
Really Annoying Virus Help!!

Tags:
  • Security
  • Virus
  • Computers
  • Windows 7
November 7, 2011 9:12:40 PM

Hello, I have this really annoying virus on my computer that just will not die. Malwarebytes removes it and Search and Destroy doesn't see it. And I've searched everywhere on how to remove this thing, but when I think it's all good, I reboot my computer out of safe mode and go back to normal Win7, but then all of a sudden my CPU is at 100% usage and S&D says something is trying to be entered into my registry. Oh, and the name of the program that keeps being installed is System Security 2012, and just randomly, Firefox will open and make a new tab and take me to Admiral Search or something. This literally came out of nowhere. I'm on my laptop now and re-running Malwarebytes as I speak. Please, please, some help would be amazing.

EDIT: 11/7/11 5:23 P.M. CST Malwarebytes just finished scanning, found one infection, "rogue.system.security"; that's the System Security 2012 virus, but there's something else that Malwarebytes and S&D are not finding, because after I remove this and go back into normal Win7, my CPU usage goes to 100% and something tries to reinstall this crap on my computer. Also, the site that keeps automatically appearing in Firefox is "admiralsearchsystem.com".

EDIT2: 11/7/11 7:56 P.M. CST Ok, so I have a new issue... My computer is fine... sorta. I just reinstalled Firefox. I don't have any rogue programs popping up anymore, but now I can't go on certain websites like Google, Yahoo, Bing, Facebook. But I can go on Engadget and ESPN just fine. When I go to a site I just mentioned, like Yahoo, a page pops up that says your computer may be infected, download Security Protection 2012, blah blah; it's obviously fake, and using Firefox's Google search, it redirects everything I search. HijackThis is showing a lot of things, but I don't know what's bad and what's not.

Thanks in advance

P.S. I have a high understanding of computers, so any solutions would gracefully be accepted.


November 7, 2011 9:26:22 PM

I was in the same boat as you with my gf's netbook. And just like you, I had a fair understanding of computers. The only thing I could do was temporary and it would always come back. What I did was create a new user. Log into it, run all the scans that would find it and reboot/scan from start-up. Malwarebytes/Spybot/Avast, all from boot, and they all found dozens of infected files. I deleted the old user account and re-ran it all again. Went on Google and found examples of the registry keys it infected and deleted them. I went to msconfig to make sure nothing booted on startup. Since it was a netbook I could not do a clean install of XP. In the end, after months of dealing with that stupid virus, she bought a new laptop and the netbook is in the garbage.

Try some of the stuff I said, since the new user might work for you; it sorta did for her and she had XP. Windows 7 might be better at getting rid of it.
November 7, 2011 9:30:01 PM

There has to be another way to kill it, or some way to find out what is trying to reinstall every time I boot into normal Win 7 from safe mode. I have 1.2 TB of files and a lot of work and HW that's due, plus this is my only day off work to spend time on this...
November 7, 2011 9:32:51 PM

Try creating a new user and running the scans; you don't have to delete the old one. It usually gave my gf 2-3 days before it managed to come back. And you'll see that when you do that method it comes back with a different name. From my research it's pretty old, so I don't know why Microsoft hasn't patched the hole it uses.
November 7, 2011 9:35:54 PM

I'm not sure what antivirus you're using, but I put Avast on hers and after starting a new user it would usually find 8-10 infected files. Microsoft Security Essentials didn't even know there was a virus.
November 7, 2011 9:40:37 PM

The System Security thing... did you try Start/Run, type msconfig in the box and then hit Enter... look under Startup and Services to see if there is anything there... deselect (remove the check mark) if there is.

Did you try disabling Windows Restore before trying to remove it?

Google CWShredder and see if it finds anything.

Anything in Add/Remove from the Control Panel?

Did you try Trend Micro HouseCall?... Google it and run it.
November 7, 2011 9:48:02 PM

You can also try HijackThis. Run it and see what's running and kill what you don't like.
November 7, 2011 10:25:07 PM

Alright, so I just found 2K files that I did not trust, including two .exe files that were hidden in the Roaming folder under AppData, and just deleted all of that. I removed the rogue software virus and am now doing a full Malwarebytes scan; I'm 32 min in, over 12K files scanned and 0 infections. Although that damn auto new tab thing just happened and took Firefox randomly to that Admiral site again. I am doing all of this in Win7 safe mode. There has to be some sort of bug or program that is auto-installing this crap once my computer restarts. I used S&D to immunize files and fix registry errors. I'm debating whether to use ComboFix or not. I also just completely cleared Firefox cache and cookies and browser history. I'm out of ideas here. What is HijackThis?
November 7, 2011 10:43:22 PM

You can mess with this thing for a week and never get it fixed. If you have a spare computer, copy your files to it and reformat this one. I had similar crap on my daughter's computer but didn't want to waste 10 days mucking with it. I booted in safe mode, slapped on an external, grabbed her data including school work and reinstalled. Only took a couple of hours and I had a system I knew was clean. I think my son-in-law's dad was looking at porn on it while he was visiting, lol. At least that's what my daughter claimed; I said... right...
November 7, 2011 10:50:14 PM

Take that infected computer and run a format on it.

You will lose everything on that computer, including that virus.

Before you do, take a look at ippages dot com and enter that virus address it was seeking. You should get an IP group with subnet.

Write that down and enter a special firewall rule to block it coming and going when you rebuild the computer...

On a fresh, virgin hard drive.
November 7, 2011 10:50:17 PM

Ok, so since I thought it was a little weird that MWB only found 1 infection in the quick scan and 0 in the full, I decided to uninstall and reinstall MWB to its latest version, so I'm doing the quick scan now and it found over 1646 infections and climbing as I'm typing...

EDIT: 2997 infections... and climbing
November 7, 2011 10:51:30 PM

Final count: 3334 infections...
November 7, 2011 10:53:56 PM

lol, that's a lot of infections!!
I use Kaspersky; Barclays in the UK give it free if you have internet banking with them :D but there's a free trial of 30 days, that should get rid of it. Kaspersky is rated one of the best antiviruses around :)
November 7, 2011 10:54:15 PM

At this point it sounds like a clean install of Windows might be your best bet.
November 7, 2011 10:56:20 PM

Uninstall Firefox, reboot, and reinstall it.
November 7, 2011 10:57:20 PM

Ok, so I'm deleting the infections now and rebooting; the majority of the infections were in the registry... thank you, MWB. Hopefully this should fix it, but I'm gonna run other scanners just in case, but I've never seen 3334 infections on one computer in my life. Lol, no porn involved, I promise @gokanis
November 7, 2011 11:14:12 PM

I think I'm good now. S&D keeps spamming a pop-up message asking allow or deny change "value: Delete" or something. I'm running MWB again. I think the virus screwed with my copy of Windows, 'cause it thinks it's not genuine, but everything looks and is running normally.
November 7, 2011 11:56:16 PM

Ok, so I have a new issue... My computer is fine... sorta. I just reinstalled Firefox. I don't have any rogue programs popping up anymore, but now I can't go on certain websites like Google, Yahoo, Bing, Facebook. But I can go on Engadget and ESPN just fine. When I go to a site I just mentioned, like Yahoo, a page pops up that says your computer may be infected, download Security Protection 2012, blah blah; it's obviously fake, and using Firefox's Google search, it redirects everything I search. HijackThis is showing a lot of things, but I don't know what's bad and what's not.
November 8, 2011 12:05:04 AM

We used to scan the old college computer desktops from classrooms in our IT courses.

Thousands and thousands of adware, spyware, keys and bunches of stuff from all manner of sources resided in these machines, in addition to open pathways for complete and utter identity theft if one should choose.

Eventually we hacked each other in the isolated lab behind a proxy (to protect the rest of the university).

What really got me was the one demonstration from the teacher in the server room that handled our traffic. Nothing is hidden. No matter how much you clean, delete or otherwise try to cover your tracks. The only thing that was hidden was the occasional tunnel traffic from someone who does not need a degree in this stuff anyway.
November 8, 2011 12:06:51 AM

x Heavy said:
We used to scan the old college computer desktops from classrooms in our IT courses.

Thousands and thousands of adware, spyware, keys and bunches of stuff from all manner of sources resided in these machines, in addition to open pathways for complete and utter identity theft if one should choose.

Eventually we hacked each other in the isolated lab behind a proxy (to protect the rest of the university).

What really got me was the one demonstration from the teacher in the server room that handled our traffic. Nothing is hidden. No matter how much you clean, delete or otherwise try to cover your tracks. The only thing that was hidden was the occasional tunnel traffic from someone who does not need a degree in this stuff anyway.

So do you have a solution to my problem?
November 8, 2011 12:19:34 AM

The only solution that will fix everything is a clean install of Windows, as I stated above. It sucks, I know, but back up everything and just do it. It will save you hours of frustration.

Make sure you actually run some protection on the new install. I use Avira and Malwarebytes (I run Malwarebytes once a month but it never finds anything; Avira is good).
November 8, 2011 12:55:39 AM

It sounds like you've done a pretty good job at attacking this problem so far. When you scan in 'safe mode,' I assume you mean safe mode with networking? If not, then your virus scanner databases are not updating. That will render your scans almost pointless.

I'm not sure why you are hesitating on using ComboFix. I use it regularly, and have never had an issue with it.

Here's a step by step guide on how I attack these things.
http://www.tomshardware.com/forum/248626-45-simple-free...
November 8, 2011 1:14:42 AM

C:\Windows\System32\drivers\etc\hosts

Move that file (and its similar-looking backup file) somewhere else.

Let Windows regenerate a new hosts file again.

Run S&D as admin and reapply immunisation.

See if that gets rid of the redirection problem.
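A defender-side check for the hosts-file redirect discussed in the post above, added here as an example and not code from the thread: it parses hosts-file text and flags entries that point the sites this thread names (Google, Yahoo, Bing, Facebook) at an address other than loopback or a blackhole. The sample hosts content, the watch list and the benign-target list are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread): the stock
# Microsoft header plus overrides of the kind that send major sites elsewhere.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1    mylocalapp.test        # harmless developer entry
0.0.0.0      ads.example.net        # blackholed ad host (immunisation style)
203.0.113.5  www.google.com
203.0.113.5  google.com
203.0.113.5  search.yahoo.com
203.0.113.5  www.bing.com
203.0.113.5  www.facebook.com
"""

# Sites the thread reports as redirected; an assumed watch list, extend as needed.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com", "facebook.com")

# Targets that block or localise a name rather than redirect it to a server.
BENIGN_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])    # first field must be an address
        except ValueError:
            continue                            # malformed line, skip it
        for host in fields[1:]:
            entries.append((fields[0], host.lower()))
    return entries


def suspicious_entries(text):
    """Entries that point a watched domain (or a subdomain) at a real address."""
    flagged = []
    for ip, host in parse_hosts(text):
        if ip in BENIGN_TARGETS:
            continue
        if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
            flagged.append((ip, host))
    return flagged


if __name__ == "__main__":
    import sys
    # Pass the real path (C:\Windows\System32\drivers\etc\hosts) to inspect a
    # live file; with no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, host in suspicious_entries(text):
        print(f"suspicious: {host} -> {ip}")
```

Any hit means name resolution for that site is being answered locally instead of by DNS, which is exactly the symptom of the major sites being hijacked while others load normally.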
November 8, 2011 11:27:11 AM

Should I run ComboFix in safe mode (yes, I have been using it with networking)? I tried in regular Windows but it would stop after level 50 or stage 50. Ya, I've killed off most of this problem; the only thing that is left is this redirect crap. It's like a proxy override. It only affects, it looks like, the major sites such as Google, Bing, Facebook, and Yahoo. But when I go to ESPN or Engadget it is ok. But when I type anything through the address bar I see on the bottom it's "asking admirablesearchsystem", then it goes through. Sometimes it does not go through and instead redirects me to some fake antivirus site. Reinstalling Windows would be a last, last, last resort for me if I can just kill this off. I have no time for formatting and reinstalling everything, plus I have a lot of games that I may not be able to reinstall because of the product key being used once.
November 8, 2011 12:42:05 PM

Does it give some kind of error at stage 50?
November 8, 2011 12:52:13 PM

wschamps42 said:
So do you have a solution to my problem?

Already stated in my first post in your problem. Format and install fresh.

Nothing made in software can survive a DoD format.
November 8, 2011 12:55:01 PM

Firstly, download a program called "Removefakeantivirus", found here: http://freeofvirus.blogspot.com/2009/05/remove-fake-ant...
It's a program that specifically disables the processes and registry entries of the virus.

Then run a program called "SUPERAntiSpyware" to remove the viruses, found here:
http://www.superantispyware.com/

Reboot and run CCleaner to remove any unused registry entries left over from the removal of the virus.

Boom, now you're done, virus removed. This has worked on about 98% of the computers I've fixed, unless it's a Vundo one.

EDIT EDIT EDIT:
This is one hell of a nasty one, it seems; I researched and found a thread to remove it 100% for you manually.
http://freeofvirus.blogspot.com/2011/11/remove-system-s...
November 8, 2011 1:14:37 PM

Disable System Restore and then connect your boot drive to another computer via a USB adapter and run the scans from the other computer. I have fixed infections like yours and that was the only way I was successful. When it is clean, move it back to your computer and enable System Restore. The other option is to use a bootable utility CD with anti-virus/anti-malware utilities on it.
November 8, 2011 1:30:54 PM

I think I mentioned that before. I also suggested Googling Trend Micro HouseCall and doing a scan. Did you do that?

Install some Firefox add-ons:

Adblock Plus
BetterPrivacy
Ghostery
and others if you think they may be of any use.
November 8, 2011 1:52:30 PM

The computer is almost certainly infected with a rootkit. All you are doing is removing all the crap the rootkit is installing, not the rootkit itself. Boot to recovery/repair mode from a Windows install disk and fix your MBR to get rid of the rootkit. Sophos has a free rootkit scanner that you can run if you want to verify that a rootkit is there (you have to make a bootable CD).
November 8, 2011 2:18:57 PM

+1 on the rootkit. One quick and dirty way to clear up these kinds of messes is ComboFix. It's a really powerful tool, and should be handled with care, but it always managed to fix never-ending issues with viruses for me.

http://www.combofix.org/
November 8, 2011 8:02:32 PM

Thanks for the awesome ideas. Definitely gonna try the MBR rootkit scan. For ComboFix, no error messages appear; it just literally stops at 50. That's in regular Win7. Should I run it in safe mode?
November 8, 2011 9:39:36 PM

Yes, ComboFix should be run in safe mode with networking.

If it's hanging on a stage, open the Task Manager and see what processes are running. If there are any that are related to installed software, such as Daemon Tools, AnyDVD, or others, end them, and then retry the scan.
November 9, 2011 4:05:11 AM

aford10 said:
Yes, ComboFix should be run in safe mode with networking.

If it's hanging on a stage, open the Task Manager and see what processes are running. If there are any that are related to installed software, such as Daemon Tools, AnyDVD, or others, end them, and then retry the scan.

Ok, I am running ComboFix now in safe mode with networking. It is on stage 5, scanning for infected files mode. Sorry for the late posts; I've been at work and school all day. I will update as the process continues. As I am waiting for this, if this does not work, any suggestions on the whole rootkit thing? I think I've heard of rootkits once before. Is this accurate, and should I use any of the free programs on this post "http://forums.techarena.in/guides-tutorials/1000985.htm"?

Thanks again for everyone's help!

EDIT: Windows is now rebooting, ComboFix almost done. I saw it complete the stages this time and delete a few things, folders and such, before it restarted, so we shall see. Should I run Malwarebytes again or do anything else while in safe mode before going back to regular Windows?
EDIT2: Alright, ComboFix finished and it deleted a few things. I'm re-running Malwarebytes just in case. Also, I am going to run GMER to scan for rootkits.
November 9, 2011 4:33:37 AM

The software that is in my guide is fully capable of removing most malware, including rootkits. Once ComboFix has finished and restarted, it's a good idea to run Malwarebytes and SUPERAntiSpyware again, in safe mode with networking, just to verify that the system is clean.
November 9, 2011 4:45:27 AM

Alright, everything came back clean; we shall now see...
November 9, 2011 4:51:11 AM

Alright, I am ALLLLLL GOOOD :-D I love ComboFix and Malwarebytes!! Honestly, everything is even faster than before the virus. Can anyone honestly recommend a really good program to prevent this from happening again? In any case, thank you all for all of your help and advice!! You all saved my ass for work, saved me money for new hard drives, and a headache from reformatting :-) Thank you all again.
November 9, 2011 11:29:14 AM

Good to hear! :) 

Personally, I use the free Avast. Microsoft Security Essentials is also a good one.
November 9, 2011 1:26:54 PM

Hey guys, bad news: I am not all clear. I ran Win 7 for a little after the ComboFix and everything was running perfectly and even faster than before. Then, after going to bed and leaving my computer on, I wanted to see if anything would pop up overnight or something, so I ran Malwarebytes again (and updated before I ran it); it found 23 infections... it cleared them, then I rebooted my computer and my CPU was @ 100% and I could barely even start Win7. I had to leave, so I powered it off... I don't know, it's looking like a format is in sight. Thanks for the help everyone, but this damn virus beat me, it looks like. I'm gonna back my files up and reformat my HD. But I have a couple of questions for that. First, I have games on my PC; once I reformat and reinstall the games, will I be able to play the games again? Because I have used the product code when I first got the games? (These are CD based.) I know from using Steam that I can redownload and install my games from their servers and should be ok. Also, the new Battlefield 3 uses Origin. Does anyone know if I will be able to redownload and play my game again even though I used the code with my current computer before formatting?

EDIT: I also forgot to ask: on my hard drive I have 2 partitions, one for my Win 7 and another for XP. Do I only have to format Win7 or both?
November 9, 2011 3:47:26 PM

Yes, you can always reinstall those CD-based games. If they reject your key, then you can call their support line. Yes, Steam can be redownloaded. I've never used Origin, so I'm not sure there.

Do you have the problem in both partitions?

If you want to try and save some work, I have one more suggestion...
1. TFC
http://www.geekstogo.com/forum/files/file/187-tfc-temp-...
2. RKill
http://www.bleepingcomputer.com/download/anti-virus/rki...
3. TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363
4. ComboFix
November 10, 2011 2:56:36 AM

aford10 said:
Yes, you can always reinstall those CD-based games. If they reject your key, then you can call their support line. Yes, Steam can be redownloaded. I've never used Origin, so I'm not sure there.

Do you have the problem in both partitions?

If you want to try and save some work, I have one more suggestion...
1. TFC
http://www.geekstogo.com/forum/files/file/187-tfc-temp-...
2. RKill
http://www.bleepingcomputer.com/download/anti-virus/rki...
3. TDSSKiller
http://support.kaspersky.com/faq/?qid=208283363
4. ComboFix

I don't think so; I have not been on my XP partition in months, way before I had a virus.
November 11, 2011 1:46:17 AM

Sorry to hear the same thing happened to you. It's unbelievable how annoying that virus is. You think it's completely gone, then bam, 2-3 days later it's back. I was hoping someone could suggest a fix, since I'm still worried about getting this thing again.