Fucking viruses


Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Fucking viruses

Post by Rogue 9 »

My computer has a virus of some sort that is hijacking Google searches and redirecting the links to the results to ad pages instead of the intended destinations. It is also blocking access to the sites of legitimate antivirus and anti-spyware providers and preventing my antivirus programs from updating. It appears to have also brutally murdered Spybot, which will not open at all. Repeated scans have found and eliminated some elements of the infection (AVG made reference to and eliminated Win32/Heur the first couple of times and a virus called FakeAlert once, but they haven't reappeared in subsequent scans from safe mode), eliminating some serious Internet connection lag and lockup problems as well as a phony antivirus that installed itself called Antivirus Pro 2009, but the Google problem and antivirus suppression remain. This has been going on since shortly before I posted the latest HijackThis log in the appropriate sticky thread.

I do not know where this came from. I wasn't doing anything I don't normally do, and this computer has gone nearly two years without a major virus problem until now. A friend of mine thought it might be Vundo, but I got a removal tool for it, and the tool claims that it isn't present. Does anyone know what might be the problem and how to fix it?
It's Rogue, not Rouge!

HAB | KotL | VRWC/ELC/CDA | TRotR | The Anti-Confederate | Sluggite | Gamer | Blogger | Staff Reporter | Student | Musician
NecronLord
Harbinger of Doom
Posts: 27382
Joined: 2002-07-07 06:30am
Location: The Lost City

Re: Fucking viruses

Post by NecronLord »

I had something similar earlier this year. I shifted some of them - eventually - by manually deleting them from the drive and registry. But I'd recommend trying to get the best, most recent anti-virus software you can find, if it won't run. Also, consider professional maintenance; mine eventually packed in to a degree that I backed up most of my files and said "sod it, I need a new PC anyway."
Superior Moderator - BotB - HAB [Drill Instructor]-Writer- Stardestroyer.net's resident Star-God.
"We believe in the systematic understanding of the physical world through observation and experimentation, argument and debate and most of all freedom of will." ~ Stargate: The Ark of Truth
Braedley
Jedi Council Member
Posts: 1716
Joined: 2005-03-22 03:28pm
Location: Ida Galaxy

Re: Fucking viruses

Post by Braedley »

http://www.malwarebytes.org/
I was introduced to this a few weeks ago when I started working at a computer store. It is teh awesome!!one!
My brother and sister-in-law: "Do you know where milk comes from?"
My niece: "Yeah, from the fridge!"
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Yeah, the virus has decided that it doesn't want me to go to that page, so it won't load.
I wrote: It is also blocking access to the sites of legitimate antivirus and anti-spyware providers and preventing my antivirus programs from updating.
Solauren
Emperor's Hand
Posts: 10235
Joined: 2003-05-11 09:41pm

Re: Fucking viruses

Post by Solauren »

Can you start in Safemode?
I've been asked why I still follow a few of the people I know on Facebook with 'interesting political habits and view points'.

It's so when they comment on or approve of something, I know what pages to block/what not to vote for.
MoralCompass
Redshirt
Posts: 16
Joined: 2008-11-09 02:55am

Re: Fucking viruses

Post by MoralCompass »

Rogue 9 wrote: Yeah, the virus has decided that it doesn't want me to go to that page, so it won't load.
I wrote: It is also blocking access to the sites of legitimate antivirus and anti-spyware providers and preventing my antivirus programs from updating.
Can you access rapidshare or another downloading site? If so, a board member that you trust could upload the installer files of some AV programs for you to download.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Solauren wrote: Can you start in Safemode?
Yes, and I did what I thought was a thorough cleaning from it, but I apparently missed some.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Okay, I've downloaded the Malware Bytes thing on another computer, and am transferring it via a thumb drive. Here's hoping the install routine works; I managed to download the latest version of Hijack This, but its install routine won't run.
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Re: Fucking viruses

Post by Bounty »

If you have backups of your personal files, it might be quicker and easier to just reformat and reinstall rather than hunt down an infection you might not be able to fix.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Yeah, I'm thinking of doing that. I have a secondary hard drive that's data only, and I know it isn't infected; if this last round of scans doesn't work, I'm going to pull all the stuff I can't replace to that and format the primary.

The only reason I haven't done that already is because of HP's fucktarded scheme of putting system backups on a drive partition rather than giving you an OS disk, so it's kind of hard to boot from CD. I hope I can figure out how to get the operating system back on once I get it off, and in any case I'm never buying from them again.
Bounty
Emperor's Hand
Posts: 10767
Joined: 2005-01-20 08:33am
Location: Belgium

Re: Fucking viruses

Post by Bounty »

As long as you have your key, you can just pull the install CD off the net.
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Fucking viruses

Post by Ariphaos »

Braedley wrote: http://www.malwarebytes.org/
I was introduced to this a few weeks ago when I started working at a computer store. It is teh awesome!!one!
Download this, install but don't run yet.

http://www.internetinspiration.co.uk/roguefix.htm

Get roguefix. Don't run yet.

Reboot. Select 'safe mode with command prompt'

Run Malwarebytes from wherever you installed it from the command line. Don't reboot.

Do the same for roguefix.

That combo will usually take care of nearly anything, but do not let explorer.exe run before you apply these fixes at least once.
Give fire to a man, and he will be warm for a day.
Set him on fire, and he will be warm for life.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Okay, giving it a shot. The scans are running now. (I'm on a different machine for the moment.) Thanks; here's hoping this works.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Malwarebytes identified and killed a rootkit. By all indications, it's cleaned the machine; the symptoms of the virus are gone. I'm naming my firstborn after Anti-Malware's designer. :D
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Fucking viruses

Post by Dominus Atheos »

Rogue 9 wrote: The only reason I haven't done that already is because of HP's fucktarded scheme of putting system backups on a drive partition rather than giving you an OS disk, so it's kind of hard to boot from CD.
Are you crazy? I love that feature. You just hit F10 or F11 when the computer starts up and the re-imaging starts. Then since it's from the hard drive, it only takes 15 minutes until the computer is back to its factory configuration. When I have to use disks on someone's computer, it takes 2 hours or more. Apparently I'm not the only one who likes it since HP, Dell, Lenovo, Gateway and Acer all have the same setup. Most of them even have backup utilities built into them. It makes fixing other people's computers a lot quicker.
Rogue 9
Scrapping TIEs since 1997
Posts: 18649
Joined: 2003-11-12 01:10pm
Location: Classified

Re: Fucking viruses

Post by Rogue 9 »

Until the hard drive gets corrupted.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Fucking viruses

Post by Dominus Atheos »

Rogue 9 wrote: Until the hard drive gets corrupted.
There's very little that's going to corrupt a hard drive bad enough to irrecoverably wipe out all the partitions that doesn't either mean you need to replace the entire thing, or will jump across hard drives. Anyway, all of those vendors provide a way to make your own recovery disks from that partition.
Battlehymn Republic
Jedi Council Member
Posts: 1824
Joined: 2004-10-27 01:34pm

Re: Fucking viruses

Post by Battlehymn Republic »

Whoa. I've never heard about a virus that's so canny about blocking attempts to kill it. I've always been paranoid that some day someone will write a malicious program to screw Spybot or Ad-Aware... what is this thing?
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Fucking viruses

Post by Ariphaos »

The main installation vector is called virtumundo.
Braedley
Jedi Council Member
Posts: 1716
Joined: 2005-03-22 03:28pm
Location: Ida Galaxy

Re: Fucking viruses

Post by Braedley »

Battlehymn Republic wrote: Whoa. I've never heard about a virus that's so canny about blocking attempts to kill it. I've always been paranoid that some day someone will write a malicious program to screw Spybot or Ad-Aware... what is this thing?
Actually, one of the other techs had one of those to deal with today. Still not as bad as a laptop I have to deal with tomorrow. The owner won't be liking that phone call tomorrow.
Braedley
Jedi Council Member
Posts: 1716
Joined: 2005-03-22 03:28pm
Location: Ida Galaxy

Re: Fucking viruses

Post by Braedley »

Just to let everyone know, we had 4 more cases of this smitfraud variant. In each case, the infection wasn't caught early enough, and it looks like the machines will need to be nuked. So if you do get infected with this variant, act fast and hope for the best.

Also, that laptop I referred to (totally unrelated): the hard drive took a slow but massive crap throughout the day. At the beginning of the day, I could see every file on it, but an hour before quitting time, I couldn't see a thing. Eventually, Windows wouldn't even recognize the drive.
Ariphaos
Jedi Council Member
Posts: 1739
Joined: 2005-10-21 02:48am
Location: Twin Cities, MN, USA

Re: Fucking viruses

Post by Ariphaos »

Braedley wrote: Just to let everyone know, we had 4 more cases of this smitfraud variant. In each case, the infection wasn't caught early enough, and it looks like the machines will need to be nuked. So if you do get infected with this variant, act fast and hope for the best.
...I just got rid of three of these without nuking and helped a friend with her own machine.

I think I'm going to put up detailed instructions on my website; this sort of attitude is rarely needed, except as an advisement option.
Vehrec
Jedi Council Member
Posts: 2204
Joined: 2006-04-22 12:29pm
Location: The Ohio State University

Re: Fucking viruses

Post by Vehrec »

What I want to know is how does this sucker spread, and how can I prevent it from getting to me?
Commander of the MFS Darwinian Selection Method (sexual)
Braedley
Jedi Council Member
Posts: 1716
Joined: 2005-03-22 03:28pm
Location: Ida Galaxy

Re: Fucking viruses

Post by Braedley »

Use Firefox with Ad-Block Plus (and a good subscription list), and always-on anti-virus/anti-malware. That's about the only thing that will prevent infection. Aside from that, keep your AV and AM definitions up to date (have your programs check at least once a day if they run at startup), don't do stupid shit like run untrusted .exes, and use a decent firewall.

As far as how it spreads, I don't know for sure, but probably through a compromised website.
Dominus Atheos
Sith Marauder
Posts: 3901
Joined: 2005-09-15 09:41pm
Location: Portland, Oregon

Re: Fucking viruses

Post by Dominus Atheos »

Holy Jesus's shit!

Apparently Microsoft just cleaned this thing off of nearly a million machines by way of a Windows update:
The Malicious Software Removal Tool (MSRT) is a small program Microsoft pushes out to computers on Patch Tuesday to clean out a list of malware. On this month's Patch Tuesday, Microsoft added scans for a malware file that masks itself as security software, and it found plenty of copies.

Win32/FakeSecSen has gone by various names, including Micro Antivirus 2009, MS Antivirus, Spyware Preventer, Vista Antivirus 2008, Advanced Antivirus, System Antivirus 2008, Ultimate Antivirus 2008, Windows Antivirus, XPert Antivirus, Power Antivirus, and Ultra Antivirus 2009. Furthermore, it is skinnable, so each of these variants has a different GUI, although the basic functionality is the same: bother users with warnings of malware until they pay up.

The Microsoft Malware Protection Center recently released some data on how the removal tool performed this month: FakeSecSen was removed from 994,061 machines. That number isn't the highest Microsoft has recorded before, and the number of removals depends on which malware Microsoft adds each month and how widespread it is.

The company did note, however, that for every one thousand machines in the US scanned by MSRT during the last seven days, roughly five were infected with FakeSecSen rogues. That's quite high for just one piece of malware, but things could have been much worse, according to Microsoft:

Normally each FakeSecSen installation contains one EXE, one or two DAT files, one Control Panel applet (CPL), one desktop shortcut and sometimes one uninstaller. It is interesting that only 20 percent of these removals contain executables of FakeSecSen. This indicates either the other 80 percent had at one point been infected by FakeSecSen and the threat was then manually and partially removed, or the machines were cleaned by other AV products/tools, or FakeSecSen had failed to install, etc.

Once Microsoft gets into the game of free real-time antivirus solutions, it will be worth watching how infection rates fare, instead of just taking note of cleanup numbers each month.
The bolded part is why myself and other people who know a lot about computer security will always recommend a nuke and pave whenever someone is infected with spyware. Even if you think you removed the program, it may leave bits and pieces of itself on your computer. Sometimes those bits and pieces will only slow down your computer, but don't be surprised to find that there's a keylogger stealing everything you type on the keyboard, or that your computer is a zombie that's sending spam email as part of a botnet.