
Topic: Desktop icons gone, document, program folders empty, no sys restore


goodie2010 (Topic Starter):

    This started about 5 days ago. All of a sudden something popped up and started scanning my computer, telling me I had all these viruses and to buy a program. I closed it; it wouldn't let me browse the internet or run Malwarebytes and other apps. The only thing it let me run was SAS. I ran it and removed harm; the popups and hch.exe are gone, but I still couldn't open Firefox or IE. It said unable to connect, check proxy or internet options. I can't System Restore because I disabled it to get rid of jce.exe and hch.exe. Yahoo Messenger and GTalk were online, I got new email and message alerts, I just couldn't use Firefox or IE.

    I ran SAS in safe mode, restarted and unchecked "use proxy server", and that got me back online and everything! I thought everything was all good. I ran Malwarebytes just to be safe; it found 1 virus, I removed it and rebooted. Then a couple of days later, while browsing online, keep in mind I hadn't downloaded anything new or installed anything.

    I guess the aggravating creature never left. A couple of days later the fake XP security system launched and began telling me I had all these viruses and needed to order. I rebooted in safe mode, ran SAS and CCleaner. Rebooted and it appeared gone; then yesterday I kept hearing my computer click when I wasn't doing anything. All of a sudden my computer rebooted by itself. It didn't appear there was a virus, then an hour later Firefox closed, the fake XP security thing launched and my desktop lost all icons. I ran SAS and rebooted; the desktop is blank, I can't right-click it either, and all my files/icons in Documents and Programs are missing. I unchecked hidden and some reappeared, but far from all. I don't have an option to do System Restore, and I can't get to Malwarebytes or anything except SAS. I can get online but can't access desktop apps, folders, etc. I can't even get to it from My Computer: I go to My Computer, click C and it's blank, no folders or anything, no option to show hidden or anything. Nothing has been deleted because used and free space are still the same, but I can't see or access anything.

    Thanks for your help. BTW, I'm using XP SP3 on a Gateway desktop; I have 1.5TB, 3GB RAM. Thanks

    SuperDave (Malware Removal Specialist, Moderator):

    Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

    1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
    2. The fixes are specific to your problem and should only be used for this issue on this machine.
    3. If you don't know or understand something, please don't hesitate to ask.
    4. Please DO NOT run any other tools or scans while I am helping you.
    5. It is important that you reply to this thread. Do not start a new topic.
    6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
    7. Absence of symptoms does not mean that everything is clear.

    If you can't access the internet with your infected computer you will have to download any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device, hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
    *****************************************************
    Please boot in Safe Mode with Networking and run MBAM. Reboot in Normal Mode and run MBAM again. If successful at that, please run these other scans.
    *************************************************************
    SUPERAntiSpyware

    If you already have SUPERAntiSpyware be sure to check for updates before scanning!


    Download SuperAntispyware Free Edition (SAS)
    * Double-click the icon on your desktop to run the installer.
    * When asked to Update the program definitions, click Yes
    * If you encounter any problems while downloading the updates, manually download and unzip them from here
    * Next click the Preferences button.
    * Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
    * Click the Scanning Control tab.
    * Under Scanner Options make sure only the following are checked:
      •Close browsers before scanning
      •Scan for tracking cookies
      •Terminate memory threats before quarantining
      Please leave the others unchecked
    * Click the Close button to leave the control center screen.
    * On the main screen click Scan your computer
    * On the left check the box for the drive you are scanning.
    * On the right choose Perform Complete Scan
    * Click Next to start the scan. Please be patient while it scans your computer.
    * After the scan is complete a summary box will appear. Click OK
    * Make sure everything in the white box has a check next to it, then click Next
    * It will quarantine what it found and if it asks if you want to reboot, click Yes

    To retrieve the removal information please do the following:
    * After reboot, double-click the SUPERAntiSpyware icon on your desktop.
    * Click Preferences. Click the Statistics/Logs tab.
    * Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    * It will open in your default text editor (preferably Notepad).
    * Save the notepad file to your desktop by clicking (in notepad) File > Save As...
    * Save the log somewhere you can easily find it. (normally the desktop)
    * Click close and close again to exit the program.
    * Copy and Paste the log in your post.
    ************************************************************
    Download DDS from HERE or HERE and save it to your desktop.

    * Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)
    * XP users double click on dds to run it.
    * If your antivirus or firewall tries to block DDS then please allow it to run.
    * When finished DDS will open two (2) logs.

    1) DDS.txt
    2) Attach.txt

    * Save both logs to your desktop.
    * Please copy and paste the entire contents of both logs in your next reply.

    Note: DDS will instruct you to post the Attach.txt log as an attachment.
    Please just post it as you would any other log by copying and pasting it into the reply.

    goodie2010 (Topic Starter):

      Sorry for the late response. My SAS scan usually takes 35 min; this time it took over 2 hours. During the scan XP 2011 Antivirus popped up; after the scan I rebooted and it started with the computer. It disabled me from using Firefox/IE. I ran CCleaner and here I am.


      Gee whiz, the SAS folder is now blank. I don't have any desktop icons, the SAS folder is blank in Startup/Programs, and I can't get to Programs from My Computer/C.

      So I can't even post the SAS log. :(


      MODIFIED... OK, I started in safe mode, clicked show all files in Programs and was able to start SAS to get the log, although the XP Anti Spyware 2011 keeps popping up.


      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 05/30/2011 at 11:00 PM

      Application Version : 4.52.1000

      Core Rules Database Version : 6998
      Trace Rules Database Version: 4810

      Scan type       : Complete Scan
      Total Scan Time : 03:25:12

      Memory items scanned      : 530
      Memory threats detected   : 0
      Registry items scanned    : 6505
      Registry threats detected : 1
      File items scanned        : 331047
      File threats detected     : 9

      System.BrokenFileAssociation
         HKCR\.exe

      Adware.Tracking Cookie
         C:\Documents and Settings\cs\Cookies\[email protected][1].txt
         C:\Documents and Settings\cs\Cookies\cs@doubleclick[1].txt
         C:\Documents and Settings\cs\Cookies\[email protected][1].txt
         C:\Documents and Settings\cs\Cookies\cs@yieldmanager[1].txt
         C:\Documents and Settings\cs\Cookies\cs@advertising[1].txt
         C:\Documents and Settings\cs\Cookies\[email protected][1].txt
         C:\Documents and Settings\cs\Cookies\[email protected][2].txt
         media.kyte.tv [ C:\Documents and Settings\cs\Application Data\Macromedia\Flash Player\#SharedObjects\GVP00001 ]

      Trojan.Agent/Gen
         C:\SYSTEM VOLUME INFORMATION\_RESTORE{653D82B1-7A8A-4A75-A8AF-5BF15F34719A}\RP3\A0001560.EXE


      Here's DDS:

      .
      UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
      IF REQUESTED, ZIP IT UP & ATTACH IT
      .
      DDS (Ver_11-05-19.01)
      .
      Microsoft Windows XP Professional
      Boot Device: \Device\HarddiskVolume2
      Install Date: 1/1/2004 7:19:14 AM
      System Uptime: 5/31/2011 4:45:40 AM (0 hours ago)
      .
      Motherboard: Intel Corporation |  | D945GCF
      Processor: Intel(R) Pentium(R) Dual  CPU  E2180  @ 2.00GHz | LGA 775 | 1999/200mhz
      .
      ==== Disk Partitions =========================
      .
      C: is FIXED (NTFS) - 466 GiB total, 47.55 GiB free.
      D: is FIXED (NTFS) - 466 GiB total, 3.647 GiB free.
      E: is FIXED (NTFS) - 1397 GiB total, 357.115 GiB free.
      F: is Removable
      G: is Removable
      H: is Removable
      I: is Removable
      J: is CDROM ()
      .
      ==== Disabled Device Manager Items =============
      .
      Class GUID:
      Description: Video Controller (VGA Compatible)
      Device ID: PCI\VEN_8086&DEV_2772&SUBSYS_604E107B&REV_02\3&61AAA01&0&10
      Manufacturer:
      Name: Video Controller (VGA Compatible)
      PNP Device ID: PCI\VEN_8086&DEV_2772&SUBSYS_604E107B&REV_02\3&61AAA01&0&10
      Service:
      .
      Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
      Description: PCI Device
      Device ID: PCI\VEN_8086&DEV_27D8&SUBSYS_604E107B&REV_01\3&61AAA01&0&D8
      Manufacturer:
      Name: PCI Device
      PNP Device ID: PCI\VEN_8086&DEV_27D8&SUBSYS_604E107B&REV_01\3&61AAA01&0&D8
      Service:
      .
      Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
      Description: Texas Instruments OHCI Compliant IEEE 1394 Host Controller
      Device ID: PCI\VEN_104C&DEV_8020&SUBSYS_00000000&REV_00\4&1E46F438&0&28F0
      Manufacturer: Texas Instruments
      Name: Texas Instruments OHCI Compliant IEEE 1394 Host Controller
      PNP Device ID: PCI\VEN_104C&DEV_8020&SUBSYS_00000000&REV_00\4&1E46F438&0&28F0
      Service: ohci1394
      .
      Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
      Description: Ethernet Controller
      Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_00000000&REV_01\4&1E46F438&0&40F0
      Manufacturer:
      Name: Ethernet Controller
      PNP Device ID: PCI\VEN_8086&DEV_27DC&SUBSYS_00000000&REV_01\4&1E46F438&0&40F0
      Service:
      .
      Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
      Description: SM Bus Controller
      Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_604E107B&REV_01\3&61AAA01&0&FB
      Manufacturer:
      Name: SM Bus Controller
      PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_604E107B&REV_01\3&61AAA01&0&FB
      Service:
      .
      ==== System Restore Points ===================
      .
      RP1: 5/25/2011 5:27:25 AM - System Checkpoint
      RP2: 5/28/2011 4:06:05 AM - System Checkpoint
      RP3: 5/29/2011 4:47:23 AM - System Checkpoint
      RP4: 5/30/2011 5:21:55 AM - System Checkpoint
      .
      ==== Installed Programs ======================
      .
      ADM 1.0
      Adobe Flash Player 10 ActiveX
      Adobe Flash Player 10 Plugin
      Adobe Reader 9.3
      AIM 7
      aiofw
      aioocr
      aioscnnr
      Analog Factory SE 1.2
      Antares Auto-Tune Evo VST
      Antares Autotune VST v5.09
      Antares AVOX Vocal Kit Bundle VST v1.02
      ArcSoft Print Creations
      ArcSoft Print Creations - Album Page
      ArcSoft Print Creations - Funhouse
      ArcSoft Print Creations - Greeting Card
      ArcSoft Print Creations - Photo Book
      ArcSoft Print Creations - Photo Calendar
      ArcSoft Print Creations - Scrapbook
      ArcSoft Print Creations - Slimline Card
      Ares 2.1.5
      ASIO4ALL
      BeatKangz Virtual Beat Thang Pro VSTi v2.0.1
      Best Service Chris Hein Horns
      Bonjour
      CCleaner (remove only)
      CCScore
      center
      CodeMeter Runtime Kit v4.01
      ConvertXtoDVD 4.0.12.327
      CS-80V2 2.0
      Download Updater (AOL LLC)
      DreamStation DXi2
      EASEUS Data Recovery Wizard Professional 5.0.1
      East West Vapor
      ElastikVst
      eLicenser Control
      Emagic Logic Audio Platinum 5.5
      EMCO Network Malware Cleaner
      ESSBrwr
      ESSCDBK
      ESScore
      ESSgui
      ESSini
      ESSPCD
      ESSPDock
      ESSTOOLS
      essvatgt
      FL Studio 10
      GForce - Minimonsta
      Gizmo5
      GoldWave v5.51
      Google Chrome
      Google Talk (remove only)
      Google Toolbar for Internet Explorer
      Google Update Helper
      Google Video Uploader
      Help_CTR
      HijackThis 2.0.2
      Hotfix for Windows XP (KB932716-v2)
      Hotfix for Windows XP (KB942288-v3)
      Hotfix for Windows XP (KB952287)
      Hotfix for Windows XP (KB981793)
      HxD Hex Editor version 1.7.7.0
      IL Download Manager
      ImageShack Uploader 2.2.0
      Interlok driver setup x32
      Internet Download Manager
      IrfanView (remove only)
      IsoBuster 2.5
      iZotope Ozone 4
      Java Auto Updater
      Java(TM) 6 Update 20
      Jupiter-8V 1.0
      kgcbaby
      kgchday
      kgchlwn
      kgcinvt
      kgckids
      kgcmove
      kgcvday
      Kodak EasyShare software
      KORG Legacy Collection - ANALOG EDITION 2007
      KORG Legacy Collection - DIGITAL EDITION
      ksdip
      LG United Mobile Driver
      LinPlug CronoX VSTi v2.04
      Live 8.1.4
      LogMeIn
      LUXONIX Purity
      M-Audio FastTrackPro Driver 6.0.2 (x86)
      M-Audio Series II MIDI
      Magic DVD Ripper V5.5.0
      Malwarebytes' Anti-Malware
      Mega Manager
      Microsoft .NET Framework 2.0
      Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
      Microsoft Visual C++ 2005 Redistributable
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
      Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
      Microsoft Visual C++ 2010  x86 Redistributable - 10.0.30319
      Microsoft WinUsb 1.0
      MIKSOFT Mobile Media Converter
      Mozilla Firefox (4.0b2)
      Mozilla Firefox 4.0.1 (x86 en-US)
      MySpaceIM
      Native Instruments Absynth 5
      Native Instruments Bandstand
      Native Instruments FM8
      Native Instruments Guitar Rig 4
      Native Instruments Hardware Controller Support
      Native Instruments Komplete 6
      Native Instruments Kontakt 4
      Native Instruments Maschine Driver
      Native Instruments Massive
      Native Instruments Pro-53
      Native Instruments Reaktor 5
      Native Instruments Reaktor Session One
      Native Instruments Service Center
      Nero 7 Premium
      neroxml
      netbrdg
      OfotoXMI
      OrangeVocoder v2.0-OxYGeN
      PlayItAll media player 1.0.5
      Reason 5.0
      ReCycle 2.1.2
      reFX Nexus VSTi RTAS v2.2.0
      Rob Papen RG 1.5 64 Bits
      SDFormatter
      Security Update for Windows Media Player (KB952069)
      Security Update for Windows Media Player (KB954155)
      Security Update for Windows Media Player (KB973540)
      Security Update for Windows Media Player (KB978695)
      Security Update for Windows Media Player (KB979402)
      Security Update for Windows XP (KB923561)
      Security Update for Windows XP (KB923789)
      Security Update for Windows XP (KB946648)
      Security Update for Windows XP (KB950759)
      Security Update for Windows XP (KB950760)
      Security Update for Windows XP (KB950762)
      Security Update for Windows XP (KB950974)
      Security Update for Windows XP (KB951376-v2)
      Security Update for Windows XP (KB951748)
      Security Update for Windows XP (KB952004)
      Security Update for Windows XP (KB952954)
      Security Update for Windows XP (KB954459)
      Security Update for Windows XP (KB955069)
      Security Update for Windows XP (KB956572)
      Security Update for Windows XP (KB956744)
      Security Update for Windows XP (KB956802)
      Security Update for Windows XP (KB956803)
      Security Update for Windows XP (KB956844)
      Security Update for Windows XP (KB958644)
      Security Update for Windows XP (KB958869)
      Security Update for Windows XP (KB959426)
      Security Update for Windows XP (KB960225)
      Security Update for Windows XP (KB960803)
      Security Update for Windows XP (KB960859)
      Security Update for Windows XP (KB961501)
      Security Update for Windows XP (KB969059)
      Security Update for Windows XP (KB970238)
      Security Update for Windows XP (KB970430)
      Security Update for Windows XP (KB971468)
      Security Update for Windows XP (KB971657)
      Security Update for Windows XP (KB971961)
      Security Update for Windows XP (KB972270)
      Security Update for Windows XP (KB973507)
      Security Update for Windows XP (KB973869)
      Security Update for Windows XP (KB973904)
      Security Update for Windows XP (KB974112)
      Security Update for Windows XP (KB974318)
      Security Update for Windows XP (KB974392)
      Security Update for Windows XP (KB974571)
      Security Update for Windows XP (KB975025)
      Security Update for Windows XP (KB975467)
      Security Update for Windows XP (KB975560)
      Security Update for Windows XP (KB975561)
      Security Update for Windows XP (KB975562)
      Security Update for Windows XP (KB975713)
      Security Update for Windows XP (KB977816)
      Security Update for Windows XP (KB977914)
      Security Update for Windows XP (KB978037)
      Security Update for Windows XP (KB978338)
      Security Update for Windows XP (KB978542)
      Security Update for Windows XP (KB978601)
      Security Update for Windows XP (KB978706)
      Security Update for Windows XP (KB979309)
      Security Update for Windows XP (KB979482)
      Security Update for Windows XP (KB979559)
      Security Update for Windows XP (KB979683)
      Security Update for Windows XP (KB980195)
      Security Update for Windows XP (KB980218)
      Security Update for Windows XP (KB980232)
      Security Update for Windows XP (KB981349)
      SFR
      SHASTA
      skin0001
      SKINXSDK
      SONAR X1 Producer
      Sonique
      SONiVOX Sampla
      staticcr
      Steinberg Cubase SX v3.0.2.623
      Steinberg Cubase v4.1.3
      String Machine
      SUPERAntiSpyware
      SyncroSoft Emu (Remove only)
      Tracktion 3.0.4.8
      Update for Windows XP (KB898461)
      Update for Windows XP (KB951978)
      Update for Windows XP (KB955759)
      Update for Windows XP (KB967715)
      Update for Windows XP (KB968389)
      Update for Windows XP (KB971737)
      Update for Windows XP (KB973687)
      Update for Windows XP (KB973815)
      Veoh Web Player
      Vista Codec Package
      Vista Ultimate Edition final  v1.0
      VPRINTOL
      WebFldrs XP
      Windows Genuine Advantage Notifications (KB905474)
      Windows Media Format Runtime
      Windows Vista Sounds Pack
      winLAME 2010 beta 2
      winLAME prerelease4
      WinRAR archiver
      WIRELESS
      Yahoo! BrowserPlus 2.9.8
      Yahoo! Messenger
      Yahoo! Software Update
      Yahoo! Toolbar
      Your Uninstaller! 2010
      .
      ==== Event Viewer Messages From Past Week ========
      .
      5/29/2011 12:32:38 PM, error: Service Control Manager [7034]  - The IMAPI CD-Burning COM Service service terminated unexpectedly.  It has done this 1 time(s).
      5/29/2011 12:23:38 PM, error: System Error [1003]  - Error code 1000007e, parameter1 c0000005, parameter2 b683db29, parameter3 ba4fb810, parameter4 ba4fb50c.
      5/28/2011 3:21:22 AM, error: Service Control Manager [7034]  - The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
      5/27/2011 7:45:59 PM, error: Service Control Manager [7034]  - The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).
      5/26/2011 7:28:00 PM, error: Service Control Manager [7034]  - The Kodak AiO Device Service service terminated unexpectedly.  It has done this 1 time(s).
      5/25/2011 5:58:56 PM, error: DCOM [10016]  - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID  {DCBCA92E-7DBE-4EDA-8B7B-3AAEA4DD412B}  to the user NT AUTHORITY\SYSTEM SID (S-1-5-18).  This security permission can be modified using the Component Services administrative tool.
      5/25/2011 5:58:52 PM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  ohci1394
      5/25/2011 5:58:52 PM, error: Service Control Manager [7022]  - The Bonjour Service service hung on starting.
      5/25/2011 5:57:27 PM, error: Service Control Manager [7000]  - The M-Audio Series II MIDI Installer service failed to start due to the following error:  The system cannot find the file specified.
      5/25/2011 5:19:48 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
      5/25/2011 2:09:08 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
      5/25/2011 2:08:50 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
      5/25/2011 2:01:29 AM, error: DCOM [10005]  - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
      5/25/2011 1:33:05 AM, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
      5/25/2011 1:33:05 AM, error: Service Control Manager [7001]  - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error:  A device attached to the system is not functioning.
      5/25/2011 1:33:05 AM, error: Service Control Manager [7001]  - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:  A device attached to the system is not functioning.
      5/25/2011 1:33:05 AM, error: Service Control Manager [7001]  - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
      5/25/2011 1:33:05 AM, error: Service Control Manager [7001]  - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error:  A device attached to the system is not functioning.
      5/25/2011 1:33:05 AM, error: Service Control Manager [7001]  - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error:  A device attached to the system is not functioning.
      .
      ==== End Of File ===========================


      .
      DDS (Ver_11-05-19.01) - NTFSx86
      Internet Explorer: 6.0.2900.3264  BrowserJavaVersion: 1.6.0_20
      Run by cs at 4:47:40 on 2011-05-31
      Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3062.2502 [GMT -4:00]
      .
      AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
      .
      ============== Running Processes ===============
      .
      C:\WINDOWS.2\system32\svchost -k DcomLaunch
      svchost.exe
      C:\WINDOWS.2\System32\svchost.exe -k netsvcs
      svchost.exe
      svchost.exe
      C:\WINDOWS.2\system32\spoolsv.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
      C:\Program Files\Bonjour\mDNSResponder.exe
      C:\Program Files\CodeMeter\Runtime\bin\CodeMeter.exe
      C:\Program Files\Google\Update\GoogleUpdate.exe
      C:\Program Files\Java\jre6\bin\jqs.exe
      C:\Program Files\Kodak\printer\center\KodakSvc.exe
      C:\Program Files\Google\Update\GoogleUpdate.exe
      C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
      C:\WINDOWS.2\system32\svchost.exe -k imgsvc
      C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
      C:\Program Files\Google\Update\GoogleUpdate.exe
      C:\WINDOWS.2\Explorer.EXE
      C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
      C:\WINDOWS.2\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Google\Google Talk\googletalk.exe
      C:\Program Files\AIM\aim.exe
      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
      C:\Program Files\internet download manager\IDMan.exe
      C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
      C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\WINDOWS.2\system32\M-AudioTaskBarIcon.exe
      C:\Documents and Settings\cs\Local Settings\Application Data\vcu.exe
      C:\Program Files\Mozilla Firefox\firefox.exe
      C:\Documents and Settings\cs\My Documents\Downloads\dds.scr
      C:\WINDOWS.2\system32\WSCRIPT.exe
      .
      ============== Pseudo HJT Report ===============
      .
      uStart Page = hxxp://www.yahoo.com/
      uSearch Page = hxxp://www.google.com
      uSearch Bar = hxxp://www.google.com/ie
      mDefault_Page_URL = hxxp://www.yahoo.com
      mDefault_Search_URL = hxxp://www.google.com/ie
      mStart Page = hxxp://www.yahoo.com
      uInternet Settings,ProxyOverride = *.local
      uInternet Settings,ProxyServer = http=127.0.0.1:61495
      uSearchAssistant = hxxp://www.google.com/ie
      uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
      mSearchAssistant = hxxp://www.google.com/ie
      uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
      BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - c:\program files\internet download manager\IDMIECC.dll
      BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
      BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
      BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
      BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.6209.1142\swg.dll
      BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
      BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
      BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
      BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
      TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
      TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
      uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
      uRun: [VeohPlugin] "c:\program files\veoh networks\veohwebplayer\veohwebplayer.exe"
      uRun: [ares] "c:\program files\ares\Ares.exe" -h
      uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
      uRun: [Google Update] "c:\documents and settings\cs\local settings\application data\google\update\GoogleUpdate.exe" /c
      uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
      uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
      uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
      mRun: [M-Audio Taskbar Icon] c:\windows.2\system32\M-AudioTaskBarIcon.exe
      mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
      mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
      mRun: [EKIJ5000StatusMonitor] c:\windows.2\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
      mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
      dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
      uPolicies-explorer: NoDesktop = 1 (0x1)
      IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
      IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
      IE: Download Link Using Mega Manager... - c:\program files\megaupload\mega manager\mm_file.htm
      IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
      IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
      IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
      IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
      LSP: c:\windows.2\system32\idmmbc.dll
      DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
      DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
      DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
      Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
      Notify: LMIinit - LMIinit.dll
      SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
      SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
      .
      ================= FIREFOX ===================
      .
      FF - ProfilePath - c:\documents and settings\cs\application data\mozilla\firefox\profiles\pwlppcx1.default\
      FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
      FF - prefs.js: browser.search.selectedEngine - Google
      FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
      FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=TB-WFFDS&qry=
      FF - prefs.js: network.proxy.http - 127.0.0.1
      FF - prefs.js: network.proxy.http_port - 61495
      FF - prefs.js: network.proxy.type - 0
      FF - component: c:\documents and settings\cs\application data\idm\idmmzcc3\components\idmmzcc.dll
      FF - component: c:\documents and settings\cs\application data\mozilla\firefox\profiles\pwlppcx1.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
      FF - component: c:\documents and settings\cs\application data\mozilla\firefox\profiles\pwlppcx1.default\extensions\{394dcba4-1f92-4f8e-8ec9-8d2cb90cb69b}\components\ScreenshotXPCOM.dll
      FF - plugin: c:\documents and settings\cs\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
      FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
      FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
      FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
      FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
      FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
      FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
      FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nppl3260.dll
      FF - plugin: c:\program files\vistacodecpack\rm\browser\plugins\nprpjplug.dll
      .
      ---- FIREFOX POLICIES ----
      FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
      ============= SERVICES / DRIVERS ===============
      .
      R0 aaatimeo;aaatimeo;c:\windows.2\system32\drivers\aaatimeo.sys [2006-2-26 4928]
      R0 afamgt;afamgt;c:\windows.2\system32\drivers\afamgt.sys [2006-3-28 91707]
      R0 siwinacc;siwinacc;c:\windows.2\system32\drivers\siwinacc.sys [2004-11-1 10368]
      R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
      R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
      R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\codemeter\runtime\bin\CodeMeter.exe [2009-4-3 1680704]
      R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-1-31 9216]
      R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2010-1-27 12856]
      R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows.2\system32\drivers\LMIRfsDriver.sys [2010-8-25 47640]
      R2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2008-11-21 3706880]
      R3 CLEDX;Team H2O CLEDX service;c:\windows.2\system32\drivers\cledx.sys [2010-11-13 33792]
      R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows.2\system32\drivers\MAudioFastTrackPro.sys [2009-11-9 158600]
      S?2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-7-6 135664]
      S3 Andbus;LGE Android Platform Composite USB Device;c:\windows.2\system32\drivers\lgandbus.sys [2011-4-26 14336]
      S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows.2\system32\drivers\lganddiag.sys [2011-4-26 20736]
      S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows.2\system32\drivers\lgandgps.sys [2011-4-26 20096]
      S3 ANDModem;LGE Android Platform USB Modem;c:\windows.2\system32\drivers\lgandmodem.sys [2011-4-26 25088]
      S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-7-6 135664]
      S3 RDID1009;EDIROL UM-1;c:\windows.2\system32\drivers\Rdwm1009.sys [2010-7-22 79393]
      S4 LMIRfsClientNP;LMIRfsClientNP;

      .
      =============== Created Last 30 ================
      .
      2011-05-31 01:05:24   364544   --sha-w-   c:\documents and settings\cs\local settings\application data\vcu.exe
      2011-05-29 16:24:40   341504   ---ha-w-   c:\documents and settings\all users\application data\14475044.exe
      2011-05-29 16:17:00   431104   ---ha-w-   c:\documents and settings\all users\application data\UtYUtxpPbB.exe
      2011-05-28 07:41:16   --------   d--h--w-   c:\documents and settings\cs\application data\SUPERAntiSpyware.com
      2011-05-28 07:41:12   --------   d--h--w-   c:\program files\SUPERAntiSpyware
      2011-05-27 23:44:16   327680   --sha-w-   c:\documents and settings\cs\local settings\application data\vgl.exe
      2011-05-25 06:02:23   --------   d--h--w-   c:\program files\EMCO Network Malware Cleaner
      2011-05-25 06:02:06   11254   ---ha-w-   c:\windows.2\system32\locate.com
      2011-05-25 06:01:43   --------   d--h--w-   C:\MGTools
      2011-05-25 06:01:11   --------   d--h--w-   c:\program files\common files\Wise Installation Wizard
      2011-05-25 06:01:05   --------   d--h--w-   c:\program files\CCleaner
      2011-05-25 05:48:51   --------   d--h--w-   c:\program files\Trend Micro
      2011-05-25 00:08:43   335872   --sha-w-   c:\documents and settings\cs\local settings\application data\hch.exe
      2011-05-14 22:10:34   --------   d--h--w-   c:\documents and settings\all users\application data\SUPERAntiSpyware.com
      .
      ==================== Find3M  ====================
      .
      2011-04-17 20:43:57   1409   ---ha-w-   c:\windows.2\QTFont.for
      2011-04-05 03:57:12   118784   ---ha-w-   c:\windows.2\dsdxirmv.exe
      2009-08-14 14:35:34   84350616   ---ha-w-   c:\program files\Komplete 6 Setup PC.exe
      .
      ============= FINISH:  4:48:24.54 ===============
      « Last Edit: May 31, 2011, 03:22:15 AM by goodie2010 »

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Did you run MBAM? I will need to see the log.

      The log shows that you only have 47.5 Gb of free space on your hard drive. Windows requires 15% (70 Gb) in order to function properly. You will need to free up some space. You can do this by removing programs that you no longer use. You can also off-load pictures, videos, music and important documents to DVD's or, in your case, transfer them to your E drive.

      P2P - I see you have P2P software installed on your machine Ares 2.1.5. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

      Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

      I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
      ******************************************************
      Download OTL to your desktop.

      * Open OTL
      * Copy and Paste the following text in the codebox into the Custom Scans/Fixes window.

      Code:
      :OTL
      uInternet Settings,ProxyServer = http=127.0.0.1:61495
      FF - prefs.js: network.proxy.http_port - 61495

      :COMMANDS
      [resethosts]
      [purity]
      [emptytemp]
      [start explorer]

      * Click Run Fix
      * OTLI2 may ask to reboot the machine. Please do so if asked.
      * Click OK
      * A report will open. Copy and Paste that report in your next reply.
      ****************************************************************
      Please download ComboFix from BleepingComputer.com

      Alternate link: GeeksToGo.com

      and save it to your Desktop.
      It would be easiest to download using Internet Explorer.
      If you insist on using Firefox, make sure that your download settings are as follows:

      * Tools->Options->Main tab
      * Set to "Always ask me where to Save the files".

      Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
      Double click ComboFix.exe & follow the prompts.
      As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
      Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

      Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

      Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


      Click on Yes, to continue scanning for malware.
      When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

      If you have problems with ComboFix usage, see How to use ComboFix
      Windows 8 and Windows 10 dual boot with two SSD's
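The OTL fix above targets two things visible in the posted DDS log: the rogue program's local proxy (Internet Explorer's ProxyServer and Firefox's network.proxy.http/http_port both pointing at 127.0.0.1:61495, which is why neither browser could connect) and the executables it dropped with hidden and system attributes under Application Data. The following script is an added example, not part of this thread or of DDS, OTL or ComboFix; it runs the same kind of triage over log lines. The sample lines are copied from the logs posted in this thread (plus one benign entry to show it is not flagged); the rule names, the attribute-string heuristic and the "executable dropped directly in an Application Data root" heuristic are the example's own assumptions.

```python
"""Flag rogue-AV style indicators in DDS/ComboFix-format log lines.

Added example; the rule names and heuristics are assumptions made here,
not anything DDS, OTL or ComboFix implement.
"""
import re

# Constructed sample: lines copied from the DDS and ComboFix logs in the thread.
SAMPLE_LOG = r"""
uInternet Settings,ProxyServer = http=127.0.0.1:61495
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61495
FF - prefs.js: network.proxy.type - 0
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
2011-05-31 01:05:24   364544   --sha-w-   c:\documents and settings\cs\local settings\application data\vcu.exe
2011-05-29 16:24:40   341504   ---ha-w-   c:\documents and settings\all users\application data\14475044.exe
2011-05-28 07:41:12   --------   d--h--w-   c:\program files\SUPERAntiSpyware
2009-08-14 14:35:34   84350616   ---ha-w-   c:\program files\Komplete 6 Setup PC.exe
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""

LOOPBACK = {"127.0.0.1", "localhost"}

# IE proxy line: "ProxyServer = http=127.0.0.1:61495" (the "http=" prefix is optional).
IE_PROXY = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?([^:\s]+):(\d+)", re.I)
# Firefox pref lines as DDS prints them: "FF - prefs.js: <name> - <value>".
FF_PREF = re.compile(r"FF - prefs\.js: (network\.proxy\.\S+) - (\S+)")
# "Created Last 30" style file lines: timestamp, size (or dashes), 8-char attribute field, path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(\S+)\s+([-a-z]{8})\s+(.+)$", re.I)
# Security Center / firewall registry values from the ComboFix "Reg Loading Points" section.
REG_FLAG = re.compile(
    r'"(AntiVirusOverride|FirewallOverride|EnableFirewall)"\s*=\s*(?:dword:)?(\d+)', re.I)


def triage(log_text):
    """Return a list of (rule_name, detail) tuples for suspicious lines."""
    findings = []
    ff_proxy = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = IE_PROXY.search(line)
        if m and m.group(1).lower() in LOOPBACK:
            # A browser proxy on the loopback interface is the classic rogue-AV
            # "can't reach the internet / check your proxy" symptom.
            findings.append(("ie_loopback_proxy", f"{m.group(1)}:{m.group(2)}"))
            continue

        m = FF_PREF.match(line)
        if m:
            ff_proxy[m.group(1)] = m.group(2)   # evaluated after the loop
            continue

        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group(2).lower(), m.group(3).lower()
            if attrs.startswith("d"):            # directory entry, not a file
                continue
            parent = path.rsplit("\\", 1)[0]
            if path.endswith(".exe") and "s" in attrs and "h" in attrs:
                # System + hidden on a fresh .exe in a user profile is how the
                # dropped vcu.exe / hch.exe entries appear in the log.
                findings.append(("system_hidden_exe", path))
            elif path.endswith(".exe") and parent.endswith("application data"):
                # Heuristic (assumption): legitimate installers use a vendor
                # subfolder; a bare .exe in the Application Data root is unusual.
                findings.append(("exe_in_appdata_root", path))
            continue

        m = REG_FLAG.search(line)
        if m:
            name, val = m.group(1).lower(), int(m.group(2))
            if (name.endswith("override") and val == 1) or (name == "enablefirewall" and val == 0):
                findings.append(("security_center_weakened", f"{m.group(1)}={val}"))

    host = ff_proxy.get("network.proxy.http")
    if host and host.lower() in LOOPBACK:
        port = ff_proxy.get("network.proxy.http_port", "?")
        findings.append(("firefox_loopback_proxy", f"{host}:{port}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```

Firefox's `network.proxy.type - 0` line on its own is not flagged, because a type of 0 means "no proxy" in Firefox; the stale `network.proxy.http` host and `http_port` entries are flagged regardless, since those are what the OTL script above removes. The Komplete installer in Program Files shows a normal archive-only attribute string and is left alone.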

      goodie2010


        Thanks for your help Super Dave, I can't run mbam in regular or safe mode, this xp anti-virus 2011 crap keeps popping up, I close in taskmanager (vcu.exe), it took me 30 minutes to finally get firefox to open.  BTW it wont even let me install a new mbam.  Also I can't save anything to my desktop because there are no icons on my desktop and right clicking does nothing. >:(

        I'm saving everything in Documents folder since that's the only folder I can access, all my docs aren't even showing up there.  Also I know you said I need like 17% free to run windows but since I can't access most of my files I have no way of freeing up that much space. :(


        OTL


        All processes killed
        ========== OTL ==========
        Prefs.js: network.proxy.http_port - 61495 removed from refs.js
        ========== COMMANDS ==========
        C:\WINDOWS.2\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        [EMPTYTEMP]
         
        User: All Users
         
        User: android-sdk-windows
         
        User: AndroidSDK
         
        User: cs
        ->Temp folder emptied: 7521776 bytes
        ->Temporary Internet Files folder emptied: 172898 bytes
        ->Java cache emptied: 0 bytes
        ->FireFox cache emptied: 104628121 bytes
        ->Google Chrome cache emptied: 121101181 bytes
        ->Flash cache emptied: 4677 bytes
         
        User: Default User
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: LocalService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: LogMeInRemoteUser
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: NetworkService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        %systemdrive% .tmp files removed: 0 bytes
        %systemroot% .tmp files removed: 2459876 bytes
        %systemroot%\System32 .tmp files removed: 2577 bytes
        %systemroot%\System32\dllcache .tmp files removed: 0 bytes
        %systemroot%\System32\drivers .tmp files removed: 0 bytes
        Windows Temp folder emptied: 33273 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
        RecycleBin emptied: 0 bytes
         
        Total Files Cleaned = 225.00 mb
         
         
        OTL by OldTimer - Version 3.2.23.0 log created on 05312011_162601

        Files\Folders moved on Reboot...

        Registry entries deleted on Reboot...





        COMBOFIX



        All processes killed
        ========== OTL ==========
        Prefs.js: network.proxy.http_port - 61495 removed from refs.js
        ========== COMMANDS ==========
        C:\WINDOWS.2\System32\drivers\etc\Hosts moved successfully.
        HOSTS file reset successfully
         
        [EMPTYTEMP]
         
        User: All Users
         
        User: android-sdk-windows
         
        User: AndroidSDK
         
        User: cs
        ->Temp folder emptied: 7521776 bytes
        ->Temporary Internet Files folder emptied: 172898 bytes
        ->Java cache emptied: 0 bytes
        ->FireFox cache emptied: 104628121 bytes
        ->Google Chrome cache emptied: 121101181 bytes
        ->Flash cache emptied: 4677 bytes
         
        User: Default User
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: LocalService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: LogMeInRemoteUser
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        User: NetworkService
        ->Temp folder emptied: 0 bytes
        ->Temporary Internet Files folder emptied: 33170 bytes
         
        %systemdrive% .tmp files removed: 0 bytes
        %systemroot% .tmp files removed: 2459876 bytes
        %systemroot%\System32 .tmp files removed: 2577 bytes
        %systemroot%\System32\dllcache .tmp files removed: 0 bytes
        %systemroot%\System32\drivers .tmp files removed: 0 bytes
        Windows Temp folder emptied: 33273 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
        %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
        RecycleBin emptied: 0 bytes
         
        Total Files Cleaned = 225.00 mb
         
         
        OTL by OldTimer - Version 3.2.23.0 log created on 05312011_162601

        Files\Folders moved on Reboot...

        Registry entries deleted on Reboot...


        SuperDave

        Please try running this in Safe Mode with Networking.

        • Please download Unhide by Grinler from here and save it to your desktop.
        • Double click unhide.exe to run the tool.
        • It will take some time to go through all your files, so please be patient.
        • If this tool doesn't fix the problem, please let me know.
        **************************************************
        You didn't post the ComboFix log.

        goodie2010


          Please try running this in Safe Mode with NetWorking.
          You didn't post the ComboFix log.




          ComboFix 11-05-31.01 - cs 05/31/2011  17:02:53.1.2 - x86
          Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.3062.2497 [GMT -4:00]
          Running from: c:\documents and settings\cs\My Documents\Downloads\Programs\ComboFix.exe
          AV: Kaspersky Anti-Virus *Disabled/Outdated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
          .
          .
          (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          c:\documents and settings\All Users\Application Data\14475044.exe
          c:\documents and settings\All Users\Application Data\UtYUtxpPbB.exe
          c:\documents and settings\android-sdk-windows\SDK Setup.exe
          c:\documents and settings\AndroidSDK\SDK Setup.exe
          c:\documents and settings\cs\Application Data\inst.exe
          c:\documents and settings\cs\Local Settings\Application Data\hch.exe
          c:\documents and settings\cs\Local Settings\Application Data\vcu.exe
          c:\documents and settings\cs\Local Settings\Application Data\vgl.exe
          c:\windows.2\system32\sysinfo.exe
          c:\windows.2\XSxS
          E:\autorun.inf
          E:\install.exe
          .
          .
          (((((((((((((((((((((((((   Files Created from 2011-04-28 to 2011-05-31  )))))))))))))))))))))))))))))))
          .
          .
          2011-05-31 20:26 . 2011-05-31 20:26   --------   d-----w-   C:\_OTL
          2011-05-28 07:41 . 2011-05-28 07:41   --------   d--h--w-   c:\documents and settings\cs\Application Data\SUPERAntiSpyware.com
          2011-05-28 07:41 . 2011-05-31 09:12   --------   d--h--w-   c:\program files\SUPERAntiSpyware
          2011-05-25 06:02 . 2011-05-25 06:02   --------   d-----w-   C:\rsit
          2011-05-25 06:02 . 2011-05-28 01:28   --------   d--h--w-   c:\program files\EMCO Network Malware Cleaner
          2011-05-25 06:02 . 2005-01-14 02:41   11254   ---ha-w-   c:\windows.2\system32\locate.com
          2011-05-25 06:01 . 2011-05-28 01:27   --------   d-----w-   C:\MGTools
          2011-05-25 06:01 . 2011-05-25 06:01   --------   d--h--w-   c:\program files\Common Files\Wise Installation Wizard
          2011-05-25 06:01 . 2011-05-25 06:01   --------   d--h--w-   c:\program files\CCleaner
          2011-05-25 05:48 . 2011-05-25 05:48   --------   d--h--w-   c:\program files\Trend Micro
          2011-05-14 22:10 . 2011-05-14 22:10   --------   d--h--w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
          .
          .
          .
          ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2011-05-28 01:43 . 2011-05-25 06:19   1912   ---ha-w-   C:\MGlogs.zip
          2011-04-17 20:43 . 2011-04-17 20:43   1409   ---ha-w-   c:\windows.2\QTFont.for
          2011-04-05 03:57 . 2011-04-05 03:57   118784   ---ha-w-   c:\windows.2\dsdxirmv.exe
          2009-08-14 14:35 . 2009-08-14 14:35   84350616   ---ha-w-   c:\program files\Komplete 6 Setup PC.exe
          2011-04-30 03:28 . 2011-03-27 20:34   142296   ---ha-w-   c:\program files\mozilla firefox\components\browsercomps.dll
          .
          .
          ------- Sigcheck -------
          Note: Unsigned files aren't necessarily malware.
          .
          [-] 2008-01-11 . 2B60598FE17A9EAA1468C1B8F73EA0B9 . 1613824 . . [5.1.2600.3264] . . c:\windows.2\system32\sfcfiles.dll
          .
          (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          .
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "IDMan"="c:\program files\internet download manager\IDMan.exe" [2010-05-26 3220912]
          "VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
          "ares"="c:\program files\Ares\Ares.exe" [2010-02-08 1015808]
          "Aim"="c:\program files\AIM\aim.exe" [2011-01-05 4321112]
          "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-07-07 39408]
          .
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "M-Audio Taskbar Icon"="c:\windows.2\system32\M-AudioTaskBarIcon.exe" [2009-11-09 643592]
          "googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
          "ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2010-10-28 207424]
          "EKIJ5000StatusMonitor"="c:\windows.2\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2010-09-02 1638400]
          "H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-05-11 200069]
          .
          [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
          "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2009-12-01 6373376]
          .
          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
          "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
          2009-09-03 22:21   548352   ---ha-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
          2010-06-02 20:06   87424   ---ha-w-   c:\windows.2\system32\LMIinit.dll
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
          "Midi1"=ma_cmidn.dll
          "midi3"=ma_cmidn.dll
          .
          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
          SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll
          .
          [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
          @="Driver"
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
          2010-09-21 18:37   932288   ---ha-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]
          2010-02-08 14:51   1015808   ---ha-w-   c:\program files\Ares\Ares.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Gizmo5]
          2009-11-11 02:21   5079040   ---ha-w-   c:\program files\Gizmo5\Gizmo5.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]
          2010-05-26 17:16   3220912   ---ha-w-   c:\program files\internet download manager\IDMan.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
          2007-11-30 12:16   208952   ---ha-w-   c:\windows.2\ime\IMJP8_1\imjpmig.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
          2010-01-27 16:22   63048   ---ha-w-   c:\program files\LogMeIn\x86\LogMeInSystray.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
          2010-06-01 14:17   5252408   ---ha-w-   c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
          2007-12-01 06:26   1695232   ---h--w-   c:\program files\Messenger\msmsgs.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
          2009-12-01 19:11   6373376   ---ha-w-   c:\program files\MySpace\IM\MySpaceIM.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
          2007-03-01 19:57   153136   ---ha-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
          2007-11-30 12:16   455168   ---ha-w-   c:\windows.2\system32\IME\TINTLGNT\TINTSETP.EXE
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
          2007-11-30 12:16   455168   ---ha-w-   c:\windows.2\system32\IME\TINTLGNT\TINTSETP.EXE
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoniqueQuickStart]
          2010-07-03 07:30   44832   ---ha-w-   c:\program files\Sonique\SQStart.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
          2010-07-07 03:12   39408   ---ha-w-   c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
          "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
          .
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusOverride"=dword:00000001
          "FirewallOverride"=dword:00000001
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)
          "DisableNotifications"= 1 (0x1)
          .
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "c:\\Program Files\\CodeMeter\\Runtime\\bin\\CodeMeter.exe"=
          "c:\\Program Files\\Ares\\Ares.exe"=
          "c:\\Program Files\\Gizmo5\\mDNSResponder.exe"=
          "c:\\Program Files\\Gizmo5\\Gizmo5.exe"=
          "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
          "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
          "c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
          "c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
          "c:\\Program Files\\AIM\\aim.exe"=
          "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "c:\\Program Files\\emagic\\Logic 5\\VstPlugIns\\FXpansion\\Guru\\Guru.exe"=
          "c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
          "c:\\Program Files\\Tracktion 3.0.4.8\\Tracktion.exe"=
          .
          R0 aaatimeo;aaatimeo;c:\windows.2\system32\drivers\aaatimeo.sys [2/26/2006 11:21 AM 4928]
          R0 afamgt;afamgt;c:\windows.2\system32\drivers\afamgt.sys [3/28/2006 10:43 AM 91707]
          R0 siwinacc;siwinacc;c:\windows.2\system32\drivers\siwinacc.sys [11/1/2004 6:21 AM 10368]
          R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
          R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
          R2 CodeMeter.exe;CodeMeter Runtime Server;c:\program files\CodeMeter\Runtime\bin\CodeMeter.exe [4/3/2009 6:01 AM 1680704]
          R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [1/31/2007 11:38 PM 9216]
          R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
          R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [11/21/2008 2:37 PM 3706880]
          R3 CLEDX;Team H2O CLEDX service;c:\windows.2\system32\drivers\cledx.sys [11/13/2010 3:43 PM 33792]
          R3 MAUSBFASTTRACKPRO;Service for M-Audio FastTrack Pro;c:\windows.2\system32\drivers\MAudioFastTrackPro.sys [11/9/2009 3:56 PM 158600]
          S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2010 11:12 PM 135664]
          S3 Andbus;LGE Android Platform Composite USB Device;c:\windows.2\system32\drivers\lgandbus.sys [4/26/2011 8:37 PM 14336]
          S3 AndDiag;LGE Android Platform USB Serial Port;c:\windows.2\system32\drivers\lganddiag.sys [4/26/2011 8:37 PM 20736]
          S3 AndGps;LGE Android Platform USB GPS NMEA Port;c:\windows.2\system32\drivers\lgandgps.sys [4/26/2011 8:37 PM 20096]
          S3 ANDModem;LGE Android Platform USB Modem;c:\windows.2\system32\drivers\lgandmodem.sys [4/26/2011 8:37 PM 25088]
          S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/6/2010 11:12 PM 135664]
          S3 RDID1009;EDIROL UM-1;c:\windows.2\system32\drivers\Rdwm1009.sys [7/22/2010 9:38 PM 79393]
          .
          Contents of the 'Scheduled Tasks' folder
          .
          2011-05-31 c:\windows.2\Tasks\GoogleUpdateTaskMachineCore.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 03:12]
          .
          2011-05-31 c:\windows.2\Tasks\GoogleUpdateTaskMachineUA.job
          - c:\program files\Google\Update\GoogleUpdate.exe [2010-07-07 03:12]
          .
          .
          ------- Supplementary Scan -------
          .
          uStart Page = hxxp://www.yahoo.com/
          uSearch Page = hxxp://www.google.com
          uSearch Bar = hxxp://www.google.com/ie
          mStart Page = hxxp://www.yahoo.com
          uInternet Settings,ProxyOverride = *.local
          uInternet Settings,ProxyServer = http=127.0.0.1:61495
          uSearchAssistant = hxxp://www.google.com/ie
          uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
          IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
          IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
          IE: Download Link Using Mega Manager... - c:\program files\Megaupload\Mega Manager\mm_file.htm
          IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
          IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
          LSP: c:\windows.2\system32\idmmbc.dll
          TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
          FF - ProfilePath - c:\documents and settings\cs\Application Data\Mozilla\Firefox\Profiles\pwlppcx1.default\
          FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
          FF - prefs.js: browser.search.selectedEngine - Google
          FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
          FF - prefs.js: keyword.URL - hxxp://searchservice.myspace.com/index.cfm?fuseaction=sitesearch.results&type=Web&orig=TB-WFFDS&qry=
          FF - prefs.js: network.proxy.http - 127.0.0.1
          FF - prefs.js: network.proxy.http_port - 61495
          FF - prefs.js: network.proxy.type - 0
          FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
          .
          - - - - ORPHANS REMOVED - - - -
          .
          MSConfigStartUp-Google Update - c:\documents and settings\cs\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
          MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
          .
          .
          .
          **************************************************************************
          .
          catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2011-05-31 17:07
          Windows 5.1.2600 Service Pack 3, v.5938 NTFS
          .
          scanning hidden processes ... 
          .
          scanning hidden autostart entries ...
          .
          scanning hidden files ... 
          .
          scan completed successfully
          hidden files: 0
          .
          **************************************************************************
          .
          --------------------- LOCKED REGISTRY KEYS ---------------------
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
          @Denied: (Full) (Everyone)
          "scansk"=hex(0):1b,f8,5e,a5,ce,f9,58,34,da,3d,ce,6d,b8,c6,86,35,57,29,b3,33,f8,
             3b,71,5d,a5,ac,ef,38,86,ee,a5,32,ac,26,f2,e6,dc,de,4c,ff,00,00,00,00,00,00,\
          .
          [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{9ebab496-a799-4192-bd70-f3d45b19ba23}]
          @Denied: (Full) (Everyone)
          "Model"=dword:00000116
          "Therad"=dword:0000001a
          "MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
             1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
          .
          [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
          @DACL=(02 0000)
          @=""
          "Installed"="1"
          .
          [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
          @DACL=(02 0000)
          @=""
          "Installed"="1"
          "NoChange"="1"
          .
          [HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
          @DACL=(02 0000)
          @=""
          "Installed"="1"
          .
          --------------------- DLLs Loaded Under Running Processes ---------------------
          .
          - - - - - - - > 'winlogon.exe'(628)
          c:\program files\SUPERAntiSpyware\SASWINLO.DLL
          c:\windows.2\system32\LMIinit.dll
          c:\windows.2\system32\LMIRfsClientNP.dll
          .
          - - - - - - - > 'lsass.exe'(684)
          c:\windows.2\system32\idmmbc.dll
          .
          Completion time: 2011-05-31  17:09:41
          ComboFix-quarantined-files.txt  2011-05-31 21:09
          .
          Pre-Run: 51,120,852,992 bytes free
          Post-Run: 51,764,510,720 bytes free
          .
          WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
          [boot loader]
          timeout=2
          default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.2
          [operating systems]
          c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
          UnsupportedDebug="do not select this" /debug
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.2="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.1="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS.0="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
          multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
          .
          - - End Of File - - 11A9E8B24D7BB7788E6E79836C87B838
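The "FF - prefs.js" lines in the ComboFix log above show an HTTP proxy of 127.0.0.1:61495 with network.proxy.type set to 0, which is exactly the loopback-proxy hijack that made the browsers report "check proxy or internet options" earlier in the thread. The following is an added example, not part of the thread or of ComboFix; it parses those lines (a constructed sample copied in shape from the log) and reports whether a loopback proxy is merely left over or still active (Firefox uses type 1 for a manual proxy, 0 for a direct connection).

```python
import re

# Constructed sample: "FF - prefs.js:" lines in the shape ComboFix prints them,
# with the values seen in this thread's log.
SAMPLE_LOG = """\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 61495
FF - prefs.js: network.proxy.type - 0
"""

PREF_RE = re.compile(r"^FF - prefs\.js: (\S+) - (.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_ff_prefs(log_text):
    """Return {pref_name: value} for every 'FF - prefs.js:' line in a log."""
    prefs = {}
    for line in log_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs


def assess_proxy(prefs):
    """Classify the Firefox HTTP proxy setting found in the parsed prefs.

    Returns (status, detail).  A loopback host with proxy type 1 means a
    local process is still in the browser's path; with type 0 the entry is
    stale (the user disabled the proxy, as happened in this thread).
    """
    host = prefs.get("network.proxy.http")
    port = prefs.get("network.proxy.http_port", "")
    ptype = prefs.get("network.proxy.type", "0")
    if host is None:
        return ("clean", "no HTTP proxy configured")
    target = f"{host}:{port}"
    if host in LOOPBACK and ptype == "1":
        return ("active-loopback-proxy", target)
    if host in LOOPBACK:
        return ("stale-loopback-proxy", target)
    return ("proxy-configured", target)


if __name__ == "__main__":
    print(assess_proxy(parse_ff_prefs(SAMPLE_LOG)))
```

A stale entry is still worth cleaning, since the next run of the same fake AV only has to flip network.proxy.type back to 1 to re-enable it.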

          goodie2010

            Topic Starter


            Beginner

            Thanks SUPERDAVE, my files are back, but I'm so paranoid. I thought I got rid of this XP 2011 antivirus a week ago and it pops back up; is it really gone?

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            Re: Desktop icons gone, document, program folders empty, no sys restoree
            « Reply #8 on: June 01, 2011, 01:30:04 PM »
            Quote
            my files are back, but i'm so paranoid, i thought i got rid of this xp 2011 antivirus a week ago and it pops back up, is it really gone?
            We're getting there. Your ComboFix is running from the wrong location. Please uninstall/delete it. Download a new one and save it to your desktop. Run another scan and post the log.

            Download Security Check by screen317 from one of the following links and save it to your desktop.

            Link 1
            Link 2

            * Unzip SecurityCheck.zip and a folder named Security Check should appear.
            * Open the Security Check folder and double-click Security Check.bat
            * Follow the on-screen instructions inside of the black box.
            * A Notepad document should open automatically called checkup.txt
            * Post the contents of that document in your next reply.

            Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
            Windows 8 and Windows 10 dual boot with two SSD's