Author Topic: Windows Update Icons keep multiplying, unable to install/run security programs.  (Read 6212 times)


marcelonagem

  • Guest
Hi everyone!

A few days ago, I connected an infected pendrive to my machine, containing an Autorun.inf virus, and since that day, Windows Update icons keep appearing in my tray, but when I pass the mouse over them, they disappear. I'm also unable to install or run almost every program related to security.
I tried to do a full scan with AVG and Malwarebytes, but the problem persists. I don't know what to do. I tried to uninstall AVG to install Avast but I can't; maybe the virus is blocking me, I don't know.
Are these two viruses related?
What can I do to get rid of them?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Hi, two things to do

First

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

Plug in the drive and McShield will start a scan

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that

Second

Download OTL to your Desktop
Secondary link
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.


  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Attach both logs

marcelonagem

  • Guest
I can't even open MCShield.
I had to rename the .exe file because I wasn't able to install it; every time I clicked it, it opened but closed right after. After I renamed it I could install it, but when I try to open the program it closes soon after.

marcelonagem

  • Guest
I was unable to run MCShield, but with OTL I was fine. Here is the log:

Offline magna86

  • Anti Malware Fighter
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4235
    • Ambulanta MyCity Forum - ASAP Member
My apologies to essexboy for jumping in, I just wish to ask marcelonagem.

Quote
I can't even open MCShield.
I had to rename the .exe file because I wasn't able to install it; every time I clicked it, it opened but closed right after. After I renamed it I could install it, but when I try to open the program it closes soon after.

Did it throw or pop up some error when you tried to install MCShield?
Could you describe in a little more detail the part where you can't install MCShield; what exactly happens?
Can you please check whether you have any logs in the
Start > all programs > MCShield > logs directory and attach them here?

Thanks for that, essexboy will continue to guide you through malware removal.
« Last Edit: June 18, 2013, 02:27:04 AM by magna86 »

marcelonagem

  • Guest
Well, after some tries, I renamed the MCShield .exe and was able to install. But when I choose to open the MCShieldDS, I just get a message "Welcome to MCShield" and the program closes. There is an icon of MCShield inside my tray, but I can't run a scan or anything like that. I removed and connected my pen drive a few times, but I don't know if it is running a scan or not.
And also, I don't have any logs inside: Start > all programs > MCShield

Does the program run an automatic scan every time I plug in my pen drive, or should I do it manually? If yes, how? What must I be doing wrong?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Yes, it should do it on the insertion of any removable drive. Run OTL so that I can clear what is there and we will then retry McShield

nandosesti

  • Guest
Hello,
I am having the same problem as marcelonagem. Exactly.
I managed to install MCShield but it is not active. In less than five seconds it closes.
Neither the control center nor the real-time monitor stays running.
I managed to run OTL and left the results attached.
Please, help!

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
@marcelonagem please do not edit your post, as I do not receive notifications for edits

@nandosesti I will create a topic for you with your fix: http://forum.avast.com/index.php?topic=127618.new#new

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following


Code:
:OTL
IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCtDzzyEyByE0FyD0AyCyDtN0D0Tzu0StByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1442488509
IE:64bit: - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCtDzzyEyByE0FyD0AyCyDtN0D0Tzu0StByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1442488509
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://start.funmoods.com/?f=1&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCtDzzyEyByE0FyD0AyCyDtN0D0Tzu0StByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1442488509
IE - HKLM\..\SearchScopes,Backup.Old.DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKLM\..\SearchScopes\{2D594506-951B-D88F-2E60-1BFC6264D3A3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2481031
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCtDzzyEyByE0FyD0AyCyDtN0D0Tzu0StByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1442488509
IE - HKU\.DEFAULT\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-18\..\SearchScopes,DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Backup.Old.Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2481031
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\URLSearchHook: {88c7f2aa-f93f-432c-8f0e-b7d85967a527} - No CLSID value found
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\URLSearchHook: {e7cb019e-bf3b-4c48-9673-48c323b18e31} - No CLSID value found
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes,Backup.Old.DefaultScope = {afdbddaa-5d3f-42ee-b79c-185a7020515b}
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes\{043C5167-00BB-4324-AF7E-62013FAEDACF}: "URL" = http://vshare.toolbarhome.com/search.aspx?q={searchTerms}&srch=dsp
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes\{2D594506-951B-D88F-2E60-1BFC6264D3A3}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2481031
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes\{8C1A0609-27D8-4EEE-B24E-93B6E782BEC4}: "URL" = http://search.babylon.com/?q={searchTerms}&affID=110824&tt=4612_7&babsrc=SP_ss&mntrId=805f5a65000000000000001fc608474f
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=ironpub&chnl=ironpub&cd=2XzuyEtN2Y1L1QzutDtDtC0F0CyCtDzzyEyByE0FyD0AyCyDtN0D0Tzu0StByDtAtN1L2XzutBtFtCtFtCtFtAtCtB&cr=1442488509
IE - HKU\S-1-5-21-1802174033-395253039-4095520858-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.conduit.com?SearchSource=10&ctid=CT2481031
[2012/09/10 23:12:00 | 000,000,000 | ---D | M] (Funmoods.com) -- C:\Users\lucas\AppData\Roaming\mozilla\Firefox\Profiles\t5m7pjbu.default\extensions\ffxtlbr@funmoods.com
[2012/11/13 14:38:44 | 000,002,536 | ---- | M] () -- C:\Users\lucas\AppData\Roaming\mozilla\firefox\profiles\t5m7pjbu.default\searchplugins\browsemngr.xml
[2012/09/10 23:11:58 | 000,000,789 | ---- | M] () -- C:\Users\lucas\AppData\Roaming\mozilla\firefox\profiles\t5m7pjbu.default\searchplugins\Search.xml
[2012/11/13 14:38:24 | 000,002,349 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\babylon.xml
[2013/02/26 16:29:42 | 000,001,027 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\buscape.xml
[2013/02/26 16:29:42 | 000,001,212 | ---- | M] () -- C:\Program Files (x86)\mozilla firefox\searchplugins\mercadolivre.xml
O3 - HKLM\..\Toolbar: (no name) - {A4C272EC-ED9E-4ACE-A6F2-9558C7F29EF3} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1000\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003\..\Toolbar\WebBrowser: (no name) - {043C5167-00BB-4324-AF7E-62013FAEDACF} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003\..\Toolbar\WebBrowser: (no name) - {88C7F2AA-F93F-432C-8F0E-B7D85967A527} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003\..\Toolbar\WebBrowser: (no name) - {E7CB019E-BF3B-4C48-9673-48C323B18E31} - No CLSID value found.
O4 - HKLM..\Run: [Wondershare Helper Compact.exe] C:\Program Files (x86)\Common Files\Wondershare\Wondershare Helper Compact\WSHelper.exe File not found
O4 - HKLM..\Run: [USBAutorunChecker] C:\Program Files (x86)\USB Autorun Detective\autorunchecker.exe File not found
O4 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003..\Run: [203] C:\Users\Casa\AppData\Roaming\3622\203.js ()
O4 - Startup: C:\Users\Casa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c7.js ()
O4 - Startup: C:\Users\lucasm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c7.js ()
O16 - DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.72.0.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Reg Error: Value error.)
O16 - DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} http://mariaamaral.dyndns.org:8081/WebClient.exe (Reg Error: Key error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
[2013/06/13 20:11:57 | 000,000,000 | -HSD | C] -- C:\3720
[2012/09/10 23:12:17 | 000,384,844 | ---- | C] () -- C:\Users\lucas\AppData\Local\funmoods-speeddial.crx
[2012/09/10 23:12:08 | 000,031,465 | ---- | C] () -- C:\Users\lucas\AppData\Local\funmoods.crx
[2013/06/13 20:11:57 | 000,000,000 | -HSD | M] -- C:\Users\Casa\AppData\Roaming\3622
[2012/09/02 18:42:06 | 000,000,000 | ---D | M] -- C:\Users\lucas\AppData\Roaming\Babylon


:Files
C:\Users\Casa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
C:\Users\lucasm\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.js
:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
« Last Edit: June 19, 2013, 05:57:45 PM by essexboy »
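
A triage sketch for the kind of OTL log lines the fix above targets, added here as an example and not part of the thread or of OTL itself: it flags autorun entries that launch Windows Script Host files, autoruns whose target is missing, and hidden-system directories with all-digit names. The sample lines are copied from the fix script above; the regexes, category names and heuristics are assumptions based only on those lines.

```python
import re

# Sample input: lines copied from the fix script in the post above.
SAMPLE = r"""
O4 - HKLM..\Run: [USBAutorunChecker] C:\Program Files (x86)\USB Autorun Detective\autorunchecker.exe File not found
O4 - HKU\S-1-5-21-1802174033-395253039-4095520858-1003..\Run: [203] C:\Users\Casa\AppData\Roaming\3622\203.js ()
O4 - Startup: C:\Users\Casa\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7c7.js ()
[2013/06/13 20:11:57 | 000,000,000 | -HSD | C] -- C:\3720
[2013/06/13 20:11:57 | 000,000,000 | -HSD | M] -- C:\Users\Casa\AppData\Roaming\3622
[2012/09/02 18:42:06 | 000,000,000 | ---D | M] -- C:\Users\lucas\AppData\Roaming\Babylon
""".strip().splitlines()

# Assumption: file types run by Windows Script Host when launched at logon.
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# O4 autorun line: location, optional [value name], then the target.
O4 = re.compile(r"^O4 - (?P<where>.*?(?:Run|Startup)): "
                r"(?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
# File listing line: [date | size | attributes | C or M] (vendor) -- path
FS = re.compile(r"^\[[^|]+\| [\d,]+ \| (?P<attr>[-A-Z]{4}) \| [CM]\] "
                r"(?:\(.*?\) )?-- (?P<path>.+)$")

def triage(lines):
    """Return (category, path) pairs worth a closer look, in input order."""
    findings = []
    for line in lines:
        m = O4.match(line)
        if m:
            target = m["target"]
            missing = target.endswith("File not found")
            # Drop the trailing "(vendor)" or "File not found" annotation.
            path = re.sub(r"\s*(File not found|\([^()]*\))$", "", target)
            if path.lower().endswith(SCRIPT_EXT):
                findings.append(("script-autorun", path))
            elif missing:
                findings.append(("orphaned-autorun", path))
            continue
        m = FS.match(line)
        if m and all(flag in m["attr"] for flag in "HSD"):
            # Hidden + System + Directory with an all-digit name (heuristic).
            if m["path"].rsplit("\\", 1)[-1].isdigit():
                findings.append(("hidden-numeric-dir", m["path"]))
    return findings

if __name__ == "__main__":
    for kind, path in triage(SAMPLE):
        print(f"{kind:20} {path}")
```

An orphaned autorun is usually just a leftover from an uninstalled program; the script autoruns and the hidden numeric directories are the entries that match what this fix removes.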

bente20

  • Guest
Hi guys,

I have experienced the same problem as marcelonagem and nandosesti, right down to the same problem with McShield. I have managed to run OTL and have attached the text file.

Please help

Thank you

Offline TwinHeadedEagle

  • Malware Removal Expert
  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2987
    • Zemana
Open your own topic and attach the logs there...
My help is free, however if you'd like to show your appreciation by leaving a donation, it will be much appreciated ------> DONATE

bente20

  • Guest
oooh sorry

will do

thnx