So! I had a fun time in the last week or so, taking care of a family PC that had been dropped at my doorstep with a plea to clean it of various ailments. I figured it had been a while since I dove into hands-on troubleshooting, so why not? This could be fun! I dubbed it the Project PC, and live tweeted the process. Now that it's complete, here's the rundown of what happened, and how we fixed it.
Engage nerd voice.
On our first boot, we were met with a rogue anti-spyware application called System Tool. This is one of the most common types of infections out there. Basically, it'll pop up all these warnings and run fake scans and offer to clean your PC for a small fee. It's dirty pool, but people end up with them all too easily.
Well, as you surf around the internet, you've probably noticed advertisements on web pages. Some of them are designed to look like warnings and dialog boxes that are part of Windows, prompting you to click and correct a fake problem on your computer. That downloads the installer, and presto. You've just infected yourself.
Getting rid of this particular nuisance meant using some tools built into Windows, like Task Manager to locate unfamiliar processes, and MSConfig to manage the applications and services that start up with your computer. Once I stopped the program from running, it was a breeze to locate the executable and delete it.
That was the easy part.
After this cleanup, I noticed that the ping.exe process was running hard in the background, chewing up almost 160 MB of memory at a time. That's not normal. There weren't any more odd programs running that I could spot, so I decided it was time to bring in a real Anti-Virus program.
Since we're dealing with a pretty low-powered machine, I decided to go with Microsoft Security Essentials, which has a nice, small footprint on the system performance. I Googled the phrase, and clicked on the correct result... and was redirected to a download page for another fake antivirus app.
So, what now? Well, now we send in the big guns.
The runaway Ping and redirection are caused by a Rootkit known as TDSS. This is the real source of our problems. If we continue redirecting legitimate search results to malware download sites, it's only a matter of time until we get seriously messed up again. Not only that, but TDSS has a few hooks into the computer that allows all sorts of bad things to happen. The ping, for example, was this PC participating in a remotely coordinated Denial of Service attack - where a series of compromised systems would continually slam at a server online until it's no longer able to manage incoming traffic. The bad guy was still in control here, so we had to find and remove the rootkit.
TDSS is a nasty customer. It inserts itself as the driver tdx.sys - a file protected by Windows so that it cannot be removed. You would normally have to boot into a second Operating System in order to delete the file. Luckily, there's a tool by Kapersky designed to beat this exact rootkit, aptly named TDSSKiller. I grabbed it, and sucessfully killed TDSS.
We rebooted, and good news! There was no sign of infection. Bad news, the computer was now no longer able to get online. It refused to obtain an IP address from my router, which would be necessary for doing internet-type things.
I checked in the system log and found that the service DHCP, which is responsible for obtaining an IP address, was being held up due to a dependancy on the previously removed tdx.sys. Ah, whoops. I should have figured that a root kit that hijacks your browsing experience would have inserted itself into the computer's networking setup.
I couldn't find documentation online that proved the file was necessary at all, so instead of restoring it, as I didn't have system disks, I just popped into the registry and removed the dependancy (this was in HKLM/system/currentcontrolset/services/dhcp in case you need to know). On the next boot, we got online with no problem, and no redirects. We were essentially clean. But there was a bit to do yet.
I ran further scans with Malwarebytes and cleared out some junk files with CCleaner. I also went about fixing the attributes on the user's personal files - which TDSS had set as invisible and read only. Finally, I went about uninstalling various toolbars and crap applications - online casinos, Limewire, and the virus addled pirated versions of silly Popcap games that were downloaded using it. There were also some "Free" screensavers, icons and such from the peddler Freeze dot com. This all paints a pretty likely picture of how the rootkit landed on this computer in the first place. Left to their own devices, we're guaranteed to end up right back at square one soon enough.
Remember, if you try to get something for free that usually costs money - and don't know what you're doing - you're setting yourself up for a butthurt PC.
So now that we were clean, I needed to stage an intervention. Stop junk from getting here in the first place. Here are the preventative measures I set up:
- It all starts with Google Chrome. If you haven't used it yet, this browser is fast, lightweight, and generally doesn't support the attack vectors that end up loading junk via Internet Explorer.
- I added in the AdBlock extension to prevent those happy flashing ads from loading and enticing our user into bad downloads.
- I set the default search as DuckDuckGo, letting us bypass the link farms and crap sites that litter Google's search results.
- I set the PC up for OpenDNS, which should actively block malware sites from being able to load.
Next, I needed to set up some alternatives to correct bad surfing behaviour. I added Facebook and Grooveshark to the desktop as an application shortcuts using Chrome. This should let our user network and listen to music without having to do searches and risk landing on bad sites. I put a shortcut to the Chrome app store there as well, labelling it "Apps and Games". There are plenty of free games available here that should scratch that itch without needing to download junk.
For ongoing care, the first thing I'll do when I hand the PC back is email the user an invite to my Soluto network. This will let me remotely monitor and correct issues before they become major headaches.
Now, this was all a lot of work. The preferred (and quick) solution to an infection like this is of course to just wipe everything and reinstall. But without any system disks on hand, I needed to defeat it the old school way. I'm pretty proud of my work, and hope it's a while before I need to deal with this particular machine again.