
Author Topic: Another "Application cannot be executed. The file **.exe is infected" post  (Read 16113 times)


nari_ka

    Topic Starter


    Rookie
    • Experience: Familiar
    • OS: Windows 8
    Hello.
    First, I would like to make sure that I am following the protocol of this forum so I need some clarity.
    I am hoping I started my thread in the right place. It is my understanding that even if the topic is being discussed already, the issue is unique to that particular person's computer.
    I have already read the "Read this before requesting malware removal help" thread at http://www.computerhope.com/forum/index.php/topic,46313.0.html.
    I have Windows Vista and last month just renewed my Avast! Anti-Virus Software.
    My questions:
    • Do you need me to have Service Packs if I am running Vista?
    • If Step A or B does not apply, do you still need me to do a full scan on the computer?
    Before the problem started, it seemed like over the months, a lot of processes seemed to be slowing the computer down.
    Last night after visiting a website for recipes is when everything went haywire. After it started, it was pretty difficult to run an anti-virus scan since the rogue program (MS Removal Tool) kept interfering. What happened when I tried it was that it automatically switched to safe mode, with limited accessibility, the mouse cursor disappeared when the MS Removal Tool windows and warnings popped up, and I think the estimated time for an Avast! scan was a couple of hours, which I aborted and then shut down my computer.
    Tonight I just started it up with no sign of the rogue anti-virus program nor its warning messages. However, since this computer belongs to a Nonprofit that I work for from home, I would like to do what I can to clear up its problems.
    I will wait for your response before I go ahead with Add Remove Programs and CCleaner Slim.
    Thanks for your help,
    Nari
    « Last Edit: March 30, 2011, 04:52:08 AM by nari_ka »

    harry 48



      Egghead

    • Experience: Familiar
    • OS: Windows 7
    You could miss A & B but do the rest, 1 to 6, and post the 3 logs. Forget about Add and Remove; an expert will help you with that.

    nari_ka

      Topic Starter


      Rookie
      • Experience: Familiar
      • OS: Windows 8
      Thanks, Harry. I went into Add Remove Programs (Uninstall Programs in Vista) and nothing looked suspicious. I've attached a screenshot of my program list; this seems to be the best way of sharing what programs are on my computer. The only thing a little odd to me is the Internet Offers. Not sure about the MSXMLs either.
      Since 99% of my income depends on the work I do on this computer, and I have deadlines to meet, I decided to go ahead with the next steps.
      So far I've used CCleaner, SUPERAntiSpyware, and MBAM. The reports say that my computer is clean.
      Here are the logs:

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 03/30/2011 at 06:08 PM

      Application Version : 4.50.1002

      Core Rules Database Version : 6719
      Trace Rules Database Version: 4531

      Scan type       : Complete Scan
      Total Scan Time : 02:32:05

      Memory items scanned      : 743
      Memory threats detected   : 0
      Registry items scanned    : 9461
      Registry threats detected : 0
      File items scanned        : 147365
      File threats detected     : 0

      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


      Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org

      Database version: 6224

      Windows 6.0.6002 Service Pack 2
      Internet Explorer 7.0.6002.18005

      3/30/2011 9:48:56 PM
      mbam-log-2011-03-30 (21-48-56).txt

      Scan type: Quick scan
      Objects scanned: 148555
      Time elapsed: 6 minute(s), 48 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

      Shall I go ahead and get HijackThis and run that as well?
      Note that this interference happened when I was using Firefox. Not sure if this matters, but now I am using Safari, and I do not use Internet Explorer.
      I will update my Java and check back.
      Although the interference has only happened once so far, I am still concerned. I have a bit of confusion as to why nothing is showing up in any of the scans. Maybe this infection is very very clever?
      Thanks for any help.
      Nari

      [recovering disk space - old attachment deleted by admin]
      « Last Edit: April 01, 2011, 11:28:11 AM by SuperDave »

      nari_ka

        Topic Starter


        Rookie
        • Experience: Familiar
        • OS: Windows 8
        Here is my HijackThis log:


        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 4:57:50 PM, on 3/31/2011
        Platform: Windows Vista SP2 (WinNT 6.00.1906)
        MSIE: Internet Explorer v7.00 (7.00.6002.18005)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Windows\Explorer.EXE
        C:\Windows\system32\taskeng.exe
        C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        C:\Program Files\Windows Defender\MSASCui.exe
        C:\Windows\RtHDVCpl.exe
        C:\Program Files\ltmoh\ltmoh.exe
        C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
        C:\Program Files\Synaptics\SynTP\SynToshiba.exe
        C:\Program Files\Toshiba\SmoothView\SmoothView.exe
        C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
        C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
        C:\Program Files\Toshiba\Utilities\KeNotify.exe
        C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
        C:\Windows\WindowsMobile\wmdc.exe
        C:\Program Files\Alwil Software\Avast5\AvastUI.exe
        C:\Program Files\Common Files\Real\Update_OB\realsched.exe
        C:\Program Files\iTunes\iTunesHelper.exe
        C:\Windows\system32\wbem\unsecapp.exe
        C:\Windows\System32\igfxtray.exe
        C:\Windows\System32\hkcmd.exe
        C:\Windows\System32\igfxpers.exe
        C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        C:\Program Files\Skype\Phone\Skype.exe
        C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
        C:\Windows\system32\igfxsrvc.exe
        C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
        C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
        C:\Windows\System32\mobsync.exe
        C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
        C:\Windows\system32\wuauclt.exe
        C:\Toshiba\IVP\NetInt\netint.exe
        C:\Toshiba\IVP\ISM\ivpsvmgr.exe
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\Safari\Safari.exe
        C:\Program Files\Trend Micro\sniper\sniper.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.mc624.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253477804&.rand=8lrtg7plic7v6
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
        R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
        R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NetZero\SearchEnh1.dll
        R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O1 - Hosts: ::1 localhost
        O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
        O2 - BHO: Pop-up Blocker - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.6.5612.1312\swg.dll
        O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
        O2 - BHO: &Google Notebook - {CCCCCCD3-666F-4F81-8B69-745DE9F6D897} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll
        O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
        O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
        O3 - Toolbar: Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll
        O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
        O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
        O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
        O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
        O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
        O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
        O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
        O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
        O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
        O4 - HKLM\..\Run: [HWSetup] C:\Program Files\TOSHIBA\Utilities\HWSetup.exe hwSetUP
        O4 - HKLM\..\Run: [SVPWUTIL] C:\Program Files\TOSHIBA\Utilities\SVPWUTIL.exe SVPwUTIL
        O4 - HKLM\..\Run: [KeNotify] C:\Program Files\TOSHIBA\Utilities\KeNotify.exe
        O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
        O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
        O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
        O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
        O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
        O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKCU\..\Run: [TOSCDSPD] TOSCDSPD.EXE
        O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
        O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
        O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\Windows\system32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /FU "C:\Windows\TEMP\E_S4277.tmp" /EF "HKCU"
        O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
        O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
        O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
        O4 - Startup: Oneeko.lnk = C:\Program Files\Oneeko\ONEEKO.EXE
        O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
        O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
        O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
        O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
        O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
        O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll/gn_menu1.html
        O8 - Extra context menu item: Note this item (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll/gn_menu2.html
        O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
        O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
        O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
        O15 - Trusted Zone: *.netzero.com
        O15 - Trusted Zone: *.netzero.net
        O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
        O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
        O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
        O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
        O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
        O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\Alwil Software\Avast5\afwServ.exe
        O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
        O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
        O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\TOSHIBA Games\TOSHIBA Game Console\GameConsoleService.exe
        O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
        O23 - Service: Google Update Service (gupdate1cad9d4d0da1331) (gupdate1cad9d4d0da1331) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
        O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
        O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
        O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
        O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
        O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
        O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

        --
        End of file - 12418 bytes

        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        I have also attempted to Self-Help this on the Computer Hope Log Tool.
        So far nothing seems worth fixing or removing with HijackThis.
        It does recommend activating a firewall, however, which I will do.
        Any response would be appreciated.
        Thanks
        « Last Edit: April 01, 2011, 11:33:53 AM by SuperDave »

        harry 48



          Egghead

        • Experience: Familiar
        • OS: Windows 7
        You will have to wait for an expert; he will give you a few more things to run and then help you out.

        SuperDave

        • Malware Removal Specialist


        • Genius
        • Experience: Expert
        • OS: Windows 10
        Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

        1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
        2. The fixes are specific to your problem and should only be used for this issue on this machine.
        3. If you don't know or understand something, please don't hesitate to ask.
        4. Please DO NOT run any other tools or scans while I am helping you.
        5. It is important that you reply to this thread. Do not start a new topic.
        6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
        7. Absence of symptoms does not mean that everything is clear.

        If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
        *************************************************************
        Open HijackThis and select Do a system scan only

        Place a check mark next to the following entries: (if there)

        O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
        Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following. Please place a check mark next to this/these line/lines.
        O15 - Trusted Zone: *.netzero.com
        O15 - Trusted Zone: *.netzero.net


        Important: Close all open windows except for HijackThis and then click Fix checked.

        Once completed, exit HijackThis.
        *********************************************************
        Download Security Check by screen317 from one of the following links and save it to your desktop.

        Link 1
        Link 2

        * Unzip SecurityCheck.zip and a folder named Security Check should appear.
        * Open the Security Check folder and double-click Security Check.bat
        * Follow the on-screen instructions inside of the black box.
        * A Notepad document should open automatically called checkup.txt
        * Post the contents of that document in your next reply.

        Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
        ********************************************************
        Download ComboFix by sUBs from one of the below links.  Be sure to save it to the Desktop.

        link # 1
        Link # 2
        If you are using Firefox, make sure that your download settings are as follows:

        * Tools->Options->Main tab
        * Set to "Always ask me where to Save the files".

        Close any open web browsers (Firefox, Internet Explorer, etc) before starting ComboFix.

        Temporarily disable your anti-virus, and any anti-spyware real-time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

        Right-click combofix.exe and select Run as Administrator and follow the prompts.
        When finished, ComboFix will produce a log for you.
        Post the ComboFix log and a new HijackThis log in your next reply.

        NOTE: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your anti-virus and anti-spyware protection when ComboFix is complete.
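The instructions above pick two kinds of HijackThis entry out of a long log by hand: the O15 Trusted Zone lines (to be fixed) and an O4 autorun. The script below is an added example, written for this thread and not code from Computer Hope, Trend Micro or HijackThis, that does the same first-pass triage automatically. It parses the "Oxx - ..." / "Rx - ..." line format seen in the log posted earlier and flags the entry classes a removal helper checks first: Trusted Zone entries, AppInit_DLLs, hosts-file overrides, services with no recorded publisher, and Run-key autoruns whose target lives in a user-writable folder. The sample log is constructed from the entry formats quoted in the thread; the `[ExampleRogue]` line is invented purely to exercise the user-writable-folder rule, and that rule itself is a heuristic assumption, not something the thread states.

```python
"""Triage a HijackThis v2 log: flag the entry classes a malware-removal helper
checks first. Added example for this thread, not code from Computer Hope,
Trend Micro or HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entry formats quoted in the thread.
# The [ExampleRogue] line is invented to exercise the user-writable-path rule.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
O1 - Hosts: ::1 localhost
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ExampleRogue] "C:\Users\User-2\AppData\Local\Temp\example-rogue.exe" /s
O15 - Trusted Zone: *.netzero.com
O15 - Trusted Zone: *.netzero.net
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
"""

# Every HijackThis entry starts with its section code, e.g. "O15 - ..." or "R1 - ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")

# Heuristic (assumption, not from the thread): autoruns launched from folders an
# ordinary user can write to deserve a second look before anything else.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section, e.g. "O15"
    action: str  # "fix": tick it in HijackThis; "review": verify by hand first
    reason: str
    line: str


def _run_target(rest: str) -> str:
    """Lower-cased command part of an O4 entry, i.e. the text after '[name]'."""
    return rest.split("]", 1)[1].strip().lower() if "]" in rest else rest.lower()


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        code, rest = m.groups()
        if code == "O15":
            findings.append(Finding(code, "fix",
                "Trusted Zone runs scripts with the lowest security; keep it empty", line))
        elif code == "O20" and rest.startswith("AppInit_DLLs:"):
            findings.append(Finding(code, "review",
                "AppInit_DLLs is loaded into every process that uses user32.dll; confirm the publisher", line))
        elif code == "O1" and not rest.endswith(" localhost"):
            findings.append(Finding(code, "review", "hosts-file override", line))
        elif code == "O4" and any(w in _run_target(rest) for w in USER_WRITABLE):
            findings.append(Finding(code, "review",
                "autorun launched from a user-writable folder", line))
        elif code == "O23" and "- Unknown owner -" in rest:
            findings.append(Finding(code, "review",
                "service with no publisher recorded; verify the binary", line))
    return findings


def fix_lines(findings: list[Finding]) -> list[str]:
    """The entries to tick in HijackThis before clicking 'Fix checked'."""
    return [f.line for f in findings if f.action == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4}{f.action:<7}{f.reason}\n      {f.line}")
```

Run against the sample, the script returns the two O15 lines as the "fix" set, exactly the ones the helper asked to have checked, and lists the AppInit_DLLs entry, the "Unknown owner" service and the invented Temp-folder autorun for manual review without touching the avast! or RealPlayer entries. Anything in the "review" set still needs a human to confirm the file's publisher and purpose; the script only narrows the reading, it does not decide.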

        nari_ka

          Topic Starter


          Rookie
          • Experience: Familiar
          • OS: Windows 8
          Hello Dave,
          Gosh you must be very very busy.
          Here is the log from Security Check:

           Results of screen317's Security Check version 0.99.10 
           Windows Vista Service Pack 2 (UAC is enabled)
           Internet Explorer 7 Out of date!
          ``````````````````````````````
          Antivirus/Firewall Check:

           Windows Firewall Enabled! 
           avast! Internet Security   
           WMI entry may not exist for antivirus; attempting automatic update.
          ```````````````````````````````
          Anti-malware/Other Utilities Check:

           Malwarebytes' Anti-Malware   
           CCleaner     
           Java(TM) 6 Update 24 
           Java(TM) SE Runtime Environment 6
           Adobe Flash Player    10.2.152.32 
          Adobe Reader 8.1.2
          Out of date Adobe Reader installed!
           Mozilla Firefox (3.6.16) Firefox Out of Date! 
           Mozilla Thunderbird (3.1.7) Thunderbird Out of Date! 
          ````````````````````````````````
          Process Check: 
          objlist.exe by Laurent

           Windows Defender MSASCui.exe
           Windows Defender MSASCui.exe   
           system32 AvastSvc.exe -?-   
           Alwil Software Avast5 AvastUI.exe 
          ``````````End of Log````````````
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

          Here is my log from ComboFix:

          ComboFix 11-04-01.01 - User-2 04/01/2011  21:26:42.1.2 - x86
          Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.1013.386 [GMT -10:00]
          Running from: c:\users\User-2\Desktop\ComboFix.exe
          AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
          FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
          SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
          SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          c:\netzeroinstaller\NetZeroInstaller.exe
          c:\programdata\ntuser.dat
          c:\programdata\xp
          c:\programdata\xp\EBLib.dll
          c:\programdata\xp\TPwSav.sys
          .
          .
          (((((((((((((((((((((((((   Files Created from 2011-03-02 to 2011-04-02  )))))))))))))))))))))))))))))))
          .
          .
          2011-04-02 07:38 . 2011-04-02 07:38   --------   d-----w-   c:\users\Default\AppData\Local\temp
          2011-04-01 02:49 . 2011-04-01 02:49   388096   ----a-r-   c:\users\User-2\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
          2011-04-01 02:49 . 2011-04-01 02:54   --------   d-----w-   c:\program files\Trend Micro
          2011-03-31 07:41 . 2011-03-31 07:41   --------   d-----w-   c:\users\User-2\AppData\Roaming\Malwarebytes
          2011-03-31 07:40 . 2011-03-31 07:40   --------   d-----w-   c:\programdata\Malwarebytes
          2011-03-31 07:40 . 2010-12-21 04:09   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2011-03-31 07:40 . 2011-03-31 07:41   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2011-03-31 07:40 . 2010-12-21 04:08   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2011-03-31 01:23 . 2011-03-31 01:23   --------   d-----w-   c:\users\User-2\AppData\Roaming\SUPERAntiSpyware.com
          2011-03-31 01:23 . 2011-03-31 01:23   --------   d-----w-   c:\programdata\SUPERAntiSpyware.com
          2011-03-31 01:23 . 2011-03-31 01:23   --------   d-----w-   c:\program files\SUPERAntiSpyware
          2011-03-31 00:44 . 2011-03-31 00:44   --------   d-----w-   c:\program files\CCleaner
          2011-03-27 22:27 . 2011-03-15 04:05   6792528   ----a-w-   c:\programdata\Microsoft\Windows Defender\Definition Updates\{13ABB5D9-2672-4397-8609-3C2111F8CA69}\mpengine.dll
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2011-02-23 15:04 . 2010-06-30 10:01   40648   ----a-w-   c:\windows\avastSS.scr
          2011-02-23 15:04 . 2007-08-02 02:16   190016   ----a-w-   c:\windows\system32\aswBoot.exe
          2011-02-23 14:57 . 2010-02-27 08:37   101976   ----a-w-   c:\windows\system32\drivers\aswFW.sys
          2011-02-23 14:56 . 2010-02-27 08:37   371544   ----a-w-   c:\windows\system32\drivers\aswSnx.sys
          2011-02-23 14:56 . 2008-12-25 09:10   301528   ----a-w-   c:\windows\system32\drivers\aswSP.sys
          2011-02-23 14:56 . 2010-02-27 08:35   192728   ----a-w-   c:\windows\system32\drivers\aswNdis2.sys
          2011-02-23 14:55 . 2007-08-02 02:16   49240   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
          2011-02-23 14:55 . 2007-08-02 02:16   25432   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
          2011-02-23 14:55 . 2007-08-02 02:16   53592   ----a-w-   c:\windows\system32\drivers\aswMonFlt.sys
          2011-02-23 14:54 . 2008-12-25 09:10   19544   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
          2011-02-03 07:40 . 2010-06-15 17:21   472808   ----a-w-   c:\windows\system32\deployJava1.dll
          2011-02-03 04:11 . 2009-10-02 17:35   222080   ------w-   c:\windows\system32\MpSigStub.exe
          2011-01-20 16:37 . 2011-03-01 04:14   638336   ----a-w-   c:\windows\system32\drivers\dxgkrnl.sys
          2011-01-20 16:08 . 2011-03-01 04:14   478720   ----a-w-   c:\windows\system32\dxgi.dll
          2011-01-20 16:08 . 2011-03-01 04:14   219648   ----a-w-   c:\windows\system32\d3d10_1core.dll
          2011-01-20 16:08 . 2011-03-01 04:14   160768   ----a-w-   c:\windows\system32\d3d10_1.dll
          2011-01-20 16:08 . 2011-03-01 04:14   1029120   ----a-w-   c:\windows\system32\d3d10.dll
          2011-01-20 16:08 . 2011-03-01 04:14   189952   ----a-w-   c:\windows\system32\d3d10core.dll
          2011-01-20 16:07 . 2011-03-01 04:14   37376   ----a-w-   c:\windows\system32\cdd.dll
          2011-01-20 16:07 . 2011-03-01 04:14   258048   ----a-w-   c:\windows\system32\winspool.drv
          2011-01-20 16:07 . 2011-03-01 04:14   586240   ----a-w-   c:\windows\system32\stobject.dll
          2011-01-20 16:06 . 2011-03-01 04:14   2873344   ----a-w-   c:\windows\system32\mf.dll
          2011-01-20 16:06 . 2011-03-01 04:14   26112   ----a-w-   c:\windows\system32\printfilterpipelineprxy.dll
          2011-01-20 16:04 . 2011-03-01 04:14   209920   ----a-w-   c:\windows\system32\mfplat.dll
          2011-01-20 16:04 . 2011-03-01 04:14   98816   ----a-w-   c:\windows\system32\mfps.dll
          2011-01-20 14:28 . 2011-03-01 04:14   1554432   ----a-w-   c:\windows\system32\xpsservices.dll
          2011-01-20 14:27 . 2011-03-01 04:14   876032   ----a-w-   c:\windows\system32\XpsPrint.dll
          2011-01-20 14:26 . 2011-03-01 04:14   667648   ----a-w-   c:\windows\system32\printfilterpipelinesvc.exe
          2011-01-20 14:25 . 2011-03-01 04:14   847360   ----a-w-   c:\windows\system32\OpcServices.dll
          2011-01-20 14:24 . 2011-03-01 04:14   288768   ----a-w-   c:\windows\system32\XpsGdiConverter.dll
          2011-01-20 14:24 . 2011-03-01 04:14   135680   ----a-w-   c:\windows\system32\XpsRasterService.dll
          2011-01-20 14:15 . 2011-03-01 04:14   979456   ----a-w-   c:\windows\system32\MFH264Dec.dll
          2011-01-20 14:14 . 2011-03-01 04:14   357376   ----a-w-   c:\windows\system32\MFHEAACdec.dll
          2011-01-20 14:14 . 2011-03-01 04:14   302592   ----a-w-   c:\windows\system32\mfmp4src.dll
          2011-01-20 14:14 . 2011-03-01 04:14   261632   ----a-w-   c:\windows\system32\mfreadwrite.dll
          2011-01-20 14:12 . 2011-03-01 04:14   1172480   ----a-w-   c:\windows\system32\d3d10warp.dll
          2011-01-20 14:11 . 2011-03-01 04:14   486400   ----a-w-   c:\windows\system32\d3d10level9.dll
          2011-01-20 13:47 . 2011-03-01 04:14   683008   ----a-w-   c:\windows\system32\d2d1.dll
          2011-01-20 13:44 . 2011-03-01 04:14   1068544   ----a-w-   c:\windows\system32\DWrite.dll
          2011-01-20 13:44 . 2011-03-01 04:14   797184   ----a-w-   c:\windows\system32\FntCache.dll
          2011-01-08 08:47 . 2011-03-01 04:09   34304   ----a-w-   c:\windows\system32\atmlib.dll
          2011-01-08 06:28 . 2011-03-01 04:09   292352   ----a-w-   c:\windows\system32\atmfd.dll
          2010-04-12 00:19 . 2010-04-12 00:19   14336   ----a-w-   c:\program files\wmdmhelper.dll
          2010-04-12 00:19 . 2010-04-12 00:19   712704   ----a-w-   c:\program files\dtdr3260.dll
          2010-04-12 00:19 . 2010-04-12 00:19   356352   ----a-w-   c:\program files\rjdlg.dll
          2010-04-12 00:19 . 2010-04-12 00:19   19456   ----a-w-   c:\program files\rjprog.dll
          2010-04-12 00:19 . 2010-04-12 00:19   139264   ----a-w-   c:\program files\DUNZIP32.dll
          2010-04-12 00:19 . 2010-04-12 00:19   651264   ----a-w-   c:\program files\rjbres.dll
          2010-04-12 00:19 . 2010-04-12 00:19   36352   ----a-w-   c:\program files\ierjplug.dll
          2010-04-12 00:19 . 2010-04-12 00:19   6656   ----a-w-   c:\program files\fixrjb.exe
          2010-04-12 00:19 . 2010-04-12 00:19   41472   ----a-w-   c:\program files\mmcdda32.dll
          2010-04-12 00:19 . 2010-04-12 00:19   19456   ----a-w-   c:\program files\tnetdtct.dll
          2010-04-12 00:19 . 2010-04-12 00:19   81920   ----a-w-   c:\program files\tsasdk.dll
          2010-04-12 00:19 . 2010-04-12 00:19   57344   ----a-w-   c:\program files\tpasdk.dll
          2010-04-12 00:19 . 2010-04-12 00:19   32768   ----a-w-   c:\program files\rpwa3260.dll
          2010-04-12 00:19 . 2010-04-12 00:19   16296   ----a-w-   c:\program files\realtfon.fon
          2010-04-12 00:19 . 2010-04-12 00:19   43056   ----a-w-   c:\program files\rpshellsearch.dll
          2010-04-12 00:18 . 2010-04-12 00:18   719360   ----a-w-   c:\program files\dbghelp.dll
          2010-04-12 00:18 . 2010-04-12 00:18   65536   ----a-w-   c:\program files\rjwmapln.dll
          2010-04-12 00:18 . 2010-04-12 00:18   53248   ----a-w-   c:\program files\rpau3260.dll
          2010-04-12 00:18 . 2010-04-12 00:18   102400   ----a-w-   c:\program files\HXAudioDeviceHook.dll
          2010-04-12 00:18 . 2010-04-12 00:18   86016   ----a-w-   c:\program files\rpplugprot.dll
          2010-04-12 00:18 . 2010-04-12 00:18   63016   ----a-w-   c:\program files\rpshell.dll
          2010-04-12 00:18 . 2010-04-12 00:18   112168   ----a-w-   c:\program files\rdsf3260.dll
          2010-04-12 00:18 . 2010-04-12 00:18   7168   ----a-w-   c:\program files\realjbox.exe
          2010-04-12 00:18 . 2010-04-12 00:18   14888   ----a-w-   c:\program files\rphelperapp.exe
          2010-04-12 00:17 . 2010-04-12 00:17   488968   ----a-w-   c:\program files\realplay.exe
          2010-04-12 00:17 . 2010-04-12 00:17   407104   ----a-w-   c:\program files\RecordingManager.exe
          2010-08-13 09:04 . 2008-12-13 06:43   119808   ----a-w-   c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
          .
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
          @="{472083B0-C522-11CF-8763-00608CC02F24}"
          [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
          2011-02-23 15:04   122512   ----a-w-   c:\program files\Alwil Software\Avast5\ashShell.dll
          .
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-20 39408]
          "Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-10-12 14940040]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-20 1451304]
          "RtHDVCpl"="RtHDVCpl.exe" [2006-11-09 3784704]
          "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2005-12-16 188416]
          "NDSTray.exe"="NDSTray.exe" [BU]
          "HWSetup"="c:\program files\TOSHIBA\Utilities\HWSetup.exe" [2006-11-01 413696]
          "SVPWUTIL"="c:\program files\TOSHIBA\Utilities\SVPWUTIL.exe" [2006-01-19 421888]
          "KeNotify"="c:\program files\TOSHIBA\Utilities\KeNotify.exe" [2006-11-07 34352]
          "PINGER"="c:\toshiba\IVP\ISM\pinger.exe" [2006-07-20 151552]
          "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-08-13 30192]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
          "Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
          "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-30 249064]
          "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-02-23 3451496]
          "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-07-22 141608]
          "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
          "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
          "Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
          "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-30 421888]
          .
          c:\users\User-2\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
          Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
          Oneeko.lnk - c:\program files\Oneeko\ONEEKO.EXE [N/A]
          .
          c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
          Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-3-15 113664]
          Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2007-4-19 64864]
          ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2008-2-5 54512]
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "EnableUIADesktopToggle"= 0 (0x0)
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
          "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
          "DisableMonitoring"=dword:00000001
          .
          R2 avast! Firewall;avast! Firewall;c:\program files\Alwil Software\Avast5\afwServ.exe [2011-02-23 121000]
          R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
          R2 gupdate1cad9d4d0da1331;Google Update Service (gupdate1cad9d4d0da1331);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 133104]
          R3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2010-08-13 30192]
          R3 USB_RNDIS_VISTA;Westell USB Network Interface;c:\windows\system32\DRIVERS\usb8023.sys [2009-04-11 15872]
          R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
          S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [2010-01-09 12112]
          S0 aswNdis2;avast! Firewall Core Firewall Service;

          S1 aswFW;avast! TDI Firewall driver;

          S1 aswSnx;aswSnx;

          S1 aswSP;aswSP;

          S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
          S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
          S2 aswFsBlk;aswFsBlk;

          S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2011-02-23 53592]
          .
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
          HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
          WindowsMobile   REG_MULTI_SZ      wcescomm rapimgr
          LocalServiceRestricted   REG_MULTI_SZ      WcesComm RapiMgr
          LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 00:11]
          .
          2011-04-02 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-04-12 00:11]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://us.mc624.mail.yahoo.com/mc/welcome?.gx=1&.tm=1253477804&.rand=8lrtg7plic7v6
          uDefault_Search_URL = hxxp://www.google.com/ie
          uInternet Settings,ProxyOverride = *.local
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
          IE: Display All Images with Full Quality - c:\program files\NetZero\qsacc\appres.dll/228
          IE: Display Image with Full Quality - c:\program files\NetZero\qsacc\appres.dll/227
          IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
          IE: Note this (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll/gn_menu1.html
          IE: Note this item (Google Notebook) - c:\program files\Google\Google Notebook\gnotes1.0.2.19-742769657.dll/gn_menu2.html
          FF - ProfilePath - c:\users\User-2\AppData\Roaming\Mozilla\Firefox\Profiles\leonb54p.default\
          FF - prefs.js: browser.startup.homepage - hxxp://Google.Com/ig
          FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
          FF - Ext: The Browser Highlighter: [email protected] - c:\program files\Mozilla Firefox\extensions\[email protected]
          FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
          FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
          FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
          FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
          FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
          .
          - - - - ORPHANS REMOVED - - - -
          .
          HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
          HKLM-Run-TPwrMain - %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
          HKLM-Run-HSON - %ProgramFiles%\TOSHIBA\TBS\HSON.exe
          HKLM-Run-SmoothView - %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
          HKLM-Run-00TCrdMain - %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
          AddRemove-Oneeko - c:\program files\Oneeko\Uninstall.exe
          .
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2011-04-01 21:38
          Windows 6.0.6002 Service Pack 2 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.flac\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.ogg\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pcm\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pls\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.spx\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
          @Denied: (2) (LocalSystem)
          "Progid"="YMP.Media"
          .
          [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
          @Denied: (A) (Users)
          @Denied: (A) (Everyone)
          @Allowed: (B 1 2 3 4 5) (S-1-5-20)
          "BlindDial"=dword:00000000
          "MSCurrentCountry"=dword:000000b5
          .
          Completion time: 2011-04-01  21:43:41
          ComboFix-quarantined-files.txt  2011-04-02 07:43
          .
          Pre-Run: 38,726,467,584 bytes free
          Post-Run: 38,641,799,168 bytes free
          .
          Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
          - - End Of File - - 835781CA807612FC2D7A87808F500F6B
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I am confused about the new HijackThis log. I don't have one since I didn't click the Do a system scan and save a log file button as per your instructions. Should I run one again clicking that Do a system scan and save a log file button?
          Thank you for your patient assistance,
          Nari

          SuperDave

          • Malware Removal Specialist


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Update your Adobe Reader. get.adobe.com/reader.

          Be sure to uncheck the Free McAfee Security Scan so it isn't installed.
          ************************************************************
          Quote
I am confused about the new HijackThis log. I don't have one since I didn't click the Do a system scan and save a log file button as per your instructions. Should I run one again clicking that Do a system scan and save a log file button?
          The only thing I required you to do was to fix those three lines in HJT. If you did this, you're done with HJT.

          SysProt Antirootkit

          Download
          SysProt Antirootkit from the link below (you will find it at the bottom
          of the page under attachments, or you can get it from one of the
          mirrors).

          http://sites.google.com/site/sysprotantirootkit/

          Unzip it into a folder on your desktop.
          • Double click Sysprot.exe to start the program.
          • Click on the Log tab.
          • In the Write to log box select the following items.
            • Process << Selected
            • Kernel Modules << Selected
            • SSDT << Selected
            • Kernel Hooks << Selected
            • IRP Hooks << NOT Selected
            • Ports << NOT Selected
            • Hidden Files << Selected
          • At the bottom of the page
            • Hidden Objects Only << Selected
          • Click on the Create Log button on the bottom right.
          • After a few seconds a new window should appear.
          • Select Scan Root Drive. Click on the Start button.
          • When it is complete a new window will appear to indicate that the scan is finished.
          • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
          Windows 8 and Windows 10 dual boot with two SSD's

          nari_ka

            Topic Starter


            Rookie
            • Experience: Familiar
            • OS: Windows 8
            Here's my SysprotAntiRootKit scan log:

            SysProt AntiRootkit v1.0.1.0
            by swatkat

            ******************************************************************************************
            ******************************************************************************************

            No Hidden Processes found

            ******************************************************************************************
            ******************************************************************************************
            Kernel Modules:
            Module Name: \SystemRoot\System32\Drivers\dump_dumpata.sys
            Service Name: ---
            Module Base: 8CADB000
            Module End: 8CAE6000
            Hidden: Yes

            Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
            Service Name: ---
            Module Base: 8CAE6000
            Module End: 8CAEE000
            Hidden: Yes

            ******************************************************************************************
            ******************************************************************************************
            SSDT:
            Function Name: ZwAddBootEntry
            Address: 8C81E9CA
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateEvent
            Address: 8C820EAC
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateEventPair
            Address: 8C820F04
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateIoCompletion
            Address: 8C82101A
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateMutant
            Address: 8C820E02
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateSection
            Address: 8C820F54
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateSemaphore
            Address: 8C820E56
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwCreateTimer
            Address: 8C820FC8
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwDeleteBootEntry
            Address: 8C81E9EE
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwLoadDriver
            Address: 8C81E7B8
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwModifyBootEntry
            Address: 8C81EA12
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwNotifyChangeKey
            Address: 8C821412
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwNotifyChangeMultipleKeys
            Address: 8C81F4AA
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenEvent
            Address: 8C820EDC
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenEventPair
            Address: 8C820F2C
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenIoCompletion
            Address: 8C821044
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenMutant
            Address: 8C820E2E
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenSection
            Address: 8C820F94
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenSemaphore
            Address: 8C820E84
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwOpenTimer
            Address: 8C820FF2
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwQueryObject
            Address: 8C81F370
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwSetBootEntryOrder
            Address: 8C81EA36
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwSetBootOptions
            Address: 8C81EA5A
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwSetSystemInformation
            Address: 8C81E812
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwSetSystemPowerState
            Address: 8C81E94E
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwShutdownSystem
            Address: 8C81E92A
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwSystemDebugControl
            Address: 8C81E972
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            Function Name: ZwVdmControl
            Address: 8C81EA7E
            Driver Base: 8C80C000
            Driver End: 8C86A000
            Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

            ******************************************************************************************
            ******************************************************************************************
            Kernel Hooks:
            Hooked Function: ZwCreateProcessEx
            At Address: 82E95E32
            Jump To: 8CAA48E2
            Module Name: C:\Windows\System32\Drivers\aswSP.SYS

            Hooked Function: ObMakeTemporaryObject
            At Address: 82DB0E12
            Jump To: 8CAA029E
            Module Name: C:\Windows\System32\Drivers\aswSP.SYS

            Hooked Function: ObInsertObject
            At Address: 82DFE9BC
            Jump To: 8CAA1D38
            Module Name: C:\Windows\System32\Drivers\aswSP.SYS

            ******************************************************************************************
            ******************************************************************************************
            Hidden files/folders:
            Object: C:\Qoobox\BackEnv\AppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cache.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Cookies.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Desktop.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Favorites.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\History.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Music.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\NetHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Personal.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Pictures.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Programs.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Recent.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SendTo.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SetPath.bat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\StartUp.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\SysPath.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\Templates.folder.dat
            Status: Access denied

            Object: C:\Qoobox\BackEnv\VikPev00
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
            Status: Access denied

            Object: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
            Status: Access denied

            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I had to run Sysprot twice since the first time I didn't run it as Admin. I hope the log updated itself.
            And I updated Adobe Reader.

Avast keeps telling me that they recommend opening the program I am trying to open in sandbox.
File: ProgramFiles\GoogleDesktopSearch\pdftotext.exe
From: ProgramFiles\GoogleDesktopSearch\GoogleServices.dll
I've seen this happen before, it's kind of disconcerting.
            Thanks for all your help.
            « Last Edit: April 02, 2011, 06:28:21 PM by SuperDave »

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Quote
Avast keeps telling me that they recommend opening the program I am trying to open in sandbox.
File: ProgramFiles\GoogleDesktopSearch\pdftotext.exe
From: ProgramFiles\GoogleDesktopSearch\GoogleServices.dll
I've seen this happen before, it's kind of disconcerting.
            That file belongs to GoogleDesktopSearch. Sandbox is a security program where you can open potentially dangerous files without harming your computer. Possibly that file is corrupted. You could renew it by uninstalling and reinstalling GoogleDesktopSearch

            I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

nari_ka
              Hello Dave,
              Here is my ESET Scan log:

              C:\Users\User-2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\1\3ee57b81-4ab27c90   multiple threats   deleted - quarantined
              C:\Users\User-2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\31\781da39f-536eafa4   Java/TrojanDownloader.Agent.NBU trojan   deleted - quarantined
              C:\Users\User-2\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\51\491fc3b3-1c446af9   multiple threats   deleted - quarantined

              Also, I uninstalled Google Desktop, I wasn't even sure why I had it. I use The Google Toolbar in Firefox, but that's not the same, I'm sure.
              Thanks for all your help. It's interesting that ESCAN found something that the others did not.
              I will check back soon.

SuperDave

Quote:
              It's interesting that ESCAN found something that the others did not.
              On-line scanners work better because they are working from the outside without the chance of other influences.
              If there are no other issues, we can cleanup.


              To uninstall ComboFix

              • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
              • In the field, type in ComboFix /uninstall


              (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

              • Then, press Enter, or click OK.
• This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.
              ********************************************
              Clean out your temporary internet files and temp files.

              Download TFC by OldTimer to your desktop.

              Double-click TFC.exe to run it.

              Note: If you are running on Vista, right-click on the file and choose Run As Administrator

              TFC will close all programs when run, so make sure you have saved all your work before you begin.

              * Click the Start button to begin the cleaning process.
              * Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two.
              * Please let TFC run uninterrupted until it is finished.

              Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.
              **********************************************
              Looking over your log it seems you don't have any evidence of a third party firewall.

              Firewalls protect against hackers and malicious intruders. You need to download a free firewall from one of these reliable vendors.

              Remember only install ONE firewall

              1) Comodo Personal Firewall (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and uncheck any HopSurf and/or Ask.com options if you choose this one)
              2) Online Armor
              3) Agnitum Outpost
              4) PC Tools Firewall Plus

              If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
              **************************************************************
              Use the Secunia Software Inspector to check for out of date software.

              •Click Start Now

              •Check the box next to Enable thorough system inspection.

              •Click Start

              •Allow the scan to finish and scroll down to see if any updates are needed.
              •Update anything listed.
              ----------

              Go to Microsoft Windows Update and get all critical updates.

              ----------

              I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

              SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
              * Using SpywareBlaster to protect your computer from Spyware and Malware
              * If you don't know what ActiveX controls are, see here

              Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

              Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

              Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
              Safe Surfing!
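As an added example (not part of SuperDave's post or of any tool named above), this PowerShell snippet reads the built-in firewall's per-profile policy with `netsh advfirewall`, which exists on Vista and later (not XP), so you can see whether outbound connections are allowed by default, the "phone home" concern raised above. It assumes an elevated prompt and English-language netsh output.

```powershell
# Added example: audit the Windows Firewall default outbound action per profile.
# Assumes: elevated PowerShell on Vista or later, English-language netsh output.

function Get-FirewallProfilePolicy {
    $profiles = @()
    $current  = $null
    foreach ($line in (netsh advfirewall show allprofiles)) {
        if ($line -match '^(\w+) Profile Settings:') {
            # Each profile block starts with e.g. "Domain Profile Settings:"
            $current = [PSCustomObject]@{
                Profile  = $Matches[1]
                State    = $null
                Inbound  = $null
                Outbound = $null
            }
            $profiles += $current
        }
        elseif ($current -and $line -match '^State\s+(\w+)') {
            $current.State = $Matches[1]            # ON / OFF
        }
        elseif ($current -and $line -match '^Firewall Policy\s+(\w+),(\w+)') {
            # netsh prints e.g. "Firewall Policy    BlockInbound,AllowOutbound"
            $current.Inbound  = $Matches[1]
            $current.Outbound = $Matches[2]
        }
    }
    return $profiles
}

foreach ($p in Get-FirewallProfilePolicy) {
    $finding = if ($p.State -ne 'ON')                  { 'FIREWALL OFF' }
               elseif ($p.Outbound -ne 'BlockOutbound') { 'outbound allowed by default (malware can phone home)' }
               else                                     { 'ok' }
    '{0,-8} state={1,-3} inbound={2,-13} outbound={3,-14} {4}' -f `
        $p.Profile, $p.State, $p.Inbound, $p.Outbound, $finding
}

# To make every profile block outbound by default (only after adding allow
# rules for the programs you actually use, or they lose network access):
#   netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
```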

nari_ka
In trying to uninstall Combofix, Avast gave me 3 warning windows telling me "You are opening an application that may be potentially unsafe." and gave me an option to open it in sandbox.
                From the looks of it, it doesn't like something having to do with the ComboFix link I got off the Computer Hope Forum, but I am confused as to why it wants to involve iexplore and why it is acting up now.
                3 files opened by C:\32788R22FWJFW\iexplore.exe
                • C:\32788R22FWJFW\License\iexplore.exe (2 times)
                • C:\32788R22FWJFW\prev.exe and
                Origin: http://download.bleepingcomputer.com/sUBs/ComboFix.exe http:www.computerhope.com/forum/index.php/topic,117772.0html208.43.120.24
                The strange thing to me is that it opened the uninstaller first, then these Avast windows opened.
                The options are to
                • Open in sandbox (recommended),
                • Open normally,
                • or Cancel opening
                I am hesitant to proceed, but I am inclined to open it normally. I want to think Avast is overreacting, but I want to be sure.
                Meanwhile, I can't do anything until I respond to these Avast requests since the windows are on top of all others.
                Any suggestions?
                Thanks for your response...

nari_ka
                  Actually, it became unresponsive after I sent that last post. So I am in the process of shutting it down. (I am on a different computer)
                  What to do...?

SuperDave

Quote:
"You are opening an application that may be potentially unsafe." and gives me an option to open it in sandbox.
                  That's what Sandbox does. It opens new applications in the sandbox to protect your computer. Let's try this:

                  Ok. If there's nothing else, let's do some cleanup.

                  Delete the Combo-Fix.exe file, C:\Combo-Fix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combo-fix.txt and C:\Combo-Fix-quarantined-files.txt
                  You may have a problem deleting one of the folders. In that case, just empty the folder of whatever files you can and leave it.
                  ***************************************************
                  To set a new Restore Point.

Click the Start button, click Control Panel, click System and Maintenance, and then click System. In the left pane, click System Protection. If you are prompted for an administrator password or confirmation, type the password or provide confirmation. To turn off System Protection for a hard disk, clear the check box next to the disk, and then click OK. Reboot to Normal Mode.
                  Click the Start button , click Control Panel, click System and Maintenance, and then click System.
                  In the left pane, click System Protection.  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
                  To turn on System Protection for a hard disk, select the check box next to the disk, and then click OK.
                  This will give you a new, clean Restore Point.
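The same reset as an added PowerShell example (not from the thread or from Microsoft's documentation): the System Restore cmdlets in PowerShell 2.0 and later turn protection off and back on for the system drive, which discards the old restore points that could still hold infected files, and then create a fresh one. It assumes an elevated prompt and that Windows is on C:.

```powershell
# Added example: recreate a clean restore point from PowerShell (2.0 or later,
# elevated). Assumes the system drive is C:. Turning System Restore off
# discards every existing restore point, including any made while infected.

function Reset-CleanRestorePoint {
    param(
        [string]$Drive       = 'C:\',
        [string]$Description = 'Clean after malware removal'
    )

    Disable-ComputerRestore -Drive $Drive      # wipes the old restore points
    Enable-ComputerRestore  -Drive $Drive      # turns protection back on
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Return the newest restore point so the caller can confirm it was created
    Get-ComputerRestorePoint |
        Sort-Object SequenceNumber -Descending |
        Select-Object -First 1
}

$rp = Reset-CleanRestorePoint
if ($rp -and $rp.Description -eq 'Clean after malware removal') {
    'Clean restore point #{0} created: {1}' -f $rp.SequenceNumber, $rp.Description
} else {
    'No restore point found; check that System Protection is enabled for C:'
}
```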