Many Viruses please help

Discussion in 'Malware Help (A Specialist Will Reply)' started by mneenee, Sep 22, 2006.

  1. mneenee

    mneenee Corporal

    I have done all the steps in the Run and Read Me First section. (Well, what it would let me do anyway.) This is my sister's computer and she has been having many problems with it. She didn't have any virus protection installed and is still using only SP1 (cannot use Windows Update). It is an IBM ThinkPad R31. So I installed AVG Free Edition and did a scan. It came back with 75 infections; I will name some for you: I-Worm/Bagel, Bagel.MP, Bagel.FW. There were a few more I think? Also it found Trojan Small.P. Couldn't start in safe mode, could not install or run CounterSpy, BitDefender or Panda ActiveScan. So I will only be able to attach the GetRunKey log, ShowNew log and HJT log. Or I guess I won't, as there is no button to click on????? I am in advanced mode with no pop-up blocker that I'm aware of!!! Please advise
    Hope someone can help!! Thanks

    Mneenee
     
  2. matt.chugg

    matt.chugg MajorGeek

    In advanced mode there is a button that has a paperclip on it. That will open a window to attach files.

    Try adding forums.majorgeeks.com* to the trusted zone, as IE may be blocking the JavaScript that opens the new window.
     
  3. mneenee

    mneenee Corporal

    Nope, it will not allow me to click on it. Same thing happened with Panda and BitDefender???

    Thanks

    Mneenee
     
  4. matt.chugg

    matt.chugg MajorGeek

  5. mneenee

    mneenee Corporal

    K I have no idea if I did that right??



    Mneenee
     
  6. matt.chugg

    matt.chugg MajorGeek

    You need to give me the link that it goes to so I can then go to it and view the files.

    (I will actually attach them here myself)
     
  7. mneenee

    mneenee Corporal

  8. matt.chugg

    matt.chugg MajorGeek

    You say you can't run in safe mode? That HJT log doesn't look like it was run in normal mode.
     
  9. mneenee

    mneenee Corporal

    I am in normal mode; when trying to run in safe mode it just keeps asking me if I want to run safe mode?? So I'm not sure what's going on. Do you want me to reboot and run another HJT?

    Mneenee
     
  10. matt.chugg

    matt.chugg MajorGeek

    Well, you do want to run in safe mode, so you click whatever it says to click if you want to continue working in safe mode. You need to run the scans and cleaner from safe mode, but we need the HJT log in normal mode.

    Have you tried using a different browser such as Firefox so you can attach the logs?
     
  11. mneenee

    mneenee Corporal

    I cannot start in safe mode. When I do it from msconfig it says there was an error, and when trying to do it from the F8 key it just keeps repeating itself, asking how I want to start up. When I click on safe mode it asks the same thing over and over again??? I don't know what Firefox is lol?

    Mneenee
     
  12. mneenee

    mneenee Corporal

    Alrighty, I downloaded Firefox and am now able to upload attachments WOOOHOOO!!! So here they are. I did also restart and do another HJT log, not sure if it will be any different but who knows. Thanks for the help.

    Mneenee
     

    Attached Files:

  13. mneenee

    mneenee Corporal

    I did a Stop Sign scan; here were the results:

    c:\temp.zip <Win32.HLLM.Beagle.pswzip>

    c:\documents and settings\user\application data\m\data.oct <Trojan.BeagleProxy>

    Hope this is helpful. I should also mention that Help and Support as well as Search are not working.
     
  14. mneenee

    mneenee Corporal

    Ok, I got a little help from the software forum and retrieved some of my system files back. So now I can use System Restore, Search, Help and Support, and get into Windows Update, but cannot install updates. Also still cannot run in safe mode. Also AVG is not detecting Beagle anymore, but I am going to do another scan. Also I still can't install CounterSpy; it says internal error and some numbers. It is now letting me run BitDefender at the moment and I will try Panda ActiveScan after this. Please help, going on hour 16 and tired lol

    Mneenee
     
    Last edited: Sep 23, 2006
  15. mneenee

    mneenee Corporal

    Ok, couldn't do Panda ActiveScan but BitDefender found quite a few things. I will attach bdscan and HJT. Hope this is helpful.

    Mneenee
     

    Attached Files:

  16. matt.chugg

    matt.chugg MajorGeek

    You need to tell 'your sister' to STOP DOWNLOADING AND SHARING ILLEGAL COPIES OF SOFTWARE

    Please delete all of the following and rerun the scans. Please also remove any other files that have been downloaded illegally, as these will more than likely be infected too.


     
  17. mneenee

    mneenee Corporal

    Whoa, ok, what do you mean by download illegal copies of stuff? I highly doubt that she would do that, as she is very well respected and most unlikely to do that. I will delete the files you asked me to but don't really appreciate the assumption of yes "my sister." I have been here before for my own comp and you can check my logs in previous forums if you don't believe me. Anyhow, thanks for the help.

    Mneenee
     
  18. matt.chugg

    matt.chugg MajorGeek

    OK, just remove them. The files have come from somewhere and, as you can see from the names, they aren't good. Regardless of where they came from they need to all be removed, as they ARE dangerous.

    I could really use a ShowNew log too. Once you have removed them, please can you get a ShowNew log and a RunKeys log as per the instructions, as well as rerunning the BitDefender scan.
     
  19. mneenee

    mneenee Corporal

    Ok, just running BitDefender and will get back to you with the attachments. Could these downloads be coming from her wireless network?? Or is there a way to tell if she is set on a shared wireless network?? Thanks

    Mneenee
     
  20. mneenee

    mneenee Corporal

    K, all done. Here are the reports. Again the GetRunKeys did not show anything, so that is why it is not here. It will not allow me to upload ShowNew as it says that I already uploaded it earlier??? Please advise. Thanks

    Mneenee
     

    Attached Files:

  21. matt.chugg

    matt.chugg MajorGeek

    That probably indicates that it's the same as the previous log, which means it still hasn't been run right. Try renaming it, adding a blank line to the log and reuploading it.

    Notice your BitDefender log looks a bit cleaner now!

    You'd better have a look in the folder where most of those were and check nothing else is lurking in there. You can do this by running a command prompt and using the command below.

    Go to Start --> Run

    Type in CMD and hit enter

    Copy the command below (by highlighting it, right-clicking and selecting Copy, then pasting into the command prompt window in the same manner. NOTE: CTRL-V won't work in the command prompt window.)

    dir "C:\Documents and Settings\user\Application Data\m\shared" >> c:\foldercontents.txt

    Hit enter

    Upload the log in c: called c:\foldercontents.txt
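    The dir redirection above lists what the shell shows by default; without the /a switch, dir leaves out files carrying the hidden or system attribute, which is exactly what malware tends to set on its droppings. The script below is an added example (Python, not part of the thread or any tool mentioned in it) that builds the same kind of foldercontents.txt report but walks every regular file, hidden ones included, and records size and SHA-256 so individual files can later be looked up or compared. The folder it inventories is a constructed stand-in created in a temporary directory, not the m\shared folder from the thread.

```python
import hashlib
import os
import tempfile
from typing import List, Tuple


def sha256_of(path: str) -> str:
    """Hash a file in chunks so a large download does not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(folder: str) -> List[Tuple[str, int, str]]:
    """Return (relative path, size, sha256) for every regular file under
    `folder`, hidden files included, sorted by path so reports are stable."""
    rows = []
    for root, _dirs, files in os.walk(folder):
        for name in files:
            full = os.path.join(root, name)
            # Skip symlinks: hashing the target would misattribute the content.
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, folder).replace(os.sep, "/")
            rows.append((rel, os.path.getsize(full), sha256_of(full)))
    return sorted(rows)


def write_report(folder: str, report_path: str) -> List[str]:
    """Write one 'size  sha256  path' line per file; return the paths listed."""
    rows = inventory(folder)
    with open(report_path, "w", encoding="utf-8") as out:
        out.write("# inventory of %s\n" % folder)
        for rel, size, digest in rows:
            out.write("%10d  %s  %s\n" % (size, digest, rel))
    return [rel for rel, _, _ in rows]


def demo() -> List[str]:
    """Constructed stand-in for a suspect shared folder: a visible file, a
    dot-hidden file and a file in a sub-folder. Returns the paths reported."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = os.path.join(tmp, "shared")
        os.makedirs(os.path.join(shared, "sub"))
        samples = {
            "setup.exe": b"MZ constructed sample, not a real executable",
            ".hidden.dat": b"\x00" * 16,
            "sub/readme.txt": b"constructed",
        }
        for rel, data in samples.items():
            with open(os.path.join(shared, rel), "wb") as f:
                f.write(data)
        report = os.path.join(tmp, "foldercontents.txt")
        listed = write_report(shared, report)
        with open(report, encoding="utf-8") as f:
            print(f.read())
        return listed


if __name__ == "__main__":
    demo()
```

    Run it against a real folder with write_report(r"C:\path\to\folder", r"C:\foldercontents.txt"); the hashes make it possible to tell whether two oddly named files are in fact the same payload, which a plain dir listing cannot show.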
     
  22. mneenee

    mneenee Corporal

    Ok, I have done everything you said. I completely deleted the contents of that m/shared folder; it was all junk. Thank you so much. Do you need another HJT log?

    Mneenee
     

    Attached Files:

  23. mneenee

    mneenee Corporal

    Here is the HJT log, just in case.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are not following the directions in the links for GetRunKey and ShowNew. You MUST EXTRACT ALL FILES from the ZIP file and you MUST run the .bat file from a Windows Explorer window. You MUST NOT try to run the .bat files from inside the zip file, which is what you appear to be doing.
     
  25. mneenee

    mneenee Corporal

    Sorry, I'm a bonehead. Here are the new HJT, ShowNew and RunKeys logs. I have fixed quite a bit of things since last posting here. I have been able to update to Win XP SP2 and am now current with all the updates. The only big problem I seem to be having is not being able to boot into safe mode. I have tried using the repair sfc /scannow method but it doesn't seem to be working. Please advise and thank you again.

    Mneenee
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [RecoverFromReboo] C:\windows\Temp\RECOVE~1.EXE
    O4 - HKLM\..\Run: [Cpermdh] C:\Program Files\Jamm\Npypu.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Jamm <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Also delete all files and sub-folders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\user\Local Settings\Temp

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now run CCleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now. If you still have problems, please explain them.
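    The two O4 lines picked out above show the pattern a helper looks for: an autorun whose executable sits in a Temp folder under an 8.3 short name, and one launched from a program folder nobody installed on purpose, registered under a value name that has nothing to do with the executable. The script below is an added example (Python, not from the thread or from HijackThis) that applies those same signals to the O4 section of an HJT log and reports the entries worth a second look. The small known-good list is a constructed stand-in for what a helper knows from experience; the sample log is the two lines from the thread plus constructed ordinary entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis O4 registry-autorun line, e.g.
#   O4 - HKLM\..\Run: [RecoverFromReboo] C:\windows\Temp\RECOVE~1.EXE
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
EXE_RE = re.compile(r"([^\\/\s]+\.exe)\b")

# Constructed stand-in for a helper's knowledge of common, expected autoruns.
KNOWN_GOOD_EXES = {"ctfmon.exe", "avgcc.exe", "explorer.exe"}


def exe_name(cmd: str) -> str:
    """First *.exe token in a (lowercased) command line, or '' if none."""
    m = EXE_RE.search(cmd)
    return m.group(1) if m else ""


# (reason, weight, predicate on the lowercased command). An entry is reported
# when its total weight reaches THRESHOLD, so a lone 8.3 name is not enough.
SIGNALS = [
    ("runs from a Temp directory", 3, lambda cmd: "\\temp\\" in cmd),
    ("runs from the user's profile data area", 2,
     lambda cmd: "\\application data\\" in cmd or "\\local settings\\" in cmd),
    ("executable is not on the known-good list", 2,
     lambda cmd: exe_name(cmd) not in KNOWN_GOOD_EXES),
    ("uses an 8.3 short name (weak signal on its own)", 1,
     lambda cmd: re.search(r"~\d", cmd) is not None),
]
THRESHOLD = 2


@dataclass
class Finding:
    name: str          # the [value name] from the O4 line
    line: str
    score: int
    reasons: List[str]


def assess(line: str) -> Optional[Finding]:
    """Score one O4 line; None if it is not a registry-autorun O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").lower()
    score, reasons = 0, []
    for reason, weight, test in SIGNALS:
        if test(cmd):
            score += weight
            reasons.append(reason)
    # Weak heuristic: legitimate entries usually name themselves after the
    # program they launch, so a value name unrelated to the command is a hint.
    plain = re.sub(r"[^a-z0-9]", "", m.group("name").lower())
    if plain and plain[:4] not in cmd:
        score += 1
        reasons.append("value name unrelated to the executable")
    return Finding(m.group("name"), line.strip(), score, reasons)


def triage(log_text: str) -> List[Finding]:
    """Entries whose score reaches THRESHOLD, highest score first."""
    found = [f for f in (assess(l) for l in log_text.splitlines()) if f]
    return sorted((f for f in found if f.score >= THRESHOLD), key=lambda f: -f.score)


# Constructed sample: the two lines from the thread plus ordinary entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [RecoverFromReboo] C:\\windows\\Temp\\RECOVE~1.EXE
O4 - HKLM\\..\\Run: [Cpermdh] C:\\Program Files\\Jamm\\Npypu.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - Startup: desktop.ini
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%d] %s\n      %s" % (f.score, f.line, "; ".join(f.reasons)))
```

    The AVG line is deliberately included: it also uses an 8.3 short name (PROGRA~1), but because its executable is on the known-good list that single weak signal stays below the threshold, which is why the short-name check carries weight 1 rather than being treated as proof on its own.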
     
  27. mneenee

    mneenee Corporal

    Thanks for getting back to me, Chaslang. I know you guys are very busy. I deleted the file in HJT but I still can't boot into safe mode? Do you want me to delete those files anyway? Thanks

    Mneenee
     
  28. mneenee

    mneenee Corporal

    Ok, I deleted the files anyway. Here is the HJT log. It did let me delete them all. I still cannot boot into safe mode, totally confused. Everything else seems to be okay! Thanks

    Mneenee
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log is clean!

    What happens when you try to boot in safe mode? This is probably not a malware issue.
     
  30. mneenee

    mneenee Corporal

    Ok, well when I try to start in safe mode from the F8 key it lets me select safe mode and looks like it is going to load, but then it beeps and brings me back to the page where you can select safe mode, safe mode with networking etc. I have tried all of them but the only 2 that will actually finish loading are normal mode and Last Known Good Configuration.

    Now when trying to get into safe mode from msconfig Boot.ini, it gives me a warning "Out of memory", then either stops responding or lets me click OK, then tells me that I have to restart for the changes to take effect; upon restarting it just loads me into normal mode. I have been to the software forum and they are stumped too. They figured it was probably malware? So I am at a loss now, have no idea what to do? Any ideas would be much appreciated. And thank you so much for your help. Oh yeah, and did I mention that I even tried to do a repair through sfc /scannow? That didn't work either.

    Mneenee
     
    Last edited: Sep 29, 2006
  31. mneenee

    mneenee Corporal

    Ok, I was reading the post Big Problem (beginning with HLDRR.exe). This is what I had, one of the many forms of Bagle. He is experiencing the exact same problem in safe mode as I am; unfortunately he can't even boot into normal mode. I have found a few articles that may be of some help but I am no good with reading or finding the code. Hope this will help all of us lol.

    http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=119057 and

    http://www.bleepingcomputer.com/startups/hldrrr.exe-14993.html and

    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_BAGLE.EY&VSect=T

    I have checked my registry and I have this reg key

    HKEY_CURRENT_USER\Software\FirstRRRun
    FirstRRRun = "dword:00000001"

    with a subfolder: FirstRuxzx

    Hope this helps.

    Mneenee
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Copy the bold text below to Notepad. Save it as fixme.reg to your desktop. Be sure the "Save as type" is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Now look for the below and delete them if found!
    C:\windows\system32\hldrrr.exe
    C:\windows\exefld <--- the whole folder if found

    Then reboot your PC into normal mode just to make sure everything works okay!
    Then try booting in Safe Mode.

    Also look in your registry and make sure the FirstRRRun key is gone!


    Let me know the results!
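    The check asked for at the end of this post (make sure the FirstRRRun key is gone) can be done without poking at the live registry: export the hive branch to a .reg file and search the export for the indicator key and its subkey. The script below is an added example (Python, not from the thread) that parses Registry Editor export text into keys and values and reports which indicator keys are still present; the two exports it runs on are constructed, one shaped like the registry state mneenee described in the previous post and one with the key removed. It assumes the export was made with reg export (present on XP) and notes that real exports are UTF-16LE, so they must be opened with encoding="utf-16".

```python
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in a .reg export to {value name: raw data}.
    The default value is stored under ''. Wrapped hex values (lines ending
    in a backslash) are folded back into the value they belong to."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    last_value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            last_value = None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            last_value = m.group("name") or ""
            keys[current][last_value] = m.group("data").rstrip("\\")
        elif current is not None and last_value is not None:
            keys[current][last_value] += line.rstrip("\\")   # hex continuation line
    return keys


def find_indicators(export_text: str, indicator_keys: List[str]) -> List[str]:
    """Indicator keys present in the export (case-insensitive), plus any of
    their subkeys, in sorted order. An empty list means they are gone."""
    present = parse_reg_export(export_text)
    hits = []
    for wanted in indicator_keys:
        w = wanted.lower()
        hits.extend(k for k in present if k.lower() == w or k.lower().startswith(w + "\\"))
    return sorted(set(hits))


# Constructed export shaped like `reg export HKCU\Software hkcu.reg` output.
# Real export files are UTF-16LE: read them with open(path, encoding="utf-16").
INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\FirstRRRun]
"FirstRRRun"=dword:00000001

[HKEY_CURRENT_USER\Software\FirstRRRun\FirstRuxzx]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# The same export after the key and its subkey have been removed.
CLEANED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

INDICATORS = [r"HKEY_CURRENT_USER\Software\FirstRRRun"]

if __name__ == "__main__":
    for label, export in (("before", INFECTED_EXPORT), ("after", CLEANED_EXPORT)):
        hits = find_indicators(export, INDICATORS)
        print(label, "->", hits or "indicator key not present")
```

    Matching is case-insensitive and includes subkeys on purpose: the registry itself ignores case in key names, and a leftover subkey such as FirstRuxzx would otherwise pass unnoticed if only the exact parent path were checked.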
     
  33. mneenee

    mneenee Corporal

    Ok, did what you said. The registry key is gone. Unfortunately I still can't boot into safe mode?? This is driving me nuts :confused: lol. Any more ideas? Thanks

    Mneenee
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Most of the time problems like this are not malware related, but it is not impossible for it to be malware either. But your logs were clean, so there is not much more that we can do other than run a few other scans.

    I would suggest you now retry sfc /scannow from a command prompt window. Tell me if it asks for a Windows XP CD or not. If it does, you must provide a Windows XP SP2 CD.

    If that does not help, do the below but I doubt it is going to find anything.

    Now download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and click Scan.
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items, don't do anything with them yet. Just hit Exit (close).
    • It will drop a log on the Desktop that starts with fsbl followed by a big number.
    Please post contents of the BlackLight log.
     
  35. mneenee

    mneenee Corporal

    Here it is, but it didn't find anything.


    Mneenee
     

    Attached Files:

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As I expected!

    Did you rerun sfc and do it from a command prompt window?
     
  37. mneenee

    mneenee Corporal

    Not sure how to run it from a command prompt window? Could you tell me? I just did it through Start, Run, sfc /scannow. Thanks

    Mneenee
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Similar to what you posted, but first click Start, Run and enter cmd and click OK!
    Then in the command prompt window enter sfc /scannow
     
  39. mneenee

    mneenee Corporal

    My sister had to take her laptop on a business trip so I won't be able to try that until maybe Tuesday. I'll let you know how it goes. Thanks

    Mneenee
     
