EXTREMELY Tough Virus

Status
Not open for further replies.

croSSeduP (In Runtime, 147 messages, Washington State)
Please see this post for more history/info on this problem:
http://www.techist.com/forums/f51/freerealms-com-dont-go-there-252411/
Posted here are two of my logs. First, HijackThis. Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:20:53 PM, on 12/26/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\WINDOWS\system32\wpabaln.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\The Gaulke's\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll (file missing)
O4 - HKLM\..\Run: [NMSVC] C:\Program Files\CE\CovenantEyes.exe
O4 - HKLM\..\Run: [SwitchBoard] C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Live Update 5] C:\Program Files\MSI\Live Update 5\LU5.exe /reminder
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe /launchGaming
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AdobeCS5.5ServiceManager] "C:\Program Files\Common Files\Adobe\CS5.5ServiceManager\CS5.5ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nmnsp.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O10 - Unknown file in Winsock LSP: cespy.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LogMeIn Hamachi Tunneling Engine (Hamachi2Svc) - LogMeIn Inc. - C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

--
End of file - 6008 bytes

And Combofix log:

ComboFix 11-12-24.10 - The Gaulke's 12/25/2011 15:06:17.2.3 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1477 [GMT -8:00]
Running from: c:\documents and settings\The Gaulke's\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\1.tmp
c:\windows\system32\2.tmp
c:\windows\system32\4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-11-25 to 2011-12-25 )))))))))))))))))))))))))))))))
.
.
2011-12-25 22:24 . 2011-05-12 22:05 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Temp
2011-12-25 21:05 . 2011-12-25 21:05 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2011-12-24 03:59 . 2011-12-24 04:04 -------- d-----w- C:\4de3ea01af33b4a40e40d9da028f
2011-12-11 22:55 . 2011-12-11 22:55 -------- d-----w- c:\program files\Bonjour
2011-12-05 03:39 . 2011-12-05 03:39 -------- d-----w- c:\program files\AMD APP
2011-12-05 03:39 . 2010-11-29 12:50 35712 ----a-w- c:\windows\system32\drivers\usbfilter.sys
2011-12-05 03:39 . 2011-12-05 03:39 -------- d-----w- c:\program files\ATI
2011-12-05 03:39 . 2011-12-05 03:39 -------- d-----w- c:\program files\ATI Technologies
2011-12-05 03:15 . 2006-12-02 08:25 1093120 ----a-w- c:\documents and settings\The Gaulke's\mfc80u.dll
2011-12-05 03:14 . 2011-10-04 21:43 -------- d-----w- c:\documents and settings\The Gaulke's\Packages
2011-12-05 03:14 . 2011-10-04 21:42 -------- d-----w- c:\documents and settings\The Gaulke's\Images
2011-12-05 03:14 . 2011-10-04 21:42 -------- d-----w- c:\documents and settings\The Gaulke's\Config
2011-12-05 03:14 . 2011-10-04 21:42 -------- d-----w- c:\documents and settings\The Gaulke's\Bin
2011-12-05 03:14 . 2011-07-29 02:23 498304 ----a-w- c:\documents and settings\The Gaulke's\Setup.exe
2011-12-05 03:14 . 2006-12-02 06:54 548864 ----a-w- c:\documents and settings\The Gaulke's\msvcp80.dll
2011-12-05 03:14 . 2006-12-02 06:54 626688 ----a-w- c:\documents and settings\The Gaulke's\msvcr80.dll
2011-11-28 22:59 . 2011-11-28 22:59 -------- d-----w- c:\documents and settings\The Gaulke's\Application Data\Stykz Help
2011-11-28 22:13 . 2011-12-08 00:41 -------- d-----w- c:\documents and settings\The Gaulke's\Local Settings\Application Data\._LiveCode_
2011-11-28 22:12 . 2011-12-24 07:17 -------- d-----w- c:\documents and settings\The Gaulke's\Application Data\Stykz
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-23 13:25 . 2008-04-14 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-20 08:58 . 2011-05-18 21:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-10 13:54 . 2011-02-06 23:05 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-11-10 11:27 . 2011-02-06 23:05 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-11-08 01:41 . 2011-11-08 01:41 3985776 ----a-w- c:\program files\LiveUpdate.exe
2011-11-01 20:35 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-11-01 20:35 . 2008-04-14 12:00 667136 ----a-w- c:\windows\system32\wininet.dll
2011-11-01 20:35 . 2008-04-14 12:00 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-11-01 16:07 . 2008-04-14 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-11-01 15:02 . 2008-04-14 12:00 369664 ----a-w- c:\windows\system32\html.iec
2011-10-28 05:31 . 2008-04-14 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37 . 2008-04-14 12:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2008-04-14 00:01 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 22:29 . 2011-10-24 22:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 22:29 . 2011-10-24 22:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-18 11:13 . 2008-04-14 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2011-01-06 21:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-10-08 04:50 . 2011-03-08 10:15 54272 ----a-w- c:\windows\system32\nvwddi.dll
2011-10-08 04:50 . 2011-03-08 10:15 298304 ----a-w- c:\windows\system32\nvsvc32.exe
2011-10-08 04:50 . 2011-03-08 10:15 220992 ----a-w- c:\windows\system32\nvcolor.exe
2011-10-08 04:50 . 2011-03-08 10:15 203072 ----a-w- c:\windows\system32\nvmctray.dll
2011-10-08 04:50 . 2011-03-08 10:15 16744256 ----a-w- c:\windows\system32\nvcpl.dll
2011-10-08 04:50 . 2011-03-08 10:15 602432 ----a-w- c:\windows\system32\easyUpdatusAPIU.dll
2011-10-08 04:50 . 2011-01-15 02:18 919872 ----a-w- c:\windows\system32\nvdispco32.dll
2011-10-08 04:50 . 2011-01-15 02:18 877376 ----a-w- c:\windows\system32\nvgenco32.dll
2011-10-08 04:50 . 2011-01-15 02:18 5595136 ----a-w- c:\windows\system32\nvcuda.dll
2011-10-08 04:50 . 2011-01-15 02:18 4226688 ----a-w- c:\windows\system32\nv4_disp.dll
2011-10-08 04:50 . 2011-01-15 02:18 2449408 ----a-w- c:\windows\system32\nvapi.dll
2011-10-08 04:50 . 2011-01-15 02:18 2398016 ----a-w- c:\windows\system32\nvcuvid.dll
2011-10-08 04:50 . 2011-01-15 02:18 2099520 ----a-w- c:\windows\system32\nvcuvenc.dll
2011-10-08 04:50 . 2011-01-15 02:18 17956864 ----a-w- c:\windows\system32\nvoglnt.dll
2011-10-08 04:50 . 2011-01-15 02:18 17240064 ----a-w- c:\windows\system32\nvcompiler.dll
2011-10-08 04:50 . 2011-01-15 02:18 12791488 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2011-09-28 07:06 . 2008-04-14 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-08 05:15 . 2011-07-08 05:15 38808920 ----a-w- c:\program files\FileFormatConverters.exe
2011-06-18 21:45 . 2011-06-18 21:45 672173 ----a-w- c:\program files\Minecraft_Server.exe
2011-06-12 20:22 . 2011-06-12 20:22 270142 ----a-w- c:\program files\Minecraft.exe
2011-03-28 00:15 . 2011-03-28 00:15 2087424 ----a-w- c:\program files\QuakeLiveNP_433.msi
2011-03-28 00:08 . 2011-03-28 00:08 11627760 ----a-w- c:\program files\InstallWizard101.exe
2011-01-10 00:39 . 2010-12-23 21:22 52736 ----a-w- c:\program files\BlueScreenView.exe
2008-09-24 16:58 . 2008-09-24 16:58 419080 ------r- c:\program files\EASetup.exe
2008-09-24 16:58 . 2008-09-24 16:58 419080 ------r- c:\program files\AutoRun.exe
2011-11-11 00:21 . 2011-04-30 06:42 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-12-25_18.57.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-12-25 22:56 . 2011-12-25 22:56 16384 c:\windows\temp\Perflib_Perfdata_750.dat
+ 2008-04-14 12:00 . 2011-12-25 23:00 67952 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2011-12-25 18:51 67952 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2011-12-25 23:00 432996 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2011-12-25 18:51 432996 c:\windows\system32\perfh009.dat
+ 2011-12-25 22:19 . 2011-12-25 22:19 262144 c:\windows\system32\config\systemprofile\NtUser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
 
Well, you posted right around the holidays. You have to remember we are volunteers and have a life outside of the site. I had family in from all over the country and couldn't stop life just to get on the PC. Sorry you had to spend money, but life happens.
 
Not a problem; I get it! However, the virus, or whatever the h--- it is, is not fixed. Still there, so I will try your suggestion before taking the machines back.

EDIT: Tried the LSPFix; didn't work. Problem still exists. Machines going back in the shop tomorrow.
 