Viruses...I didn't believe in them.

Started by monkey0506, Thu 16/07/2009 06:29:50


monkey0506

I am being slightly sarcastic in saying this, but I didn't really ever think that I would under any circumstances have to deal with a computer plagued by viruses. The computer I am currently using to post this however has made its sole goal in life to prove me wrong.

Last night, no more than 24 hours ago this computer was working fine. Then suddenly about 5 or 6 hours ago I tried to get online. There was a valid connection...but...somehow...any page I would go to...all the links were broken.

I first was trying to sign into MySpace and Internet Explorer crashed fatally about 3 times (and then immediately recovered the tab bringing me back to the MySpace main site (not logged in)) before I said, fine I'll go somewhere else for a bit. To my surprise when I got there every link on the page was pointing to some "googleredirect.com" which would search for the text of the link with the actual link appended (URL encoded) at the end of the link.

"So," I said to myself, "Microsoft is really pushing IE 8 then" because as this isn't my computer, I was using Internet Explorer. I went through the grievous task of installing IE8 which is no small feat by any means...and the issue persisted. So I booted into Safe Mode. Everything seemed okay. I went ahead and took the opportunity then to install Firefox.

Rebooted back in normal mode and..."WTF!" The issue persists even in Firefox. That's about when "Security Center" pops up and tells me that the computer has 12 viruses ranging from simple key loggers to Trojans, Worms, Backdoors...I did find this a bit suspicious considering I had no idea what "Security Center" was, although it was skinned to look like Norton...it wasn't Norton.

That's when I saw where it was proposing one of the viruses to be at..."\windows\system32\rundll32.dll", recommended action DELETE? "Okay," I told my mom at this point, "that's NOT Norton. That's a virus."

This was the point at which the desktop background got replaced by the text that "SPYWARE HAS BEEN DETECTED!" and all sorts of propaganda along those lines...

So in Safe Mode I was able to get Norton to run a scan...but remarkably it didn't find anything. I never trusted Norton anyway. Personally I use avast! Home and it's never led me astray. Oh look, avast! found no less than 7 viruses (although none in the locations proposed by "Security Center").

There's still one item that I can't seem to get rid of. The file doesn't exist. I've looked (including in hidden AND system files). avast! tells me if I try to move it to the "chest" (quarantine) that "the maximum number of secrets" (emphasis mine) has been exceeded...uh...WTF is a "secret" in terms of a computer? And what does it have to do with a virus in a non-existent location?

Anyway I know there've been threads like this...I just felt like venting a bit. Having never had to deal with viruses before I can now say to those who have, "I feel your pain." Luckily despite everything that was wrong the system is recoverable; but only because I have a fair bit of knowledge working with computers...

The one item I mentioned not being able to get rid of has been labeled as "Rootkit" malware. I'm not sure what a rootkit is, but I did message avast! support for further assistance.
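A defender's check for the symptom described in this post, added here as an example and not taken from the original thread: it walks a list of anchor hrefs and flags those that route through one host while carrying a different, URL-encoded target in the query, which is the pattern monkey0506 describes. googleredirect.com is the domain named in the post; the href strings are constructed samples.

```python
"""Defender-side check for the link hijack described above: every anchor on a
page points at a redirector host that carries the real target URL-encoded in
its query. Added example; 'googleredirect.com' is the domain the post names,
the href strings below are constructed samples."""
import re
from urllib.parse import unquote, urlsplit

# A URL-encoded absolute URL embedded inside another URL ("http%3A%2F%2F...").
ENCODED_URL_RE = re.compile(r"https?%3A%2F%2F[^&#]+", re.IGNORECASE)

# Constructed sample hrefs, as a hijacked page might serve them.
SAMPLE_HREFS = [
    "http://googleredirect.com/search?q=AGS+Forums"
    "&url=http%3A%2F%2Fwww.adventuregamestudio.co.uk%2Fforums",
    "http://www.adventuregamestudio.co.uk/forums/index.php?topic=1",
    # Same-site redirect (login bounce): the target host matches, not flagged.
    "https://example.org/login?next=https%3A%2F%2Fexample.org%2Fprofile",
    "http://myspace.com/login",
]


def hijacked_target(href):
    """Return (redirector_host, decoded_target) when `href` routes through one
    host but embeds a URL-encoded link to a different host, else None."""
    outer_host = (urlsplit(href).hostname or "").lower()
    for match in ENCODED_URL_RE.finditer(href):
        target = unquote(match.group(0))
        target_host = (urlsplit(target).hostname or "").lower()
        if target_host and target_host != outer_host:
            return outer_host, target
    return None


def audit_links(hrefs):
    """Map each hijacked href to its (redirector_host, real_target) pair."""
    report = {}
    for href in hrefs:
        hit = hijacked_target(href)
        if hit:
            report[href] = hit
    return report


def redirector_hosts(hrefs):
    """Distinct redirector hosts seen; one host behind most links is the tell."""
    return sorted({host for host, _ in audit_links(hrefs).values()})


if __name__ == "__main__":
    for href, (via, real) in audit_links(SAMPLE_HREFS).items():
        print(f"{real}\n    hijacked via {via}")
    print("redirectors:", redirector_hosts(SAMPLE_HREFS))
```

This only catches links whose href was rewritten; the later report in this thread, where the href stays correct but a left-click still redirects, points at an injected click handler that an href audit will not see.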

LUniqueDan

Venting is the purpose of Gen-Gen :D

Rootkits are not viruses per se, but thingies that create / hide backdoors in your computer to maintain access to other kinds of crap (Trojans, worms etc..)

For Rootkits use Avira Antivir (that's Avira's speciality) there's a rootkits menu on the top.

If it's rundll32 that is corrupt (and not something that makes it sound corrupt) ... you won't have many other choices than to reinstall Windows or use the Windows Recovery Console.

Good luck
"I've... seen things you people wouldn't believe. Destroyed pigeon nests on the roof of the toolshed. I watched dead mice glitter in the dark, near the rain gutter trap.
All those moments... will be lost... in time, like tears... in... rain."

Akatosh

Ooh, I know that one. The program that does this sort of thing is a really annoying little bugger. If I recall correctly, it's adware that auto-installs itself if you visit a hijacked website and don't immediately shoot down your browser via the task manager. The goal is pretty much to get you to buy a fake anti-virus program that does nothing but download more trojans.

I recommend firing up Knoppix or something among these lines and virus-scanning the hell out of your hard drive. Running some adware removal can't hurt either. Plus, yeah, scan for rootkits.

Layabout

Oooh nasty. Sounds like a case of not updating Windows (XP, isn't it?), not using a current browser and having shitty AV software.

Post-XP systems have a thing called the Security Centre which monitors whether you are using a working firewall, up to date antivir, etc. It is primarily there for stupid people who use computers really.

Has someone else been using this computer? Surely you would know not to download things from popups or programs that want to install themselves, but other people using the computer might. If so, upgrade to Vista or 7 and turn UAC to max power for their account. Give yourself the admin account. It's called smart computer usage. Idiots are the reason UAC exists, so utilise it. If you are still using XP, then you should get Windows 7 as it is released. It is a faster and more stable user experience. And it does not look like Fisher-fucking-price designed the interface.

And stay away from myspace while you are at it. It's full of emos.
I am Jean-Pierre.

GarageGothic

As for the maximum number of secrets error, this is what Microsoft's own website says:

Quote:
Error Message:
The maximum number of secrets that may be stored in a single system has been exceeded.

Explanation:
A secret is an encrypted piece of information, such as a password or user name.

User Action:
Contact the supplier of the running application.

From what I could find, apparently this limitation on encrypted files has something to do with U.S. national security. Are files stored in the Avast! quarantine chest encrypted? Perhaps you need to delete some files already in there.

Also, I recommend scheduling a boot-time scan in Avast!. That usually can remove infected files which are protected once Windows is running.

Shane 'ProgZmax' Stevens

This particular malware auto-disables several popular malware recovery programs when it first hits your pc, like anti-malware, spybot, adaware, and the like. I ended up having to find an obscure program called superantispyware which completely erased it in one go, and then as a precautionary measure I re-installed spybot and anti-malware and ran these fresh copies. It's one of the more invasive and irritating malware programs going around right now and it's quite easy to get.

monkey0506

Of course I know better than to be a retard when it comes to computers. Which is why I incorrectly assumed I would never have to deal with them. This computer is...erm...my mom's boyfriend's computer.

Just to be clear rundll32 is not infected, it was the fake antivirus program that was claiming it was. And Windows XP does have the "Security Center" as well, but that's not the same "Security Center" that was claiming it found all these viruses in core Windows components. This program was skinned to look almost identical to Norton 2008 (or so, I don't recall the exact Norton version it looked most like, but it's not the most recent versions) and tried to convince me to delete important system files.

I've run avast! both at boot-time and from the OS multiple times (from the OS using the most thorough settings, including scanning archived files). At this point it doesn't detect anything left at all. There was plenty. I deleted it all. :D

However, now it only detects a problem in the file "c:\windows\system32\geyekrxotpynky.dll" (which does not exist), and only when starting avast! (as if I wanted to run a full system scan; it is of course constantly scanning in the background).

I've tried all of the available options ("Move/Rename", "Delete", and "Move to chest") and only "Move to chest" yields any apparent result. The result is that it tells me the maximum number of secrets is exceeded and the file can therefore not be moved. :-\

avast! support sent me Hijack This! and requested I send them the log of that which I did. Other than that they told me to take all the same steps I already have and see if I can come up with anything else.

As far as MySpace goes it may be chock full of emo prats but I'm not scared of them. They don't call me "The Enforcer" for nothing.

Domino

http://www.5starsupport.com/ipboard/index.php?s=10a9771d126103a24a21b2b10a60067e&showtopic=15483&view=findpost&p=59820

This helped me when my computer was being totally raped by viruses.

It does work, but follow the directions exactly.

Also, I switched from AVG free to ESET_NOD32 AV.

rharpe

To save yourself some time and headaches, try to restore to an earlier date. Some viruses break this option, but if you haven't tried... do it now!

1.) START -> PROGRAMS -> ACCESSORIES -> SYSTEM TOOLS -> SYSTEM RESTORE
2.) Restore my computer to an earlier time
3.) Choose a week or two before the incident started to happen
(The computer will reboot and then it will tell you whether it was successful or not.)

Should this work, download AVIRA ANTIVIRUS, MALWAREBYTES, SPYBOT SEARCH & DESTROY, HIJACK THIS
Update each and every program and run the most thorough scan options.

Good luck!
"Hail to the king, baby!"

monkey0506

I love you guys. I really do. Big shout-out to Dan (and of course rharpe) for suggesting Avira. I hate the way the program is so "in-your-face" all the time so I likely am not going to use it, but it did an awesome job cleaning up that rootkit.

As I said previously avast! has never let me down, it was just having some difficulty with this rootkit which had embedded itself nicely inside of Windows (in particular the Windows disk check and error reporting, interestingly enough).

To be absolutely certain I've been extremely, obsessively thorough in making sure that there are definitely no viruses remaining on this system. Here's what I've done:

1. Run boot-time scan via avast!
2. Run OS scan via Avira
3. Run OS scan via avast!
4. Uninstall avast!
5. Restart
6. Redownload and reinstall avast!
7. (Restart and) Run boot-time scan via avast!
8. Run OS scan via Avira
9. Run OS scan via avast!

Each of the scans was set to the absolute most thorough settings available. Sure, call me OCD but I was tired of this crap. As a final test, I verified that the redirecting/rerouting of the links has been corrected.

In particular last night (before I installed Avira) everything seemed to be working fine. So I tried to Google some information on this error I was having. I put something like "'maximum number of secrets' avast". The first link I would select would go through properly. The rest of the links were getting re-routed...but only if I left-clicked them. The actual link was still correct (i.e., if I copied it to Notepad) and I could open it in a new tab no problem. But if I tried to open it in the same tab it would try and prevent me from getting to the information. It doesn't do that anymore.

In short, rootkits are horse crap and if I ever see one again you better believe that it's Avira here I come.

P.S. I will definitely take a look at some of these anti-adware/anti-spyware programs and see if they come up with anything else. This computer is a complete mess (I hate using computers which are primarily operated by ignorant...computer illiterates).

Khris

I used to use Spybot myself but it let me down once. My new weapon of choice is superantispyware. It's simply the best.

Paper Carnival

A bit off-topic, but I discovered that after yesterday's update Avira keeps complaining of a virus when you run an executable compiled with this C code:

Code:
int main() {
    return 0;
}

Neat, huh?

monkey0506

Apparently the problem wasn't as solved as I thought. I ran Malware Bytes and Spybot Search and Destroy both of which found more items that needed to be corrected. Then I was looking up Ad-Aware when the problem reared its ugly head again, and decided to rub my nose in it. Ad-Aware by the way didn't turn up anything at all.

So then I used ComboFix (thanks Domino) which is a frightening experience. :D It made me feel like it was about to format the hard drive with some of the warnings/prompts it gives.

I didn't mention it before rharpe, but there aren't any System Restore points on this system so that option is out (ComboFix did create one though).

I'll probably take a look at superantispyware as well just to see what else it can come up with. avast! (in my experience) seems pretty good at preventative measures, but cleaning this crap up is annoying as all get-out. Particularly the way that it seems to detect when I'm trying to find it and then lay dormant for a while until I think I've finally gotten rid of it. Disgusting prick. >:(

EDIT: superantispyware turned up nothing new. I forgot to mention I did also install a new HOSTS file.

Beyond that I also installed CCleaner which did a number to the registry, so I made sure to make back-ups every time before anything was removed. It did remove a ton of invalid entries though so it was definitely a good step.

Now I have Windows back on a "Normal" startup, it was on a "Selective" startup while I tried to make sure everything was cleaned out properly. Did a few more scans to be sure and everything seems good so far. Still keeping my fingers crossed before I make the mistake of saying "It's fixed!" again.

m0ds

No/yes you are right. Any computer that doesn't go online will always be virus free. When people buy computers they should buy 2. One for net, one not. The net one will get infected, but it's okay, it will always just be the less important virus net machine... The other PC need not ever believe in viruses.

monkey0506

Well I'm about to the point of giving up. I still think there's something on here because any time I try Googling information about what I'm experiencing the thing goes crazy and starts redirecting all over the place. Maybe it's just Google that's got bugged. I don't know.

The point is I cleaned out like 10 viruses, 30 spyware programs, and a bucketload of invalid registry entries. The computer is running stable and in most cases without issue.

I actually signed up for some random "malware tech support" forum but they just irked me off even more because their forum doesn't allow you to register with a Gmail account. The two reasons given were that "it's creepy" and something to do with spammers in the forum.

I've had that Gmail account for 5 years (thank you AGSers) and I am not about to be discriminated against because someone else doesn't like my email provider. So I just ranted a bit there...ranted a bit here...and now...I'm off to bed.

Mr Flibble

AGS is one of the few forums which I actually registered my real email address on, most places get a big tasty mouthful of mailinator. Or whatever the second or third google hit is for the sites irritating enough to have blocked mailinator.
Ah! There is no emoticon for what I'm feeling!

Andail

"The maximum number of secrets"...a beautiful beautiful phrase

kaputtnik

Quote from: Mods on Sun 19/07/2009 00:25:13
No/yes you are right. Any computer that doesn't go online will always be virus free. When people buy computers they should buy 2. One for net, one not. The net one will get infected, but it's okay, it will always just be the less important virus net machine... The other PC need not ever believe in viruses.

This I would have seconded some months ago, but meanwhile I have had the displeasure to meet a whole new breed of viruses: Bit devouring USB flashdisk viruses! If you're collaborating with lots of people for university work or creative stuff, even your clean machine could have trouble with them - they nest in the USB disk's boot sector and you better not be around when that USB disk is plugged in!

Well, it's not really that bad, my AntiVir removed all of them until now. But they do exist!
I, object.

LimpingFish

Sites that require you to register simply to browse them are donkey pipe.

Mailinator (or one of its alias domains) usually works.
Steam: LimpingFish
PSN: LFishRoller
XB: TheActualLimpingFish
Spotify: LimpingFish

monkey0506

Well the company that made CCleaner (Piriform) also made a file recovery program called Recuva which I was going to use to see if any files might have been deleted which needed to be recovered (and possibly repaired) instead of just disappearing.

It refused to run because of the maximum number of secrets issue. Note that the site redirection has pretty well targeted any Google search at this point, but doesn't seem to have come up anywhere else recently.

I signed up for Piriform's forum and am working with a "specialist" trying to get this cleaned up. He keeps sending me all these different programs to run and asking me to post logs of a lot of the same scans over and over. Presumably something is (or at least is supposed to be) changing throughout the scans. He's sent me loads of different things so hopefully he knows what he's doing and it's going to get sorted out.

Anyway, the problem persists...but hopefully not for too much longer.

Edit: 25 July 2009

Well, it's "official" then:

Quote from: Rorschach112
Your logs are clean.

I furiously attempted to prove him wrong but the redirection seems resolved in all cases, avast! no longer gives an error that it was unable to scan the boot sector, I was able to run Recuva, Chkdsk, and the Disk Defragmenter (none of which were working previously). I don't know exactly what all he did, but he (apparently) did a great job!

If anybody else ever has any issues like this, I highly recommend contacting the anti-malware team over at Piriform's forums. It worked for me!
