Really Annoying Virus Help!!

wschamps42

Hello, I have this really annoying virus on my computer that just will not die. Malwarebytes removes it and Search and Destroy doesn't see it. And I've searched everywhere on how to remove this thing, but when I think it's all good, I reboot my computer out of safe mode and go back to normal Win7, but then all of a sudden my CPU is at 100% usage and S&D says something is trying to be entered into my registry. Oh, and the name of the program that keeps being installed is System Security 2012, and just randomly, Firefox will open and make a new tab and take me to Admiral Search or something. This literally came out of nowhere. I'm on my laptop now and re-using Malwarebytes as I speak. Please, please, some help would be amazing.

EDIT: 11/7/11 5:23 P.M. CST Malwarebytes just finished scanning, found one infection "rogue.system.security"; that's the System Security 2012 virus, but there's something else that Malwarebytes and S&D are not finding, because after I remove this and go back into normal Win7, my CPU usage goes to 100% and something tries to reinstall this crap on my computer. Also, the site that keeps automatically appearing in Firefox is "admiralsearchsystem.com".

EDIT2: 11/7/11 7:56 P.M. CST Ok, so I have a new issue... My computer is fine... sorta. I just reinstalled Firefox. I don't have any rogue programs popping up anymore, but now I can't go on certain websites like Google, Yahoo, Bing, Facebook. But I can go on Engadget and ESPN just fine. When I go to a site I just mentioned like Yahoo, a page pops up that says your computer may be infected, download Security Protection 2012, blah blah; it's obviously fake, and using Firefox's Google search, it redirects everything I search. HijackThis is showing a lot of things but I don't know what's bad and what's not.

Thanks in advance

P.S. I have a high understanding of computers, so any solutions would gracefully be accepted.
 

Tyler-767

I was in the same boat as you with my gf's netbook. And just like you, I had a fair understanding of computers. The only thing I could do was temporary and it would always come back. What I did was create a new user. Log into it, run all the scans that would find it and reboot/scan from start-up. Malwarebytes/Spybot/Avast all from boot, and they all found dozens of infected files. I deleted the old user account, re-ran it all again. Went on Google and found examples of the registry keys it infected and deleted them. I went to msconfig to make sure nothing booted on startup. Since it was a netbook I could not do a clean install of XP. In the end, after months of dealing with that stupid virus, she bought a new laptop and the netbook is in the garbage.

Try some of the stuff I said, since the new user might work for you, since it sorta did for her, and she had XP. Windows 7 might be better at getting rid of it.
 

wschamps42

There has to be another way to kill it, or some way to find out what is trying to reinstall every time I boot into normal Win 7 from safe mode. I have 1.2 TB of files and a lot of work and hw that's due, plus this is my only day off work to spend time on this...
 

Tyler-767

Try creating a new user and running the scans; you don't have to delete the old one. It usually gave my gf 2-3 days before it managed to come back. And you'll see that when you do that method it comes back with a different name. From my research it's pretty old, so I don't know why Microsoft hasn't patched the hole it uses.
 

Tyler-767

I'm not sure what antivirus you're using, but I put Avast on hers and after starting a new user it would usually find 8-10 infected files. Microsoft Security Essentials didn't even know there was a virus.
 
The System Security thing... did you try Start/Run, type msconfig in the box and then hit Enter? Look under Startup and Services to see if there is anything there; deselect (remove the check mark) if there is.

Did you try disabling Windows Restore before trying to remove it?

Google CWShredder and see if it finds anything.

Anything in Add/Remove from the Control Panel?

Did you try Trend Micro HouseCall? Google it and run it.
 

wschamps42

Alright, so I just found 2K files that I did not trust, including two .exe files that were hidden in the Roaming folder under AppData, and just deleted all of that. I removed the rogue software virus and am now doing a full Malwarebytes scan; I'm 32 min in, over 12K files scanned and 0 infections. Although that damn auto new tab thing just happened and took Firefox randomly to that Admiral site again. I am doing all of this in Win7 safe mode. There has to be some sort of bug or program that is auto-installing this crap once my computer restarts. I used S&D to immunize files and fix registry errors. I'm debating whether to use ComboFix or not. I also just completely cleared Firefox cache and cookies and browser history. I'm out of ideas here. What is HijackThis?
 

gokanis

You can mess with this thing for a week and never get it fixed. If you have a spare computer, copy your files to it and reformat this one. I had similar crap on my daughter's computer but didn't want to waste 10 days mucking with it. I booted in safe mode, slapped on an external, grabbed her data including school work and reinstalled. Only took a couple of hours and I had a system I knew was clean. I think my son-in-law's dad was looking at porn on it while he was visiting, lol. At least that's what my daughter claimed; I said... right...
 

x Heavy

Take that infected computer and run a format on it.

You will lose everything on that computer, including that virus.

Before you do, take a look at ippages dot com and enter that virus address it was seeking. You should get an IP group with subnet.

Write that down and enter a special firewall rule to block it coming and going when you rebuild the computer...

On a fresh, virgin hard drive.
 

wschamps42

Ok, so since I thought it was a little weird that MWB only found 1 infection in the quick scan and 0 in the full, I decided to uninstall and reinstall MWB to its latest version, so I'm doing the quick scan now and it found over 1646 infections and climbing as I'm typing...

EDIT: 2997 infections... and climbing
 

fullforce

lol, that's a lot of infections!!
I use Kaspersky; Barclays in the UK give it free if you have internet banking with them :D but there's a free trial of 30 days, that should get rid of it. Kaspersky is rated one of the best antiviruses around :)
 

wschamps42

Ok, so I'm deleting the infections now and rebooting; the majority of the infections were in the registry... thank you MWB. Hopefully this should fix it, but I'm gonna run other scanners just in case, but I've never seen 3334 infections on one computer in my life. Lol, no porn involved, I promise @gokanis
 

wschamps42

I think I'm good now. S&D keeps spamming a pop-up message asking allow or deny change "value:delete" or something. I'm running MWB again. I think the virus screwed with my copy of Windows because it thinks it's not genuine, but everything looks and is running normally.
 


x Heavy

We used to scan the old college computer desktops from classrooms in our IT courses.

Thousands and thousands of adware, spyware, keys and bunches of stuff from all manner of sources resided in these machines, in addition to open pathways for complete and utter identity theft if one should choose.

Eventually we hacked each other in the isolated lab behind a proxy (to protect the rest of the University).

What really got me was the one demonstration from the teacher in the server room that handled our traffic. Nothing is hidden, no matter how much you clean, delete or otherwise try to cover your tracks. The only thing that was hidden was the occasional tunnel traffic from someone who does not need a degree in this stuff anyway.
 

wschamps42

So do you have a solution to my problem?
 
Deleted member 217926

The only solution that will fix everything is a clean install of Windows, as I stated above. It sucks, I know, but back up everything and just do it. It will save you hours of frustration.

Make sure you actually run some protection on the new install. I use Avira and Malwarebytes (I run Malwarebytes once a month but it never finds anything; Avira is good).
 
It sounds like you've done a pretty good job at attacking this problem so far. When you scan in 'safe mode', I assume you mean safe mode with networking? If not, then your virus scanner databases are not updating. That will render your scans almost pointless.

I'm not sure why you are hesitating on using ComboFix. I use it regularly, and have never had an issue with it.

Here's a step-by-step guide on how I attack these things.
http://www.tomshardware.com/forum/248626-45-simple-free-guide-removing-malware
 
C:\Windows\System32\drivers\etc\hosts

Move that file (and its similar-looking backup file) somewhere else.

Let Windows regenerate a new hosts file.

Run S&D as admin and reapply immunisation.

See if that gets rid of the redirection problem.
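Before moving the hosts file, it helps to know whether it is actually the culprit, and to tell a hijack apart from the thousands of harmless `127.0.0.1` lines that Spybot's immunisation adds. The script below is an added example written for this thread, not code from any of the posters or from Spybot; it parses a hosts file the way Windows reads it (first field an IP, remaining fields hostnames, `#` starts a comment) and reports any entry for the sites named in the thread (Google, Yahoo, Bing, Facebook, an assumed watch-list you can extend). Entries pointing at loopback or `0.0.0.0` are reported as "blocked" (the site simply fails to load); entries pointing anywhere else are "redirected", which is what a fake-antivirus landing page looks like. The sample hosts content is constructed for the demo and uses the `203.0.113.0/24` documentation range as the stand-in redirect target; nothing in it is taken from the poster's machine.

```python
"""Audit a Windows hosts file for hijacked entries (added example, not from the thread)."""
import ipaddress
import sys
from pathlib import Path

# Path the post names; used by default when it exists (i.e. when run on Windows).
DEFAULT_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains the poster reports as redirected; assumed watch-list, extend as needed.
WATCHED_DOMAINS = ("google.com", "yahoo.com", "bing.com", "facebook.com")

# Constructed sample of a tampered hosts file (NOT captured from the poster's machine).
# The 127.0.0.1 lines look like Spybot S&D immunisation entries and are harmless;
# the 203.0.113.x lines (TEST-NET-3 documentation range) stand in for a hijack.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1\twww.007guard.com   # immunisation-style entry: harmless
127.0.0.1\t007guard.com
203.0.113.10    www.google.com google.com
203.0.113.10    search.yahoo.com
203.0.113.11    www.bing.com   # redirect
0.0.0.0         www.facebook.com
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active entry, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; Windows ignores it as well
        yield line_no, ip, [h.lower() for h in fields[1:]]


def matches_watched(hostname):
    """True if hostname is a watched domain or one of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return (findings, immunisation_count).

    findings: list of (line_no, hostname, ip, verdict). verdict is 'blocked'
    when the entry points at loopback/unspecified (site just fails to load)
    or 'redirected' when it points somewhere else (fake-AV landing page).
    immunisation_count: loopback/0.0.0.0 entries for non-watched hosts,
    which is what Spybot immunisation produces and is not a hijack.
    """
    findings = []
    immunisation_count = 0
    for line_no, ip, hostnames in parse_hosts(text):
        harmless_target = ip.is_loopback or ip.is_unspecified
        for host in hostnames:
            if host == "localhost":
                continue
            if matches_watched(host):
                verdict = "blocked" if harmless_target else "redirected"
                findings.append((line_no, host, str(ip), verdict))
            elif harmless_target:
                immunisation_count += 1
    return findings, immunisation_count


def audit_hosts_file(path):
    """Audit an on-disk hosts file (read leniently; the file is plain text)."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path]. Falls back to the Windows path when it
    # exists, otherwise to the constructed sample so the demo runs anywhere.
    if len(sys.argv) > 1:
        findings, immun = audit_hosts_file(sys.argv[1])
    elif Path(DEFAULT_PATH).exists():
        findings, immun = audit_hosts_file(DEFAULT_PATH)
    else:
        findings, immun = audit_hosts(SAMPLE_HOSTS)
    print(f"{immun} loopback entries for non-watched hosts (immunisation-style, ignored)")
    for line_no, host, ip, verdict in findings:
        print(f"line {line_no}: {host} -> {ip} ({verdict})")
```

On the sample, the two `127.0.0.1` immunisation lines are counted and ignored, while the Google, Yahoo and Bing lines come back as "redirected" and the Facebook line as "blocked". A clean hosts file produces no findings at all, which is the quick way to tell whether the redirection lives in this file or somewhere else (proxy settings, a browser add-on, or the DNS servers the adapter is using).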
 

wschamps42

Should I run ComboFix in safe mode? (Yes, I have been using it with networking.) I tried in regular Windows but it would stop after level 50 or stage 50. Yeah, I've killed off most of this problem; the only thing that is left is this redirect crap. It's like a proxy override. It only affects, it looks like, the major sites such as Google, Bing, Facebook, and Yahoo. But when I go to ESPN or Engadget it is ok. But when I type anything through the address bar I see on the bottom it's "asking admirablesearchsystem", then it goes through. Sometimes it does not go through and instead redirects me to some fake antivirus site. Reinstalling Windows would be a last, last, last resort for me if I can just kill this off. I have no time for formatting and reinstalling everything, plus I have a lot of games that I may not be able to reinstall because of the product key being used once.