Monday, November 17, 2008

How to remove zlob.dnschanger.rtk and recycled boot.com

It is said that a computer with no firewall and antivirus software is 99.99 percent vulnerable to online threats and attacks as soon as it's connected to the Internet. Once it's connected to the Internet, it takes less than 20 minutes for that computer to be victimized. This is what I read on one of the pages of a very thick book on computer security and hacking.

Yesterday, I was working on a client's computer. It was a new machine with no operating system. He had his legit copy of Microsoft Windows, and I had to make more things work than just installing Windows: the search for drivers and stuff like that, plus a couple of things to be tweaked according to his wishes. I got the box and started working on it. Installation finished, all drivers loaded from various sources online, and I was about to check some things on Google. But as soon as I clicked some search links, they took me to some strange websites, most of which looked fake and seemed to be advertisements. Within that period of less than 15 minutes online, the operating system was compromised. It was infected. It was my bad that I forgot to load the security software first.

Now it was pretty hard for me to bust that virus. I checked hidden startups in 'msconfig' and checked running processes in Task Manager, but couldn't get any clue. I tried installing the free AVG antivirus from grisoft.com, but at the last moment of installation, AVG simply refused to be installed. I quickly installed Spybot Search and Destroy and ran it to check for problems. Meanwhile, I downloaded Ad-Aware, installed it and ran that too. Both of them detected the problem and tried fixing it. It looked like they fixed it. But the very next moment, the virus got activated again.

The computer I worked on was infected with some "zlob.dnschanger.rtk" and "resycled boot.com". That's what I saw in Spybot's results. I saw Zlob.dnschanger.rtk first, and later I found a misspelled "resycled" folder on every drive's root, together with an Autorun.inf linked to it and the program associated with it, called boot.com.

Believe me, this was the hardest malware that I've found to this date. I ran HijackThis, checked the processes and actually found the suspicious one, but it wouldn't delete that either. It looked like it was deleted, but the very next moment, running 'scan and save log', I could see the same thing popping up. Actually, HijackThis is considered a last resort for killing malware. In my case, it failed too. I dived into the registry and manually tried to remove the entries. It pretended it deleted them, but the very next moment, they came back again. So I compared the situation with Hindu mythology, where Rawana's head kept popping up every time Lord Rama's arrow beheaded it. Ummmm... All these things took more than an hour, and I thought it's not wise to spend this much time on a freshly installed system. My second thought was to nuke the operating system and re-install Windows again.

I've a strange itch to play with malware; actually, I've a separate pen drive for that same purpose. I inserted my pen drive, loaded a couple of things, and the next moment I could see the 'resycled' folder on my pen drive. I had successfully transferred the culprit to my pen drive. I formatted the computer and re-installed everything once again. This time, I loaded all the needed security software like antivirus, firewall, anti-spyware, etc. I loaded the drivers and finished the system quickly.

This morning, I turned on my computer, where I have a sandbox system set up, which is actually an operating system inside an operating system. If you know anything about VMware virtualisation, then you know what I'm talking about. We call it a sandbox. Anything you do inside that virtualized operating system is not going to hamper the real operating system outside. The sandbox system inside was Windows XP too. To be honest, it was unprotected. I quickly inserted my pen drive and ran something off it. After a few seconds, I could see the 'resycled' folder on my virtualized operating system. It was time for me to see how it works. This is one helluva crazy virus which is doing more than one thing.

Some of the properties of this virus, zlob.dnschanger.rtk (there are many, many variants of this culprit), on my system:
- It changed my secondary DNS. That means every time a dead link was found, it took me somewhere else (some strange website with a 'no page found' message) instead of the same old regular 'Address not found' page. That means every time we send a request for a page, it'll be resolved by that odd DNS server. In other words, they can read whatever information we send out from our computer.

- All the Google search result links, when clicked, were redirected somewhere other than the intended links. Most of those links looked purely like advertisements and malicious sites. You'll go mad in a situation like that. It looks like they want to make some money off us. The only solution I found for the time being was to copy the link, paste it manually into the address bar and hit the Go button or Enter key, to keep oneself from going to malicious sites.

- It's deeply rooted in the system, and the process that it runs is also hidden. I tried to find the suspicious process using Microsoft's Process Monitor, but I gave up when I saw more than 64,000 processes running. Windows' default Task Manager is defunct in this case.

- It uses the CPU's resources massively. As you go on surfing the net, your computer slowly gives up until it becomes unresponsive, meaning it hangs.

There might be some other properties of this virus, but these are what I experienced. Other than that, while eradicating this thing, I found it's leaving its traces on every drive's root. Double-clicking any of your drives would effectively hang your system. I had to right-click and select Explore to see the contents of my drive's root. That's how I saw the strange folder 'resycled' and figured that it's actually the remnants of this zlob virus.

There is an effective way of removing zlob.dnschanger.rtk, the resycled folder and boot.com.
This virus deleted Spybot Search and Destroy on the next restart. It didn't let AVG antivirus be installed. Upon researching from my other computer, I found some tools to deal with this virus, namely ComboFix and Malwarebytes' Anti-Malware.
I first tried ComboFix. ComboFix didn't solve the problem. Malwarebytes' Anti-Malware was the only hope; I ran it and, to my wonder, it solved the problem.

Here are the step-by-step instructions for removing this particular virus.

1. Since this virus generates an Autorun.inf on every drive's root, first disable the autorun feature of your operating system.
a. Click Start-->Run
b. Type 'gpedit.msc' for the Group Policy Editor (it's only in Windows XP Pro)
c. Under both Computer Configuration and User Configuration, click Administrative Templates->System
d. Enable 'Turn off Autoplay' and select all drives. (You'll know when you reach that screen; for now don't worry.)
This will help prevent the virus from triggering itself every time we click the root of a drive. I want you to set this option on all your computers, as most of the viruses these days are triggered by the AUTORUN feature of Windows.

2. Turn off System Restore for now. Right-click 'My Computer' -> select Properties -> 'System Restore' -> select the option 'Turn off System Restore'. Click OK when needed.

3. Click Start->Run, type 'msconfig' and hit the Enter key. Click the 'Startup' tab. Uncheck all suspicious startup items in the list.

4. Download Malwarebytes' Anti-Malware. Install it and run it.

5. Malwarebytes' Anti-Malware detected the virus, and I saw something like this below in my case:
This clever virus is unusual and hard to kill manually. Looking at this, it was very hard to bust it the traditional way. Look where it has been keeping itself and under what names. It has used file names and locations that I thought were legitimate and harmless. All these remnants were responsible for the DNS hijacking and frequent popups.

6. As soon as you see this screen above, select all the check boxes next to the red lines and click 'Remove Selected'.

7. During the removal process, you might see a screen like this below:

It asks you to restart. Restart the system, as it needs to update the DNS settings and refresh the memory. That's it.
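As an added example (not from the original post, and not part of any of the tools named in it), here is a read-only PowerShell check for what steps 1 through 7 and the property list above describe: whether the 'Turn off Autoplay' policy from step 1 actually took effect (the policy writes the NoDriveTypeAutoRun registry value; 0xFF means all drive types), whether any drive root still carries the 'resycled' folder or an Autorun.inf, and which DNS servers each adapter is using, since a changed secondary DNS is the first symptom listed. It reports and deletes nothing.

```powershell
# Added example, not from the original post. Read-only: it only reports.

# 'Turn off Autoplay' for all drives is stored as NoDriveTypeAutoRun = 0xFF
# under the Explorer policy key, once for the machine and once for the user.
$policyKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($value -eq 0xFF) {
        Write-Host "[ok]   $key : autorun disabled for all drive types"
    } else {
        Write-Host "[warn] $key : NoDriveTypeAutoRun is '$value' (expected 0xFF = 255)"
    }
}

# Look at every drive root for the two artefacts the post names:
# the misspelled 'resycled' folder and an Autorun.inf next to it.
foreach ($drive in Get-WmiObject Win32_LogicalDisk) {
    $root = $drive.DeviceID + '\'
    $inf  = Join-Path $root 'Autorun.inf'
    if (Test-Path (Join-Path $root 'resycled')) {
        Write-Host "[hit]  $root : 'resycled' folder present"
    }
    if (Test-Path $inf) {
        # Show what the Autorun.inf would launch on double-click, without running it.
        Get-Content -Path $inf |
            Where-Object { $_ -match '^\s*(open|shellexecute|shell\\.*\\command)\s*=' } |
            ForEach-Object { Write-Host "[hit]  $inf : $($_.Trim())" }
    }
}

# The DNS-changer side: list the resolvers on every IP-enabled adapter so an
# unfamiliar secondary DNS server stands out against the ones your ISP gave you.
Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled } | ForEach-Object {
    $dns = if ($_.DNSServerSearchOrder) { $_.DNSServerSearchOrder -join ', ' } else { '(none)' }
    Write-Host "[dns]  $($_.Description) : $dns"
}
```

Run it once after step 1 (expect two '[ok]' lines) and again after the final restart; any remaining '[hit]' line or an unknown address in a '[dns]' line means the cleanup is not finished.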

After the next restart, you'll have a virus-free computer. Now, install all that security software on your safe box. Happy virus-free computing.

Thank you for reading my post.

6 comments:

Nurse Jen Doll said...

You should do a post on that virus named 'Antivirus 2009'. It's quite annoying. My friend's laptop got infected with it and mine almost did, except Norton actually caught it before it hit me (I still did a full system scan, though).

-Nurse Jen Doll
www.nursejendoll.com
Your Daily Reality Nursing

Navin said...

You know, Jen Doll,
actually, if one follows this article, it'll remove not only the malware that I've written about in here but also many other viruses and malware, including "Antivirus 2009".
I think it's "Ultimate Antivirus 2009" - the devil in disguise.

Recently, my friend successfully removed 'Ultimate Antivirus' virus from his computer after he went through this same article and I'm very glad to read his success story.

slee0904 said...

Thanks for this post, quite a review of this virus. I also used Malwarebytes. TC

Navin said...

slee0904, thanks

W01fman said...

Wow, great article. Saved my system. What a nasty virus. I give them props for the autorun on every drive!!

tips29 said...

How to remove resycled/boot.com

http://www.tips29.com/2009/01/how-to-remove-resycledbootcom.html
