Ok, I can see that you are having fun trying, so I'll give you a gentle shove in what I think is the right direction: did you get your vundofix from here? It won't hurt to delete your copy n get a fresh one....
http://www.atribune.org/ccount/click.php?id=4
Run it in Safe Mode.
Next use hijackthis to fix this entry:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Sm9obg\command.exe (file missing)
Finally go start, run, type cmd and OK. Paste this next line into the window at the prompt, enter it and close.

sc delete cmdService

Say how you get on.... post the vundo log for me, plus a fresh HT scan.
[hxds.dll is a legit M$ file...]

Gerbil,

Brilliant! But alas... the original vermin has not been exterminated.

First, I too thought of Vundo when I first saw this behavior. Apparently my version of the patch was about a year old. Running the new one (see log below) did indeed remove some infected files.

Second, as excited as I am about this discovery, I am still plagued with the seemingly immortal hhmjhhm.dll files. After performing all of your prescribed steps, neither HJT (see log below) nor Security Task Manager are able to remove them... not even on reboot. If you have any further ideas I'll be waiting on the proverbial pins and needles.

Third, thanks for reminding me how to run the Service Controller (I haven't used sc since my old NT 4.0 days). Not only did I remove cmdService, but also an old remnant of a hex editor. There is still an entry for SQL server hanging around that I'd like to nuke, but I haven't managed to get a name for it that sc recognizes. Is there a way to list all services by name? The new version of sc seems to require a specific name before you can access its database.

Thanks again for the help.

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:01 AM, on 8/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sc.exe
C:\packages\VerminTools\JackThis.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - c:\windows\system32\hhmjhhm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: watfykcr - C:\WINDOWS\SYSTEM32\hhmjhhm.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

VundoFix log:


VundoFix V6.3.6
Checking Java version...
Scan started at 2:29:43 PM 2/10/2007
Listing files found while scanning....
C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\system32\gdqjosko.dll
C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\system32\xxyvv.dll
Beginning removal...
Attempting to delete C:\WINDOWS\SYSTEM32\coleoeou.ini
C:\WINDOWS\SYSTEM32\coleoeou.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\fgwgrewt.dll
C:\WINDOWS\SYSTEM32\fgwgrewt.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\twergwgf.ini
C:\WINDOWS\SYSTEM32\twergwgf.ini Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\uoeoeloc.dll
C:\WINDOWS\SYSTEM32\uoeoeloc.dll Has been deleted!
Attempting to delete C:\WINDOWS\SYSTEM32\wvuussr.dll
C:\WINDOWS\SYSTEM32\wvuussr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyvv.dll
C:\WINDOWS\system32\xxyvv.dll Has been deleted!
Performing Repairs to the registry.
Done!

First off, sc. You gotta enter the service NAME, and you get that from the services manager, it may or may not be correctly given inside the parentheses in the log entry. There are a few ways to kill services...
- hijackthis under misc tools section.
- sc delete "service name"
[Use control panel, admin services; or Start > run, enter services.msc [or dcomcnfg]; - click Services [local] in the left pane, maximise the window and select Extended tab at foot. Search for the specific service, rclick it and select Properties - you can press the Stop button if it is highlighted. Note the file path if there is one.. and note its Service Name. Close.]

Okay, back to the job. Rerun Vundofix in Safe Mode; if it does not detect and delete the C:\WINDOWS\SYSTEM32\hhmjhhm.dll file and its relations then run it again, but modified so:

Double-click VundoFix.exe to start it. Click the Scan for Vundo button.
*****When the scan completes rclick inside the white text box, lclick the Addmore files? line, paste into the new window these pathnames [one per line]:

C:\WINDOWS\SYSTEM32\hhmjhhm.dll
C:\WINDOWS\SYSTEM32\mhhjmhh.*

Click the Add Files button, and next the Remove Vundo button.******
You will receive a prompt asking if you want to remove the files - click YES.... and so on.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Post the vundo , combofix and a fresh hijackthis log.

Gerbil,

Alas, there is still no joy in Mudville. I have run VundoFix, Combofix, and HJT (logs below) as you prescribed. The hhmjhhm.dll files remain comfortably snuggled in their nest. HJT shows the Winlogon entry with hhmjhhm.dll removed, but the browser O4 entry (as well as the file itself) remain.

The new version of Combofix did highlight the addition of some new things on my system. LaunchU3.exe is associated with a memory stick that I use. Anything installed 8/3/07 16:26 is associated with a games CD. (I've been reinstalling an old Win98 system for my mother-in-law and she had complained that she couldn't get one of her games to work. Since she lives over 80 miles away I decided to install the game package - one of these $10 specials from WalMart - on my computer and help her work through her difficulties over the phone... good grief, nothing is easy anymore!)

HJT shows four new entries:
TSAdBot.exe - file dated to coincide with the game install - since removed
nwprovau.dll - netware client service... part of OS install but should NOT be running
browseui.dll x2 - also part of the OS install but should not be running

I presume these all turned up from the egames install, but except for the first, I can't be sure.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:52:19 AM, on 8/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TimeSink\AdGateway\TSAdBot.exe
C:\packages\VerminTools\JackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - c:\windows\system32\hhmjhhm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSAdBot.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 2478 bytes

Here's the Vundo log:


VundoFix V6.3.6
Checking Java version...
Scan started at 5:23:25 PM 7/27/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.6
Checking Java version...
Scan started at 8:33:46 AM 8/3/2007
Listing files found while scanning....
C:\windows\system32\eqbcgmdu.dll
C:\windows\system32\ikgxtudp.dll
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
Beginning removal...
Attempting to delete C:\windows\system32\eqbcgmdu.dll
C:\windows\system32\eqbcgmdu.dll Has been deleted!
Attempting to delete C:\windows\system32\ikgxtudp.dll
C:\windows\system32\ikgxtudp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Scan started at 10:34:16 AM 8/4/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.6
Checking Java version...
Scan started at 10:42:36 AM 8/4/2007
Listing files found while scanning....
No infected files were found.

Beginning removal...
Attempting to delete c:\windows\system32\hhmjhhm.dll
c:\windows\system32\hhmjhhm.dll Could not be deleted.
Attempting to delete c:\windows\system32\hhmjhhm.dll.bak
c:\windows\system32\hhmjhhm.dll.bak Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete c:\windows\system32\hhmjhhm.dll
c:\windows\system32\hhmjhhm.dll Could not be deleted.
Attempting to delete c:\windows\system32\hhmjhhm.dll.bak
c:\windows\system32\hhmjhhm.dll.bak Could not be deleted.
Performing Repairs to the registry.
Done!

Here's the combofix log:

ComboFix 07-08-04.3 - "John" 2007-08-04 11:03:39.1 [GMT -7:00] - NTFS
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.True
* Created a new restore point
/wow section - STAGE #6I
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\lswmv.ini
C:\Program Files\Common Files\uninstall information

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_EFORGSVU
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_OMCBGXRF
-------\LEGACY_YJN30
-------\eforgsvu
-------\nm
-------\omcbgxrf
-------\RpcApi

((((((((((((((((((((((((( Files Created from 2007-07-04 to 2007-08-04 )))))))))))))))))))))))))))))))

2007-08-04 11:02 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-03 16:27 <DIR> d-------- C:\Program Files\TimeSink
2007-08-03 16:26 29,696 --a------ C:\WINDOWS\SYSTEM32\Addon2VB.dll
2007-08-03 16:26 209,408 --a------ C:\WINDOWS\VcpDLL.dll
2007-08-03 16:26 196,096 --a------ C:\WINDOWS\TSAd.dll
2007-08-03 16:26 <DIR> d-------- C:\eGames
2007-08-03 08:33 <DIR> d-------- C:\VundoFix Backups
2007-08-02 15:42 8,192 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\changer.sys
2007-08-02 15:41 9,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brserif.dll
2007-08-02 15:41 74,240 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camexo20.dll
2007-08-02 15:41 714,698 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cbmdmkxx.sys
2007-08-02 15:41 60,416 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brserwdm.sys
2007-08-02 15:41 49,182 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cem56n5.sys
2007-08-02 15:41 46,108 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cben5.sys
2007-08-02 15:41 39,680 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cb325.sys
2007-08-02 15:41 37,916 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cb102.sys
2007-08-02 15:41 32,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\diapi2NT.dll
2007-08-02 15:41 314,752 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camdro21.sys
2007-08-02 15:41 31,529 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brzwlan.sys
2007-08-02 15:41 27,164 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ce3n5.sys
2007-08-02 15:41 236,032 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camext20.dll
2007-08-02 15:41 223,232 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camdrv21.sys
2007-08-02 15:41 22,044 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cem33n5.sys
2007-08-02 15:41 22,044 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\cem28n5.sys
2007-08-02 15:41 21,530 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ce2n5.sys
2007-08-02 15:41 171,264 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camdrv30.sys
2007-08-02 15:41 164,923 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\diapi2.sys
2007-08-02 15:41 13,824 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bulltlp3.sys
2007-08-02 15:41 119,296 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\camext30.dll
2007-08-02 15:41 11,008 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brusbmdm.sys
2007-08-02 15:41 10,368 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brusbscn.sys
2007-08-02 15:40 96,640 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\b57xp32.sys
2007-08-02 15:40 96,128 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ati.dll
2007-08-02 15:40 9,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brcoinst.dll
2007-08-02 15:40 9,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ativmdcd.sys
2007-08-02 15:40 89,952 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\b1cbase.sys
2007-08-02 15:40 871,388 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bcmdm.sys
2007-08-02 15:40 87,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avmcoxp.dll
2007-08-02 15:40 81,408 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brmfcwia.dll
2007-08-02 15:40 77,568 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ati.sys
2007-08-02 15:40 75,136 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atimpae.sys
2007-08-02 15:40 70,528 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atiragem.sys
2007-08-02 15:40 66,557 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bcm42u.sys
2007-08-02 15:40 54,271 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bcm42xx5.sys
2007-08-02 15:40 5,120 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brscnrsm.dll
2007-08-02 15:40 49,920 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atirtcap.sys
2007-08-02 15:40 46,464 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atibt829.sys
2007-08-02 15:40 41,472 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brmfusb.dll
2007-08-02 15:40 39,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brparwdm.sys
2007-08-02 15:40 382,592 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atidrab.dll
2007-08-02 15:40 38,912 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avc.sys
2007-08-02 15:40 37,568 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avmwan.sys
2007-08-02 15:40 37,376 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atievxx.exe
2007-08-02 15:40 36,992 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aztw2320.sys
2007-08-02 15:40 36,128 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\banshee.sys
2007-08-02 15:40 36,096 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avcaudio.sys
2007-08-02 15:40 342,336 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\banshee.dll
2007-08-02 15:40 32,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brmfrsmg.exe
2007-08-02 15:40 3,968 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brfiltup.sys
2007-08-02 15:40 3,168 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brparimg.sys
2007-08-02 15:40 29,696 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brmflpt.dll
2007-08-02 15:40 289,664 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atimpab.sys
2007-08-02 15:40 281,600 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atimtai.sys
2007-08-02 15:40 268,160 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atidvai.dll
2007-08-02 15:40 26,880 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atirtsnd.sys
2007-08-02 15:40 26,624 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ativxbar.sys
2007-08-02 15:40 26,568 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bcm4e5.sys
2007-08-02 15:40 23,552 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atixbar.sys
2007-08-02 15:40 2,944 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brfilt.sys
2007-08-02 15:40 19,456 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brbidiif.dll
2007-08-02 15:40 19,456 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ativttxx.sys
2007-08-02 15:40 17,152 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atitvsnd.sys
2007-08-02 15:40 17,152 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atitunep.sys
2007-08-02 15:40 15,360 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brmfbidi.dll
2007-08-02 15:40 144,384 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avmenum.dll
2007-08-02 15:40 137,216 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atidrae.dll
2007-08-02 15:40 13,696 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\avcstrm.sys
2007-08-02 15:40 12,800 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brevif.dll
2007-08-02 15:40 12,160 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\brfiltlo.sys
2007-08-02 15:40 104,832 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atiraged.dll
2007-08-02 15:40 102,400 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\binlsvc.dll
2007-08-02 15:40 10,240 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\atipcxxx.sys
2007-08-02 15:39 98,304 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\a3d.dll
2007-08-02 15:39 97,354 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\aspndis3.sys
2007-08-02 15:39 96,256 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ac97intc.sys
2007-08-02 15:39 84,480 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ac97via.sys
2007-08-02 15:39 762,780 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\3cwmcru.sys
2007-08-02 15:39 747,392 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\adm8830.sys
2007-08-02 15:39 7,424 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\adicvls.sys
2007-08-02 15:39 689,216 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\3dfxvs.dll
2007-08-02 15:39 61,440 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\acerscad.dll
2007-08-02 15:39 6,272 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\apmbatt.sys
2007-08-02 15:39 584,448 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\adm8810.sys
2007-08-02 15:39 553,984 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\adm8820.sys
2007-08-02 15:39 48,128 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\61883.sys
2007-08-02 15:39 462,848 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\a3dapi.dll
2007-08-02 15:39 46,112 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\adptsf50.sys
2007-08-02 15:39 38,400 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\8514a.dll
2007-08-02 15:39 36,224 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\an983.sys
2007-08-02 15:39 297,728 --a--c--- C:\WINDOWS\SYSTEM32\DLLCACHE\ac97sis.sys

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-04 08:57 24742 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-27 18:06 1338 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-22 22:05 --------- d-------- C:\Program Files\Sierra On-Line
2007-07-07 18:37 1880 --a------ C:\WINDOWS\AUTOLNCH.REG
2007-06-26 12:58 --------- d-------- C:\Program Files\FSHED (Hex Editor)
2007-06-25 22:53 83 --a------ C:\AUTOEXEC.BAT
2007-06-23 15:17 --------- d-------- C:\DOCUME~1\John\APPLIC~1\WinRAR
2007-06-14 18:05 --------- d-------- C:\Program Files\XoftSpy
2007-06-07 19:04 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-06 08:54 108144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-06-06 08:54 --------- dr-h----- C:\DOCUME~1\John\APPLIC~1\SecuROM
2007-06-05 21:10 --------- d-------- C:\Program Files\Microsoft Visual Studio 8
2007-06-05 21:08 --------- d-------- C:\Program Files\Dell
2007-02-08 11:06 417792 --a------ C:\Program Files\Video.exe
2007-02-08 11:06 417792 --a------ C:\Program Files\Track_03.exe
2007-02-08 11:06 25214 --a------ C:\Program Files\B.ico
2007-02-08 11:06 25214 --a------ C:\Program Files\A.ico
2007-02-08 11:06 218606 --a------ C:\Program Files\c.zip
2007-02-08 11:06 217706 --a------ C:\Program Files\b.zip
2007-02-08 11:06 201627 --a------ C:\Program Files\a.zip
2007-02-05 16:26 393216 --a------ C:\Program Files\Setup.exe
2006-10-10 23:05 84640 --a------ C:\DOCUME~1\John\APPLIC~1\GDIPFONTCACHEV1.DAT

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DFDBBDD6-1441-4715-B1BD-9D5540CCCA30}]
2007-07-27 09:17 76288 --------- c:\windows\system32\hhmjhhm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-06-24 18:32]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" []
"TimeSink Ad Client"="C:\Program Files\TimeSink\AdGateway\TSAdBot.exe" [2007-08-03 16:26]
C:\Documents and Settings\John\Start Menu\Programs\Startup\
DESKTOP.INI [2001-11-14 16:31:16]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-16 20:35:07]
R1 Cdr4_xp;Cdr4_xp;C:\WINDOWS\system32\drivers\Cdr4_xp.sys
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R3 Ich;Ich;C:\WINDOWS\system32\DRIVERS\Ich.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 MxlW2k;MxlW2k;C:\WINDOWS\system32\drivers\MxlW2k.sys
S3 bvrp_pci;bvrp_pci;C:\WINDOWS\system32\drivers\bvrp_pci.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 mdxgthkn;mdxgthkn;\??\C:\DOCUME~1\John\LOCALS~1\Temp\mdxgthkn.sys
S3 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
S3 SQLWriter;SQL Server VSS Writer;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 wlluc48;Wireless LAN PC Card Driver;C:\WINDOWS\system32\DRIVERS\wlluc48.sys
S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
S4 SQLBrowser;SQL Server Browser;"c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\LaunchU3.exe -a

**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-04 11:40:32
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-04 11:42:44 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-04 11:42
C:\ComboFix2.txt ... 2007-07-28 06:51
C:\ComboFix3.txt ... 2007-02-09 19:25
--- E O F ---

Gee, mudville man, Vundofix played up a bit there - two of the files it turned up on 8/3/2007 it did not attempt to delete...
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
.. but then they did not show in the next scan..? It could not cope at all with the last lot you added. Delete your copy of Vundofix and dl a new version please.
I do love the honesty in the naming of your new adware pest.

First step, would you please submit c:\windows\system32\hhmjhhm.dll for a scan at http://virusscan.jotti.org/
-use the browse button or paste the pathname.
We shall see if this tool will handle it.. please download:
Unlocker 1.8.5
==This one is a general purpose deleter, Unlocker 1.8.5: http://filehippo.com/download_unlocker/
It runs from the rclick context menu, and that is cool.
Just in case it does not...
==Download Avenger from http://swandog46.geekstogo.com/avenger.zip
You must be in an Administrator-privileged account to run this procedure...
-unzip it to your desktop.
Update your AVG-AS. Set
CCleaner:
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should aim to keep this one for general use. I set it from the installation checkboxes to only open from the recycle bin. It's neater that way.

Ready? Delete C:\vundofix.txt, then once more into Safe Mode. Use hijackthis to fix the following entries:

O2 - BHO: (no name) - {DFDBBDD6-1441-4715-B1BD-9D5540CCCA30} - c:\windows\system32\hhmjhhm.dll
O4 - HKLM\..\Run: [TimeSink Ad Client] "C:\Program Files\TimeSink\AdGateway\TSAdBot.exe"

__________________________________
Files to delete:
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
c:\windows\system32\hhmjhhm.dll
C:\Program Files\TimeSink\AdGateway\TSAdBot.exe
Folders to delete:
C:\Program Files\TimeSink
__________________________________

First try Unlocker on those four files - if it cannot delete them then start Avenger; select “Input script manually” and then click the magnifying glass icon. Paste into the box as one block ALL the text between the lines above:-
...and click Done, and finally the green light.
Follow promps to reboot your machine.
[The files, etc., that you asked Avenger to delete are zipped to C:\avenger\backup.zip.]
Avenger creates a log file that should open with the results of its actions. This file is located at C:\avenger.txt
=Now run Vundofix again. If it does not detect any files then paste these lines into the Addmore Files text box:

C:\WINDOWS\SYSTEM32\hhmjhhm.dll
C:\WINDOWS\SYSTEM32\mhhjmhh.*

!!Check the Vundofix log for any entries that could not be deleted - if present rerun Vundofix.!!
Make sure to restart in Safe Mode!!
=Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
=AVG:- under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Please post the Avenger, Vundofix AVG logs with a fresh hijackthis scan run in normal mode.

After you try Unlocker you can run Avenger anyway... even if you manage with Unlocker paste the whole block into Avenger...

Bravo! The villians have been vanquished.

Before I close out this thread, I want to ask advice on one last thing. Below that I'll post the results of the latest activities and then a well-deserved compliment.

First, the hhmjhhm.dll files are gone. Thank you. In the HJT log however, there are still three entries I would like to deal with. They are the O10 & O22 entries. They should not be running. I don't want to use HJT to zap them since they use files (nwprovau.dll & browseui.dll) that are part of the normal OS install. If you could recommend a suitable means to deal with these I'd be grateful. (Also there's a QooBox folder still lying around with some quaratined stuff... is it safe to delete that?)

Second, the details.
1) Virusscan turned up 1 hit: AntiVir Found TR/Trash.Gen . It chose not to add this to its database.
2) unlocker did the trick... removed both stubborn hhmjhhm.dll files
3) Ran a fresh VundoFix (log below) and it reported nothing
4) Ran HJT (log below) and, with the exception of the things mentioned above, things are clean.
5) I came back to post the results and saw your latest post asking that I run avenger anyway... so I did (log below). Good thing I did too because it claims to have deleted that TSAdBot.exe file that I had asked HJT to deal with yesterday (incidentally I had also unistalled my mother-in-law's game package yesterday).
6) Life is good.

Experience. What a wonderful thing. It's the one thing that makes getting older valuable. I have enough of it that I rarely ask help or advice from someone else. I've done OS internals work from 1970 into the 90s, including NT, AIX, SunOs, HP-UX, etc.... I've written over a dozen real-time multi-tasking OSs from scratch. I've helped design and build some of the most complex systems known to man, from satellites, stealth bombers, medical lasers, etc.... The point is that all that isn't worth a hill of crap when your 15 year old daughter uses the internet on your laptop.

There is nothing more valuable than the guy with THE experience for the task at hand. I've been reading many of the other threads besides mine and it is clear that you are that guy. I'd like to humbly extend my sincerest thanks... and respect... for a job that I'm sure you found all too easy.

VundoFix log:


VundoFix V6.3.6
Checking Java version...
Scan started at 5:23:25 PM 7/27/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.6
Checking Java version...
Scan started at 8:33:46 AM 8/3/2007
Listing files found while scanning....
C:\windows\system32\eqbcgmdu.dll
C:\windows\system32\ikgxtudp.dll
C:\WINDOWS\system32\laf15.dll
C:\WINDOWS\system32\wvuussr.dll
Beginning removal...
Attempting to delete C:\windows\system32\eqbcgmdu.dll
C:\windows\system32\eqbcgmdu.dll Has been deleted!
Attempting to delete C:\windows\system32\ikgxtudp.dll
C:\windows\system32\ikgxtudp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Scan started at 10:34:16 AM 8/4/2007
Listing files found while scanning....
No infected files were found.

VundoFix V6.5.6
Checking Java version...
Scan started at 10:42:36 AM 8/4/2007
Listing files found while scanning....
No infected files were found.

Beginning removal...
Attempting to delete c:\windows\system32\hhmjhhm.dll
c:\windows\system32\hhmjhhm.dll Could not be deleted.
Attempting to delete c:\windows\system32\hhmjhhm.dll.bak
c:\windows\system32\hhmjhhm.dll.bak Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete c:\windows\system32\hhmjhhm.dll
c:\windows\system32\hhmjhhm.dll Could not be deleted.
Attempting to delete c:\windows\system32\hhmjhhm.dll.bak
c:\windows\system32\hhmjhhm.dll.bak Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Scan started at 9:17:31 AM 8/5/2007
Listing files found while scanning....
No infected files were found.

Avenger log:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\utnwfnxf
*******************
Script file located at: \??\C:\Program Files\cplvfwqt.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at C:\Avenger
*******************
Beginning to process script file:

File C:\WINDOWS\system32\laf15.dll not found!
Deletion of file C:\WINDOWS\system32\laf15.dll failed!
Could not process line:
C:\WINDOWS\system32\laf15.dll
Status: 0xc0000034

File C:\WINDOWS\system32\wvuussr.dll not found!
Deletion of file C:\WINDOWS\system32\wvuussr.dll failed!
Could not process line:
C:\WINDOWS\system32\wvuussr.dll
Status: 0xc0000034

File c:\windows\system32\hhmjhhm.dll not found!
Deletion of file c:\windows\system32\hhmjhhm.dll failed!
Could not process line:
c:\windows\system32\hhmjhhm.dll
Status: 0xc0000034
File C:\Program Files\TimeSink\AdGateway\TSAdBot.exe deleted successfully.
Folder C:\Program Files\TimeSink deleted successfully.
Completed script processing.
*******************
Finished! Terminate.

HJT log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:26:22 AM, on 8/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\packages\VerminTools\JackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\JOHN\Application Data\Mozilla\Profiles\default\sh27cbaj.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 2380 bytes

mudman, I am not sure why your hijackthis picks up those two O22 entries but be assured that they are okay and necessary. In my machine they exist [but are not displayed by HT], meaning they start before windows just as yours do. I can only guess at the reason for their non-appearance in some logs - could it be that I have no browser homepages set?... I don't know. Leave em be. No browseui.dll running, no browser functions.
The O10 entry... it's there because you sometimes connect to a network printer? You can remove it if you wish with LSPFix from Cexx. If you try it... you see that expert box, I know what I'm doing? well, you had better.... if you remove all entries you face repair/installation. If you only have a local printer..ie connected directly to your pc, you don't need it.
Okay, delete vundofix, combofix, qoobox, avenger...and their logs. Most tools are updated regularly to keep pace.
And that looks like it. Cheers.

Gerbil,

Thanks again for all the help. I'll close out the thread.

I'm placated about the O22s, but still very suspicious. The O10 and O22s all showed up right after I installed that stupid game package of my mother-in-law's. I just presumed it gave the damn Ad bot a special link to the outside world. I've been looking at these HJT logs for over a year and have never seen them before. As far as the Netware file goes... well I haven't intentionally used Netware in a connection path in almost 20 years. I have all three network adapters configured so they can use only TCP/IP. (God I hate Windows... I've installed and configured well over a hundred UNIX systems over the years and never has there been any question about what I've had running in a network stack.) ... Well enough whining.

Cheers.