Hi -
I have been battling Virtumonde for over a week and can't get rid of it.

Here's my hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:14 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {d5d2eaed-f215-a25a-a4c4-598e12887013} - {31078821-e895-4c4a-a52a-512fdeae2d5d} - C:\WINDOWS\system32\rhsyhurg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5391DC2A-91CD-4EBF-9DDC-8E68340B37CE} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\qomkhee.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [c8f5af68] rundll32.exe "C:\WINDOWS\system32\xckwxvtb.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8682 bytes


Here's my Kaspersky file:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 05, 2007 12:36:38 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/11/2007
Kaspersky Anti-Virus database records: 451791
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 87617
Number of viruses found: 10
Number of infected objects: 26
Number of suspicious objects: 0
Duration of the scan process: 02:11:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator.PENELOPE\Desktop\qomkheeOLD.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\Documents and Settings\Administrator.PENELOPE\Local Settings\Temporary Internet Files\Content.IE5\GXMBOPE7\upd32_v13[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\history.dat Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\key3.db Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Nina\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Nina\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Application Data\Mozilla\Firefox\Profiles\4g7vf2lt.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\History\History.IE5\MSHist012007110520071106\index.dat Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Temp\~DF53F9.tmp Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Temp\~DFFDDC.tmp Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Temp\~WRF0000.tmp Object is locked skipped
C:\Documents and Settings\Nina\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Nina\ntuser.dat Object is locked skipped
C:\Documents and Settings\Nina\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071031-084311-288.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13F.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2FFD.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\Program Files\Online Services\hote83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\e2\caws83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\e2\caws83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\x22\c124wvr.exe.vir Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\RECYCLER\S-1-5-21-3180549725-619868621-4056032450-500\Dc8.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-3180549725-619868621-4056032450-500\Dc8.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-3180549725-619868621-4056032450-500\Dc8.exe RarSFX: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000085.exe Infected: not-a-virus:AdWare.Win32.Trymedia.b skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000101.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000102.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP5\change.log Object is locked skipped
C:\VundoFix Backups\hricyksf.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\VundoFix Backups\mydgwawa.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\VundoFix Backups\nadmhrkl.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\VundoFix Backups\qomkhee.dll.bad Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\VundoFix Backups\vgsjnhho.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4DA87C26-DAB5-4D4E-9843-A88BD1E19D4A}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\vxknbnmp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Thanks so much for any help you can give. I ran spybot in safe mode, it said all problems were fixed, but I am still getting annoying popups.

Best,
Nina

Hello NinaBeans

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.


Vundo is still present on your log and there may be more we are not seeing, let do this.

You may want to print this out so you can follow along, take your time and if your unsure of anything, do not proceed, post and I can guide you along.

We need to make sure all hidden files are showing :

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide file extensions for known types option.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Once your system is clean, we suggest that you reverse this to keep critical windows files from accidently being deleted.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

If you ran Vundofix before, delete it as its updated on a regular basis.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

Some of these may be gone already.

O2 - BHO: {d5d2eaed-f215-a25a-a4c4-598e12887013} - {31078821-e895-4c4a-a52a-512fdeae2d5d} - C:\WINDOWS\system32\rhsyhurg.dll
O2 - BHO: (no name) - {5391DC2A-91CD-4EBF-9DDC-8E68340B37CE} - C:\WINDOWS\system32\geebb.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - C:\WINDOWS\system32\qomkhee.dll (file missing)

O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

O4 - HKLM\..\Run: [c8f5af68] rundll32.exe "C:\WINDOWS\system32\xckwxvtb.dll",b

O15 - Trusted Zone: *.amaena.com




Delete the files in RED

C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\qomkhee.dll
C:\WINDOWS\system32\rhsyhurg.dll
C:\WINDOWS\system32\xckwxvtb.dll



Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up



This is important , do this before you post a new log
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe<-- Right click on Hijackthis.exe ( looks like a man with a spyglass ) and rename it to NinaBeans.exe

I need to see the Combofix log, the Vundofix log and a New HJT log with it renamed please.

Thanks so much for the help. Only, I made the mistake of not saving my vundofix file. I thought I had, but now I can't find it. When I run vundofix now, it says no problems found. :oops:

Here are the logs:

Combofix
ComboFix 07-10-30.5 - Nina 2007-11-05 23:03:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.305 [GMT -5:00]
Running from: C:\Documents and Settings\Nina\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Nina\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Nina\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Nina\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\dtheorbg.dll
C:\WINDOWS\system32\fhqkvxxv.ini2
C:\WINDOWS\system32\fhqkvxxv.tmp
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\mydgwawa.dllbox
C:\WINDOWS\system32\nadmhrkl.dllbox
C:\WINDOWS\system32\vxknbnmp.dll
C:\WINDOWS\system32\wkmuwisu.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
.

2007-11-05 23:01 340,032 --a------ C:\WINDOWS\system32\wkmuwisu.dll
2007-11-05 23:01 340,032 --a------ C:\WINDOWS\system32\wbdbdqiq.dll
2007-11-05 22:37 85,568 --a------ C:\WINDOWS\system32\mglpltnn.dll
2007-11-05 22:28 83,008 --a------ C:\WINDOWS\system32\hsrlxiis.dll
2007-11-05 13:03 83,008 --a------ C:\WINDOWS\system32\dundewyd.dll
2007-11-05 07:47 83,008 --a------ C:\WINDOWS\system32\rhsyhurg.dll
2007-11-05 03:38 83,008 --a------ C:\WINDOWS\system32\xfukxtkp.dll
2007-11-04 22:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-04 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-04 20:16 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-04 18:59 78,912 --a------ C:\WINDOWS\system32\hhoslqss.dll
2007-11-03 16:14 81,472 --a------ C:\WINDOWS\system32\lcgahdrw.dll
2007-11-03 08:42 81,472 --a------ C:\WINDOWS\system32\qarfbwac.dll
2007-11-02 10:10 82,496 --a------ C:\WINDOWS\system32\uwnodhcc.dll
2007-11-02 09:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\n7-89-o9-3r-4t-r9
2007-11-02 09:05 <DIR> d-------- C:\Documents and Settings\Nina\Application Data\GameHouse
2007-10-31 11:59 <DIR> d-------- C:\Documents and Settings\Administrator.PENELOPE\Application Data\Grisoft
2007-10-31 11:30 <DIR> d-------- C:\Documents and Settings\Nina\Application Data\Grisoft
2007-10-31 11:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-31 09:56 <DIR> d-------- C:\VundoFix Backups
2007-10-31 00:24 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 23:06 <DIR> d-------- C:\Documents and Settings\Administrator.PENELOPE\Application Data\Lavasoft
2007-10-30 19:25 <DIR> d-------- C:\Documents and Settings\Administrator.PENELOPE\Application Data\Symantec
2007-10-30 19:25 <DIR> d-------- C:\Documents and Settings\Administrator.PENELOPE\Application Data\Gtek
2007-10-30 19:21 2,346 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-30 19:20 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-30 19:20 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-30 19:20 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-30 19:20 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-30 19:20 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-30 14:09 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-30 14:09 <DIR> d-------- C:\Temp
2007-10-19 07:30 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2007-10-17 12:04 <DIR> d-------- C:\Documents and Settings\Nina\Application Data\EleFun Games
2007-10-17 11:55 <DIR> d-------- C:\Program Files\Puzzle Mania
2007-10-06 12:53 <DIR> d-------- C:\Program Files\Janes Hotel
2007-10-06 12:53 <DIR> d-------- C:\Documents and Settings\Nina\Application Data\Jane s Hotel
2007-10-06 12:12 <DIR> d-------- C:\Documents and Settings\Nina\Application Data\Legends of pirates

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-02 14:04 --------- d-----w C:\Program Files\GameHouse
2007-11-02 10:48 --------- d-----w C:\Program Files\Common Files\AOL
2007-11-02 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-11-02 05:28 --------- d-----w C:\Documents and Settings\Nina\Application Data\AOL
2007-11-02 03:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 12:34 --------- d-----w C:\Program Files\Trend Micro
2007-10-31 12:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-31 04:48 --------- d-----w C:\Program Files\KingdomElemental_at
2007-10-24 12:00 --------- d-----w C:\Program Files\Dl_cats
2007-10-19 13:36 --------- d-----w C:\Program Files\Shockwave.com
2007-10-07 18:31 --------- d-----w C:\Program Files\StoneofDestiny_at
2007-10-07 18:30 --------- d-----w C:\Program Files\KudosRockLegend_at
2007-10-07 18:22 --------- d-----w C:\Program Files\EscapefromParadise_at
2007-10-07 18:21 --------- d-----w C:\Program Files\Aveyond_atq
2007-10-04 23:16 --------- d-----w C:\Documents and Settings\Mickey\Application Data\HP
2007-10-04 21:41 --------- d-----w C:\Documents and Settings\Nina\Application Data\HP
2007-10-04 21:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WEBREG
2007-10-04 21:38 --------- d-----w C:\Program Files\HP
2007-10-04 21:38 --------- d-----w C:\Program Files\Common Files\HP
2007-10-04 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
2007-10-04 21:35 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-04 21:35 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2007-10-04 21:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Hewlett-Packard
2007-10-01 21:31 --------- d-----w C:\Documents and Settings\Nina\Application Data\Move Networks
2007-09-17 18:40 35,856 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-09-17 18:40 202,768 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-09-17 18:31 1,126,072 ----a-w C:\WINDOWS\system32\drivers\VsapiNT.sys
2007-09-17 04:25 --------- d-----w C:\Program Files\Azada_at
2007-09-17 04:25 --------- d-----w C:\Program Files\Azada
2007-09-17 04:24 --------- d-----w C:\Program Files\MysteryoftheMummy_at
2007-09-17 04:23 --------- d-----w C:\Program Files\DefenderoftheCrown_at
2007-09-17 04:23 --------- d-----w C:\Program Files\AliceGreenFingers_at
2007-09-11 21:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\HipSoft
2007-09-11 21:28 --------- d-----w C:\Program Files\Build-a-lot
2007-09-08 21:48 --------- d-----w C:\Documents and Settings\Nina\Application Data\Big Fish Games
2007-09-07 22:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Oberon Games
2007-08-27 18:51 5,642 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-22 12:55 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 12:55 665,600 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 12:55 617,984 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 12:55 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 12:55 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 12:55 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 12:55 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 12:55 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 12:55 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 12:55 3,064,832 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 12:55 251,904 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 12:55 205,824 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 12:55 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 12:55 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 12:55 1,498,112 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 12:55 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:19 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-04-05 05:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-12-01 02:29:01 88 --sh--r C:\WINDOWS\system32\24EBBDC26C.sys
.

((((((((((((((((((((((((((((( snapshot@2007-10-31_ 2.47.37.31 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 22:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-03-02 14:15:08 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
+ 2007-11-02 05:47:44 25,214 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A70900000002}\SC_Reader.exe
+ 2005-05-24 17:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 20:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 20:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2007-10-10 12:53:55 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-05 17:54:39 54,682 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-10 12:53:55 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-05 17:54:39 385,164 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-07-22 22:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{332d76fc-2ff5-4382-9649-fab16c771880}]
2007-11-05 22:28 83008 --a------ C:\WINDOWS\system32\hsrlxiis.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-05 23:01 340032 --a------ C:\WINDOWS\system32\wkmuwisu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wkmuwisu.dll [2007-11-05 23:01 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wkmuwisu.dll [2007-11-05 23:01 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 18:48]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 23:30 C:\WINDOWS\stsystra.exe]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 16:42]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 15:30]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2006-06-22 09:48]
"c8f5af68"="C:\WINDOWS\system32\mglpltnn.dll" [2007-11-05 22:37]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 18:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wkmuwisu]
wkmuwisu.dll 2007-11-05 23:01 340032 C:\WINDOWS\system32\wkmuwisu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geebb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
"C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"C:\Program Files\Dell Support\DSAgnt.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLCFCATS]
rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1171227608\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ModemOnHold]
C:\Program Files\NetWaiting\netWaiting.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
"C:\Program Files\Norton Ghost\Agent\GhostTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)

R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
S3 netrcacm;RCA USB based Digital Cable Modem Win2000 Driver;C:\WINDOWS\system32\DRIVERS\netrcacm.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt hpqcxs08 hpqddsvc

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 23:14:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 23:16:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-31 01:49
.
--- E O F ---

the new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:31 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\HijackThis\ninabeans.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {088177c6-1baf-9469-2834-5ff2cf67d233} - {332d76fc-2ff5-4382-9649-fab16c771880} - C:\WINDOWS\system32\hsrlxiis.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - C:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [c8f5af68] rundll32.exe "C:\WINDOWS\system32\mglpltnn.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {FA945BB6-9D37-43FC-9B2A-AF09F56CBBF0} (moDiagCollectionActiveX Object) - http://yme.music.yahoo.com/qos/cabs/DiagCollectionControl.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 8126 bytes

Good Morning Nina.

Almost there.
C:\vundofix.txt <-- you can find the Vundo report here but if you say if found nothing than not to worry.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



files::
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\wkmuwisu.dll
C:\WINDOWS\system32\wbdbdqiq.dll
C:\WINDOWS\system32\mglpltnn.dll
C:\WINDOWS\system32\hsrlxiis.dll
C:\WINDOWS\system32\dundewyd.dll
C:\WINDOWS\system32\rhsyhurg.dll
C:\WINDOWS\system32\xfukxtkp.dll
C:\WINDOWS\system32\hhoslqss.dll
C:\WINDOWS\system32\lcgahdrw.dll
C:\WINDOWS\system32\qarfbwac.dll
C:\WINDOWS\system32\uwnodhcc.dll

Folder::
C:\VundoFix\Backups


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{332d76fc-2ff5-4382-9649-fab16c771880}]
2007-11-05 22:28 83008 --a------ C:\WINDOWS\system32\hsrlxiis.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-05 23:01 340032 --a------ C:\WINDOWS\system32\wkmuwisu.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wkmuwisu.dll [2007-11-05 23:01 340032]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wkmuwisu.dll [2007-11-05 23:01 340032]

[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wkmuwisu]
wkmuwisu.dll 2007-11-05 23:01 340032 C:\WINDOWS\system32\wkmuwisu.dll


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

This topic has been archived due to inactivity.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.