All messed up

disbanded

New Member
I got a pretty bad virus yesterday called Internet Security 2010. I was able to finally get that off, I thought, but I am still having some other problems.

Now my computer is running very, very slow and every time I go to a webpage - I get redirected to another.

On another note, I used McAfee, but felt like it let this virus through, so I downloaded the free version of AVG, but it keeps finding a file that is not a problem and classifies it as a virus, so the Threat detected screen keeps popping up every few minutes. So, maybe I will go back to McAfee.

Here is my Hijack log and the Malwarebytes log. Thanks for your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:27 AM, on 12/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BELKIN~1\BELKIN~1.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
C:\Program Files\Belkin Automatic Power Management Software\jre\bin\javaw.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\RunServices: [BelkinAPM] C:\Program Files\Belkin Automatic Power Management Software\BelkinAPM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08948e0e8bd2aa5a5a14/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6796.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178638478592
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178661988280
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://adobe.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://misskas01.missionitservices.com/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FF1CD9A3-00CD-45C1-8182-4EEC229A182D} (Plaxo Auto-Import Utility) - http://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: BelkinAPM - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~1.EXE
O23 - Service: BelkinAPMmanager - ZeroG Software - C:\PROGRA~1\BELKIN~1\BE8806~1.EXE
O23 - Service: BelkinAPMmonitor - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~4.EXE
O23 - Service: BelkinAPMRMI - ZeroG Software - C:\PROGRA~1\BELKIN~1\BELKIN~3.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
O23 - Service: Google Update Service (gupdate1ca17b4ba813524) (gupdate1ca17b4ba813524) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 10807 bytes

Malwarebytes' Anti-Malware 1.42
Database version: 3410
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/23/2009 1:40:50 PM
mbam-log-2009-12-23 (13-40-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297511
Time elapsed: 40 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9831E5C3-EA42-485C-AA43-7A0E8B2D9D2C}\RP604\A0191057.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{9831E5C3-EA42-485C-AA43-7A0E8B2D9D2C}\RP604\A0191058.sys (Rootkit.Agent) -> No action taken.
 

Respital

Active Member
Please run another full scan with Malwarebytes' and delete the infections that it finds as the log has indicated that you have not removed the infections.
 

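The Malwarebytes log in the first post ends every detection with "-> No action taken", which is the point Respital's reply picks up on. As an added example that is not part of the thread, here is a small Python parser for that log layout: it pulls each detection out of the per-category sections, records the action MBAM took, and notes whether the path lies inside a System Restore snapshot (the `_restore{GUID}\RPnnn` folders under System Volume Information). The sample log is a constructed excerpt built from the two paths in the post.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed excerpt in the Malwarebytes' Anti-Malware 1.4x log layout; the two
# detection lines are the ones from the post above.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.42
Database version: 3410

Scan type: Full Scan (C:\|)
Objects scanned: 297511

Memory Processes Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9831E5C3-EA42-485C-AA43-7A0E8B2D9D2C}\RP604\A0191057.sys (Rootkit.Agent) -> No action taken.
C:\System Volume Information\_restore{9831E5C3-EA42-485C-AA43-7A0E8B2D9D2C}\RP604\A0191058.sys (Rootkit.Agent) -> No action taken.
"""


class Detection(NamedTuple):
    section: str           # e.g. "Files Infected"
    path: str              # file, folder or registry location
    name: str              # MBAM detection name, e.g. Rootkit.Agent
    action: str            # what MBAM did, e.g. "No action taken"
    in_restore_point: bool


# "<location> (<detection name>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# System Restore snapshot folders: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\")


def parse_mbam_log(text: str) -> List[Detection]:
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):      # per-category header; the summary block
            section = line[:-1]             # uses "... Infected: <count>" and is skipped
            continue
        if section is None or line.startswith("("):
            continue                        # header lines / "(No malicious items detected)"
        m = ITEM_RE.match(line)
        if m:
            found.append(Detection(section, m["path"], m["name"], m["action"],
                                   bool(RESTORE_RE.search(m["path"]))))
    return found


def triage(text: str) -> Dict[str, object]:
    """Split what the scan found into items MBAM removed, items it left on disk,
    and, among the latter, which ones live only inside restore points."""
    items = parse_mbam_log(text)
    unresolved = [d for d in items if d.action.lower().startswith("no action")]
    return {
        "detections": len(items),
        "unresolved": [d.path for d in unresolved],
        "live_unresolved": [d.path for d in unresolved if not d.in_restore_point],
        "restore_point_unresolved": [d.path for d in unresolved if d.in_restore_point],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, `triage` reports two detections, both unresolved and both inside restore point RP604. A log whose items all read "No action taken" is a list of things still on disk, not a clean result; and because a System Restore would bring snapshot copies back, a detection that exists only under `_restore{...}` is normally dealt with by purging the restore points once the live system is clean.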
johnb35

Administrator
Staff member
Your hijackthis log is clean. Can you give me a list of what files are popping up in avg? I trust AVG more than I trust McAfee, always have and always will.
 

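johnb35 reads the HijackThis log as clean. As an added example, not code from the thread or from HijackThis itself, here is a Python parser for the log format shown above together with a few of the review heuristics a practitioner applies when eyeballing such a log: O23 services listed with "Unknown owner", O16 ActiveX entries that fetch a bare .dll over plain HTTP, O20 Winlogon Notify DLLs (which are loaded into winlogon.exe), and O15 Trusted Zone wildcards. The flags are a review queue, not a verdict: the sample is made of lines copied from the log above, and the entries it flags belong to AVG, PunkBuster and an ActiveX control from a third-party host, so a hit means "look at this", which is what the moderator evidently did.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: a header line, one process-list line and a handful of
# entries copied from the log in the thread above.
SAMPLE_HJT = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/08948e0e8bd2aa5a5a14/netzip/RdxIE601.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://misskas01.missionitservices.com/inc/kaxRemote.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


class Entry(NamedTuple):
    code: str              # HijackThis section, e.g. O2, O16, O23
    body: str              # everything after "Onn - "
    target: Optional[str]  # the path, command line or URL the entry points at


ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def extract_target(code: str, body: str) -> Optional[str]:
    """Pull out the file/URL field. Simplification: the last ' - ' separated field
    is taken as the target, so a path that itself contains ' - ' would be cut."""
    if code == "O4":                       # "HKLM\..\Run: [Name] command line"
        return body.partition("] ")[2].strip() or None
    if code.startswith("R"):               # "key,value = data"
        return body.partition(" = ")[2].strip() or None
    if " - " in body:
        return body.rsplit(" - ", 1)[1].strip()
    return body.partition(": ")[2].strip() or None   # e.g. "O15 - Trusted Zone: url"


def parse_hjt(text: str) -> List[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:                              # process list, headers and blanks do not match
            entries.append(Entry(m["code"], m["body"], extract_target(m["code"], m["body"])))
    return entries


def review_reasons(e: Entry) -> List[str]:
    """Heuristics that mark an entry for a human look; none of them is a verdict."""
    reasons, t = [], (e.target or "").lower()
    if e.code == "O23" and "unknown owner" in e.body.lower():
        reasons.append("service binary carries no vendor information")
    if e.code == "O16" and t.startswith("http://") and t.endswith(".dll"):
        reasons.append("ActiveX control fetched as a bare DLL over plain HTTP")
    if e.code == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe")
    if e.code == "O15" and "*" in t:
        reasons.append("wildcard Trusted Zone entry lowers IE security for a whole domain")
    return reasons


def review(text: str) -> List[Tuple[str, Optional[str], str]]:
    return [(e.code, e.target, why) for e in parse_hjt(text) for why in review_reasons(e)]


if __name__ == "__main__":
    for code, target, why in review(SAMPLE_HJT):
        print(f"{code}: {target}\n    {why}")
```

Run against the full log from the first post the same function produces the same four kinds of hits and nothing else, which is consistent with the moderator's reading; what the parser cannot tell you is whether a listed file has been modified in place, which is the question the AVG alert later in the thread raises.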
disbanded

New Member
AVG keeps calling this a virus and it pops up every few minutes.

C:\WINDOWS\system32\ws2_32.dll

Virus found Win32/Patched

And it says this -

Object is white-listed (critical/system file that should not be removed)


And I am still having the same problems as before, even after I deleted the Malwarebytes stuff. My computer froze and had to be restarted, and I am still getting redirected every webpage I go to.
 

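AVG's "Win32/Patched" verdict on ws2_32.dll means the scanner believes a legitimate system file has had code inserted into it, not that the file is itself a virus, which is why it white-lists the object instead of removing it. On Windows XP, Windows File Protection keeps a backup copy of protected files in system32\dllcache, and comparing the live file against that backup is the quick check. The following Python is an added example, not from the thread: it hashes both copies for a list of DLLs and reports MATCH, MISMATCH, NO_CACHE or MISSING per file. The list of DLL names is an assumption, and the demo's byte contents are constructed stand-ins; the demo builds a fake system32 tree in a temporary directory with a deliberately altered ws2_32.dll.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable

# Assumption: DLLs worth checking; ws2_32.dll is the one AVG flagged in the thread.
PROTECTED_DLLS = ("ws2_32.dll", "ntdll.dll", "kernel32.dll")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_dllcache(system32: Path, names: Iterable[str] = PROTECTED_DLLS) -> Dict[str, str]:
    """Compare each live DLL in system32 with the Windows File Protection backup in
    system32\\dllcache. Real use: compare_with_dllcache(Path(r"C:\\WINDOWS\\system32"))."""
    cache = system32 / "dllcache"
    verdicts = {}
    for name in names:
        live, backup = system32 / name, cache / name
        if not live.is_file():
            verdicts[name] = "MISSING"        # protected file gone from system32
        elif not backup.is_file():
            verdicts[name] = "NO_CACHE"       # nothing to compare against; use install media
        elif sha256_file(live) == sha256_file(backup):
            verdicts[name] = "MATCH"
        else:
            verdicts[name] = "MISMATCH"       # live copy differs from the WFP backup
    return verdicts


def run_demo() -> Dict[str, str]:
    """Constructed stand-in tree: not real DLLs, just bytes with an MZ/PE prefix."""
    clean = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 256
    patched = clean[:-16] + b"\xe9\x00\x10\x00\x00" + clean[-11:]   # simulated in-place patch
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = Path(tmp) / "system32"
        cache = sys32 / "dllcache"
        cache.mkdir(parents=True)
        (sys32 / "ws2_32.dll").write_bytes(patched)
        (cache / "ws2_32.dll").write_bytes(clean)
        (sys32 / "ntdll.dll").write_bytes(clean)
        (cache / "ntdll.dll").write_bytes(clean)
        (sys32 / "kernel32.dll").write_bytes(clean)                 # no dllcache copy
        return compare_with_dllcache(sys32)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:14} {verdict}")
```

A MISMATCH says only that the two copies differ; it is a reason to replace the file from known-good media of the same service pack or to run `sfc /scannow`, not proof on its own. And a check run from inside a system that may carry a kernel rootkit is only as trustworthy as that kernel: the Rootkit.Agent .sys hits in the Malwarebytes log are a reason to repeat the comparison from a boot CD or with the drive attached to a clean machine.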
disbanded

New Member
I should also say that I have a subscription to McAfee, but am not happy with it since I got this virus (and it slows down my computer a lot).

I only have the free version of AVG, which doesn't allow me to Ignore any files I don't want detected as a threat. Maybe I should buy the subscription for AVG. This is my work computer, so it must be as safe as possible.
 

disbanded

New Member
Well, my computer froze up again (I'm on my laptop now) and won't restart. I keep getting a scary blue screen of death that says

Stop: c000021a Fatal system error
The Windows Logon Process system process terminated unexpectedly
 

johnb35

Administrator
Staff member
Turn the pc back on and start tapping F8 to access the safe mode menu. When it loads choose "last known good configuration" to see if it lets you boot into windows.
 

disbanded

New Member
When trying to reboot using the windows cd I got this warning message

A problem has been detected and windows has shut down to prevent damage.

BAD_POOL_CALLER
 

johnb35

Administrator
Staff member
Try reseating your memory sticks. Did you add any new hardware or install any new software lately?
 

disbanded

New Member
No new hardware. I actually got the Windows cd to start up and hit R for repair, but it takes me to a C prompt and says type Exit to cancel repair and restart windows. What do I type to do the Repair?
 

disbanded

New Member
As I am going through the XP installation - it takes me to a screen and says that my XP Pro is an Upgrade cd and I need to insert my old Windows cd to verify the cd I am using.

As far as I know, I have never had another Windows cd besides the Upgrade. I have had it for years and have reloaded it on many computers - and I have never had this issue. Can anyone help me get past this?
 

johnb35

Administrator
Staff member
> As I am going through the XP installation - it takes me to a screen and says that my XP Pro is an Upgrade cd and I need to insert my old Windows cd to verify the cd I am using.

If you are using an upgrade cd, then you do need an OS cd prior to XP (98, ME, 2000). You can't perform an upgrade or a fresh install without it.

> I have had it for years and have reloaded it on many computers - and I have never had this issue.

You do know that is illegal, right? Unless you have uninstalled it from the previous computer. And too many activations will make Microsoft wonder what's going on.

And as far as getting past that point? You need to have qualifying media in order to use the upgrade cd. No IF's, AND's or BUT's about it.
 

disbanded

New Member
I actually did it legally and got a new cd code from Windows for every time I re-installed. I was changing hard drives, so everything was ok.

I found my original Windows cd from Dell, but I am still unable to get the Windows to work. I go through the steps that you guys provided, but when I get to the option to choose my Windows and hit R to Repair - there is no option to repair, only to set up Windows on the selected item, press Enter. Or create a partition in the unpartitioned space, press C, or to delete the selected partition, press D, but there is no option to Repair.

I hit Enter to set up Windows, but I get a screen that says the partition is either too full, damaged, not formatted, or formatted with an incompatible file system. To continue installing Windows, Setup must format this partition.

I don't want to format the hard drive if at all possible, so this is as far as I have gotten. Where is my option to Repair?

Right when I boot from the cd it says I can press F2 to go to Automated Recovery. Do I not want to do that?


OH, and I am using my original Dell Windows XP Home cd. I do not have anything older than that. Is this a problem too?
 

johnb35

Administrator
Staff member
If it's not a Dell computer then you can't use that cd. However, if there are errors on the hard drive, that may be the reason why the install can't see a current installation of XP. Try doing a disk diagnostic of the hard drive.
 

disbanded

New Member
Yeah, I don't have the Dell anymore, but that is where the original Windows came from. I was actually able to get past that screen, but the issue now is that there is no Windows XP to select at the Setup screen. I only have this -
C: Partition1 [Unknown] 131072 MB < 131071 MB free >

But it does not show a Windows XP Pro like the instructions you posted show in step 6. Why would this be missing?
 

johnb35

Administrator
Staff member
How big is this hard drive you have? If it's only showing one partition, then that's all that was made on that drive. It looks like you have a clean drive with nothing on it right now, so you can't do a repair; you would have to do a fresh install.
 