Places malware hides, update #2: search engine redirection
Posted by technosopher on January 28, 2009
I’m happy to report that I just stumbled across a bit of information that fixes a serious flaw/oversight in my malware removal how-to guide, and sheds a great deal of light on the inner workings of one of the more obnoxious families of malware currently slithering around on the Internet.
For those of you who are anxious to get to the fix, check the symptoms section (directly below) to make sure that these instructions apply to your situation, and then jump straight to the larger text at the very bottom of the page.
The malware that this fix addresses is a rather common breed, often bundled in with some larger malware packages – but there’s no question it’s an extremely nasty monster in its own right, because it has the ability to:
- Block access to the websites of all security / anti-malware software vendors (if you can’t access kaspersky.com, or symantec.com, for example, this bug might be the culprit), thereby preventing your antivirus engine (assuming you’ve got one) from downloading virus definition updates.
- Hijack all the major search engines (google.com, yahoo.com, etc.) by turning every search result link into a redirect that sends you to some random commercial website. That is, while the bug allows you to access and even submit requests to search engines, it somehow replaces all of the links provided by any given search with bogus URLs, often starting with “go” (i.e., go.google.com/…, or go.msn.com/…), that turn out to be redirects to webpages which are at best utterly useless, and at worst potential hosts for more downloadable malware (I think I’ve seen yellowpages.com and shopping.com, among others).
- Generally slow down your web browser
- Disable the Windows firewall on System startup
- Prevent anti-malware applications, particularly MalwareBytes Anti-Malware, from installing or running.
- Cause a variety of other mischief, which seems to vary somewhat on a case-by-case basis. I’ve seen the first three symptoms on every system that’s been infected with this thing, however.
Those of us who know a bit about networking will probably be tempted (as I was, repeatedly) into thinking that this bug simply relies on the age-old trick of mucking with the hosts file – which makes it all the more infuriating when you open your hosts file and discover that it is apparently completely uncompromised. No, this particular varmint is considerably more subtle and sophisticated than a simple hosts-file corrupter. In fact, it’s not even an executable, nor an executable .dll – which means that there’s no way to either find or kill it using a task manager (even Process Explorer) – because it technically isn’t a task. As it turns out, the bug is actually nothing less than a full-blown system driver, powering a virtual device that actually doesn’t exist – but one which (as far as Windows is concerned) is every bit as real as your mouse or graphics card. And in the course of investigating this bug, I’ve discovered that Windows seems to protect all files associated with active devices in such a manner that they are completely impossible to see, much less delete. Which means that the general malware-removal method I outlined previously will do absolutely nothing to kill this thing – except, of course if the driver is no longer loaded. That means that those who opt to clean out their system32 and system32/drivers directories via a Linux live CD will have no trouble at all – but those who aren’t inclined towards that kind of thing will need a different solution.
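One check that a practitioner would want at this point, written as an added example (it is not code from the original post): resolve a handful of security-vendor hostnames and see whether the answers are loopback or otherwise bogus addresses, then compare against the hosts file. If the hosts file is clean but the system still answers 127.0.0.1 for kaspersky.com, the interference sits below the hosts file, which is exactly the driver-level behaviour the paragraph above describes. Only kaspersky.com and symantec.com come from the post; the other hostnames, the hosts-file path and the verdict labels are my assumptions. Note the limit: this only catches name-resolution redirection of update servers, not the rewriting of search-result links, so an all-“ok” result does not clear the machine.

```python
"""Added example (not from the original post): classify how security-vendor
hostnames resolve, to spot the 'updates redirected to 127.0.0.1' symptom."""
import ipaddress
import socket
from pathlib import Path

# kaspersky.com and symantec.com are named in the post; the rest are assumed
# examples of vendor hosts, not a list taken from the original page.
VENDOR_HOSTS = ["kaspersky.com", "symantec.com", "malwarebytes.org",
                "avast.com", "virustotal.com"]

# Standard location of the Windows hosts file (assumption: default install path).
HOSTS_FILE = Path(r"C:\Windows\System32\drivers\etc\hosts")


def parse_hosts_file(text):
    """Return {hostname: ip} for every non-comment entry of a hosts file."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def is_bogus(ip):
    """True if the answer cannot be a real vendor server on the public Internet."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private
            or addr.is_unspecified or addr.is_link_local)


def check_resolution(hosts, resolver, hosts_file_text=""):
    """Resolve each host with `resolver` (callable: hostname -> ip string,
    raising OSError on failure) and return {host: verdict}.

    Verdicts:
      'ok'                    public address, nothing odd
      'bogus-from-hosts-file' bogus answer, and the hosts file explains it
      'bogus-resolver-only'   bogus answer NOT explained by the hosts file:
                              something below the hosts file is interfering
      'unresolvable'          no answer at all (vendor access blocked outright)
    """
    hosts_map = parse_hosts_file(hosts_file_text)
    verdicts = {}
    for host in hosts:
        try:
            ip = resolver(host)
        except OSError:
            verdicts[host] = "unresolvable"
            continue
        if not is_bogus(ip):
            verdicts[host] = "ok"
        elif hosts_map.get(host.lower()) == ip:
            verdicts[host] = "bogus-from-hosts-file"
        else:
            verdicts[host] = "bogus-resolver-only"
    return verdicts


def system_resolver(host):
    """Use the operating system's resolver (hosts file + DNS, in that order)."""
    return socket.gethostbyname(host)


if __name__ == "__main__":
    text = HOSTS_FILE.read_text(errors="replace") if HOSTS_FILE.exists() else ""
    for host, verdict in check_resolution(VENDOR_HOSTS, system_resolver, text).items():
        print(f"{host:20} {verdict}")
```

Run it on the suspect machine; a “bogus-resolver-only” line for a vendor domain is the signature to look for, and “unresolvable” across the board matches the blocked-vendor-sites symptom. The resolver is passed in as a function so the classification can be exercised against a constructed answer set without touching the network.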
Happily, a solution has been found by an enterprising member of the tech community, who was so kind as to outline his procedure here (condensed version) and here (original source of fix). The instructions are stellar, but they direct you to try to remove the thing using automated tools (most of which won’t work, because the virus will prevent them from running) before telling you how to remove it manually. Since this strikes me as an enormous waste of time, I’ve excerpted the manual removal instructions here:
Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
Then search for “TDSSserv.sys”
Right click on it, and select “Disable”
Note: If you select Uninstall, it will install itself again when you reboot the system, so DON’T select Uninstall.
Restart your pc.
You can now update your Antivirus/Malware/Rootkit software and the go.google rubbish will stop.
It’s now up to the Anti-Virus/Malware/Spyware companies to make an effort to stop this, and not rely on simple basic home PC users like myself to save the world.
In simple terms, TDSSserv.sys is a service/server redirecting all software updates to 127.0.0.1 (your own computer) so they won’t update
I would offer one addendum to these instructions: once the driver has been disabled and the system restarted, go ahead and delete all of the files in your system32 and system32/drivers folders starting with “TDSS”, as well as any other residual files that seem suspicious (again, see my original evil-file-identification algorithm for details). There’s really no point in waiting around for your anti-virus program to delete them, which is exactly what will happen the next time you run a virus scan – which, by the way, you should do immediately.
If you’re an extremely zealous/thorough sort, you could even go and remove (*carefully*) all the instances of “TDSS” in the registry, but I’ve never done so, and no computer I’ve worked on has suffered as a result. Once the driver files themselves are decommissioned/deleted, the bug is vanquished.
wesnathan said
My wife’s computer has exactly the symptoms outlined in this article. The virus, we think, arrived via an email from her mailbox on Yahoo. Whatever, I tried your fix. It doesn’t work.
Your article was written in January, 2009. This is now July. The bad guys have had time to adjust for your fix. I could not find any trace of TDSServe.sys or TDSS anything.
Are there any other fixes around I can try? Appreciate.
Wes
technosopher said
Yeah, I suspected that the ghouls behind this thing wouldn’t take all that long to update their approach; PC security remains, as always, a war of building better mousetraps, and then watching rats break them all over again. Anyway, without actually being able to muck around with your computer directly, the only solution(s) I can offer are fairly generic. First off, because of the way this kind of bug has behaved in the past, I’d recommend getting out of Windows entirely during the cleanup operation. Download a Linux live-CD (if this sounds intimidating – don’t worry; it really isn’t. Linux ain’t just for hackers anymore). Once you’ve booted from the Live CD (instructions for doing this should be available all over the place; just google “how to use a Live CD”), open a file browser (on the “Places” menu, click “XX GB Media”, where XX is the approximate size of your regular hard drive). Then search through the Windows, Windows\system32, and Windows\system32\drivers folders by hand, using my generic guide for malware removal as a guide (basically, you want to find any and all files created/modified during the approximate window of time when the virus first showed up. Also look for files with unusual or suspicious names (system.dll, for example)). Run any files you aren’t sure about by virustotal.com before removing them; also make a backup of any files you remove (just in case you accidentally remove something critical).
The three directories I mentioned above are the most critical, but you might also want to look through Documents and Settings//Application Data, paying particularly close attention to the folders for Adobe, Google, and other nearly ubiquitous applications. Also, you might want to go ahead and delete ALL the contents of Documents and Settings\\Local Settings\Temp (the stuff that’s stored here is quite literally garbage). If you have time to kill, and you want to be especially thorough, go to avast.com, and download and install the linux version of this free antivirus program (while still in the boot CD environment). You’ll have to register the thing to use it, but that just entails giving the avast people a name and email address. Once you have the thing installed, update it, and then set up a scan of “/media/disk/.” This will scan the entirety of your main hard drive for viruses, and will alert you whenever a problematic file is found.
Hope this helps, and please do let me know how you fare with this fix. If it doesn’t work, there are a few more tricks you could try, but this approach is almost certainly your best bet.
Good luck!
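The manual triage described twice on this page (the post’s “delete everything starting with TDSS in system32 and system32/drivers” step, and the reply’s live-CD procedure of looking for files modified in the infection window or carrying suspicious names, checking them on virustotal.com and backing up before removal) can be scripted. The following is an added example written for this page, not code from the post or from the linked guide: it walks the named directories, flags files by name prefix, by suspicious name and by modification time, computes SHA-256 so the hash can be looked up on VirusTotal by hand (it does not upload anything), and quarantines by moving the file with a manifest line rather than deleting it. The prefix list, the suspicious-name set and the default 14-day window are my assumptions; “TDSS” and “system.dll” are the only values taken from the page. As the post notes, files of a driver that is still loaded are hidden from Windows, so run this after disabling the driver and rebooting, or from the live CD against the mounted Windows volume.

```python
"""Added example (not from the original post): name/time-window triage of
Windows system directories with hashing and move-to-quarantine."""
import hashlib
import shutil
import sys
import time
from dataclasses import dataclass
from pathlib import Path

SUSPICIOUS_PREFIXES = ("tdss",)          # "TDSS" is from the post; extend as needed
SUSPICIOUS_NAMES = {"system.dll"}        # named in the post as worth a second look


@dataclass
class Finding:
    path: Path
    reasons: tuple      # why the file was flagged, e.g. ("name-prefix", "mtime-in-window")
    sha256: str         # hash to look up on virustotal.com (nothing is uploaded)


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(directories, window_start, window_end):
    """Scan each directory (non-recursively, as the post lists them explicitly)
    and return a Finding for every file that matches at least one rule."""
    findings = []
    for d in directories:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if not p.is_file():
                continue
            reasons = []
            name = p.name.lower()
            if name.startswith(SUSPICIOUS_PREFIXES):
                reasons.append("name-prefix")
            if name in SUSPICIOUS_NAMES:
                reasons.append("suspicious-name")
            if window_start <= p.stat().st_mtime <= window_end:
                reasons.append("mtime-in-window")
            if reasons:
                findings.append(Finding(p, tuple(reasons), sha256_of(p)))
    return findings


def quarantine(finding, quarantine_dir):
    """Move (never delete) the file into quarantine and append a manifest line
    (hash, original path, new path, reasons) so it can be restored if it turns
    out to be legitimate. Returns the quarantined path."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / f"{finding.sha256[:16]}_{finding.path.name}"
    shutil.move(str(finding.path), str(dest))
    with open(qdir / "manifest.txt", "a", encoding="utf-8") as m:
        m.write(f"{finding.sha256}\t{finding.path}\t{dest}\t{','.join(finding.reasons)}\n")
    return dest


if __name__ == "__main__":
    # Usage: triage.py [windows-root] [days-back]
    # e.g. C:\Windows on the live system, or /media/disk/Windows from a live CD.
    root = Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows")
    days = int(sys.argv[2]) if len(sys.argv) > 2 else 14   # assumed default window
    now = time.time()
    dirs = [root / "system32", root / "system32" / "drivers"]
    for f in triage(dirs, now - days * 86400, now):
        print(f.sha256, f.path, ",".join(f.reasons))
```

Review the printed list and the VirusTotal results before calling `quarantine()` on anything: “mtime-in-window” alone will also catch legitimate files touched by a Windows update in the same period, which is why the script reports reasons and hashes instead of acting on its own.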