Removing malware of a particular kind

0

I need to remove some malware from my computer. It is a trojan, and very annoying. It blocks access to Google and search sites. The trojan, with its name spelled out on each line because it seems to block sites when I reference it in a URL, is

a r t (some text to mess it up) e m (more text i s

First off, what is it, what does it do? Second, why can't I access google or yahoo or any other search sites at all?

Third, can it be removed via McAfee? It says it quarantined it when I scanned.

I found a suspicious process "c"s"r"s"s".exe and it will not let me terminate it, and this is what McAfee says it is. Why on earth isn't McAfee getting rid of it? I even blocked internet access for this program.

Thanks so much, I get kinda freaked out with things like this...

Here is my entire Hosts file:

127.0.0.1   go.mail.ru
127.0.0.1   nova.rambler.ru
127.0.0.1   google.ad
127.0.0.1   www.google.ad
127.0.0.1   google.ae
127.0.0.1   www.google.ae
127.0.0.1   google.am
127.0.0.1   www.google.am
127.0.0.1   google.com.ar
127.0.0.1   www.google.com.ar
127.0.0.1   google.as
127.0.0.1   www.google.as
127.0.0.1   google.at
127.0.0.1   www.google.at
127.0.0.1   google.com.au
127.0.0.1   www.google.com.au
127.0.0.1   google.az
127.0.0.1   www.google.az
127.0.0.1   google.ba
127.0.0.1   www.google.ba
127.0.0.1   google.be
127.0.0.1   www.google.be
127.0.0.1   google.bg
127.0.0.1   www.google.bg
127.0.0.1   google.bs
127.0.0.1   www.google.bs
127.0.0.1   google.com.by
127.0.0.1   www.google.com.by
127.0.0.1   google.ca
127.0.0.1   www.google.ca
127.0.0.1   google.ch
127.0.0.1   www.google.ch
127.0.0.1   google.cn
127.0.0.1   www.google.cn
127.0.0.1   google.cz
127.0.0.1   www.google.cz
127.0.0.1   google.de
127.0.0.1   www.google.de
127.0.0.1   google.dk
127.0.0.1   www.google.dk
127.0.0.1   google.ee
127.0.0.1   www.google.ee
127.0.0.1   google.es
127.0.0.1   www.google.es
127.0.0.1   google.fi
127.0.0.1   www.google.fi
127.0.0.1   google.fr
127.0.0.1   www.google.fr
127.0.0.1   google.gr
127.0.0.1   www.google.gr
127.0.0.1   google.com.hk
127.0.0.1   www.google.com.hk
127.0.0.1   google.hr
127.0.0.1   www.google.hr
127.0.0.1   google.hu
127.0.0.1   www.google.hu
127.0.0.1   google.ie
127.0.0.1   www.google.ie
127.0.0.1   google.co.il
127.0.0.1   www.google.co.il
127.0.0.1   google.co.in
127.0.0.1   www.google.co.in
127.0.0.1   google.is
127.0.0.1   www.google.is
127.0.0.1   google.it
127.0.0.1   www.google.it
127.0.0.1   google.co.jp
127.0.0.1   www.google.co.jp
127.0.0.1   google.kg
127.0.0.1   www.google.kg
127.0.0.1   google.co.kr
127.0.0.1   www.google.co.kr
127.0.0.1   google.li
127.0.0.1   www.google.li
127.0.0.1   google.lt
127.0.0.1   www.google.lt
127.0.0.1   google.lu
127.0.0.1   www.google.lu
127.0.0.1   google.lv
127.0.0.1   www.google.lv
127.0.0.1   google.md
127.0.0.1   www.google.md
127.0.0.1   google.com.mx
127.0.0.1   www.google.com.mx
127.0.0.1   google.nl
127.0.0.1   www.google.nl
127.0.0.1   google.no
127.0.0.1   www.google.no
127.0.0.1   google.co.nz
127.0.0.1   www.google.co.nz
127.0.0.1   google.com.pe
127.0.0.1   www.google.com.pe
127.0.0.1   google.com.ph
127.0.0.1   www.google.com.ph
127.0.0.1   google.pl
127.0.0.1   www.google.pl
127.0.0.1   google.pt
127.0.0.1   www.google.pt
127.0.0.1   google.ro
127.0.0.1   www.google.ro
127.0.0.1   google.ru
127.0.0.1   www.google.ru
127.0.0.1   google.com.ru
127.0.0.1   www.google.com.ru
127.0.0.1   google.com.sa
127.0.0.1   www.google.com.sa
127.0.0.1   google.se
127.0.0.1   www.google.se
127.0.0.1   google.com.sg
127.0.0.1   www.google.com.sg
127.0.0.1   google.si
127.0.0.1   www.google.si
127.0.0.1   google.sk
127.0.0.1   www.google.sk
127.0.0.1   google.co.th
127.0.0.1   www.google.co.th
127.0.0.1   google.com.tj
127.0.0.1   www.google.com.tj
127.0.0.1   google.tm
127.0.0.1   www.google.tm
127.0.0.1   google.com.tr
127.0.0.1   www.google.com.tr
127.0.0.1   google.com.tw
127.0.0.1   www.google.com.tw
127.0.0.1   google.com.ua
127.0.0.1   www.google.com.ua
127.0.0.1   google.co.uk
127.0.0.1   www.google.co.uk
127.0.0.1   google.co.vi
127.0.0.1   www.google.co.vi
127.0.0.1   google.com
127.0.0.1   www.google.com
127.0.0.1   google.us
127.0.0.1   www.google.us
127.0.0.1   google.com.pl
127.0.0.1   www.google.com.pl
127.0.0.1   google.co.hu
127.0.0.1   www.google.co.hu
127.0.0.1   google.ge
127.0.0.1   www.google.ge
127.0.0.1   google.kz
127.0.0.1   www.google.kz
127.0.0.1   google.co.uz
127.0.0.1   www.google.co.uz
127.0.0.1   bing.com
127.0.0.1   www.bing.com
127.0.0.1   search.yahoo.com
127.0.0.1   ca.search.yahoo.com
127.0.0.1   ar.search.yahoo.com
127.0.0.1   cl.search.yahoo.com
127.0.0.1   co.search.yahoo.com
127.0.0.1   mx.search.yahoo.com
127.0.0.1   espanol.search.yahoo.com
127.0.0.1   qc.search.yahoo.com
127.0.0.1   ve.search.yahoo.com
127.0.0.1   pe.search.yahoo.com
127.0.0.1   at.search.yahoo.com
127.0.0.1   ct.search.yahoo.com
127.0.0.1   dk.search.yahoo.com
127.0.0.1   fi.search.yahoo.com
127.0.0.1   fr.search.yahoo.com
127.0.0.1   de.search.yahoo.com
127.0.0.1   it.search.yahoo.com
127.0.0.1   nl.search.yahoo.com
127.0.0.1   no.search.yahoo.com
127.0.0.1   ru.search.yahoo.com
127.0.0.1   es.search.yahoo.com
127.0.0.1   se.search.yahoo.com
127.0.0.1   ch.search.yahoo.com
127.0.0.1   uk.search.yahoo.com
127.0.0.1   asia.search.yahoo.com
127.0.0.1   au.search.yahoo.com
127.0.0.1   one.cn.yahoo.com
127.0.0.1   hk.search.yahoo.com
127.0.0.1   in.search.yahoo.com
127.0.0.1   id.search.yahoo.com
127.0.0.1   search.yahoo.co.jp
127.0.0.1   kr.search.yahoo.com
127.0.0.1   malaysia.search.yahoo.com
127.0.0.1   nz.search.yahoo.com
127.0.0.1   ph.search.yahoo.com
127.0.0.1   sg.search.yahoo.com
127.0.0.1   tw.search.yahoo.com
127.0.0.1   th.search.yahoo.com
127.0.0.1   vn.search.yahoo.com
127.0.0.1   images.google.com
127.0.0.1   images.google.ca
127.0.0.1   images.google.co.uk
127.0.0.1   news.google.com
127.0.0.1   news.google.ca
127.0.0.1   news.google.co.uk
127.0.0.1   video.google.com
127.0.0.1   video.google.ca
127.0.0.1   video.google.co.uk
127.0.0.1   blogsearch.google.com
127.0.0.1   blogsearch.google.ca
127.0.0.1   blogsearch.google.co.uk
127.0.0.1   searchservice.myspace.com
127.0.0.1   ask.com
127.0.0.1   www.ask.com
127.0.0.1   search.aol.com
127.0.0.1   search.netscape.com
127.0.0.1   yandex.ru
127.0.0.1   www.yandex.ru
127.0.0.1   yandex.ua
127.0.0.1   www.yandex.ua
127.0.0.1   search.about.com
127.0.0.1   www.verizon.net
127.0.0.1   verizon.net

Cyclone

Posted 2009-10-01T21:35:55.457

Reputation: 544

possible duplicate of What to do if my computer is infected by a virus or a malware?

– Ƭᴇcʜιᴇ007 – 2011-11-12T19:35:36.813

Assuming those "'s are to break it up, that process is the Client Server Runtime Process, and you can't kill it because it's vital to Windows' continued living. – Phoshi – 2009-10-01T21:40:30.380

It is to break it up, and that is the infected file. Thanks, that makes sense. – Cyclone – 2009-10-01T21:42:38.673

Well, if I were a virus engineer, hijacking a vital process would be a nice start. System restore? – Phoshi – 2009-10-01T21:43:49.887

@phoshi I don't have a backup of my files, it is imperative that they are not lost. What is this virus and what does it do? – Cyclone – 2009-10-01T21:45:03.800

I'm afraid I've no idea what it does. Any files you have that aren't .exe should be entirely safe to back up without fear of possible reinfection, but any that are should be treated with suspicion until you can verify their integrity. Got an external HDD handy? :/ – Phoshi – 2009-10-01T21:48:40.580

I've got a backup from three days ago on my new MyBook 1 TB, but it was plugged in at the time of infection (McAfee scans reveal no malware on it though, so it's safe I think.....) – Cyclone – 2009-10-01T21:52:07.657

Answers

3

Can you locate the executable? If so, boot into a linux LiveCD and blast it off the face of your filesystem. It may well recreate itself, if it's got hidden agents hiding around, so grab a copy of Autoruns and check what's loading behind your back.

edit: And have you checked your Hosts file?
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
That's where Pre-DNS level filtering happens, worth a look.

Phoshi

Posted 2009-10-01T21:35:55.457

Reputation: 22 001

No, can't do it, don't have linux on a LiveCD – Cyclone – 2009-10-01T21:43:40.717

Everybody should have a linux liveCD! Can you boot into safe mode, then? – Phoshi – 2009-10-01T21:45:35.767

Idk lol, what's that? – Cyclone – 2009-10-01T21:51:20.170

I believe you tap F8 at some point during bootup. I tap it continually after POST, myself ;) Safe mode basically doesn't execute anything but what's necessary, so it's always worth a try. – Phoshi – 2009-10-01T21:59:20.513

AHA! My Hosts file has many things, all pointing to localhost – Cyclone – 2009-10-01T21:59:36.440

Look at my post edit, that's my Hosts file. – Cyclone – 2009-10-01T22:01:25.920

Ding Ding Ding! Make sure to set it to "Read Only" when you're done :) – Phoshi – 2009-10-01T22:01:28.683

Woah, that's quite... yeah. Probably best to remove those :) – Phoshi – 2009-10-01T22:02:26.933

How do I fix it? Also you are my new favorite person on the Internet. – Cyclone – 2009-10-01T22:02:33.563

Just empty the file entirely? – Cyclone – 2009-10-01T22:03:12.610

If that's all that's in there, then yeah, they're all very nasty things :( – Phoshi – 2009-10-01T22:08:24.863

:D Its all fixed!!!!!!! – Cyclone – 2009-10-01T22:46:47.077

2

Without deeply inspecting your computer with a wide range of tools I doubt you will be able to manually remove the malicious software entirely. If you miss even a piece of it, as @ChrisF mentioned, it will probably try and undo any of your attempts to remove it. And in the age where viruses will not only hide themselves in system files but will corrupt your machine with multiple instances of themselves and other viruses as well, it is almost impossible to manually clean a machine with any level of confidence that it is once again secure.

The only way to assure the virus is gone is to format the hard drive and do a clean reinstall of the OS. Now if you need to get your data off I would get a USB hard drive or some other external drive and an Ubuntu live CD (you can download an ISO and burn a copy to a CD).

  • Boot to the live CD and use Ubuntu to transfer your files to the external USB drive.
  • Once the files are backed up reformat the machine and reinstall the OS.
  • Once the computer is fully functional:
  • Plug in your backup drive and do a thorough virus scan of the drive to make sure none of your data is the source of the virus. It does no good to re-image when the source of the virus is a corrupted PDF, video, image, document, or other file.
  • Once the virus scan reports your backup as clean of infection move your files back over and reinstall your applications.

Good luck and good hunting.

tvanover

Posted 2009-10-01T21:35:55.457

Reputation: 1 133

1

The reason you can't get to Google and the other search sites is because the virus has added all those lines to your hosts file. The line:

127.0.0.1 google.com

will mean that all requests to google.com will be redirected back to your machine, which obviously can't serve them.

As Phoshi says you should remove these lines from the hosts file. However, I would guess that the virus will try to recreate them the next time you boot the PC. By making the file read only it won't be able to update it again and you'll be able to connect to the sites previously blocked.

ChrisF

Posted 2009-10-01T21:35:55.457

Reputation: 39 650

Done, read comments above. – Cyclone – 2009-10-01T22:47:36.950
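As an added illustration of the hosts-file redirection Phoshi and ChrisF describe (this is not code from the thread), a small Python audit that parses a hosts file the way the resolver does and flags non-local hostnames mapped to loopback or 0.0.0.0; the sample file, the LOCAL_NAMES set and the sinkhole heuristic are my own constructions.

```python
"""Audit a hosts file for hijacked entries of the kind shown in the question."""
import ipaddress
from typing import Dict, List, Tuple

# Hostnames that legitimately point at loopback (assumed list, extend as needed).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file mirroring the pattern in the question; it is
# not the asker's actual file.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1   google.com
127.0.0.1   www.google.com  # trailing comment
0.0.0.0     search.yahoo.com
127.0.0.1   bing.com www.bing.com
192.168.1.10 intranet.example.test
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, honouring '#' comments, blank lines
    and several hostnames on one line, as the hosts format allows."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.extend((addr, name.lower()) for name in names)
    return entries


def is_sinkhole(addr: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::)
    targets, the addresses a hosts-file hijack uses to black-hole a site."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_hijacked(text: str) -> Dict[str, List[str]]:
    """Map each sinkhole address to the non-local hostnames it captures."""
    hijacked: Dict[str, List[str]] = {}
    for addr, name in parse_hosts(text):
        if is_sinkhole(addr) and name not in LOCAL_NAMES:
            hijacked.setdefault(addr, []).append(name)
    return hijacked


if __name__ == "__main__":
    for addr, names in find_hijacked(SAMPLE_HOSTS).items():
        print(f"{addr}: {len(names)} hijacked name(s): {', '.join(names)}")
```

Run it against the real file (C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts on Windows, /etc/hosts elsewhere) to confirm the cleanup took; it reports the state of the file but does not replace making it read-only as the answers advise.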

0

Try Combofix. It works well with problems such as this; best run it in safe mode: http://www.combofix.org/download.php

user36381

Posted 2009-10-01T21:35:55.457

Reputation:

http://www.mywot.com/en/scorecard/combofix.org#comment The site you linked to has viruses – Cyclone – 2010-05-07T20:49:12.573