WinXP desktop doesn't load - HJT log

Thread Solved

wolterl (#1)
Oct 13th, 2007
Greetings,
I've searched for 2 weekends now on solutions to the problem I am having with my son's relatively new computer (arrived 9/10/07).
I've tried numerous suggestions from numerous sites (mainly this one) and I'm still unable to get a desktop in normal start up mode. I can in Safe Mode.
I did the cleanup methods described in the forum starter notes. There were 3 downloaders and a trojan present on the computer that I had hoped AVG would take complete care of, but my system is still not loading the desktop in normal startup mode.

I ran HiJackThis and have this log:

Logfile of HijackThis v1.99.1
Scan saved at 8:59:05 PM, on 10/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.62/go/?cmp=vm_mg_f...fid=68113&lid=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\c++.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: (no name) - {2EC79B5F-4971-4D75-8584-38C1A3E88F69} - C:\WINDOWS\system32\awtqq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63B1FF69-CB46-4C0C-9A74-3C92045FEFB8} - (no file)
O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - C:\Program Files\Elphciot\ggpzxaxn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\hggdawx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\nxvhghvo.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {E10F6E65-D697-49CF-81A4-84BBC5C46D62} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [xupsfufa] rundll32.exe "C:\Program Files\xupsfufa\jyxwnqpi.dll",Init
O4 - HKLM\..\Run: [mjylybgh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mjylybgh.dll"
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\mnljktui.dll",sitypnow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe~
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1159453796765
O20 - Winlogon Notify: acdaccbfba - C:\WINDOWS\system32\acdaccbfba.dll
O20 - Winlogon Notify: hggdawx - C:\WINDOWS\SYSTEM32\hggdawx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe

At this point I am not sure what else to try doing. Suggestions? Your help is very much appreciated!

bobbyraw (#2)
Oct 14th, 2007
Did you install any new program or hardware recently?

The following items below are all suspect.
ENSURE YOU BACK UP ANY REG KEY BEFORE EDITING.
Seeing that you can start in safe mode, remove all these items: do a search for the file name, remove the reg entries, then run Adaware, Spybot and any malware program you have in safe mode. Then do a bootlog startup; if this is not able to help, check the log and see where the error is. If after that you still can't boot to normal mode, you might have to do a repair of Windows.

O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: (no name) - {2EC79B5F-4971-4D75-8584-38C1A3E88F69} - C:\WINDOWS\system32\awtqq.dll
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://65.243.103.62/go/?cmp=vm_mg_f...fid=68113&lid=

O2 - BHO: (no name) - {63B1FF69-CB46-4C0C-9A74-3C92045FEFB8} - (no file)
O2 - BHO: (no name) - {7378296C-1FA1-46CC-927A-059E501AFAE4} - C:\Program Files\Elphciot\ggpzxaxn.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\hggdawx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\nxvhghvo.dll
O2 - BHO: Microsoft copyright - {971D5B7B-F7DF-43ee-B771-6B7FA09975C3} - tcprp.dll (file missing)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: (no name) - {E10F6E65-D697-49CF-81A4-84BBC5C46D62} - (no file)
O4 - HKLM\..\Run: [xupsfufa] rundll32.exe "C:\Program Files\xupsfufa\jyxwnqpi.dll",Init
O4 - HKLM\..\Run: [mjylybgh] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mjylybgh.dll"
O4 - Global Startup: 1.exe
O4 - Global Startup: 2.exe~
O20 - Winlogon Notify: acdaccbfba - C:\WINDOWS\system32\acdaccbfba.dll
O20 - Winlogon Notify: hggdawx - C:\WINDOWS\SYSTEM32\hggdawx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
C:\WINDOWS\system32\4dbb33d0t.exe
Last edited by bobbyraw; Oct 14th, 2007 at 1:46 am.

wolterl (#3)
Oct 14th, 2007
My son just got the computer a few weeks ago and has been loading all sorts of games and software on it. He also does online RPGs -- I suspect that may be where the nasties may have originated.

Thanks very much for your suggestions. I'm in the process of scanning after removing the items you listed.

Holy cows! AVG is still plugging away and has found 686 (so far) instances of files infected with win32/virut. The AVG spyware scanner found 49 instances of trojans, downloaders, rootkits, etc. I haven't even started AdAware or SpyBot yet.

The PC came running OEM WinXP and the disk sent with the system is for Windows Vista. We don't want to install Vista because it is incompatible with all the games he wants to run. System restore refused to work (probably because of the infections). I may have to research making an XP boot disk next.

I'll let you know what happens once all these scans do their thing.
Thank you!

wolterl (#4)
Oct 15th, 2007
Ugh -- the scans literally took hours.

Results -- 49+ trojans, downloaders, backdoors, and 8886 Win32/Virut infected files. I was sure AVG was going to make the PC self-ooze a plastic hermetic shield to quarantine the infections.

Interestingly, the virus did not show up until after deleting some of the suspicious entries in the HiJackThis log. I had already done multiple scans with AVG and SpyBot and other tools.

Unfortunately, even after fixing with AVG's Win32/Virut remover, there are still "uncleaned" files, and the nasties in the posted HJT log keep showing back up despite deletion. The "restore" was totally infested.

Since it is the "workweek" now and between work (2 jobs) and class I don't have a lot of time at my machine or others, I will devote myself more to ridding the PC of these pesky nasties Friday through Sunday. Woohoo -- another weekend of nerdy fun.... It is really a challenge -- I hope I win it!

I am still able to boot in safe mode but unable to in normal mode. (I get to the desktop, but no icons, task manager will not actually load, etc.)

If anyone has further suggestions, I'd appreciate them!
Thank you!
Last edited by wolterl; Oct 15th, 2007 at 10:45 pm.

bobbyraw (#5)
Oct 15th, 2007
Some of the files listed in windows or windows/system32 have a nasty way of coming back even when you delete them, so the only way around it is to do the spyware/Adaware scans. Also delete any instance of a restore point and turn it off for now, as anything that was saved will be infected too. Make sure to manually delete all cookies and temp files. I know it can be painstakingly long; I had to deal with it once and it took me 2 days, but back then I had time. Keep at it. Did you try right-clicking on the desktop and show desktop icon?

PS: did you get a set of restore CDs with the PC?

wolterl (#6)
Oct 19th, 2007
Originally posted by bobbyraw:
Some of the files listed in windows or windows/system32 have a nasty way of coming back even when you delete them, so the only way around it is to do the spyware/Adaware scans. Also delete any instance of a restore point and turn it off for now, as anything that was saved will be infected too. Make sure to manually delete all cookies and temp files. I know it can be painstakingly long; I had to deal with it once and it took me 2 days, but back then I had time. Keep at it. Did you try right-clicking on the desktop and show desktop icon?

PS: did you get a set of restore CDs with the PC?

I turned off system restore, and after numerous scans and multiple AVG virus fixer programs run in safe mode, I was finally able to boot in normal mode. Once in normal mode I was able to actually run AVG virus scanner which found 47 more instances of viruses, trojans, and downloaders. AVG spyware was finally able to get rid of one of the pesky files that kept reappearing. I'm not going to call it completely cured yet -- I want to run additional scans tomorrow just to be sure -- but I'm thrilled the desktop is finally back and functioning. I'm going to wait till after running additional scans before rehooking to the internet and the home network.

The restore CD that came with the PC is Windows Vista -- I did not want to restore with that. The machine came running Windows XP. That's the OS that my son's games work on -- they will not run on Vista.

Thanks again for your help and guidance!

bobbyraw (#7)
Oct 20th, 2007
You are welcome. Keep running the spyware/antivirus; I know it's a long process, but it's worth it. Bear in mind also that you need to update the scan engine of each program you are running.

crunchie (#8)
Oct 20th, 2007
Note that it is essential that, after fixing any O4 entry with HijackThis, you must delete the related file!! Same goes for the O20 and others.

==

1. Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
Last edited by crunchie; Oct 20th, 2007 at 3:08 am.

wolterl (#9)
Oct 20th, 2007
Originally posted by crunchie:
Note that it is essential that, after fixing any O4 entry with HijackThis, you must delete the related file!! Same goes for the O20 and others.

==

1. Download this file from one of the following links :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply, along with a new hijackthis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Unfortunately ComboFix will not run on the machine. It ran fine on my PC, but on my son's (infected) PC it flashes 2 cmd prompt screens too quickly to see, then closes. I tried in both normal mode and safe mode.
The nasty files are not letting me manually delete in either safe mode or normal mode. Checking them to be fixed in HiJackThis does nothing -- immediate re-scanning shows they are still there. (Particularly persistent file basesr.dll.)
I'm scanning with Kaspersky antivirus right now. I'll re-try HiJackThis and ComboFix once that scan completes. (The scan seems very slow -- stops for many minutes on certain files.)

wolterl (#10)
Oct 20th, 2007
Well, Kaspersky found 119 more problems. After cleaning, I still cannot get ComboFix to run.

New HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:32 PM, on 10/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Documents and Settings\Administrator\Desktop\gotcha.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\GRISOFT\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\npjpi150_12.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1159453796765
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)

--
End of file - 4194 bytes


When I briefly hooked to the home network to transfer the HJT log, Kaspersky detected a hidden install and stopped the process.

Some nasty is still residing on the machine, not letting me fix things with HiJackThis nor to manually delete them.

Suggestions?

Thank you!
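
A triage pass over the two HijackThis logs posted in this thread, as an added example that is not part of any poster's message: it parses the `Xn - ...` lines, flags entries using a few assumed heuristics (unnamed BHO, absent target file, service with unknown owner, extra UserInit programs), and lists which flagged entries are still registered in the second scan. The function names and heuristics are assumptions for illustration and give reasons to look closer, not verdicts; the sample lines are copied from the logs above.

```python
import re

# Lines copied from the Oct 13 and Oct 20 HijackThis logs in this thread (subset).
LOG_OCT13 = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\c++.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O2 - BHO: (no name) - {63B1FF69-CB46-4C0C-9A74-3C92045FEFB8} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe
"""
LOG_OCT20 = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A5E9D6E-869C-4140-9C09-C3FA34134658} - C:\WINDOWS\system32\basesr.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Volume Shadow Copy VSSThemes (VSSThemes) - Unknown owner - C:\WINDOWS\system32\4dbb33d0t.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O2 - BHO: ..."

def parse(log):
    """Return (code, text) pairs for every 'Xn - ...' line of a HijackThis log."""
    pairs = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def reasons(code, text):
    """Assumed triage heuristics: why an entry deserves a closer look."""
    found = []
    if text.endswith("(file missing)") or text.endswith("(no file)"):
        found.append("target file absent")
    if code == "O2" and text.startswith("BHO: (no name)"):
        found.append("unnamed BHO")
    if code == "O23" and " - Unknown owner - " in text:
        found.append("service with unknown owner")
    if code == "F2" and "UserInit=" in text:
        progs = [p for p in text.split("UserInit=", 1)[1].split(",") if p.strip()]
        extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
        if extra:
            found.append("extra UserInit programs: " + ", ".join(extra))
    return found

def key(code, text):
    """Identity of an entry across scans: ignore case and the missing-file suffix."""
    return code, re.sub(r"\s*\(file missing\)$", "", text).lower()

def flagged(log):
    """Map entry key -> list of reasons, for entries with at least one reason."""
    result = {}
    for code, text in parse(log):
        why = reasons(code, text)
        if why:
            result[key(code, text)] = why
    return result

def persistent(before, after):
    """Flagged entries of the first scan that the second scan still lists."""
    still = {key(c, t) for c, t in parse(after)}
    return sorted(k for k in flagged(before) if k in still)

if __name__ == "__main__":
    for code, text in persistent(LOG_OCT13, LOG_OCT20):
        print(code, text)
```

On these lines the persistent set contains the basesr.dll BHO that wolterl reports as reappearing, plus two service registrations that outlived their files; an entry whose file is gone but whose registry value remains still shows up in the next scan.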