allow you to virus scan a windows machine.

By: imjosh

imjosh — Sun, 25 Jan 2009 18:08:36 -0800

Check to see if the virus changed your Hosts files to block the sites you can't get to.

Location and default info.

http://en.wikipedia.org/wiki/Hosts_file#Location_and_default_content

Alternately you can download the new AVG or the newest AVG definitions on another computer and install them.

You'll also do well to run either CCleaner or Lavasoft's Adaware and see what they turn up.

By: Rhaomi

Rhaomi — Sun, 25 Jan 2009 18:45:06 -0800

Hey, everybody, thanks for the feedback.

First off, after 80,000 items AVG turned up one more threat, which I've nuked. I'll let it finish it's deep scan before trying anything else, which could take awhile.

Even better, I've discovered that I can bypass the website blocks using Google's cache -- this is letting me access the tech help sites and is giving me a few more options to try. In particular, this site is describing the same symptoms I'm getting, and linked to this site with a potential fix which they said worked. I'll try that when the scan is done. (Currently at just over 200,000 items scanned...)

I'll follow up if and when I get this thing fixed.

By: tdismukes

tdismukes — Sun, 25 Jan 2009 18:52:59 -0800

I'll second Susurration's recommendation of ubcd4win. I had to rescue my mom's pc from a serious infestation a few weeks ago, and the bootable disc was what saved the day.

By: patnok

patnok — Sun, 25 Jan 2009 19:06:40 -0800

sounds like what we had a couple weeks ago. malwarebytes fixed it. had to install it from a disk.

By: patnok

patnok — Sun, 25 Jan 2009 19:09:35 -0800

win32/vundo

By: cosmonaught

cosmonaught — Sun, 25 Jan 2009 19:10:50 -0800

I've had nothing but luck running HijackThis (freeware) from Trend Micro, and then either analyzing the logs, or posting them on a message board and having someone help (a few forums: 1 2 3).

By: Rhaomi

Rhaomi — Sun, 25 Jan 2009 21:02:21 -0800

Persistent little bastard. I let AVG do its full run and deleted everything it found, then rebooted. Nothing has changed -- Google still redirects, sites still blocked, etc. I did a bit more research and learned that sometimes these ~~viruses~~ virii can rewrite the location of your HOSTS file, creating a clone of it squirreled away somewhere with a list of blocked sites and telling your browser to use that one. That way if you check the normal location it looks fine, even though it isn't.

Anyway, the folks in the thread I was reading used an app called Malwarebytes (which patnok had also recommended). I couldn't get to the main site for it, naturally, so I went to one of the standard download sites and got it there. Problem is, I can't install it. This nefarious little bugger is interfering with the setup process.

I'll have to check the registry for the cloned file they mentioned -- that should help fix it.

By: Rhaomi

Rhaomi — Sun, 25 Jan 2009 21:05:36 -0800

FUCK. This jackass-of-all-trades has also disabled regedit. Now I'm going to have to figure out how to get *that* up and running before I can do anything else.

What next, a routine that automatically translates all onscreen text into Sanskrit?

By: HopperFan

HopperFan — Sun, 25 Jan 2009 21:06:40 -0800

We've had problems with Antivirus 2009 (and the behavior your PC is exhibiting sounds like its doings) - Malwarebytes used to be the answer, but further nasty variants in the past week or so have quashed that notion. As much as I detest the tired old "nuke it from orbit!" cliche, it's probably the right thing to do.

By: HopperFan

HopperFan — Sun, 25 Jan 2009 21:12:00 -0800

If you continue to work on it, though, one question (and I may have missed this info): You're trying to install/run Malwarebytes in safe mode/no networking, correct?

By: HopperFan

HopperFan — Sun, 25 Jan 2009 21:16:21 -0800

Antivirus 2009 info here. (don't know if you'll be able to access it)

By: Xuff

Xuff — Sun, 25 Jan 2009 21:18:04 -0800

You might have some luck booting into Safe Mode and installing/repairing things from there if you don't want to go the boot-from-CD route. However, I've seen some malware that disables Safe Mode as well (or makes it bluescreen on startup), so that may not work.

If you'd like to try it restart the computer and repeatedly hit the F8 key until you're presented with a menu of options including Safe Mode.

Having said that, however, the others who recommend a format and reinstall are probably right. An infection this bad is usually a lot more trouble than it's worth; it'll likely require much more effort and time than starting from scratch and restoring from backups.

Good luck!

By: Rhaomi

Rhaomi — Sun, 25 Jan 2009 21:27:51 -0800

HopperFan: I am now (currently writing this from my iPod) -- but it *still* won't install, even in Safe Mode. So, WTF, basically.

Xuff: I may have to do that. If I don't get it done by tomorrow I'll see about starting from scratch.

By: defcom1

defcom1 — Sun, 25 Jan 2009 22:41:19 -0800

if you need to get to regedit, find the regedit.exe in system32 and rename to regedit.com It will run, usually it's not blocked.

(c:\windows\system32\regedt32.exe) to regedt32.com under win xp.

By: defcom1

defcom1 — Sun, 25 Jan 2009 22:43:07 -0800

oh, and rebooting while you suspect you're infected - usually not a good idea. If you don't get all the little bits out, on reboot it usually digs itself in again deeper. (for future reference).

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 00:01:16 -0800

Well, I've made some progress. While in safe mode, I noticed some items in the Startup area that I had not created. On investigating, I found all of them were created right around when I started experiencing problems. These items were:

C:\WINDOWS\ihufogutudi.dll
C:\WINDOWS\TEMP\winlognn.exe
C:\Docume~1\[username]\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\Ivazonafazeqeq.dll

I managed to find and delete these files in safe mode -- well, all of them except for csrssc.exe. This was in my user folder, and I couldn't access it as the administrator (?). So I switched to my profile (still in safe mode). But! All of the hidden files were, well, hidden, and the option to show hidden files was missing. In fact, the "Tools > Folder Options" menu was missing.

So I rebooted into normal mode. Still missing. Did some tinkering, recovered the option, deleted that sucker once and for all. Or not.

While checking up to see if I missed anything, the csrssc.exe file recreated itself (!) and disabled regedit once again.

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 00:06:46 -0800

(It also re-hid all the folders, btw.)

By: taz

taz — Mon, 26 Jan 2009 01:26:53 -0800

eek! Do you know what this is called yet, Rhaomi?

By: Xuff

Xuff — Mon, 26 Jan 2009 01:56:41 -0800

Removal instructions for what you've got can be found here:

http://forums.whatthetech.com/csrssc_exe_other_problems_t91807.html

If that site won't load because of the infection let me know and I'll throw up a temporary mirror of the content for you.

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 02:36:24 -0800

"Victory at all costs, victory in spite of all terror, victory however long and hard the road may be; for without victory there is no survival."

Like the quote? It's from Winston Churchill. I found it by searching GOOGLE. Without being SPAMMED. WOOOOOOHOO.

As is the case for most of these issues, the solution was pretty simple, if difficult to track down. I wasted a lot of time trying to isolate and kill that csrssc.exe file, which kept getting recreated randomly. I ended up deleting it in safe mode as the administrator -- I had to change the ownership and permissions of the container folder to get at it, though.

Anyway, I did more searching using the base URL of the spam site redirect: "go.google.com". That led me to this site, which suggested the site block/redirect/antiviral interference problem stemmed from a certain service.

Here are their instructions:

Thank you for your help. I'm not finished yet, but I did discover something important for those of us who are so completely hijacked that we can't download or run the anti-malware programs. My sister (aka "the LAN Goddess") found this on www.Troublefixers.com and I am copying it verbatim. It fixed my problems with loading and running the software, at least. Maybe now we can get to the bottom of this.

We have received a comment on this post which will again help you remove go.google.com redirect virus given below

Last Method to Remove Go.google.com virus

Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

Scroll down to "Non-plug and Play Drivers" and click the plus icon to open those drivers.

Then search for "TDSSserv.sys"

Right click on it, and select "Disable"

Note: If you select Uninstall, it will install itself again when you reboot the system, so DON'T select Uninstall.

Restart your pc.
You can now update your Antirus/Malware/Rootkit softwares and the go.google rubbish will stop.

Its now up to the Anti-Virus/Malware/Spyware companies to make an effort to stop this, and not rely on simple basic home PC user's like myself to save the world

In simple terms, TDSSserv.sys is a service/server redirecting all software updates to 127.0.0.1 (your own computer) so they won't update.

Ron

It worked like a charm, at first. Google worked, antivirus sites worked, the Malwarebytes installer worked. I then ran the AVG updater to get the latest virus definitions. The updated info allowed what I assume to be the original infection to be detected. I tried to delete it but it threw up a blue screen of death. A final, useless gambit! After restarting I immediately ran AVG and knocked the infection out. I'm now running one last scan to clear out any lingering problems, and will check tomorrow for residual stuff like keyloggers and adware.

Thanks so much you guys for your patience and help! I hope my slog helps out a few fellow victims out there, too.

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 02:37:30 -0800

Oh, and patnok gets brownie points for identifying the trojan -- one of them was indeed of the vundo "strain".

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 02:51:02 -0800

Lastly, for posterity, here are the instructions I used to access the registry and show hidden folders after initially being denied:

ENABLE REGEDIT - This will allow access to the registry editor if a virus has blocked it.

Start -> Run -> type in gpedit.msc

In the window's left-hand pane, expand User configuration, then Administrative Templates, then select System

Double-click "Prevent access to registry editing tools" on the right and change it to Disabled

SHOW HIDDEN FOLDERS - This will allow you to reveal all hidden folders if there is no "Folder Options" in your folders' Tools menu.

Start -> Run -> type in regedit

Using the folder tree on the left, navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Double-click the item "Hidden" on the right and change the value to "1".

By: HopperFan

HopperFan — Mon, 26 Jan 2009 06:27:39 -0800

Trojans are only part of the issue : "Like any other of its predecessors, Antivirus2009 uses trojans, such as Zlob or Vundo, to spread."

Glad you got it worked out!

By: SuperSquirrel

SuperSquirrel — Mon, 26 Jan 2009 07:03:42 -0800

A huge thank you for all this info! Halfway to FINALLY cleaning out the crap out of my daughter's pc, which has been a long-standing ulcer-inducing THANG.

By: Rhaomi

Rhaomi — Mon, 26 Jan 2009 07:45:11 -0800

Final (?) update: First thing this morning, installed Malwarebytes and let it scan. It turned up twice as much stuff as AVG did, including the registry change that had hidden the "folder options" menu. Everything seems to be free and clear now!

By: PeterParker

PeterParker — Thu, 19 Feb 2009 12:51:27 -0800

Make sure you reboot your computer immediately after removing the viruses. Often times they can simply regenerate themselves if you don't.