Infected computer and can't start safe mode

I have antivirus live, which has infected my computer and can't start safe mode to start programs to delete the virus. When I try and start safe mode I get a blue screen and the computer just freezes and have to restart. I can get into normal mode but can't run any removal programs. Please any help to get into safe mode would be great.
Thanks

Please download Ice Sword from HERE

1. Download the zip to your desktop and extract it.
   
2. Open the Ice Sword folder and then launch IceSword.exe.
   
3. Will IceSword open?
   

Yes, downloaded and installed now.

Hello.

• Now, on the left hand side tool, hit the Process button at the top of the list.
  
• Just above the list, there is a log button, press that and save the log to your Desktop.
  
• Next, hit the Startup on the left side list.
  
• Press the log button again.
  
• Post the two logs in your next reply.
  

Process:

System Idle Process
System
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxtray
C:\WINDOWS\system32\igfxtray.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxhkcmd
C:\WINDOWS\system32\hkcmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
igfxpers
C:\WINDOWS\system32\igfxpers.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SynTPEnh
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Broadcom Wireless Manager UI
C:\WINDOWS\system32\WLTRAY.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SigmatelSysTrayApp
stsystra.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DVDLauncher
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
dla
C:\WINDOWS\system32\dla\tfswctrl.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunesHelper
"C:\Program Files\iTunes\iTunesHelper.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YSearchProtection
"C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ifnmwqei
C:\Documents and Settings\Shane\Local Settings\Application Data\ehocmf\xgfasysguard.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jfvlenxc
C:\Documents and Settings\Shane\Local Settings\Application Data\xvellx\xxacsysguard.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe
C:\WINDOWS\system32\ctfmon.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Search Protection
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
YSearchProtection
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
swg
"C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
ifnmwqei
C:\Documents and Settings\Shane\Local Settings\Application Data\ehocmf\xgfasysguard.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
jfvlenxc
C:\Documents and Settings\Shane\Local Settings\Application Data\xvellx\xxacsysguard.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe (Remark£º)

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
desktop.ini


C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk
C:\Program Files\Digital Line Detect\DLG.exe (Remark£º)

C:\Documents and Settings\Shane\Start Menu\Programs\Startup
desktop.ini

hello Belahzur - you helped me in the past with a similar problem and i just noticed that this person has the exact same issue as one of our workcomputers is experiencing right now. Can I also post the log info from the 2 files? or do iI have to start my own question?
thanks
buff

Start your own topic please buff.

---

lasvegasguy21 - I see the malicious items loading via the Run key, but don't see them active in the process list, can you try running MBAM for me.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

I tried downloading that and when I click on it, it seems noting happens but can see if running in the process. I had to close some .sysguard process or I can't do anything on my computer. If you need to see these I can restart and try to get those names in the scan log. I tried that Malwarebytes' Anti-Malware before looking for help and just can't run it or get into safe mode to run it.
Thanks

In the Startup tab, select the following one-by-one using the "Name" category, and hit the red X in the top left corner above the left side list:

ifnmwqei
jfvlenxc
ifnmwqei
jfvlenxc

Select yes to each one when prompted with the "Are you sure" alert.

Reboot normally.
Can you run MBAM now?

This is in Ice Sword right? The red X in Ice Sword closes the program(Ice Sword), or it down when I click it.

My bad.

• In IceSword, press the Registry button on the bottom left of the program.
  
• Drag the middle bar further to the right so you can see the paths.
  
• Follow this path to the Run key:
  
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  
  
• Left click once on the Run key, then in the right side pane, find the run following run values:
  
  ifnmwqei
  jfvlenxc
  
  
• Right click each one, hit delete.
  
• Now follow the path for the next Run key:
  
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  
  
• Delete the same exact named run values as before.
  
• Now reboot normally, can you run MBAM now?
  

I did all that and still can't run MBAM. I checked and those files are still deleted. nȯne of those sysguard poped up in my processes this time. I have those in a log before deleting them from my active process if you need them.
Thanks

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 10-01-04.01 - Shane 01/08/2010 13:48:35.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.757 [GMT -7:00]
Running from: e:\new folder\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Shane\Local Settings\Application Data\ehocmf
c:\documents and settings\Shane\Local Settings\Application Data\ehocmf\xgfasysguard.exe
c:\documents and settings\Shane\Local Settings\Application Data\xvellx
c:\documents and settings\Shane\Local Settings\Application Data\xvellx\xxacsysguard.exe
c:\program files\Common Files\Uninstall
c:\windows\system32\config\systemprofile\Templates\info.tmp
c:\windows\system32\drivers\H8SRTnkvrsoucvy.sys
c:\windows\system32\drivers\ndisrd.sys
c:\windows\system32\dzwbgch3y.dll
c:\windows\system32\H8SRTmxfuwprrtq.dll
c:\windows\system32\H8SRTpfpvtowuje.dat
c:\windows\system32\H8SRTvyftiuoqcm.dll
c:\windows\system32\H8SRTyxwilxrujk.dll
c:\windows\system32\kbdsock.dll
c:\windows\system32\mshlps.dll
c:\windows\system32\ndisapi.dll
c:\windows\system32\srcr.dat
c:\windows\Temp\157d9bf1.exe
c:\windows\Temp\5bc83b60.exe

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_H8SRTd.sys
-------\Legacy_NDISRD
-------\Service_H8SRTd.sys
-------\Service_NDISRD


((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 19:53 . 2010-01-08 19:53 44544 ----a-w- C:\afburr.exe
2010-01-08 19:53 . 2010-01-08 19:53 29695 ----a-w- C:\khkil.exe
2010-01-08 19:53 . 2010-01-08 19:53 242688 ----a-w- C:\qfhtgw.exe
2010-01-08 19:53 . 2010-01-08 19:53 52224 ----a-w- C:\eujbmv.exe
2010-01-08 19:53 . 2010-01-08 19:53 27136 ----a-w- C:\jdmhvwpg.exe
2010-01-08 19:53 . 2010-01-08 19:53 22016 ----a-w- C:\vwylecru.exe
2010-01-08 18:06 . 2010-01-08 18:06 -------- d-----w- c:\program files\TrendMicro
2010-01-08 15:37 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 15:37 . 2010-01-08 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 15:37 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 02:54 . 2010-01-08 02:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-08 02:48 . 2010-01-08 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-08 02:48 . 2010-01-08 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-08 02:48 . 2010-01-08 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-08 02:25 . 2010-01-08 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-08 02:23 . 2010-01-08 02:23 -------- d-----w- c:\program files\Common Files\iS3
2010-01-08 02:23 . 2010-01-08 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-08 02:00 . 2010-01-08 02:00 -------- d-----w- c:\documents and settings\Shane\Local Settings\Application Data\Threat Expert
2010-01-08 01:52 . 2010-01-08 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-07 23:57 . 2010-01-08 02:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\bpdiqc
2010-01-07 23:56 . 2010-01-08 02:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\drgyat
2010-01-04 01:17 . 2010-01-08 01:16 857 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-04 01:14 . 2010-01-04 01:14 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-03 15:38 . 2010-01-03 15:38 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 18:06 . 2010-01-08 18:06 388096 ----a-r- c:\documents and settings\Shane\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-08 00:13 . 2008-08-27 17:38 20292 ----a-w- c:\documents and settings\Shane\Application Data\wklnhst.dat
2010-01-07 22:55 . 2008-09-08 03:56 -------- d-----w- c:\program files\Incomplete
2010-01-07 22:55 . 2008-09-08 03:47 -------- d-----w- c:\program files\K-Lite Pro
2010-01-07 19:11 . 2007-03-26 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-07 19:11 . 2010-01-07 19:11 12840432 ----a-w- c:\documents and settings\All Users\Application Data\Google Updater\cache\packdata_ci_earth_5.1.3533.1731_en_setup.exe
2010-01-03 16:04 . 2006-11-29 20:14 85592 -c--a-w- c:\documents and settings\Shane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 21:32 . 2008-09-08 03:49 -------- d-----w- c:\documents and settings\Shane\Application Data\FileVOoM
2009-12-17 16:38 . 2006-12-21 03:06 -------- d-----w- c:\program files\Dl_cats
2009-12-10 17:20 . 2008-08-27 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 07:46 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-10 18:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 18:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 18:51 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 18:51 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 18:51 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-18 18:19 . 2006-12-06 05:24 88 --sh--r- c:\windows\system32\8EC486DAE2.sys
2009-07-18 18:19 . 2006-12-06 05:24 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-20 24576]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\K-Lite Pro\\K-Lite.exe"=
"c:\\Program Files\\K-Lite Pro\\IeEmbed.exe"=

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2006 5:04 PM 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42]

2010-01-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-26 03:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://tsslvpn.terracon.com/CACHE/sdesktop/install/binaries/instweb.cab
.
- - - - ORPHANS REMOVED - - - -

Notify-TPSvc - TPSvc.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 13:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3500)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-08 14:01:38 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-08 21:01

Pre-Run: 38,256,463,872 bytes free
Post-Run: 38,881,087,488 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D1BEF94720290FF774204D4B038FB797


Anything else that I need to do? Is there anything you see on my computer that may have caused these problems?
Thanks

Hello.
Please move Combo-Fix.exe to the Desktop.

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   File::
   C:\afburr.exe
   C:\khkil.exe
   C:\qfhtgw.exe
   C:\eujbmv.exe
   C:\jdmhvwpg.exe
   C:\vwylecru.exe
   
   DDS::
   uInternet Settings,ProxyServer = http=127.0.0.1:5555
   uInternet Settings,ProxyOverride =
   

   
   
4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.
   

Any way to post the whole document or just have to put it into multiple post? It says file is to big to send all in one.
Thanks

Break it up into more than one post. If it's the @snapshot that's making it a long log, cut out that bit, snapshots bit isn't important.

ComboFix 10-01-04.01 - Shane 01/08/2010 14:12:54.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1015.679 [GMT -7:00]
Running from: e:\new folder\Combo-Fix.exe
Command switches used :: e:\new folder\CFScript.txt

FILE ::
"C:\afburr.exe"
"C:\eujbmv.exe"
"C:\jdmhvwpg.exe"
"C:\khkil.exe"
"C:\qfhtgw.exe"
"C:\vwylecru.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\afburr.exe
C:\eujbmv.exe
C:\jdmhvwpg.exe
C:\khkil.exe
C:\qfhtgw.exe
C:\vwylecru.exe

.
((((((((((((((((((((((((( Files Created from 2009-12-08 to 2010-01-08 )))))))))))))))))))))))))))))))
.

2010-01-08 18:06 . 2010-01-08 18:06 388096 ----a-r- c:\documents and settings\Shane\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-01-08 18:06 . 2010-01-08 18:06 -------- d-----w- c:\program files\TrendMicro
2010-01-08 15:37 . 2010-01-07 23:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-08 15:37 . 2010-01-08 15:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-08 15:37 . 2010-01-07 23:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-08 02:54 . 2010-01-08 02:54 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-08 02:48 . 2010-01-08 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-08 02:48 . 2010-01-08 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-08 02:48 . 2010-01-08 02:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-08 02:25 . 2010-01-08 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2010-01-08 02:23 . 2010-01-08 02:23 -------- d-----w- c:\program files\Common Files\iS3
2010-01-08 02:23 . 2010-01-08 15:11 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-01-08 02:00 . 2010-01-08 02:00 -------- d-----w- c:\documents and settings\Shane\Local Settings\Application Data\Threat Expert
2010-01-08 01:52 . 2010-01-08 20:41 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-07 23:57 . 2010-01-08 02:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\bpdiqc
2010-01-07 23:56 . 2010-01-08 02:27 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\drgyat
2010-01-07 19:11 . 2010-01-07 19:11 12840432 ----a-w- c:\documents and settings\All Users\Application Data\Google Updater\cache\packdata_ci_earth_5.1.3533.1731_en_setup.exe
2010-01-04 01:17 . 2010-01-08 01:16 857 ----a-w- c:\windows\system32\krl32mainweq.dll
2010-01-04 01:14 . 2010-01-04 01:14 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-03 15:38 . 2010-01-03 15:38 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-08 00:13 . 2008-08-27 17:38 20292 ----a-w- c:\documents and settings\Shane\Application Data\wklnhst.dat
2010-01-07 22:55 . 2008-09-08 03:56 -------- d-----w- c:\program files\Incomplete
2010-01-07 22:55 . 2008-09-08 03:47 -------- d-----w- c:\program files\K-Lite Pro
2010-01-07 19:11 . 2007-03-26 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-01-03 16:04 . 2006-11-29 20:14 85592 -c--a-w- c:\documents and settings\Shane\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-01 21:32 . 2008-09-08 03:49 -------- d-----w- c:\documents and settings\Shane\Application Data\FileVOoM
2009-12-17 16:38 . 2006-12-21 03:06 -------- d-----w- c:\program files\Dl_cats
2009-12-10 17:20 . 2008-08-27 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 07:46 . 2004-08-10 18:51 832512 ------w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-10 18:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-10 18:51 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-10 18:51 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 05:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:53 . 2004-08-10 18:51 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54 . 2004-08-10 18:51 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54 . 2004-08-10 18:51 112128 ----a-w- c:\windows\system32\rastls.dll
2009-07-18 18:19 . 2006-12-06 05:24 88 --sh--r- c:\windows\system32\8EC486DAE2.sys
2009-07-18 18:19 . 2006-12-06 05:24 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-09 761947]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-25 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-03-15 257088]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-20 24576]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\K-Lite Pro\\K-Lite.exe"=
"c:\\Program Files\\K-Lite Pro\\IeEmbed.exe"=

S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2006 5:04 PM 30192]
.
Contents of the 'Scheduled Tasks' folder

2010-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 22:42]

2010-01-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-26 03:46]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
DPF: {705EC6D4-B138-4079-A307-EF13E4889A82} - hxxps://tsslvpn.terracon.com/CACHE/sdesktop/install/binaries/instweb.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-08 14:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-01-08 14:18:02
ComboFix-quarantined-files.txt 2010-01-08 21:18
ComboFix2.txt 2010-01-08 21:01

Pre-Run: 38,878,072,832 bytes free
Post-Run: 38,843,092,992 bytes free

- - End Of File - - 6B837122AFE99562F88EFC36B0D57155
Thanks

Okay, lets get MBAM scan done, then I think we can put this to bed.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/8/2010 2:52:32 PM
mbam-log-2010-01-08 (14-52-27).txt

Scan type: Quick Scan
Objects scanned: 117400
Time elapsed: 4 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\krl32mainweq.dll (Trojan.DNSChanger) -> No action taken.


Anything else? Thanks

Did you remove what MBAM found? it says no action taken.

I did. I saved that before I hit remove and my computer had to restart so I didn't have the text I copy and pasted.

Okay.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?

Thanks. Everything seems to be running good. Do you anything that would cause to get that spyware?
Thanks for all the help. I ran that scan again to make sure it was gone and nothing was found.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/8/2010 3:07:45 PM
mbam-log-2010-01-08 (15-07-45).txt

Scan type: Quick Scan
Objects scanned: 117505
Time elapsed: 4 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Okay, this should be fine now.