TechSpot

Got something really nasty this time with lots of symptoms

By TheCosmicEnergy
Jun 9, 2007
  1. Hello, this is my first time at this site. I tried to get help from SpywareInfo.com, but they were unsuccessful in fixing my problem. That was back at the end of February. I have just been too discouraged about it to mess with it since then, but now I am ready to give this another shot before I resign myself to doing a reinstall. I'm hoping someone here will see something that the other guy didn't. All this occurred after trying to use a Keygen for Kaspersky Internet Security (don't worry, the irony was not lost on me). It feels like there is something still running in the background undetected as of yet. For instance, during a computer restart/startup, it takes about 3 times longer than it used to, as if there is a program running first to throw a wrench in the works before my actual personal settings are loaded.

    Some of my main symptoms are:
    • Loss of sound. The computer doesn't recognize that there are any sound devices connected.
    • Most Windows Services are basically unavailable. A lot of them, that would be running/started under normal circumstances before these problems arose, aren't running, and they can't be started manually. Also, their "properties" can't be accessed. Out of 103 services, only 6 are started.
    • I can "copy" but I can't "paste" in most situations (the paste option in the right click menu is "grayed out" and is unavailable). However, I can copy and paste from a .txt file.
    • Desktop acts as if it is locked. Can't even move desktop icons around. The same is true for all folders also. Can't move icons & can't "move to" or "copy to".
    • Some programs such as Spyware Doctor will not open. Some programs will open, but have lost some functionality. Such as Nero only partially works.
    • Printer and scanner no longer show up as being connected/installed, so I have no functionality with either of them.
    • AVG Anti-Virus update service won't complete an update.
    • Windows "Search" sidebar function is unavailable (opens as just a blank sidebar).
    • Windows Updates won't work.
    That is the majority of symptoms.


    Moderator: I've copied and pasted your logfiles in notepad and attached them. Please do not copy and paste your files in the future.

    I'll post the other logs below in the next post.

    I'll post an AntiSpyware Log as soon as I run a scan.

    Thanks for the help ahead of time,
    CosmicEnergyº°`°º¤ø,¸¸,ø¤º°`°º¤ø
     

  2. momok

    momok TS Rookie Posts: 2,265

    Hi TheCosmicEnergy and welcome to techspot. =)

    Considering you've gotten help and still have not found a fix to your problems, do have mental preparations for failure in case the problems on your system are beyond fixing.

    That said, I will do my best to help you resolve your problems.

    Have HijackThis fix these entries:

    O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User '?')
    O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB696C3-5580-4239-A512-142AD2927420}: NameServer = 205.152.37.23,205.152.132.23 < Fix this if you do not recognise the domain to be from your ISP.

    Please provide the results of the AVG Anti Rootkit scan in your next reply too, and attach a fresh HijackThis, ComboFix and AVG Antispyware log.


    Regards,
    Your friendly momok =)

    This thread is for the use of TheCosmicEnergy only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. TheCosmicEnergy

    TheCosmicEnergy TS Rookie Topic Starter

    Hello and thanks for your help. I deleted the first two entries from HijackThis, but I wasn't sure about the third one having to do with possibly being from my ISP. How can I tell if it is from my ISP or not?

    The AVG Anti Rootkit came up clean.

    HijackThis Log:
    View attachment 18683
    AVG Antispyware Log:
    View attachment 18684
    ComboFix Log:
    View attachment 18685

    Thanks Again,
    Cosmicº°`°º¤ø,¸¸,ø¤º°`°º¤ø
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Go to http://www.all-nettools.com/toolbox and enter 205.152.37.23 in the whois box. Check if the details tally with yours. If it doesn't, run HijackThis and fix the O17 entries.

    Please download and run CCleaner via step 9 of the instructions HERE.

    I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I suggest you run AVG again and quarantine the files. Pictorial instructions HERE.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the autoruns log in your next reply.

    Regards,
    Your friendly momok =)

     
  5. Barlettaborn

    Barlettaborn TS Rookie

    I think if it's too bad, it would be worth backing up essential files, and just popping your windows disk in, and reinstalling your OPS.
    Especially if things are getting progressively worse.
     
  6. TheCosmicEnergy

    TheCosmicEnergy TS Rookie Topic Starter

    Yeah, I'm glad I didn't have HijackThis "fix" that O17 entry. It is from my Bellsouth DSL ISP.

    For CCleaner: I already performed that when I followed all the "steps" in the "before posting" thread.

    For the AVG Antispyware Log quoting "no action taken": I saved the log before I quarantined.

    Autoruns Log:
    View attachment 18688

    Thanks again for your help guys,
    Cosmicº°`°º¤ø,¸¸,ø¤º°`°º¤ø
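
The O17 nameserver check discussed in the posts above, as an added example that is not part of the original thread: it pulls the DNS servers out of HijackThis O17 lines and lists any that fall outside networks the user has already confirmed by whois. The function names, the second sample line and the `VERIFIED` list are assumptions made for illustration.

```python
import ipaddress
import re

# HijackThis O17 lines report DNS settings read from the Tcpip registry keys.
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): (?P<name>\w+) = (?P<value>.+)$")

def parse_o17(log_text):
    """Yield (registry_key, value_name, [ip, ...]) for each O17 NameServer line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m or m["name"].lower() != "nameserver":
            continue
        ips = []
        for token in re.split(r"[,\s]+", m["value"].strip()):
            try:
                ips.append(ipaddress.ip_address(token))
            except ValueError:
                pass  # skip helper annotations or malformed tokens
        yield m["key"], m["name"], ips

def unverified_resolvers(log_text, verified_networks):
    """Return (registry_key, ip) pairs for resolvers outside every verified network."""
    nets = [ipaddress.ip_network(n) for n in verified_networks]
    findings = []
    for key, _name, ips in parse_o17(log_text):
        for ip in ips:
            if not any(ip in net for net in nets):
                findings.append((key, str(ip)))
    return findings

# Constructed sample: the first O17 line is the entry quoted in the thread; the
# second is made up and uses a documentation-range address (203.0.113.0/24).
SAMPLE_LOG = r"""
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\..\{FCB696C3-5580-4239-A512-142AD2927420}: NameServer = 205.152.37.23,205.152.132.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{00000000-0000-0000-0000-000000000001}: NameServer = 203.0.113.53 205.152.37.23
"""

# Assumption: both addresses were confirmed as the ISP's resolvers via whois.
VERIFIED = ["205.152.37.23/32", "205.152.132.23/32"]

if __name__ == "__main__":
    for key, ip in unverified_resolvers(SAMPLE_LOG, VERIFIED):
        print(f"unverified DNS server {ip} under {key}")
```

Only addresses that remain unverified after the whois comparison are candidates for the HijackThis fix; an entry that matches the ISP, as it did here, is left alone.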
     
  7. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I would like you to boot into safe mode, and unhide all your system files. Then search for this file:
    C:\WINDOWS\system32\seppgm.sys

    If you find it, please delete it.

    I agree with Barlettaborn: you should back up any essential documents. Right now, I cannot see any traces of infection; however, from the looks of it, it is very likely that your system may be corrupted/damaged from the infection.

    In such a case, I would recommend trying a Windows repair.

    For information on how to repair your Windows XP/2000 system files, please see HERE.

    Let me know how everything goes.


    Regards,
    Your friendly momok =)

     
  8. TheCosmicEnergy

    TheCosmicEnergy TS Rookie Topic Starter

    OK, no seppgm.sys was present.

    Also, I used the link you provided to the page instructing how to repair Windows. On there is a link to a memory test on memtest.org. I downloaded the .ISO file, but can't figure out how to use it. I couldn't find any instruction on their site either. Any idea about using that?

    Ramblin' On,
    CosmicEnergyº°`°º¤ø,¸¸,ø¤º°`°º¤ø
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Actually I recommended a system repair, so you can go ahead to do the repair. However, I've provided the instructions for using memtest HERE should you still wish to try first.

    Do let us know the results of your repair.


    Regards,
    Your friendly momok =)

     
  10. TheCosmicEnergy

    TheCosmicEnergy TS Rookie Topic Starter

    I know, I just happened to see the memtest when I was reading over the page on "Repairing" the system. Thought I would do it just for kicks. So that's it then, huh? Nothing else to try before trying the system repair?
    Thanks,
    Cosmicº°`°º¤ø,¸¸,ø¤º°`°º¤ø
     
  11. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Do go ahead with the system repair and let me know the results. I'm not sure if I have any other ideas to suggest right now.


    Regards,
    Your friendly momok =)

     
  12. TheCosmicEnergy

    TheCosmicEnergy TS Rookie Topic Starter

    Hello Momok (or whoever may be reading this). IIIIIIIIIIIIII'm baaaaack! Ended up doing a fresh install to fix the corrupted system files I had. I tried to do a repair using the system recovery disc, but the system recovery disc that I made was done after my troubles began, so I assume it also was corrupt or incomplete. It would not complete the repair at the end of the process. However, I acquired a fresh copy of Windows XP and an external hard drive and backed up my files and settings before I did the reinstall. Afterwards, all is good and all original symptoms are gone...........except for a more recent slight infestation of something. If you would be so kind as to give this log a looking over, I would appreciate it. Symptoms are:
    1. Every time I reboot, AVG resident shield pops up 3-5 times with detections of SHeur.ZQ, Downloader.Generic5.QB, Downloader.Generic4.THB, and a couple others. They usually show up listed in different places with different file names each time they show up.
    2. When I start IE, I get some bandwidth hogging popup windows. I am thinking they are due to some BHOs that don't belong there, one of which I believe to be ddcyv.dll. When I disable it, the popups stop, but every time I reboot, it re-enables itself. A couple of the other ones sound like they don't belong either (such as etbbeefr.dll & ssqonlm.dll), but I thought I would get your advice first before officially killing any of them.
    3. Also recently, every scan using AVG Internet Security has been consistently coming up with this result each time: Object - C:\WINDOWS\system32\drivers\etc\hosts Result-Change Status-Changed
    Also a question about all-in-one scanners, e.g. AVG Internet Security: are the all-in-one scanners as good as using separate individual scanners? I like the idea of one scan doing it all (in general); of course I still use AdAware and SpyBot anyway, but what is the general consensus on all-in-one programs versus individual scanners? I don't want to sacrifice functionality for the sake of ease-of-use.

    Hijack This Log:
     
  13. momok

    momok TS Rookie Posts: 2,265

    Hi,

    It sounds like a real handful we are dealing with here. Firstly I'd like you to do the following:

    Very Important: Malware infections may possibly lead to identity theft, loss of funds from bank accounts, misuse of credit card information etc. Therefore I strongly encourage you to read this thread HERE before deciding what course of action to take regarding your infection.

    Let me know if you wish to format or clean.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Once you have downloaded SpyBot from the instructions, visit HERE to learn how to lock your Hosts File.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs; if you do, they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
