Vundo - impossible to kill ?

Hello everyone

I've got a good one on my PC.

It is a particularly nasty variant of Vundo.

geeda.dll
jkkli.dll
ursqrpq.dll
pmkhg.dll

and a couple of others seem to spawn from the infection.

jkkli.dll attaches to lsass.exe and captures rundll32.exe to reload upon reboot.

I've killed references to all of the above with HiJackThis, got Stinger running now and have been able to pause lsass.exe with marginal success using Process Explorer.

As soon as I kill or freeze lsass.exe and kill the rundll32 and the threads to the offending dll's the machine locks solid requiring a power off (expected).

Upon reboot, I'm getting DCOM Service Processor Lancher problems. It appears to be trying to load, but it gets about half way and times out.

Thus, COM+ problems. Nothing viewable in Network Connection properties box, IE7 starts and immediately aborts, various .msc app's are partially crippled or non-working.

Can't view any network protocol properties, the adapter properties or any DNS info. Since lsass.exe won't properly authenticate.

Spybot first caught the infection as Virtumonde. Symantec's removal tool (laughable) doesn't even recognize the infection. That, plus it is outdated three or four years.

Files that were infected/affected (and others) :

hkcmd.exe
msconfig.exe
tfswctrl.exe (Intel)
igfxtray.exe (Intel)

As a result, I'm seeing several symptomatic Event ID errors :

15
1015
1053
1054
4689
7023
10005
40960
40961


Seems like just when I get it contained and killed, it comes back even stronger.

I tried unregistering the .dll's referenced, but that seems to have just wasted my regsrv. Now I'm getting errors ' *.dll loaded but the dll register server entry point not found'

Can someone help a brother out here ?

This is making me crazy.

Thanks

45