i have searched all kinds of solutions for this vundo thing including here but im sure there is still this virus coz there are tmp files getting created in my documents folder . plus there is a red cross that appears on my c drive ( which does not in safe mode)

tried the following
vundofix--deleted some variants twice
spy sweeper
vundo fix tool from symantec in safe mode-never found anything ever
windows registry repair
xp repair

it just wont go. i dont want to try hijack this

can someone please help me i am dying beyond my means.

xtreme work is rest

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.

COMBOFIX log:::
------------------
ComboFix 07-11-08.1 - Administrator 2007-11-18 21:10:33.1 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.601 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FMTR

((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.

2007-11-18 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 13:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 13:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Program Files\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-11-18 13:14 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-18 13:14 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-18 13:14 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-18 13:14 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-18 13:14 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-18 13:14 164 --a------ C:\install.dat
2007-11-18 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2007-11-18 01:30 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-18 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 01:22 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-18 00:09 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2007-11-17 22:56 87,104 --a------ C:\WINDOWS\system32\wyudeebr.dll
2007-11-17 22:56 78,400 --a------ C:\WINDOWS\system32\nxqciqel.dll
2007-11-17 22:53 216,160 --a------ C:\WINDOWS\system32\fgfiyfad.dll
2007-11-17 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 20:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 20:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-16 22:53 78,400 --------- C:\WINDOWS\system32\wmydverm.dll
2007-11-15 22:00 78,400 --a------ C:\WINDOWS\system32\ypvexngf.dll
2007-11-14 21:59 78,400 --a------ C:\WINDOWS\system32\ttlqqxps.dll
2007-11-13 21:22 78,400 --a------ C:\WINDOWS\system32\bhngujwn.dll
2007-11-12 21:02 78,400 --a------ C:\WINDOWS\system32\dnrwwflg.dll
2007-11-11 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-11-11 11:41 216,160 --a------ C:\WINDOWS\system32\poratyyb.dll
2007-11-11 11:39 78,400 --a------ C:\WINDOWS\system32\ubfxarwb.dll
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-10 11:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-10 11:04 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-10 02:16 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-10 02:09 <DIR> d-------- C:\WINDOWS\system32\rev3
2007-11-10 02:09 <DIR> d-------- C:\WINDOWS\system32\dn5
2007-11-10 02:08 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-10 02:08 <DIR> d-------- C:\Temp\abW9
2007-10-27 16:49 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-27 16:36 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Real
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-19 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2007-09-30 19:28 --------- d-----w C:\Program Files\KLC
2007-09-21 22:16 --------- d-----w C:\Program Files\Viewpoint
2007-09-21 22:16 --------- d-----w C:\Program Files\AOD
2007-09-21 22:16 --------- d-----w C:\Program Files\AIM
2007-09-21 22:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-09-19 14:11 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-19 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Scooter Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17EF9054-7ADA-482F-9F49-6EE94CDA3D58}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9889F34D-BF64-42C0-9E10-3711AE54FF5C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a184534b-b30a-44ea-9ebe-71f4b710b8da}]
2007-11-17 22:56 78400 --a------ C:\WINDOWS\system32\nxqciqel.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F70487A9-0E6E-4409-389A-E26780A41BFD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22]
"4871f5fd"="C:\WINDOWS\system32\wyudeebr.dll" [2007-11-17 22:56]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 12:57]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [2007-07-04 04:51]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebyy.dll

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows
S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);C:\WINDOWS\system32\DRIVERS\qcusbmdm.sys
S3 qcusbser;Qualcomm Diagnostic Port 3197;C:\WINDOWS\system32\DRIVERS\qcusbser.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba078b5-426f-11dc-aa5f-00197e952ae2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-18 13:15:00 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 21:16:21
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-18 21:17:08 - machine was rebooted
.
--- E O F ---
------------

HJT LOG::::::
-------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:20 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\TEMP\BV3718.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\{A589D32F-AF08-419E-8FE8-1714A8697E8A}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [XPRepairPro2007] "C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7483 bytes
--------

Thanks for the amazingly quick follow up. i luv this site.

xtreme work is rest

Temporarily disable any of the following anti-spyware realtime protection programs that you may have Disable Realtime Protection or the fixes will not work. Be sure to turn yout anti-spyware programs back on once the computer is clean.

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\ypvexngf.dll
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\wyudeebr.dll,b
C:\WINDOWS\TEMP\BV3718.EXE

Folder::
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\rMa01yy
C:\Temp\abW9

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17EF9054-7ADA-482F-9F49-6EE94CDA3D58}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9889F34D-BF64-42C0-9E10-3711AE54FF5C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a184534b-b30a-44ea-9ebe-71f4b710b8da}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F70487A9-0E6E-4409-389A-E26780A41BFD}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0

Driver::
MSControlService

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Post a new Hijack This log and a new Combofix log please.

This time there was one dll error and one window popping up saying something could not be run...
here's the coombofix log:

--------------------
ComboFix 07-11-08.3 - Administrator 2007-11-19 22:15:09.2 - [color=red][b]FAT32[/b][/color]x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.595 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Documents and Settings\Administrator\ResErrors.log
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\wyudeebr.dll,b
C:\WINDOWS\system32\x2
C:\WINDOWS\system32\ypvexngf.dll
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2
C:\WINDOWS\TEMP\BV3718.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\abW9
C:\Temp\abW9\tOasF.log
C:\WINDOWS\system32\bhngujwn.dll
C:\WINDOWS\system32\dn5
C:\WINDOWS\system32\dnrwwflg.dll
C:\WINDOWS\system32\fgfiyfad.dll
C:\WINDOWS\system32\nxqciqel.dll
C:\WINDOWS\system32\poratyyb.dll
C:\WINDOWS\system32\rev3
C:\WINDOWS\system32\rev3\revdrive33b.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\ttlqqxps.dll
C:\WINDOWS\system32\ubfxarwb.dll
C:\WINDOWS\system32\wmydverm.dll
C:\WINDOWS\system32\wyudeebr.dll
C:\WINDOWS\system32\ypvexngf.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_MSCONTROLSERVICE
-------\MSControlService

((((((((((((((((((((((((( Files Created from 2007-10-19 to 2007-11-19 )))))))))))))))))))))))))))))))
.

2007-11-18 21:07 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-18 13:33 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2007-11-18 13:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Program Files\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2007-11-18 13:14 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Webroot
2007-11-18 13:14 1,526,072 --a------ C:\WINDOWS\WRSetup.dll
2007-11-18 13:14 163,640 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-11-18 13:14 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-11-18 13:14 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-11-18 13:14 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2007-11-18 13:14 164 --a------ C:\install.dat
2007-11-18 13:08 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2007-11-18 01:30 <DIR> d-------- C:\Program Files\XP Repair Pro 2007
2007-11-18 01:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 01:22 <DIR> d-------- C:\Program Files\SmartPCTools
2007-11-18 00:09 34,308 --a------ C:\WINDOWS\system32\Chip.dll
2007-11-17 20:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-17 20:13 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-17 20:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-11 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 17:24 <DIR> d-------- C:\Program Files\CCleaner
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 11:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-10 11:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-10 11:13 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-10 11:04 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-11-10 02:16 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-27 16:49 1,156 --a------ C:\WINDOWS\mozver.dat
2007-10-27 16:36 0 --a------ C:\WINDOWS\nsreg.dat
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Real
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-21 02:46 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-19 22:52 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 00:18 --------- d-----w C:\Documents and Settings\Administrator\Application Data\mIRC
2007-09-30 19:28 --------- d-----w C:\Program Files\KLC
2007-09-21 22:16 --------- d-----w C:\Program Files\Viewpoint
2007-09-21 22:16 --------- d-----w C:\Program Files\AOD
2007-09-21 22:16 --------- d-----w C:\Program Files\AIM
2007-09-21 22:16 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Aim
2007-09-19 14:11 --------- d-----w C:\Program Files\Beyond Compare 2
2007-09-19 14:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Scooter Software
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" [2005-11-17 19:49]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2007-03-16 18:10]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22]
"4871f5fd"="rundll32.exe" [2004-08-03 19:26 C:\WINDOWS\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-10-01 16:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 19:26]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-08-30 17:43]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-15 12:57]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [2007-07-04 04:51]

R0 SSFS0BB9;Spy Sweeper File System Filer Driver: 0BB9;C:\WINDOWS\system32\Drivers\SSFS0BB9.SYS
S3 qcusbmdm;Qualcomm Proprietary USB Driver (PID 3197);C:\WINDOWS\system32\DRIVERS\qcusbmdm.sys
S3 qcusbser;Qualcomm Diagnostic Port 3197;C:\WINDOWS\system32\DRIVERS\qcusbser.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8ba078b5-426f-11dc-aa5f-00197e952ae2}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
\Shell\Open(0)\command - Recycled\ctfmon.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-19 22:06:56 C:\WINDOWS\Tasks\wrSpySweeperTrialSweep.job"
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-19 22:18:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-19 22:20:45 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-18 21:17
.
--- E O F ---
--------

Here's the hjt log :::

--------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:31 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\TEMP\EW2847.EXE
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 7611 bytes

-

Thanks for the help. i really appreciate it. There is still this red coloured cross on the my computer icon.

xtreme work is rest

sry thrs a red cross in place of the c drive icon.

xtreme work is rest

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Make sure spysweeper is turned off.

Run Hijack This,close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O4 - HKLM\..\Run: [4871f5fd] "rundll32.exe" "C:\WINDOWS\system32\wyudeebr.dll",b

Open Notepad and copy/paste everything between the X"s into it and make sure "File::" is at the very top of the page.

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\TEMP\EW2847.EXE
C:\WINDOWS\system32\wyudeebr.dll

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop) if combofix does not auto start click "run".

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Hijack this log please.

hi, i tdid the hjt thing and then proceeded to do the combofix thing, but combofix keeps saying your copy has expired and then uinstalls itself. i had this problem once earlier but downloading from the other site had helped.

Now it doesnt help where i download combofix from. it just pops out that error message.:(

xtreme work is rest

Just post the Hijack This log ploease.

oooo....here it is
HJT log::::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:01 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\OfficeScan Client\Pop3Trap.exe
C:\WINDOWS\TEMP\ZHEDDC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mybeat.techmahindra.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mybeat.techmahindra.com
O16 - DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} (F5 Networks CacheCleaner) - https://vg.aramco.com/vdesk/cachecleaner.cab#version=6010,2007,0726,1517
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vg.aramco.com/vdesk/terminal/InstallerControl.cab
O16 - DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} (F5 Networks Policy Agent Host Class) - https://vg.aramco.com/vdesk/terminal/f5InspectionHost.cab#version=6010,2007,0726,1518
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vg.aramco.com/vdesk/terminal/urTermProxy.cab#version=6010,2007,0726,1516
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://vg.aramco.com/vdesk/terminal/msrdp.cab#version=5,2,3790,0
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vg.aramco.com/vdesk/terminal/urxhost.cab#version=6010,2007,0726,1519
O16 - DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} (F5 Networks OS Policy Agent) - https://vg.aramco.com/policy/download_binary.php/win32/f5syschk.cab#Version=6010,2007,0223,0322
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\Software\..\Telephony: DomainName = TechMahindra.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = TechMahindra.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = TechMahindra.com
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: OfficeScanNT Personal Firewall (OfcPfwSvc) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\OfcPfwSvc.exe
O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 6889 bytes

xtreme work is rest

hi pleeese help its that red cross in place of the c drive icon that gets me really worried...plus there are no more errors at the start,,and no more temp files being created as far as i know....

is it because of bad sectors?

xtreme work is rest

Sorry for the delay, sick family member.

Does the red x look like an artist paint brush may have made it?

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files. Once the files are downloaded click on Next
Click on Scan Settings and configure as follows:
Scan using the following Anti-Virus database:
Extended Scan Options:
Scan Archives
Scan Mail Base
When the scan is done, in the Scan is completed window , any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As
Next, in the Save as prompt, Save in area, select: Desktop
In the File name area, use Kaspersky, or something similar
In Save as type, click the drop arrow and select: Text file [*.txt]
Then, click: Save
Please post the Kaspersky Online Scanner Report in your reply.

yes it looks like an artists paintbrush might have made it....i'll respond back real quick once i get the online virus scan done.

xtreme work is rest

this is the kappersky report:

---------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 23, 2007 12:00:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/11/2007
Kaspersky Anti-Virus database records: 464251
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 52481
Number of viruses found: 1
Number of infected objects: 6
Number of suspicious objects: 0
Duration of the scan process: 01:37:25

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{84DC6BBC-6C43-4241-9DAA-DA45FA404724}.bin Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RAdmin\R_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\RAdmin\Radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Trend Micro\OfficeScan Client\ConnLog\Conn_20071123.log Object is locked skipped
C:\System Volume Information\_restore{C068BF58-E786-4A60-A869-014FF40E884D}\RP2\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

............

Some remote admin virus thing it says...:( sadly the name seems to be not-a-virus

xtreme work is rest

Set up the computer to view hidden files by going to start>control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the box beside "hide extensions of known file types" and "hide protected system operating files">apply>ok.

Navigate to C:\Autorun.inf open it, copy/paste its contents (if anything) into the comment box and post it please.

thnks for the reply.

thrs no autorun.inf in the c drive. i searched c drive and found two autoruns at two different places in c:/dell/drivers/<folder>
they had the following entry:

[autorun]
open=setup.exe

There is an autoexec.bat file in c drive but it is empty.

xtreme work is rest

Go to start> run> type in regedit> ok. Click edit> find> type in shell32.dll,123 > find next.

This should take you to the current drive default icon. Try this and let me know if this is correct but do not make any changes yet. The path would be:

HKEY_CLASS_ROOT\Drive\DefaultIcon

To exit the registry click file> exit or you can click the - signs to the right of the open keys untill you are back to "My computer" then click the X at the top right of the screen.

hi shell32.dll,123 doesnt take me to the default drive icon, it says no entry found.

i did check he folder heirarchy u mentioned, and sure enuf theres a key for the default icon which is

%SystemRoot%\System32\shell32.dll,8

does that help?

xtreme work is rest

That is the correct data value for the standard c: drive icon. I'll continue look for a solution.

hi any updates??

xtreme work is rest

I'm still working on it, keep me reminded. Alert me if I don't get back to you in a day or two.

darn this weird icon,....i wonder why it has to be me.......[:(]

xtreme work is rest

Thanks, jabuck. You got me on the right track for finding the stupid icon. I had manually removed the rest of the Vundo/Virtumonde crap, but was still stuck with the red X for my C: icon.

I found that the X was icon #131 in shell32.dll, so I was able to search for that and find the location that Vundo uses.

poggendroff, you want to look in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons\ (or search for "shell32.dll,131"). You can delete the whole "c" key under DriveIcons to get rid of the annoying icon.

THANKS!!

xtreme work is rest