
Tags
avg, infection, malwarebytes, rootkit, virus

Rootkit PSA

Posted 03-29-2009, 08:32 PM, #1
process (Discerning Collector)
Join Date: Dec 2008
Posts: 1,234
Location: New Jersey, USA
Collection Count: Five Dozenish?
News Credits: 6

I just finished cleaning this nasty little infection off my dad's computer. I thought I'd post a little summary of what happened, and how to remove it. I wouldn't normally post something like this, but I was surprised by the apparent ease with which someone (like my dad, who is not computer-illiterate) could be infected, the severity of the symptoms and the significant difficulty of removal. Here is how this situation progressed:

1. I turned on the computer and booted into Windows XP, instantly hitting a BSOD about a Windows session error. Subsequent reboots resulted in the same thing. Booting into safe mode only yielded a cursor on a black screen, with zero functionality. Clearing the BIOS and resetting the CMOS did nothing. My first instinct was that I was dealing with a failed hard drive. Scenarios of dealing with Dell customer support began playing out in my head.

2. By sheer luck, I managed to boot into Windows using the "last known good settings". Everything appeared to be normal. Not having ruled out the possibility of a virus, I attempted to download Malwarebytes Anti-Malware. First problem-- Internet Explorer had been hijacked. All search results for anti-virus software (Malwarebytes, AVG, Kaspersky, etc.), when clicked, would forward me to phony antivirus sites and pop-ups. A manual scan of the registry and services yielded nothing.

3. No problem-- I whipped out my USB stick, downloaded and transferred Malwarebytes Anti-Malware, along with AVG for good measure, from my computer to the infected computer. I double-clicked on the Malwarebytes install executable-- nothing. Double-clicked again, same thing. Checking the task manager, I found that the Malwarebytes processes were stacking up without any activity. Curious. Somehow, AVG installed fine, and soon enough I had a full system scan complete, with about 50 infections, all in critical system files (explorer, winlogon, etc.) and labelled "win32/cryptor". I ran a purge, predictably with most of the infected files being left in quarantine instead of being deleted. After rebooting, I re-scanned to find that all the so-called clean files had been re-infected.

4. If AVG had not been able to identify what was infecting the computer, I probably would have been boned at this point. However, knowing its name allowed me to quickly find this page. This revealed to me (as I had suspected at this point) that the rootkit infecting the computer (CLB Rootkit infection aka TDSS, Seneka, GAOPDX and UAC Rootkit) not only prevents web browsers from reaching anti-virus sites, but it blocks the installation of certain anti-virus programs and will cripple others that have already been installed. Using the nifty tool that the website above links to, I removed the source infection. This essentially un-crippled the computer, allowing me to run Malwarebytes to remove the rest of the infection.

5. Perhaps the most startling revelation was that at this point I realized that Norton Antivirus software had been running on the computer this entire time. After a restart, Norton cheerfully decided to start working again. The boot problems I had initially encountered disappeared. Everything was back to normal.

6. After a brief conversation with my dad, it sounds like the infection was spread through one of those fake anti-virus popups, not unlike the ones that had hijacked the flash advertisements on Photobucket, which are far less severe.

In conclusion, I was surprised at the extent to which this rootkit was able to disable any and all attempts to remove it. Internet browsers, hijacked. Antivirus install *.exes, sabotaged. Antivirus software, suppressed. And the sneaky nature of the rootkit made it impossible to manually find certain infected files. If I didn't have the name of the infection, or an additional computer to use, I think my only option would have been to reformat the hard drive, something that I've never had to do to disinfect a computer.

Anyway, I just thought I'd share.
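Added example (not part of the original post, and not any of the tools it mentions): the step that actually proved the cleanup had failed was re-scanning after a reboot and finding the "cleaned" system files re-infected. A small baseline-and-compare check makes that observation repeatable without depending on an AV engine's signatures. The script below hashes a watched set of files, takes a second snapshot later, and reports which files changed, vanished or appeared. The file names and directory are constructed stand-ins (a temp directory with fake "explorer.exe"/"winlogon.exe" contents), not a real Windows system folder.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Snapshot each watched file (relative to root) as (size, sha256); None if missing."""
    baseline = {}
    for name in names:
        p = Path(root) / name
        baseline[name] = (p.stat().st_size, sha256_file(p)) if p.is_file() else None
    return baseline


def diff_baseline(before, after):
    """Compare two snapshots; status per file is unchanged/modified/removed/appeared."""
    report = {}
    for name in before.keys() | after.keys():
        b, a = before.get(name), after.get(name)
        if b == a:
            report[name] = "unchanged"
        elif b is None:
            report[name] = "appeared"
        elif a is None:
            report[name] = "removed"
        else:
            report[name] = "modified"
    return report


def demo():
    """Constructed scenario: three fake system binaries, then a post-reboot change."""
    with tempfile.TemporaryDirectory() as root:
        names = ["explorer.exe", "winlogon.exe", "svchost.exe"]
        for n in names:
            (Path(root) / n).write_bytes(b"MZ clean " + n.encode())
        before = build_baseline(root, names)

        # Simulate what the post describes after the reboot: a file that was
        # supposedly clean has been rewritten, and an extra module has shown up.
        (Path(root) / "winlogon.exe").write_bytes(b"MZ clean winlogon.exe" + b"\x90\x90")
        (Path(root) / "extra.dll").write_bytes(b"MZ")
        after = build_baseline(root, names + ["extra.dll"])
        return diff_baseline(before, after)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

One caveat that the post itself illustrates (it could not find certain infected files by hand): a kernel-mode rootkit on the running OS can hide or spoof file contents from a user-mode hasher, so take the "before" snapshot and the later comparison from a known-clean boot medium, not from inside the infected Windows session.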