Hi again!
Although I had downloaded Combo-fix earlier, I reloaded it (as per Poat 5), since I had uninstalled it.
I ran Combofix; during Stage 2 I got a msg that PEV.cfxxe had a problem and was terminating.
After Stage 50, the system auto rebooted.
After completion I can see that I still have a directory c:\HelpAsst_backup, containing copies of my C drive.
The log is as follows:
ComboFix 10-08-23.01 - Yule family 24/08/2010 0:06.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.111 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yule family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.
2010-08-22 21:52 . 2010-08-22 21:52 -------- d-----w- C:\HelpAsst_backup
2010-08-21 22:09 . 2010-08-21 22:09 -------- d-----w- c:\program files\TrendMicro
2010-08-17 18:31 . 2010-08-17 18:31 -------- d-----w- c:\program files\ESET
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- C:\Combo-Fix17331C
2010-08-15 19:14 . 2010-08-15 19:43 -------- d-----w- C:\Combo-Fix940C
2010-08-13 23:17 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-13 22:28 . 2004-08-04 10:00 8832 -c--a-w- c:\windows\system32\dllcache\rasacd.sys
2010-08-13 22:28 . 2004-08-04 10:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-08-12 19:10 . 2010-08-12 19:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 21:19 . 2010-08-11 21:19 -------- d-----w- C:\_OTL
2010-08-10 19:51 . 2010-08-10 19:51 -------- d-----w- c:\program files\Shavlik Technologies
2010-08-08 14:53 . 2010-08-08 14:53 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 16:47 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-08-22 10:06 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-08-22 08:55 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-08-21 22:09 . 2010-08-21 22:09 388096 ----a-r- c:\documents and settings\Yule family\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-08-21 21:41 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-17 20:31 . 2010-08-17 20:31 349416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportMR.dll
2010-08-17 20:31 . 2010-08-17 20:31 12544 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportIaso.sys
2010-08-13 10:34 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 21:13 . 2010-08-12 21:13 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-sse.dll
2010-08-12 21:13 . 2010-08-12 21:13 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcp71.dll
2010-08-12 21:13 . 2010-08-12 21:13 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\jmc.dll
2010-08-12 21:13 . 2010-08-12 21:13 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcr71.dll
2010-08-12 21:13 . 2010-08-12 21:13 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-d3d.dll
2010-08-12 19:14 . 2007-03-28 19:07 -------- d-----w- c:\program files\Java
2010-08-12 19:12 . 2007-03-28 19:07 -------- d-----w- c:\program files\Common Files\Java
2010-08-09 09:45 . 2010-08-09 09:45 664 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\d3d9caps.tmp
2010-08-05 23:01 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-07-25 23:27 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-07-23 19:06 . 2010-07-23 19:06 73728 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-07-23 19:06 . 2010-07-23 19:06 417792 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-07-23 18:31 . 2010-05-26 23:58 81496 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 19:17 . 2010-04-20 22:06 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-16 08:35 . 2010-03-28 21:57 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ucibxa
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 18:40 . 2010-08-11 07:34 144328 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-24 12:22 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-01-16 16:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder
2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]
2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]
2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]
2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]
2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.google.co.uk/IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89C30F0F8BD011D2.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2010-08-24 00:25
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-08-24 00:34:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 23:34
Pre-Run: 80,693,653,504 bytes free
Post-Run: 80,900,644,864 bytes free
- - End Of File - - A8DD55844813DFA72BA309F835D5D45C