Resolved HJT Threads Resolved spyware and popup issues.

 
 
12-23-2007, 04:32 PM   #1
Registered User
Join Date: Dec 2007
Posts: 20
OS: Windows XP

I think I'm killing my computer!!!

Help!

My computer has been acting strangely for months now. It crashes at least a half dozen times a day. Just a sudden crash and restart with no warning.

Yesterday I started the computer and went to check my email in Outlook Express, but my mailbox was missing. In my quest to recover my lost email data, I made things immeasurably worse. One of the apps I downloaded to recover the data must have loaded a virus on my system.

I started getting many warnings from PC-Cillin that my computer was trying to access an unsafe website. The warnings were coming so fast that I could hardly read the info on them. Before I could read the first one, about ten more were layered on top. I finally got the warnings to stop popping up, ran a scan for spyware and viruses and found nothing. During the scan, though, I got a message that my system was at risk and that I should download something called Ultimate Defender 2007 and Ultimate Cleaner. Looked like an official Microsoft Windows security alert. Don't think it was, though. Tried to close it, but I think it loaded stuff on my computer anyway.

Anyway, to make a long story short... After much fumbling around and trial and error (mostly error, I'm afraid) I found your forum and would greatly appreciate your help. I think my computer is very sick.

I completed the five steps you've asked people to do before posting. Wasn't easy because the computer was incredibly sluggish and kept crashing. Everything went fine except the last step. When I ran DSS.exe the first time, it worked as you described. There were 2 files generated--one maximized, one minimized. As I was copying the contents of the maximized file, the computer crashed. After restarting and running DSS.exe again, the program only generated the maximized file. No extra.txt.

Here's my info. Hope you can help.

Data generated by Panda's Activescan:


Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\Program Files\Idagchom\karhvtiv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnomki.dll
Adware:Adware/CWS.Searchmeup Not disinfected C:\!KillBox\serial.exe
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\All Users\Application Data\dyzwxezg.dll
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[server.iad.liveperson.net/hc/19452074]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Rob\Application Data\Mozilla\Firefox\Profiles\71rrij7z.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Rob\Cookies\rob@doubleclick[1].txt
Possible Virus. Not disinfected C:\Documents and Settings\Rob\Local Settings\Temp\TMP101.tmp
Possible Virus. Not disinfected C:\Program Files\SecCenter\scprot4 .exe
Adware:Adware/UltimateDefender Not disinfected C:\WINDOWS\PerfInfo\Sb4sm5UPraud.exe
Adware:Adware/UltimateFixer Not disinfected C:\WINDOWS\system32\njprckha\njprckha1.exe
Adware:Adware/UltimateFixer Not disinfected C:\WINDOWS\system32\njprckha\njprckha2.exe
Potentially unwanted tool:Application/UltimateCleaner Not disinfected C:\WINDOWS\system32\njprckha\njprckha3.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/CWS.Searchmeup Not disinfected C:\WINDOWS\system32\winwim32.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxyyyxv.dll

Now here's what I got from running DSS.exe:

Deckard's System Scanner v20071014.68
Run by Rob on 2007-12-23 23:10:34
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:32 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Microsoft IntelliType Pro\itype .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft IntelliPoint\ipoint .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
C:\Program Files\Logitech\QuickCam\Quickcam .exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Rob\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rob.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Machine Support Dll - {6B925150-4E3E-4EC7-B642-57392A9394C1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {76F262CF-0308-0FB4-F7A3-043266F3A47C} - C:\Program Files\Idagchom\karhvtiv.dll
O2 - BHO: (no name) - {82AC7177-191A-4A9E-9077-AC14CF57EB43} - C:\WINDOWS\system32\ssqpm.dll
O2 - BHO: (no name) - {DB0B918E-A0A8-482B-8D75-A682816B0C7B} - C:\WINDOWS\system32\nnnomki.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [nwpkngni] rundll32.exe "C:\Program Files\nwpkngni\dapabclc.dll",Init
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Sb4sm5UPra] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: VOIP321.lnk = C:\Program Files\Philips\VOIP321\VOIP321.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {48989C74-D5FC-4F17-BA40-3D825C716836} (clMultiDownLoader Control) - http://mgn.musicgiants.com/cab/mgndownloader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125917775265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nnnomki - C:\WINDOWS\SYSTEM32\nnnomki.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8879 bytes

-- Files created between 2007-11-23 and 2007-12-23 -----------------------------

2007-12-23 19:54:07 0 d-------- C:\ie-spyad_zo
2007-12-23 19:35:45 0 d-------- C:\Program Files\SpywareBlaster
2007-12-23 16:30:38 8576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-23 16:18:36 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-23 15:50:33 0 d-------- C:\WINDOWS\ppqvmpqr
2007-12-23 15:50:33 0 d-------- C:\WINDOWS\PerfInfo
2007-12-23 15:50:26 208896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-23 14:56:03 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2007-12-23 14:56:02 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-23 14:56:02 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-12-23 14:56:00 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-12-23 14:55:59 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-12-23 11:11:00 0 dr-h----- C:\Documents and Settings\Rob\Recent
2007-12-22 17:26:20 326656 --a------ C:\WINDOWS\system32\ssqpm.exe
2007-12-22 17:25:57 31238 --ahs---- C:\WINDOWS\system32\mpqss.ini2
2007-12-22 17:25:53 323072 --a------ C:\WINDOWS\system32\ssqpm.dll
2007-12-22 17:25:00 0 d-------- C:\Program Files\IObit
2007-12-22 17:21:49 0 d-------- C:\WINDOWS\system32\njprckha
2007-12-22 17:21:46 0 d-------- C:\Program Files\SecCenter
2007-12-22 17:21:44 110592 --a------ C:\Documents and Settings\All Users\Application Data\dyzwxezg.dll
2007-12-22 17:21:40 0 d-------- C:\Program Files\Idagchom
2007-12-22 17:21:22 38912 --a------ C:\WINDOWS\system32\xxyyyxv.dll
2007-12-22 17:21:16 0 d-------- C:\Program Files\nwpkngni
2007-12-22 17:20:47 23040 --a------ C:\WINDOWS\system32\winwim32.dll
2007-12-22 17:20:34 40448 --a------ C:\WINDOWS\system32\nnnomki.dll
2007-12-19 22:09:30 0 d-------- C:\Program Files\QuickTime
2007-12-15 16:54:09 0 d-------- C:\Program Files\Philips
2007-12-09 16:41:32 0 d-------- C:\Program Files\Realtek AC97
2007-12-07 11:25:40 0 d-------- C:\Documents and Settings\Rob\Application Data\Snapfish
2007-12-05 11:03:08 0 d-------- C:\Program Files\Realtek Sound Manager
2007-12-04 13:36:36 0 d-------- C:\Program Files\Skype
2007-12-04 13:36:32 0 d-------- C:\Program Files\Common Files\Skype
2007-12-03 20:58:26 0 d-------- C:\Program Files\VS Revo Group


-- Find3M Report ---------------------------------------------------------------

2007-12-23 23:02:42 0 d-------- C:\Program Files\iTunes
2007-12-23 23:02:39 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-12-23 23:02:35 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-12-23 22:44:37 0 d-------- C:\Documents and Settings\Rob\Application Data\Skype
2007-12-23 22:36:21 0 d-------- C:\Documents and Settings\Rob\Application Data\skypePM
2007-12-23 17:08:44 0 d-------- C:\Program Files\JetAudio
2007-12-23 14:57:01 0 d-------- C:\Program Files\Messenger
2007-12-23 12:08:10 0 d-------- C:\Program Files\Trend Micro
2007-12-22 16:24:31 0 d-------- C:\Program Files\Mozilla Thunderbird
2007-12-21 16:37:57 59882 --a------ C:\Documents and Settings\Rob\Application Data\wklnhst.dat
2007-12-19 23:23:51 0 d-------- C:\Program Files\HT Audio
2007-12-09 21:30:54 0 d-------- C:\Documents and Settings\Rob\Application Data\dvdcss
2007-12-09 19:30:26 0 d-------- C:\Program Files\SopCast
2007-12-09 19:19:41 0 d-------- C:\Documents and Settings\Rob\Application Data\SopCast
2007-12-09 18:46:57 0 d-------- C:\Program Files\AvRack
2007-12-07 11:25:37 5928 --a------ C:\WINDOWS\mozver.dat
2007-12-04 13:36:32 0 d-a------ C:\Program Files\Common Files
2007-11-22 20:09:49 0 d-------- C:\Program Files\Common Files\LogiShrd
2007-11-22 20:03:50 0 d-------- C:\Program Files\Common Files\Logitech
2007-11-22 20:00:16 0 d-------- C:\Program Files\Logitech
2007-11-06 22:21:51 0 d-------- C:\Program Files\iPod
2007-10-31 19:54:46 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B925150-4E3E-4EC7-B642-57392A9394C1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{76F262CF-0308-0FB4-F7A3-043266F3A47C}]
12/22/2007 05:21 PM 110592 --a------ C:\Program Files\Idagchom\karhvtiv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82AC7177-191A-4A9E-9077-AC14CF57EB43}]
12/22/2007 05:25 PM 323072 --a------ C:\WINDOWS\system32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DB0B918E-A0A8-482B-8D75-A682816B0C7B}]
12/22/2007 05:20 PM 40448 --a------ C:\WINDOWS\system32\nnnomki.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [12/23/2007 11:02 PM]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [12/23/2007 10:30 PM]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [12/23/2007 10:30 PM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [12/23/2007 11:02 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/23/2007 10:30 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [12/23/2007 10:30 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [12/23/2007 10:30 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [12/23/2007 11:02 PM]
"nwpkngni"="C:\Program Files\nwpkngni\dapabclc.dll" [12/22/2007 05:21 PM]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [04/12/2007 10:58 AM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 12:00 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

C:\Documents and Settings\Rob\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [7/17/2003 12:37:26 AM]
VOIP321.lnk - C:\Program Files\Philips\VOIP321\VOIP321.exe [5/3/2007 3:52:18 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [3/1/2007 1:57:59 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 6:01:04 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"Sb4sm5UPra"=rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DB0B918E-A0A8-482B-8D75-A682816B0C7B}"= C:\WINDOWS\system32\nnnomki.dll [12/22/2007 05:20 PM 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnomki]
nnnomki.dll 12/22/2007 05:20 PM 40448 C:\WINDOWS\system32\nnnomki.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpm




-- End of Deckard's System Scanner: finished at 2007-12-23 23:12:49 ------------

Sorry about the timing. Have a very happy Christmas. Looking forward to hearing from you.

Rob
StivVid
12-24-2007, 02:11 AM   #2
Registered User
Join Date: Dec 2007
Posts: 20
OS: Windows XP

Re: I think I'm killing my computer!!!

Forgot to mention that all the icons, start menu, etc. started flashing off and on. After a restart, there was nothing on the desktop at all--just the wallpaper. Had to use Ctrl+Alt+Del to open Task Manager to access programs.
StivVid
12-25-2007, 03:27 PM   #3
sUBs
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 21,354
OS: XP


Re: I think I'm killing my computer!!!

www.bleepingcomputer.com
www.forospyware.com
www.geekstogo.com

1. Please choose from any of the above links. Download the file & Save it to Desktop.

2. Double click on ComboFix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh HijackThis log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
12-25-2007, 05:30 PM   #4
Registered User
Join Date: Dec 2007
Posts: 20
OS: Windows XP

Re: I think I'm killing my computer!!!

Hey, sUBs. Thanks for getting to me so quickly. Here's the info you asked for:

ComboFix scan...

ComboFix 07-12-26.3 - Rob 2007-12-25 23:38:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT 0:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\dyzwxezg.dll
C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Idagchom
C:\Program Files\Idagchom\karhvtiv.dll
C:\Program Files\inetget2
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\nwpkngni
C:\Program Files\nwpkngni\dapabclc.dll
C:\Program Files\QuickTime\QTTask .exe
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4 .exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\winpop
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\Sb4sm5UPrauc.exe
C:\WINDOWS\PerfInfo\Sb4sm5UPraud.exe
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\mpqss.ini2
C:\WINDOWS\system32\njprckha
C:\WINDOWS\system32\njprckha\bg1.gif
C:\WINDOWS\system32\njprckha\bgtop.gif
C:\WINDOWS\system32\njprckha\bottom1.gif
C:\WINDOWS\system32\njprckha\essentials.gif
C:\WINDOWS\system32\njprckha\icon1.ico
C:\WINDOWS\system32\njprckha\install1.gif
C:\WINDOWS\system32\njprckha\left1.gif
C:\WINDOWS\system32\njprckha\li.gif
C:\WINDOWS\system32\njprckha\logo.gif
C:\WINDOWS\system32\njprckha\main.htm
C:\WINDOWS\system32\njprckha\mainframe.htm
C:\WINDOWS\system32\njprckha\njprckha1.exe
C:\WINDOWS\system32\njprckha\njprckha2.exe
C:\WINDOWS\system32\njprckha\njprckha3.exe
C:\WINDOWS\system32\njprckha\reinstall1.gif
C:\WINDOWS\system32\njprckha\right1.gif
C:\WINDOWS\system32\njprckha\s1.htm
C:\WINDOWS\system32\njprckha\s2.htm
C:\WINDOWS\system32\njprckha\s3.htm
C:\WINDOWS\system32\njprckha\SMTop1.gif
C:\WINDOWS\system32\njprckha\SMTop2.gif
C:\WINDOWS\system32\njprckha\SMTop3.gif
C:\WINDOWS\system32\njprckha\SMTop4.gif
C:\WINDOWS\system32\njprckha\soft1_off.gif
C:\WINDOWS\system32\njprckha\soft1_off_ext.gif
C:\WINDOWS\system32\njprckha\soft1_on.gif
C:\WINDOWS\system32\njprckha\soft1_on_ext.gif
C:\WINDOWS\system32\njprckha\soft2_off.gif
C:\WINDOWS\system32\njprckha\soft2_off_ext.gif
C:\WINDOWS\system32\njprckha\soft2_on.gif
C:\WINDOWS\system32\njprckha\soft2_on_ext.gif
C:\WINDOWS\system32\njprckha\soft3_off.gif
C:\WINDOWS\system32\njprckha\soft3_off_ext.gif
C:\WINDOWS\system32\njprckha\soft3_on.gif
C:\WINDOWS\system32\njprckha\soft3_on_ext.gif
C:\WINDOWS\system32\njprckha\softbottom_off.gif
C:\WINDOWS\system32\njprckha\softbottom_on.gif
C:\WINDOWS\system32\njprckha\softleft_off.gif
C:\WINDOWS\system32\njprckha\softleft_on.gif
C:\WINDOWS\system32\njprckha\top1.gif
C:\WINDOWS\system32\njprckha\top2.gif
C:\WINDOWS\system32\njprckha\turnoff1.gif
C:\WINDOWS\system32\njprckha\turnon1.gif
C:\WINDOWS\system32\nnnomki.dll
C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqpm.exe
C:\WINDOWS\system32\xxyyyxv.dll
C:\WINDOWS\wr.txt

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-25 23:26 . 2007-12-25 23:26 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2007-12-23 20:32 . 2007-12-23 20:32 <DIR> d-------- C:\Deckard
2007-12-23 19:54 . 2007-12-23 19:54 <DIR> d-------- C:\ie-spyad_zo
2007-12-23 19:35 . 2007-12-23 20:18 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-23 19:35 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-23 16:30 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\RkPavProc.sys
2007-12-23 16:18 . 2007-12-23 17:41 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-23 16:18 . 2007-12-23 16:18 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-23 16:18 . 2007-12-23 16:18 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-23 16:18 . 2007-12-23 16:18 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-23 15:50 . 2007-12-23 15:50 <DIR> d-------- C:\WINDOWS\ppqvmpqr
2007-12-23 15:50 . 2007-12-23 15:50 208,896 --a------ C:\WINDOWS\system32\ndaTqsVqrX.dll
2007-12-23 14:56 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-23 14:56 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-23 14:56 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-23 14:56 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-23 14:55 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-23 12:09 . 2007-09-17 14:31 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-12-23 12:09 . 2007-04-12 10:58 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-12-23 12:09 . 2007-09-17 14:40 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-12-23 12:09 . 2007-04-12 10:58 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-12-23 12:09 . 2007-04-12 10:58 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-12-23 12:09 . 2007-09-17 14:40 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-12-23 11:33 . 2007-12-23 11:33 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2007-12-22 17:25 . 2007-12-22 17:25 <DIR> d-------- C:\Program Files\IObit
2007-12-22 17:20 . 2007-12-22 17:20 23,040 --a------ C:\WINDOWS\system32\winwim32.dll
2007-12-19 22:43 . 2007-12-25 23:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-19 22:43 . 2007-12-19 22:43 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-19 22:09 . 2007-12-27 00:04 <DIR> d-------- C:\Program Files\QuickTime
2007-12-15 16:54 . 2007-12-15 16:54 <DIR> d-------- C:\Program Files\Philips
2007-12-11 10:57 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-11 10:57 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-09 18:46 . 2001-07-06 00:19 164 --a------ C:\WINDOWS\avrack.ini
2007-12-09 16:41 . 2007-12-09 16:41 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-07 11:25 . 2007-12-07 11:25 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Snapfish
2007-12-05 11:03 . 2007-12-05 11:03 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2007-12-04 13:36 . 2007-12-04 13:36 <DIR> d-------- C:\Program Files\Skype
2007-12-04 13:36 . 2007-12-04 13:36 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-12-03 20:58 . 2007-12-03 20:58 <DIR> d-------- C:\Program Files\VS Revo Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-27 00:18 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-12-27 00:18 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2007-12-27 00:04 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-12-27 00:04 --------- d-----w C:\Program Files\iTunes
2007-12-27 00:03 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2007-12-25 23:09 --------- d-----w C:\Documents and Settings\Rob\Application Data\Skype
2007-12-23 22:36 --------- d-----w C:\Documents and Settings\Rob\Application Data\skypePM
2007-12-23 17:08 --------- d-----w C:\Program Files\JetAudio
2007-12-23 12:08 --------- d-----w C:\Program Files\Trend Micro
2007-12-23 12:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trend Micro
2007-12-22 16:24 --------- d-----w C:\Program Files\Mozilla Thunderbird
2007-12-21 16:37 59,882 ----a-w C:\Documents and Settings\Rob\Application Data\wklnhst.dat
2007-12-19 23:23 --------- d-----w C:\Program Files\HT Audio
2007-12-09 21:30 --------- d-----w C:\Documents and Settings\Rob\Application Data\dvdcss
2007-12-09 19:30 --------- d-----w C:\Program Files\SopCast
2007-12-09 19:19 --------- d-----w C:\Documents and Settings\Rob\Application Data\SopCast
2007-12-09 18:46 --------- d-----w C:\Program Files\AvRack
2007-12-04 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2007-11-22 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2007-11-22 20:09 --------- d-----w C:\Program Files\Common Files\LogiShrd
2007-11-22 20:03 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-22 20:00 --------- d-----w C:\Program Files\Logitech
2007-11-22 19:47 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-06 22:21 --------- d-----w C:\Program Files\iPod
2007-08-03 09:17 81,920 ----a-w C:\Documents and Settings\Rob\Application Data\ezpinst.exe
2007-08-03 09:17 47,360 ----a-w C:\Documents and Settings\Rob\Application Data\pcouffin.sys
2006-04-29 21:53 60,256 ----a-w C:\Documents and Settings\Rob\Application Data\GDIPFONTCACHEV1.DAT
2006-01-17 13:44 266 ---h--w C:\Program Files\desktop.ini
2006-01-17 13:44 11,079 -c-h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 09:17]

C:\Documents and Settings\Rob\Start Menu\Programs\Startup\
HotSync Manager.lnk - C:\Program Files\Palm\HOTSYNC.EXE [2003-07-17 00:37:26]
VOIP321.lnk - C:\Program Files\Philips\VOIP321\VOIP321.exe [2007-05-03 15:52:18]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [2007-03-01 01:57:59]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 06:01:04]

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys [2005-11-16 16:42]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 03:22]
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys [2004-08-04 04:10]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\Rob\LOCALS~1\Temp\cdiskdun.sys []
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys [2004-08-04 04:10]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-22 09:59:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 00:19:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-27 0:21:21 - machine was rebooted
.
2007-12-11 23:27:25 --- E O F ---


Hijack This scan...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:23 AM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.eircom.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Sb4sm5UPra] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: VOIP321.lnk = C:\Program Files\Philips\VOIP321\VOIP321.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\npjpi150_11.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {48989C74-D5FC-4F17-BA40-3D825C716836} (clMultiDownLoader Control) - http://mgn.musicgiants.com/cab/mgndownloader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1125917775265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15029/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 6614 bytes
Old 12-26-2007, 02:39 AM   #5
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005 | Posts: 21,354 | OS: XP

Re: I think I'm killing my computer!!!

Quite a few of your legit files have got infected. Please carry out the instructions from this page :> click here
Old 12-26-2007, 10:05 AM   #6
StivVid - Registered User
Join Date: Dec 2007 | Posts: 20 | OS: Windows XP


Re: I think I'm killing my computer!!!

Ok. Here's the next step done.
Attached file: Log.txt (1.5 KB)
Old 12-26-2007, 10:07 AM   #7
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005 | Posts: 21,354 | OS: XP

Re: I think I'm killing my computer!!!

All of those files got renamed by the infection. It added an extra space into the filename.

Example:

Original Name: "Reader_sl.exe"
Name modified by the infection: "Reader_sl .exe"

Please download this tool :> http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Place the tool next to Log.txt




Referring to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a log for you. Post that log in your next reply.
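As an added illustration of the renaming described in the post above (this is not the RenV tool and not code from the thread), here is a small Python script that does the same triage on a directory tree: it finds file names with a stray space just before the extension and puts them back. The directory layout and file names it creates are constructed for the demo, and it assumes, as the post says, that the only change to each name was the inserted space.

```python
import os
import re
import shutil
import tempfile

# A file name whose base name is followed by one or more spaces and then the
# extension, e.g. "Reader_sl .exe". The base must end in a non-space so the
# cleaned name becomes "Reader_sl.exe" rather than "Reader_sl .exe" again.
SPACED_EXT = re.compile(r"^(?P<base>.*\S) +(?P<ext>\.[A-Za-z0-9]+)$")


def find_spaced_names(root):
    """Walk root and return sorted (path, cleaned_name) pairs for every file
    whose name carries a space immediately before its extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = SPACED_EXT.match(name)
            if m:
                hits.append((os.path.join(dirpath, name),
                             m.group("base") + m.group("ext")))
    return sorted(hits)


def restore_names(root, dry_run=True):
    """Rename each hit back to the name without the space.

    If a file already sits under the cleaned name, both are left alone and
    reported: a second file occupying the original name is exactly the one
    that needs a closer look, not something to overwrite blindly.
    Returns (old_path, new_path, action) triples in path order.
    """
    results = []
    for old, clean in find_spaced_names(root):
        new = os.path.join(os.path.dirname(old), clean)
        if os.path.exists(new):
            results.append((old, new, "skipped: target exists"))
        elif dry_run:
            results.append((old, new, "would rename"))
        else:
            os.rename(old, new)
            results.append((old, new, "renamed"))
    return results


def build_sample_tree(root):
    """Constructed stand-in for a Program Files tree (not the poster's disk):
    one renamed file, one untouched file, and one pair where the clean name
    is already taken by another file."""
    lcm = os.path.join(root, "Common Files", "LogiShrd", "LComMgr")
    reader = os.path.join(root, "Adobe", "Acrobat 7.0", "Reader")
    os.makedirs(lcm)
    os.makedirs(reader)
    for path in (
        os.path.join(lcm, "Communications_Helper .exe"),
        os.path.join(reader, "reader_sl .exe"),
        os.path.join(reader, "reader_sl.exe"),
        os.path.join(root, "untouched.exe"),
    ):
        with open(path, "w") as fh:
            fh.write("stub\n")


def demo():
    """Build the sample tree in a temp dir, scan, rename, and return a
    summary: cleaned names found, the action taken for each, and what is
    still left with a space afterwards."""
    root = tempfile.mkdtemp(prefix="renv-demo-")
    try:
        build_sample_tree(root)
        before = [clean for _p, clean in find_spaced_names(root)]
        actions = [a for _o, _n, a in restore_names(root, dry_run=False)]
        after = [os.path.basename(p) for p, _c in find_spaced_names(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "actions": actions, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it with `dry_run=True` first against the real tree and read the list before letting it rename anything; the skip rule matters because a file that already holds the clean name is the one you want to examine, not overwrite.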
Old 12-26-2007, 10:29 AM   #8
StivVid - Registered User
Join Date: Dec 2007 | Posts: 20 | OS: Windows XP

Re: I think I'm killing my computer!!!

Ran on Thu 12/27/2007 - 17:27:01.03

------w 563,984 2007-12-25 23:03:37 C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe

Entries: 1 (1)
Directories: 0 Files: 1
Bytes: 563,984 Blocks: 1,102
Old 12-26-2007, 10:37 AM   #9
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005 | Posts: 21,354 | OS: XP


Re: I think I'm killing my computer!!!

Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Policies\Explorer\Run: [Sb4sm5UPra] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\ndaTqsVqrX.dll
C:\WINDOWS\system32\winwim32.dll
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
Folder::
C:\WINDOWS\ppqvmpqr

Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
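An added example, not from the thread and not part of HijackThis: a Python triage over O4 lines in HijackThis 2.0.2 format that flags the kind of entry sUBs singled out for "Fix checked". The sample lines are constructed from the log earlier in the thread. Two checks are grounded in how Windows works: `Policies\Explorer\Run` is the policy-managed run key, which legitimate installers rarely write to, and a `rundll32.exe "<dll>",<export>` command line tells you exactly which DLL and entry point to look at. The third check, whether a name looks machine-generated, is a heuristic and is labelled as such in the code.

```python
import ntpath
import re

# Constructed sample in HijackThis 2.0.2 O4 format, modelled on the log
# posted in this thread. Not a real scan output.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Sb4sm5UPra] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrX.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
"""

# "O4 - <registry key>: [<value name>] <command line>"
O4_LINE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# rundll32[.exe] "<dll path>",<export>   (quotes optional)
RUNDLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)

# Policy-managed run key; ordinary software uses ...\CurrentVersion\Run instead.
POLICIES_RUN = re.compile(r"\\Policies\\Explorer\\Run$", re.I)

VOWELS = set("aeiouAEIOU")


def looks_random(name):
    """Heuristic (not proof) for machine-generated names such as Sb4sm5UPra
    or ndaTqsVqrX: at least eight letters and either almost vowel-free or
    with digits wedged between letters. Short names like ctfmon are skipped."""
    stem = re.sub(r"\.(exe|dll|lnk)$", "", name, flags=re.I)
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 8:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    digits_inside = re.search(r"[A-Za-z]\d+[A-Za-z]", stem) is not None
    return vowel_ratio < 0.2 or digits_inside


def triage(text):
    """Parse O4 lines and return [(value_name, [reasons...])] for entries
    worth a closer look. Lines that are not registry O4 entries (Startup
    folder shortcuts) are skipped."""
    findings = []
    for line in text.splitlines():
        m = O4_LINE.match(line)
        if not m:
            continue
        key, name, cmd = m.group("key"), m.group("name"), m.group("cmd")
        reasons = []
        if POLICIES_RUN.search(key):
            reasons.append("policies-explorer-run")
        r = RUNDLL.search(cmd)
        if r:
            reasons.append("rundll32:%s!%s" % (r.group("dll"), r.group("export")))
            if looks_random(ntpath.basename(r.group("dll"))):
                reasons.append("random-dll-name")
        if looks_random(name):
            reasons.append("random-value-name")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_O4):
        print(name, ", ".join(reasons))
```

The output for the sample is a single hit, the `Sb4sm5UPra` value, carrying all three reasons; the Logitech, ctfmon and Nokia entries pass. A hit from the name heuristic alone is only a prompt to check the file's signer, timestamp and location, which is the same judgement the helper applied by hand here.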
Old 12-26-2007, 10:38 AM   #10
sUBs - Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005 | Posts: 21,354 | OS: XP


Re: I think I'm killing my computer!!!

This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.