How do I remove spyware if the machine cannot be started in safe mode? The machine just reboots.

One starting point would be to remove the HDD and either 'slave' it off another computer or use an IDE/SATA USB connector.

Either way, connect the HDD to another computer and use that AV to scan it.
There are also a variety of on-line scanning tools - or download something like "MalwareBytes" to scan it with.

Hi Jsmply,

You take the hard drive out of the computer and put it into another computer as slave...and then run your scan that way...

You could also use one of the various 'Boot Disks' that are available such as DrWebCureit (http://www.freedrweb.com/cureit/) which will actually boot your system and do a good scan for you.

Are the programs such as DrWebCureIt as up to date as programs like MBAM, SAS, and Combofix are about removing spyware?  

Also, the reason I can't get into safe mode, can that be caused by the infection?

You can use as well...SuperAntiSpyware...or Combofix...
http://www.superantispyware.com/
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

You can use Ultimate Boot CD (UBCD)...you can download and burn the .iso and boot from cd...and run some of the anti-virus and malware tools from here...
http://www.ultimatebootcd.com/

Yes DrWebCureIt is kept up to date

If its spy/malware Id try this too instead of a virus checker FIRST.

Combofix

Download from here (ONLY)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Combofix is great and I'd love to use it, but how can I if I can't boot into safe mode and normal mode won't let it run because of all the windows it opens?

Dr.Web LiveCD...
http://www.freedrweb.com/livecd/

Two methods...from myself...and younghv...mentioned already...in ID: 24789784 and 24789785...the two first comments...

Normal mode boots up, but within one minute there are so many windows open that I literally can't do anything at all.  The machine is almost completely frozen.  

Challange one is getting Combofix on the desktop, then I guess your command with /killall is to kill all processes?

Is that right and safe?

Are you able to take out your hard drive and put it into another computer as slave...or do you have a IDE/SATA USB connector...mentioned by younghv?

<<<"Is that right and safe?">>>

Yes, it is very safe.
/killall switch triggers Combofix to be very aggressive and kill process on everything as well as services except for system critical processes.

Have you tried MalwareBytes - www.malwarebytes.org
You can download a free version which will deal with a lot of spyware, malware and nasties.  I use it all the time and it is a great piece of software.
If you cannot download the latest updates directly via the program, you can visit http://mbam.malwarebytes.org/database/mbam-rules.exe

alanhardisty -
Please take the time to read through all of the prior suggestions before jumping in the middle of a string.

Apologies for repeating what has been suggested, but hope the additional link might prove useful in case the nasties prevent MBAM from updating itself.
There is a free version of Avast that performs a boot-time scan and might intercept anything that would normally be removed if you were able to get into safe mode.
http://www.avast.com/eng/download-avast-home.html 

Okay this is proving difficult because immediatly upon booting into normal mode, I get about 10 seconds before I'm bombarded with zjhufhdfe.exe - DLL Initiialzied Failed and I constantly get the error speaker noise as it tries to to open this file hundreds of times.  =\  Any help?

Have you tried the suggestion in the very first post - install the HDD into another PC and scan it from there?

Hi Jsmply.

My experience is that even if you do manage to get to Windows somehow and run tons of different anti-virus/spyware programs, you have a big chance that you PC will never be the same as it was last Friday. You can spend ages scanning your machine and still end up with things popping up on your screen. My recommendation would be to take your hard drive out, connect it to another PC as a slave (it was mentioned before too), get all your personal data off it, including IE favourites, emails from Outlook if any, a DRIVERS folder if existant in C: drive and then just make a clean XP install and start from fresh.
I'm not gonna add a link How to reinstall XP, if you need it just let me know.

@Jsmply,
Even while all the junk is going on, can you open Task Manager (Ctrl-Alt-Del) - that should stay in the foreground of all applications.

If you can, do "File" "New Task (Run...)" and run the command that rpg gave you.

"%userprofile%\desktop\combofix.exe" /killall

@kirret - Everyone here understands that the final option is a "Format/Re-install", but we are posting suggestions about how to avoid doing that. And no, a properly cleaned machine will not have anything popping up on the screen.

@Jsmply,
IF you can kill all those processes, my first choice would be to run the ComboFix function. The creator of CF is working on improvements constantly and it will be your best shot at killing most malware.
If you then post your CF log, rpg can write you a script to run that should remove any left over baddies.

Hi all, thanks!  I'm really trying to avoid a format here as it has LOTS of custom applications the user does not have. I found a way to boot up!  I went to msconfig before the windows started and I choose diagnostic startup. This boots without the problems but I have no internet or USB. Can I load combofix from a CD?  Will it run okay with diagnostic startup selected?

hi,
  you can try to remove following files manually:-
Unregister Antivirus 2008 Pro DLL Files:
shlwapi.dll
wininet.dll

Stop Antivirus 2008 Pro Processes:
Antivirus 2008 Pro.lnk
Uninstall Antivirus.lnk
Antvrs.exe
Antivirus2008Pro.exe

Find and Delete these Antivirus 2008 Pro:
Antivirus2008Pro.exe
shlwapi.dll
wininet.dll
Antivirus 2008 Pro.lnk
Uninstall Antivirus 2008 Pro.lnk

Remove Antivirus 2008 Pro Registry Values:
HKEY_CURRENT_USER\Software\Antivirus
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Antivirus = %ProgramFiles%\Antivirus 2008 Pro\Antvrs.exe


If doesn't work run smith fraud fix in normal mode atleast two times. It will work for sure.

Before attempting any above step don't forget to take registry backup and set restore point.

Okay, I'm running Combofix right now under the selective startup.  It's running very fast, I guess since no processes are running.  It's rebooting now.  

Under my MSCONFIG, I see zjhufhdfe.exe in the startup hundreds of times.  I googled it and Google says it's a root kit.  Can anyone shed any light on that?  I can attached the combofix log in a few minutes.  I'm hoping to fix this tonight.  Any experts online still?  

Actually, that's assuming I can get the log off this computer.  Remember it won't read USB or the network connection in this selective startup mode.  

I got the log!  Okay, I ran Combofix in the diagnostic startup mode, let it do it's thing, then I put it back to regular startup.  The machine starts up just fine and I don't have the 120012381 error messages anymore, BUT msconfig is still full of hundreds of copies of zjhufhdfe.exe which is in c:\documen~1\melvi\locals~1\temp\zjhufhdfe.exe

They are not opening anymore, I assume that's because Combofix or Super Anti-Spyware (which I ran before Combofix) deleted the file (even though it's not in the log).  However, I still have hundreds of them checked enabled in msconfig.  Can someone review this log file from Combofix PLEASE?  RPGGamerGirl I'd really appreciate it.  I REALLY need to make sure it's right before giving the user back the machine as they are VERY hard to deal with.

Thanks!
ComboFix.txt

Okay, the computer appears to be acting normal again!  I have run full scans with Combofix, MBAM, Super Anti-Spyware, and each one removed stuff.  Now I've run Combofix again (in normal mode) now that I assume the system is clean.  Here is a copy of the latest log!  Please let me know if you see anything alarming before I return the machine to the user!  

It shows no deletions, just a warning about proquote.exe being missing?  I also got safemode back up and running, thanks RPGGamergirl!
newlog.txt

Oh and I manually disabled all of the hundred copies of zjhufhdfe.exe in msconfig startup.  They are still on the list, but they are NOT re-enabling themselves upon restart.  

c:\windows\system32\proquota.exe <-- if you can, you can also replace this file that the virus had deleted. It belongs to Profile Quota Manager which controls how much disc space is available to each specified user.
You can get replacement from these locations:
C:\Windows\$NtServicePackUninstall$
C:\Windows\ServcePackFiles\i386

Or from the Windows CD using command --> sfc /scannow

Hi Rpg, the forms folder has one word document. There is no windows/system volume information folder. Isn't that were restore points are kept?  I cleared those out yesterday. I enabled hidden files and folderd and still don't see it. I wasn't totally sure if I just copy and paste proquote.ex_ from c:/i386 since you gave a slightly different path so I didn't want to risk it so I left that alone. Does that matter?  Will it cause any errors the user will notice?  Thanks!

Oh okay, so your i386 folder you put in your C:\?
You can still get the replacement from there, that should still be okay.
<<<"There is no windows/system volume information folder. Isn't that were restore points are kept?"> >> 

Yes, but that's not the default location of the System Volume Information. I've noticed that with this infection I also see that folder but no one replies back to me for the contents yet.....I'm still waiting for someone to give me back that info.

If you have time, can you let combofix do this please? Only if you have time thanks.

Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
DirLook::
C:\forms
c:\windows\System Volume Information
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

RPG, I am so sorry. I already told the user they could start using the machine again :(  if I would have known I would have run 100 scripts for you while the machine was still at my desk. Do you think this folder you wanted to see or proquota is going to cause problems?  If so I can request the machine back. Better to do that than have it crash again and the user go nuts (she is very difficult).

No I shouldn't think so, like you said there was only a text file in the "forms" and the other one(System Volume Information) is probably only having harmless files inside otherwise Combofix would've picked it up if it housed some malicious .exes.

The proquota.exe replacement.
If she is very difficult she's not going to like  it when you take it back saying you forgot something...
IF she ever find the file is missing one day, then she could just run her Windows CD.... I mean files can get corrupted or go missing(deleted by viruses) at any time and need to be replaced that's normal. But it's up to you...

Thanks RPG, so what will not having proquote do?  Will it pop up and say its missing at one point or cause any problems in windows, disable any feautures, etc?  Sorry again I couldn't get you that lost log. Please don't take it out on my next EE post for help :) if I would have gotten your post 30 mins earlier I would have been glad too!

<<<"Please don't take it out on my next EE post for help :)">>>

Certainly not, I know you would have helped me if you could I understand, it's okay.
You've been really great and cooperative, you worked well with us. It will be a pleasure to join in your future questions. Next time I'm participating in your thread just shoot me an email so I'll reply quickly as I can be online but not always browsing at EE.

You may not realize but there are Askers that are not so nice, if you had read what an Asker had said in this thread(his comment was deleted), he arguably said NO to our requests for logs plus the "F" word as well, and wanted a quick fix to his problem, lol.
http://www.experts-exchange.com/Virus_and_Spyware/HijackThis/Q_24513305.html#a24751509 
I can understand the frustrations an Asker has(with an infected pc and all), but I think he was a bit too much lol.


About the proquota.exe, I'm not really sure it's importance, when it's needed. It says somewhere that a Disc Quota management can also be turned off.
You can try and experiment with yours, rename your proquota.exe(so like it's missing) and see how long it will take before you get an error or any windows alert about it being gone.

Here's what it says about proquota.exe
Proquota.exe, a utility that ships with Windows NT Service Pack 4, allows you to limit the hard disk space that user profiles can consume.
Check this out, it explains Profile quota manager quite well.
http://articles.techrepublic.com.com/5100-10878_11-5754321.html

Thanks so much RPG!  You have been a life saver and I can't imagine how anyone could ever be so rude to you.  I'd be glad to take you up on your e-mail offer, which address is best to use?

I also awarded a few points to Younghv as he pointed me in the right direction.  Thanks everyone who helped!  The user has not complained since returning the machine, so I assume they are in good shape!