Major Virus ProblemsSolved/Closed

Question

Hello, 
I have just encountered a virus that is causing me major problems. First i should tell you that i am using a Dell Inspiron 1545 updated from windows vista to 7(32 bit). I am pretty good with computers as long as i understand what I'm supposed to do. So, when i was scanning for a virus on my computer with Microsoft security essentials, i found a trojan virus (history deleted don't remember name) and deleted it, just for it to reappear again, with the same name after a suggested restart from the antivirus program. Then, i was suggested to restart again, but it came under a different name. After some searching, i tried different antivirus programs but no change...(they would all stop working when i hit scan?) Then, the next day, i got the same message, but with the virus under the name virus Backdoor: Win 32/Smadow.gen!B. I tried to restart the computer but i got a black screen with a error like "checking file on system. c the type of file is ntfs error"and then when it started, it got an error immediately. Then, my internet had several problems when i tried to connect to my wireless network. The troubleshoot gave me two error involving invalid ip and network proxy. Fro some reason now, mse is not giving me a virus, and when i looked in the virus folder, and under recent changes, it showed me a weird account which i could not delete, even when i was administrator. I have no idea where to start to fix my computer. Please respond as soon as you can, and if you need further detail, please ask. I know i did not go into all the details I could, because i did not know where the problem was.

Thank you so much for your time

Ambucias · Answer

Greetings,

It looks like you have a worm type of virus.

To help you, I must make a diagnostic and to do so, I require a log. 

1. Boot your machine in safemode with networking

2. Open this link and download ZHPDiag2 : 

https://www.zebulon.fr/telechargements/securite/systeme/zhpdiag.html 

(This is a new version on the tool, so the site may be temporarely in French) 

Save the file on your Desktop. 

Double click on ZHPDiag.exe and follow the instructions. 

the tool created two icons ZHPDiag and ZHPFix (we will use ZHPFix at the next step). 

Double click on the short cut ZHPDiag on your Destktop. (If necessary click on the Hardhat icon to change the language to English) 

Click on the Magnifying glass and run the analysys. 

Wait for the tool to finished (maybe a long time) 

Close ZHPDiag. 


To transmit the report, click on this link : 

https://authentification.site 

Click on Parcourir and search the directory where you installed ZHPDiag (usually C:\Program Files\ZHPDiag). 

Select the file ZHPDiag.txt. 

Click on "upload » 

Copy the url and post it here

Catch you and the worm later

mihneabulu · Answer

Thank you so much for  the help. I downloaded and ran the application, and it gave me an error about my network connection not working. Also, another icon appeared named MBRCheck on the desktop. Then, when I clicked the first of the two icons, it told me a similar error. So, there is one problem, I could not go the the URL, but I saved the text document on a flash drive and sent it from another computer.
Here it is:
http://www.speedyshare.com/files/30800473/ZHPDiag.txt

When you are done, here is the delete password:
gokidovamebe

Anyways, thanks for the help!

Ambucias · Answer

Hello again,

The MRB icon is normal.

He is what I see:

1. You Microsoft Security Center has been overridden

2. Your Microsoft Firewall has benn overridden

3. There is an adware (PUP infection) Meta Stream in Viewpoint Media Player, SigmaTel Audio Service (STacSV.exe)

4. Suspicious because I don't know what it is: C:\Windows\system32\userinit.exe,C:\Windows\system32\Scvhost.exe,C:\Windows\system32\Scvhost.exe

(Your Java, I Tune and Quick Time applications need to be updated. There is not infection related)

5. Skype has a virus : Malware.Bot

6. There is a rogue trojan horse named: STacSV in system tools 2011.

7. The toolbar S&D My Websearch is a BT infection.

The source of most all of the infections were the downloads you did with Azureus.

You have far too many antivirus applications which conflicted with one another.  Just one is sufficient and you must delete them and keep just one. Clam is not the best.

Not to make this message too long, I will end here and return shortly with the clean-up solution.

Ambucias · Answer

I'm Back (not Mozart:-)

There are hundreds of infected items in your system and registry so we will not use ZHp Fix as we would be working on it for a week.

Remember that after we clean your system, you must delete all of the antivirus applications you have and keep only one.  You also must ensure, after the clean-up to reactivate your firewall.

You may wish to print the following

1. Go here and download SDFix to your desktop

https://proposedsolution.com/downloads/download-sdfix-exe/

2. To outwit the rogue which may prevent running, rename SDfix to Kioskea.exe.

3. Install SDfix to its default location c:\

4. Reboot your system in safemode (That is a must)

5. Once booted, click on start and run type:

C:SDFixRunThis.bat  and click ok  You will get a black window. 

6. Press Y and enter

The process may take 30 minutes, be patient

SDFix will restart your machine and at the end you will get a log which you can co? and paste here.

Good luck

mihneabulu · Answer

Ambucias,
Again thanks for the help.

I just had a problem:

When I try running the program like it says in the text document that tells the instructions, but when i did this it opens a blue screen, but closes immediately. This also happened with the two other anti-virus programs that I tried.
I ran the whole thing in just safe mode (no networking) and did everything just as you had said. Is there something I missed, or is the virus acting up to stop it from running.

And  my question from before,

I did very few downloads with Azureus a long time ago. Then I "supposivly" uninstalled it. Why does it still appear and how can I delete it?

Sorry about the antivirus question, I now understand the reason.

Ambucias · Answer

Hello Minhea,

I don't know if you missed something, you said that you did everything as I said.

 Obviously Azureus is still there, I saw it.  How to remove comes after this clean-up.

I would like you to remove all expect one of the antivirus applications you have and keep the one you purchased.  You must completely delete Malwarebyte as it may be corrupted and we will need a fresh copy.

Follow the instructions below:

Please follow the following procedure carefully and to the letter. 

You have a rogue virus Trojan Horse which is self protective, thus it will prevent any antivirus from fonctionning. 

You must kill the evil processes which the virus is presently running amd preventing you from running any antivirus. If you don't it will keep reproducing the files for ever. 

To kill the processes: 

1. Download to your desktop and run Rogue Kill: 

https://download.bleepingcomputer.com/grinler/rkill.com 

2. You should now see a window that shows all of your desktop icons, including the rkill.com program. 

3. Double-click on the rkill.com in order to automatically attempt to stop any processes associated with the Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. 

If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by the Horse when it terminates programs that may potentially remove it. If you run into these infections warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate the processes . So, please try running Rkill until malware is no longer running. 

As a matter of a fact, if you get messages, it is a sign that the virus is agonizing with excrutiating pain, so you can just grin while it is suffering!:)))

Please, DO NOT REBOOT your computer or the processes will come back to haunt you! 

Download to your desktop Malwarebyte. 

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/ 

Once on your desktop, we must still outwit the virus. 

Right click on the MBAM icon and click on rename. Rename it kioskea.exe. 

Install Malwarebyte and launch it. From the second tab, update it. 

Pretty please, request a FULL system scan which should take more than hour. Once the scan is finish, delete all of item that were found. 

I'm signing out now but I will be looking for your feedback in 10 hours from now.

Good luck

mihneabulu · Answer

Hello,

I have just finished scanning, and everything worked great, just as you said. Just one thing, just as I had said before, I cannot connect to the internet, and update it. I found about ten viruses, Everything worked, but my computer still seems to be very slow and glitchy. My network connection still is connecting to the wireless network, but has errors with the internet. Also, it takes a very long time to log on, restart and do mostly anything while in windows. 

Here is the report:
Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6705

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

10/18/2011 9:08:35 PM
mbam-log-2011-10-18 (21-08-30).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 312794
Time elapsed: 36 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{D518921A-4A03-425E-9873-B9A71756821E} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\Software\DC3_FEXEC (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Scvhost.exe (Backdoor.Bot) -> Value: Scvhost.exe -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\couponalert_2pei\Installr\1.bin\2pEZSETP.dll (PUP.FunWebProducts) -> No action taken.
c:\program files\windows live\messenger\msimg32.dll (PUP.FunWebProducts) -> No action taken.
c:\program files\windows live\messenger\riched20.dll (PUP.FunWebProducts) -> No action taken.

Anonymous User · Answer

You did not scan mbam properly

After mbam scan finishes,check mark all the infections and remove it,paste the clean log 


Run this eset online scanner

https://www.eset.com/?country=FR&path=/us/online-scanner

Now run this tdsskiller,let us know if it finds hidden files

https://support.kaspersky.com/downloads/utils/tdsskiller.exe

Post the logs ,ambucias will analyze the logs soon

Ambucias · Answer

Now it's time to run SDFix in safe mode

Good luck

mihneabulu · Answer

Hello Again,

First to sundar7701:

I scanned with MBAM again and got no viruses.

I first tried the eset online scanner, but I had no internet access which was needed to install the program.

I used the tdsskiller and a threat was detected.
It was called: Rootkit.Win32.ZAccess.g and I "cured"? it. (Log at end)

Then, after I restarted it...MY INTERNET CONNECTION WORKED

So, I used the est online scanner from before, and scanned my computer. Still scanning, but found like 6 threats in Win32/Registry Booster Aplication and one in a variant of java/Agent.DU trojan. 

I also updated MBAM and going to scan it again with the updated version
 
Log too big, so I did the speedy share thing: http://www.speedyshare.com/files/30830039/TDSSKiller.2.6.11.0_19.10.2011_15.48.10_log.txt

To Ambucias:
After all this is done, I will scan with the other program

Thank you you guys so much
(by the way, how are there soooooo many viruses on my computer!!!)

Ambucias · Answer

mihneabulu,

I'm happy that the TDSSSkiller worked.  There is no need for you to run SDFix as it would do almost the same or almost the same job as TDssskiller.

If you clear and delete the previous ZHP Diag from your machine, I will glad to analyse a new one to ensure that every thing is honky dory.  If you do not delete the previous log, you may post it again.

I will let Sundar answer about about so many viruses on a computer. 

My question to you is which antivirus application do you have now?

Best regards to you and Sundar

mihneabulu · Answer

I'm Back, (Again:)

I think the last MBAM scan did the trick. I got one virus, but my computer is running great! No more errors! YAY!

Her is the log file:
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7985

Windows 6.1.7601 Service Pack 1
Internet Explorer 9.0.8112.16421

10/19/2011 10:56:12 PM
mbam-log-2011-10-19 (22-56-12).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 329070
Time elapsed: 2 hour(s), 46 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\Windows\system32\userinit.exe,C:\Windows\system32\Scvhost.exe,C:\Windows\system32\Scvhost.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Ambucias · Answer

@Sundar

Please stand-by!

@mihneabulu

There are still some malware which has overridden your MS Security.

We will do some manual deletion:

Go into safe mode to overide and evil processes.

For this part, you must ensure that you copy and paste the very exact same thing.  Always check twice.

1. Click start and then run, type regedit and okay

2. Press ctrl+f to open the search window.

3. Type metastream

press ok to begin the search, once an item is found, please ensure that it contains the exact same words as you typed.  

Everytime an item is found, press del and confirm your choice.

Press F3 to continue the search and delete the items found until no more are found.

4. Once completed, click on edit and again on search

Type metastream and okay

Repeat the procedure above until no items are found.

5. Right click on start and open Explorer.

Delete the following files:

C:\Program Files\Viewpoint\Common\ViewpointService.exe    

C:\Program Files\Viewpoint    

C:\ProgramData\Viewpoint    

6. Go to your control panel add-remove program and ensure that Viewpoint Media Player is removed.

7. Reboot and again go to your control panel, Ms security centre and ensure your firewall is activated.

Please do let me know

Anonymous User · Answer

For windows defender issue try this

Open regedit and navigate to

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender

On the right pane,you will have 

disable antispyware value ,just delete it

Restart the PC

I asked you for mbam log because i wanted to check your userinit value
but i noticed that it looks clean in your zhpdiag log. 

For other issues,ambucias will guide you through before proceeding with uninstalling softwares

Ambucias · Answer

Gentlemen please!  There are too many cooks in the sauce!  Lets solve one thing at a time.

@mihneabulu

I told you that Windows Defender was overridden and that's what we are trying to repare.

I believe that I gave you the link to download and install AVG and I don't know where you got the idea that it is for 64 bit.  The link number is 64.

https://ccm.net/downloads/security-and-maintenance/6953-avg-antivirus-free-for-pc/

You deleted MSE?  Why?

1. On you desktop, you have a short cut ZHP Fix, double click on it.

Copy and paste the following:

HKLM\SOFTWARE\Microsoft\Security Center] AntiVirusOverride: Modified 

 HKLM] [@viewpoint.com/VMP] - (.Unknown owner - MetaStream 3 Plugin r4.) -- C:\Program Files\Viewpoint\Viewpoint Media Player
pViewpoint.dll 
HKLM] -- ViewpointMediaPlayer    
HKLM\Software\MetaStream
HKLM\Software\Viewpoint
HKLM\Software\MozillaPlugins\@viewpoint.com/VMP
HKLM\Software\Classes\axmetastream.metastreamctl
HKLM\Software\Classes\axmetastream.metastreamctl.1
HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary
HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary.1
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlaye

2.Click on H

3. Please send me a report

4. We will deal with the other issues later.  We will get the virus out first.

See you in the morning

Ambucias · Answer

mihneabulu

I said that MSE was overridden which mean that the Malware disabled it to be able to get into your system without being blocked.

Leave it uninstalled for now and please ask before taking any other initiatives.

Before we get your system a fresh new start on life, I would like to make sure that there are no traces of Metastream, Viewpoint and Azureus left.  We will then be able to install AVG.  You can delete AVG from your desktop for now.

1. Download and install CCleaner and use it to clean:

a) all of your temporary files (first icon in the left column)

b) Click on the tools box and then on the applications tab, if you see any of the following: Viewpoint, MetaSteam, Azureus, Malwarebyte, Superantispyware, remove them using that tool. (if you see any other unusual application, let me know)

2. Download, install and run this totally free yet very efficient registry cleaner :

https://www.eusing.com/free_registry_cleaner/registry_cleaner.htm

Click on scan and leave it run

In your case, you may get from 30 to 1,000 registry errors

Once the scan is finished, click on repair.  Eusing free will delete the errors but make a back-up in case of need.

3. Delete any previous ZHP Diag report you have and generate a new one for me on Speedyshare.

See you later alligator

Ambucias · Answer

mihneabulu,

You have sent me the very same log as before showing the same infections.  You had to clear all previous reports stored by ZHP Diag.

If you must completely uninstall ZHP Diag and reinstall it again.

Anonymous User · Answer

mihneabulu 

http://download.microsoft.com/download/8/3/D/83DA9B2F-3246-4C1E-996B-1381F667247D/MicrosoftEasyFix50202.msi

Download and run this

There are two modes

Default and aggressive

Use default one first.If that doesnt work try aggressive one.

Let us know how it works

Ambucias · Answer

We still have some adware traces:

Please lauch ZHP Fix and paste the following:

 [HKLM\Software\MozillaPlugins\@viewpoint.com/VMP] 
 [HKLM\Software\Viewpoint]    
C:\Program Files\Viewpoint    

Click on GO

Uninstall the following applications:

ESET Online Scanner
SUPERAntiSpyware.com®SUPERAntiSpyware
Alch®ClamWin Antivirus
ClamWin®AntiVirus

Ambucias · Answer

mihneabulu,

Thank you for the ZHP Fix log.

Looks okay now and your Windows update should work by going to all programmes and then to Windows update. (ZHP Diag did not show that it needed updating,  however, all of your software which is Apple related can use an update.)

I would appreciate your communication in the instructions I have sent to you.

1. Did you ensure that your Windows Firewall is activated ?

2. Did you delete the antiviruses applications I mentioned before?

If you did everything that I recommended and that 

a) you system is running smoothly, 
b) that your firewall is on

I consider that my virus job is done

Best regards

Major Virus Problems

33 responses

Similar discussions

Subscribe To Our Newsletter!