Desktop's icons disappeared!

My icons have disappeared from my desktop, please help.

Hello and welcome to GeekPolice.NetMy name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************

• Please download Unhide by Grinler from here and save it to your desktop.
  
  
• Double click unhide.exe to run the tool.
  
  
• It will take some time to go through all your files, so please be patient.
  
  
• If this tool doesn´t fix the problem, please let me know.
  
  

************************************************
Please download AdwCleaner by Xplode onto your Desktop.

• Please close all open programs and internet browsers.
  
  
• Double click on adwcleaner.exe to run the tool.
  
  
• Click on Delete.
  
  
• Confirm each time with OK
  
  
• Your computer will be rebooted automatically. A text file will open after the restart.
  
  
• Please post the content of that logfile in your reply.
  
  
• You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
  
  

*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
  
• If an update is found, it will download and install the latest version.
  
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
  
• The scan may take some time to finish,so please be patient.
  
  
• When the scan is complete, click OK, then Show Results to view the results.
  
  
• Make sure that everything is checked, and click Remove Selected.
  
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
  
• Please save the log to a location you will remember.
  
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
  
• Copy and paste the entire report in your next reply.
  
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*****************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.

Last edited by Superdave on 12th October 2013, 10:28 pm; edited 1 time in total

Hi Dave,
Thank you for your quick response. I ran the unhide.exe and the icons appeared but when I rebooted, like the program asked, they disappeared again. I then disabled Avast and re-ran the program, the same thing happened. I ran the adwcleaner through the task manager but when it reboots, the txt wont open and don't know how to find it.

When I look under the C:\AdwCleaner, there are two folders: backup and quarantine. No txt file.

sorry about the ignorance! Here it is:
# AdwCleaner v3.005 - Report created 28/09/2013 at 16:00:40
# Updated 22/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Rosa - D7XR78C1
# Running from : C:\Documents and Settings\Rosa\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v

[ File : C:\Documents and Settings\Rosa\Application Data\Mozilla\Firefox\Profiles\39m2v042.default\prefs.js ]


-\\ Google Chrome v29.0.1547.76

[ File : C:\Documents and Settings\Rosa\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [8496 octets] - [20/09/2013 10:30:06]
AdwCleaner[R1].txt - [1296 octets] - [27/09/2013 14:41:05]
AdwCleaner[R2].txt - [1187 octets] - [27/09/2013 18:20:28]
AdwCleaner[R3].txt - [1247 octets] - [27/09/2013 18:22:52]
AdwCleaner[R4].txt - [1308 octets] - [27/09/2013 18:30:04]
AdwCleaner[R5].txt - [1428 octets] - [28/09/2013 09:10:56]
AdwCleaner[R6].txt - [1168 octets] - [28/09/2013 16:00:40]
AdwCleaner[S0].txt - [8733 octets] - [20/09/2013 10:32:18]
AdwCleaner[S1].txt - [1363 octets] - [27/09/2013 14:42:29]
AdwCleaner[S2].txt - [1369 octets] - [27/09/2013 18:31:01]
AdwCleaner[S3].txt - [1489 octets] - [28/09/2013 09:11:57]

Ok, please run the other scanners and post the logs.

Here is the Malwarebytes:
alwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.28.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Rosa :: D7XR78C1 [administrator]

9/28/2013 6:13:32 PM
mbam-log-2013-09-28 (18-13-32).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 614474
Time elapsed: 3 hour(s), 38 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

JRT:
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.3 (09.27.2013:1)
OS: Microsoft Windows XP x86
Ran by Rosa on Sat 09/28/2013 at 23:08:42.48
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 09/28/2013 at 23:12:28.35
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download Combofix from any of the links below, and save it to your DESKTOP.
If your version of Windows defaults to you download folder you will need to copy it to your desktop.

Link 1
Link 2
Link 3

To prevent your anti-virus application interfering with ComboFix we need to disable it. See here for a tutorial regarding how to do so if you are unsure.

• Close any open windows and double click ComboFix.exe to run it.
  
  You will see the following image:
  

Click I Agree to start the program.

ComboFix will then extract the necessary files and you will see this:



As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7

It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

If you did not have it installed, you will see the prompt below. Choose YES.



Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

ComboFix 13-09-28.02 - Rosa 09/29/2013 17:02:22.19.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2467 [GMT -4:00]
Running from: c:\documents and settings\Rosa\Desktop\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Rosa\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
.
.
((((((((((((((((((((((((( Files Created from 2013-08-28 to 2013-09-29 )))))))))))))))))))))))))))))))
.
.
2013-09-29 20:37 . 2013-09-29 20:37 -------- d-----w- c:\windows\LastGood
2013-09-21 13:14 . 2013-09-27 18:36 -------- d-----w- C:\Rooter$
2013-09-20 18:40 . 2013-09-20 18:40 94632 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-09-20 14:43 . 2013-09-20 14:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-09-20 14:43 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-09-20 14:30 . 2013-09-28 20:27 -------- d-----w- C:\AdwCleaner
2013-09-20 12:11 . 2013-09-20 14:18 -------- d-----w- c:\documents and settings\Rosa\Local Settings\Application Data\assembly
2013-09-12 14:18 . 2013-09-12 15:29 -------- d-----w- c:\documents and settings\Rosa\Local Settings\Application Data\NPE
2013-09-11 02:20 . 2013-09-20 00:20 3723656 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2013-09-06 19:59 . 2013-09-27 20:15 909 ----a-w- C:\Layers.scr
2013-09-05 21:58 . 2013-09-05 21:58 -------- d-----w- c:\windows\system32\wbem\Repository
2013-09-05 14:04 . 2013-09-05 14:04 209272 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-09-20 18:40 . 2013-04-24 18:36 868264 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-09-20 18:40 . 2013-04-24 18:35 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-09-20 18:40 . 2010-05-13 12:50 790440 ----a-w- c:\windows\system32\deployJava1.dll
2013-09-20 00:20 . 2012-05-24 16:11 692616 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-09-20 00:20 . 2011-05-20 14:13 71048 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-09-10 15:21 . 2009-06-08 01:34 2516 --sha-w- c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2013-08-30 07:48 . 2013-07-31 13:18 369584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-08-30 07:48 . 2013-07-31 13:18 56080 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-08-30 07:48 . 2013-07-31 13:18 177864 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-08-30 07:48 . 2013-07-31 13:18 770344 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-08-30 07:48 . 2013-07-31 13:18 49760 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-08-30 07:48 . 2013-07-31 13:18 49376 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-08-30 07:48 . 2013-07-31 13:18 204784 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-08-30 07:48 . 2013-07-31 13:18 29816 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-08-30 07:48 . 2013-07-31 13:18 21576 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-08-30 07:48 . 2013-07-31 13:18 104752 ----a-w- c:\windows\system32\drivers\aswFW.sys
2013-08-30 07:48 . 2013-07-31 13:18 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-08-30 07:47 . 2013-07-31 13:17 41664 ----a-w- c:\windows\avastSS.scr
2013-08-30 07:47 . 2013-07-31 13:17 229648 ----a-w- c:\windows\system32\aswBoot.exe
2013-08-09 01:56 . 2004-08-11 23:00 386560 ----a-w- c:\windows\system32\themeui.dll
2013-08-08 06:05 . 2004-08-11 23:00 920064 ----a-w- c:\windows\system32\wininet.dll
2013-08-08 06:05 . 2004-08-11 23:00 43520 ------w- c:\windows\system32\licmgr10.dll
2013-08-08 06:05 . 2004-08-11 23:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-08-08 06:05 . 2004-08-11 23:00 18944 ----a-w- c:\windows\system32\corpol.dll
2013-08-08 01:27 . 2004-08-11 23:00 1877760 ----a-w- c:\windows\system32\win32k.sys
2013-08-08 00:02 . 2004-08-11 23:00 385024 ------w- c:\windows\system32\html.iec
2013-08-05 13:30 . 2004-08-11 23:00 1289728 ----a-w- c:\windows\system32\ole32.dll
2013-08-03 18:18 . 2006-10-19 02:47 1543680 ------w- c:\windows\system32\wmvdecod.dll
2013-07-10 10:37 . 2004-08-11 23:00 406016 ----a-w- c:\windows\system32\usp10.dll
2013-07-04 03:03 . 2004-08-11 23:00 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2004-08-04 04:59 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-08-26 19:41 . 2012-08-26 19:40 17798272 ----a-w- c:\program files\Dropbox 1.4.12.exe
2008-08-01 16:43 . 2008-08-01 16:43 122880 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
1997-07-22 00:30 1045776 -csha-w- c:\windows\system32\Msjet35.dll
1997-06-23 08:00 123664 -csha-w- c:\windows\system32\Msjint35.dll
1997-06-23 17:06 24848 -csha-w- c:\windows\system32\Msjter35.dll
1997-06-23 17:06 252176 -csha-w- c:\windows\system32\Msrd2x35.dll
1997-06-23 17:06 287504 -csha-w- c:\windows\system32\Msxbse35.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2013-08-30 07:47 121968 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 81920]
"LaCie Desktop Manager Startup"="c:\program files\LaCie\Desktop Manager\LaCieDesktopManagerStatusItem.exe" [2011-11-03 2456576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Document Manager"="c:\program files\Wave Systems Corp\Services Manager\DocMgr\bin\docmgr.exe" [2006-05-16 102400]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"SwitchBoard"="c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe" [2010-02-19 517096]
"USBDetector"="c:\usbstorage\USBDetector.exe" [2003-04-01 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2013-04-22 59720]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"Sendori Tray"="c:\program files\Sendori\SendoriTray.exe" [2013-04-23 83232]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2012-04-04 446392]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-11-06 15516008]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2013-06-30 295512]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking12\Ereg\Ereg.exe" [2010-10-27 328992]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2013-05-01 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2013-05-31 152392]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2013-08-30 4858968]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-07-02 254336]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EMBASSY Trust Suite Secure Update.lnk - c:\program files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe [2006-1-30 192512]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSimpleStartMenu"= 0 (0x0)
"NoThumbnailCache"= 0 (0x0)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"=hex(7ac):
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wxvault.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Rosa^Start Menu^Programs^Startup^AOL OpenRide.lnk]
backup=c:\windows\pss\AOL OpenRide.lnkStartup
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Simplify Media"="c:\documents and settings\Rosa\Local Settings\Application Data\Simplify Media\SimplifyMedia.exe"
"SightSpeed"=c:\program files\SightSpeed\SightSpeed.exe -minimized
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PMX Daemon"=ICO.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Rosa\\Application Data\\uTorrent\\uTorrent.exe"=
.
R0 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [7/31/2013 9:18 AM 21576]
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [7/31/2013 9:17 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [7/31/2013 9:18 AM 204784]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [7/31/2013 9:18 AM 49376]
R0 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [7/31/2013 9:18 AM 177864]
R0 FixZeroAccess;Zero Access Fixtool driver;c:\windows\system32\drivers\FixZeroAccess.sys [5/22/2013 8:42 PM 35752]
R1 aswFW;avast! TDI Firewall driver;c:\windows\system32\drivers\aswFW.sys [7/31/2013 9:18 AM 104752]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/31/2013 9:18 AM 770344]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/31/2013 9:18 AM 369584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/11/2004 7:00 PM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/31/2013 9:18 AM 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [7/31/2013 9:18 AM 66336]
R2 Autodesk Content Service;Autodesk Content Service;c:\program files\Autodesk\Content Service\Connect.Service.ContentService.exe [1/31/2012 10:46 AM 19232]
R2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [7/31/2013 9:17 AM 137960]
R2 DragonSvc;Dragon Service;c:\program files\Common Files\Nuance\dgnsvc.exe [7/18/2012 10:07 PM 310232]
R2 GenieTimelineService;Genie Timeline Service;c:\program files\Genie-Soft\Genie Timeline\GenieTimelineService.exe [2/2/2011 10:25 AM 362624]
R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/23/2012 12:37 PM 13672]
R2 nlsX86cc;This service enables products that use the Nalpeiron Licensing System.;c:\windows\system32\nlssrv32.exe [9/22/2011 12:30 PM 66560]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [12/11/2008 7:08 AM 3575808]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\RealNetworks\RealDownloader\rndlresolversvc.exe [4/16/2013 3:07 AM 39056]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [5/23/2013 10:04 AM 1373480]
R2 WTabletServicePro;Wacom Professional Service;c:\program files\Tablet\Wacom\WTabletServicePro.exe [11/13/2012 10:49 AM 522040]
R3 hidkmdf;KMDF Driver;c:\windows\system32\drivers\hidkmdf.sys [9/1/2012 11:01 AM 12272]
R3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [12/19/2006 9:32 PM 18432]
R3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [12/19/2006 9:32 PM 14336]
R3 WacHidRouter;Wacom Hid Router;c:\windows\system32\drivers\wachidrouter.sys [9/1/2012 11:01 AM 70640]
R3 wacomrouterfilter;Wacom Router Filter Driver;c:\windows\system32\drivers\wacomrouterfilter.sys [9/1/2012 11:01 AM 13296]
S0 TfFsMon;TfFsMon; [x]
S0 TfSysMon;TfSysMon; [x]
S2 gupdate1ca39ede91b0558;Google Update Service (gupdate1ca39ede91b0558);c:\program files\Google\Update\GoogleUpdate.exe [9/20/2009 8:28 AM 133104]
S2 LaCieDesktopManagerService;LaCieDesktopManagerService;c:\program files\LaCie\Desktop Manager\lacie_dm_service.exe [5/18/2012 10:12 PM 825344]
S3 cpuz134;cpuz134;\??\c:\docume~1\Rosa\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys --> c:\docume~1\Rosa\LOCALS~1\Temp\cpuz134\cpuz134_x32.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [2/12/2007 2:34 PM 47360]
S3 pmxps2m;PMXPS2M;c:\windows\system32\drivers\pmxps2m.sys [11/16/2007 9:59 AM 16384]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe [2/19/2010 1:37 PM 517096]
S3 TfNetMon;TfNetMon; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - SASKUTIL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
Akamai REG_MULTI_SZ Akamai
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-09-21 11:27 1177552 ----a-w- c:\program files\Google\Chrome\Application\29.0.1547.76\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-29 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-24 00:20]
.
2013-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2013-09-29 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-07-31 07:47]
.
2013-09-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-26 00:57]
.
2013-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 12:28]
.
2013-09-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-20 12:28]
.
2013-09-29 c:\windows\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-1817228619-2154543479-3873200891-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 16:45]
.
2013-09-29 c:\windows\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-1817228619-2154543479-3873200891-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 16:45]
.
2013-09-29 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1817228619-2154543479-3873200891-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 16:45]
.
2013-09-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1817228619-2154543479-3873200891-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2013-04-16 16:45]
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.google.com/
uInternet Settings,ProxyOverride = *.local;127.0.0.1:9421;
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\Sendori.dll
Trusted Zone: plaxo.com\www
TCP: DhcpNameServer = 192.168.1.254
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} - hxxp://aolsvc.aol.com/onlinegames/trytrijinx/TriJinx.1.0.0.86.cab
DPF: {74E4A24D-5224-4F05-8A41-99445E0FC22B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mind-medley/gamehouseplayer.cab
DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mystery-solitaire-secret-island/SpinTopGamesLauncher.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://legacy.aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://aolsvc.aol.com/onlinegames/sonybewitched/main.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://aolsvc.aol.com/onlinegames/free-trial-mahjong-fortuna-2-deluxe/zylomplayer.cab
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-29 17:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_8fa3539.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1817228619-2154543479-3873200891-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F2426FA4-EEBE-8FFA-140C-904857E0FA0D}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"kaijfmhlgjoongmgofjjaa"=hex:67,61,69,6a,6a,6d,64,69,62,68,62,6a,6d,6b,00,00
"kaijfmhlgjoongmgofjjba"=hex:66,61,69,6d,6a,6d,6d,6d,6d,61,6c,6d,00,6e
"maiojpnbpmkjjdjbcglbackafp"=hex:62,61,6a,6f,00,eb
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_175_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(832)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\windows\system32\Sendori.dll
.
Completion time: 2013-09-29 17:14:29
ComboFix-quarantined-files.txt 2013-09-29 21:14
ComboFix2.txt 2013-09-27 18:20
.
Pre-Run: 338,194,378,752 bytes free
Post-Run: 338,267,332,608 bytes free
.
- - End Of File - - 8DE615DA6BD98F255CEC91D499AB0DDF
8F558EB6672622401DA993E1E865C861

2013-09-06 19:59 . 2013-09-27 20:15 909 ----a-w- C:\Layers.scr

Did you create this?

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone. Therefore, I recommend that nothing be allowed in the trusted zone. If you agree, please do the following.

Re-running ComboFix to remove infections:

• Close any open browsers.
  
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Open notepad and copy/paste the text in the quotebox below into it:
  

  
  KillAll::
  
  DDS::
  Trusted Zone: plaxo.com\www
  Firefox::
  Trusted Zone: plaxo.com\www
  
  

• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
  
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• I don't need to see the log if you decide to run this script.
  

**********************************************
Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
  
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
  
• Copy and paste the contents of these two log files in your next reply.
  

Dave, i ran the combofix script, no problem. The Malwarebytes seems to be stock on a file. It hasn't changed for about 20 minutes; is that normal?

Malwarebytes Anti-Rootkit BETA 1.07.0.1005
www.malwarebytes.org

Database version: v2013.09.30.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Rosa :: D7XR78C1 [administrator]

9/30/2013 5:47:20 PM
mbar-log-2013-09-30 (17-47-20).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 299171
Time elapsed: 1 hour(s), 16 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)




System Log
Malwarebytes Anti-Rootkit BETA 1.07.0.1005

(c) Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 3 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

Java version: 1.6.0_31

File system is: NTFS
Disk drives: C:\ DRIVE_FIXED, G:\ DRIVE_FIXED
CPU speed: 2.926000 GHz
Memory total: 3487100928, free: 2581213184

Downloaded database version: v2013.09.30.04
Downloaded database version: v2013.09.23.01
=======================================
Initializing...
------------ Kernel report ------------
09/30/2013 07:57:29
------------ Loaded modules -----------
\WINDOWS\system32\ntkrnlpa.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
FixZeroAccess.sys
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
dmio.sys
PartMgr.sys
VolSnap.sys
atapi.sys
iaStor.sys
disk.sys

That doesn't appear to be the full MBAM Rootkit detector log. Could you please try it again?

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

I left the malwarebytes anti rootkit running last night, this morning had a blue screen. :sad: Should I try running it again?

rrolon123 wrote:

I left the malwarebytes anti rootkit running last night, this morning had a blue screen. :sad: Should I try running it again?

No, please run the ESET scan.

Busted!   

ESETSmartInstaller@High as downloader log:
all ok
ESETSmartInstaller@High as downloader log:
all ok
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6920
# api_version=3.0.2
# EOSSerial=1a84d6cfa1df4b478906c90f4dcffd44
# engine=15332
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=false
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2013-10-02 11:58:23
# local_time=2013-10-02 07:58:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=772 16777213 83 94 185931 156546575 0 0
# scanned=553831
# found=5
# cleaned=5
# scan_time=42190
sh=9B7AFC05F48AE3F56DBE1A2114F8FDF50067A187 ft=0 fh=0000000000000000 vn="JS/Adware.Yontoo.C application (cleaned by deleting - quarantined)" ac=C fn="C:\AdwCleaner\Quarantine\C\Documents and Settings\Rosa\Application Data\Mozilla\Firefox\Profiles\39m2v042.default\Extensions\plugin@getwebcake.com\content\overlay.js.vir"
sh=29AE9DCF2607713EBEE0A30C732BCFF49E5F2AD9 ft=1 fh=0c6150e6848c0127 vn="a variant of Win32/Adware.SpywareCease.AA application (cleaned by deleting - quarantined)" ac=C fn="G:\downloads\PerfectUninstall_Setup.exe"
sh=F446EF385494C12F72AB4808FC586C5F703FB533 ft=1 fh=bb8b34ec966290d8 vn="Win32/Adware.1ClickDownload.C application (cleaned by deleting - quarantined)" ac=C fn="G:\downloads\Person_of_Interest_S01E15_HDTV_XviD-LOL[ettv].exe"
sh=5B30BA15AEF2D1EA468B2AD729200F1DE57B3D6B ft=0 fh=0000000000000000 vn="a variant of Win32/Packed.VMProtect.AAD trojan (deleted - quarantined)" ac=C fn="G:\downloads\ROXIO.CREATOR.2012.PRO-MAGNiTUDE\m-rc2012\iso\m-rc2012.iso"
sh=DB09E2E7C433B60EC018B4C76163559C29532E07 ft=1 fh=ae5d6d95c423fff6 vn="a variant of Win32/Adware.iBryte.G application (cleaned by deleting - quarantined)" ac=C fn="G:\_Genie Timeline\0\C\Documents and Settings\Rosa\My Documents\Downloads\Setup.exe"



C:\AdwCleaner\Quarantine\C\Documents and Settings\Rosa\Application Data\Mozilla\Firefox\Profiles\39m2v042.default\Extensions\plugin@getwebcake.com\content\overlay.js.vir JS/Adware.Yontoo.C application cleaned by deleting - quarantined
G:\downloads\PerfectUninstall_Setup.exe a variant of Win32/Adware.SpywareCease.AA application cleaned by deleting - quarantined
G:\downloads\Person_of_Interest_S01E15_HDTV_XviD-LOL[ettv].exe Win32/Adware.1ClickDownload.C application cleaned by deleting - quarantined
G:\downloads\ROXIO.CREATOR.2012.PRO-MAGNiTUDE\m-rc2012\iso\m-rc2012.iso a variant of Win32/Packed.VMProtect.AAD trojan deleted - quarantined
G:\_Genie Timeline\0\C\Documents and Settings\Rosa\My Documents\Downloads\Setup.exe a variant of Win32/Adware.iBryte.G application cleaned by deleting - quarantined

That looks good. How's your computer running now?

I rebooted and the icons weren't there. The only thing that makes them come up is if I run the combofix. Could something else be causing this action? Yesterday, after the blue screen, they started faster than I've ever seen them come up!! Ironic!

Did you create this folder?

2013-09-06 19:59 . 2013-09-27 20:15 909 ----a-w- C:\Layers.scr

**************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    
  
  
• At the bottom of the page
  
  
  
  • Hidden Objects Only << Selected
    
  
  
• Click on the Create Log button on the bottom right.
  
• After a few seconds a new window should appear.
  
• Select Scan Root Drive. Click on the Start button.
  
• When it is complete a new window will appear to indicate that the scan is finished.
  
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
  

Dave,

I did not create that folder, I don't even know what it is, how to or where to create it.

This morning when I started the computer, my monitors wouldn't show any activity not even the mouse, like they weren't connected. I had to reboot and then started working. Would I be having trouble with my video card?

I really appreciate all the help you're giving me! Thanks


SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: \SystemRoot\System32\Drivers\dump_iaStor.sys
Service Name: ---
Module Base: B465B000
Module End: B4712000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAddBootEntry
Address: B47D7610
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwAllocateVirtualMemory
Address: B48B35FA
Driver Base: B48A6000
Driver End: B48FE000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwAssignProcessToJobObject
Address: B47D80E6
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwClose
Address: B481BB36
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEvent
Address: B47E3F18
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateEventPair
Address: B47E3F64
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateIoCompletion
Address: B47E40FE
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateKey
Address: B481B4EA
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateMutant
Address: B47E3E86
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateSection
Address: B47E3FA8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateSemaphore
Address: B47E3ECE
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateThread
Address: B47D85E4
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwCreateTimer
Address: B47E40B8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDebugActiveProcess
Address: B47D8E9C
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteBootEntry
Address: B47D7676
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteKey
Address: B481C1FC
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDeleteValueKey
Address: B481C4B2
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwDuplicateObject
Address: B47DC596
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateKey
Address: B481C067
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwEnumerateValueKey
Address: B481BED2
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwFreeVirtualMemory
Address: B48B36C2
Driver Base: B48A6000
Driver End: B48FE000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwLoadDriver
Address: B47D725E
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwModifyBootEntry
Address: B47D76DC
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeKey
Address: B47DC98C
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwNotifyChangeMultipleKeys
Address: B47D992C
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEvent
Address: B47E3F42
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenEventPair
Address: B47E3F86
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenIoCompletion
Address: B47E4122
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenKey
Address: B481B846
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenMutant
Address: B47E3EAC
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenProcess
Address: B47DBE78
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSection
Address: B47E4036
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenSemaphore
Address: B47E3EF6
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenThread
Address: B47DC26E
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwOpenTimer
Address: B47E40DC
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwProtectVirtualMemory
Address: B48B3822
Driver Base: B48A6000
Driver End: B48FE000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwQueryKey
Address: B481BD4D
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryObject
Address: B47D97F8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueryValueKey
Address: B481BB9F
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwQueueApcThread
Address: B47D934E
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwRenameKey
Address: B48C0744
Driver Base: B48A6000
Driver End: B48FE000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwRestoreKey
Address: B481AB30
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetBootEntryOrder
Address: B47D7742
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetBootOptions
Address: B47D77A8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetContextThread
Address: B47D8D16
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetSystemInformation
Address: B47D72F8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetSystemPowerState
Address: B47D74CE
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSetValueKey
Address: B481C303
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwShutdownSystem
Address: B47D745C
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSuspendProcess
Address: B47D9066
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSuspendThread
Address: B47D91C8
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwSystemDebugControl
Address: B47D7556
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwTerminateProcess
Address: B47D8B54
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwTerminateThread
Address: B47D8CF6
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwUnloadDriver
Address: B48B1C42
Driver Base: B48A6000
Driver End: B48FE000
Driver Name: \SystemRoot\System32\Drivers\aswSP.SYS

Function Name: ZwVdmControl
Address: B47D780E
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

Function Name: ZwWriteVirtualMemory
Address: B47D8142
Driver Base: B47BF000
Driver End: B487E000
Driver Name: \SystemRoot\System32\Drivers\aswSnx.SYS

******************************************************************************************
******************************************************************************************
Kernel Hooks:
Hooked Function: ZwCreateProcessEx
At Address: 805D11CA
Jump To: B48CCE04
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ZwClose
At Address: 805BC58A
Jump To: B48C9C9A
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: PsCreateSystemThread
At Address: 805D11CA
Jump To: B48CCE04
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObMakeTemporaryObject
At Address: 805BC58A
Jump To: B48C9C9A
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObInsertObject
At Address: 805C300E
Jump To: B48CB7B4
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

Hooked Function: ObCloseHandle
At Address: 805BC58A
Jump To: B48C9C9A
Module Name: C:\WINDOWS\System32\Drivers\aswSP.SYS

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\Rosa\Application Data\Adobe\Flash Player\APSPrivateData2\0\drm-plug-win-x86\KckDveDsBuHdHi8TJUXQAFOpavQ=\SxQ9ILGlvY8_GGjQGsVelJ4fq9sg=\QTU4QzlBOTEtQkFEMS0zMDY2LTk5RjQtRDA2MzEwMDU3RTI0\OEJFNEE5OUEtRUI0NS0zNjUxLUFBOTMtOTdCMzE4QUU2Q
Status: Hidden

Object: C:\Documents and Settings\Rosa\Application Data\Adobe\Flash Player\APSPrivateData2\0\drm-plug-win-x86\KckDveDsBuHdHi8TJUXQAFOpavQ=\SxQ9ILGlvY8_GGjQGsVelJ4fq9sg=\ZDI4MzkyZGEtMTliNy00MmZiLTg3NmQtOTQzNDQwNTY0ZTMx\QTI0MjcwQjMtQzVFNi0zOEY3LUE5NkEtOTgyNjFEQzM5R
Status: Hidden

Object: C:\Qoobox\BackEnv\AppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cache.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Cookies.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Desktop.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Favorites.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\History.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalAppData.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\LocalSettings.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Music.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\NetHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Personal.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Pictures.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\PrintHood.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Profiles.Folder.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Programs.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Recent.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SendTo.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SetPath.bat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartMenu.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\StartUp.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\SysPath.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\Templates.folder.dat
Status: Access denied

Object: C:\Qoobox\BackEnv\VikPev00
Status: Access denied

I did not create that folder, I don't even know what it is, how to or where to create it.

Please go to Jotti's malware scan
(If more than one file needs scanned they must be done separately and links posted for each one)

* Copy the file path in the below Code box:


* At the upload site, click once inside the window next to Browse.
* Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
* Next click Submit file
* Your file will possibly be entered into a queue which normally takes less than a minute to clear.
* This will perform a scan across multiple different virus scanning engines.
* Important: Wait for all of the scanning engines to complete.
* Once the scan is finished, Copy and then Paste the link in the address bar into your next reply.
**********************************************

Would I be having trouble with my video card?

It could be something like that or the monitor itself. Do you have two monitors on that computer?

I hope this is what you meant! http://virusscan.jotti.org/en/scanresult/b0fa70df4573ce9f052d9666a4ed6d635879afbf

I have my regular monitor and a Wacom tablet.

Please download Farbar Service Scanner and run it on the computer with the issue.

• Press "Scan".
  
• It will create a log (FSS.txt) in the same directory the tool is run.
  
• Please copy and paste the log to your reply.
  

Farbar Service Scanner Version: 13-09-2013
Ran by Rosa (administrator) on 03-10-2013 at 21:54:16
Running from "C:\Documents and Settings\Rosa\My Documents\Downloads"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Other Services:
==============


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswFW(10) aswTdi(8) Gpc(6) IPSec(4) NetBT(5) Tcpip(3)
0x0A00000004000000030000000A00000008000000020000000100000009000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

When you run the Unhide program do the icons return?

The first time I tried it, yes, but not anymore.

Dave, two days in a row I have started the computer with no problem. I will try it for few more days and let you know. I have to thank you for your patience and all the help you have given me.

rrolon123 wrote:

Dave, two days in a row I have started the computer with no problem. I will try it for few more days and let you know. I have to thank you for your patience and all the help you have given me.

Ok, let me know how it goes.

Dave, so far so good with the icons and couldn't be happier but... I have an error with net framework visual studio 8. Don't know if it's important or not, I'm sending you the log, hopefully you can help.

Here is the log:
QueueVer=1
UI LCID=1033
Date=10/6/2013
Time=9:47:19 PM
ReportSize=4142
Bytes=bytes
Kilobytes=KB
Megabytes=MB
MoreInfo=What data does this error report contain?
ErrorSubPath=Generic\visualstudio8setup\microsoft .net framework 2.0-kb979909\1033\1605\msi\f\9.0.40302.0\install\x86\xp\0
Stage1URL=/StageOne/Generic/visualstudio8setup/microsoft .net framework 2.0-kb979909/1033/1605/msi/f/9.0.40302.0/install/x86/xp/0.htm
Stage2URL=/dw/generictwo.asp?EventType=visualstudio8setup&P1=microsoft .net framework 2.0-kb979909&P2=1033&P3=1605&P4=msi&P5=f&P6=9.0.40302.0&P7=install&P8=x86&P9=xp&P10=0
BP0=visualstudio8setup
BP1=microsoft .net framework 2.0-kb979909
BP2=1033
BP3=1605
BP4=msi
BP5=f
BP6=9.0.40302.0
BP7=install
BP8=x86
BP9=xp
BP10=0
CBP=11
DWVer0=12
DWVer1=0
DWVer2=6010
DWVer3=5000
Details_Sig_Body=EventType : visualstudio8setup P1 : microsoft .net framework 2.0-kb979909
P2 : 1033 P3 : 1605 P4 : msi P5 : f P6 : 9.0.40302.0
P7 : install P8 : x86 P9 : xp P10 : 0
QueueMode=268435457
EventID=5000
ReportingFlags=12
UIFlags=1
LoggingFlags=0
MiscFlags=0
EventLogSource=HotFixInstaller
Queued_EventDescription=Queue Servicing Report
General_AppName=Software Update Microsoft .NET Framework 2.0-KB979909 I
Final_Link=Prevent this problem in the future

I have an error with net framework visual studio 8.

I just searched the problem and I found this. Something there might help.

To uninstall ComboFix

• Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
  
• In the field, type in ComboFix /uninstall
  

(Note: Make sure there's a space between the word ComboFix and the forward-slash.)

• Then, press Enter, or click OK.
  
• This will uninstall ComboFix, delete its folders and files, hides System files and folders, and resets System Restore.
  

*****************************************
Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
**************************************
Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster- Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.