Hello, I am trying to help a friend clean his laptop. I've scanned a few times in safemode with Spybot, but cannot get rid of Virtumonde, Virtumonde.dll, and Zlob.DNSChanger.Rtk. I also did a scan with Kaspersky and HJT and will post the results of the 2 log files below. Can someone please help? Thanks!

Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 09, 2008 8:56:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/04/2008
Kaspersky Anti-Virus database records: 692913
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 33970
Number of viruses found: 13
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 00:44:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008040920080410\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\zfe1.exe Infected: not-virus:Hoax.Win32.Renos.bii skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\K7OSMKUL\kriv[1] Infected: Packed.Win32.Monder.gen skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Shared\jan dean.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe Infected: not-a-virus:FraudTool.Win32.SpyHeal.l skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093807.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093809.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093824.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093826.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093832.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093834.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093847.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093849.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093950.exe Infected: Trojan-Downloader.Win32.Zlob.kmd skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093954.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093955.dll Infected: Trojan-Downloader.Win32.Zlob.kki skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093956.exe Infected: Trojan-Downloader.Win32.Zlob.klf skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094019.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094020.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094021.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094022.dll Infected: Trojan-Downloader.Win32.Agent.mdt skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094195.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094197.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094198.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094199.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\209789\209789.dll Infected: not-a-virus:AdWare.Win32.E404.w skipped
C:\WINDOWS\system32\375013\375013.dll Infected: not-a-virus:AdWare.Win32.E404.t skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cxajlrdp.dll_old Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\fccywxxw.dll_old Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hlhwbugw.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\rqRJbYqO.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:00 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [BM07474a41] Rundll32.exe "C:\WINDOWS\system32\yktrbkwy.dll",s
O4 - HKLM\..\Run: [047479dd] rundll32.exe "C:\WINDOWS\system32\hlhwbugw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133729400359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1207715245_c9909eb0a79e4953c5b52d1995ebccfc&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B26DD7-C2CC-4643-BC33-8677C43E71DD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O22 - SharedTaskScheduler: bimaculate - {d70e9b0f-aabc-4066-8176-c6de84d92fa1} - C:\WINDOWS\system32\kknwg.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7784 bytes

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

Your friend has a mess, multiple infections, let's see if we can kill any of the junk Kaspersky found first.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\ <<< delete the contents of the TIF folder

C:\Documents and Settings\Administrator\Shared\jan dean.mp3 <<< delete the infected mp3

Start > Control Panel > Add remove Programs and uninstall VirusHeat 4.3 if there.
C:\Program Files\VirusHeat 4.3\VirusHeat 4.3.exe

(delete the files/folders in red)
C:\WINDOWS\system32\209789\ <<< folder
C:\WINDOWS\system32\375013\ <<< folder
C:\WINDOWS\system32\cxajlrdp.dll_old <<< file
C:\WINDOWS\system32\fccywxxw.dll_old <<< file
C:\WINDOWS\system32\hlhwbugw.dll <<< file
C:\WINDOWS\system32\rqRJbYqO.dll <<< file

If you have problems with those, try this tool and instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
(let me know about any file you could not remove, they must go before we are done)

System Restore is infected also so do not use it until we clean it later.

1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT.exe, call it shwabo.exe, that will work. After a restart we may be able to see the infection.

2) Thanks to LonnyBJones and anyone else who helped with this fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to yourDesktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads post the text that will open (report.txt) and a new Hijackthis log in the forum please.

(wait until you are finished to post logs and reports)

3) Thanks to Atribune and any others who helped with this fix.

Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Follow these directions starting at: Normal Usage for Removal
http://vundofix.atribune.org/

Vundofix.txt will be on the C:\

Restart and post the report from Vundofix, the report from Fixwareout and a new HJT log.

Thanks...Phil

First off thank you very much for helping me with this "mess". I really apreciate it. :) OK. So I was able to do everything up to deleting rqRJbYqO.dll. I tried safe mode (that's how I got hlhwbugw.dll to go) that didn't work, and I tried renaming HJT to Shwabo (because it would just close) and using the delete on reboot tool. Still there. Can't get rid of that file. I don't want to move further (skip that file for now) unless you tell me it's ok to do so. Thanks again for your help!

Please continue with all of the instructions, post the logs and reports I requested and then tell me about any issues you had trying to complete the instructions. If something did not get completed in the instructions, I will know that when I see the reports. This cleanup is going to take a while.

Thanks...Phil

OK. I was able to complete everything. Here are the log files.

FixWareOut Log:

Username "Charlie" - 04/11/2008 18:53:04 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdqvo.exe"

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....
~~~~~ Other
C:\WINDOWS\Temp\kdqvo.ren 78336 06/13/2007

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_05\\bin\\jusched.exe\""
"047479dd"="rundll32.exe \"C:\\WINDOWS\\system32\\hlhwbugw.dll\",b"
"BM07474a41"="Rundll32.exe \"C:\\WINDOWS\\system32\\yktrbkwy.dll\",s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

VundoFix Log:

VundoFix V7.0.3

Scan started at 8:06:33 PM 4/11/2008

Listing files found while scanning....

C:\WINDOWS\system32\yktrbkwy.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yktrbkwy.dll
C:\WINDOWS\system32\yktrbkwy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yktrbkwy.dll
C:\WINDOWS\system32\yktrbkwy.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:29:34 PM, on 4/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\HijackThis\Shwabo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6392ECA2-402E-4630-A303-122A7A9F842B} - C:\WINDOWS\system32\fccywxxw.dll (file missing)
O2 - BHO: {546ea1a4-3b62-389a-bf44-023a5261cd96} - {69dc1625-a320-44fb-a983-26b34a1ae645} - C:\WINDOWS\system32\scwuqigj.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\rqRJbYqO.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: (no name) - {D23C1969-70AF-45A1-A462-C2BAFE67CD61} - C:\WINDOWS\system32\fccdedAr.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [047479dd] rundll32.exe "C:\WINDOWS\system32\hlhwbugw.dll",b
O4 - HKLM\..\Run: [BM07474a41] Rundll32.exe "C:\WINDOWS\system32\yktrbkwy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133729400359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1207715245_c9909eb0a79e4953c5b52d1995ebccfc&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B26DD7-C2CC-4643-BC33-8677C43E71DD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: rqRJbYqO - C:\WINDOWS\SYSTEM32\rqRJbYqO.dll
O22 - SharedTaskScheduler: bimaculate - {d70e9b0f-aabc-4066-8176-c6de84d92fa1} - C:\WINDOWS\system32\kknwg.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8501 bytes

Thanks for returning your information and the feedback, proceed like this.

1) C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the "Select Files" Window opens copy and paste the file/s one at a time in the "File Name:" box and click Open to add them. When then are all added right click the Windows and choose "Select All" then "Fix Vundo".

(files to add)

C:\WINDOWS\system32\scwuqigj.dll
C:\WINDOWS\system32\rqRJbYqO.dll
C:\WINDOWS\system32\fccdedAr.dll
C:\WINDOWS\system32\hlhwbugw.dll
C:\WINDOWS\system32\fccdedAr.dll

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: (no name) - {6392ECA2-402E-4630-A303-122A7A9F842B} - C:\WINDOWS\system32\fccywxxw.dll (file missing)
O2 - BHO: {546ea1a4-3b62-389a-bf44-023a5261cd96} - {69dc1625-a320-44fb-a983-26b34a1ae645} - C:\WINDOWS\system32\scwuqigj.dll
O2 - BHO: (no name) - {826A5ED9-1316-4EFD-87F8-AA400C5D551A} - C:\WINDOWS\system32\rqRJbYqO.dll
O2 - BHO: (no name) - {D23C1969-70AF-45A1-A462-C2BAFE67CD61} - C:\WINDOWS\system32\fccdedAr.dll
O4 - HKLM\..\Run: [047479dd] rundll32.exe "C:\WINDOWS\system32\hlhwbugw.dll",b
O4 - HKLM\..\Run: [BM07474a41] Rundll32.exe "C:\WINDOWS\system32\yktrbkwy.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{86B26DD7-C2CC-4643-BC33-8677C43E71DD}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D7FD457-30C5-4EB0-96CF-756D5DE337C0}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: rqRJbYqO - C:\WINDOWS\SYSTEM32\rqRJbYqO.dll
O22 - SharedTaskScheduler: bimaculate - {d70e9b0f-aabc-4066-8176-c6de84d92fa1} - C:\WINDOWS\system32\kknwg.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\scwuqigj.dll
C:\WINDOWS\system32\rqRJbYqO.dll
C:\WINDOWS\system32\fccdedAr.dll
C:\WINDOWS\system32\hlhwbugw.dll
C:\WINDOWS\system32\fccdedAr.dll

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and your feedback.

Thanks

OK. I was able to goto Add/Remove and remove Viewpoint Toolbar, Viewpoint Media Player, and Viewpoint Manager. I then went to Program Files and deleted the Viewpoint Folder. I then ran the Vundo Fix and added the listed files, however there was no C:\WINDOWS\system32\hlhwbugw.dll and C:\WINDOWS\system32\fccdedAr.dll was listed twice. I still cannot remove C:\WINDOWS\system32\rqRJbYqO.dll either manually or through VundoFix so it is still there. For HJT there was no O20 - Winlogon Notify: rqRJbYqO - C:\WINDOWS\SYSTEM32\rqRJbYqO.dll, however that dll is still present in the System32 folder. ATF Cleaner said it ran successfully. I did notice 010 in the New HJT log, but am not sure if it's legit or not. AVG is still disabled, should I uninstall it and reinstall it? Here are the Logs. Thanks!

VundoFix:


VundoFix V7.0.3

Scan started at 8:06:33 PM 4/11/2008

Listing files found while scanning....

C:\WINDOWS\system32\yktrbkwy.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yktrbkwy.dll
C:\WINDOWS\system32\yktrbkwy.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yktrbkwy.dll
C:\WINDOWS\system32\yktrbkwy.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\fccdedAr.dll
C:\WINDOWS\system32\fccdedAr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqRJbYqO.dll
C:\WINDOWS\system32\rqRJbYqO.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\scwuqigj.dll
C:\WINDOWS\system32\scwuqigj.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Beginning removal...

Beginning removal...

HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:26 PM, on 4/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\Shwabo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133729400359
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1207715245_c9909eb0a79e4953c5b52d1995ebccfc&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6269 bytes

Thanks for returning your information and the feedback, that is a clean HJT log:bigthumb: how is the computer running?

AVG is still disabled, should I uninstall it and reinstall it? I run that myself, it may be that it needs to update, try that first. Once you update the database it should start working. If not, then you may need to do what you said, but try updating it first.

Remove Vundofix and the C:\Vundofix Backups\ folder first then run a new Kaspersky Online Scan using these settings.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. (expect some infected files, we have System Restore to clean yet)

Thanks

Thanks! The computer runs much better. I had to uninstall AVG because I think it somehow got corrupt. I tried updating it first as you suggested, but it was not responding so I uninstalled. I did the scan with Kaspersky and here is the log. I will reinstall AVG after we are done cleaning house unless you say it's ok to install now. Thanks again! :2thumb:

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 7:24:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 628600
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31427
Number of viruses found: 9
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 00:38:17

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093807.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093809.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093824.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093826.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093832.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093834.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093847.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093849.exe Infected: Trojan-Downloader.Win32.Zlob.kkl skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093950.exe Infected: Trojan-Downloader.Win32.Zlob.kmd skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093954.exe Infected: Trojan-Downloader.Win32.Zlob.kkb skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093955.dll Infected: Trojan-Downloader.Win32.Zlob.kki skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093956.exe Infected: Trojan-Downloader.Win32.Zlob.klf skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP151\A0093957.exe Infected: not-virus:Hoax.Win32.Gavec.as skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094019.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094020.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094021.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP152\A0094022.dll Infected: Trojan-Downloader.Win32.Agent.mdt skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094195.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094197.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094198.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094199.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP154\A0094279.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP155\A0094412.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{11E43D96-0F35-4D7C-9863-330F3C005C34}\RP157\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\cbikphkg.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\fdoirjje.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\rqRJbYqO.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\swolptho.dll Infected: Trojan.Win32.KillAV.rf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

Scan process completed.

Just not a good idea to even be online without an antivirus program.

KASPERSKY ONLINE SCANNER REPORT Saturday, April 12, 2008 7:24:02 PM

Makes sure you are still showing all files and folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

(delete the files in red)

C:\WINDOWS\system32\cbikphkg.dll
C:\WINDOWS\system32\fdoirjje.dll
C:\WINDOWS\system32\rqRJbYqO.dll
C:\WINDOWS\system32\swolptho.dll

If they give you any trouble use this tool and instructions:
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

Once they are deleted, empty the Recycle Bin on the Desktop

Restart the computer

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Let me know if all goes well.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

OK. All went well. The computer is running great now. I will do the Critical Windows Updates, put AVG back in and give it back to my friend. I just wanted to thank you again for all your time, patience and help with this "infestation". You my friend are a saint and a scholar. God bless! :angel: