Hello,
A week ago, after completing a banking transaction, I exited the private browsing window in Firefox and discovered a new toolbar had been added to the second window beneath. I ran MBAM, OneCare (my resident security app.) and SAS, but found nothing. I restored to remove the toolbar, but when the computer booted up, in place of the wallpaper there was a black screen instead. Since only the desktop screen was affected and I was not in safe mode, I restored again to no avail. Finally I installed another wallpaper and this seemed to be the solution. Firefox began crashing constantly and I was forced to uninstall and reinstall it.
After this my computer took longer and longer to boot up. Today I turned it on and, because it could not boot up, it began repairing itself by restoring to an earlier point. (A popup indicated all of this.) Ten minutes later it finally booted up, although two FF add-ons were missing.
I finally discovered the toolbar was part of a music download and convert program I have been using for the past year. As part of its latest update a nag screen was added hawking this toolbar. It continues to be a mystery how the toolbar was installed since I had not used the program in over a week before the incident.
With all that has happened I thought it prudent to seek further assistance, especially since I am now reluctant to turn off my computer. I ran MBAM again today and found nothing. Nothing else was done.
Thank you.
Logfile of random's system information tool 1.06 (written by random/random)
Run by ZANDRA JONES at 2010-04-29 16:44:42
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 154 GB (67%) free of 228 GB
Total RAM: 3006 MB (56% free)
HijackThis download failed
======Scheduled tasks folder======
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3728476250-1701664626-1355148271-1001Core.job
C:\Windows\tasks\User_Feed_Synchronization-{60FF668E-BFFB-457E-9FBB-8765E0A01407}.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]
WOT Helper - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2006-11-17 98304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-15 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{981FE6A8-260C-4930-960F-C3BC82746CB0}
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}
{71576546-354D-41c9-AAE8-31F2EC22BF0D} - WOT - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"=C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe [2010-02-05 65256]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-10-10 320832]
"Immunet Protect"=C:\Program Files\Immunet Protect\1.0.26\iptray.exe [2010-04-13 1315656]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^ZANDRA JONES^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkCalRem.exe [2006-06-05 21504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=" "
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\GoToAssist]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*
.reg - open - regedit.exe "%1" %*
======List of files/folders created in the last 1 months======
2010-04-29 16:44:42 ----D---- C:\rsit
2010-04-29 16:44:42 ----D---- C:\Program Files\trend micro
2010-04-29 14:02:35 ----D---- C:\Program Files\SpywareBlaster
2010-04-29 12:54:00 ----D---- C:\Program Files\ERUNT
2010-04-21 16:45:42 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\Mozilla
2010-04-21 16:45:28 ----D---- C:\Program Files\Mozilla Firefox
2010-04-18 14:51:31 ----D---- C:\Program Files\AnvSoft
2010-04-16 15:34:56 ----D---- C:\Program Files\Microsoft Silverlight
2010-04-15 17:29:56 ----D---- C:\ProgramData\Sun
2010-04-15 17:28:49 ----A---- C:\Windows\system32\javaws.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\javaw.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\java.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\deployJava1.dll
2010-04-15 17:23:29 ----D---- C:\Program Files\DVDVideoSoft
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDFF.tmp
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDFE.tmp
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDED.tmp
2010-04-14 08:36:33 ----A---- C:\Windows\system32\iphlpsvc.dll
2010-04-14 08:36:26 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-04-14 08:36:26 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-04-14 08:36:20 ----A---- C:\Windows\system32\vbscript.dll
2010-04-13 16:52:09 ----A---- C:\Windows\system32\cabview.dll
2010-04-13 16:52:01 ----A---- C:\Windows\system32\wintrust.dll
2010-04-13 02:16:48 ----D---- C:\Program Files\Immunet Protect
2010-03-31 08:19:20 ----A---- C:\Windows\system32\mshtml.dll
2010-03-31 08:19:19 ----A---- C:\Windows\system32\ieframe.dll
2010-03-31 08:19:18 ----A---- C:\Windows\system32\urlmon.dll
2010-03-31 08:19:18 ----A---- C:\Windows\system32\iertutil.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\wininet.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\occache.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\mstime.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\msfeeds.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\iedkcs32.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\msfeedssync.exe
2010-03-31 08:19:16 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\jsproxy.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ieUnatt.exe
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ieui.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iesysprep.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iesetup.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iepeers.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ie4uinit.exe
2010-03-31 08:19:15 ----A---- C:\Windows\system32\iernonce.dll
======List of files/folders modified in the last 1 months======
2010-04-29 16:44:42 ----D---- C:\Windows\Prefetch
2010-04-29 16:44:42 ----D---- C:\Program Files
2010-04-29 16:26:55 ----D---- C:\Windows\Temp
2010-04-29 14:07:20 ----AD---- C:\ProgramData\TEMP
2010-04-29 13:44:02 ----D---- C:\Windows\system32\config
2010-04-29 13:43:52 ----D---- C:\Windows\Tasks
2010-04-29 13:43:52 ----D---- C:\Windows\system32\Tasks
2010-04-29 13:43:52 ----D---- C:\Windows\system32\spool
2010-04-29 13:43:52 ----D---- C:\Windows\system32\Msdtc
2010-04-29 13:43:52 ----D---- C:\Windows\system32\catroot2
2010-04-29 13:43:52 ----D---- C:\Windows
2010-04-29 13:43:44 ----D---- C:\Windows\system32\wbem
2010-04-29 13:43:44 ----D---- C:\Windows\registration
2010-04-29 09:52:48 ----D---- C:\Windows\System32
2010-04-29 09:52:48 ----D---- C:\Windows\inf
2010-04-29 09:52:48 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-29 09:47:08 ----D---- C:\Program Files\Microsoft Windows OneCare Live
2010-04-28 17:02:07 ----SHD---- C:\System Volume Information
2010-04-28 03:01:24 ----D---- C:\Windows\winsxs
2010-04-28 00:25:40 ----D---- C:\Windows\system32\catroot
2010-04-24 22:58:11 ----D---- C:\Program Files\Common Files\DVDVideoSoft
2010-04-24 22:32:43 ----SD---- C:\ProgramData\Microsoft
2010-04-24 21:49:27 ----HD---- C:\ProgramData
2010-04-23 05:20:36 ----SHD---- C:\Windows\Installer
2010-04-23 05:20:34 ----D---- C:\Windows\system32\drivers
2010-04-22 20:37:39 ----D---- C:\Windows\Debug
2010-04-22 17:34:26 ----D---- C:\Windows\AppPatch
2010-04-22 07:49:21 ----D---- C:\Program Files\Microsoft ATS
2010-04-21 10:56:48 ----SHD---- C:\$Recycle.Bin
2010-04-21 10:20:09 ----D---- C:\Program Files\Internet Explorer
2010-04-19 13:58:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-18 14:51:42 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\AnvSoft
2010-04-15 17:29:55 ----D---- C:\Program Files\Common Files\Java
2010-04-15 17:27:50 ----D---- C:\Program Files\Java
2010-04-15 08:57:41 ----DC---- C:\Windows\system32\DRVSTORE
2010-04-15 07:03:26 ----D---- C:\Program Files\SUPERAntiSpyware
2010-04-14 08:59:36 ----D---- C:\Program Files\Windows Mail
2010-04-12 22:54:40 ----D---- C:\Program Files\CCleaner
2010-04-09 17:48:44 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\Windows Live Writer
2010-04-06 10:52:56 ----A---- C:\Windows\system32\mrt.exe
2010-03-31 09:02:48 ----D---- C:\Windows\system32\migration
2010-03-30 15:22:46 ----D---- C:\Program Files\Microsoft Office
2010-03-30 15:22:46 ----D---- C:\Program Files\Common Files\microsoft shared
2010-03-30 15:21:46 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\SoftGrid Client
2010-03-30 00:08:30 ----D---- C:\Windows\pss
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 DLACDBHM;DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [2007-02-09 12856]
R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 ImmunetMonitorDriver;ImmunetMonitorDriver; C:\Windows\system32\DRIVERS\ImmunetMonitor.sys [2010-04-13 20040]
R1 ImmunetProtectDriver;ImmunetProtectDriver; C:\Windows\system32\DRIVERS\ImmunetProtect.sys [2010-04-13 38856]
R1 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver; C:\Windows\system32\DRIVERS\ImmunetSelfProtect.sys [2010-04-13 29640]
R1 MSFWHLPR;MSFWHLPR; C:\Windows\system32\DRIVERS\msfwhlpr.sys [2007-11-27 37440]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-22 12872]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-22 66632]
R1 SBRE;SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [2010-04-12 95024]
R2 DLABMFSM;DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 MSFWDrv;MSFWDrv; C:\Windows\system32\DRIVERS\msfwdrv.sys [2007-11-27 91200]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 dc3d;USBCCGP filter driver (dc3d); C:\Windows\system32\DRIVERS\dc3d.sys [2009-01-15 15360]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2008-05-15 53168]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2007-08-31 18856]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-12-08 4456416]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2008-06-10 33352]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-05-10 326656]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 Inspect;Comodo Firewall Network Driver; C:\Windows\system32\DRIVERS\inspect.sys []
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2010-02-22 12872]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 wanatw;WAN Miniport (ATW); C:\Windows\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 CISVC;@%systemroot%\system32\CISVC.EXE,-1; C:\Windows\system32\CISVC.EXE [2008-01-19 11264]
R2 ImmunetProtect;Immunet Protect; C:\Program Files\Immunet Protect\1.0.26\agent.exe [2010-04-13 717552]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 msfwsvc;@C:\Program Files\Microsoft Windows OneCare Live\Firewall\\MSFWSVCResource.dll,-10000; C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe [2007-11-27 869952]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-09-17 196608]
R2 OcHealthMon;Windows Live OneCare Health Monitor; C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe [2008-07-09 18704]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-05-10 94208]
R2 winss;Windows Live OneCare; C:\Program Files\Microsoft Windows OneCare Live\winss.exe [2010-02-05 1141112]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe []
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-09-26 149336]
S3 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe []
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S4 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe []
S4 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe []
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.06 2010-04-29 16:44:45
======Uninstall list======
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{028EC2AF-F501-4567-9CEA-140030DE8544}\setup.exe" -l0x9 -u
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2580F4DA-324F-4945-B16F-B2B867325085}\setup.exe" -l0x9 -u
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.3.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Agent Ransack Version 1.7.3-->"C:\Program Files\Mythicsoft\Agent Ransack\unins000.exe"
Any Video Converter 3.0.5-->"C:\Program Files\AnvSoft\Any Video Converter\unins000.exe"
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant D850 PCI V.92 Modem-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -IDel200fz.inf
Dell System Customization Wizard-->MsiExec.exe /I{13BA7B44-B712-4DEE-A7B8-1DD564F37AE5}
Digital Line Detect-->C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\Setup.exe -runfromtemp -l0x0009 -removeonly
DivX Player-->C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Plus Web Player-->C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Epson Event Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
Free Audio CD Burner version 1.2-->"C:\Program Files\DVDVideoSoft\Free Audio CD Burner\unins000.exe"
Free YouTube to MP3 Converter version 3.3-->"C:\Program Files\DVDVideoSoft\Free YouTube to MP3 Converter\unins000.exe"
GTOneCare-->MsiExec.exe /X{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
ieSpell-->"C:\Program Files\ieSpell\uninst.exe"
Immunet Protect-->"C:\Program Files\Immunet Protect\1.0.26\uninstall.exe"
Java(TM) 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216020FF}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Protection Service-->MsiExec.exe /I{F3B58D4E-7324-44E4-A6B3-65D2DB8D1FE9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Windows Live OneCare Resources v2.5.2900.30-->MsiExec.exe /I{5660022E-F3F2-4126-8CC5-9726C47150EB}
Microsoft Windows OneCare Live AntiSpyware and AntiVirus-->MsiExec.exe /I{E26B83D1-C0BB-41BC-8F44-31D5354DD6AF}
Microsoft Windows OneCare Live v2.5.2900.28 Idcrl Install-->MsiExec.exe /I{3851147E-5A91-4469-BA4D-13FFFCC8A920}
Microsoft Windows OneCare Live v2.5.2900.30-->MsiExec.exe /I{D07A8E7E-D324-4945-BA8C-E532AD008FF3}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Modem Diagnostic Tool-->MsiExec.exe /I{F63A3748-B93D-4360-9AD4-B064481A5C7B}
Mozilla Firefox (3.6.3)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
PX Engine-->MsiExec.exe /I{6513E869-647F-40FD-A55D-CFC92579B9BA}
Qualxserve Service Agreement-->MsiExec.exe /X{0F756CD9-4A1E-409B-B101-601DDC4C03AA}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Revo Uninstaller 1.87-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator BDAV Plugin-->MsiExec.exe /I{880AF49C-34F7-4285-A8AD-8F7A3D1C33DC}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator DE-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Drag-to-Disc-->MsiExec.exe /I{2F4C24E6-CBD4-4AAC-B56F-C9FD44DE5668}
Roxio Express Labeler-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD DE-->MsiExec.exe /I{D639085F-4B6E-4105-9F37-A0DBB023E2FB}
Roxio Update Manager-->MsiExec.exe /I{30465B6C-B53F-49A1-9EBA-A3F187AD502E}
RTC Client API v1.2-->MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
runtime-->MsiExec.exe /I{D88C3E7C-1DA6-4AD7-97FC-75BC8705B266}
SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly
Sonic Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
SpywareBlaster 4.3-->"C:\Program Files\SpywareBlaster\unins000.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
URL Assistant-->regsvr32 /u /s "C:\Program Files\BAE\BAE.dll"
User's Guides-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CD29180-A95E-11D3-A4EB-00C04F7BDB2C}\setup.exe"
VC80CRTRedist - 8.0.50727.4053-->MsiExec.exe /I{5EE7D259-D137-4438-9A5F-42F432EC0421}
Verizon High Speed Internet-->"C:\Windows\DSL\unins000.exe"
Visual C++ 2008 x86 Runtime - (v9.0.30729)-->MsiExec.exe /X{F333A33D-125C-32A2-8DCE-5C5D14231E27}
Visual C++ 2008 x86 Runtime - v9.0.30729.01-->C:\Windows\system32\msiexec.exe /x {F333A33D-125C-32A2-8DCE-5C5D14231E27} /qb+ REBOOTPROMPT=""
Visual C++ 8.0 ATL (x86) WinSXS MSM-->MsiExec.exe /I{97F81AF1-0E47-DC99-FF1F-C8B3B9A1E18E}
Visual C++ 8.0 CRT (x86) WinSXS MSM-->MsiExec.exe /I{98CB24AD-52FB-DB5F-FF1F-C8B3B9A1E18E}
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live OneCare-->"C:\Program Files\Microsoft Windows OneCare Live\OCSetup.exe" /u
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinPatrol 2009-->C:\PROGRA~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
WOT for Internet Explorer-->MsiExec.exe /X{DB6BD5D5-8482-45C0-99CF-745C5B924497}
======Security center information======
AS: Windows Defender
AS: SUPERAntiSpyware (disabled)
AS: AdwareAlert (disabled)
======System event log======
Computer Name: ZANDRAJONES-PC
Event Code: 412
Message: Task Scheduler service failed to launch tasks triggered by computer startup. Additional Data: Error Value: 2147942402. User Action: restart task scheduler service.
Record Number: 346392
Source Name: Microsoft-Windows-TaskScheduler
Time Written: 20091016183950.686321-000
Event Type: Error
User: NT AUTHORITY\SYSTEM
Computer Name: ZANDRAJONES-PC
Event Code: 49
Message: Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
Record Number: 346390
Source Name: volmgr
Time Written: 20091016183940.562064-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 49
Message: Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
Record Number: 346384
Source Name: volmgr
Time Written: 20091016183935.382831-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 15301
Message: SSL Certificate Settings created by an admin process for Port : 192.168.1.46:63331 .
Record Number: 346279
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20091016123532.899333-000
Event Type: Warning
User:
Computer Name: ZANDRAJONES-PC
Event Code: 15300
Message: SSL Certificate Settings deleted for Port : 192.168.1.46:63331 .
Record Number: 346278
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20091016123532.727733-000
Event Type: Warning
User:
=====Application event log=====
Computer Name: ZANDRAJONES-PC
Event Code: 8194
Message: Volume Shadow Copy Service error: Unexpected error querying for the IVssWriterCallback interface. hr = 0x80070005. This is often caused by incorrect security settings in either the writer or requestor process.
Operation:
Gathering Writer Data
Context:
Writer Class Id: {e8132975-6f93-4464-a53e-1050253ae220}
Writer Name: System Writer
Writer Instance ID: {931d5e9c-157a-4dad-8348-78191b66699b}
Record Number: 59325
Source Name: VSS
Time Written: 20090106234737.000000-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 3013
Message: The entry <C:\WINDOWS\INF\WMIAPRPL\WMIAPRPL.H> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 59315
Source Name: Microsoft-Windows-Search
Time Written: 20090106165736.000000-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 3013
Message: The entry <C:\WINDOWS\INF\WMIAPRPL\WMIAPRPL.H> in the hash map cannot be updated.
Context: Application, SystemIndex Catalog
Details:
A device attached to the system is not functioning. (0x8007001f)
Record Number: 59314
Source Name: Microsoft-Windows-Search
Time Written: 20090106165736.000000-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 1002
Message: The program NOTEPAD.EXE version 6.0.6001.18000 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Problem Reports and Solutions control panel. Process ID: f9c Start Time: 01c96d25999e6280 Termination Time: 7
Record Number: 59157
Source Name: Application Hang
Time Written: 20090102220121.000000-000
Event Type: Error
User:
Computer Name: ZANDRAJONES-PC
Event Code: 1000
Message: Faulting application wlmail.exe, version 12.0.1606.1023, time stamp 0x471e44f8, faulting module MAILCOMM.dll, version 12.0.1606.1023, time stamp 0x471e44e3, exception code 0xc0000005, fault offset 0x0002f3ff, process id 0xa50, application start time 0x01c96d028e288980.
Record Number: 59150
Source Name: Application Error
Time Written: 20090102181336.000000-000
Event Type: Error
User:
=====Security event log=====
Computer Name: ZANDRAJONES-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 506426
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091119201153.173123-000
Event Type: Audit Success
User:
Computer Name: ZANDRAJONES-PC
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ZANDRAJONES-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 506425
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091119201153.173123-000
Event Type: Audit Success
User:
Computer Name: ZANDRAJONES-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-18
Account Name: ZANDRAJONES-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\services.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 506424
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091119201153.173123-000
Event Type: Audit Success
User:
Computer Name: ZANDRAJONES-PC
Event Code: 4672
Message: Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-3728476250-1701664626-1355148271-1001
Account Name: ZANDRA JONES
Account Domain: ZANDRAJONES-PC
Logon ID: 0x1becf
Privileges: SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 506423
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091119201152.785123-000
Event Type: Audit Success
User:
Computer Name: ZANDRAJONES-PC
Event Code: 4624
Message: An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: ZANDRAJONES-PC$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 2
New Logon:
Security ID: S-1-5-21-3728476250-1701664626-1355148271-1001
Account Name: ZANDRA JONES
Account Domain: ZANDRAJONES-PC
Logon ID: 0x1bf18
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x298
Process Name: C:\Windows\System32\winlogon.exe
Network Information:
Workstation Name: ZANDRAJONES-PC
Source Network Address: 127.0.0.1
Source Port: 0
Detailed Authentication Information:
Logon Process: User32
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 506422
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091119201152.785123-000
Event Type: Audit Success
User:
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 75 Stepping 2, AuthenticAMD
"PROCESSOR_LEVEL"=15
"PROCESSOR_REVISION"=4b02
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------
Hello,
I attempted to run RootRepeal three (3) times. The first time it appeared to scan my system, however it would not generate a report. The second and third times I received a FOPS, device to control error.
Also I did not do a backup of my registry. After downloading and installing the program (instructions were somewhat different) I was left with two icons on my desktop: ERUNT and NTREGOPT. I do not know which of these icons to select for backup and since I am dealing with the registry, I am very reluctant to experiment.
Thank you.
Hi, Nissi1.
You want to run ERUNT. Right-click NTREGOPT and select delete.
Any reason you did not allow RSIT to download HijackThis?
It appears you have two antivirus software programs installed, which is not wise as they can cause conflicts.
-- Windows Live OneCare, which will only be supported throughout the term of your current subscription. Microsoft Security Essentials (http://www.microsoft.com/security_essentials/default.aspx) is the replacement and is free for personal use.
-- A relatively new program, recently out of beta, Immunet Protect.
Your log is also showing AdwareAlert, although I am not seeing an uninstall entry in Add/Remove Programs. Please see this information regarding AdwareAlert: http://www.mywot.com/en/scorecard/adwarealert.com
After running ERUNT, please do the following.
Please follow these instructions carefully.
Download ComboFix from one of the following locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
!!! IMPORTANT !!! Save ComboFix.exe to your Desktop.
Disable your AntiVirus and AntiSpyware applications. If not disabled, these programs will likely interfere with the cleanup process. This can usually be accomplished by a right-click on the icon in the System Tray.
Note: If you use AVG, you must also open the AVG 8 Control Center by right-clicking on the AVG 8 icon in the task bar, and then do the following:
- Click on Tools.
- Select Advanced Settings.
- In the left hand pane, scroll down to "Resident Shield".
- In the main pane, deselect the option to "Enable Resident Shield."
- To re-enable AVG 8, please select "Enable Resident Shield" again.
Now, please run ComboFix:
- Note: If infections are found, ComboFix will automatically reboot the machine to complete the removal process. Please ensure all opened windows are closed before proceeding.
- Double-click ComboFix.exe on your desktop and follow the prompts.
- As part of the process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it is strongly recommended to have this pre-installed on your machine before doing any malware removal. The Recovery Console will allow you to start up the computer in a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Please note: If the Microsoft Windows Recovery Console is already installed on the computer, ComboFix will continue the malware removal procedures.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
- When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC1.png&hash=29e6fe1eb864e58b4b66611caa7d7b6be84a47f8)
- After the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_RC2.png&hash=e111f6aa2d657579d44cabc5fb4258fd1dce26eb)
- Click "Yes" to continue scanning for malware.
- When finished, a log will be produced. Please include the C:\ComboFix.txt in your next reply.
Hello Corrine,
Thank you for replying so quickly. Please forgive me for being a dunce, but ERDNT is unable to create the C:\Windows\ERDNT... file and indicates it will back up the registry; however, it can only be manually restored by another OS to copy the files back. Should I click the OK or close that window, go back and try to enter another folder?
Also, I removed Adaware with Revo Uninstaller some time ago and it along with McAfee Site Advisor, which was also removed two years ago, continues to appear in all logs. I have also removed every file found by Agent Ransack.
Hi, Nissi1.
You aren't being a dunce. I hadn't looked at your OS before I replied. ERUNT and Windows Vista do not play well together. It can be used, but only if UAC is turned off. So, let's skip it and move on to ComboFix.
Hello again Corrine,
All is well with the registry backup. I had difficulty running ComboFix. My computer is constantly freezing and it continually disconnected from the internet. I finally got it done, however I have lost OneCare and WinPatrol icons. Both programs continue to run and Scotty is alerting me to "a change was made to use the following program for this file type: Registry Editor (regedit.exe %1). Is this change ok? Yes No" I received the alert twice since I clicked No and shall do so until you tell me different.
ComboFix 10-04-29.04 - ZANDRA JONES 04/29/2010 22:08:44.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1608 [GMT -4:00]
Running from: c:\users\ZANDRA JONES\Desktop\ComboFix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\$recycle.bin\S-1-5-21-1400113804-1914402855-3429530994-500
c:\$recycle.bin\S-1-5-21-2152478756-3922319563-605102323-500
c:\$recycle.bin\S-1-5-21-3728476250-1701664626-1355148271-500
C:\desktop.ini
c:\windows\MailSwitch.ocx
c:\windows\msvrc20.dll
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.
2010-04-30 02:22 . 2010-04-30 02:24 -------- d-----w- c:\users\ZANDRA JONES\AppData\Local\temp
2010-04-30 02:22 . 2010-04-30 02:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-29 20:44 . 2010-04-29 20:44 -------- d-----w- C:\rsit
2010-04-29 18:02 . 2010-04-29 18:05 -------- d-----w- c:\program files\SpywareBlaster
2010-04-29 16:54 . 2010-04-29 16:54 -------- d-----w- c:\program files\ERUNT
2010-04-29 16:15 . 2010-04-27 19:40 650240 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-04-22 00:25 . 2010-03-26 01:49 66048 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-21 21:22 . 2010-03-17 15:35 309248 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-04-21 20:45 . 2010-04-21 20:45 -------- d-----w- c:\users\ZANDRA JONES\AppData\Local\Mozilla
2010-04-18 18:51 . 2010-04-18 18:51 -------- d-----w- c:\program files\AnvSoft
2010-04-16 19:34 . 2010-04-16 19:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-15 21:28 . 2010-04-15 21:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 21:23 . 2010-04-30 01:36 -------- d-----w- c:\program files\DVDVideoSoft
2010-04-14 12:36 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 12:36 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 12:36 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 12:36 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 12:36 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 12:36 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 12:36 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 12:36 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 12:36 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 20:52 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 20:52 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 06:16 . 2010-04-30 01:33 -------- d-----w- c:\program files\Immunet Protect
2010-04-12 23:29 . 2010-04-12 23:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 01:42 . 2010-02-25 12:40 -------- d-----w- c:\program files\DivX
2010-04-30 01:36 . 2009-12-11 00:01 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-29 20:49 . 2009-08-04 05:25 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-04-22 11:49 . 2009-12-01 20:00 -------- d-----w- c:\program files\Microsoft ATS
2010-04-19 17:58 . 2009-12-10 22:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 18:51 . 2009-12-11 00:36 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\AnvSoft
2010-04-15 21:29 . 2008-09-24 13:34 -------- d-----w- c:\program files\Common Files\Java
2010-04-15 21:27 . 2008-09-30 18:43 -------- d-----w- c:\program files\Java
2010-04-15 20:25 . 2010-04-15 20:25 0 ----a-w- c:\windows\system32\RENCDFF.tmp
2010-04-15 20:25 . 2010-04-15 20:25 0 ----a-w- c:\windows\system32\RENCDFE.tmp
2010-04-15 20:25 . 2010-04-15 20:25 0 ----a-w- c:\windows\system32\RENCDED.tmp
2010-04-15 11:03 . 2009-01-29 19:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-15 11:01 . 2009-03-19 01:03 117760 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-14 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 02:54 . 2008-05-30 04:13 -------- d-----w- c:\program files\CCleaner
2010-04-09 21:48 . 2009-12-01 20:46 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\Windows Live Writer
2010-03-30 19:39 . 2009-12-31 19:18 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 19:21 . 2010-03-24 21:58 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\SoftGrid Client
2010-03-30 04:46 . 2009-12-10 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-10 22:42 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 22:23 . 2010-03-27 22:23 2263549 ----a-w- C:\OneCareSupportData.zip
2010-03-27 21:51 . 2007-06-15 03:29 124536 ----a-w- c:\users\ZANDRA JONES\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-24 21:59 . 2010-03-24 21:59 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\NVD
2010-03-10 07:07 . 2010-02-18 21:10 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\DivX
2010-02-27 06:11 . 2010-02-27 06:11 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-23 06:39 . 2010-03-31 12:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 12:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 12:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 12:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-20 11:44 . 2010-02-20 11:44 96 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\netstat.bat
2010-02-20 11:44 . 2010-02-20 11:44 96 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\netstat.bat
2010-02-18 01:39 . 2010-02-18 01:39 15849560 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2010-02-17 22:59 . 2010-02-17 22:59 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2007-07-26 10:25 . 2007-07-21 17:59 88 --sha-r- c:\windows\System32\6C99184B57.sys
2007-07-26 10:26 . 2007-07-21 17:59 2516 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-28 16:54 . 2007-02-28 16:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2007-06-15 14:35 . 2007-06-15 14:35 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16480_none_ef1b6bb652cf8744\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^ZANDRA JONES^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
path=c:\users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):77,9e,4f,34,7e,f3,c9,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3728476250-1701664626-1355148271-1001]
"EnableNotificationsRef"=dword:0000000b
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-22 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-22 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-22 66632]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-04-12 95024]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
S3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\DRIVERS\dc3d.sys [2009-01-15 15360]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-03-30 38224]
S4 ImmunetMonitorDriver;ImmunetMonitorDriver;c:\windows\system32\DRIVERS\ImmunetMonitor.sys
S4 ImmunetProtectDriver;ImmunetProtectDriver;c:\windows\system32\DRIVERS\ImmunetProtect.sys
S4 ImmunetSelfProtectDriver;ImmunetSelfProtectDriver;c:\windows\system32\DRIVERS\ImmunetSelfProtect.sys
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBAMSWISSARMY
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728476250-1701664626-1355148271-1001Core.job
- c:\users\ZANDRA JONES\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-29 03:30]
2010-04-30 c:\windows\Tasks\User_Feed_Synchronization-{60FF668E-BFFB-457E-9FBB-8765E0A01407}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
2010-04-30 c:\windows\Tasks\User_Feed_Synchronization-{60FF668E-BFFB-457E-9FBB-8765E0A01407}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
Trusted Zone: adobe.com\www
Trusted Zone: hulu.com\www
Trusted Zone: justin.tv\www
Trusted Zone: microsoft.com\support
Trusted Zone: microsoft.com\update
Trusted Zone: playlist.com\www
Trusted Zone: secunia.com
Trusted Zone: techguy.org\forums
Trusted Zone: twitter.com
Trusted Zone: verizon.com
FF - ProfilePath - c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\
FF - component: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - component: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\ZANDRA JONES\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6A719530-8443-4898-9BC4-69E76B5F1C89} - (no file)
Notify-!SASWinLogon - (no file)
Notify-GoToAssist - (no file)
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-29 22:24
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-29 22:31:10
ComboFix-quarantined-files.txt 2010-04-30 02:30
Pre-Run: 161,695,195,136 bytes free
Post-Run: 161,597,554,688 bytes free
- - End Of File - - B9911886872C5A230D3927EABE149307
Below is another log that came up.
Thank you.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/29 17:06
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================
Drivers
-------------------
Name: dump_diskdump.sys
Image Path: C:\Windows\System32\Drivers\dump_diskdump.sys
Address: 0x8F598000 Size: 40960 File Visible: No Signed: -
Status: -
Name: dump_nvstor32.sys
Image Path: C:\Windows\System32\Drivers\dump_nvstor32.sys
Address: 0x8F5A2000 Size: 147456 File Visible: No Signed: -
Status: -
Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!
Path: C:\Windows\System32\audiodg.exe
PID: 1264 Status: Locked to the Windows API!
Hidden Services
-------------------
Service Name: ImmunetProtectDriver
Image Path: C:\Program Files\Immunet Protect\1.0.26\agent.exe
==EOF==
Hi, Nissi1.
I have some errands to run so will take a closer look at your log later. In the meantime, yes, allow the change with WinPatrol. In addition, please shutdown/restart the computer. Let me know if that restores the desktop shortcuts.
Good morning Corrine,
Thank you and have a beautiful day.
Hello,
Yes, the icons have returned.
Thank you.
Hi, Nissi1.
I'm glad the restart worked for returning your desktop shortcuts.
Personally, I would not allow any programs in the Trusted Zone. After all, even well known sites can be the victim of an SQL injection, hidden scripts, and more. If you elect to remove the entries from the Trusted Zone, please do the following:
- Launch Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
- Click Trusted Sites, and then click Sites.
- Click the site you want to delete, and then click Remove.
Although it appears the files are empty, let's remove them anyway.
Custom CFScript
Note: The following instructions were created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
- Please open Notepad (Click Start -> Run -> type notepad in the Open field -> OK). Copy/Paste all of the text present inside the code box below:
File::
c:\windows\system32\RENCDFF.tmp
c:\windows\system32\RENCDFE.tmp
c:\windows\system32\RENCDED.tmp
- Save this as CFScript.txt and place it on your desktop.
- Close any open browsers.
- Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
(https://www.landzdown.com/proxy.php?request=http%3A%2F%2Fsecuritygarden.googlepages.com%2FCF_CFScript.gif&hash=19cdd291c9ded999b7ed69b7a82ebed7c9d0ab01)
- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
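As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script for the kind of log lines discussed above. It parses the O2 (BHO), O3 (toolbar), O15 (Trusted Zone) and O23 (service) lines of a HijackThis log and lists two things a reviewer looks at first: the hosts that have been placed in IE's Trusted Zone, and registrations that still exist in the registry but point at a file that is gone. The sample lines are constructed in the HijackThis format; treating a scheme-less O15 host as trusted for any scheme is an assumption of this script.

```python
"""Triage helper for HijackThis-style log lines (added example, not part of
the original thread or of the HijackThis tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a handful of lines in the format HijackThis writes.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: www.hulu.com
O15 - Trusted Zone: http://*.twitter.com
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (file missing)
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
"""

# A registry CLSID in the form {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class Entry:
    section: str            # O2, O3, O15 or O23
    name: str               # display name, or "(no name)"
    clsid: Optional[str]    # {GUID} for O2/O3 entries
    owner: Optional[str]    # signer/owner string for O23 services
    path: str               # file path, or the trusted host for O15
    orphaned: bool          # registration points at a file that no longer exists


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for sections this script does not triage."""
    section, sep, rest = line.strip().partition(" - ")
    if not sep:
        return None
    kind, sep, body = rest.partition(": ")
    if not sep:
        return None
    if section in ("O2", "O3"):
        # "<name> - {CLSID} - <path or (no file)>"; split from the right so a
        # name containing " - " does not break the CLSID/path fields.
        parts = body.rsplit(" - ", 2)
        if len(parts) != 3 or not CLSID_RE.match(parts[1]):
            return None
        name, clsid, path = parts
        return Entry(section, name, clsid, None, path, path == "(no file)")
    if section == "O15":
        return Entry(section, kind, None, None, body, False)
    if section == "O23":
        # "<service name> - <owner> - <path>[ (file missing)]"
        parts = body.split(" - ", 2)
        if len(parts) != 3:
            return None
        name, owner, path = parts
        return Entry(section, name, None, owner, path, path.endswith("(file missing)"))
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def parse_trusted_host(value: str) -> Tuple[str, str, bool]:
    """Split an O15 value into (scheme, host, wildcard).

    Assumption of this script: an entry with no scheme is shown as trusted for
    any scheme, reported here as "*". A leading "*." means every subdomain of
    the domain was trusted, which widens the zone far beyond one site.
    """
    scheme, sep, host = value.partition("://")
    if not sep:
        scheme, host = "*", value
    return scheme, host, host.startswith("*.")


def trusted_zone_hosts(entries: List[Entry]) -> List[str]:
    return [e.path for e in entries if e.section == "O15"]


def orphaned_entries(entries: List[Entry]) -> List[Entry]:
    """BHOs, toolbars and services whose registration outlived their file."""
    return [e for e in entries if e.orphaned]


def triage(text: str) -> dict:
    entries = parse_log(text)
    return {
        "trusted_zone": [parse_trusted_host(h) for h in trusted_zone_hosts(entries)],
        "orphaned": [(e.section, e.name, e.clsid or e.path) for e in orphaned_entries(entries)],
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Trusted Zone entries:")
    for scheme, host, wildcard in result["trusted_zone"]:
        print(f"  {scheme:5} {host}{'  (all subdomains)' if wildcard else ''}")
    print("Orphaned registrations (file gone, registry entry remains):")
    for section, name, ident in result["orphaned"]:
        print(f"  {section} {name} {ident}")
```

Orphaned O2/O3 entries are the usual leftovers of a toolbar whose files were removed by an uninstall or a restore while its CLSID registration stayed behind; they are harmless on their own but are exactly what a tool like ComboFix or HijackThis is asked to clean up. The wildcard flag makes the point of the advice above concrete: trusting `*.example.com` extends the relaxed zone to every host under that domain.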
Hello Corrine,
I was composing a reply with a Hijack This log when I was alerted there had been a recent reply to my last post. I totally overlooked your question regarding the Hijack This log. Just in case, I will post that log after the Combo Fix log.
I deleted everything from the Trusted Zone in IE although I only use that browser if I must. Here goes the ComboFix log:
ComboFix 10-04-29.04 - ZANDRA JONES 04/30/2010 19:43:59.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3006.1944 [GMT -4:00]
Running from: c:\users\ZANDRA JONES\Desktop\ComboFix.exe
Command switches used :: c:\users\ZANDRA JONES\Desktop\cfscript.txt
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
FILE ::
"c:\windows\system32\RENCDED.tmp"
"c:\windows\system32\RENCDFE.tmp"
"c:\windows\system32\RENCDFF.tmp"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\RENCDED.tmp
c:\windows\system32\RENCDFE.tmp
c:\windows\system32\RENCDFF.tmp
.
((((((((((((((((((((((((( Files Created from 2010-03-28 to 2010-04-30 )))))))))))))))))))))))))))))))
.
2010-04-30 23:49 . 2010-04-30 23:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-30 23:49 . 2010-04-30 23:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-30 23:12 . 2010-04-30 23:12 -------- d-----w- c:\program files\trend micro
2010-04-30 02:31 . 2010-04-30 23:50 -------- d-----w- c:\users\ZANDRA JONES\AppData\Local\temp
2010-04-29 20:44 . 2010-04-29 20:44 -------- d-----w- C:\rsit
2010-04-29 18:02 . 2010-04-29 18:05 -------- d-----w- c:\program files\SpywareBlaster
2010-04-29 16:54 . 2010-04-29 16:54 -------- d-----w- c:\program files\ERUNT
2010-04-29 16:15 . 2010-04-27 19:40 650240 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-04-22 00:25 . 2010-03-26 01:49 66048 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
2010-04-21 21:22 . 2010-03-17 15:35 309248 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
2010-04-21 20:45 . 2010-04-21 20:45 -------- d-----w- c:\users\ZANDRA JONES\AppData\Local\Mozilla
2010-04-18 18:51 . 2010-04-18 18:51 -------- d-----w- c:\program files\AnvSoft
2010-04-16 19:34 . 2010-04-16 19:34 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-15 21:28 . 2010-04-15 21:27 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-15 21:23 . 2010-04-30 01:36 -------- d-----w- c:\program files\DVDVideoSoft
2010-04-14 12:36 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 12:36 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 12:36 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 12:36 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-04-14 12:36 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-04-14 12:36 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-04-14 12:36 . 2010-02-18 14:07 3600776 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 12:36 . 2010-02-18 14:07 3548040 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 12:36 . 2010-03-05 14:01 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-04-13 20:52 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-04-13 20:52 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-04-13 06:16 . 2010-04-30 14:00 -------- d-----w- c:\program files\Immunet Protect
2010-04-12 23:29 . 2010-04-12 23:29 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-30 19:24 . 2009-08-04 05:25 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-04-30 14:00 . 2010-02-25 12:40 -------- d-----w- c:\program files\DivX
2010-04-30 01:36 . 2009-12-11 00:01 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2010-04-22 11:49 . 2009-12-01 20:00 -------- d-----w- c:\program files\Microsoft ATS
2010-04-19 17:58 . 2009-12-10 22:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-18 18:51 . 2009-12-11 00:36 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\AnvSoft
2010-04-15 21:29 . 2008-09-24 13:34 -------- d-----w- c:\program files\Common Files\Java
2010-04-15 21:27 . 2008-09-30 18:43 -------- d-----w- c:\program files\Java
2010-04-15 11:03 . 2009-01-29 19:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-15 11:01 . 2009-03-19 01:03 117760 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-14 12:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-04-13 02:54 . 2008-05-30 04:13 -------- d-----w- c:\program files\CCleaner
2010-04-09 21:48 . 2009-12-01 20:46 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\Windows Live Writer
2010-03-30 19:39 . 2009-12-31 19:18 5918776 ----a-w- c:\programdata\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 19:21 . 2010-03-24 21:58 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\SoftGrid Client
2010-03-30 04:46 . 2009-12-10 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-10 22:42 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-27 22:23 . 2010-03-27 22:23 2263549 ----a-w- C:\OneCareSupportData.zip
2010-03-27 21:51 . 2007-06-15 03:29 124536 ----a-w- c:\users\ZANDRA JONES\AppData\Local\GDIPFONTCACHEV1.DAT
2010-03-24 21:59 . 2010-03-24 21:59 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\NVD
2010-03-10 07:07 . 2010-02-18 21:10 -------- d-----w- c:\users\ZANDRA JONES\AppData\Roaming\DivX
2010-02-27 06:11 . 2010-02-27 06:11 690952 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-02-23 06:39 . 2010-03-31 12:19 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-23 06:33 . 2010-03-31 12:19 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-02-23 06:33 . 2010-03-31 12:19 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-02-23 04:55 . 2010-03-31 12:19 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-02-20 23:06 . 2010-03-10 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-10 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-10 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2010-02-20 11:44 . 2010-02-20 11:44 96 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\netstat.bat
2010-02-20 11:44 . 2010-02-20 11:44 96 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\netstat.bat
2010-02-18 01:39 . 2010-02-18 01:39 15849560 ----a-w- c:\users\ZANDRA JONES\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airinstaller1x0\airinstaller1x0.exe
2010-02-17 22:59 . 2010-02-17 22:59 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2007-07-26 10:25 . 2007-07-21 17:59 88 --sha-r- c:\windows\System32\6C99184B57.sys
2007-07-26 10:26 . 2007-07-21 17:59 2516 --sha-w- c:\windows\System32\KGyGaAvL.sys
2007-02-28 16:54 . 2007-02-28 16:54 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
2007-06-15 14:35 . 2007-06-15 14:35 397312 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.0.6000.16480_none_ef1b6bb652cf8744\WinMail.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-05 65256]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"=wdmaud.drv
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^Users^ZANDRA JONES^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
path=c:\users\ZANDRA JONES\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wkcalrem.LNK
backup=c:\windows\pss\wkcalrem.LNK.Startup
backupExtension=.Startup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):77,9e,4f,34,7e,f3,c9,01
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3728476250-1701664626-1355148271-1001]
"EnableNotificationsRef"=dword:0000000b
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-03-30 38224]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-02-22 12872]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-22 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-22 66632]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [2010-04-12 95024]
S2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
S3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\DRIVERS\dc3d.sys [2009-01-15 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
2009-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3728476250-1701664626-1355148271-1001Core.job
- c:\users\ZANDRA JONES\AppData\Local\Google\Update\GoogleUpdate.exe [2009-06-29 03:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Save YouTube Video as MP3 - c:\program files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
FF - ProfilePath - c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\
FF - component: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - component: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\twitternotifier@naan.net\platform\WINNT\components\nsTwitterFoxSign.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\ZANDRA JONES\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\users\ZANDRA JONES\AppData\Roaming\Mozilla\Firefox\Profiles\2s44iqwv.default\extensions\{1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}\plugins\npietab2.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-30 19:50
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m4a\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp4\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="YMP.Media"
[HKEY_LOCAL_MACHINE\system\ControlSet002\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-04-30 19:52:52
ComboFix-quarantined-files.txt 2010-04-30 23:52
ComboFix2.txt 2010-04-30 02:31
Pre-Run: 164,354,850,816 bytes free
Post-Run: 164,300,980,224 bytes free
- - End Of File - - E57EFE554522A07980EDDB1580D0D9FB
Thank you again.
I know it is "overdue" but here is the HijackThis log. Like I said earlier, Dunce. :uhm::
Logfile of random's system information tool 1.06 (written by random/random)
Run by ZANDRA JONES at 2010-04-30 19:12:22
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 157 GB (69%) free of 228 GB
Total RAM: 3006 MB (67% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:42 PM, on 4/30/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\ZANDRA JONES\Desktop\RSIT.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\trend micro\ZANDRA JONES.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [WinPatrol] "C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" -expressboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: www.hulu.com
O15 - Trusted Zone: http://www.justin.tv
O15 - Trusted Zone: http://www.playlist.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://*.twitter.com
O15 - Trusted Zone: http://*.verizon.com
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5899/mcfscan.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/msn/TrueInstallMSN.exe
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - Unknown owner - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe (file missing)
O23 - Service: GoToAssist - Unknown owner - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe (file missing)
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
--
End of file - 5883 bytes
======Scheduled tasks folder======
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-3728476250-1701664626-1355148271-1001Core.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-04-03 75200]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-02-17 408440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]
WOT Helper - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - C:\Program Files\BAE\BAE.dll [2006-11-17 98304]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-04-15 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{981FE6A8-260C-4930-960F-C3BC82746CB0}
{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064}
{71576546-354D-41c9-AAE8-31F2EC22BF0D} - WOT - C:\Program Files\WOT\WOT.dll [2009-04-15 1290912]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"OneCareUI"=C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe [2010-02-05 65256]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-10-10 320832]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^ZANDRA JONES^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^wkcalrem.LNK]
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\WkCalRem.exe [2006-06-05 21504]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"= []
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\GoToAssist]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MCODS]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MpfService]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\OneCareMP]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======File associations======
.js - edit - C:\Windows\System32\Notepad.exe %1
======List of files/folders created in the last 1 months======
2010-04-30 19:12:22 ----D---- C:\Program Files\trend micro
2010-04-29 23:43:35 ----A---- C:\RootRepeal report 04-29-10 (23-43-35).txt
2010-04-29 22:31:16 ----SHD---- C:\$RECYCLE.BIN
2010-04-29 22:31:11 ----A---- C:\ComboFix.txt
2010-04-29 22:04:33 ----A---- C:\Windows\SWXCACLS.exe
2010-04-29 20:32:15 ----A---- C:\Windows\MBR.exe
2010-04-29 20:32:10 ----A---- C:\Windows\NIRCMD.exe
2010-04-29 20:32:05 ----A---- C:\Windows\PEV.exe
2010-04-29 20:32:00 ----A---- C:\Windows\SWREG.exe
2010-04-29 20:31:55 ----A---- C:\Windows\zip.exe
2010-04-29 20:31:50 ----A---- C:\Windows\grep.exe
2010-04-29 20:31:45 ----A---- C:\Windows\sed.exe
2010-04-29 20:31:40 ----A---- C:\Windows\SWSC.exe
2010-04-29 20:29:59 ----D---- C:\Qoobox
2010-04-29 20:23:19 ----D---- C:\Windows\ERDNT
2010-04-29 16:44:42 ----D---- C:\rsit
2010-04-29 14:02:35 ----D---- C:\Program Files\SpywareBlaster
2010-04-29 12:54:00 ----D---- C:\Program Files\ERUNT
2010-04-21 16:45:42 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\Mozilla
2010-04-21 16:45:28 ----D---- C:\Program Files\Mozilla Firefox
2010-04-18 14:51:31 ----D---- C:\Program Files\AnvSoft
2010-04-16 15:34:56 ----D---- C:\Program Files\Microsoft Silverlight
2010-04-15 17:29:56 ----D---- C:\ProgramData\Sun
2010-04-15 17:28:49 ----A---- C:\Windows\system32\javaws.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\javaw.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\java.exe
2010-04-15 17:28:49 ----A---- C:\Windows\system32\deployJava1.dll
2010-04-15 17:23:29 ----D---- C:\Program Files\DVDVideoSoft
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDFF.tmp
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDFE.tmp
2010-04-15 16:25:09 ----A---- C:\Windows\system32\RENCDED.tmp
2010-04-14 08:36:33 ----A---- C:\Windows\system32\iphlpsvc.dll
2010-04-14 08:36:26 ----A---- C:\Windows\system32\ntoskrnl.exe
2010-04-14 08:36:26 ----A---- C:\Windows\system32\ntkrnlpa.exe
2010-04-14 08:36:20 ----A---- C:\Windows\system32\vbscript.dll
2010-04-13 16:52:09 ----A---- C:\Windows\system32\cabview.dll
2010-04-13 16:52:01 ----A---- C:\Windows\system32\wintrust.dll
2010-04-13 02:16:48 ----D---- C:\Program Files\Immunet Protect
2010-03-31 08:19:20 ----A---- C:\Windows\system32\mshtml.dll
2010-03-31 08:19:19 ----A---- C:\Windows\system32\ieframe.dll
2010-03-31 08:19:18 ----A---- C:\Windows\system32\urlmon.dll
2010-03-31 08:19:18 ----A---- C:\Windows\system32\iertutil.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\wininet.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\occache.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\mstime.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\msfeeds.dll
2010-03-31 08:19:17 ----A---- C:\Windows\system32\iedkcs32.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\msfeedssync.exe
2010-03-31 08:19:16 ----A---- C:\Windows\system32\msfeedsbs.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\jsproxy.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ieUnatt.exe
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ieui.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iesysprep.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iesetup.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\iepeers.dll
2010-03-31 08:19:16 ----A---- C:\Windows\system32\ie4uinit.exe
2010-03-31 08:19:15 ----A---- C:\Windows\system32\iernonce.dll
======List of files/folders modified in the last 1 months======
2010-04-30 19:12:35 ----D---- C:\Windows\Prefetch
2010-04-30 19:12:22 ----D---- C:\Program Files
2010-04-30 19:11:06 ----D---- C:\Windows\Temp
2010-04-30 15:24:34 ----D---- C:\Program Files\Microsoft Windows OneCare Live
2010-04-30 10:15:43 ----SHD---- C:\System Volume Information
2010-04-30 10:08:16 ----D---- C:\Windows\System32
2010-04-30 10:08:16 ----D---- C:\Windows\inf
2010-04-30 10:08:16 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-04-30 10:00:16 ----D---- C:\Program Files\DivX
2010-04-29 22:29:26 ----D---- C:\Windows\Tasks
2010-04-29 22:24:48 ----D---- C:\Windows
2010-04-29 22:24:48 ----A---- C:\Windows\system.ini
2010-04-29 22:16:55 ----D---- C:\Windows\system32\drivers
2010-04-29 22:16:55 ----D---- C:\Windows\AppPatch
2010-04-29 22:16:44 ----D---- C:\Program Files\Common Files
2010-04-29 21:36:38 ----D---- C:\Program Files\Common Files\DVDVideoSoft
2010-04-29 21:33:24 ----DC---- C:\Windows\system32\DRVSTORE
2010-04-29 14:07:20 ----AD---- C:\ProgramData\TEMP
2010-04-29 13:44:02 ----D---- C:\Windows\system32\config
2010-04-29 13:43:52 ----D---- C:\Windows\system32\Tasks
2010-04-29 13:43:52 ----D---- C:\Windows\system32\spool
2010-04-29 13:43:52 ----D---- C:\Windows\system32\Msdtc
2010-04-29 13:43:52 ----D---- C:\Windows\system32\catroot2
2010-04-29 13:43:44 ----D---- C:\Windows\system32\wbem
2010-04-29 13:43:44 ----D---- C:\Windows\registration
2010-04-28 03:01:24 ----D---- C:\Windows\winsxs
2010-04-28 00:25:40 ----D---- C:\Windows\system32\catroot
2010-04-24 22:32:43 ----SD---- C:\ProgramData\Microsoft
2010-04-24 21:49:27 ----D---- C:\ProgramData
2010-04-23 05:20:36 ----SHD---- C:\Windows\Installer
2010-04-22 20:37:39 ----D---- C:\Windows\Debug
2010-04-22 07:49:21 ----D---- C:\Program Files\Microsoft ATS
2010-04-21 10:20:09 ----D---- C:\Program Files\Internet Explorer
2010-04-19 13:58:47 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-04-18 14:51:42 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\AnvSoft
2010-04-15 17:29:55 ----D---- C:\Program Files\Common Files\Java
2010-04-15 17:27:50 ----D---- C:\Program Files\Java
2010-04-15 07:03:26 ----D---- C:\Program Files\SUPERAntiSpyware
2010-04-14 08:59:36 ----D---- C:\Program Files\Windows Mail
2010-04-12 22:54:40 ----D---- C:\Program Files\CCleaner
2010-04-09 17:48:44 ----D---- C:\Users\ZANDRA JONES\AppData\Roaming\Windows Live Writer
2010-04-06 10:52:56 ----A---- C:\Windows\system32\mrt.exe
2010-03-31 09:02:48 ----D---- C:\Windows\system32\migration
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 DLACDBHM;DLACDBHM; C:\Windows\System32\Drivers\DLACDBHM.SYS [2007-02-09 12856]
R1 DLARTL_M;DLARTL_M; C:\Windows\System32\Drivers\DLARTL_M.SYS [2006-08-11 28184]
R1 MSFWHLPR;MSFWHLPR; C:\Windows\system32\DRIVERS\msfwhlpr.sys [2007-11-27 37440]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-22 12872]
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys [2010-02-22 66632]
R1 SBRE;SBRE; \??\C:\Windows\system32\drivers\SBREdrv.sys [2010-04-12 95024]
R2 DLABMFSM;DLABMFSM; C:\Windows\System32\DLA\DLABMFSM.SYS [2006-08-18 35096]
R2 DLABOIOM;DLABOIOM; C:\Windows\System32\DLA\DLABOIOM.SYS [2006-08-18 32472]
R2 DLADResM;DLADResM; C:\Windows\System32\DLA\DLADResM.SYS [2006-08-18 9400]
R2 DLAIFS_M;DLAIFS_M; C:\Windows\System32\DLA\DLAIFS_M.SYS [2006-08-18 104472]
R2 DLAOPIOM;DLAOPIOM; C:\Windows\System32\DLA\DLAOPIOM.SYS [2006-08-18 26008]
R2 DLAPoolM;DLAPoolM; C:\Windows\System32\DLA\DLAPoolM.SYS [2006-08-18 14520]
R2 DLAUDF_M;DLAUDF_M; C:\Windows\System32\DLA\DLAUDF_M.SYS [2006-08-18 97848]
R2 DLAUDFAM;DLAUDFAM; C:\Windows\System32\DLA\DLAUDFAM.SYS [2006-08-18 94648]
R2 DRVNDDM;DRVNDDM; C:\Windows\System32\Drivers\DRVNDDM.SYS [2007-02-09 51768]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 12672]
R2 MSFWDrv;MSFWDrv; C:\Windows\system32\DRIVERS\msfwdrv.sys [2007-11-27 91200]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-04 8192]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 dc3d;USBCCGP filter driver (dc3d); C:\Windows\system32\DRIVERS\dc3d.sys [2009-01-15 15360]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2006-10-18 986624]
R3 HSXHWBS2;HSXHWBS2; C:\Windows\system32\DRIVERS\HSXHWBS2.sys [2006-10-18 258048]
R3 MpFilter;Microsoft Malware Protection Driver; C:\Windows\system32\DRIVERS\MpFilter.sys [2008-05-15 53168]
R3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2007-08-31 18856]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2006-12-08 4456416]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\Windows\system32\DRIVERS\point32k.sys [2008-06-10 33352]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\Windows\system32\drivers\stwrt.sys [2007-05-10 326656]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2006-10-18 659968]
S3 catchme;catchme; \??\C:\Users\ZANDRA~1\AppData\Local\Temp\catchme.sys []
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver; C:\Windows\system32\DRIVERS\e1e6032.sys [2006-11-02 200704]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 Inspect;Comodo Firewall Network Driver; C:\Windows\system32\DRIVERS\inspect.sys []
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\Windows\system32\drivers\mbamswissarmy.sys [2010-03-30 38224]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 R300;R300; C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 2028032]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS [2010-02-22 12872]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 wanatw;WAN Miniport (ATW); C:\Windows\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2006-11-02 11264]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 CISVC;@%systemroot%\system32\CISVC.EXE,-1; C:\Windows\system32\CISVC.EXE [2008-01-19 11264]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
R2 msfwsvc;@C:\Program Files\Microsoft Windows OneCare Live\Firewall\\MSFWSVCResource.dll,-10000; C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe [2007-11-27 869952]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-09-17 196608]
R2 OcHealthMon;Windows Live OneCare Health Monitor; C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe [2010-02-05 26120]
R2 OneCareMP;OneCare AntiSpyware and AntiVirus; C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe [2008-07-09 18704]
R2 STacSV;SigmaTel Audio Service; C:\Windows\system32\STacSV.exe [2007-05-10 94208]
R2 winss;Windows Live OneCare; C:\Program Files\Microsoft Windows OneCare Live\winss.exe [2010-02-05 1141112]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2006-08-04 386560]
S2 ACDaemon;ArcSoft Connect Daemon; C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe []
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 GoToAssist;GoToAssist; C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe Start=service []
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2009-09-26 149336]
S3 RoxWatch9;Roxio Hard Drive Watcher 9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe [2006-11-05 159744]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe []
S4 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S4 McciCMService;McciCMService; C:\Program Files\Common Files\Motive\McciCMService.exe []
S4 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2006-11-05 880640]
S4 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe []
-----------------EOF-----------------
Thank you for the additional log, Nissi1. Although harmless, this will provide the opportunity for some additional cleanup.
First, however, please do the following to implement cleanup procedures and also to reset System Restore points:
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:
ComboFix /Uninstall

Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal (https://www.paypal.com/cgi-bin/webscr?cmd=_donations&business=combofix%40live%2ecom&item_name=ComboFix&no_shipping=0&no_note=1&tax=0&currency_code=USD&bn=PP%2dDonationsBF&charset=UTF%2d8).
Note that because the Trusted Zone entries are showing in your HijackThis log, I have included them. Do not worry if you do not see them when you scan your computer with HJT.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - (no file)
O3 - Toolbar: (no name) - {981FE6A8-260C-4930-960F-C3BC82746CB0} - (no file)
O3 - Toolbar: (no name) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - (no file)
O15 - Trusted Zone: http://www.adobe.com
O15 - Trusted Zone: www.hulu.com
O15 - Trusted Zone: http://www.justin.tv
O15 - Trusted Zone: http://www.playlist.com
O15 - Trusted Zone: http://forums.techguy.org
O15 - Trusted Zone: http://*.twitter.com
O15 - Trusted Zone: http://*.verizon.com
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - (no file)

Click on Fix Checked when finished and exit HijackThis.
Since you already know about a good monitor cleaner ;) please allow me to remind you that having a firewall, anti-virus and anti-malware software is not enough. You also need to stay current with security updates. If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now. For additional information, see my blog post Understanding Microsoft Updates (http://securitygarden.blogspot.com/2007/12/understanding-microsoft-updates.html)
To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/ . The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
- Detects insecure versions of applications installed
- Verifies that all Microsoft patches are applied
- Assists you in updating your system and applications
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html
My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html
Please let me know if you have any questions.
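The HijackThis O2/O3 entries above are orphans: a CLSID is still registered as a Browser Helper Object or toolbar, but the DLL it points to is gone. The following PowerShell script is an added example, not part of this thread or of HijackThis, that performs the same check directly against the registry: it walks the BHO and toolbar registrations, resolves each CLSID to its InprocServer32 DLL, reports whether the file exists and whether it is Authenticode-signed, and then lists every host mapped into the Trusted sites zone (the O15 entries). It assumes the standard registry locations; the Wow6432Node paths only exist on 64-bit Windows and are skipped when absent. It reads only, so it is safe to run before deciding what to remove.

```powershell
# Added example, not from the thread: enumerate Internet Explorer BHOs and
# toolbars registered in HKLM, resolve each CLSID to its InprocServer32 DLL,
# and report entries whose DLL is missing (what HijackThis prints as "(no file)").
# Also lists hosts mapped into the Trusted sites zone (HijackThis O15 entries).
# Read-only; run from an elevated PowerShell prompt.

$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$toolbarKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar'
)
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
    'HKCU:\SOFTWARE\Classes\CLSID'
)

# Resolve a CLSID to the DLL path registered under InprocServer32, or $null.
function Resolve-ClsidServer {
    param([string]$Clsid)
    foreach ($root in $clsidRoots) {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $raw = (Get-Item -LiteralPath $key).GetValue('')
            if ($raw) {
                return [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
            }
        }
    }
    return $null
}

# Classify one CLSID as present (with its signature status) or orphan.
function Get-ClsidStatus {
    param([string]$Kind, [string]$Clsid)
    $dll = Resolve-ClsidServer -Clsid $Clsid
    if (-not $dll) {
        $status = 'orphan: no InprocServer32'
    } elseif (-not (Test-Path -LiteralPath $dll)) {
        $status = 'orphan: no file'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $status = "present, signature $($sig.Status)"
    }
    [pscustomobject]@{ Kind = $Kind; Clsid = $Clsid; Dll = $dll; Status = $status }
}

$results = @()
foreach ($root in $bhoRoots) {
    if (Test-Path -LiteralPath $root) {
        # Each BHO is a subkey named by its CLSID.
        foreach ($sub in Get-ChildItem -LiteralPath $root) {
            $results += Get-ClsidStatus -Kind 'BHO' -Clsid $sub.PSChildName
        }
    }
}
foreach ($key in $toolbarKeys) {
    if (Test-Path -LiteralPath $key) {
        # Toolbars are registered as value names (the CLSID), not subkeys.
        $names = (Get-Item -LiteralPath $key).GetValueNames() |
                 Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
        foreach ($name in $names) {
            $results += Get-ClsidStatus -Kind 'Toolbar' -Clsid $name
        }
    }
}
$results | Sort-Object Status | Format-Table -AutoSize

# Trusted sites zone (zone value 2) mappings for the current user, per protocol.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
if (Test-Path -LiteralPath $zoneMap) {
    Get-ChildItem -LiteralPath $zoneMap -Recurse | ForEach-Object {
        $item = $_
        foreach ($proto in $item.GetValueNames()) {
            if ($item.GetValue($proto) -eq 2) {
                # Path below 'Domains' is domain[\host]; a domain key with no host
                # subkey is the wildcard form HijackThis shows as http://*.domain.
                $rel = $item.Name -replace '^.*\\Domains\\', ''
                "Trusted zone: $proto -> $rel"
            }
        }
    }
}
```

An "orphan: no file" row is the registry equivalent of a HijackThis "(no file)" line and can be deleted without losing anything; a "present" row whose signature status is not Valid is worth a second look before trusting it, since a real BHO loads into every Internet Explorer process. Trusted sites bypass most of the zone restrictions, so each listed host should be one you deliberately added.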
Hello Corrine,
A quick question before running ComboFix. Along with deleting the "no file" links you have listed, can everything McAfee, along with GoToAssist, Adaware, and Motive, also be removed? I uninstalled McAfee almost 2 years ago and the Site Adviser a year ago and used McAfee's cleaner twice; however, it continues to show up in all logs. The same with the other programs.
Thank you.
ComboFix removed the orphan GoToAssist on a previous run. But, hold off then and I'll see what I can find for you. In the meantime, keep your monitor clean. :hysterical:
Hi, Nissi1. I need to see if I can locate the CLSID for AdawareAlert for removing it from the Security Center in the log. I'm not seeing it anywhere else in your logs. I won't have time to continue researching it until tomorrow.
Hello again Corrine,
You have been very patient and extremely helpful as always. I thought the other programs could be removed with ComboFix, however since they cannot please look no further since it is not that important. It is obvious I do not have any form of malware and have taken enough of your precious time.
I attempted several times to copy and paste ComboFix /Uninstall into the run box, but for some reason it would not work. It would not paste in the run box. I typed Combofix /Uninstall in the run box then received a notice Combofix had been uninstalled. According to your instructions, I am certain more than that was supposed to occur. :laughing:
As for your other instructions, I have all the programs you listed installed on my computer, except Secunia which I have not used for some time. Thanks to you and all the other MVP's and non-MVP's that have freely given your time to share your knowledge in blogs and arenas like this, my computer remains malware free. However, it gives me peace of mind to know where to run in the event that circumstance changes.
Thank you very much,
Zandra
Good morning Corrine,
I again attempted to input ComboFix /Uninstall in the run box. This time I received a Windows cannot find... notice. ComboFix is on my desktop. Can I browse to the desktop location, type in /Uninstall and then run it?
Thank you.
Hi, Zandra.
After spending most of the day outside working in the yard, I'm glad I read your last posts before attempting further research. As I recall from what I was looking at last night, at least one if not more of the "no files" related to the programs that have been removed.
In the event ComboFix did not properly uninstall, please right-click ComboFix.exe on your desktop and rename it Uninstall.exe. Following that, double-click Uninstall.exe.
With all the changes that have been made, you may want to run Disk Cleanup. Following are the instructions for Windows Vista and Windows 7:
- Click Start, type Disk Cleanup in the search box
- Right-Click Disk Cleanup and select "Run as Administrator" and accept the UAC elevation prompt.
- Select the drive where Windows is installed (if you have more than one drive) and click "OK".
- When the scan completes, check/uncheck desired boxes.
- Next, please click the More Options tab at the top.
- Click the "Clean up..." button under the "System Restore and Shadow Copies" section at the bottom.
- Click Delete in response to the question "Are you sure you want to delete all but the most recent restore point?", click OK and answer Yes again.
- The Disk Cleanup utility will remove the selected items. When it completes, please restart the computer to properly record the changes made to the hard disk.
When you need a break, stop in the LandzDown Lounge for a game. In the meantime, I'll see you on Twitter. Please let us know if you have any questions.