A trojan virus wiped my computer out. Solved/Closed

Question

Hello, 

A trojan virus wiped my computer out.  I tried to do a system restore  with no luck.  I keep getting error messages that say--

Failed to save all components for the file\System 32---This error may be caused by a PC hardware problem.  

It will pop up about 20 times every few minutes.  I just reactivated Norton internet security but that is not helping with the remaining 12 issues my computer says I have.  

I get a data recovery screen that pops up as well but I want to make sure it is legit before I type in my credit card info.

Any help would be appreciated.

Thanks!

Configuration: Windows 7 / Firefox 6.0.2

Ambucias · Accepted Answer

@fersuapin,

Here is how to get rid of this scam rogue virus designed to get to your credit card account and it is a good thing you did not fall for it. 

Please follow the following procedure carefully and to the letter. 

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning. 

You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever. 

To kill the processes: 

1. Download to your desktop and run Rogue Kill: 

https://download.bleepingcomputer.com/grinler/rkill.com 

2. You should now see a window that shows all of your desktop icons, including the rkill.com program. 

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running. 

As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you! 

Download to your desktop Malwarebyte. 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ 

Once on your desktop, we must still outwit the virus. 

Right click on the MBAM icon and click on rename. Rename it kioskea.exe. 

Install Malwarebyte and launch it. From the second tab, update it. 

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found. 

It is very important that you let Malwarebyte run for as long as it takes, in some cases the creators of Malwarebyte suggest that you go do something like watch a rerun of "Gone with the Wind" or read Tolstoy's "War and Peace".

Once your computer is clean and working normally just to be on the safe side 
*Turn off system restore and wait 30 seconds, 
*Turn it back on and create a new restore point. 

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed. 
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process. 
It is better to go back to an infected restore point if something goes wrong then to not be able to undo changes that were damaging. 

(Malwarebyte may reboot your computer, don't be alarmed. Should it happened, relaunch Malwarebyte to complete the FULL scan) 

Once all this is completed, I always suggest to delete Malwarebyte as some people have reported that it may interfere with other antivirus applications. 

Please let us know about the results or I may throw a curse on your system which will cause to bark all the time.:)))

Best regards

Ambucias · Answer

To help you, I must make a diagnostic and to do so, I require a log. 

Open this link and download ZHPDiag : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 


Register the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop. 

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

Anonymous User · Answer

IMPORTANT:

Dont type in your credit card info.Data recovery is a Rogue software

Its easy to recover your files.Your files have been hidden.

Go to run and type

%temp%

Now if you find a folder called smtmp,just copy the folder to somewhere other than temp folder

Now upload the log as per amubcias instructions

fersuapin · Answer

Hi Everyone, so I got this exact same problem but I have no idea what to do, what do you guys recommend me? I do not want to type my credit card info, but it actually made me believe I had a hardware problem, I just cant find out how it got infected... so please, how do I find my files? all the files in the C drive are there, but my documents etc appear blank...

loukas78 · Answer

I got the same problem.
I run rogue kill, malwarebyte and the kaspersky tool and remove the virus.
However, my desktop has not recovered yet and its black. What should I do to recover it? I tried to rename the explorer.exe but I was not allowed. Please help me guys

Anonymous User · Answer

@loukas78 


For xp 

Go to run and type 

cmd and press ok 

Now copy and run this command 

Echo y | reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDesktop 


Now go to task manager-click on explorer.exe and end the process and relaunch it  

Go to file-new task and type 

explorer and click ok

This should bring your desktop back 


For vista and 7 open command prompt as administrator and run the command

loukas78 · Answer

Sorry but it seems I can not follow your instructions.

I have Windows Vista installed in my PC. 

I tried to open command prompt as administrator.
A black window opened up (like DOS environment). 
C\Windows\system 32  was written.
I tried to copy paste the command. 

I coudn't.

 So I typed it and then  I got an answer: The system was unable to find the specified registry key or value.

What should I do? I think your instructions are right but I can not follow them.

Anonymous User · Answer

No probs lets try this  

open the registry(go to run and type regedit and click ok)  

Navigate to the following key:  

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  

Remove the following  key  

 NoDesktop  

or   

If you find this key  

No view context menu   >>> set it to 0  


 Reboot the system.  

If you do not find these keys ,Check here  

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


Now if you can right click on the desktop

go to VIEW >> select '' show desktop icons ''

loukas78 · Answer

I did not find the first  two keys but I found this 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

What should I do? Should I delete it?

Anonymous User · Answer

No never delete it. 

Navigate to this  

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  

Search for the keys on the right pane.If you are getting no desktop or no view context menu,say me what else do you find there? 



IF YOU ARE ABLE TO RIGHT CLICK ON THE DESKTOP 


Right click >>> view >>> show desktop icons 


If you are unable to right click on the desktop 

 go to run and type 

gpedit.msc 

User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer. In the right hand pane, find "Remove Windows Explorer's default context menu", open its properties by double clicking it. If it's enabled or not configured, disable it  

Now reboot the PC 


If that doesnt work 


Just say me the entries you find on the right pane of this key 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer  


Also check for these folders 

go run and type 

%temp% 

C:/windows/temp 

Do you find something called smtmp folders? 

Let me know

loukas78 · Answer

The entries I find on the right pane are the default and the Bind directory to property set storage.
And I searched and found the smtmp folder. It contains folders 1, 2,4. 

I am able to right click on the desktop and see 70% of the stuff I had there before. However, the background screen is still black and I "miss" some folders Moreover, when I click start I see only the computer folder (on the folders right side)

Anonymous User · Answer

//I am able to right click on the desktop and see 70% of the stuff /// 


You should have said this to me before..previous tricks are for NO DESKTOP and not for this 

You are very lucky because you have the SMTMP folder,now do this 


1. Copy the entire content of this folder: 
C:\Users\user_name\AppData\Local\Temp\smtmp\1 
and paste it to this folder: 
c:\program data/microsoft/windows/start menu 

2. Copy the entire content of this folder: 
C:\Users\user_name\AppData\Local\Temp\smtmp\2 
and paste it to this folder: 
C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch 


3.Copy the entire content of this folder: 
C:\Users\user_name\AppData\Local\Temp\smtmp\4 
and paste it to this folder: 
C:\Users\Public\Desktop 



You have to manually PIN THE START MENU ICONS if you cant find it 


Let me know how it works

loukas78 · Answer

Steps 1 and 2 done.
Step 3 not cause the Public folder doesn't have a desktop folder...So I can't paste the stuff...
Desktop stil black...it contains all the folders that I can see through windows explorer HOWEVER I think (not sure) I am missing some files compaired to the pre-virus state...

Anonymous User · Answer

loukas78

You need to run unhide command ,You should have created a new thread which would not have brought a confusion in procedure,anyway


Go to start and type

cmd and right click on it and select '' run as administrator''

Now run this command

attrib -h c:\*.* /s /d

Wait for files to be unhidden.

I dont think you may need to copy the files from smtmp for desktop.It will automatically come up on running this command

Let me know

loukas78 · Answer

Access denied - C:\WINDOWS	wain_32.dll
Access denied - C:\WINDOWS	wunk_16.exe
Access denied - C:\WINDOWS	wunk_32.exe
Access denied - C:\WINDOWS\winhelp.exe
Access denied - C:\WINDOWS\winhlp32.exe
Access denied - C:\WINDOWS\winsxs
Access denied - C:\WINDOWS\WMSysPr9.prx
Access denied - C:\WINDOWS\_default.pif
Not resetting system file - C:\$RECYCLE.BIN
Not resetting system file - C:\boot
Not resetting system file - C:\bootmgr
Not resetting system file - C:\hiberfil.sys
Not resetting system file - C:\IO.SYS
Not resetting system file - C:\MSDOS.SYS
Not resetting system file - C:\pagefile.sys
Not resetting system file - C:\System Volume Information

C:\Windows\system32>

These are SOME of the LAST lines that I got after running the command...

loukas78 · Answer

I think the run finished. The above written lines were the last ones.

I have not seen any change. I am sure I am still missing some desktop items (not to mention the black screen...)

I rebooted but no change...

loukas78 · Answer

Just before you message me I deleted all temporary files. So the smtmp are not there! I emptied the recycle bin. 
I think I just suicide!!!!
Is there a way to recover them???

Anonymous User · Answer

Try this

 Download Recuva 

https://ccm.net/downloads/security-and-maintenance/5003-recuva/

Install it and when you get the recuva screen 

  Click Cancel on the wizard.
  Click on Options... >> Actions Tab. Check "Restore folder structure."
  Run a regular scan on the system drive.

When complete, use the filter box in the upper right to filter  and type

*.lnk

 Select all the files and recover them to a folder of your choosing.
Now you should get back the smtmp folder

loukas78 · Answer

I am not getting the smtmp folder...
I am getting other kinds of stuff. Please think that On the "recovered folders path" given by the software NO FILE SEEMS TO HAVE BEEN recovered from a place like C:\Users\user_name\AppData\Local\Temp\smtmp

I found several tmp documents coming from C:\Users\user_name\AppData\Local\Temp 

BUT NONE FROM the smtmp folder.....

loukas78 · Answer

No smtmp folder exists.... :(

Anonymous User · Answer

Do not filter,  

Just scan for files,and see if you can recover your lost icons  

Check your recycle bin too  

If you do not get your icons,just copy the icons of softwares from C:/program files folder and create a shortcut in desktop  

I think you have successfully replaced your startmenu icons so missing some desktop icons should not worry you because it can be replaced


About the black screen

Go to start and type

services.msc and press enter


Make sure that themes service started
Now select a theme in display properties and see how it works

loukas78 · Answer

sundar7701

First of all thank you for your help. 
I think I "traveled" from Europe to USA through the north pole (didn't follow the easiest way) in order to solve the problems...
You really helped me. I followed your last orders and I have  ~90% of the previous desktop conditions with the screen looking great (i am missing some shortcuts but I don't remember all the programms that I had on the desktop).
Moreover, I have a couple of last questions:
1. Is there any "light" anti-virus or anti... call it whatever you want that I should install on my PC? I prefer something that won't slow it down and work in real time. I have Windows Vista installed on a HP Pavilion dv6000 laptop, with Intel Core(TM)2 CPU T 5200@1.6GHz, 1.00 GB RAM and a 120 GB hard disk
2. Does missing the smtmp folder makes my laptop valnerable or disoperationable etc???
3. What short of anti spyware-malware  or .... so should I regularly run? I have spybot and Malwarebytes. The first one doesn't seem to detect lots of stuff anymore
THANKS A LOT BODY

Ambucias · Answer

Hello Loukas,

Spybot is far outdated. 

If you wish a free antivirus application, I highly recommend AVG which you can download here:

https://www.avg.com/en-us/free-antivirus-download

If you decide to adopt AVG, Spybot may create a conflict, so you must uninstall Spybot.

As for your the smtmp folder, it just might be still in you system, it is usually hidden and you can't see it.  That the little trick on the part of this Trojan Horse, it hides in the stable.  If it was not deleted it's there.

I also believe that it's hidding in your system recovery.

If you wish for me to make a final check for virus, I will pass on the results to you and Sundar.

, I require a log. 

Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 


Save the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop. 

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

Best regards

loukas78 · Answer

Here is the link

https://authentification.site/files/30885385/ZHPScan.txt

Please let me know of what you think.
Except of Malwarebytes do you suggest any other kind of anti spyware-malware software?

loukas78 · Answer

I don't think the previous file is the good one.
(I couldn't find any under the name ZHPDiag.txt. so I send you that one).
DISREGARD IT.


I have just pasted  the scan in a text file and uploaded through the website you gave me

https://authentification.site/files/30885676/ZHP_My_scan.txt

THIS MUST BE WHAT YOU WANT. Please suggest me softwares as well.
Thank you very much

Ambucias · Answer

Loukas,

I already mentioned an antivirus to you (AVG) which is free.

Otherwise, from experience, Kaspersky, F-Secure and AVG pro, as far as I am concerned are the best. You are worried that the antivirus may slow down your computer.  At the moment anything will slow down your computer because I just saw that you have only 17% of available RAM left.  If I were you, I would seriously consider buying 1gb additional RAM.

Looking at your log: 

1. you have 
a) parasite called Parasite.Pugi and 
b) an adware called .open candy..
c) another adware called: Adware.AskBarDis

2. You contracted the initial virus on Bittorent

3. You no longer require Malwarebyte, Superantispyware, E-set online scanner and Spybot - Search & Destroy. I suggest removing them to avoid conflicts with the antivirus software you will install.

4. There is also some Norton Symantec junk on your machine

5. I question the necessity for you to have Net framework.

6. You may have an autorun infection on F

If you don't mind, lets get rid of the bugs

1. On your desktop, you have ZHP Fix, please launch it
2. Copy the following files in it:

O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} . (...) -- C:\Program Files\vShare\vshare_toolbar.dll    
O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} . (...) -- C:\Program Files\vShare\vshare_toolbar.dll    
O18 - Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} . (...) -- C:\Program Files\vShare\vshare_toolbar.dll  
  O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
O43 - CFD: 7/31/2011 - 1:12:48 PM - [31275710] ----D- C:\Users\MAKIS\AppData\Roaming\OpenCandy    
O43 - CFD: 8/1/2011 - 1:53:22 AM - [0] ----D- C:\Users\MAKIS\AppData\Local\OpenCandy    
O69 - SBI: SearchScopes [HKCU] {043C5167-00BB-4324-AF7E-62013FAEDACF} - (Web Search...) 
O69 - SBI: SearchScopes [HKCU] {C93ADDC3-D3CF-4E1B-8C10-BE14B17055B2} - (Ask.com) 
C:\Users\MAKIS\AppData\Roaming\OpenCandy    
C:\Users\MAKIS\AppData\Local\OpenCandy 
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) /h ccCommon (file missing)

Now click on GO

Your system is now free of infection.

Let me know.

P.S. Next you wish to recover your icons do this:

reboot your computer in the Safe mode with command prompt. 

Once Windows loaded, command prompt (black window) opens. Type notepad and press Enter. 

A notepad window opens. Type the following text into notepad: 

[Version] 
Signature="$Chicago$" 
Provider=Myantispyware.com 

[DefaultInstall] 
AddReg=regsec 

[regsec] 
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0 
HKLM, Software\Microsoft\Windows NT\CurrentVersion\Winlogon,Shell,0x00000020,"Explorer.exe" 

Save this as fix.inf to your Desktop (remember to select Save as file type: All files in Notepad). Close Notepad. 

In the command prompt type Explorer.exe and Press Enter. Windows Explorer opens. Locate the fix.inf, click right button and select Install. Close Windows Explorer. 

In the command prompt type shutdown -r and press Enter. Your computer will be rebooted.

loukas78 · Answer

I Did all the previous carefully. 
No changes on the desktop ( should the installation of fix.inf have taken much time? While doing this in safe mode no window poped up on the screen. I am not sure it worked)
I uninstalled some programs through control panel. HOWEVER I don't know what to do with 
4,5,6 in your last contact.

ALSO CAN YOU EXPLAIN ME WHAT YOU MEAN BY "You contracted the initial virus on Bittorent". I have never use this bittorent!!!

Here is the report from ZHPFix

Rapport de ZHPFix 1.12.3365 par Nicolas Coolman, Update du 18/10/2011
Fichier d'export Registre : 
Run by MAKIS at 10/23/2011 5:27:49 PM
Windows Vista Home Premium Edition, 32-bit Service Pack 2 (Build 6002)
Web site : http://www.premiumorange.com/zeb-help-process/zhpfix.html

========== Registry Key ==========
DELETED Key: CLSID BHO: {043C5167-00BB-4324-AF7E-62013FAEDACF}
NOT FOUND Key: Service: AudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
DELETED Key: SearchScopes :{043C5167-00BB-4324-AF7E-62013FAEDACF}
DELETED Key: SearchScopes :{C93ADDC3-D3CF-4E1B-8C10-BE14B17055B2}
NOT FOUND Key: Service: CLTNetCnService) /h ccCommon (file missing)

========== Registry Value ==========
DELETED Toolbar: {043C5167-00BB-4324-AF7E-62013FAEDACF}

========== Registry Data Items ==========
ERROR CLSID PAPP: {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484}

========== Repertory ==========
DELETED Folder: C:\Users\MAKIS\AppData\Roaming\OpenCandy
DELETED Folder: C:\Users\MAKIS\AppData\Local\OpenCandy

========== File ==========
DELETED File: c:\program files\vshare\vshare_toolbar.dll
NOT FOUND File: c:\program files\vshare\vshare_toolbar.dll
DELETED File: c:\windows\system32\drivers\xaudio.exe
NOT FOUND Folder/File: c:\users\makis\appdata\roaming\opencandy
NOT FOUND Folder/File: c:\users\makis\appdata\local\opencandy


========== Summary ==========
5 : Registry Key
1 : Registry Value
1 : Registry Data Items
2 : Repertory
5 : File


End of clean in 11mn AMs

========== Report File ==========
C:\ZHP\ZHPFix[R1].txt - 10/23/2011 5:27:49 PM [1560]

Thank you again for your help

Ambucias · Answer

Hello Loukas,

Seems that the Fix worked.  The deleted items don't make icons return.

Sorry but the fix I gave you didn't work it was too late.

You have bittorent in your system which is a peer to peer application. Most often, infections are transmitted through downloads.

As I told you, your RAM is at a critical point.  While you are thinking of investing here is a small tool which you can use to stop unnecessary applications for starting at boot time.  That should save some ram.

https://www.malwarebytes.com/mwb-download/

If you never use Net Framework you don't need it, it's only for certain special applications, you can delete it.

After you deleted netframework, download, install and run this totally free yet very efficient registry cleaner :

https://ccm.net/download/download-13339-eusing-free-registry-cleaner

Click on scan ans once finished on repair.

The above may also rid traces of Norton

Don't be surprised is you get hundreds of errors.

As for the autorun, I suggest you wait to see if you encounter any problem on "F".  There are all kinds of solved topics on autorun on this forum including the faq.

Good luck

jbcorcor · Answer

I got this virus the other day and this post helped me get rid of it in the amount of time it took to download the programs and run a scan. THANK YOU for the help!!!!!!!

Anonymous User · Answer

loukas78

Follow the steps provided by ambucias and that should make your PC clean.
Do not download fake softwares,in your case you should have downloaded '' Data recovery software which had caused you so much trouble.

I think you have got almost all the answers from ambucias

// Does missing the smtmp folder makes my laptop valnerable or disoperationable etc??? //


SMTMP folder is not your system folder but a folder created by the virus to backup your icons.It doesnot have any executable that can bring back your virus.Losing it will not cause you any trouble.


jbcorcor

Appreciate your feedback

loukas78 · Answer

Ambucias and sundar,
I followed your last instructions as well as the previous ones. I got rid off a lot of stuff with the registry cleaner.
I am also planning to buy an extra RAM. AVG is already installed on my PC.
You were really patient, helpfull and topic specific.THANK YOU SO MUCH

Anonymous User · Answer

you are welcome

safe surfing!!!

gutoBrazil · Answer

Hi,
i'm brazilian, I have this problems.
after you remove de malware you have to set de explorer settings, -> see my file and directories hidden.

the file and the programs are HIDDEN thats why we don't see the files on the pastes and directories,

A trojan virus wiped my computer out.

33 responses

Similar discussions

Subscribe To Our Newsletter!