The infection is W32/Mitglieder.HT as per F-Prot
To fix the safeboot:
Download & run this tool > SafeBootKeyRepair-CF
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply and let me know if you can access Safe Mode now?
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.
THEN
Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\ldr64.dll
C:\WINDOWS\system32\mmx432.dll
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
The files will be quarantined
One service I am unable to find any decent information about is
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
Jotti File Submission:
- Please go to Jotti's malware scan
- Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
- C:\WINDOWS\system32\e4mserv.exe
- Click on the submit button
- Please post the results in your next reply.
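
As an added example (not part of the original post, and not code from HijackThis): a small Python parser for the O20 and O23 log lines quoted above, flagging the two conditions the post acts on, a "(file missing)" marker and an "Unknown owner" service. The regular expressions and the `triage` function name are assumptions fitted to the line shapes shown in this post.

```python
import re

# Log lines copied from the post above (HijackThis sections O20 and O23).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: ldr64 - C:\WINDOWS\system32\ldr64.dll (file missing)
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\system32\mmx432.dll (file missing)
O23 - Service: E4M service (e4mservice) - Unknown owner - C:\WINDOWS\system32\e4mserv.exe
"""

# Assumed line shapes, derived only from the three lines above.
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)


def triage(log_text):
    """Return one record per O20/O23 line, with the reasons it needs review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = O20_RE.match(line) or O23_RE.match(line)
        if not match:
            continue  # other sections (O2, O4, ...) are out of scope here
        fields = match.groupdict()
        reasons = []
        if fields.get("missing"):
            # Registry entry still present, file already gone from disk.
            reasons.append("file missing")
        if fields.get("owner") == "Unknown owner":
            # No vendor shown for the service binary: scan the file itself.
            reasons.append("unknown owner")
        findings.append({
            "section": line[:3],
            "name": fields["name"],
            "path": fields["path"],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item["section"], item["name"], item["path"], item["reasons"])
```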