Major Virus Problems

Solved/Closed
mihneabulu - Oct 17, 2011 at 03:13 PM
Ambucias Posts 47310 Registration date Monday February 1, 2010 Status Moderator Last seen February 15, 2023 - Oct 23, 2011 at 10:24 AM
Hello,
I have just encountered a virus that is causing me major problems. First I should tell you that I am using a Dell Inspiron 1545 updated from Windows Vista to 7 (32-bit). I am pretty good with computers as long as I understand what I'm supposed to do. So, when I was scanning for a virus on my computer with Microsoft Security Essentials, I found a trojan virus (history deleted, don't remember the name) and deleted it, just for it to reappear again, with the same name, after a suggested restart from the antivirus program. Then I was suggested to restart again, but it came back under a different name. After some searching, I tried different antivirus programs but no change... (they would all stop working when I hit scan?) Then, the next day, I got the same message, but with the virus under the name Backdoor:Win32/Smadow.gen!B. I tried to restart the computer but I got a black screen with an error like "checking file on system. c the type of file is ntfs error" and then when it started, it got an error immediately. Then my internet had several problems when I tried to connect to my wireless network. The troubleshooter gave me two errors involving an invalid IP and a network proxy. For some reason now MSE is not giving me a virus, and when I looked in the virus folder, under recent changes, it showed me a weird account which I could not delete, even when I was administrator. I have no idea where to start to fix my computer. Please respond as soon as you can, and if you need further detail, please ask. I know I did not go into all the details I could, because I did not know where the problem was.

Thank you so much for your time

33 responses

Thanks for all your help!!
I have Microsoft Security Essential, but I see that it is not the best. Which one do you recommend I use? I really don't know which one would do the job best.

Here is the new ZHP Diag document:
http://www.speedyshare.com/files/30832258/ZHPDiag.txt

Here is the ESET Log:
http://www.speedyshare.com/files/30832259/ESET_Log.txt

How should I delete azureus? Is there anymore useless junk I have on my computer that could "disappear."

And is it safe now to run my computer in normal mode, and how should I proceed in fixing things to normal?
0
Sorry for the delay but I also do not have permission to open windows defender even if I am signed in as admin. It gives me error code 0x800704
0
Anonymous User
Oct 20, 2011 at 12:04 AM
@mihneabulu


Let us finish the virus issue first.

There are still infections to clean.
Userinit infection is still persisting; you did not post the TDSSKiller clean log. I want you to try rebooting once or twice and run TDSSKiller.

DO NOT SKIP HIDDEN FILES (TDSSKiller may automatically skip hidden files; you need to manually click on the delete option).

Post the clean log of TDSSKiller.

There will be traces of the ZeroAccess rootkit, which requires other troubleshooting.

Ambucias will help you soon
0
Ambucias (Moderator)
Oct 20, 2011 at 04:20 AM
I shall prescribe to you a very powerful antidote that is able to kill and send any virus to the glue factory. It is of very last resort and should not be abused; as a matter of fact, once you have used it, I suggest you delete it from your system.

To keep your system safe, you must follow the instructions hereunder to the letter:

First step: boot your system in safe mode with networking.

1. Download Combofix to your desktop.

http://www.combofix.org/download.php

2. Close all open windows, including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

3. Double click on the ComboFix icon.

Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue.

4. Accept the disclaimer and the recovery

5. You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer.

ComboFix will disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings.

If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt.

During the process, please do not click the mouse or tap on the keyboard. Let the tool run.

Once you are done, report to me on how your system is behaving.

Good luck

Ambucias
0
Hello,

I finished scanning and when it restarted I got the document. I closed it for a while and when I opened it up again, I got the error below. Then when I tried opening any other program I got the same message, and a message about deleting it because it was not found.

"The location of it"
Illegal operation attempted on a registry key that has been marked for deletion.

So, I cannot give you the log from ComboFix, but it did find something like 6 or 7 viruses. What's next :)
0
I can only open them as an admin, but it doesn't let me on the txt document.
0

Ambucias (Moderator)
Oct 20, 2011 at 03:54 PM
I would like to know how your system is behaving and also another ZHP Diag log.
0
Ambucias,

My system is performing well, no more disk checking error or any start-up errors. Still can't turn on Windows Defender, and the error about the registry objects remains. Here is the ZHP Diag log:

http://www.speedyshare.com/files/30847136/ZHPDiag.txt
0
Anonymous User
Oct 21, 2011 at 12:00 AM
@mihneabulu

Illegal operation attempted on a registry key that has been marked for deletion.

This is a common error which comes after running ComboFix. I would recommend you to boot twice or thrice to see if the issue disappears. If the error remains, try this:

Boot into safe mode.

Go to Run and type:

sfc /scannow

Let the scan run and reboot into normal mode. If you face this problem while running the command, create a new account and run it from there.


If that solves the problem, please attach your MBAM log and CF log in your next post.
0
I can feel I'm almost there.... But a couple of problems:

To sundar:
I did as you said and the error is gone. Still can't open Windows Defender because "This program is blocked by a group policy."

Here is the combofix log:
http://www.speedyshare.com/files/30858156/ComboFix.txt

Deleted MBAM, so what log should I upload?

To Ambucias:
I did the first part you told me with regedit and MetaStream, but only found one file and deleted it. Maybe I did something wrong? I also already deleted MSE as soon as my computer was running well enough, and all the other antivirus that I used, including Clam. Now I have no antivirus. Should I install AVG? And is it for 64-bit, because I have 32?

And to both of you, how should I delete those weird programs like Azureus, SuperAntiSpyware and ESET Online Scanner that you guys keep telling me about?
THANK YOU GUYS SOOO MUCH!!!
0
@Ambucias

I deleted MSE because you said it had a problem, I can reinstall it if it would help. Sorry;)

The AVG thingy would just open up a black window and close very quickly. Was that supposed to happen? Should I search it and download it from another site?

The ZHP Fix worked, I think. Here is the log:

Rapport de ZHPFix 1.12.3365 par Nicolas Coolman, Update du 18/10/2011
Fichier d'export Registre :
Run by MIHNEA at 10/21/2011 6:48:36 PM
Windows 7 Home Premium Edition, 32-bit Service Pack 1 (Build 7601)
Web site : http://www.premiumorange.com/zeb-help-process/zhpfix.html

========== Registry Data Items ==========
REPLACED Value AntiVirusOverride : Good (0) - Bad (1)

========== Other ==========
NOT SUPPORTED [HKLM] [@viewpoint.com/VMP] - (.Unknown owner - MetaStream 3 Plugin r4.) -- C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
NOT SUPPORTED [HKLM] -- ViewpointMediaPlayer
NOT SUPPORTED [HKLM\Software\MetaStream
NOT SUPPORTED [HKLM\Software\Viewpoint
NOT SUPPORTED [HKLM\Software\MozillaPlugins\@viewpoint.com/VMP
NOT SUPPORTED [HKLM\Software\Classes\axmetastream.metastreamctl
NOT SUPPORTED [HKLM\Software\Classes\axmetastream.metastreamctl.1
NOT SUPPORTED [HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary
NOT SUPPORTED [HKLM\Software\Classes\AxMetaStream.MetaStreamCtlSecondary.1
NOT SUPPORTED [HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ViewpointMediaPlaye


========== Summary ==========
1 : Registry Data Items
10 : Other


End of clean in 00mn AMs

========== Report File ==========
C:\ZHP\ZHPFix[R1].txt - 10/21/2011 5:47:19 PM [1328]
C:\ZHP\ZHPFix[R2].txt - 10/21/2011 6:48:36 PM [1328]
0
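The two repairs discussed in this thread, the Userinit logon value that Sundar says is still infected and the Security Center AntiVirusOverride value that the ZHPFix report above shows being reset from 1 to 0, are both plain registry settings that can be audited before and after a clean-up. The PowerShell script below is an added example written for this page; it is not output from ZHPFix, TDSSKiller or ComboFix, and none of the helpers in the thread work this way. It is read-only: it compares a handful of registry values against what a default Windows 7 install carries and prints only the deviations. The expected Userinit value, the Security Center and Windows Defender policy paths, and the Explorer DisallowRun check (one common cause of a "blocked by group policy" message on a home PC) are assumptions stated in the comments; `Get-RegValue` is a helper defined here, not a built-in cmdlet.

```powershell
# Added example: audit the registry settings named in this thread.
# Read-only; it changes nothing. Expected values are assumptions based on
# a default Windows 7 install. Run from an elevated PowerShell prompt.

function Get-RegValue {
    # Returns a registry value, or $null if the key or value is absent.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()

# 1. Winlogon Userinit. Logon hijackers replace or append to this value;
#    the default is a single entry ending in a comma (assumption).
$userinit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'Userinit'
$expectedUserinit = "$env:windir\system32\userinit.exe,"
if ($userinit -ne $expectedUserinit) {
    $findings += "Userinit is '$userinit' (expected '$expectedUserinit')"
}

# 2. Security Center override flags. A value of 1 suppresses the
#    "no antivirus / no firewall" warning; ZHPFix reset AntiVirusOverride to 0.
$scPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($name in 'AntiVirusOverride', 'FirewallOverride') {
    if ((Get-RegValue $scPath $name) -eq 1) {
        $findings += "$name is 1 (Security Center warning suppressed)"
    }
}

# 3. Windows Defender disabled through policy.
$wdPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if ((Get-RegValue $wdPath 'DisableAntiSpyware') -eq 1) {
    $findings += 'DisableAntiSpyware policy is set (Defender disabled by policy)'
}

# 4. Explorer DisallowRun lists: a home PC normally has none (assumption).
foreach ($hive in 'HKLM', 'HKCU') {
    $drPath = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun"
    if (Test-Path $drPath) {
        $props = Get-ItemProperty -Path $drPath
        $blocked = (Get-Item $drPath).GetValueNames() | ForEach-Object { $props.$_ }
        $findings += "$hive DisallowRun blocks: $($blocked -join ', ')"
    }
}

# 5. Proxy settings, since the original post mentions a network proxy error.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ((Get-RegValue $inet 'ProxyEnable') -eq 1) {
    $findings += "ProxyEnable is 1, ProxyServer = '$(Get-RegValue $inet 'ProxyServer')'"
}

if ($findings.Count -eq 0) {
    'No deviations from the expected values were found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it once before a clean-up and once after: a Userinit value that drifts back to something other than the default after a reboot is the kind of persistence the thread describes, and is worth reporting alongside the tool logs rather than fixing by hand. The string comparison in PowerShell is case-insensitive, so a differently capitalised but otherwise identical Userinit path is not reported.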
@Ambucias

Sorry for my initiative....really didn't mean to make a problem

I am already using CCleaner, so I didn't need to download it. On the uninstall list there was none of those programs, but on the Applications tab of the Cleaner window, an application called Vuze appeared, and I can swear I deleted it a long time ago, but it doesn't appear in my uninstall list. Also, another application (a game) called Civilization IV won't uninstall. I've had this problem for a while and searched it a while ago, but I gave up after at least 3 attempts failed to uninstall it. If you can help, here is what I get when I try to uninstall:

The first thing it tells me is that I should contact my vendor: Firaxis Games.

Here is the link I get sent to, but I would have to do something for you to be able to see it, so I just copied it:

Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".

<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>


Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.

<!-- Web.Config Configuration File -->

<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>

Here is the code on the error message:

Error Code: -5004 : 0x80041f42
Error Information:
*C:\Program Files\Common Files\InstallShield\Professional\RunTime\12\00\Intel32\iKernel.dll
>inc\CoCreate.cpp (44)
>SetupDLL\SetupDLL.cpp (1390)
PAPP:Sid Meier's Civilization 4

And while using Eusing Free Registry Cleaner, I got 2000+ registry errors and repaired them, no problem.

Thanks :) :)
0
Sorry, almost forgot, here is my ZHP Diag report:

http://www.speedyshare.com/files/30868343/ZHPDiag.txt
0
@Ambucias

AVG 2012 is working great. Here is my ZHP Diag, sorry about that, don't know what happened:
http://www.speedyshare.com/files/30875122/ZHPDiag.txt

And I still can't uninstall Civ IV; even with Revo I get the same problem as before.

Thanks
0
Never mind....fixed the problem.

The last problem I can see is that Windows Update keeps giving me error code 80096001 and fails to update. Any last bits of help?
0
@Sundar

I tried the Fix It tool both ways, but no improvement with either. Windows Update still will not update. Any other suggestions?

@Ambucias


I used ZHP Fix and here is the ZHP Fix report:

http://www.speedyshare.com/files/30883524/ZHPFixReport.txt

For some reason, these applications do appear in Revo uninstaller or anywhere when I look on my computer.
0
Thanks for all your help, Ambucias and Sundar. I activated Windows Firewall and deleted the applications, but I don't know why you still see them. You guys made it run better than before the actual virus, which I didn't think was possible. Thank you again so much.
0
Ambucias (Moderator)
Oct 23, 2011 at 10:24 AM
mihneabulu,

You are totally welcome.

If you look at your ZHP Diag log you will see the applications. Mind you, it took me between 30 to 45 minutes to examine and analyse each report you sent me.

Au revoir
0