
Thread: I'm infected. Please offer some assistance.

  1. #1

    I'm infected. Please offer some assistance.

    Here is my HiJack log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:20:18 AM, on 10/13/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\MSGTAG\MSGTAG.exe
    C:\Program Files\Stardock\CursorFX\CursorFX.exe
    C:\Program Files\American Systems\EZ Macros\EZMacros.exe
    C:\Program Files\ClipCache\clipc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Thunderbird\thunderbird.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    F3 - REG:win.ini: load=C:\WINDOWS\fonts\services.exe
    F3 - REG:win.ini: run=C:\WINDOWS\fonts\services.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\ntos.exe,
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SpotmauSecretary] C:\Program Files\Spotmau\Desktop_Secretary\Spotmau_S.exe
    O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe
    O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
    O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [RemoteControl9] "C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe"
    O4 - HKLM\..\Run: [PDVD9LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [EZ Macros] C:\Program Files\American Systems\EZ Macros\EZMacros.exe /m
    O4 - HKLM\..\Run: [restorer64_a] C:\WINDOWS\system32\restorer64_a.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [reader_s] C:\WINDOWS\System32\reader_s.exe
    O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv621254983689.exe
    O4 - HKLM\..\Run: [PromoReg] C:\WINDOWS\Temp\_ex-08.exe
    O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
    O4 - HKLM\..\Run: [ter8m] RUNDLL32.EXE C:\WINDOWS\system32\msxm192z.dll,w
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
    O4 - HKCU\..\Run: [MSGTAG] "C:\Program Files\MSGTAG\MSGTAG.exe" /startup
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
    O4 - HKCU\..\Run: [SansaDispatch] C:\Documents and Settings\bobC.BUZMEG\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\bobC.BUZMEG\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
    O4 - HKCU\..\Run: [HostsMan] "C:\Program Files\HostsMan\hm.exe" -s
    O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
    O4 - HKCU\..\Run: [restorer64_a] C:\Documents and Settings\bobC.BUZMEG\restorer64_a.exe
    O4 - HKCU\..\Run: [mserv] C:\Documents and Settings\bobC.BUZMEG\Application Data\seres.exe
    O4 - HKCU\..\Run: [reader_s] C:\Documents and Settings\bobC.BUZMEG\reader_s.exe
    O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\bobC.BUZMEG\Application Data\svcst.exe
    O4 - Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
    O4 - Startup: CreateRP.VBS
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: PRINTKEY.EXE.lnk = C:\PRINTKEY.EXE
    O4 - Startup: SLEEPER.lnk = C:\sleep\sleeper.exe
    O4 - Global Startup: ClipCache Pro.lnk = C:\Program Files\ClipCache\clipc.exe
    O4 - Global Startup: CreateRP.VBS
    O4 - Global Startup: ERUNT AutoBackup.lnk = C:\ERUNT\AUTOBACK.EXE
    O4 - Global Startup: Firefox Preloader.lnk = C:\Program Files\FirefoxPreloader\FirefoxPreloader.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: PRINTKEY.EXE.lnk = C:\PRINTKEY.EXE
    O4 - Global Startup: scandisk.dll
    O4 - Global Startup: scandisk.lnk = ?
    O4 - Global Startup: SLEEPER.lnk = C:\sleep\sleeper.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1247792677359
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll
    O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: a2free - Unknown owner - C:\WINDOWS\TEMP\VRT6.tmp (file missing)
    O23 - Service: AgereModemAudio - Unknown owner - C:\WINDOWS\system32\agrsmsvc.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    O23 - Service: aswUpdSv - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    O23 - Service: fastnetsrv - Sigma Designs In - C:\WINDOWS\system32\FastNetSrv.exe
    O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe (file missing)
    O23 - Service: Windows Presentation Foundation Font Cache 3.0.0.0 (FontCache3.0.0.0) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    O23 - Service: InCDsrv - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe (file missing)
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: JavaQuickStarterService - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
    O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
    O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
    O23 - Service: Net_Login - Unknown owner - C:\WINDOWS\svchust.exe
    O23 - Service: nmservice - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: OICB - Unknown owner - C:\DOCUME~1\BOBC~1.BUZ\LOCALS~1\Temp\OICB.exe (file missing)
    O23 - Service: Windows Workstation System (Windows Workstation) - Unknown owner - C:\WINDOWS\sv4.exe
    O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
    O23 - Service: YLF - Unknown owner - C:\DOCUME~1\BOBC~1.BUZ\LOCALS~1\Temp\YLF.exe (file missing)
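    As an added illustration (not part of the original post, and not a feature of HijackThis itself), the script below applies the kind of triage a helper does by eye on a log like the one above: it reads the section prefix of each line, extracts executable paths, and flags win.ini load=/run= hooks, extra UserInit executables, binaries that borrow core Windows process names from outside system32, autoruns and services launched from temp or profile directories, and Winlogon Notify entries whose DLL is missing. The sample lines are copied from the log posted above; the name lists, directory list and rules are my own assumptions, and the output only prioritises entries for a person to check, it is not a verdict.

```python
import re
import sys
from dataclasses import dataclass

# Core Windows process names that malware commonly borrows (assumed list).
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}
LEGIT_SYSTEM_DIR = "c:\\windows\\system32\\"
# Directories from which a legitimate autorun or service rarely executes (assumed list).
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\application data\\", "\\fonts\\")

# Drive-letter path ending in an executable extension; tolerates spaces in folder names.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^",]+?\.(?:exe|dll|scr|com|vbs)\b', re.IGNORECASE)


@dataclass
class Finding:
    section: str   # HijackThis line prefix, e.g. "O4" or "F2"
    reason: str
    line: str


def triage_hijackthis(log_text: str) -> list:
    """Return a Finding for every suspicious indicator found in a HijackThis log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or " - " not in line:
            continue                      # header lines, process list, blanks
        section = line.split(" - ", 1)[0]
        paths = [p.lower() for p in _PATH_RE.findall(line)]

        if section in ("F2", "F3"):
            if "userinit=" in line.lower():
                # Anything besides userinit.exe in UserInit runs at every logon.
                extra = [p for p in paths if not p.endswith("\\userinit.exe")]
                if extra:
                    findings.append(Finding(section, "extra UserInit executables: " + ", ".join(extra), line))
            else:
                # win.ini load=/run= is a legacy hook that modern software does not use.
                findings.append(Finding(section, "win.ini load=/run= hook", line))

        for p in paths:
            fname = p.rsplit("\\", 1)[-1]
            if fname in SYSTEM_PROCESS_NAMES and not p.startswith(LEGIT_SYSTEM_DIR):
                findings.append(Finding(section, "system process name outside system32: " + p, line))
            elif section in ("O4", "O23") and any(d in p for d in SUSPECT_DIRS):
                findings.append(Finding(section, "executes from user-writable location: " + p, line))

        if section == "O20" and "(file missing)" in line:
            findings.append(Finding(section, "Winlogon Notify entry whose DLL is missing", line))
    return findings


# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\fonts\services.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [avast!] "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
O4 - HKLM\..\Run: [sysgif32] C:\WINDOWS\Temp\wpv621254983689.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\bobC.BUZMEG\Application Data\svcst.exe
O23 - Service: Net Login (NetLogin) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O20 - Winlogon Notify: Antiwpa - antiwpa.dll (file missing)
"""

if __name__ == "__main__":
    # Usage: python triage.py [hijackthis.log]; with no argument the sample above is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage_hijackthis(text):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Of the eight sample lines, six produce findings (the fonts\services.exe hook counts twice: once for the win.ini hook, once for the borrowed process name), while the avast! and Bonjour entries pass; the user-profile rule will also flag legitimate per-user updaters such as Google Update, which is why the output is a review list rather than a removal list.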

  2. #2

    Re: I'm infected. Please offer some assistance.

    There are two major issues with your computer.

    Firstly, it appears not to be a legitimate copy of Windows.

    Secondly, it doesn't really matter, because your system is infected with Virut!!
    Virut is a file infecting virus which is able to modify itself each and every time it runs. In addition, when it infects, sometimes it will destroy the file it tries to latch onto.
    For these reasons, you really can't truly fix Virut. You will need to format/reinstall the operating system on this machine.

    More information:
    http://free.avg.com/66558
    There are bugs in the viral code. When the virus produces infected files, it also creates non-functional files that also contain the virus.
    http://home.mcafee.com/VirusInfo/Vir...spx?key=143034
    W32/Virut.h is a polymorphic, entry point obscuring (EPO) file infector with IRC bot functionality. It can accept commands to download other malware on the compromised machine.
    It appends to the end of the last section of executable (PE) files an encrypted copy of its code. The decryptor is polymorphic and can be located either:
    Immediately before the encrypted code at the end of the last section
    At the end of the code section of the infected host in 'slack-space' (assuming there is any)
    At the original entry point of the host (overwriting the original host code)
    Miekiemoes, a malware removal expert and MS-MVP, also has a blog post about Virut.

    I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc.
    Do NOT back up any applications/installers, and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
    This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.

    Read here for instructions on how to format and reinstall Windows:

    http://web.mit.edu/ist/products/winx...ll-format.html
    Tomk
    ------------------------------------------------------------
    Proud graduate of WTT Classroom
    Want to learn to help others? Train at the What The Tech Classroom


  3. #3

    Re: I'm infected. Please offer some assistance.

    Is there a way to find the files that are infected? I don't want to inadvertently move infected files and re-introduce the virus to the new installation.

  4. #4

    Re: I'm infected. Please offer some assistance.

    Sorry but no. Any executable file that is/was opened since the computer became infected... is infected. Once you mess with it, the virus will "patch" itself to it, so you cannot move executable files to a new system without infecting them.
    Tomk
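    Added example, not from the thread or from the vendor pages it links: a header-level check for the PE layout the McAfee text quoted in the second reply describes (code appended to the last section, decryptor possibly placed at the entry point), offered as a partial answer to the third post's question and in line with the fourth reply. It parses the COFF and section headers with struct alone and reports whether the entry point lands in the last section, whether that section lacks the code flag, and whether the last section is both writable and executable. The two images are constructed inline by build_pe (minimal headers, no real code), and the messages and rules are my own assumptions. Packers and self-extractors trigger the same indicators, so a hit means "inspect this file", not "infected", and a miss does not clear a file; it is a way to rank what to look at before rebuilding, not a substitute for the reinstall advised above.

```python
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from PE32 or PE32+ headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # same offset in PE32 and PE32+
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, opt + opt_size + 40 * i)
        name, vsize, va, raw_size, raw_ptr = fields[:5]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": fields[9]})
    return entry_rva, sections


def infector_indicators(data: bytes) -> list:
    """Heuristic indicators of an appending file infector; empty list means none seen."""
    entry, sections = parse_sections(data)
    if not sections:
        return ["no section table"]
    findings = []
    last = sections[-1]
    host = next((s for s in sections
                 if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    if host is None:
        findings.append("entry point 0x%x lies outside every section" % entry)
    else:
        # Compilers place the entry point in .text, not in the final (data) section.
        if host is last and len(sections) > 1:
            findings.append("entry point in last section %r" % host["name"])
        if not host["chars"] & IMAGE_SCN_CNT_CODE:
            findings.append("entry point section %r not marked as code" % host["name"])
    if last["chars"] & IMAGE_SCN_MEM_EXECUTE and last["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("last section %r is writable and executable" % last["name"])
    return findings


def build_pe(entry_rva: int, sections) -> bytes:
    """Construct minimal PE32 headers (DOS stub, COFF, optional header, section table).

    sections: list of (name, va, vsize, raw_size, characteristics). Demonstration only;
    the image has no code and cannot run.
    """
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)       # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)  # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_FMT, name, vsize, va, raw_size, 0x400 * (i + 1), 0, 0, 0, 0, chars)
        for i, (name, va, vsize, raw_size, chars) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + opt + table


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
# Constructed samples. CLEAN_PE: entry in .text. INFECTED_PE: last section grown,
# made executable and the entry point moved into it, mimicking the layout described above.
CLEAN_PE = build_pe(0x1100, [(b".text", 0x1000, 0x800, 0x800, CODE),
                             (b".data", 0x2000, 0x200, 0x200, DATA)])
INFECTED_PE = build_pe(0x2800, [(b".text", 0x1000, 0x800, 0x800, CODE),
                                (b".data", 0x2000, 0x1200, 0x1200, DATA | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    # Usage: python pe_triage.py file.exe ...; with no arguments the two samples are checked.
    targets = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
              [("CLEAN_PE", CLEAN_PE), ("INFECTED_PE", INFECTED_PE)]
    for label, blob in targets:
        try:
            hits = infector_indicators(blob)
        except ValueError as err:
            hits = ["unparseable: %s" % err]
        print(label, "->", hits or ["no indicators"])
```

    Run against the two constructed images, CLEAN_PE produces no indicators and INFECTED_PE produces three; on a real directory the list is only a starting point, since UPX-packed and installer executables commonly share the "entry point in last section" shape.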


  5. #5

    Re: I'm infected. Please offer some assistance.

    Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

    If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

    Everyone else please begin a New Topic.
    Tomk

