TechSpot

Serious infection - comp only works in SM

By kathee1314
Jan 21, 2009
  1. This problem began ~2 weeks ago. It first started as some popup that said Antispyware 2009 program and to DL it would help my comp, etc. I immediately closed those windows. And continued on using the web.
    And then whenever I used google search, a blank tab would open & in the URL it would be an ISP number, which eventually turned into the Sagispul problem.
    So then I started running Spybot & Adaware and it found lots of things, I deleted them, etc.
    But I realized my internet was a LOT slower than usual and definitely felt there was a lot more information going on / going out than normal. Plus when I checked my history, every time after I use google, there would be an iconless page that apparently opened with just the name 'url'.
    So I installed Malaware, and ran it through. But the problem persisted.
    Then I installed Superantispyware and ran it through, and it found many things, and when it tried to delete everything at the end, before completion, my computer turned off, and then on again.
    Not a good sign.
    After that day, in Normal mode, even if I do not use the net, my computer would switch off and on by itself after 1 minute or so.
    I had to resort to SM to access anything and began the thorough 8 steps.
    PROBLEMS:
    -On two separate occasions SAS would find 2 particular threats, and need to reboot to finish it, h/e there is some error that prevents it from thoroughly rebooting. (I can elaborate if needed)
    -I can NOT uninstall the old version of Java I have. I have a J2SE Update 9, and Update 10. I installed the newest one but cannot get rid of the old ones in SM (of course). So I go to Normal and every time I click 'Remove', the popup that begins the removal opens but then freezes that way.
    -Worse still, it's getting harder and harder to use SM. As in, more and more constantly, after I click the 'Username' from Startup, the page just becomes pitch black with Safe Mode written, and basically zero activity. Then when I try to log off or switch users from the Task Manager, for some reason, there is a popup that says iexplorer.exe is Not Responding, etc. And sometimes when I click 'End Now', or even after I wait, it changes the computer to blank.

    Please help!!!!!!!
     
  2. AdriMagnon

    AdriMagnon TS Rookie Posts: 20

    Hi,

    This is a quick reply so if you need more of an explanation I can try and help tomorrow. Get the free version of ZoneAlarm. Install it and then reboot. If you have a lot of viruses then when you have rebooted ZoneAlarm will start popping up like mad asking if you want to let the various "programs" out to the internet. Say No to all of them and don't choose 'Remember this Answer'. Turn OFF System Restore (microsoft.com/kb/310405) and reboot and choose Safe Mode. In SM do a virus scan and Ad-Aware scan. Reboot back into SM. Do the virus and Ad-Aware scan again. Now reboot into normal Windows. There should be far fewer ZoneAlarm requests and it should be faster. Do a virus and Ad-Aware scan. Reboot after it is finished and go into normal Windows. Hopefully the only ZoneAlarm popups will be for programs you are opening at the time.

    If your computer was badly compromised I recommend backing up your important data and doing a fresh OS install when you have a chance.

    Please let me know if this helps you.

    Adrian
     
  3. kathee1314

    kathee1314 TS Rookie Topic Starter

    Hi there!!!
    Thanks for the suggestions, except my PC got worse and even in Safe Mode with Networking, I cannot access the web, mozilla firefox just closes down, with one of those 'firefox has encountered a problem, Do you wish to report, etc, etc, 'Send', 'Don't Send'' windows, that automatically closes it... =\
    To be honest, I am absolutely illiterate with computers and I am going to ask a really stupid question..
    If I want to backup my important files................
    how would I do that................ because that's the one thing I am most concerned about right now.
    Thank you!
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You've almost given too much information and not enough information at the same time!

    What we need:
    1. Malwarebytes log
    2. SuperAntispyware log
    3. HijackThis log.

    You need to attach all three in your next post. Don't worry about Java now. It won't uninstall because it's running. Once it's unchecked using msconfig, you will be able to uninstall it.

    And a note about using Safe Mode with Networking: your security programs don't load in this mode. If you need access to download a program, it would be better to use a flash drive.
     
  5. kathee1314

    kathee1314 TS Rookie Topic Starter

    The logs are attached in the original message!
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Well, my apology- but the logs did not show when I viewed your post!

    First off, do not use System Restore. The malware is in the restore points. We will drop the old points when the cleaning has been completed and create a new, clean one.

    On to the HijackThis log: I am amazed that you have almost 20 processes starting in Safe Mode that do NOT need to start on boot in any mode:

    1. [C-Media Mixer] (Not Required, often infrequently run tasks that can be run manually.)
    2. [QuickTime Task]
    3. [Camera Detector]
    4. [SunJavaUpdateSched] >> turn off as follows:
    Control Panel> Java> Update tab> UNCHECK 'check automatically for updates'> Apply> Answer Yes when asked to verify.
    5. [LVCOMS] (for Logitech Multimedia webcam)
    6. [LogitechGalleryRepair] (for Logitech ImageStudio)
    7. [EPSON Stylus Photo R200 Series] (printer)
    8. [Sony Ericsson PC Suite] >> for the Sony Ericsson P910 phone. This program can be used to synchronize your data between your PC and phone. You can start this program as necessary.
    9. [NBKeyScan] (Only required for if you have scheduled back-ups.)
    10. [NeroFilterCheck] (Associated with Nero Burning Rom CD writing software)
    11. [HP Software Update] (HP software updater. Removing this entry will free up some system resources.)
    12. [Adobe Reader Speed Launcher]

    13. O4 - Global Startup: Adobe Gamma Loader.lnk
    14. O4 - Global Startup: HP Digital Imaging Monitor.lnk
    15. O4 - Global Startup: Logitech Desktop Messenger.lnk (Automatically checks for software upgrades AND new products, services and special offerings from Logitech)
    16. O4 - Global Startup: Microsoft Office.lnk (Application which launches common MS Office components to help speed up the launch of Office programs. It's somewhat of a resource hog.)
    17. O4 - Global Startup: Qshelf.lnk (Microsoft Reference\Bookshelf 98\) (a reference often bundled with personal computers as a cheaper alternative to the Encarta Suite.)
    18. O4 - Global Startup: WinZip Quick Pick.lnk (Windows XP has its own extractor for compressed files)
    19. O4 - HKLM\..\\dumprep 0 -k (In connection with memory dumps. Not necessary to run system properly. Removing this entry will free up some system resources.)

    This refers to the Startup folders at:-
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK ALL of the processes above> Apply> OK.

    Start> Run> services.msc> right click> Properties on each of the Services below> change the Startup type to Manual.

    Now try to reboot the computer into Normal Mode. NOTE:You will get a nag message that you can ignore and close after changing 'don't show this message again.' Stay in Selective Startup.

    * Clear your existing system restore points and establish a new clean restore point:
    1. Go to Start > All Programs > Accessories > System Tools > System Restore
    2. Select Create a restore point, and OK it.
    3. Next, go to Start > Run and type in cleanmgr
    4. Select the More options tab
    5. Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.

    Let me know how the system runs now.
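As an added illustration, not code from this thread or from HijackThis itself, here is a small Python parser for the O4 autostart entries Bobbye is reading out of the log (HKLM/HKCU Run keys and the two Startup folders); the sample log lines and the "trusted install roots" heuristic are constructed assumptions, not the poster's real data.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis O4 notation (not the poster's real log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: update.lnk = C:\Documents and Settings\Owner\Application Data\update.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
"""

# Registry-based O4 lines: "O4 - HKLM\..\Run: [Name] command"
REG_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$')
# Startup-folder O4 lines: "O4 - Global Startup: Name.lnk = path"
FOLDER_RE = re.compile(r'^O4 - (Global Startup|Startup): (.+?) = (.*)$')
# First quoted token, or everything up to the first ".exe"
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)', re.IGNORECASE)
# Assumed heuristic: autostarts launching from Temp or the user profile deserve a closer look.
TRUSTED_ROOTS = ("c:\\program files", "c:\\windows")

@dataclass
class Autostart:
    location: str  # "HKLM Run", "HKCU Run", "Global Startup", "Startup"
    name: str
    command: str

    def exe_path(self) -> str:
        m = EXE_RE.match(self.command.strip())
        return (m.group(1) or m.group(2)) if m else self.command

    def outside_trusted_roots(self) -> bool:
        return not self.exe_path().lower().startswith(TRUSTED_ROOTS)

def parse_o4(log_text: str) -> list:
    """Return every O4 autostart entry in a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        if m := REG_RE.match(line):
            hive, key, name, cmd = m.groups()
            entries.append(Autostart(f"{hive} {key}", name, cmd))
        elif m := FOLDER_RE.match(line):
            loc, name, cmd = m.groups()
            entries.append(Autostart(loc, name, cmd))
    return entries

def flag_suspicious(entries: list) -> list:
    # Names of entries whose executable sits outside TRUSTED_ROOTS
    return [e.name for e in entries if e.outside_trusted_roots()]
```

Running `flag_suspicious(parse_o4(SAMPLE_LOG))` on the constructed log returns the two entries that start from the user profile, which is the kind of entry a helper would ask about before unchecking anything in msconfig.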
     
  7. kathee1314

    kathee1314 TS Rookie Topic Starter

    Hi there!
    I had difficulty understanding how to turn off #19
    "19. O4 - HKLM\..\\dumprep 0 -k (In connection with memory dumps. Not necessary to run system properly. Removing this entry will free up some system resources.)"

    As well as what this part addressed to:
    "This refers to the Startup folders at:-
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Owner\Start Menu\Programs\Startup"

    I did the steps you asked up to "Now try to reboot the computer into Normal Mode."
    1) It did not ask me: "You will get a nag message that you can ignore and close after changing 'don't show this message again.' Stay in Selective Startup." (Yes I did select 'Selective Startup' from msconfig)
    2) After logging into my username and the desktop began to load, the computer still turned off =\
    !!

    As well, I really think a big problem is in the Java application, b/c even when I try to open or access it in Safe Mode (to change settings, to stop updates, or to remove older versions), the computer freezes, or does not respond at all. I have not been able to access Java in any way at all =\

    Thank you for all the help you've given me!!!!
    I really don't know what to do next =\
     
  8. kathee1314

    kathee1314 TS Rookie Topic Starter

    Btw one more thing
    now when I turn on my computer in SM, after logging on, cmd.exe pops up, with <C:\Document&Settings\Username>
    ...
    when I close the window, the screen is black, with the Safe Mode written

    =\

    The only way I've been accessing this board for this entire thread is through my brother's computer.. must say he's getting annoyed ^__^

    Please advise?!?!!!!!!!!!!!!

    (One last observation, I don't know if it's relevant.. but I noticed that when I sign onto gmail and my bank account on other computers, my gmail asks me to verify with one of those letter codes, and my bank accnt asks me a Security Question ... )
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Start> Run> msconfig> enter> Selective Startup> Startup tab> UNCHECK dumprep> Apply> OK.

    If it isn't showing on the left:
    Control Panel> Folder options> View tab> CHECK 'show hidden files & folders'> Apply> OK.

    Now go uncheck it. When through, remove the check from 'show hidden files & folders'.

    This was FYI only for #19.

    You only get the nag message IF you make a change on Startup. You didn't, so no message.

    Has the above stopped?

    If you use something like CCleaner and did not tell it NOT to remove your passwords, that's why you have to sign in again.

    Please tell me exactly what is new and what original problems were resolved- if any.

    If you are still getting any error messages, find the Error that corresponds to the time of the message, in the Event Viewer:

    Start> Run> type in eventvwr

    Please ignore Warnings. You do not need to include the lines of code in the box below the Description, if any. Please do not copy the entire log.
     
  10. kathee1314

    kathee1314 TS Rookie Topic Starter

    Hi there, thanks for all the help!!
    So yes, I have been able to uncheck the dumprep 0-k and it seems to have helped in the sense that in Normal mode.. the computer stays turned on for longer..
    Unfortunately after a few minutes, it still shuts off and reboots.

    In normal mode after I click on System Restore, nothing opens. It seems to be the same case for programs like SuperAntiSpyware, and Mozilla Firefox crashes too.

    In Safe Mode I can still access SuperAntiSpyware, just not in Normal.

    I'm stuck once again!

    Thanks for all the help, I really wouldn't know what to do if not for this board!!!!!!!
     
  11. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

    Backing up can be done by means of any external storage. Depending on the size of the data needing backup, you could use DVDs or external hard-drives that can be purchased from any computer store and many retail stores as well. To backup to DVD, you might have to use programs such as Nero, again depending on the type of data needing backing up.

    If there's anything else you'd like to know regarding backing up, please do ask.

    Spyder_1386 :)
     
  12. kathee1314

    kathee1314 TS Rookie Topic Starter

    Oh, okay =)
    So would I just move/copy the files onto the disc / USB / something of that sort?
    I'm most concerned about family pictures, because there's 3-4 years worth of that stuff on there..
     
  13. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

    Yea that's exactly it :) .... if you had a partition on your current hard-drive or maybe even two separate drives, you could have just used that. But that's what backing up generally means yes ... to copy or move files to a place that won't be affected by a system failure :) .... hope that helped ...

    Spyder_1386 :)
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Is this what you're trying to do?
    * Clear your existing system restore points and establish a new clean restore point:
    Did you follow my path in red?

    Do you get any message when you click on System Restore when 'nothing happens'? And when SAS and Firefox 'crash', do you get any message? IF you do, please follow the path to look for corresponding Errors in the Event Viewer: Previously laid out in Post #9:
    Run through the System Restore Troubleshooting:
    I need to get a better idea of just what is available to you in both Safe and Normal Modes.
    The only entries found in SAS and Mbam were in System Restore points. Hopefully you can remove them. If you cannot at this point, Do Not Use the System Restore function as you will reinfect the system.

    And by all means backup. The only potential problem of backing up when you have malware is the inclusion of malware in the backup files. But they can be scanned on an individual basis.

    I would also be interested in knowing how much installed RAM you have, since you have so many processes on startup.

    Edit: You CAN run Malwarebytes and SuperAntiSpyware in Safe Mode. Unless you use the flash drive to update first, you won't be able to update before a new scan, which is important.
     
Topic Status:
Not open for further replies.
