I have a Windows 2003 server box that recently became very infected with several malwares. This box serves primarly as a terminal server so there are always any number of people connected to the server doing work and browsing the internet which is probally how the box got infected. I do my best to keep the box safe but this got through. The worst of the infection was something called Spyware Guard 2008 which Malwarebytes was able to get rid of after I removed a rootkit infection.

Now my problem is an infection called "Trojan.Vundo.H" which both Malwarebytes and SpyBot Search and Destroy is able to detect and remove but each time I reboot the trojan is reinstalled. No matter how many times I run Spybot or Malwarebytes it keeps finding the same trojan, removes it, and needs to reboot to remove the rest of the trojan but every time I reboot the trojan is reinstalled. Below is my malwarebytes log. I will post the Panda Active Log and HiJack This Log as soon as they are complete.

Thank you so much for your help!

---------------------- Malwarebytes Log --------------------------

Malwarebytes' Anti-Malware 1.31
Database version: 1491
Windows 5.2.3790

12/11/2008 5:35:10 PM
mbam-log-2008-12-11 (17-35-10).txt

Scan type: Quick Scan
Objects scanned: 339212
Time elapsed: 31 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 6
Registry Keys Infected: 14
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\awtrPjJC.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efcCvVmM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\vdljmyni.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hgGyyyxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tsjnbptv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ixvknf.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4481fe0e-3b2b-470e-8b81-ffa4b0094f13} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{4481fe0e-3b2b-470e-8b81-ffa4b0094f13} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hggyyyxw (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bff9a884-e9d1-47bd-a309-3f9881ada053} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{bff9a884-e9d1-47bd-a309-3f9881ada053} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\381b2adb (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\awtrpjjc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\awtrpjjc -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\awtrPjJC.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\CJjPrtwa.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGyyyxW.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\ixvknf.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\efcCvVmM.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\MmVvCcfe.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MmVvCcfe.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdljmyni.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\inymjldv.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tsjnbptv.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\kmrhbieu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rjpjqrwd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wccsoido.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ytzhlx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kendra.Doss.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\CZFVJO5Z\kb600179[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kendra.Doss.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\DO7PTTQ8\CA3E29ZF (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kendra.Doss.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\MZWJLS2O\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Kendra.Doss.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\TEHC32J2\CAEJCLMJ (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gary.Doss\Local Settings\Temporary Internet Files\Content.IE5\2T867SZZ\CATKML97 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evan.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\058SBX8J\CAC905KB (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evan.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\10KW6YYF\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evan.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\5C0H0C45\CAPSSBDX (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Evan.MATRIX\Local Settings\Temporary Internet Files\Content.IE5\5RT2EXKL\CA94MLX7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator.ARCHITECT\Local Settings\Temporary Internet Files\Content.IE5\OXIFSHA7\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

Turns out I can't do a Panda scan becuase its not compatiable with Server 2003.

Here is my HijackThis log.

--------------------- HijackThis log --------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:11:44 PM, on 12/11/2008
Platform: Windows 2003 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)
Boot mode: Normal

Running processes:
L:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.home.markeight.com/
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,pmonitor.exe,
O2 - BHO: (no name) - {4481FE0E-3B2B-470E-8B81-FFA4B0094F13} - C:\WINDOWS\system32\awtrPjJC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgGyyyxW.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [CTFMon] C:\WINDOWS\system32\CTF\ctfmon.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [381b2adb] rundll32.exe "C:\WINDOWS\system32\lheinacw.dll",b
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware2\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [GoToMeeting] C:\Program Files\Citrix\GoToMeeting\320\g2mstart.exe "/Trigger RunAtLogon"
O4 - HKUS\S-1-5-18\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - L:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - L:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Broken Internet access because of LSP provider 'l:\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4A3CBDDD-C4DC-4C38-B44F-704DAEF628AE} (PjAdoInfo3 Class) - http://www.markeight.com/projectserver/objects/pjclient.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/CSCMV5X.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189185191246
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189185186463
O16 - DPF: {AF9A1421-E128-4D5F-A37E-039F305867B9} (Pj11enuC Class) - http://www.markeight.com/projectserver/obj...033/pjcintl.cab
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} (ExecuteAgent2p Class) - http://hprssclient.frontrange.com/ENUclientPro.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://dell.webex.com/client/T25L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = matrix.local
O17 - HKLM\Software\..\Telephony: DomainName = matrix.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{74F9D2F1-C92A-4E22-9204-2BCE1A182F40}: NameServer = 192.168.1.121
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = matrix.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{74F9D2F1-C92A-4E22-9204-2BCE1A182F40}: NameServer = 192.168.1.121
O20 - Winlogon Notify: hgGyyyxW - hgGyyyxW.dll (file missing)
O20 - Winlogon Notify: sd3notify - sd3notify.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe

--
End of file - 8694 bytes