Monday, August 02, 2010

I Killed the Alureon.H Virus in Windows XP!

I wanted to post this on several Tech sites that have entries in their forums on killing the Alureon.H virus (and other rootkit viruses), but if you haven't been registered for several days, or you're not an expert user, they don't want to hear from you. So I thought I'd post it here, where at least I can come back if I ever need to know how to do this again.


I got this nasty bug on my computer that hijacked my browser, prevented me from running Windows Update, and slowed down the processes on my computer to where I was pulling out my hair. When the computer booted, Windows Update would try and run, only to give me the standard "Windows Update was not able to finish" or something like that. Every time I followed a link - search result or otherwise - I was redirected to an advertising or marketing site. A couple of porn search terms were automatically inserted into a marketing search engine and I knew I had to do something.

I couldn't do a Google search - I would browse to Google only to have IE say Cannot Display the Page, with the Check your Connection button. Firefox and Opera wouldn't work either. I found that I could somewhat bypass browser redirects by pasting the shortcut of search results into the Address bar - instead of clicking on a link.

So I had a very difficult time. I would watch a svchost process eat up CPU cycles and consume memory while monitoring the Task Manager. I would kill the process and things would speed up again, but it did play havoc with my internet connection.

I knew I had a virus, trojan, or some other hijacker so I immediately enlisted the help of my virus and nastyware tools:


I ran Spybot S & D, Panda AntiVirus, MalwareBytes Anti Malware...

I downloaded and installed Ad-Aware, SpywareBlaster...

I ran Trend Micro's House Call Scanner... ATF Cleaner...

AND NOTHING WORKED!

None of these tools worked 100%. Ad-Aware did stop the annoying browser redirects, which was a bit more satisfying than Spybot. I still like Spybot, but the Tea Timer didn't do anything for redirects which were constant. BUT THEY DETECTED NOTHING!

Somehow, I was enticed to try the Windows Live OneCare Safety Scanner. Normally, I give low credence to the standard out-of-the-box Microsoft tools, but having no other immediate options, I went for it.

It took a long time, but the Windows Live OneCare Safety Scanner didn't miss a thing. There they were - several items:

two virus-infected exe files (which I was able to quarantine)
a java class infected with the TrojanClicker Win32/Yabector.B
another class infected with an exploit: Java/CVE-200805353.JJ

and right at the bottom of the list, an entry that said Win32/Alureon.H - alureon intelide

a very, very nasty rootkit virus. It's no wonder it wasn't detected. Windows Live OneCare Scanner - Hooray for you!

Well, that at least gave me something to go on. Finally. Doing a search on Alureon.H brought me to the solution buried down in the bottom of this forum,

http://social.answers.microsoft.com/Forums/en-US/msescan/thread/f33efa3a-ac7d-429d-ae91-b2fcde1d0578

with the majority of "experts" saying to bite the bullet, save data and do a clean install of Windows. Been there, done that. I didn't want to do it again. Sigh. I NEVER want to do that again (if I can help it; what a pain!). At the bottom of the forum, a Dr. Trissell has the following procedure:

SOLUTION: For XP users who have the virus WIN32/Alureon.H and who have unwanted Google search redirects and who can't manually access the Microsoft Update page, you have an infected RAS Automatic Connection Driver (rasacd.sys) and there are no antivirus programs which can fix it.  Period.  All they can do is detect it.

PRINT OUT THESE INSTRUCTIONS FOR USE IN THIS CURE.

(1) Go to your system drive, get into the i386 directory (e.g. C:\i386), and locate the rasacd.sys file (compressed and clean).  Highlight it, right click and select Copy.

(2) Go back to your main system directory (e.g. C:). Right click anywhere in the white space on the page (but not in a folder) and select Paste.  The Copy function automatically uncompresses the file.  Check the directory to make sure it contains rasacd.sys.

(3) Click Start and Shutdown and when the menu appears, select Restart.

(4) Watch the reboot carefully and when you get the black screen, look for the white letters (usually in the upper right corner) which say F2 to enter Setup and F12 to enter boot menu - Quickly press the F12 key.

(5) Load your Windows Setup CD into the CD drive. (Hopefully you didn't put the CD into the drive before I told you to.  If you did, then stop the Windows installation and go back to step (3) above and start over.)

(6) Using the up/down arrows, select the menu item that boots to a CD drive and press ENTER. Somewhere between this step and the next 2, you will be asked to log in as Administrator and key in the password (if there is none, just press ENTER).

(7) When prompted for "which system do you want to start," pick the option number which has the drive letter where your Windows system is installed followed by the word WINDOWS (e.g. 1 C:\WINDOWS), key the number for that option, and press ENTER.

(8) The CD will transfer some files (watch the bottom of the screen).  When it finishes, you get a menu.  You want the option which repairs your system, so PRESS THE "R" KEY NOW.

(9) You will find yourself at a classic MS-DOS black screen in your Windows directory (e.g. C:\WINDOWS>).  Now follow these instructions exactly in my order.

 (a) At the blinking cursor, type CD .. and press ENTER (you will now see C:\>)

 (b) After C:\> type CD C:\WINDOWS\SYSTEM32\DRIVERS and press ENTER

 (c) After C:\WINDOWS\SYSTEM32\DRIVERS> type RENAME rasacd.sys rasacd.old and press ENTER (don't forget the spaces between the three "words")

 (d) Now after C:\WINDOWS\SYSTEM32\DRIVERS> type COPY C:\RASACD.SYS (followed by a space) and press ENTER

 (e) Now type CD .. and press ENTER (you will see C:\WINDOWS\SYSTEM32>)

 (f) Now type CD DLLCACHE and press ENTER (you will see C:\WINDOWS\SYSTEM32\DLLCACHE>)

 (g) After C:\WINDOWS\SYSTEM32\DLLCACHE> type RENAME rasacd.sys rasacd.old and press ENTER

 (h) Now after C:\WINDOWS\SYSTEM32\DLLCACHE> type COPY C:\RASACD.SYS (followed by a space) and press ENTER

 (i) YOU ARE ALMOST DONE.  THE PROBLEM IS NOW CURED. After C:\WINDOWS\SYSTEM32\DLLCACHE> type EXIT and press ENTER

(10) Now you can remove the Setup CD from the drive and let the system reboot normally.  When it is up and running, try a Google search and see that the problem is gone.  Also go to http://update.microsoft.com and see that you now have no problems doing a manual Windows Update.

CONGRATULATIONS - YOU ARE NOW A CERTIFIED WIN32/Alureon.H removal technician.



I followed the procedure exactly as listed above (though to be honest, inserting the Windows XP CD at bootup produced the same screens as pressing F12, without having to wait to insert it into the CD tray). I rebooted my machine and thought it was done. It began installing Windows Updates and everything looked good. In fact it completed them. I tried a search in IE and actually got results without being redirected to some advertising or marketing site. I was excited and relieved. Until I tried browsing to Windows Update or Google. Neither page would display. Sigh. I wasn't done, it appeared.

Well, Dr. Trissell got it mostly correct. The Live OneCare Scanner mentioned intelide (which at first glance, I thought might have been a variant name of the virus) which I searched for on a different computer. I found out that it isn't a virus variant name, but a system32 driver as well. I followed Dr. Trissell's procedure again, substituting INTELIDE.SYS for RASACD.SYS.
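The procedure above boils down to "the installed copy of a driver no longer matches the clean one in i386, so put the clean one back in both system32\drivers and dllcache". A small integrity check makes that comparison explicit for both drivers named in this post, rasacd.sys and intelide.sys. This is an added example, not code from the post or the forum thread it quotes; it assumes you already have an uncompressed clean copy of each driver to compare against (the post's C:\i386 copy), and it builds a constructed directory layout so it runs stand-alone. Because a kernel rootkit can hide patched bytes from the running system, run a check like this from an offline boot (Recovery Console or a rescue CD), not from inside the infected Windows.

```python
"""Compare installed driver copies against a clean baseline by size and SHA-256."""
import hashlib
import os
import tempfile

# Drivers named in the post: rasacd.sys (Dr. Trissell's fix) and intelide.sys
# (the second driver the author had to replace the same way).
DRIVERS = ["rasacd.sys", "intelide.sys"]


def sha256_of(path):
    """Hash a file in chunks so large drivers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_driver(name, baseline_dir, drivers_dir, dllcache_dir):
    """Return {'drivers': status, 'dllcache': status} for one driver.

    The baseline (install source) copy is trusted. A size or hash mismatch in
    system32\\drivers or dllcache is what an in-place patch of the driver looks
    like, and 'missing' in dllcache means Windows File Protection has nothing
    clean to restore from, so both copies must be replaced as the post does."""
    baseline = os.path.join(baseline_dir, name)
    ref_hash, ref_size = sha256_of(baseline), os.path.getsize(baseline)
    result = {}
    for label, folder in (("drivers", drivers_dir), ("dllcache", dllcache_dir)):
        path = os.path.join(folder, name)
        if not os.path.exists(path):
            result[label] = "missing"
        elif os.path.getsize(path) != ref_size or sha256_of(path) != ref_hash:
            result[label] = "MODIFIED"  # same size is not enough; the bytes differ
        else:
            result[label] = "ok"
    return result


def demo():
    """Constructed layout: clean i386, patched rasacd in drivers, no intelide in dllcache."""
    root = tempfile.mkdtemp()
    dirs = {d: os.path.join(root, d) for d in ("i386", "drivers", "dllcache")}
    for folder in dirs.values():
        os.mkdir(folder)
    clean = b"MZ" + b"\x00" * 62 + b"constructed clean driver body"
    patched = clean[:-4] + b"XXXX"  # constructed: same length, altered tail
    targets = {("i386", n): clean for n in DRIVERS}
    targets.update({("drivers", "rasacd.sys"): patched, ("dllcache", "rasacd.sys"): clean,
                    ("drivers", "intelide.sys"): clean})
    for (folder, name), data in targets.items():
        with open(os.path.join(dirs[folder], name), "wb") as handle:
            handle.write(data)
    return {n: check_driver(n, dirs["i386"], dirs["drivers"], dirs["dllcache"]) for n in DRIVERS}
```

On a real XP system the three directories are C:\i386, C:\WINDOWS\system32\drivers and C:\WINDOWS\system32\dllcache; any driver reported MODIFIED in either location is a candidate for the rename-and-copy steps above.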

That was the ticket. I have been virus-free for several reboots, several hours and I have successfully updated Windows - twice! I am so relieved that I don't have to do the Save Data, Reinstall clean Windows exercise. Dr. Trissell - whoever you are, THANK YOU!