Virtumonde... *sigh*



chris_0076
2008-12-28, 03:55
I scanned with Spybot and found Virtumonde, so I had it fix it. Then I rebooted, went into safe mode, pulled out my network cable and ran the scan again, as well as AdAware and Avast. It was still there, so I removed it again and rebooted back into normal mode... and it is still there.

Problems Occurring:
Google search links go to random places on first click. (Second time they work just fine.)
Lots of Internet Explorer pop-ups when running Firefox.
Large quantities of used RAM that are not documented in Task Manager.
Programs load slowly... (but not the normal slow-computer slow). It is like it has to search for where it is, then it loads the program instantly.
Windows Explorer does the same as loading programs when switching folders.
Other odds and ends...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:42 PM, on 12/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [e7LBFID2j1Preb] C:\Documents and Settings\JUser\Application Data\Microsoft\Windows\qolab.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll lyedva.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5473 bytes

Thank you for any and all support,
Chris

Shaba
2009-01-01, 10:57
Hi chris_0076

Rename HijackThis.exe to chris_0076.exe and post back a fresh HijackThis log, please :)

chris_0076
2009-01-02, 00:35
Thanks for the reply... but the symptoms have gotten much, much worse. I can no longer get on to that computer, and all of the restore points have been deleted. Whenever I turn it on, it goes to the desktop and loads a few icons, then it just stops. Last known good configuration does not work because it sees that as being a good boot, because it makes it all the way to the desktop.

I do not think that it will do much good if I post a log from Safe mode....

Any ideas?

Thanks,
Chris

chris_0076
2009-01-02, 02:52
I went into safe mode and ran another Spybot scan and it found 22 things :mad:... I restarted and was able to go into normal mode. It has been working fine so far, but Virtumonde is still here... and I also noticed that it will not allow me to do anything with System Restore at all.

Anyways here are the logs:

HijackThis.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:29 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll ouyxpw.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 5493 bytes


Chris_0076.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:34 PM, on 1/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\Chris_0076.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {01698E7A-FB68-441C-989D-28B341D1C033} - (no file)
O2 - BHO: (no name) - {0d6d9717-ba61-4f7a-bc2e-18b5aa35fb2a} - (no file)
O2 - BHO: {a71913a9-4f3c-e5a9-a954-f50579d803e1} - {1e308d97-505f-459a-9a5e-c3f49a31917a} - C:\WINDOWS\system32\ouyxpw.dll
O2 - BHO: (no name) - {3E0366A4-9A52-452A-A719-40136CDF182A} - C:\WINDOWS\system32\mlJYrrqP.dll
O2 - BHO: (no name) - {3E47454F-88D6-415F-9487-A6DD9498AFA6} - (no file)
O2 - BHO: (no name) - {4961599b-e270-408a-9751-097d90cfa075} - (no file)
O2 - BHO: (no name) - {4EEFA112-AB29-4CC4-A0D9-8DCEB03A0698} - (no file)
O2 - BHO: (no name) - {532892D1-073F-4CDD-9B6E-3CC601DD0D17} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5746f1d0-f079-4d1f-8f47-1fa761c71237} - (no file)
O2 - BHO: (no name) - {6d5ee4e7-bd4e-4346-94ae-d13cd52f4dba} - (no file)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ddcBSJbA.dll
O2 - BHO: (no name) - {73cee713-756c-4db7-9feb-4216a74b421e} - (no file)
O2 - BHO: (no name) - {8FC025C4-FF29-42EB-B948-031AA58040DF} - (no file)
O2 - BHO: (no name) - {A0C04D9F-CF3A-4818-A66B-87DB27DCA9B6} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: agadoo browser enhancer - {BE2D9D94-B96F-170C-0690-CDAA7E2E2313} - C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll
O2 - BHO: (no name) - {C3CF227F-2834-4B58-80A0-AA02ADA7192A} - (no file)
O2 - BHO: (no name) - {CC4789A4-807F-4193-826D-9BEB1699B429} - (no file)
O2 - BHO: (no name) - {D08A92D9-B5FD-46E1-974C-8A3DA21C2186} - (no file)
O2 - BHO: (no name) - {E480AFE2-95BD-4D2A-8558-1B26BDD52693} - (no file)
O2 - BHO: (no name) - {e7ad38ba-2c55-4595-827e-35e1f16d5dee} - C:\WINDOWS\system32\jujukeyo.dll (file missing)
O2 - BHO: (no name) - {EA149AE3-8CC5-4EC7-8EB7-22EA6E693178} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKUS\S-1-5-19\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'Default user')
O4 - Global Startup: Start 3DxWare.lnk = C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe
O8 - Extra context menu item: &Search - ?p=ZUfox000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {C62FC49C-C55D-11DA-97D5-000BDB1ABB7B} (NolijWeb.NolijWeb_Logon) - file://\\Katana\Nw\NolijWeb.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll ouyxpw.dll
O20 - Winlogon Notify: ddcBSJbA - C:\WINDOWS\SYSTEM32\ddcBSJbA.dll
O20 - Winlogon Notify: xxyaBUkL - xxyaBUkL.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c96888cdc376f0) (gupdate1c96888cdc376f0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe

--
End of file - 7620 bytes
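
The pattern a helper reads off logs like the three above (random eight-letter DLLs in AppInit_DLLs and Winlogon Notify, Run entries that load a DLL through regsvr32 /s or rundll32, "(no name)" BHOs that point at system32 or at nothing, and an autorun under the SYSTEM account) can be scripted. The following is an added example, not part of the thread and not anything HijackThis or ComboFix ships: a POSIX shell function that runs those heuristics over a HijackThis 2.0.2 log. The heuristics are my own triage rules, the sample log is a constructed subset copied from the log posted above, and every hit is a line to look at, not an automatic removal (Winlogon Notify, for instance, is also used by legitimate software).

```shell
#!/bin/sh
# Added example: heuristic triage of a HijackThis v2.0.2 log for the
# Virtumonde/Vundo pattern seen in this thread. The rules are mine, not
# part of HijackThis; treat each hit as a line to review, not a verdict.

# hjt_triage LOGFILE - print one "reason: line" per suspicious entry.
hjt_triage() {
  awk '
    { sub(/\r$/, "") }   # HJT saves CRLF; drop the CR so $ anchors match
    # Vundo injects into every process via AppInit_DLLs; the names are random letters.
    /^O20 - AppInit_DLLs:/                        { print "AppInit_DLLs injection: " $0; next }
    # Winlogon Notify DLLs are loaded by winlogon.exe itself, so a bad one can take logon down.
    /^O20 - Winlogon Notify:/                     { print "Winlogon Notify DLL: " $0; next }
    # A Run entry that registers or loads a DLL (regsvr32 /s, rundll32 on a .dat) rather than an exe.
    /^O4 - .*(regsvr32\.exe \/s|rundll32\.exe) /  { print "Autorun loading a DLL: " $0; next }
    # A Run entry for the SYSTEM account (S-1-5-18); software rarely installs itself there.
    /^O4 - HKUS\\S-1-5-18\\\.\.\\Run:/            { print "SYSTEM-account autorun: " $0; next }
    # BHO whose display name is itself a CLSID: no vendor bothered to name it.
    /^O2 - BHO: [{][0-9a-fA-F-]+[}] - /          { print "BHO named by a CLSID: " $0; next }
    # Unnamed BHO whose CLSID is registered but whose DLL is gone: leftovers of earlier cleanups.
    /^O2 - BHO: \(no name\).*\(no file\)$/        { print "Orphan BHO CLSID: " $0; next }
    # Unnamed BHO loaded from system32: legitimate add-ons carry a name and live under Program Files.
    /^O2 - BHO: \(no name\).*\\system32\\.*\.dll/ { print "Unnamed BHO in system32: " $0; next }
  ' "$1"
}

# write_sample_log FILE - a constructed subset of the log posted above,
# written with CRLF line endings the way HijackThis saves it.
write_sample_log() {
  awk '{ printf "%s\r\n", $0 }' > "$1" <<'EOF'
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: (no name) - {01698E7A-FB68-441C-989D-28B341D1C033} - (no file)
O2 - BHO: {a71913a9-4f3c-e5a9-a954-f50579d803e1} - {1e308d97-505f-459a-9a5e-c3f49a31917a} - C:\WINDOWS\system32\ouyxpw.dll
O2 - BHO: (no name) - {3E0366A4-9A52-452A-A719-40136CDF182A} - C:\WINDOWS\system32\mlJYrrqP.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: agadoo browser enhancer - {BE2D9D94-B96F-170C-0690-CDAA7E2E2313} - C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll
O2 - BHO: (no name) - {e7ad38ba-2c55-4595-827e-35e1f16d5dee} - C:\WINDOWS\system32\jujukeyo.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Rxokicozi] rundll32.exe "C:\WINDOWS\Szane.dat",e
O4 - HKLM\..\Run: [vqwstrwtmiest] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\mnwbmtxjlnhwuouff.dll"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [3DxAssociateFileExts] C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxViewer\register.exe "FileExts" (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\wavojami.dll,C:\WINDOWS\system32\mafazupe.dll,C:\WINDOWS\system32\wusiwuto.dll,C:\WINDOWS\system32\mahalemo.dll,fjfvpc.dll,C:\WINDOWS\system32\jutokuki.dll ouyxpw.dll
O20 - Winlogon Notify: ddcBSJbA - C:\WINDOWS\SYSTEM32\ddcBSJbA.dll
O20 - Winlogon Notify: xxyaBUkL - xxyaBUkL.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
EOF
}

# Run on the built-in sample when executed directly.
sample=$(mktemp)
write_sample_log "$sample"
hjt_triage "$sample"
rm -f "$sample"
```

Run it as `sh hjt-triage.sh` to see the ten hits from the built-in sample, or call `hjt_triage` on a saved hijackthis.log. Note the limits of name-based rules: the "agadoo browser enhancer" BHO has a name and so is not flagged on its own line; it only surfaces because the same DLL is loaded by the regsvr32 /s autorun, which is why a helper reads the O4 and O2 sections together.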

Shaba
2009-01-02, 10:20
Yes, that is due to infection.

We will continue with ComboFix.

Please download ComboFix from one of these locations:

Link 1 (http://subs.geekstogo.com/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

chris_0076
2009-01-02, 18:37
Well... it found some things and said that it needed to restart, so it did. When it rebooted, it pulled up a window saying that some memory command dealing with winlogon did not work. There were two options (Debug and OK); both went to a stop error (0x00000005, or I think that is how many zeros it had).

Rebooting with last known good configuration now.

Shaba
2009-01-02, 18:39
Thank you for update.

Please check if C:\ComboFix.txt exists after reboot.

chris_0076
2009-01-02, 18:55
....I'm not liking the no editing posts....

Anyways... tried to boot with last known good configuration and it did the same thing. Tried it with safe mode and it still did the same thing.

It is beginning to seem as though the more I do the worse it gets...

Shaba
2009-01-02, 19:00
Did you disable avast! before running combofix as instructed?

If not, that might have caused it.

chris_0076
2009-01-02, 19:03
Yes, I disabled it; then it rebooted and turned it back on, but it would not let me turn it off...

Shaba
2009-01-02, 19:05
So you are unable to logon now?

chris_0076
2009-01-02, 19:11
Yes, I am unable to log on now. It says that it is a memory error with winlogon. Then it tells me to Close it or Debug it, both of which lead to stop error c000021a.

Shaba
2009-01-02, 19:12
Did you install recovery console before combofix run?

If so, we can try to restore registry backup via it.

chris_0076
2009-01-02, 19:16
Yes, it was installed, but it does not work. It just comes up to a blank screen with an underscore.

I did some research on the stop error and found this:

http://support.microsoft.com/default.aspx?scid=kb;en-us;156669

Should I try to proceed with this?

Shaba
2009-01-02, 19:18
Yes, you can try those next.

If no go, next option is likely repair installation of windows.

chris_0076
2009-01-02, 19:23
I was afraid you were going to say that I would need to do a repair installation... I no longer know where the XP CD is... but I will be able to get a new one on Tuesday.

I will try to use the other method. Hopefully it will work.

Shaba
2009-01-02, 19:25
Thank you for update, keep me informed :)

chris_0076
2009-01-02, 20:08
I have searched and I have searched and found nothing that I understand or find to be relevant... guess I will be computerless until Tuesday...

I did read on some sites that even doing a repair install did not fix it... I hope that is not the case.

Shaba
2009-01-02, 20:19
Impossible to say at this point because we are not 100% sure what exactly is broken.

I hope too that a reformat isn't needed; however, if so, data can likely be saved using a live Linux and an external hard drive before that.

chris_0076
2009-01-02, 21:59
The internet has failed me...

Right now I am in the process of downloading Knoppix to see what I can do. I might be getting an external hard drive this weekend as well.... and if none of that works then I'll just have to wait until Tuesday.

chris_0076
2009-01-03, 00:18
I have booted up now using Knoppix. If you know of any fixes with it could you please tell me?

chris_0076
2009-01-03, 02:46
I think I found the Combofix.txt that you were talking about



ComboFix 09-01-01.02 - JUser 2009-01-02 12:07:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.669 [GMT -5:00]
Running from: C:\Documents and Settings\JUser\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning enabled* (Updated)
.



Do you think that I would be able to run ComboFix from Knoppix if I used Wine, and could that fix it?

Shaba
2009-01-03, 11:19
This has likely been the reason:

AV: avast! antivirus 4.8.1296 [VPS 090102-0] *On-access scanning enabled* (Updated)

Running ComboFix won't help, but are you able to access the Windows directory via Knoppix?

chris_0076
2009-01-03, 22:41
Yes, I am able to access all of my files. Is there something that I can do with it?

Shaba
2009-01-04, 10:51
Then let's do this:

While using knoppix, backup these files first to another folder (important!):

System, Security, Sam, Software and Default inside this folder:

C:\Windows\System32\Config

After that:

Copy the same files from C:\Windows\ERDNT\hiv-backup to C:\Windows\System32\Config, answer yes if it asks to overwrite, and let me know if it works now.
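
What Shaba describes, done from the Knoppix shell, as an added example (not a command from the thread and not a tool from ComboFix or ERUNT): a POSIX shell function that takes the mount point of the Windows volume, saves the five live hives aside in a timestamped folder, then copies the ERUNT backup that ComboFix left in WINDOWS\ERDNT\hiv-backup over them. It assumes the Windows volume is already mounted read-write (it fails up front with a hint if not, which is the write failure reported later in the thread) and that ComboFix got far enough to make its backup. Hive names are matched case-insensitively because XP mixes cases (SAM, SECURITY, system, software, default) and ntfs-3g lookups on Linux are case-sensitive, so a hard-coded "System" would not be found.

```shell
#!/bin/sh
# Added example: restore the ERUNT registry backup that ComboFix makes
# (WINDOWS\ERDNT\hiv-backup) over the live hives in WINDOWS\System32\Config,
# from a Linux live CD such as Knoppix. Not a tool from the thread.
# Usage: sh restore-hives.sh /media/sda1   (the mounted Windows volume)

HIVES="system security sam software default"

# find_entry DIR NAME - print the one entry directly under DIR whose name
# matches NAME ignoring case. XP mixes cases (SAM, SECURITY, system, ...)
# and ntfs-3g lookups on Linux are case-sensitive, so nothing is hard-coded.
find_entry() {
  find "$1" -mindepth 1 -maxdepth 1 -iname "$2" -print 2>/dev/null | head -n 1
}

# restore_hives MOUNTPOINT - save the live hives aside, then copy the
# ERUNT backup over them. Prints the folder the live hives were saved to.
restore_hives() {
  mnt=$1
  win=$(find_entry "$mnt" windows)
  [ -n "$win" ] || { echo "no WINDOWS folder under $mnt" >&2; return 1; }
  cfg=$(find_entry "$(find_entry "$win" system32)" config)
  hivbak=$(find_entry "$(find_entry "$win" erdnt)" hiv-backup)
  [ -n "$cfg" ] || { echo "System32/Config not found under $win" >&2; return 1; }
  [ -n "$hivbak" ] || { echo "ERDNT/hiv-backup not found: ComboFix never made its ERUNT backup" >&2; return 1; }

  # Creating the save folder is the write test: on a read-only mount (the
  # usual default for NTFS on older live CDs) mkdir fails with EROFS.
  save="$win/hive-save-$(date +%Y%m%d-%H%M%S)"
  mkdir "$save" 2>/dev/null || {
    echo "cannot write under $win; remount read-write, e.g. ntfs-3g /dev/sdXN $mnt" >&2
    return 1
  }

  # Pass 1: every backup hive must exist and every live hive is saved aside
  # before anything is overwritten, so a half-finished run leaves a usable set.
  for h in $HIVES; do
    src=$(find_entry "$hivbak" "$h")
    [ -n "$src" ] || { echo "backup hive '$h' missing in $hivbak" >&2; return 1; }
    dst=$(find_entry "$cfg" "$h")
    if [ -n "$dst" ]; then cp "$dst" "$save/" || return 1; fi
  done

  # Pass 2: overwrite, keeping the live file's own name and case so Windows
  # still finds it; fall back to the lower-case name if the live file was gone.
  for h in $HIVES; do
    src=$(find_entry "$hivbak" "$h")
    dst=$(find_entry "$cfg" "$h")
    cp -f "$src" "${dst:-$cfg/$h}" || return 1
  done
  echo "$save"
}

# Run only when given a mount point, so sourcing the file is harmless.
if [ $# -eq 1 ]; then
  restore_hives "$1" && echo "restored; live hives were saved to the folder printed above" >&2
fi
```

If the volume was mounted by clicking its desktop icon it is usually read-only; unmount it and mount it again with `ntfs-3g /dev/sdXN /media/sdXN` before running this. Because the live hives are copied aside first, the step can be undone from Knoppix by copying them back from the hive-save folder.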

chris_0076
2009-01-06, 04:29
Arrgg... it will not let me write to the folder... I guess I will just have to wait till I get my XP disk.

Shaba
2009-01-06, 11:02
Yes, I am afraid so then.

chris_0076
2009-01-09, 03:12
I think I have backed up all of my important files and am starting to repair my installation *crossed fingers*.

chris_0076
2009-01-09, 04:58
... well, it did not work. First off, it did not have the option of a repair install, because it was already installed when I got this computer. Then I tried the recovery console to try to fix it; I used chkdsk and fixmbr... they did not work. Then I tried the thing that you said... now it says that I need a password to get into the recovery console... and it is not blank, or admin, or any of the basic ones.

Any ideas? Should I just proceed and do a full install?

Shaba
2009-01-09, 10:26
That might be the easiest way, yes.

chris_0076
2009-01-13, 03:45
It worked. I am now back up and running.

Did not have to do a full install. It ended up recognizing my Windows partition and let me use the repair function.

As soon as it was done I set a restore point, and now I am wondering... is there a way to save that off of this computer?

All of my problems are fixed, nothing is going slow or anything.

Thanks!
Chris

Shaba
2009-01-13, 14:34
Do you mean export restore point?

Shaba
2009-01-17, 11:57
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.