HELP: Virus is keeping my computer alive?


Hi guys, been a while since I last posted :)

Anyways I've a funny problem with my Win7 laptop that's leaving me stumped!

Well here's how the story goes.....

I bought myself an iPad, which I loved until I decided to try to connect it to this laptop. Unfortunately I got this error that "Apple Mobile Device" couldn't start, so I followed instructions on how I should remove this program called "Megakey" that was interfering with the service.

I HAD megakey installed, but obviously it wasn't uninstalled properly as a normal search popped up this file:

C:\Programdata\Megamedia\Megakey\msadm.dll

I couldn't delete it as it was being used by a whole load of other programs (As Unlocker told me so).

What I did next was to extract the megakey.exe file from their website using 7zip, transferred the uninstall.exe from megakey.exe into that folder containing msadm.dll and executed uninstall.

After rebooting, msadm.dll was removed, like finally :)

However!!

Once msadm.dll was removed, for some strange reason my browsers such as Firefox and IE couldn't work. When typing any address (google.com, facebook.com, neowin.net) into the web browser, FF would just leave me stuck in the empty tab while IE just says there's a connection problem (where conducting any diagnostics doesn't work, as usual).

After much thought I realised that it could be the msadm.dll that's affecting it, so I created the same folder in program data and transferred msadm.dll from my previously extracted megakey.exe back into the SAME folder.

Strangely, after putting that .dll file back, I could use firefox and IE all over again!

Does anyone know why this is occurring? I'm stumped, and so are my friends. Could it be that msadm.dll is actually supporting my computer and has become an infectious, cancerous-like parasite? Is there a way for me to remove msadm.dll without losing connectivity and thus allowing me to connect the iPad?

Hope to hear from you guys!

Thanks :)

The virus has corrupted your browsers, to force you to go to other sites.

I would try System Restore first, if you use it.

Next you could uninstall Megakey, and delete msadm.dll, then run the Registry cleaner, such as the one with CCleaner (free download).

That can get rid of the useless registry entry that is causing a problem, that you 'need' the msadm.dll file.

You could run a good anti-virus scan as well.

Lastly I would save your bookmarks, and remove Firefox, then Reinstall.

good luck ....

Thanks for your reply :)

I did try to do a system restore but megakey was uninstalled like months ago, and I only realised there's remnants of it lying around today. So restoring my system back to when I did not have megakey installed is...impossible? Not sure about that =/

I can't delete msadm.dll as it's being 'used' by many other programs such as services.exe, firefox.exe, svchost.exe and some norton process. The only way I could delete it was using the uninstaller, and also by using my old dual boot of iATKos to delete it.

I tried deleting it, running CCleaner AND a virus scan using Norton Internet Security, but I still cannot use the browser.

@gaara sama you're suggesting SAFE mode, then running malwarebytes?

Remove the file, folder, and anything else that shouldn't be there

Reset IE, make sure FF and other browsers are not set to run through any proxy

Run Malwarebytes

Empty temp folders

Disable anything suspicious in msconfig

Everything in msconfig that I don't need/not sure what they are, are already disabled. Temp folders are clean. Running malwarebytes now :)

Sounds like a rootkit or something of that ilk. Take a look at your browser's connection settings and confirm it isn't using a proxy of some kind.

Firefox says no proxy is being used! :(

Try Kaspersky labs TDSS killer too, just to be sure.

Thanks! Trying out now....

Kaspersky TDSS Killer detected "sptd" as suspicious, from C:\Windows\system32\Drivers\sptd.sys

It will remove after reboot...gonna reboot now :)

Anyway so far Malwarebytes hasn't churned up anything yet.

Yeap, Safe mode, but either download all the updates before rebooting into safe mode or go safe mode with networking. Safe mode only starts with services that are required to run; this usually leaves most 'locked' files and folders open to be deleted. I would also clear out all your restore points too (turn off system restore then turn it back on).

Have you removed Firefox and reinstalled to see if it works then?

sptd is not something to worry about as it is used by Daemon Tools and probably other programs, though not sure which. If I remember rightly, sptd also have their own uninstaller, website-wise.

At that point when I deleted the .dll file, reinstalling didn't work o.o

I will go into safe mode tomorrow morning as it's already 12.13am now =/ Sorry but thanks soo much for all your generous help thus far!

So I shouldn't remove it?

That really depends. The only time I've seen sptd get installed is for virtual CD/DVD emulation software like Alcohol 120 or Daemon Tools. If you don't use such tools it's not needed; if you do, you're gonna need it.

Hi,

I'm currently on safe mode with networking. Tried to delete but it still says it cannot be deleted as it is being used by another program. Unlocker doesn't seem to be working in safe mode and hence I cannot find out which program is using the .dll file in safe mode. My guess is svchost.exe? =/

Update: I used megakey's uninstall.exe to remove the .dll file. When restarted back to safe mode with networking, I got the message "windows help and support cannot start". Thereafter, any attempts to use firefox and ie yields no results, I'm just stuck on an empty tab.

Kaspersky tdss and malwarebytes scans yield no results as well, they say my computer has no malware or rootkits.

Tried reinstalling firefox as well, but once again I still can't connect to the Internet.

The only way I can connect to the Internet again is to put back the megakey .dll file into program data.

Ahhhhh! Any ideas? :/

The virus most likely set a proxy server in your web browser... In IE go to internet options > connections > lan settings and uncheck proxy, make sure only "automatically detect settings" is checked.

In Firefox it's options > advanced > network > connection > settings

Yes, on firefox it's no proxy, and in IE "automatically detect settings" is checked.

You could try a portable version of the browsers- also try spybot search and destroy-

http://portableapps.com/apps

Spybot? I haven't used that in years.....I thought malwarebytes and others were more efficient! Anyway I've already used Kaspersky TDSS, malwarebytes AND norton full system scan....still nothing!

Will try your portable apps suggestion now :)

have you tried an "sfc /scannow" yet?

if you haven't yet, run that in an admin level cmd window in safe mode or if you can from the recovery mode command prompt on the Windows 7 install disk

'Nuke it, it's the only way to be sure' - Aliens.

Backup using a Linux live CD to whatever media you want or partition and move what you need over.

Format the OS partition and reinstall.

I wouldn't ever trust a rooted version of windows. Especially if you use passwords/credit card/bank information on the internet.

The thing is the .dll file isn't causing me any problems, aside from not being able to connect to my iPad. Seems too much of a hassle, but yeah, I'll probably do it if I can't get the file out by next week.

Anyways sfc /scannow gave a report that "Windows Resource Protection found corrupt files but was unable to fix some of them"

^That is a good indication that the only way you are going to recover is to do a format and reinstall. It seems that this virus has corrupted core windows files and the only for sure way of recovering from this would be to reinstall windows. It is a PITA to do, but faced with everything else your choices seem rather slim.

Can you "ping" a website? Open cmd prompt-> type ping www.google.com and hit Enter. If you get a response, then maybe try rebuilding your TCP/IP stack:

http://support.microsoft.com/kb/299357

http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/how-to-reset-tcpip-stack-in-windows-7/82560f98-de0c-4e75-ae48-9938bc980f47

Make sure to run the cmd prompt as admin by right-clicking cmd and selecting to run as admin.
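
The checks suggested across this thread (which processes hold msadm.dll, the IE and Firefox proxy settings, and ping versus a real browser-style connection) can be gathered in one read-only PowerShell script. This is an added example, not something posted by the thread participants; the DLL name and test host come from the posts, and the Firefox profile location assumes a default install.

```powershell
# Added example: read-only triage, run from an elevated PowerShell prompt.
# Nothing here changes settings or deletes files.
$dllName  = 'msadm.dll'        # file name from the thread
$testHost = 'www.google.com'   # host used in the ping suggestion

# 1. Which running processes have the DLL loaded?
#    tasklist /m is built in and prints an INFO line when nothing matches.
Write-Output "== Processes with $dllName loaded =="
tasklist /m $dllName

# 2. Per-user proxy settings used by IE (Internet Options > Connections > LAN settings)
Write-Output "== IE / WinINET proxy settings =="
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $key
Write-Output ("ProxyEnable   : {0}" -f $inet.ProxyEnable)
Write-Output ("ProxyServer   : {0}" -f $inet.ProxyServer)
Write-Output ("AutoConfigURL : {0}" -f $inet.AutoConfigURL)
if ($inet.ProxyEnable -eq 1 -or $inet.AutoConfigURL) {
    Write-Warning 'A proxy or auto-config script is set for this user.'
}

# 3. Machine-wide WinHTTP proxy (used by services rather than browsers)
Write-Output "== WinHTTP proxy =="
netsh winhttp show proxy

# 4. Firefox keeps its own proxy preferences in prefs.js.
#    No network.proxy.* lines means the profile is on Firefox defaults.
Write-Output "== Firefox proxy preferences =="
$profiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
if (Test-Path $profiles) {
    Get-ChildItem -Path $profiles -Recurse -Filter 'prefs.js' -ErrorAction SilentlyContinue |
        Select-String -Pattern 'network\.proxy\.' |
        ForEach-Object { $_.Line }
} else {
    Write-Output 'No Firefox profile folder found at the default location.'
}

# 5. Ping only proves name resolution and ICMP. Browsers need a TCP
#    connection, so test that separately on port 80.
Write-Output "== ping vs TCP connect to $testHost =="
ping -n 2 $testHost
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($testHost, 80)
    Write-Output "TCP port 80: connected = $($client.Connected)"
} catch {
    Write-Warning "TCP port 80 failed: $($_.Exception.Message)"
} finally {
    $client.Close()
}
```

Running it once with the DLL in place and once after removal gives two reports to compare: if ping succeeds in both but the TCP connect only fails in the second, the break is in the socket path the browsers use rather than in name resolution or proxy settings.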

This topic is now closed to further replies.