0

I need to remove some malware from my computer. It is a trojan, and very annoying. It blocks access to Google and search sites. The trojan, with its name spelled out on each line because it seems to block sites when I reference it in a URL, is

a r t (some text to mess it up) e m (more text i s

First off, what is it, what does it do? Second, why can't I access google or yahoo or any other search sites at all?

Third, can it be removed via McAfee? It says it quarantined it when I scanned.

I found a suspicious process "c"s"r"s"s".exe and it will not let me terminate it, and this is what McAfee says it is. Why on earth isn't McAfee getting rid of it? I even blocked internet access for this program.

Thanks so much, I get kinda freaked out with things like this...

Here is my entire Hosts file:

127.0.0.1   go.mail.ru
127.0.0.1   nova.rambler.ru
127.0.0.1   google.ad
127.0.0.1   www.google.ad
127.0.0.1   google.ae
127.0.0.1   www.google.ae
127.0.0.1   google.am
127.0.0.1   www.google.am
127.0.0.1   google.com.ar
127.0.0.1   www.google.com.ar
127.0.0.1   google.as
127.0.0.1   www.google.as
127.0.0.1   google.at
127.0.0.1   www.google.at
127.0.0.1   google.com.au
127.0.0.1   www.google.com.au
127.0.0.1   google.az
127.0.0.1   www.google.az
127.0.0.1   google.ba
127.0.0.1   www.google.ba
127.0.0.1   google.be
127.0.0.1   www.google.be
127.0.0.1   google.bg
127.0.0.1   www.google.bg
127.0.0.1   google.bs
127.0.0.1   www.google.bs
127.0.0.1   google.com.by
127.0.0.1   www.google.com.by
127.0.0.1   google.ca
127.0.0.1   www.google.ca
127.0.0.1   google.ch
127.0.0.1   www.google.ch
127.0.0.1   google.cn
127.0.0.1   www.google.cn
127.0.0.1   google.cz
127.0.0.1   www.google.cz
127.0.0.1   google.de
127.0.0.1   www.google.de
127.0.0.1   google.dk
127.0.0.1   www.google.dk
127.0.0.1   google.ee
127.0.0.1   www.google.ee
127.0.0.1   google.es
127.0.0.1   www.google.es
127.0.0.1   google.fi
127.0.0.1   www.google.fi
127.0.0.1   google.fr
127.0.0.1   www.google.fr
127.0.0.1   google.gr
127.0.0.1   www.google.gr
127.0.0.1   google.com.hk
127.0.0.1   www.google.com.hk
127.0.0.1   google.hr
127.0.0.1   www.google.hr
127.0.0.1   google.hu
127.0.0.1   www.google.hu
127.0.0.1   google.ie
127.0.0.1   www.google.ie
127.0.0.1   google.co.il
127.0.0.1   www.google.co.il
127.0.0.1   google.co.in
127.0.0.1   www.google.co.in
127.0.0.1   google.is
127.0.0.1   www.google.is
127.0.0.1   google.it
127.0.0.1   www.google.it
127.0.0.1   google.co.jp
127.0.0.1   www.google.co.jp
127.0.0.1   google.kg
127.0.0.1   www.google.kg
127.0.0.1   google.co.kr
127.0.0.1   www.google.co.kr
127.0.0.1   google.li
127.0.0.1   www.google.li
127.0.0.1   google.lt
127.0.0.1   www.google.lt
127.0.0.1   google.lu
127.0.0.1   www.google.lu
127.0.0.1   google.lv
127.0.0.1   www.google.lv
127.0.0.1   google.md
127.0.0.1   www.google.md
127.0.0.1   google.com.mx
127.0.0.1   www.google.com.mx
127.0.0.1   google.nl
127.0.0.1   www.google.nl
127.0.0.1   google.no
127.0.0.1   www.google.no
127.0.0.1   google.co.nz
127.0.0.1   www.google.co.nz
127.0.0.1   google.com.pe
127.0.0.1   www.google.com.pe
127.0.0.1   google.com.ph
127.0.0.1   www.google.com.ph
127.0.0.1   google.pl
127.0.0.1   www.google.pl
127.0.0.1   google.pt
127.0.0.1   www.google.pt
127.0.0.1   google.ro
127.0.0.1   www.google.ro
127.0.0.1   google.ru
127.0.0.1   www.google.ru
127.0.0.1   google.com.ru
127.0.0.1   www.google.com.ru
127.0.0.1   google.com.sa
127.0.0.1   www.google.com.sa
127.0.0.1   google.se
127.0.0.1   www.google.se
127.0.0.1   google.com.sg
127.0.0.1   www.google.com.sg
127.0.0.1   google.si
127.0.0.1   www.google.si
127.0.0.1   google.sk
127.0.0.1   www.google.sk
127.0.0.1   google.co.th
127.0.0.1   www.google.co.th
127.0.0.1   google.com.tj
127.0.0.1   www.google.com.tj
127.0.0.1   google.tm
127.0.0.1   www.google.tm
127.0.0.1   google.com.tr
127.0.0.1   www.google.com.tr
127.0.0.1   google.com.tw
127.0.0.1   www.google.com.tw
127.0.0.1   google.com.ua
127.0.0.1   www.google.com.ua
127.0.0.1   google.co.uk
127.0.0.1   www.google.co.uk
127.0.0.1   google.co.vi
127.0.0.1   www.google.co.vi
127.0.0.1   google.com
127.0.0.1   www.google.com
127.0.0.1   google.us
127.0.0.1   www.google.us
127.0.0.1   google.com.pl
127.0.0.1   www.google.com.pl
127.0.0.1   google.co.hu
127.0.0.1   www.google.co.hu
127.0.0.1   google.ge
127.0.0.1   www.google.ge
127.0.0.1   google.kz
127.0.0.1   www.google.kz
127.0.0.1   google.co.uz
127.0.0.1   www.google.co.uz
127.0.0.1   bing.com
127.0.0.1   www.bing.com
127.0.0.1   search.yahoo.com
127.0.0.1   ca.search.yahoo.com
127.0.0.1   ar.search.yahoo.com
127.0.0.1   cl.search.yahoo.com
127.0.0.1   co.search.yahoo.com
127.0.0.1   mx.search.yahoo.com
127.0.0.1   espanol.search.yahoo.com
127.0.0.1   qc.search.yahoo.com
127.0.0.1   ve.search.yahoo.com
127.0.0.1   pe.search.yahoo.com
127.0.0.1   at.search.yahoo.com
127.0.0.1   ct.search.yahoo.com
127.0.0.1   dk.search.yahoo.com
127.0.0.1   fi.search.yahoo.com
127.0.0.1   fr.search.yahoo.com
127.0.0.1   de.search.yahoo.com
127.0.0.1   it.search.yahoo.com
127.0.0.1   nl.search.yahoo.com
127.0.0.1   no.search.yahoo.com
127.0.0.1   ru.search.yahoo.com
127.0.0.1   es.search.yahoo.com
127.0.0.1   se.search.yahoo.com
127.0.0.1   ch.search.yahoo.com
127.0.0.1   uk.search.yahoo.com
127.0.0.1   asia.search.yahoo.com
127.0.0.1   au.search.yahoo.com
127.0.0.1   one.cn.yahoo.com
127.0.0.1   hk.search.yahoo.com
127.0.0.1   in.search.yahoo.com
127.0.0.1   id.search.yahoo.com
127.0.0.1   search.yahoo.co.jp
127.0.0.1   kr.search.yahoo.com
127.0.0.1   malaysia.search.yahoo.com
127.0.0.1   nz.search.yahoo.com
127.0.0.1   ph.search.yahoo.com
127.0.0.1   sg.search.yahoo.com
127.0.0.1   tw.search.yahoo.com
127.0.0.1   th.search.yahoo.com
127.0.0.1   vn.search.yahoo.com
127.0.0.1   images.google.com
127.0.0.1   images.google.ca
127.0.0.1   images.google.co.uk
127.0.0.1   news.google.com
127.0.0.1   news.google.ca
127.0.0.1   news.google.co.uk
127.0.0.1   video.google.com
127.0.0.1   video.google.ca
127.0.0.1   video.google.co.uk
127.0.0.1   blogsearch.google.com
127.0.0.1   blogsearch.google.ca
127.0.0.1   blogsearch.google.co.uk
127.0.0.1   searchservice.myspace.com
127.0.0.1   ask.com
127.0.0.1   www.ask.com
127.0.0.1   search.aol.com
127.0.0.1   search.netscape.com
127.0.0.1   yandex.ru
127.0.0.1   www.yandex.ru
127.0.0.1   yandex.ua
127.0.0.1   www.yandex.ua
127.0.0.1   search.about.com
127.0.0.1   www.verizon.net
127.0.0.1   verizon.net
Cyclone
  • 564

4 Answers

3

Can you locate the executable? If so, boot into a linux LiveCD and blast it off the face of your filesystem. It may well recreate itself, if it's got hidden agents hiding around, so grab a copy of Autoruns and check what's loading behind your back.

edit: And have you checked your Hosts file?
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
That's where pre-DNS-level filtering happens, worth a look.

Phoshi
  • 23,383
2

Without deeply inspecting your computer with a wide range of tools I doubt you will be able to manually remove the malicious software entirely. If you miss even a piece of it, as @ChrisF mentioned, it will probably try to undo any of your attempts to remove it. And in the age where viruses will not only hide themselves in system files but will corrupt your machine with multiple instances of themselves and other viruses as well, it is almost impossible to manually clean a machine with any level of confidence that it is once again secure.

The only way to assure the virus is gone is to format the hard drive and do a clean reinstall of the OS. Now if you need to get your data off I would get a USB hard drive or some other external drive and an Ubuntu live CD (you can download an ISO and burn a copy to a CD).

  • Boot to the live CD and use Ubuntu to transfer your files to the external USB drive.
  • Once the files are backed up reformat the machine and reinstall the OS.
  • Once the computer is fully functional:
  • Plug in your backup drive and do a thorough virus scan of the drive to make sure none of your data is the source of the virus. It does no good to re-image when the source of the virus is a corrupted PDF, video, image, document, or other file.
  • Once the virus scan reports your backup as clean of infection move your files back over and reinstall your applications.

Good luck and good hunting.

tvanover
  • 1,201
1

The reason you can't get to Google and the other search sites is because the virus has added all those lines to your hosts file. The line:

127.0.0.1 google.com

will mean that all requests to google.com will be redirected back to your machine, which obviously can't serve them.

As Phoshi says you should remove these lines from the hosts file. However, I would guess that the virus will try to recreate them the next time you boot the PC. By making the file read only it won't be able to update it again and you'll be able to connect to the sites previously blocked.

ChrisF
  • 41,262
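The two answers above (Phoshi's pointer to the hosts file and ChrisF's explanation of the 127.0.0.1 redirect plus the read-only fix) can be turned into a small audit script. The following is an added example, not code from the question or from any answer: it parses hosts text in the format shown in the question, flags every name that is mapped to a loopback or unspecified address but is not a legitimate loopback name, rewrites the file with those names removed, and sets the read-only attribute. The sample hosts text is constructed; the Windows path is the standard `%SystemRoot%\System32\drivers\etc\hosts` location; the function names are this example's own.

```python
"""Audit and clean a hosts file hijacked to point search engines at loopback.

Added example, not code from the question or any answer. SAMPLE_HOSTS is
constructed; DEFAULT_HOSTS is the standard Windows location, taken from
%SystemRoot% when that variable is set.
"""
import ipaddress
import os
import stat
from typing import List, Tuple

# Names that legitimately resolve to loopback. Any other name mapped to
# 127.0.0.1 / ::1 (or 0.0.0.0) is treated as a hijack.
LEGIT_LOOPBACK = {"localhost", "localhost.localdomain", "broadcasthost"}

DEFAULT_HOSTS = os.path.join(
    os.environ.get("SystemRoot", r"C:\Windows"), "System32", "drivers", "etc", "hosts"
)

Entry = Tuple[str, str, int]  # (address, hostname, 1-based line number)


def parse_hosts(text: str) -> List[Entry]:
    """One (address, name, line) triple per hostname; comments and junk are skipped."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comment, tokenize
        if not fields:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first token is not an address: malformed line, ignore
        for name in fields[1:]:
            entries.append((fields[0], name.lower(), lineno))
    return entries


def is_hijack(address: str, name: str) -> bool:
    """True when a non-loopback name is pinned to loopback/unspecified."""
    addr = ipaddress.ip_address(address)
    return (addr.is_loopback or addr.is_unspecified) and name not in LEGIT_LOOPBACK


def suspicious_entries(text: str) -> List[Entry]:
    return [e for e in parse_hosts(text) if is_hijack(e[0], e[1])]


def clean_hosts(text: str) -> str:
    """Return hosts text with hijacked names removed.

    A line mixing legitimate and hijacked names ('127.0.0.1 localhost google.com')
    keeps the legitimate names; a line with nothing left is dropped. Comments and
    unparseable lines pass through untouched, as does any line that loses nothing.
    """
    out: List[str] = []
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            out.append(raw)
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            out.append(raw)
            continue
        keep = [n for n in fields[1:] if not is_hijack(fields[0], n.lower())]
        if len(keep) == len(fields) - 1:
            out.append(raw)  # nothing removed: preserve the original line
        elif keep:
            rebuilt = fields[0] + "\t" + " ".join(keep)
            out.append(rebuilt + ("  #" + comment if comment else ""))
    return "\n".join(out) + "\n"


def write_hosts(text: str, path: str = DEFAULT_HOSTS) -> None:
    """Overwrite the hosts file and set it read-only (needs an elevated prompt on Windows)."""
    if os.path.exists(path):
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # clear an existing read-only flag
    with open(path, "w") as fh:  # default newline handling gives CRLF on Windows
        fh.write(text)
    os.chmod(path, stat.S_IREAD)  # on Windows this sets the read-only attribute


# Constructed sample in the shape of the listing in the question.
SAMPLE_HOSTS = """\
# constructed sample, not a real machine's file
127.0.0.1       localhost
::1             localhost
127.0.0.1   go.mail.ru
127.0.0.1   google.com   www.google.com
127.0.0.1   search.yahoo.com   # hijack
192.168.1.10    intranet.example
"""

if __name__ == "__main__":
    import sys

    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for address, name, lineno in suspicious_entries(text):
        print(f"line {lineno}: {name} -> {address}")
    # To apply the fix: write_hosts(clean_hosts(text))
```

Two caveats before applying this on a real machine. The heuristic cannot tell a malware hijack from a deliberately installed ad-blocking list that also maps names to 0.0.0.0 or 127.0.0.1, so review the flagged names first. And the read-only attribute is only a speed bump: any process running with administrator rights can clear it and rewrite the file, which is why the answers above also say to find and remove whatever is re-creating the entries.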
0

Try ComboFix. It works well with problems such as this; best run it in safe mode. http://www.combofix.org/download.php