Practical computer tips, with a smattering of digital philosophy
I’m happy to report that I just stumbled across a bit of information that fixes a serious flaw/oversight in my malware removal how-to guide, and sheds a great deal of light on the inner workings of one of the more obnoxious families of malware currently slithering around on the Internet.
For those of you who are anxious to get to the fix, check the symptoms section (directly below) to make sure that these instructions apply to your situation, and then jump straight to the larger text at the very bottom of the page.
The malware that this fix addresses is a rather common breed, often bundled in with some larger malware packages – but there’s no question it’s an extremely nasty monster in its own right, because it has the ability to:
Those of us who know a bit about networking will probably be tempted (as I was, repeatedly) to assume that this bug relies on the age-old trick of editing the hosts file, which makes it all the more infuriating when you open your hosts file and find it apparently untouched. No, this particular varmint is considerably more subtle and sophisticated than a simple hosts-file corrupter. It is not a user-mode program at all, nor a .dll loaded into one: it is a kernel-mode driver (a .sys file), registered as a service and backing a device that does not physically exist but which, as far as Windows is concerned, is every bit as real as your mouse or graphics card. That is why no task manager, Process Explorer included, will show it as a process you can kill; Process Explorer does list loaded drivers among the modules of the System process, but there is nothing there to terminate. It also explains the file hiding: a driver runs with kernel privileges and can filter the results of every directory listing and file open that the running Windows performs, so its own files never appear and cannot be deleted from inside the infected system. This is the rootkit hiding itself, not Windows protecting files that belong to active devices; legitimate driver files such as ntfs.sys are perfectly visible in system32\drivers. Either way, the general malware-removal method I outlined previously will do absolutely nothing to kill this thing while the driver is loaded. Those who opt to clean out their system32 and system32\drivers directories from a Linux live CD will have no trouble at all, because the rootkit is not running offline and has nothing to hook; those who aren’t inclined towards that kind of thing will need a different solution.
Go to Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.
Scroll down to “Non-plug and Play Drivers” and click the plus icon to open those drivers.
Then search for “TDSSserv.sys”
Right-click on it, and select “Disable”
Note: If you select Uninstall, it will install itself again when you reboot the system, so DON’T select Uninstall.
Restart your PC.
You can now update your Antivirus/Malware/Rootkit software and the go.google rubbish will stop.
It’s now up to the Anti-Virus/Malware/Spyware companies to make an effort to stop this, and not rely on simple basic home PC users like myself to save the world
In simple terms, TDSSserv.sys is a service/server redirecting all software updates to 127.0.0.1 (your own computer) so they won’t update
If you’re an extremely zealous/thorough sort, you could even go and remove (*carefully*) all the instances of “TDSS” in the registry, but I’ve never done so, and no computer I’ve worked on has suffered as a result. Once the driver files themselves are decommissioned/deleted, the bug is vanquished.
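As an added example (my code, not part of the original post or of the forum instructions quoted above), here is the same check and the same Disable step done from PowerShell, plus the cross-view test a practitioner would want: every kernel driver Windows has registered is a service with an image path, so a driver that reports itself as running but whose file cannot be found from inside Windows is almost certainly hiding itself. The name TDSSserv comes from the post; the wildcard parameter, the path normalisation and the use of sc.exe to set the start type are my assumptions about how you would script it.

```powershell
# Added example, not from the original post or the quoted forum instructions.
# Cross-view check: every kernel driver Windows has registered is a service with
# an image path. If the service says it is running but Test-Path cannot see the
# file, something in the kernel is filtering file listings, which is exactly
# what this rootkit does. Then disable the named driver, as the post advises,
# instead of uninstalling it. The name 'TDSSserv' is from the post; the rest is
# assumed. Run from an elevated Windows PowerShell prompt.

param(
    [string]$NamePattern = 'TDSS*'   # assumption: wildcard for the driver to act on
)

# Win32_SystemDriver covers kernel and file-system drivers, including the
# "Non-Plug and Play Drivers" that Device Manager shows only with hidden devices on.
$drivers = @(Get-WmiObject -Class Win32_SystemDriver)

function Resolve-DriverPath([string]$raw) {
    # ImagePath values come in several spellings; turn them into a Win32 path.
    if (-not $raw) { return $null }
    $p = $raw -replace '^\\\?\?\\', ''                      # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot       # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:\\') {                      # system32\drivers\x.sys (relative)
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if ($path -and $d.State -eq 'Running' -and -not (Test-Path -LiteralPath $path)) {
        Write-Warning ("{0} is RUNNING but its file is not visible: {1}" -f $d.Name, $path)
    }
}

# Now the specific driver from the post.
$suspect = @($drivers | Where-Object { $_.Name -like $NamePattern })
if ($suspect.Count -eq 0) {
    Write-Host "No driver matching '$NamePattern' is registered (or it is hiding its service entry)."
} else {
    $suspect | Format-Table Name, State, StartMode, PathName -AutoSize
    foreach ($s in $suspect) {
        # Same effect as "Disable" in Device Manager: the driver will not be loaded
        # at next boot. Deliberately not deleting the service; the post notes that
        # "Uninstall" lets it reinstall itself on reboot. sc.exe needs the space
        # after 'start='.
        & sc.exe config $s.Name start= disabled
    }
    Write-Host "Reboot, then update and run your anti-malware tools."
}
```

Two caveats: a rootkit that also filters registry or WMI queries can hide its service entry from this script just as it hides its file, in which case the Device Manager route (or an offline boot) is the fallback; and a warning about a legitimate driver usually means its image path is written in a form the normaliser above does not handle, so check the path by hand before assuming the worst.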
I had the great honor of becoming acquainted with yet another malicious “anti-malware” program this evening, and in the process I discovered yet another place where these bugs can hide their files. Actually, the cloaking tactics used by this particular scourge were some of the most fiendishly clever I’ve ever seen. First off, the malware piggybacked on a system process (in typical rootkit style), making it impossible (a) to find the name of the malicious process in Task Manager, and (b) to kill the process directly (without shutting down Windows, of course). But this is hardly atypical malware behavior; the real kicker was where the malware had decided to deposit its files. Here’s how I found them:
The bug in question was one of the ones that hijacks IE and displays bogus “unsafe browsing” warnings at regular intervals, and after half an hour of fruitless poking around, it occurred to me that these alerts might actually supply a way to track them back to their source. Sure enough, when I viewed the HTML source of the warning page, I discovered that it referenced files in the user’s Application Data directory (%USERPROFILE%\Application Data on XP), specifically in a subdirectory named Google. The bug had even been cheeky enough to put an empty subfolder named something like “Saved search results” in the directory, along with a bunch of .dll and .exe files with random names. Tada.
After being thoroughly outraged (and, I must admit, a bit amused) by this program’s sheer audacity, removal was a simple matter of moving the entire Google directory somewhere else (I have no idea why this is, but while files being used by active processes cannot be moved, their parent folders can), and then deleting it once Windows had been restarted. (KillBox didn’t work on these, by the way.)
At any rate, here’s the updated list of all the places I’ve found malware lurking to date:
– C:\Windows (most often .dll files with random names, though some call themselves things like “sysrestore32.exe”; in case you can’t tell, that’s definitely not what the System Restore executable is called)
– C:\Windows\system32 (same as above)
– %USERPROFILE%\Local Settings\Temp (same as above; I’ve also seen winlogon.exe and winlogun.exe here, and the genuine winlogon.exe lives only in system32)
– %USERPROFILE%\Application Data, in a plausibly named subfolder such as the Google directory described above
*Because this link takes you directly to the file itself, and there’s no documentation on the server that’s hosting it, the best I can do to prove that this is what I claim it is (if you were skeptical, bravo) is to point you to other sites that have recommended the use of this program: here’s one from Experts Exchange (sign-in required), and here’s another from some random forum.
The point here is that you need to either:
(1) identify and kill every single process that is either actively using or was spawned by the files in question, or
(2) switch to an environment in which it’s totally impossible that any such process could be running.
The first option lets you work inside Windows, but probably won’t help if your computer is infected with a rootkit, or with malware that injects its code into a system process: as far as the system is concerned the malicious code is then part of explorer.exe (say), and as long as explorer.exe is running you will not be able to delete the files it has loaded. Period. The second option, by contrast, is guaranteed to let you delete or move any file you wish, because nothing from the infected system is running, but it requires booting from a Linux live CD (or some other environment that does not load the infected Windows, such as slaving the drive to a clean machine). Depending on which option you choose, here’s some additional helpful information.
1. If you elect to try the first option (which, being more straightforward for most people, is probably a good first step), there are two utilities that will make your search-and-removal task a great deal easier: Process Explorer, and KillBox:
I’m afraid I don’t have the time or energy at the moment to detail the various ways in which you might use these applications to your advantage, but the programs are both fairly intuitive, and Process Explorer has excellent documentation, so you shouldn’t have much trouble. (The one Process Explorer feature you will certainly need is Find > Find Handle or DLL, which tells you which process has a given file open or loaded.)
2. As for the second option, I can only say that I do plan on writing a primer on how to obtain and use a Linux boot CD for a wide variety of system-rescue purposes, but not right now. So if you know exactly what I’m talking about, and just need help mounting your system drive, go for it. Use the ntfs-3g driver (mount -t ntfs-3g -o rw /dev/sda1 /mnt, substituting your Windows partition), not the old in-kernel ntfs driver, which cannot delete or create files; and shut Windows down properly beforehand, since ntfs-3g refuses to write to a hibernated volume. Otherwise, if you really cannot find any other way to permanently delete the files in question, you’ll either have to consult an online Linux tutorial, or consider the possibility of reformatting your hard disk and reinstalling Windows.
– Browser hijacking, which prevents any web browser from reaching anti-malware websites, and redirects the browser to random shopping websites whenever you click a link from a search engine (Google, Yahoo, you name it).
– Disappearance of the “Display”, “Screen Saver”, and “Advanced” tabs in the Display Control Panel.
– Disappearance of the Folder Options Control Panel.
– Crippling of Windows Security Center.
– Disabled Windows-key shortcuts (Win+R, Win+D, etc.).
– Disabled Command Prompt.
– Disabled Registry Editor.
– Appearance of cockroaches on the desktop, accompanied by a warning informing the user that there “are bugs on the system”. I’m not kidding.
Of all the issues I was thinking of discussing first, this one seems by far the most urgent, since the epidemic of computers being infected by malware masquerading as anti-malware is growing worse by the minute.
If you’ve come to this page by way of a Google search for the aforementioned “applications,” chances are you’ll already have encountered (and possibly tried to follow) several different sets of conflicting instructions for removing your nasty parasite. While many of these how-to guides do offer useful advice, most are unfortunately somewhat incomplete: they point you to a few heavy-duty, heavily specialized anti-malware applications that can detect MOST, but not all, of the artifacts associated with the bugs infesting your computer. After some 20 hours of fiddling with the programs recommended by these sites, as well as some other top-notch diagnostic utilities, I’ve managed to devise a removal method that is fast, straightforward, and effective, and that doesn’t require the use of ANY third-party applications at all. Because I suspect most of you are primarily looking for a quick fix, I’ll spell out exactly what you need to do first; those of you who are interested in the derivation of this technique, and in the empirical evidence behind it, please see the section following this step-by-step procedure. Without further ado:
Basically, Antivirus 2008 XP, Antivirus 2009 XP, Antispyware 2008 XP, and whatever other titles these bugs have decided to call themselves all work roughly the same way: they drop randomly named files with misleading extensions in your system folders, and then use valid Windows components (rundll32.exe, for example) to load and execute them. Several features of this design are, I am forced to admit, fiendishly clever. Because the files have randomly generated names (kjO1xpf.log, for example), neither you nor a blacklist of known-bad filenames will catch them. [Update: malware from other families may use a different but equally devious tactic to disguise its files: giving them names that are identical, or nearly identical, to those of critical Windows files. winlogon.dll seems to be a popular choice.] Furthermore, because the damage is done by code in those files being loaded into legitimate Windows processes rather than by a process of their own, process analysis (looking at the list of currently running processes) is nearly useless: apart from the “Antivirus 200?…” window itself, which does nothing but annoy you and is instantly regenerated by its hidden helper files, every process associated with the bug is an instance of a genuine Windows component, such as rundll32.exe, that looks completely legitimate. The malicious file shows up only if you look at what that process has loaded, or at the command line rundll32.exe was started with, which names the DLL.
However, these bugs have a couple of critical weaknesses that can be turned against them: in the infections I’ve handled they do not alter the creation date and time of their files, and they cannot pass as genuine Microsoft files. (Two caveats a careful reader will want. Timestamps can be forged by malware that bothers to, so treat the creation date as a heuristic, not a guarantee. And “looks like Microsoft” should mean “carries a valid Microsoft digital signature”, which a forger cannot produce, rather than “says Microsoft in the Company column”, which anyone can write; Sysinternals’ sigcheck verifies signatures for a whole folder in one go.) Typically, all the files responsible for generating and sustaining these bugs are created within the same two-day period, and because they have chosen to live in folders full of system files that otherwise change rarely, they will make up the vast majority of the files created in that window. Therefore, here, more or less, is what you need to do. I’d recommend doing all of this with Windows Explorer in “Details” view with the “Date Created” column added (right-click the column header; the default “Date Modified” column is not the one you want), so that you can sort by creation date.
– Restart the computer.
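The date-clustering and “is it really Microsoft” heuristic described above, together with the earlier point that you must know which process has a file loaded before you can delete it, as one added PowerShell script (my example, not the post’s own procedure). It scans the folders listed on this page for files created in a burst within a short window of each other, keeps only those without a valid Microsoft Authenticode signature, prints what each one claims about itself in its version info, and reports which running processes have the file mapped. The window, cluster size and look-back are assumed thresholds. On XP, Vista and 7 Get-AuthenticodeSignature sees only embedded signatures, and many genuine Microsoft files in system32 are catalog-signed instead, so “not Microsoft-signed” here is a filter for a human to review, not a verdict (sigcheck from Sysinternals checks catalogs too).

```powershell
# Added example, not from the original post. Implements the post's heuristic:
# list files in the folders where these infections were found, keep those created
# in a burst within a short window, drop anything with a valid Microsoft
# signature, then report which running processes have each remaining file loaded.
# Thresholds are assumptions. Run from an elevated Windows PowerShell prompt.

param(
    [int]$WindowDays   = 2,    # the post observed all files landing within ~2 days
    [int]$MinCluster   = 3,    # assumption: a burst is at least this many files
    [int]$LookBackDays = 30    # assumption: ignore anything older than this
)

# Folders named on this page (XP layout) plus %TEMP% for newer Windows.
$folders = @(
    $env:SystemRoot,
    (Join-Path $env:SystemRoot 'system32'),
    (Join-Path $env:USERPROFILE 'Local Settings\Temp'),
    $env:TEMP
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique

$cutoff = (Get-Date).AddDays(-$LookBackDays)

# Non-recursive on purpose: the post found the droppers directly in these folders.
# -Force includes hidden and system files, which is where these things sit.
$recent = @(foreach ($f in $folders) {
    Get-ChildItem -LiteralPath $f -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.CreationTime -gt $cutoff }
})

$flagged = @()
foreach ($file in $recent) {
    # Files created within +/- $WindowDays of this one (itself included).
    $burst = @($recent | Where-Object {
        [math]::Abs(($_.CreationTime - $file.CreationTime).TotalDays) -le $WindowDays
    })
    if ($burst.Count -lt $MinCluster) { continue }

    # The reliable "is this Microsoft?" test is the signature, not the Company
    # field, which any file can claim. Valid and signed by Microsoft: leave it.
    # (Embedded signatures only on older Windows; see the lead-in.)
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    if ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*') {
        continue
    }

    # Record what the file claims about itself so the reviewer can compare.
    $flagged += New-Object PSObject -Property @{
        Path     = $file.FullName
        Created  = $file.CreationTime
        Size     = $file.Length
        ClaimsCo = $file.VersionInfo.CompanyName
        SigState = $sig.Status
        BurstOf  = $burst.Count
    }
}

$flagged | Sort-Object Created | Format-Table Created, BurstOf, SigState, ClaimsCo, Path -AutoSize

# Which process has each flagged file mapped? rundll32.exe or explorer.exe here
# means the file is in use: kill that process (or boot offline) before deleting.
# Note: a 32-bit PowerShell cannot enumerate the modules of 64-bit processes.
foreach ($hit in $flagged) {
    $holders = @(Get-Process -ErrorAction SilentlyContinue | Where-Object {
        try {
            ($_.Modules | ForEach-Object { $_.FileName }) -contains $hit.Path
        } catch { $false }
    })
    if ($holders.Count -gt 0) {
        $names = ($holders | ForEach-Object { "$($_.ProcessName)($($_.Id))" }) -join ', '
        "{0} is loaded by: {1}" -f $hit.Path, $names
    }
}
```

Read the output the way the post describes: a burst of several unsigned files created on the same day or two, with empty or bogus Company fields and held open by rundll32.exe or explorer.exe, is the signature of these families. A Windows Update run also creates a burst of files in system32 on one day, but those carry valid Microsoft signatures (or are catalog-signed, which sigcheck will confirm), so they drop out of the list or are easy to dismiss.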
I’ve developed this strategy over the course of several months, during which time I’ve had the pleasure of encountering no fewer than five heavily infected laptops: four being plagued by variants of the “antivirus 200x XP” bug, and one suffering from a variety of bugs that were almost certainly from a different family (see below). In all five cases, I was able to completely remove the malware (granted, in a couple of cases some artifacts remained, but these were just consequences of all the disgusting policy-hijacking these programs love to engage in; no trace of an active infection remained. And I suspect that if I’d used the policy fixers I now know about on those machines, those remnants would have disappeared).
At any rate, I just had an opportunity to joust with a particularly bad infestation on a laptop – and though the process took over 3 hours, the information I gleaned in the process was extremely valuable. What was particularly remarkable about this situation was that though none of the bugs on the machine in question seemed to have any direct relation to the “Antivirus 2009 XP” family of malware, the procedure described above proved equally effective here – with a few minor tweaks. In other words, my experience this evening has confirmed something I’ve suspected for quite some time: many malware developers are apparently relying on a relatively narrow and predictable set of techniques to conceal their wares – and though these techniques are often extremely effective at bamboozling anti-virus engines, many of them cannot survive even the most cursory examination by a human who knows what to look for.