Fix Code 1073741819 from C:\Windows\Systems\Services.exe

Hello everyone, well yesterday I started getting the shut down window after getting a "Virus Warning" that tells you to get a better protection software program. I ran Malwarebytes', as I always do and it got rid of everything. When I restarted the computer, I started getting the C:\Windows\Systems\Services.exe 1073741819 code and getting 60 seconds to shut down. I managed to go online and found out it happened to shut down when I was connected to the net, so I unplugged my connection and restarted my computer. This stopped the shutdown countdown, so I ran Malwarebytes again and it found two more problems which I deleted, and I restarted the computer once again.

Now if I keep the internet connected, once the computer is restarted the shut down screen comes up again every time, so what I do is disconnected from the web, run Malwarebytes and get rid of the problem, then plug in my connection and go from there.

I saw that there was a thread on how to get rid of this already, but like stated on the rules, I should not follow any one elses help, so I figured I'd do my own thread and get help here.

So can anyone help me get rid of this 1073741819 problem. Im currently running Windows XP.

Thanks a bunch.

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Thanks a bunch here's the log file.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:50 AM, on 9/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\sys32_nov.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Nate\sys32_nov.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.221 viruskill2009.microsoft.com
O1 - Hosts: 91.212.127.221 viruskill2009.com
O1 - Hosts: 91.212.127.221 ww.viruskill2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Nate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\Nate\sys32_nov.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: WUSB54Gv42SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5728 bytes

• Open HijackThis.
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O1 - Hosts: ::1 localhost
  O1 - Hosts: 91.212.127.221 viruskill2009.microsoft.com
  O1 - Hosts: 91.212.127.221 viruskill2009.com
  O1 - Hosts: 91.212.127.221 ww.viruskill2009.com
  O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
  O4 - HKLM\..\Run: [sys32_nov] C:\WINDOWS\system32\sys32_nov.exe
  O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
  O4 - HKCU\..\Run: [sys32_nov] C:\Documents and Settings\Nate\sys32_nov.exe
  
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Here's the Log.


Malwarebytes' Anti-Malware 1.40
Database version: 2682
Windows 5.1.2600 Service Pack 3

9/12/2009 2:48:31 PM
mbam-log-2009-09-12 (14-48-31).txt

Scan type: Quick Scan
Objects scanned: 94227
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Nate\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> Quarantined and deleted successfully.

Hello.
Please update MBAM databse.

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan.

Copy and paste the new log back here.

Here's the updated log.


Malwarebytes' Anti-Malware 1.41
Database version: 2790
Windows 5.1.2600 Service Pack 3

9/13/2009 9:49:07 AM
mbam-log-2009-09-13 (09-49-07).txt

Scan type: Quick Scan
Objects scanned: 96320
Time elapsed: 5 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sys32_nov.exe (Trojan.Cutwail) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\AGP440.SYS (Trojan.Cutwail) -> Quarantined and deleted successfully.
C:\Documents and Settings\Nate\sys32_nov.exe (Trojan.Cutwail) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Malware.Trace) -> Quarantined and deleted successfully.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Here's the update.

ComboFix 09-09-13.04 - Nate 09/13/2009 22:30.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1030 [GMT -4:00]
Running from: c:\documents and settings\Nate\Desktop\Combo-Fix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\2c7f6.msi
c:\windows\Installer\2c7fa.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-12 09:42 . 2009-09-12 09:42 -------- d-----w- c:\program files\Trend Micro
2009-09-10 15:31 . 2009-09-10 15:31 -------- d-----w- c:\program files\Trojan Remover
2009-09-10 15:29 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2009-09-10 15:29 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2009-09-10 15:29 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2009-09-10 15:29 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\unrar3.dll
2009-09-10 15:29 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2009-09-10 15:29 . 2009-09-10 15:31 -------- d-----w- c:\documents and settings\Nate\Application Data\Simply Super Software
2009-09-10 15:29 . 2009-09-10 15:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-09-09 05:01 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-09-09 05:01 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-09-08 20:09 . 2009-09-13 13:51 -------- d-----w- c:\documents and settings\Nate\Tracing
2009-09-08 20:08 . 2009-09-08 20:08 -------- d-----w- c:\program files\Microsoft
2009-09-08 20:07 . 2009-09-08 20:07 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-09-08 20:07 . 2009-09-08 20:08 -------- d-----w- c:\program files\Windows Live
2009-08-30 02:24 . 2009-08-30 02:24 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET
2009-08-30 02:14 . 2009-08-30 02:31 -------- d-----w- c:\program files\onwnvo
2009-08-23 07:25 . 2009-08-23 07:25 -------- d-----w- c:\documents and settings\Nate\Local Settings\Application Data\ESET
2009-08-23 07:16 . 2009-08-23 07:45 -------- d-----w- c:\program files\jfqilk
2009-08-18 06:09 . 2009-08-18 06:09 -------- d-----w- c:\documents and settings\Nate\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 13:50 . 2009-07-21 22:40 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000003-00001102-00000004-10071102}.dat
2009-09-13 13:50 . 2009-07-21 22:40 384 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000003-00001102-00000004-10071102}.dat
2009-09-13 13:41 . 2009-07-21 21:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2009-07-21 21:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-07-21 21:45 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 15:37 . 2009-07-21 21:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-09 06:00 . 2009-07-21 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-08 20:05 . 2009-07-21 03:23 70800 ----a-w- c:\documents and settings\Nate\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-12 17:59 . 2009-08-12 17:55 -------- d-----w- c:\documents and settings\Nate\Application Data\Ventrilo
2009-08-12 17:55 . 2009-08-12 17:55 -------- d-----w- c:\program files\Ventrilo
2009-08-12 17:54 . 2009-08-12 17:54 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-12 17:50 . 2009-07-21 21:44 -------- d-----w- c:\program files\Java
2009-08-08 07:51 . 2009-08-08 07:51 -------- d-----w- c:\documents and settings\Nate\Application Data\Ashampoo
2009-08-08 07:51 . 2009-08-08 07:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
2009-08-08 07:51 . 2009-08-08 07:51 -------- d-----w- c:\program files\Ashampoo
2009-08-08 00:22 . 2009-08-07 23:57 -------- d-----w- c:\documents and settings\Nate\Application Data\InfraRecorder
2009-08-05 09:01 . 2008-11-27 04:45 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 02:26 . 2009-07-29 02:26 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-25 09:23 . 2009-07-21 21:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-22 23:25 . 2009-07-22 23:24 -------- d-----w- c:\program files\EPSON
2009-07-21 23:07 . 2009-07-21 23:07 -------- d-----w- c:\program files\ESET
2009-07-21 23:07 . 2009-07-21 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-07-21 23:02 . 2009-07-21 21:41 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-21 22:31 . 2009-07-21 22:31 -------- d-----w- c:\program files\Intel
2009-07-21 22:20 . 2009-07-21 22:20 -------- d-----w- c:\documents and settings\Nate\Application Data\GRETECH
2009-07-21 22:09 . 2009-07-21 22:09 -------- d-----w- c:\program files\Windows Media Connect 2
2009-07-21 21:59 . 2009-07-21 21:54 -------- d-----w- c:\program files\PhotoshopPortable
2009-07-21 21:58 . 2009-07-21 21:58 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-07-21 21:54 . 2009-07-21 21:52 -------- d-----w- c:\program files\SpywareBlaster
2009-07-21 21:46 . 2009-07-21 21:46 -------- d-----w- c:\documents and settings\Nate\Application Data\Malwarebytes
2009-07-21 21:46 . 2009-07-21 21:46 -------- d-----w- c:\program files\Sun
2009-07-21 21:45 . 2009-07-21 21:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-21 21:45 . 2009-07-21 21:45 -------- d-----w- c:\program files\GRETECH
2009-07-21 21:42 . 2009-07-21 21:42 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-21 21:41 . 2009-07-21 21:41 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-07-21 21:41 . 2009-07-21 21:41 -------- d-----w- c:\program files\Linksys Wireless-G USB Wireless Network Monitor
2009-07-21 21:41 . 2009-07-21 21:41 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-21 11:37 . 2009-07-21 11:37 -------- d-----w- c:\program files\Microsoft Works
2009-07-21 11:36 . 2009-07-21 11:36 -------- d-----w- c:\program files\MSBuild
2009-07-21 03:29 . 2009-07-21 03:29 0 ----a-w- c:\windows\nsreg.dat
2009-07-21 03:17 . 2009-07-21 03:17 -------- d-----w- c:\program files\microsoft frontpage
2009-07-21 03:14 . 2009-07-21 03:14 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-07-17 19:01 . 2008-11-27 04:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2008-11-27 04:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2008-11-27 04:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2008-11-27 04:45 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2008-11-27 04:45 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Google Update"="c:\documents and settings\Nate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-07-22 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-02-06 2021400]
"EPSON Stylus CX3800 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE" [2005-02-08 98304]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-09-04 1069960]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2003-06-20 24576]
"AsioReg"="CTASIO.DLL" - c:\windows\system32\CTASIO.DLL [2003-06-20 118784]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2/6/2009 2:23 PM 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2/6/2009 2:24 PM 93336]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2/6/2009 2:23 PM 727720]
R2 WUSB54Gv42SVC;WUSB54Gv42SVC;c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe [7/21/2009 5:41 PM 53307]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt --> c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1292428093-1606980848-1003Core.job
- c:\documents and settings\Nate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-22 20:02]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1292428093-1606980848-1003UA.job
- c:\documents and settings\Nate\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-07-22 20:02]

2009-09-13 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-07-23 02:18]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nate\Application Data\Mozilla\Firefox\Profiles\2j1ak4f9.default\
FF - plugin: c:\documents and settings\Nate\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 22:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\program files\Lavalys\EVEREST Home Edition\kerneld.wnt"
.
Completion time: 2009-09-14 22:39
ComboFix-quarantined-files.txt 2009-09-14 02:39

Pre-Run: 302,885,498,880 bytes free
Post-Run: 303,764,221,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

159 --- E O F --- 2009-09-09 06:02

Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
  
• Please double-click OTM.exe to run it.
  
• Copy the bolded text below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  
  :files
  c:\program files\onwnvo
  c:\program files\jfqilk
  
  
  
• Return to OTMoveIt, right click in the "Paste instructions for items to be Moved" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
  
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  
• Close OTMoveIt
  

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the OTMoveIt log.

Here's the update.


========== FILES ==========
c:\program files\onwnvo moved successfully.
c:\program files\jfqilk moved successfully.

OTM by OldTimer - Version 3.0.0.6 log created on 09142009_174657

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?