Got some malware here....

The-Lovable-Mr--Hater (Planet Earth)
edited November 2009 in Spyware & Virus Removal
Hey guys. Everyone in here has always been so helpful, so hopefully you can help with this.

I recently noticed that my Microsoft updates had a few that failed. It wasn't a big deal at first, until I started to try and figure out what it was. I did a scan and went to a couple of other sites (my mistake, I should have come here first!) and downloaded a malware remover. Loaded the program, went to run the program and it wouldn't load. It gave me the error message "Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item." Once again, no big deal. I uninstalled it and rebooted, then the problem started.....

At the Windows logon screen (where I installed a password), this box pops up saying that "The system is shutting down.
Please save all work in progress and log off. Any unsaved changes will be lost.
This shutdown was initiated by NT AUTHORITY\SYSTEM. Time before shutdown (then a countdown starts at 1:00)
Message: The system process 'C:\WINDOWS\SYSTEM32\services.exe' terminated unexpectedly with status code -1073741482. The system will now shut down."
What the hell is that? So it rebooted by itself, and again the same box popped up. This time, I quickly put my password in and the system booted. Now everything is coming on fine, but I'm kinda scared to turn it off, since I don't know if it's gonna turn back on or not. The help I need is how to remove this malware or whatever is doing this, since I can't use a malware remover, as it won't load.

I'm running Windows XP 32-bit (yes, I know, I know!)
I have ESET antivirus.
Any other info needed, just ask.

thanks in advance for all the help! :respect:

Comments

  • edited November 2009
    Hello, sorry for the late reply.

    If you still need help,
    A few things before we start....
    1. Please Read All Instructions Carefully.
    2. If you don't understand something, stop and ask! Don't keep going on.
    3. Please do not run any other tools or scans whilst I am helping you.
    4. If you have to go away for an extended period of time, let me know.
    5. Please continue to respond until I give you the "All Clear".
    (Just because you can't see a problem doesn't mean it isn't there)



    Please download Malwarebytes' Anti-Malware by clicking the link below:
    Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

    Double Click mbam-setup.exe to install the application.

    * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select "Perform Quick Scan", then click Scan.
    * The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * You'll be required to post the contents of this log later.

    Please Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



    Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include MBAM log, C:\ComboFix.txt and a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    OK, thanks for responding chiaz. Well, actually I may have a bigger problem now. For whatever reason, I can't get online. Everything worked fine on Saturday and then Sunday when I got up I couldn't get online. On Internet Explorer it said "cannot connect blah blah blah" and I hit "diagnose problem" and it did nothing. When I put the cursor over the hyperlink though, I noticed at the bottom of the box it had "res://ieframe.dll/dnserror.htm#"....what the hell is that? I looked up ieframe and it seems there are mixed reviews as to it being either malware or being not needed. I went to Device Manager and it says that my Ethernet has a problem. I used my MB disc to load the driver again for the board and it tells me to load the correct driver. I'm really confuzzled now! I can do all the stuff you need me to do, but it may take just a little extra time since I can't directly download to the computer. I would have to use my flash drive from my laptop then load it that way. Tell me what all I need to do and I will do it! Thanks again.

    P.S. I have downloaded Malwarebytes already and it says that there is no malware on the system. I also have CCleaner and CleanMyPC registry cleaners and used them to fix any issues. Everything is "supposed" to be clean.

    Also, I have seen the "HijackThis" comment before. Is that a program as well or is that in the ComboFix program? If I need to download that, can I get that from download.com?
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Here is the MB Log File. Then underneath is the Combofix Log File.

    Malwarebytes' Anti-Malware 1.41
    Database version: 2775
    Windows 5.1.2600 Service Pack 3
    11/2/2009 7:40:56 PM
    mbam-log-2009-11-02 (19-40-56).txt
    Scan type: Quick Scan
    Objects scanned: 100923
    Time elapsed: 2 minute(s), 23 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    (No malicious items detected)
    Registry Keys Infected:
    (No malicious items detected)
    Registry Values Infected:
    (No malicious items detected)
    Registry Data Items Infected:
    (No malicious items detected)
    Folders Infected:
    (No malicious items detected)
    Files Infected:
    (No malicious items detected)


    ComboFix 09-11-01.04 - Michael 11/02/2009 19:12.1.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2763 [GMT -5:00]
    Running from: I:\ComboFix.exe
    AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
    FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\windows\COUPON~1.OCX
    c:\windows\CouponPrinter.ocx
    c:\windows\patchw32.dll
    c:\windows\pw32a.dll
    BITS: Possible infected sites
    hxxp://resources.zune.net
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
    \Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

    ((((((((((((((((((((((((( Files Created from 2009-10-03 to 2009-11-03 )))))))))))))))))))))))))))))))
    .
    2009-11-03 00:12 . 2008-04-13 23:10 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
    2009-11-03 00:12 . 2008-04-13 23:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
    2009-11-02 00:33 . 2009-11-02 00:33 d-----w- c:\documents and settings\Michael\Local Settings\Application Data\PCHealth
    2009-11-01 21:37 . 2009-11-01 21:37 d-----w- c:\documents and settings\Michael\Local Settings\Application Data\Symantec
    2009-11-01 21:29 . 2009-11-01 21:29 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
    2009-11-01 21:29 . 2009-11-01 21:32 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2009-11-01 21:29 . 2009-11-01 21:32 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2009-11-01 21:29 . 2009-11-01 21:29 d-----w- c:\windows\system32\drivers\NIS
    2009-11-01 21:29 . 2009-11-01 21:29 d-----w- c:\program files\Norton Internet Security
    2009-11-01 21:29 . 2009-11-01 21:29 d-----w- c:\program files\Windows Sidebar
    2009-11-01 21:29 . 2009-11-01 21:36 d-----w- c:\documents and settings\All Users\Application Data\Norton
    2009-11-01 21:28 . 2009-11-01 21:30 d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-11-01 21:28 . 2009-11-01 21:28 d-----w- c:\program files\NortonInstaller
    2009-11-01 21:27 . 2008-10-07 08:17 28672 ----a-r- c:\windows\system32\drivers\RTLTEAMING.SYS
    2009-11-01 21:27 . 2007-10-22 08:33 60416 ----a-r- c:\windows\system32\RTLTEAMING_NB.DLL
    2009-11-01 21:27 . 2008-05-26 13:42 17408 ----a-r- c:\windows\system32\drivers\RTLVLAN.SYS
    2009-11-01 21:27 . 2008-07-09 06:11 22016 ----a-r- c:\windows\system32\drivers\RtNdPt5x.sys
    2009-11-01 20:55 . 2009-11-01 20:55 d-----w- C:\found.001
    2009-11-01 20:50 . 2001-08-18 03:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
    2009-11-01 20:50 . 2008-04-14 10:42 159232 ----a-w- c:\windows\system32\ptpusd.dll
    2009-11-01 00:48 . 2009-11-01 00:48 d-----w- C:\found.000
    2009-10-30 02:59 . 2009-10-30 02:59 d-----w- c:\windows\Cache
    2009-10-30 02:59 . 2009-10-30 02:59 d-----w- c:\program files\Coupons
    2009-10-27 23:01 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-10-27 23:01 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-10-21 02:29 . 2009-10-21 02:10 9092032 ----a-w- C:\windows-kb890830-v3.0.exe
    2009-10-20 23:44 . 2009-11-03 00:12 d-----w- c:\windows\system32\CatRoot2
    2009-10-20 23:22 . 2009-10-20 23:22 d-----w- c:\documents and settings\All Users\Application Data\Applications
    2009-10-19 03:40 . 2009-10-19 03:40 d-----w- c:\documents and settings\Michael\Application Data\Viewpoint
    2009-10-19 03:33 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2009-10-19 03:33 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2009-10-19 03:33 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2009-10-19 03:33 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\unrar3.dll
    2009-10-19 03:33 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2009-10-18 22:25 . 2009-10-18 22:25 d-----w- c:\program files\MetaStream
    2009-10-18 22:21 . 2009-10-18 22:21 d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
    2009-10-18 22:07 . 2009-10-18 22:07 d-----w- C:\MGtools
    2009-10-18 22:02 . 2009-10-18 22:02 d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-10-18 22:02 . 2009-10-27 22:37 d-----w- c:\documents and settings\Michael\Application Data\SUPERAntiSpyware.com
    2009-10-18 22:02 . 2009-10-27 22:37 d-----w- c:\program files\SUPERAntiSpyware
    2009-10-18 21:27 . 2009-10-18 21:27 d-----w- c:\program files\CCleaner
    2009-10-18 21:16 . 2009-10-18 21:16 d-----w- c:\documents and settings\Michael\Application Data\Malwarebytes
    2009-10-18 21:16 . 2009-10-27 23:01 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-10-18 21:16 . 2009-10-18 21:16 d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-10-04 02:31 . 2009-10-04 02:31 d-----w- c:\program files\IObit
    2009-10-04 02:31 . 2009-10-04 02:31 d-----w- c:\documents and settings\Michael\Application Data\IObit
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-11-03 00:19 . 2009-07-22 10:00 16608 -c--a-w- c:\windows\gdrv.sys
    2009-11-02 02:35 . 2009-07-23 13:07 d-----w- c:\documents and settings\Michael\Application Data\U3
    2009-11-02 00:19 . 2009-07-22 10:05 d-----w- c:\program files\Realtek
    2009-11-01 21:37 . 2009-07-30 00:06 d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-11-01 21:32 . 2009-07-30 00:08 d-----w- c:\program files\Symantec
    2009-11-01 21:32 . 2009-11-01 21:29 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
    2009-11-01 21:32 . 2009-11-01 21:29 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
    2009-11-01 21:30 . 2009-07-30 00:06 d-----w- c:\program files\Common Files\Symantec Shared
    2009-11-01 21:27 . 2009-07-22 10:04
    d--h--w- c:\program files\InstallShield Installation Information
    2009-10-31 03:46 . 2009-07-22 12:43 d-----w- c:\documents and settings\Michael\Application Data\uTorrent
    2009-10-27 23:36 . 2009-09-25 01:08 d-----w- c:\program files\PeerGuardian2
    2009-10-27 23:07 . 2009-07-22 12:44 d-----w- c:\program files\uTorrent
    2009-10-26 03:24 . 2009-08-20 02:18 d-----w- c:\program files\Zune
    2009-10-22 03:19 . 2009-09-19 01:48
    d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2009-10-15 03:43 . 2009-07-22 14:40 d-----w- c:\documents and settings\Michael\Application Data\Ahead
    2009-10-14 02:06 . 2009-07-23 14:12 d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2009-10-04 02:28 . 2009-08-24 22:01 d-----w- c:\program files\Spybot - Search & Destroy
    2009-10-04 02:28 . 2009-08-24 22:01 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-10-03 04:30 . 2009-10-03 04:30 18816 ----a-w- c:\windows\system32\drivers\dvd43llh.sys
    2009-10-03 04:30 . 2009-10-03 04:30 d-----w- c:\program files\dvd43
    2009-09-23 00:43 . 2009-09-23 00:38 20454 ----a-w- c:\windows\hpoins01.dat
    2009-09-20 22:18 . 2009-09-20 22:18 0 ---ha-w- c:\windows\system32\drivers\Msft_User_ZuneDriver_01_09_00.Wdf
    2009-09-20 22:18 . 2009-09-20 22:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_WinUSB_01009.Wdf
    2009-09-20 22:17 . 2009-09-20 22:17 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_09_00.Wdf
    2009-09-20 21:41 . 2009-09-20 21:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_zumbus_01009.Wdf
    2009-09-20 21:41 . 2009-09-20 21:41 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
    2009-09-20 16:56 . 2009-07-22 12:03 d-----w- c:\program files\HP
    2009-09-19 01:48 . 2009-09-19 01:48 d-----w- c:\program files\CleanMyPC
    2009-09-19 01:44 . 2009-09-19 01:44 d-----w- c:\program files\WinMend
    2009-09-15 22:44 . 2009-08-17 03:07 d-----w- c:\documents and settings\Michael\Application Data\AdobeUM
    2009-09-15 00:59 . 2009-07-22 13:24 d-----w- c:\program files\Common Files\Adobe
    2009-09-13 16:54 . 2009-09-13 16:54 d-----w- c:\program files\SystemRequirementsLab
    2009-09-11 14:18 . 2008-04-14 04:42 136192 ----a-w- c:\windows\system32\msv1_0.dll
    2009-09-08 00:13 . 2009-09-08 00:13 4608 ----a-w- c:\windows\system32\w95inf32.dll
    2009-09-08 00:13 . 2009-09-08 00:13 2272 ----a-w- c:\windows\system32\w95inf16.dll
    2009-09-04 21:03 . 2008-04-14 04:42 58880 ----a-w- c:\windows\system32\msasn1.dll
    2009-09-04 17:17 . 2009-09-04 17:17 447216 ----a-w- c:\windows\system32\ZuneWlanCfgSvc.exe
    2009-09-04 17:16 . 2009-09-04 17:16 58592 ----a-w- c:\windows\system32\ZuneBusEnum.exe
    2009-09-02 04:29 . 2009-09-02 04:29 74240 ----a-w- c:\windows\system32\ZuneUsbTransport.dll
    2009-09-02 04:29 . 2009-09-02 04:29 57344 ----a-w- c:\windows\system32\ZuneRegUtil.dll
    2009-09-02 04:29 . 2009-09-02 04:29 18944 ----a-w- c:\windows\system32\ZuneTcp2Udp.dll
    2009-09-02 04:29 . 2009-09-02 04:29 12800 ----a-w- c:\windows\system32\ZunePTDNS.dll
    2009-09-02 04:29 . 2009-09-02 04:29 310784 ----a-w- c:\windows\system32\ZuneNetProxy.dll
    2009-09-02 04:29 . 2009-09-02 04:29 147456 ----a-w- c:\windows\system32\ZuneMTPZ.dll
    2009-09-02 04:28 . 2009-09-02 04:28 40832 ----a-w- c:\windows\system32\drivers\zumbus.sys
    2009-08-29 07:36 . 2008-04-14 04:42 832512 ----a-w- c:\windows\system32\wininet.dll
    2009-08-29 07:36 . 2008-04-14 04:41 78336 -c--a-w- c:\windows\system32\ieencode.dll
    2009-08-29 07:36 . 2008-04-14 04:41 17408 -c--a-w- c:\windows\system32\corpol.dll
    2009-08-26 08:00 . 2008-04-14 04:42 247326 -c--a-w- c:\windows\system32\strmdll.dll
    2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
    2009-08-17 16:37 . 2009-08-17 16:37 1837296 ----a-w- c:\windows\system32\WUDFUpdate_01009.dll
    2009-08-17 16:37 . 2009-08-17 16:37 1461992 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
    2009-08-10 01:42 . 2009-07-22 09:55 90336 -c--a-w- c:\documents and settings\Michael\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-06 23:24 . 2009-07-21 17:14 327896 ----a-w- c:\windows\system32\wucltui.dll
    2009-08-06 23:24 . 2009-07-21 17:14 209632 ----a-w- c:\windows\system32\wuweb.dll
    2009-08-06 23:24 . 2009-07-21 17:14 35552 -c--a-w- c:\windows\system32\wups.dll
    2009-08-06 23:24 . 2008-10-16 18:09 44768 ----a-w- c:\windows\system32\wups2.dll
    2009-08-06 23:24 . 2009-07-21 17:14 53472 ----a-w- c:\windows\system32\wuauclt.exe
    2009-08-06 23:24 . 2008-04-14 04:41 96480 ----a-w- c:\windows\system32\cdm.dll
    2009-08-06 23:23 . 2009-07-21 17:14 575704 ----a-w- c:\windows\system32\wuapi.dll
    2009-08-06 23:23 . 2009-08-01 06:51 274288 ----a-w- c:\windows\system32\mucltui.dll
    2009-08-06 23:23 . 2009-08-01 06:51 215920 ----a-w- c:\windows\system32\muweb.dll
    2009-08-06 23:23 . 2009-07-21 17:14 1929952 ----a-w- c:\windows\system32\wuaueng.dll
    2009-08-05 09:01 . 2008-04-14 04:42 204800 -c--a-w- c:\windows\system32\mswebdvd.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-10 39408]
    "Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "Registry Cleaner Scheduler"="c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2009-09-19 471650]
    "PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2005-09-18 1382400]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
    "tsnpstd3"="c:\windows\tsnpstd3.exe" [2007-03-10 270336]
    "snpstd3"="c:\windows\vsnpstd3.exe" [2006-09-19 827392]
    "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-16 86016]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 570664]
    "HostManager"="c:\program files\Common Files\AOL\1248265120\ee\AOLSoftware.exe" [2008-06-24 41824]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
    "dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2006-05-22 694272]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
    "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2009-09-04 158448]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
    "RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
    "nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-16 1630208]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
    @="Service"
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\aol\\acs\\AOLacsd.exe"=
    "c:\\Program Files\\Common Files\\aol\\1248265120\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\AOL 9.1\\waol.exe"=
    "c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
    "c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1000000.07D\SymEFA.sys [11/1/2009 4:29 PM 309296]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1000000.07D\BHDrvx86.sys [11/1/2009 4:29 PM 254512]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1000000.07D\ccHPx86.sys [11/1/2009 4:29 PM 362544]
    R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 1:23 PM 106208]
    R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [9/16/2008 11:03 AM 169312]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 1:23 PM 727720]
    R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [7/22/2009 5:04 AM 68136]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [11/1/2009 4:29 PM 115560]
    R2 RtNdPt5x;Realtek NDIS Protocol Driver;c:\windows\system32\drivers\RtNdPt5x.sys [11/1/2009 4:27 PM 22016]
    R2 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [4/13/2008 11:42 PM 5120]
    S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 1:24 PM 93336]
    S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20080826.006\IDSxpx86.sys [11/1/2009 4:29 PM 274808]
    S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/22/2009 7:44 AM 234888]
    S3 RTLTEAMING;Realtek Intermediate Driver for Ethernet Extended Features;c:\windows\system32\drivers\RTLTEAMING.SYS [11/1/2009 4:27 PM 28672]
    S3 RTLVLAN;Realtek VLAN Intermediate Driver;c:\windows\system32\drivers\RTLVLAN.SYS [11/1/2009 4:27 PM 17408]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - MBR
    *Deregistered* - mbr
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder
    2009-10-25 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2100 series5E771253C1676EBED677BF361FDFC537825E15B8253666622.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]
    2009-10-06 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2100 series5E771253C1676EBED677BF361FDFC537825E15B8254798195.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 04:52]
    2009-11-03 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-08-10 22:36]
    2009-11-03 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
    IE: &AOL Toolbar Search - c:\documents and settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
    IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    .
    - - - - ORPHANS REMOVED - - - -
    SafeBoot-WudfPf
    SafeBoot-WudfRd
    AddRemove-{C9BED750-1211-4480-B1A5-718A3BE15525} - c:\program files\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\setup.exe

    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-11-02 19:20
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
    .
    DLLs Loaded Under Running Processes
    - - - - - - - > 'explorer.exe'(3332)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Other Running Processes
    .
    c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\msiexec.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\IoctlSvc.exe
    c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    c:\windows\system32\ZuneBusEnum.exe
    c:\windows\system32\msdtc.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\system32\rundll32.exe
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
    c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    .
    **************************************************************************
    .
    Completion time: 2009-11-03 19:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-11-03 00:22
    Pre-Run: 297,008,578,560 bytes free
    Post-Run: 296,893,755,392 bytes free
    - - End Of File - - AEE11D331CDC126DDEC6BBB919C70F93
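    The following is an added example, not part of this thread and not ComboFix's or the helper's own code: a small Python script that slices the "Reg Loading Points" section out of a ComboFix log like the one above, parses the Run/BHO/service lines into records, and flags the things a helper reads first. The sample lines are constructed from entries in the posted log; the watchlist (AskBarDis, Coupons) is the pair of folders the CFScript later in this thread removes, and the two settings checks are the AntiVirusOverride and EnableFirewall values the log prints.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's or the helper's code). It parses
the REGEDIT4-style autostart lines and the security-posture values ComboFix
prints and reports what a helper reads first: autostarts loading from a watched
folder (AskBarDis and Coupons, the folders the thread's CFScript removes),
AntiVirusOverride set, and a disabled firewall profile.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the posted log, framed by section banners.
SAMPLE_LOG = r"""
((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 16:47 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-08-10 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-01-13 18084864]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [7/22/2009 7:44 AM 234888]
Contents of the 'Scheduled Tasks' folder
"""

WATCHLIST = ("AskBarDis", "Coupons")  # folder names the thread's CFScript removes

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="value" [yyyy-mm-dd size]   or   "name"="file" - full\path [yyyy-mm-dd size]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?:\s+-\s+(?P<path>.+?))?'
                    r'\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\]$')
# yyyy-mm-dd hh:mm size attrs path  (a DLL listed under its BHO/toolbar CLSID key)
FILE_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>\d+) \S{8} (?P<path>.+)$")
# R0/S2-style driver and service lines: start name;description;path [m/d/yyyy h:mm AM size]
SVC_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);[^;]*;(?P<path>.+?) \[(?P<stamp>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
INT_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+) \(0x[0-9a-fA-F]+\)$')

@dataclass(frozen=True)
class Autostart:
    key: str   # registry key the entry sits under, or "service:<start type>"
    name: str  # value name, CLSID or service name
    path: str  # binary the entry loads
    date: str  # timestamp ComboFix printed for it
    size: int  # file size in bytes

def extract_loading_points(log: str) -> str:
    """Slice a full log to its Reg Loading Points section (text without the banner is returned as is)."""
    lines = log.splitlines()
    start = next((i + 1 for i, l in enumerate(lines) if "Reg Loading Points" in l), 0)
    end = next((i for i, l in enumerate(lines)
                if i >= start and l.strip().startswith("Contents of the")), len(lines))
    return "\n".join(lines[start:end])

def parse_loading_points(section: str) -> tuple[list[Autostart], dict[str, int]]:
    """Return autostart entries plus numeric settings keyed '<key>\\<value name>'."""
    entries: list[Autostart] = []
    settings: dict[str, int] = {}
    key = ""
    for raw in section.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif m := RUN_RE.match(line):
            entries.append(Autostart(key, m.group("name"), m.group("path") or m.group("value"),
                                     m.group("date"), int(m.group("size"))))
        elif m := FILE_RE.match(line):  # name the DLL by the CLSID key it sits under
            entries.append(Autostart(key, key.rsplit("\\", 1)[-1], m.group("path"),
                                     m.group("date"), int(m.group("size"))))
        elif m := SVC_RE.match(line):
            stamp = m.group("stamp").split()
            entries.append(Autostart("service:" + m.group("start"), m.group("name"),
                                     m.group("path"), stamp[0], int(stamp[-1])))
        elif m := DWORD_RE.match(line):
            settings[f"{key}\\{m.group('name')}"] = int(m.group("hex"), 16)
        elif m := INT_RE.match(line):
            settings[f"{key}\\{m.group('name')}"] = int(m.group("val"))
    return entries, settings

def triage(log: str, watchlist: tuple[str, ...] = WATCHLIST) -> list[str]:
    """Apply the three rules from the module docstring; returns human-readable findings."""
    entries, settings = parse_loading_points(extract_loading_points(log))
    watched = {w.lower() for w in watchlist}
    findings = []
    for e in entries:
        hit = watched & set(e.path.lower().split("\\"))  # match whole path segments only
        if hit:
            findings.append(f"{e.key}: '{e.name}' loads {e.path} ({e.date}, {e.size} bytes) "
                            f"from watched folder {', '.join(sorted(hit))}")
    for full_key, value in settings.items():
        k = full_key.lower()
        if k.endswith("security center\\antivirusoverride") and value == 1:
            findings.append("Security Center AV monitoring overridden (AntiVirusOverride=1)")
        elif k.endswith("standardprofile\\enablefirewall") and value == 0:
            findings.append("Windows Firewall off in the standard profile (EnableFirewall=0)")
    return findings
```

    Run `triage()` on the text of C:\ComboFix.txt to get the findings list; an empty list means no watched folder or weakened setting was seen, not that the machine is clean.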
  • edited November 2009
    OK for your internet issue...try this.

    If that doesn't restore your internet connection, I will help you rid your computer of all malware first before we tackle this again.
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Thanks Chiaz. I will do this as soon as I get home today. Not sure where you are (I'm in Florida), so depending on the time, I should have done all this by 8 p.m. my time. Thanks and I will post the results.


    :respect:

    One other thing...is there an Anti Virus Software that you would recommend, or do they all work about the same?
  • edited November 2009
    I notice that you have both NOD32 and Norton.

    You should uninstall/disable the real-time protection of one of them.

    My personal preference is to keep NOD32 and get rid of Norton, which is known as a resource hog.
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Actually, I just loaded Norton, 'cause I realized that it came with my MB disc. I can uninstall it. It's no biggie to me. As for the NOD32, I will turn everything off so there won't be any problems. Thanks again Chiaz. :)
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Just an update. I'm not sure if this is OK. I went to do the reg. backup and it was OK. Then to the welcome screen and backup screen. Then, when I click Yes on the backup folder it said "error saving file C:\ERDNT\SECURITY! continue with the next file?". Should I click Yes on that? Am I screwed worse than a $2 hooker?
  • edited November 2009
    Yes, continue.
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Well, I tried that and it didn't work. I still cannot get online. I was able to click on "diagnose problem" and it gave me a box saying that I needed to contact my operating system operator (or something like that). But still no internet.
  • edited November 2009
    Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

    It's IMPORTANT to carry out the instructions in the sequence listed below.


    Please go to Control Panel > Add/Remove Programs and uninstall the following if found:
    AskBar
    Ask Toolbar
    AskBarDis


    Reboot even if not prompted to.

    Next,
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the text in the quotebox below into it:
    Folder::
    c:\program files\Coupons
    c:\program files\AskBarDis\
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your new reply.

    *Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
  • The-Lovable-Mr--Hater (Planet Earth)
    edited November 2009
    Hey chiaz, thanks for the help. Actually, I came home last night and the system wouldn't even boot up. So I just deleted the hard drive and am currently reinstalling Windows. I wish that I could have gotten you the info you needed so maybe someone could figure out what it was. Once again, I appreciate what you did for me. If I do have another issue, I will definitely let you know. One question though, do you think that coupon program was the culprit? I did notice it on there.