Wednesday, August 10, 2011

Root, kit, or die

Don't go there!

You might not realize the extent to which you're living the Google lifestyle until suddenly you can't any longer. It happened to me over a week ago. Google stopped working. The search engine seemed okay, but clicking on a result entailed unpredictable consequences. Most of the time I would not get the webpage I had selected. The results seemed random. It was perplexing. More than perplexing. It was maddening.

If you're technologically savvy, you know that weird computer behavior is a good indication of a viral infection. It wasn't long before I realized that some weird bug was affecting the way Google behaved. Naturally, I quickly resorted to ... Google to figure out what was wrong!


It took a few moments to find a work-around. Google was, after all, doing a perfectly fine job of finding websites related to search-engine viruses. Instead of clicking on an individual result and trusting Google to take me there, I instead copied and pasted the URL directly into the browser. Success! After visiting several sites, I learned that my computer had contracted a form of the “Google redirect virus.” Google referrals were being hijacked and directed to sites that were benefiting from extra hits from infected computers.

Example of a rogue page from a redirected Google item

Some of the rogue pages that popped up were plausibly connected to the original Google search, even if they weren't the pages you asked for. But tell me, would you trust a supposedly anti-virus program that offers itself as a solution to the Google redirect virus if the virus itself suggests it to you? Sorry, Stopzilla, there is no way that I am trying you!

The virus in question creates a “rootkit” problem, where a “rootkit” is a program that gives privileged access to the functions of a computer. Rootkits can be damnably elusive. I've tried ferreting out my computer's infection with utilities from Norton, AVG, Sophos, Zookaware (SpyZooka), Enigma Software (SpyHunter), and Kaspersky. Lots of adware cookies were demolished in the process of scanning my computer, but the redirect virus was not caught. Damn. I was especially disappointed when Kaspersky's vaunted TDSSKiller did not track down and kill the lurking rootkit.

My new problem was keeping track of which anti-virus scanner I had used and then disabling or uninstalling those that wanted to fight each other. (You can definitely have too much of a good thing, and anti-virus programs are not fond of polygamy.) I've discovered that Anti-Malware from Malwarebytes is the most active combatant in the battle with the rootkit virus. It often (but not always!) detects attempts to redirect my clicks on Google results and prevents them. I'd much rather, of course, expunge the rootkit entirely and go back to clicking with abandon. But so far it is not to be.

Suggestions, anyone, on the best way to smash a rootkit virus on a PC running Windows 7?


Blake Stacey said...

eHow suggests going to Device Manager and disabling TDSServ.sys (it's made visible by clicking "View/Show Hidden Devices"), then running an anti-malware program to remove the registry entries for the rootkit.

My own inclination would be to nuke it from orbit: reformat, reinstall, restore data from backups. Past a certain point, that might be less hassle than the alternatives. . . .

crankykhayman said...

I've never had to go through this process so take my suggestion with a grain of salt. Mark Russinovich has been writing about this kind of thing and building tools to help with it for ages. He now works for MS and continues to write on the MS Technet blogs.

A quick search of his blogs reveals a post about something called a rootkitrevealer, which sounds promising.

Good luck.

Dae said...

Probably not terribly helpful now, but maybe for the future - I built my computer with two harddrives - one for the OS and very little else, and one for everything else. I have gotten a virus once, and since the drive with the OS is (usually) the one with the problem, the 'nuke it from orbit' solution is only a day or so's worth of hassle - just reformatting the drive, and reinstalling the OS and relevant drivers.

William said...

Reformat it with an Ubuntu disc...

But even that might not save you, since now some ISPs are reportedly hijacking search results.

Anonymous said...

The problem with running anti-malware tools on a 'live' drive is that the rootkit has ways to protect itself. You might try:

1) Disconnecting your boot HDD.
2) Doing a fresh Windows install on a different HDD.
3) Reconnect the infected drive, but boot from the fresh install. (It might be even better to boot, then reconnect the original boot HDD, e.g. in a USB enclosure.)
4) Run the anti-malware tools and scan the infected drive.

chrischaos said...

i chose die buahahaha
Dante's Inferno

neotropic said...

My scan has detected 1 malicious program in your computer.

It is called MS/WIN7.

Uninstall it and everything will be fine.

Chakat Firepaw said...

One of the big problems with getting rid of rootkits is that once you have them, you can't trust anything on your drive to be free of them[1].

What it comes down to is that there is only one reliable way to get rid of them: Flush your system and reinstall from read-only media and fresh downloads.

[1] Sure, you've gotten rid of the active code... but how were you to know that it slipped reinfection routines into minesweeper?

David Morning said...

You could try booting an Ubuntu live CD as William suggested, but then installing clamav on the live distro and running a virus scan on the hard disk. Since it isn't running the OS on the infected drive it might pick up things which an AV running in Windows doesn't. I've also had good results with CCleaner to block a virus from booting at startup, then running a virus scan.

Tualha said...

You might look for a local Linux user group and ask them if they can help. There are bootable Linux CDs specialized for fixing broken Windows systems. I don't know too many details, but someone in your local LUG might.

Aside from googling for your city, county, or nearest metro area, there's this list (probably old data):


Good luck.

Kaleberg said...

I think you have to drain all the software out of your computer and put in new software. That's the best explanation I've ever heard. You'll have to do a complete reinstall of everything and then a selective restore of your files. You have my condolences.

Gene O'Pedia said...

William's reference to the fact that some ISPs might be rerouting their customers' search results using Paxfire is certainly a frightening thought. But your own problems sounded much more severe than what an ISP would want to do. I think. I hope.

Is it possible that your ISP was infected? Possible, and easy to check. Just do a search from your computer and have a friend on a different ISP do the same search.

Try different search engines, too, and compare the results.

Did you try using System Restore, and set Windows back a few days? Always worth a try and often fixes the problem. I have run into a virus that disabled that tool, or deleted all the past history it uses. But it's worth a try and easy to find out if it worked or not.

Bottom line is, none of us wants this issue getting in the way and slowing things down. After all, you're already Halfway There.
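The symptom described in the post (clicking a result lands you somewhere unrelated, while pasting the URL works) and the cross-ISP comparison Gene O'Pedia suggests are both things you can check mechanically. The script below is an added example, not code from the post, from any commenter, or from Malwarebytes; it audits a constructed log of (clicked URL, landed URL) pairs the way a browser history or proxy log would record them, flags clicks that ended on a different site, and diffs the landing hosts seen from the suspect machine against those seen from a clean vantage point. All host names, the record format and the function names (`classify_click`, `audit_clicks`, `compare_vantage`) are assumptions made up for the example.

```python
# Added example: audit search-result clicks for redirect hijacking.
# Not from the post or its commenters; all data below is constructed.
from urllib.parse import urlsplit

# Constructed sample records: (URL shown in the result list that the user
# clicked, URL the browser actually landed on). Hosts are invented.
CLICK_LOG = [
    ("http://example.org/article/1", "http://example.org/article/1"),
    ("http://example.org/article/2", "https://www.example.org/article/2"),  # benign https/www hop
    ("http://news.example.net/story", "http://deals.bogus-ads.invalid/landing?ref=search"),
    ("http://docs.example.com/howto", "http://docs.example.com/howto"),
    ("http://forum.example.net/thread", "http://antivirus-offer.invalid/download.exe"),
]

# Constructed: landing hosts for the same queries, run on the suspect
# machine (LOCAL) and by a friend on another ISP (REMOTE), as Gene suggests.
LOCAL_RESULTS = {
    "gardening tips": ["example.org", "deals.bogus-ads.invalid"],
    "python tutorial": ["docs.example.com"],
}
REMOTE_RESULTS = {
    "gardening tips": ["example.org"],
    "python tutorial": ["docs.example.com"],
}


def registrable_domain(host: str) -> str:
    """Crude site identity: the last two DNS labels ('www.example.org' -> 'example.org').
    Adequate for this audit; a real tool would consult the Public Suffix List so
    that 'shop.example.co.uk' is not collapsed to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_click(clicked: str, landed: str) -> str:
    """Return 'ok' (same host and path), 'same-site' (a benign hop such as
    http->https or a www prefix) or 'hijacked' (different registrable domain)."""
    c, l = urlsplit(clicked), urlsplit(landed)
    if c.netloc.lower() == l.netloc.lower() and c.path == l.path:
        return "ok"
    if registrable_domain(c.hostname or "") == registrable_domain(l.hostname or ""):
        return "same-site"
    return "hijacked"


def audit_clicks(log):
    """Return the (clicked, landed) pairs that ended on an unrelated site."""
    return [(c, l) for c, l in log if classify_click(c, l) == "hijacked"]


def hijack_rate(log) -> float:
    """Fraction of clicks that were hijacked; 0.0 for an empty log."""
    if not log:
        return 0.0
    return len(audit_clicks(log)) / len(log)


def compare_vantage(local: dict, remote: dict) -> dict:
    """For each query, list landing hosts the suspect machine saw that the
    clean vantage point did not. Queries with no difference are omitted."""
    diff = {}
    for query, hosts in local.items():
        extra = set(hosts) - set(remote.get(query, []))
        if extra:
            diff[query] = sorted(extra)
    return diff


if __name__ == "__main__":
    for clicked, landed in audit_clicks(CLICK_LOG):
        print(f"HIJACKED: {clicked} -> {landed}")
    print(f"hijack rate: {hijack_rate(CLICK_LOG):.0%}")
    for query, hosts in compare_vantage(LOCAL_RESULTS, REMOTE_RESULTS).items():
        print(f"only seen locally for {query!r}: {', '.join(hosts)}")
```

A hijack rate well above zero on your own machine, combined with hosts that a friend on another ISP never sees for the same query, points at the machine rather than the network; the reverse pattern (both vantage points on the same ISP see the extra hosts) is what an ISP-level rewrite would look like.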

Anonymous said...

Load some form of Linux (I personally prefer Kubuntu) onto a partition on your drive. The GRUB bootloader will prevent the rootkit from surviving a reload of Windows. You also might want to make sure your version of Windows is fully up to date.