Major Virus Problems

Solved/Closed
mihneabulu - Oct 17, 2011 at 03:13 PM
Ambucias Posts 47356 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Oct 23, 2011 at 10:24 AM
Hello,
I have just encountered a virus that is causing me major problems. First I should tell you that I am using a Dell Inspiron 1545 updated from Windows Vista to 7 (32 bit). I am pretty good with computers as long as I understand what I'm supposed to do. So, when I was scanning for a virus on my computer with Microsoft Security Essentials, I found a trojan virus (history deleted, don't remember the name) and deleted it, just for it to reappear again, with the same name, after a suggested restart from the antivirus program. Then, I was suggested to restart again, but it came back under a different name. After some searching, I tried different antivirus programs but no change... (they would all stop working when I hit scan?) Then, the next day, I got the same message, but with the virus under the name Backdoor: Win 32/Smadow.gen!B. I tried to restart the computer but I got a black screen with an error like "checking file on system. c the type of file is ntfs error" and then when it started, it got an error immediately. Then, my internet had several problems when I tried to connect to my wireless network. The troubleshooter gave me two errors involving an invalid IP and a network proxy. For some reason now, MSE is not giving me a virus, and when I looked in the virus folder, under recent changes, it showed me a weird account which I could not delete, even as administrator. I have no idea where to start to fix my computer. Please respond as soon as you can, and if you need further detail, please ask. I know I did not go into all the details I could, because I did not know where the problem was.

Thank you so much for your time
33 responses

Ambucias
Oct 17, 2011 at 04:05 PM
Greetings,

It looks like you have a worm type of virus.

To help you, I must make a diagnosis and to do so, I require a log.

1. Boot your machine in safemode with networking

2. Open this link and download ZHPDiag2:

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html

(This is a new version of the tool, so the site may be temporarily in French)

Save the file on your Desktop.

Double click on ZHPDiag.exe and follow the instructions.

The tool creates two icons, ZHPDiag and ZHPFix (we will use ZHPFix in the next step).

Double click on the shortcut ZHPDiag on your Desktop. (If necessary click on the Hardhat icon to change the language to English)

Click on the Magnifying glass and run the analysis.

Wait for the tool to finish (it may take a long time).

Close ZHPDiag.


To transmit the report, click on this link:

https://authentification.site

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag).

Select the file ZHPDiag.txt.

Click on "Upload".

Copy the URL and post it here.

Catch you and the worm later
1
Ambucias
Oct 18, 2011 at 05:12 AM
Hello again,

The MBR icon is normal.

Here is what I see:

1. Your Microsoft Security Center has been overridden

2. Your Microsoft Firewall has been overridden

3. There is an adware (PUP infection) Meta Stream in Viewpoint Media Player, SigmaTel Audio Service (STacSV.exe)

4. Suspicious because I don't know what it is: C:\Windows\system32\userinit.exe,C:\Windows\system32\Scvhost.exe,C:\Windows\system32\Scvhost.exe

(Your Java, iTunes and QuickTime applications need to be updated. There is no infection related to them.)

5. Skype has a virus: Malware.Bot

6. There is a rogue trojan horse named: STacSV in system tools 2011.

7. The toolbar S&D My Websearch is a BT infection.

The source of most of the infections was the downloads you did with Azureus.

You have far too many antivirus applications, which conflict with one another. Just one is sufficient; you must delete the others and keep just one. Clam is not the best.

Not to make this message too long, I will end here and return shortly with the clean-up solution.
1
Ambucias
Oct 18, 2011 at 05:41 AM
I'm Back (not Mozart:-)

There are hundreds of infected items in your system and registry, so we will not use ZHP Fix as we would be working on it for a week.

Remember that after we clean your system, you must delete all of the antivirus applications you have and keep only one. You also must ensure, after the clean-up, that you reactivate your firewall.

You may wish to print the following.

1. Go here and download SDFix to your desktop

https://proposedsolution.com/downloads/download-sdfix-exe/

2. To outwit the rogue, which may prevent it from running, rename SDFix to Kioskea.exe.

3. Install SDFix to its default location c:\

4. Reboot your system in safe mode (that is a must)

5. Once booted, click on Start and then Run, and type:

C:\SDFix\RunThis.bat and click OK. You will get a black window.

6. Press Y and Enter

The process may take 30 minutes, be patient.

SDFix will restart your machine and at the end you will get a log which you can copy and paste here.

Good luck
1
As I'm not at home right now, I cannot do this process. But I have a quick question. Why do I have to delete an anti-virus? Also, I deleted Azureus a long time ago, but I see it somehow is still there. Could you help me fully delete it so I have no more problems?
Thanks
0
Ambucias
Oct 18, 2011 at 04:54 PM
Hello Minhea,

I don't know if you missed something; you said that you did everything as I said.

Obviously Azureus is still there, I saw it. How to remove it comes after this clean-up.

I would like you to remove all except one of the antivirus applications you have and keep the one you purchased. You must completely delete Malwarebytes as it may be corrupted and we will need a fresh copy.

Follow the instructions below:

Please follow the following procedure carefully and to the letter.

You have a rogue Trojan horse virus which is self-protective, thus it will prevent any antivirus from functioning.

You must kill the evil processes which the virus is presently running and which prevent you from running any antivirus. If you don't, it will keep reproducing the files forever.

To kill the processes:

1. Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

2. You should now see a window that shows all of your desktop icons, including the rkill.com program.

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step.

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes. So, please try running Rkill until malware is no longer running.

As a matter of fact, if you get messages, it is a sign that the virus is agonizing in excruciating pain, so you can just grin while it is suffering! :)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on Rename. Rename it kioskea.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

I'm signing out now but I will be looking for your feedback in 10 hours from now.

Good luck
1
Anonymous User
Oct 19, 2011 at 01:46 AM
You did not scan with MBAM properly.

After the MBAM scan finishes, check-mark all the infections and remove them, then paste the clean log.


Run this ESET online scanner:

https://www.eset.com/?country=FR&path=/us/online-scanner

Now run TDSSKiller and let us know if it finds hidden files:

https://support.kaspersky.com/downloads/utils/tdsskiller.exe

Post the logs; Ambucias will analyze them soon.
1
Ambucias
Oct 19, 2011 at 04:12 AM
Now it's time to run SDFix in safe mode

Good luck
1
Ambucias
Oct 19, 2011 at 04:39 PM
mihneabulu,

I'm happy that TDSSKiller worked. There is no need for you to run SDFix as it would do the same or almost the same job as TDSSKiller.

If you clear and delete the previous ZHP Diag from your machine, I will be glad to analyse a new one to ensure that everything is hunky-dory. If you do not delete the previous log, you may post it again.

I will let Sundar answer about so many viruses on a computer.

My question to you is which antivirus application do you have now?

Best regards to you and Sundar
1
I'm Back, (Again:)

I think the last MBAM scan did the trick. I got one virus, but my computer is running great! No more errors! YAY!

Here is the log file:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7985

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/19/2011 10:56:12 PM
mbam-log-2011-10-19 (22-56-12).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 329070
Time elapsed: 2 hour(s), 46 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\Scvhost.exe,C:\Windows\system32\Scvhost.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
1
URHHHHH...
Never mind...same Windows defender error.... :(
Took a while to appear
0
Ambucias
Oct 21, 2011 at 04:49 AM
@Sundar

Please stand-by!

@mihneabulu

There is still some malware which has overridden your MS Security.

We will do some manual deletion:

Go into safe mode to override any evil processes.

For this part, you must ensure that you copy and paste the very exact same thing. Always check twice.

1. Click Start and then Run, type regedit and click OK

2. Press ctrl+f to open the search window.

3. Type metastream

Press OK to begin the search; once an item is found, please ensure that it contains the exact same words as you typed.

Every time an item is found, press Del and confirm your choice.

Press F3 to continue the search and delete the items found until no more are found.

4. Once completed, click on Edit and again on Search

Type metastream and click OK.

Repeat the procedure above until no items are found.

5. Right click on Start and open Explorer.

Delete the following files:

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Viewpoint

C:\ProgramData\Viewpoint

6. Go to your Control Panel, Add/Remove Programs, and ensure that Viewpoint Media Player is removed.

7. Reboot and again go to your Control Panel, MS Security Centre, and ensure your firewall is activated.

Please do let me know
1
Ambucias
Oct 21, 2011 at 05:25 AM
I forgot. Once you have done the above and feel you have a healthy system, to ensure better protection, please:

Delete your present Clam antivirus, which is the pits. It has no realtime scanner and each file must be scanned manually to detect an infection.

Instead install the following free antivirus:

https://ccm.net/downloads/security-and-maintenance/6953-avg-antivirus-free-for-pc/

Also delete the following which may create conflicts:

SuperAntiSpyware
ESET online scanner
Malwarebytes
0
Anonymous User
Oct 21, 2011 at 05:03 PM
For the Windows Defender issue, try this:

Open regedit and navigate to

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender

On the right pane you will have a

DisableAntiSpyware value; just delete it.

Restart the PC.

I asked you for the MBAM log because I wanted to check your userinit value,
but I noticed that it looks clean in your ZHPDiag log.

For other issues, Ambucias will guide you through before proceeding with uninstalling software.
1
Ambucias
Oct 21, 2011 at 05:22 PM
Gentlemen please! There are too many cooks in the sauce! Let's solve one thing at a time.

@mihneabulu

I told you that Windows Defender was overridden and that's what we are trying to repair.

I believe that I gave you the link to download and install AVG and I don't know where you got the idea that it is for 64 bit. The link number is 64.

https://ccm.net/downloads/security-and-maintenance/6953-avg-antivirus-free-for-pc/

You deleted MSE? Why?

1. On your desktop, you have a shortcut ZHP Fix; double click on it.

Copy and paste the following:

HKLM\SOFTWARE\Microsoft\Security Center] AntiVirusOverride: Modified

HKLM] [@viewpoint.com/VMP] - (.Unknown owner - MetaStream 3 Plugin r4.) -- C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
HKLM] -- ViewpointMediaPlayer
HKLM\Software\MetaStream
HKLM\Software\Viewpoint
HKLM\Software\MozillaPlugins\@viewpoint.com/VMP
HKLM\Software\Classes\axmetastream.metastreamctl
HKLM\Software\Classes\axmetastream.metastreamctl.1
HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary
HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary.1
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlaye

2. Click on H

3. Please send me a report

4. We will deal with the other issues later. We will get the virus out first.

See you in the morning
1
Ambucias
Oct 22, 2011 at 05:02 AM
mihneabulu

I said that MSE was overridden, which means that the malware disabled it to be able to get into your system without being blocked.

Leave it uninstalled for now and please ask before taking any other initiatives.

Before we get your system a fresh new start on life, I would like to make sure that there are no traces of Metastream, Viewpoint and Azureus left. We will then be able to install AVG. You can delete AVG from your desktop for now.

1. Download and install CCleaner and use it to clean:

a) all of your temporary files (first icon in the left column)

b) Click on the Tools box and then on the Applications tab; if you see any of the following: Viewpoint, MetaStream, Azureus, Malwarebytes, Superantispyware, remove them using that tool. (If you see any other unusual application, let me know.)

2. Download, install and run this totally free yet very efficient registry cleaner:

https://www.eusing.com/free_registry_cleaner/registry_cleaner.htm

Click on scan and let it run.

In your case, you may get from 30 to 1,000 registry errors

Once the scan is finished, click on repair. Eusing Free will delete the errors but makes a back-up in case of need.

3. Delete any previous ZHP Diag report you have and generate a new one for me on Speedyshare.

See you later alligator
1
Ambucias
Oct 22, 2011 at 04:42 PM
mihneabulu,

You have sent me the very same log as before showing the same infections. You had to clear all previous reports stored by ZHP Diag.

If you must, completely uninstall ZHP Diag and reinstall it.
1
Ambucias
Oct 22, 2011 at 04:45 PM
I forgot

Here is what you can use to uninstall the applications:

https://ccm.net/downloads/security-and-maintenance/4641-revo-uninstaller/
0
Ambucias
Oct 22, 2011 at 04:46 PM
Here is a better, fresher link to the AVG 2012 download:

https://www.avg.com/en-us/free-antivirus-download
0
Anonymous User
Oct 22, 2011 at 11:52 PM
mihneabulu

http://download.microsoft.com/download/8/3/D/83DA9B2F-3246-4C1E-996B-1381F667247D/MicrosoftEasyFix50202.msi

Download and run this

There are two modes

Default and aggressive

Use the default one first. If that doesn't work, try the aggressive one.

Let us know how it works
1
Ambucias
Oct 23, 2011 at 05:39 AM
We still have some adware traces:

Please launch ZHP Fix and paste the following:

[HKLM\Software\MozillaPlugins\@viewpoint.com/VMP]
[HKLM\Software\Viewpoint]
C:\Program Files\Viewpoint

Click on GO

Uninstall the following applications:

ESET Online Scanner
SUPERAntiSpyware.com®SUPERAntiSpyware
Alch®ClamWin Antivirus
ClamWin®AntiVirus
1
Ambucias
Oct 23, 2011 at 09:56 AM
mihneabulu,

Thank you for the ZHP Fix log.

Looks okay now and your Windows update should work by going to all programmes and then to Windows update. (ZHP Diag did not show that it needed updating, however, all of your software which is Apple related can use an update.)

I would appreciate your communication in the instructions I have sent to you.

1. Did you ensure that your Windows Firewall is activated ?

2. Did you delete the antiviruses applications I mentioned before?

If you did everything that I recommended and that

a) your system is running smoothly,
b) that your firewall is on

I consider that my virus job is done

Best regards
1
Thank you so much for the help. I downloaded and ran the application, and it gave me an error about my network connection not working. Also, another icon appeared named MBRCheck on the desktop. Then, when I clicked the first of the two icons, it told me a similar error. So, there is one problem: I could not go to the URL, but I saved the text document on a flash drive and sent it from another computer.
Here it is:
http://www.speedyshare.com/files/30800473/ZHPDiag.txt

When you are done, here is the delete password:
gokidovamebe

Anyways, thanks for the help!
0
Ambucias
Oct 18, 2011 at 04:21 AM
Hello,

Please stand-by I am analysing your log.
0
Ambucias,
Again thanks for the help.

I just had a problem:

When I try running the program as it says in the text document with the instructions, it opens a blue screen but closes immediately. This also happened with the two other anti-virus programs that I tried.
I ran the whole thing in just safe mode (no networking) and did everything just as you had said. Is there something I missed, or is the virus acting up to stop it from running?

And my question from before,

I did very few downloads with Azureus a long time ago. Then I "supposedly" uninstalled it. Why does it still appear and how can I delete it?

Sorry about the antivirus question, I now understand the reason.
0
Hello,

I have just finished scanning, and everything worked great, just as you said. Just one thing, as I had said before: I cannot connect to the internet and update it. I found about ten viruses. Everything worked, but my computer still seems to be very slow and glitchy. My network connection is still connecting to the wireless network, but has errors with the internet. Also, it takes a very long time to log on, restart and do almost anything while in Windows.

Here is the report:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

10/18/2011 9:08:35 PM
mbam-log-2011-10-18 (21-08-30).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 312794
Time elapsed: 36 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\DC3_FEXEC (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe (Backdoor.Bot) -> Value: Scvhost.exe -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\couponalert_2pei\Installr\1.bin\2pEZSETP.dll (PUP.FunWebProducts) -> No action taken.
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> No action taken.
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> No action taken.
0
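The two MBAM logs posted in this thread are easy to misread: in the Oct 18 log every line ends with "No action taken." (the point Anonymous User raised), and in the Oct 19 log the single "Registry Data Item" is the Winlogon Userinit hijack that kept "Scvhost.exe" coming back after each reboot. As an added example, not code from any of the posters or from Malwarebytes, here is a small Python parser for that 1.5x log format. It reports how many items were detected versus actually remediated, singles out entries that tamper with security infrastructure (signatures starting with PUM. or Hijack.), and lists every program other than userinit.exe found in the Userinit value. The sample logs are constructed from the lines quoted in the thread and trimmed; the canonical Userinit path is an assumption for a 32-bit Windows 7 install.

```python
"""Parse Malwarebytes' Anti-Malware 1.5x text logs and check what they really say.

Added example for this thread; the two sample logs are constructed from the
detection lines posted in the thread and trimmed to what the parser needs.
"""
import re
from dataclasses import dataclass

# Header of a detailed section, e.g. "Files Infected:". The summary lines above it
# carry a count ("Files Infected: 3") and deliberately do not match.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection line: "<object> (<signature>) -> [<details> -> ]<action>"
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<signature>[^()]+)\) -> (?P<rest>.+)$")
# Detail carried by "Registry Data Items": the value MBAM saw and the value it expects.
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\)$")

# Assumption: the only program that belongs in the Winlogon Userinit value on 32-bit Windows 7.
CANONICAL_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed from the Oct 18 log: everything was found, nothing was removed.
SAMPLE_LOG_UNREMEDIATED = r"""Malwarebytes' Anti-Malware 1.51.0.1200
Scan type: Full scan (C:\|E:\|)
Registry Keys Infected: 2
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\DC3_FEXEC (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe (Backdoor.Bot) -> Value: Scvhost.exe -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> No action taken.
"""

# Constructed from the Oct 19 log: one item, the Userinit hijack, quarantined.
SAMPLE_LOG_REMEDIATED = r"""Malwarebytes' Anti-Malware 1.51.2.1300
Registry Data Items Infected: 1

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\Scvhost.exe,C:\Windows\system32\Scvhost.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


@dataclass
class Detection:
    section: str
    path: str
    signature: str
    details: str
    action: str

    @property
    def remediated(self) -> bool:
        # MBAM writes "No action taken." when the items were not ticked before Remove.
        return "no action taken" not in self.action.lower()


def parse_mbam_log(text: str) -> list:
    """Return one Detection per line in the detailed sections of the log."""
    found = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group("section")
            continue
        if section is None or not line or line.startswith("("):
            continue  # preamble, blank line, or "(No malicious items detected)"
        entry = ENTRY_RE.match(line)
        if entry is None:
            continue
        parts = entry.group("rest").rsplit(" -> ", 1)
        details, action = (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])
        found.append(Detection(section, entry.group("path"), entry.group("signature"), details, action))
    return found


def unremediated(detections):
    return [d for d in detections if not d.remediated]


def tamper_indicators(detections):
    """Entries that disable or hook security infrastructure rather than just drop files."""
    return [d for d in detections if d.signature.startswith(("PUM.", "Hijack."))]


def userinit_extras(detections):
    """Programs other than userinit.exe in the Userinit value; each one runs at every logon."""
    extras = []
    for d in detections:
        if d.signature.lower() != "hijack.userinit":
            continue
        m = BAD_GOOD_RE.match(d.details)
        if m is None:
            continue
        for item in m.group("bad").split(","):
            item = item.strip()
            if item and item.lower() != CANONICAL_USERINIT and item not in extras:
                extras.append(item)
    return extras


def summarize(text: str) -> dict:
    d = parse_mbam_log(text)
    return {
        "detected": len(d),
        "not_removed": len(unremediated(d)),
        "tamper_indicators": [x.signature for x in tamper_indicators(d)],
        "userinit_extras": userinit_extras(d),
    }


if __name__ == "__main__":
    for name, log in (("Oct 18", SAMPLE_LOG_UNREMEDIATED), ("Oct 19", SAMPLE_LOG_REMEDIATED)):
        print(name, summarize(log))
```

Run it as a script, or pass the text of a real mbam-log-*.txt to summarize(). A non-zero not_removed count means the scan only reported and the items still need to be ticked and removed; any entry in userinit_extras is a logon-time persistence point that a second program (here a look-alike of svchost.exe) was using, which is why it survived the earlier scans in this thread.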
Hello Again,

First to sundar7701:

I scanned with MBAM again and got no viruses.

I first tried the eset online scanner, but I had no internet access which was needed to install the program.

I used the tdsskiller and a threat was detected.
It was called Rootkit.Win32.ZAccess.g and I "cured"? it. (Log at end)

Then, after I restarted it...MY INTERNET CONNECTION WORKED

So, I used the ESET online scanner from before, and scanned my computer. Still scanning, but it found like 6 threats in Win32/Registry Booster Application and one in a variant of Java/Agent.DU trojan.

I also updated MBAM and am going to scan it again with the updated version.

Log too big, so I did the speedy share thing: http://www.speedyshare.com/files/30830039/TDSSKiller.2.6.11.0_19.10.2011_15.48.10_log.txt

To Ambucias:
After all this is done, I will scan with the other program

Thank you you guys so much

(By the way, how are there soooooo many viruses on my computer!!!)
0