HELP: Virus is keeping my computer alive?

[zheng.93]

Hi guys, been a while since I last posted :)

Anyways I've a funny problem with my Win7 laptop that's leaving me stumped!

Well here's how the story goes.....

I bought myself an iPad, which I loved until I decided to try to connected to this laptop. Unfortunately I got this error that "Apple Mobile Device" couldn't start, so I followed instructions on how I should remove this program called "Megakey" that was interfering with the service.

I HAD megakey installed, but obviously it wasn't uninstalled properly as a normal search popped up this file:

C:\Programdata\Megamedia\Megakey\msadm.dll

I couldn't delete it as it was being used by a whole load of other programs (As Unlocker told me so).

What I did next was to extract the megakey.exe file from their website using 7zip, transferred the uninstall.exe from megakey.exe into that folder containing msadm.dll and executed uninstall.

After rebooting, msadm.dll was removed, like finally :)

However!!

Once msadm.dll was removed, for some strange reason my browsers such as Firefox and IE couldn't work. When typing any address (google.com, facebook.com, neowin.net) into the web browser, FF would just leave me stuck in the empty tab while IE just says there's a connection problem (where conducting any diagnostics doesn't work, as usual).

After much thought I realised that it could be the msadm.dll that's affecting it, so I created the same folder in program data and transferred msadm.dll from my previously extracted megakey.exe back into the SAME folder.

Strangely, after putting that .dll file back, I could use firefox and IE all over again!

Does anyone know why this is occuring? I'm stumped, and so are my friends. Could it be that msadm.dll is actually supporting my computer and has become an infectious, cancerous-like parasite? Is there a way for me to remove msadm.dll without losing connectivity and thus allowing me to connect the iPad?

Hope to hear from you guys!

Thanks :)

[Detection]

Remove the file, folder, and anything else that shouldn't be there

Reset IE, make sure FF and other browsers are not set to run through any proxy

Run Malwarebytes

Empty temp folders

Disable anything suspicious in msconfig

[Hum]

The virus has corrupted your browsers, to force you to go to other sites.

I would try System Restore first, if you use it.

Next you could uninstall Megakey, and delete msadm.dll, then run the Registry cleaner, such as the one with CCleaner (free download).

That can get rid of the useless registry entry that is causing a problem, that you 'need' the msadm.dll file.

You could run a good anti-virus scan as well.

Lastly I would save your bookmarks, and remove Firefox, then Reinstall.

good luck ....

[Gaara sama]

Oh Boy just restart your pc in save mode and run Malewarebyte save mode with network .

[zheng.93]

Thanks for your reply :)

I did try to do a system restore but megakey was uninstalled like months ago, and I only realised there's remnants of it lying around today. So restoring my system back to when I did not have megakey installed is...impossible? Not sure about that =/

I can't delete msadm.dll as it's being 'used' by many other programs such as services.exe, firefox.exe, svchost.exe and some norton process. The only way I could delete it was using the uninstaller, and also by using my old dual boot of iATKos to delete it.

I tried deleting it, running CCleaner AND a virus scan using Norton Internet Security, but I still cannot use the browser.

@gaara sama you're suggesting SAFE mode, then running malwarebytes?

[zheng.93]

Remove the file, folder, and anything else that shouldn't be there

Reset IE, make sure FF and other browsers are not set to run through any proxy

Run Malwarebytes

Empty temp folders

Disable anything suspicious in msconfig

Everything in msconfig that I don't need/not sure what they are, are already disabled. Temp folders are clean. Running malwarebytes now :)

[Guolung]

Try Kaspersky labs TDSS killer too, just to be sure.

[Joey S]

Sounds like a rootkit or something of that ilk. Take a look at your browser's connection settings and confirm it isn't using a proxy of some kind.

[zheng.93]

Sounds like a rootkit or something of that ilk. Take a look at your browser's connection settings and confirm it isn't using a proxy of some kind.

Firefox says no proxy is being used! :(

Try Kaspersky labs TDSS killer too, just to be sure.

Thanks! Trying out now....

Kaspersky TDSS Killer detected "sptd" as suspicious, from C:\Windows\system32\Drivers\sptd.sys

It will remove after reboot...gonna reboot now :)

Anyway so far Malwarebytes hasn't churned up anything yet.

[StrikedOut]

Yeap, Safe mode but either download all the updates before rebooting into safe mode of go safe mode with networking. Safe mode only sarts with services that are required to run, this usualy leaves most 'locked' files and folders open to be deleted. I would also clear out all your restore points too (turn off system restore then turn it back on).

Have you removed Firefox and reinstalled to see if it works then?

[Bad Boy Nibbler]

Firefox says no proxy is being used! :(

Thanks! Trying out now....

Kaspersky TDSS Killer detected "sptd" as suspicious, from C:\Windows\system32\Drivers\sptd.sys

It will remove after reboot...gonna reboot now :)

Anyway so far Malwarebytes hasn't churned up anything yet.

sptd is not something to worry of as it used by dameon tools and probley other programs though not sure which if i remember rightly sptd also have there own uninstaller website wise

[zheng.93]

Yeap, Safe mode but either download all the updates before rebooting into safe mode of go safe mode with networking. Safe mode only sarts with services that are required to run, this usualy leaves most 'locked' files and folders open to be deleted. I would also clear out all your restore points too (turn off system restore then turn it back on).

Have you removed Firefox and reinstalled to see if it works then?

At that point when I deleted the .dll file, reinstalling didn't work o.o

I will go into safe mode tomorrow morning as it's already 12.13am now =/ Sorry but thanks soo much for all your generous help thus far!

sptd is not something to worry of as it used by dameon tools and probley other programs though not sure which if i remember rightly sptd also have there own uninstaller website wise

So I shouldn't remove it?

[Bad Boy Nibbler]

At that point when I deleted the .dll file, reinstalling didn't work o.o

I will go into safe mode tomorrow morning as it's already 12.13am now =/ Sorry but thanks soo much for all your generous help thus far!

So I shouldn't remove it?

that really depends the only time i seen sptd get installed is for virutal cd - dvd emulation software like alchol 120 dameon tools if you don't used such tools it not needed if you do your gonna need it

[zheng.93]

Hi,

I'm currently on safe mode with networking. Tried to delete but it still says it cannot be deleted as it is being used by another program. Unlocker doesn't seem to be working in safe mode and hence I cannot find out which program is using the .dll file in safe mode. My guess is svchost.exe? =/

[zheng.93]

Update: I used megakey's uninstall.exe to remove the .dll file. When restarted back to safe mode with networking, I got the message "windows help and support cannot start". Thereafter, any attempts to use firefox and ie yields no results, I'm just stuck on an empty tab.

Kaspersky tdss and malwarebytes scans yield no results as well, they say my computer has no malware or rootkits.

Tried reinstalling firefox as well, but once again I still can't connect to the Internet.

The only way I can connect to the Internet again is to put back the megakey .dll file into program data.

Ahhhhh! Any ideas? :/

[ViperAFK]

The virus most likely set a proxy server in your web browser... In IE go to internet options > connections > lan settings and uncheck proxy, make sure only "automatically detect settings" is checked.

In firefox its options > advanced > network > connection > settings

[redvamp128]

You could try a portable version of the browsers- also try spybot search and destroy-

http://portableapps.com/apps

[zheng.93]

The virus most likely set a proxy server in your web browser... In IE go to internet options > connections > lan settings and uncheck proxy, make sure only "automatically detect settings" is checked.

In firefox its options > advanced > network > connection > settings

Yes, on firefox it's no proxy, and in IE "automatically detect settings" is checked.

You could try a portable version of the browsers- also try spybot search and destroy-

http://portableapps.com/apps

Spybot? I haven't used that in years.....I thought malwarebytes and others were more efficient! Anyway I've already used Kaspersky TDSS, malwarebytes AND norton full system scan....still nothing!

Will try your portable apps suggestion now :)

[Azies]

At this point I would probably consider restoring/reformatting. That install looks too far gone to save, especially with the slight language barrier.

[Brandon H Supervisor]

have you tried an "sfc /scannow" yet?

if you haven't yet, run that in an admin level cmd window in safe mode or if you can from the recovery mode command prompt on the Windows 7 install disk

[zheng.93]

Portableapps doesn't work.

Slight language barrier?

Will try your suggestion brandon!

[RiverCampher]

'Nuke it, it's the only way to be sure' - Aliens.

Backup using a Linux live CD to whatever media you want or partition and move what you need over.

Format the OS partition and reinstall.

I wouldn't ever trust a rooted version of windows. Especially if you use passwords/credit card/bank information on the internet.

[zheng.93]

The thing is the .dll file isn't causing me any problems, aside from not being able to connect to my iPad. Seems too much of a hassle, but yeah, I'll probably do it if I can't get the file out by next week.

Anyways sfc /scannow gave a report that "Windows Resource Protection found corrupt files but was unable to fix some of them"

[jnelsoninjax]

^That is a good indication that the only way you are going to recover is to do a format and reinstall. It seems that this virus has corrupted core windows files and the only for sure way of recovering from this would be to reinstall windows. It is a PITA to do, but faced with everything else your choices seem rather slim.

[JustGeorge]

Can you "ping" a website? Open cmd prompt-> type ping www.google.com and hit Enter. If you get a reponse, then maybe try rebuilding your TCP/IP stack:

http://support.microsoft.com/kb/299357

http://answers.microsoft.com/en-us/windows/forum/windows_7-networking/how-to-reset-tcpip-stack-in-windows-7/82560f98-de0c-4e75-ae48-9938bc980f47

Make sure to run the cmd prompt as admin by right-clicking cmd and selecting to run as admin.