WiredWX Christian Hobby Weather Tools

Re: Disappearing taskbar and security centre virus

Hello.

Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Disappearing taskbar and security centre virus

Hi,
Here's the txt file:
Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9.3.4
Adobe Shockwave Player 11.5
Athlon 64 Processor Driver
Broadcom 440x 10/100 Integrated Controller
Broadcom Management Programs
BT Voyager 105 ADSL Modem
ClickArt Fonts 3
Corel MediaOne
Dell Resource CD
ESET Online Scanner v3
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Customer Participation Program 7.0
HP Imaging Device Functions 7.0
HP Photosmart Essential
HP Photosmart, Officejet and Deskjet 7.0.A
HP Software Update
HP Solution Center 7.0
iPod for Windows 2005-02-07
iTunes
Java(TM) 6 Update 21
K-Lite Codec Pack 3.2.5 Standard
McAfee SecurityCenter
McAfee Virtual Technician
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 SR-1 Disc 2
Microsoft Office 2000 SR-1 Professional
Microsoft SQL Server Compact 3.5 SP1 English
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
Modem Diagnostic Tool
Moyea FLV Player version: 2.0.2.96
MP4 Player
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NVIDIA Display Control Panel
NVIDIA Drivers
NVIDIA nView Desktop Manager
PHOTOfunSTUDIO 4.0 HD Edition
Quicken 2004
QuickTime
Rapport
Rapport
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
SigmaTel Audio
Skype Toolbars
Skype™ 4.2
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3

END of txt file

Re: Disappearing taskbar and security centre virus

Hi.

Please download HAMeb_check.exe and save it to your desktop.

  • Double-click on HAMeb_check.exe to run the utility and it will create a log.
  • Copy and paste the contents of that log in your next reply.

............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus

Hi
The log is posted below. Since you are obviously worried about something or investigating something - what is it by the way?? - the only other odd thing that I notice is that I get a msg on logging off that appears and then disappears: re "McSvcHost.exe error".

C:\Documents and Settings\Yule family\Desktop\HAMeb_check.exe
22/08/2010 at 11:03:58.21

Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-220523388-1275210071-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking for HelpAssistant directories ~~

HelpAssistant

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %SystemRoot%\System32\termsrv.dll

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"52344:TCP"=52344:TCP:*:Enabled:Services
"3029:TCP"=3029:TCP:*:Enabled:Services
"4558:TCP"=4558:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services
"1725:TCP"=1725:TCP:*:Enabled:Services
"1950:TCP"=1950:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: Disappearing taskbar and security centre virus

Hi.

Belahzur is away for the week, and he asked me to take his threads, and I noticed a really bad infection you have called HelpAssistant.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    helpasst -mbrt

  • Make sure you leave a space between helpasst and -mbrt
  • When it completes, a log will open.
  • Please post the contents of that log.

............................................................................................

I'm livin' life in the fast lane.
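
An added example, not part of the original posts and not the tool's own code: a small Python parser for a HAMeb_check-style log that pulls out the items the fix tool later acts on in this thread (active HelpAssistant account, its profile, termsrv32.dll, flagged MBR sectors, globally open firewall ports). The sample is an excerpt of the log posted above; the function names and the `expected_ports` allow-list are assumptions made for illustration.

```python
import re

# Excerpt of the HAMeb_check log posted above, trimmed for this example.
SAMPLE_LOG = r"""
Account active Yes
Local Group Memberships *Administrators

~~ Checking profile list ~~

S-1-5-21-220523388-1275210071-725345543-1000
%SystemDrive%\Documents and Settings\HelpAssistant

~~ Checking mbr ~~

user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"65533:TCP"=65533:TCP:*:Enabled:Services
"3389:TCP"=3389:TCP:*:Enabled:Remote Desktop
80:TCP=80:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~
"""

# A header needs a letter after "~~", so rows made only of tildes are not sections.
SECTION_RE = re.compile(r"^~~\s*([A-Za-z].*?)\s*~~$")
PROFILE_RE = re.compile(r"firewallpolicy\\([^\\]+)\\GloballyOpenPorts", re.I)
# Value layout as it appears in the log: port:protocol:scope:state:name
PORT_RE = re.compile(
    r'^"?(\d+):(TCP|UDP)"?=(\d+):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$', re.I)
SECTOR_RE = re.compile(r"(malicious code|PE file found).*?(0x[0-9A-Fa-f]+)")


def split_sections(text):
    """Group non-empty lines under their '~~ title ~~' header (lower-cased).
    Lines before the first header are stored under 'preamble'."""
    sections, current = {"preamble": []}, "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def parse_open_ports(lines):
    """Return one dict per GloballyOpenPorts entry, tagged with its firewall profile."""
    ports, profile = [], None
    for line in lines:
        key = PROFILE_RE.search(line)
        if key:
            profile = key.group(1).lower()
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append({"profile": profile, "port": int(m.group(3)),
                          "proto": m.group(4).upper(), "scope": m.group(5),
                          "enabled": m.group(6).lower() == "enabled",
                          "name": m.group(7)})
    return ports


def triage(text, expected_ports=frozenset()):
    """Summarise the log. expected_ports is a caller-supplied allow-list (assumption);
    with the default, every enabled globally open port is listed for review."""
    s = split_sections(text)
    pre = "\n".join(s["preamble"])
    active = re.search(r"^Account active\s+(Yes|No)\s*$", pre, re.M | re.I)
    groups = re.search(r"^Local Group Memberships[ \t]*(.*)$", pre, re.M)
    ports = parse_open_ports(s.get("checking firewall ports", []))
    mbr_hits = (SECTOR_RE.search(l) for l in s.get("checking mbr", []))
    return {
        "account_active": bool(active and active.group(1).lower() == "yes"),
        "account_is_admin": bool(groups and "administrators" in groups.group(1).lower()),
        # "No HelpAssistant profile in registry" is the clean result, so skip it.
        "profile_present": any("helpassistant" in l.lower() and not l.lower().startswith("no ")
                               for l in s.get("checking profile list", [])),
        "termsrv32_present": any(l.lower().startswith("termsrv32.dll present")
                                 for l in s.get("checking for termsrv32.dll", [])),
        # Reported as-is: the detector prints these lines next to "MBR OK".
        "mbr_flagged_sectors": [m.group(2) for m in mbr_hits if m],
        "ports_to_review": sorted(p["port"] for p in ports
                                  if p["enabled"] and p["port"] not in expected_ports),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

<test>
r = triage(SAMPLE_LOG)
assert r["account_active"] is True
assert r["account_is_admin"] is True
assert r["profile_present"] is True
assert r["termsrv32_present"] is True
assert r["mbr_flagged_sectors"] == ["0x012A050FF", "0x012A05115"]
assert r["ports_to_review"] == [80, 3389, 65533]
assert triage(SAMPLE_LOG, expected_ports={80})["ports_to_review"] == [3389, 65533]

ports = parse_open_ports(split_sections(SAMPLE_LOG)["checking firewall ports"])
assert len(ports) == 3
assert ports[1]["name"] == "Remote Desktop"
assert ports[0]["profile"] == "domainprofile"

clean = r"""
Account active No
Local Group Memberships

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~~~~~~~~~~~~~~~~~~~~~~~

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
"""
c = triage(clean)
assert c["account_active"] is False
assert c["account_is_admin"] is False
assert c["profile_present"] is False
assert c["termsrv32_present"] is False
assert c["mbr_flagged_sectors"] == []
assert c["ports_to_review"] == [80]
</test>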

Re: Disappearing taskbar and security centre virus

Thanks - I did this, and noticed that the HelpAssistant directory in Docs & Settings has gone.
NB I still get the McSvHost.exe error on closing down.
The log is:
C:\Documents and Settings\Yule family\Desktop\HelpAsst_mebroot_fix.exe
22/08/2010 at 22:52:28.21

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3029:TCP"=-
"4558:TCP"=-
"3389:TCP"=-
80:TCP=-
443:TCP=-
"1725:TCP"=-
"1950:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-220523388-1275210071-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove

~ Not all HelpAssistant files sucessfully removed ~
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\store\user
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\store
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user\logs
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport\user
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer\Rapport
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1\Trusteer
Remove on reboot: C:\DOCUME~1\HELPAS~1\APPLIC~1
Remove on reboot: C:\Documents and Settings\HelpAssistant


~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 22/08/2010 at 23:15:32.82

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: Disappearing taskbar and security centre virus

Update, after rebooting several times, the McSvHost.exe error has disappeared too.
Is all now ok?
thanks

Re: Disappearing taskbar and security centre virus

Hi.

Could you please run HA_Check again?

............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus

I note that I have a directory - C:\Help_Asst_backup, containing what looks like my old C drive! Should I delete this?

HA initially came up with "Profile not found"; however, I pressed a key and it completed. I then did "Run helpasst -mbrt" as before. The log follows:

C:\Documents and Settings\Yule family\Desktop\HelpAsst_mebroot_fix.exe
23/08/2010 at 17:13:48.65

HelpAssistant account Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
80:TCP=-
443:TCP=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 23/08/2010 at 17:15:06.06

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
PE file found in sector at 0x012A05115 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
80:TCP=80:TCP:*:Enabled:Services
443:TCP=443:TCP:*:Enabled:Services

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

Re: Disappearing taskbar and security centre virus

Hi.

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    C:\Documents and Settings\HelpAssistant

    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list]
    80:TCP=-
    443:TCP=-

    Reboot::

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus

Hi again!
Although I had downloaded Combo-fix earlier, I reloaded it (as per Post 5), since I had uninstalled it.
I ran Combofix; during Stage 2 I got a msg that PEV.cfxxe had a problem and was terminating.
After Stage 50, the system auto rebooted.
After completion I can see that I still have a directory c:\HelpAsst_backup, containing copies of my C drive.
The log is as follows:
ComboFix 10-08-23.01 - Yule family 24/08/2010 0:06.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.446.111 [GMT 1:00]
Running from: c:\documents and settings\Yule family\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Yule family\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2010-07-23 to 2010-08-23 )))))))))))))))))))))))))))))))
.

2010-08-22 21:52 . 2010-08-22 21:52 -------- d-----w- C:\HelpAsst_backup
2010-08-21 22:09 . 2010-08-21 22:09 -------- d-----w- c:\program files\TrendMicro
2010-08-17 18:31 . 2010-08-17 18:31 -------- d-----w- c:\program files\ESET
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- C:\Combo-Fix17331C
2010-08-15 19:14 . 2010-08-15 19:43 -------- d-----w- C:\Combo-Fix940C
2010-08-13 23:17 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-08-13 22:28 . 2004-08-04 10:00 8832 -c--a-w- c:\windows\system32\dllcache\rasacd.sys
2010-08-13 22:28 . 2004-08-04 10:00 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-08-12 19:10 . 2010-08-12 19:09 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-11 21:19 . 2010-08-11 21:19 -------- d-----w- C:\_OTL
2010-08-10 19:51 . 2010-08-10 19:51 -------- d-----w- c:\program files\Shavlik Technologies
2010-08-08 14:53 . 2010-08-08 14:53 -------- d-----w- c:\documents and settings\Yule family\Local Settings\Application Data\{CA0A701A-8DAE-4764-9756-24BCACFD0C61}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-22 16:47 . 2010-01-20 22:38 -------- d-----w- c:\program files\McAfee
2010-08-22 10:06 . 2010-02-12 08:16 -------- d-----w- c:\documents and settings\Yule family\Application Data\Skype
2010-08-22 08:55 . 2010-02-12 08:19 -------- d-----w- c:\documents and settings\Yule family\Application Data\skypePM
2010-08-21 22:09 . 2010-08-21 22:09 388096 ----a-r- c:\documents and settings\Yule family\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-08-21 21:41 . 2010-02-18 10:57 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2010-08-17 20:31 . 2010-08-17 20:31 349416 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportMR.dll
2010-08-17 20:31 . 2010-08-17 20:31 12544 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\19211\RapportIaso.sys
2010-08-13 10:34 . 2010-01-29 22:49 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-08-12 21:13 . 2010-08-12 21:13 61440 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-sse.dll
2010-08-12 21:13 . 2010-08-12 21:13 503808 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcp71.dll
2010-08-12 21:13 . 2010-08-12 21:13 499712 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\jmc.dll
2010-08-12 21:13 . 2010-08-12 21:13 348160 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-6ad00b59-n\msvcr71.dll
2010-08-12 21:13 . 2010-08-12 21:13 12800 ----a-w- c:\documents and settings\Yule family\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-3265c9c5-n\decora-d3d.dll
2010-08-12 19:14 . 2007-03-28 19:07 -------- d-----w- c:\program files\Java
2010-08-12 19:12 . 2007-03-28 19:07 -------- d-----w- c:\program files\Common Files\Java
2010-08-09 09:45 . 2010-08-09 09:45 664 ----a-w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\d3d9caps.tmp
2010-08-05 23:01 . 2010-02-21 11:24 -------- d-----w- c:\documents and settings\Yule family\Application Data\Image Zone Express
2010-07-25 23:27 . 2007-04-05 13:51 -------- d-----w- c:\program files\Quicken
2010-07-23 19:06 . 2010-07-23 19:06 73728 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\ncqo.exe
2010-07-23 19:06 . 2010-07-23 19:06 417792 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMR\16072\RapportMR.dll
2010-07-23 18:31 . 2010-05-26 23:58 81496 ----a-w- c:\documents and settings\test\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-21 19:17 . 2010-04-20 22:06 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2010-07-16 08:35 . 2010-03-28 21:57 -------- d-----w- c:\documents and settings\Yule family\Application Data\Ucibxa
2010-07-01 11:07 . 2010-07-01 11:07 434176 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Trusteer\Rapport\store\exts\RapportMS\17053\RapportMS.dll
2010-06-30 12:31 . 2004-08-04 10:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-27 18:40 . 2010-08-11 07:34 144328 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Personal_32_1033.dat
2010-06-24 12:22 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 10:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 10:00 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 10:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-16 06:33 . 2010-01-16 19:05 81496 ----a-w- c:\documents and settings\Yule family\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-14 14:31 . 2010-01-16 16:41 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 10:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-02-18 13:25 . 2010-02-18 13:25 8 --sh--r- c:\windows\system32\57E1DD82AC.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-18 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2007-01-25 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2007-01-25 16384]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-04-01 1180976]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-04-03 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-04-03 13670504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^PHOTOfunSTUDIO 4.0 HD Edition.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\PHOTOfunSTUDIO 4.0 HD Edition.lnk
backup=c:\windows\pss\PHOTOfunSTUDIO 4.0 HD Edition.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk
backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
2007-12-01 17:38 38400 ----a-r- c:\program files\Corel\Corel MediaOne\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP4 Player]
2008-11-06 17:23 772096 ----a-w- c:\program files\MP4 Player\Mp4Player.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-01-17 23:12 98304 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [30/05/2010 16:15 82952]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [01/07/2010 12:07 59240]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [01/07/2010 12:07 166632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [20/01/2010 23:42 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [30/05/2010 16:15 271480]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [30/05/2010 16:15 55456]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [30/05/2010 16:15 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S1 MpKsl56ce2b3f;MpKsl56ce2b3f;\??\c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys --> c:\windows\system32\MpEngineStore\MpKsl56ce2b3f.sys [?]
S1 MpKsl8b16be60;MpKsl8b16be60;\??\c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys --> c:\windows\system32\MpEngineStore\MpKsl8b16be60.sys [?]
S1 MpKslfb1eeb2a;MpKslfb1eeb2a;\??\c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys --> c:\windows\system32\MpEngineStore\MpKslfb1eeb2a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [26/09/2009 18:28 133104]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [30/05/2010 16:15 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [30/05/2010 16:15 83496]
S3 se46bus;Sony Ericsson Device 070 driver (WDM);c:\windows\system32\drivers\se46bus.sys [22/02/2010 12:55 61536]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-08-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-26 17:28]

2010-04-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-07-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-01-20 12:22]

2010-08-23 c:\windows\Tasks\User_Feed_Synchronization-{DF8E2BEC-7A9C-4D85-9DC0-FDC10DEDCB66}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89C30F0F8BD011D2.dll/cmsidewiki.html
Trusted Zone: internet
Trusted Zone: mcafee.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-24 00:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(224)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Common Files\McAfee\SystemCore\mfefire.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-08-24 00:34:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-23 23:34

Pre-Run: 80,693,653,504 bytes free
Post-Run: 80,900,644,864 bytes free

- - End Of File - - A8DD55844813DFA72BA309F835D5D45C

Re: Disappearing taskbar and security centre virus
Hi.

The HelpAssistant backup is a backup of your files that shouldn't be messed with in case of emergency.

HelpAssistant Mebroot seems removed. Is it still there at C:\Documents and Settings\HelpAssistant?


............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus
Yes, that directory has gone.

Should I uninstall all the virus stuff that I have downloaded?
Is it adequate to do this via Add/rmv?
And should I delete any directories left that are named similarly, e.g.
Combo-fix?
_OTL
5de2baedc3ac8e9e6c2275410292
Qoobox

thanks again.

Re: Disappearing taskbar and security centre virus
Hi.

Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.

............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus
Here it is:
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000001fc

Kernel Drivers (total 131):

Processes (total 46):
0 System Idle Process
4 System
588 C:\WINDOWS\system32\smss.exe
956 csrss.exe
980 C:\WINDOWS\system32\winlogon.exe
1024 C:\WINDOWS\system32\services.exe
1036 C:\WINDOWS\system32\lsass.exe
1172 C:\WINDOWS\system32\nvsvc32.exe
1216 C:\WINDOWS\system32\svchost.exe
1284 svchost.exe
1340 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
1372 C:\WINDOWS\system32\svchost.exe
1424 svchost.exe
1520 svchost.exe
1636 C:\WINDOWS\system32\spoolsv.exe
1720 svchost.exe
1756 C:\WINDOWS\system32\bgsvcgen.exe
1792 svchost.exe
1856 C:\Program Files\Java\jre6\bin\jqs.exe
1948 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
1964 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
2024 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
2040 C:\Program Files\McAfee\MSK\msksrver.exe
148 C:\WINDOWS\system32\HPZipm12.exe
224 C:\WINDOWS\system32\PSIService.exe
280 C:\WINDOWS\system32\svchost.exe
332 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
540 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
1416 alg.exe
2468 C:\WINDOWS\explorer.exe
2492 C:\WINDOWS\system32\rundll32.exe
2560 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
3008 C:\WINDOWS\stsystra.exe
3020 C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
3028 C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
3092 C:\WINDOWS\system32\rundll32.exe
3104 C:\Program Files\McAfee.com\Agent\mcagent.exe
3120 C:\WINDOWS\system32\rundll32.exe
3172 C:\Program Files\Common Files\Java\Java Update\jusched.exe
3216 C:\WINDOWS\system32\ctfmon.exe
3252 C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
3912 C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
4088 C:\WINDOWS\system32\taskmgr.exe
3380 C:\Program Files\Internet Explorer\iexplore.exe
688 C:\Program Files\Internet Explorer\iexplore.exe
600 C:\Documents and Settings\Yule family\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x0000001b`27f54600 (NTFS)

PhysicalDrive0 Model Number: ST3160812AS, Rev: 3.ADJ

Size Device Name MBR Status
--------------------------------------------
149 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

Re: Disappearing taskbar and security centre virus
Hi.

How is your computer running?

............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus
Hi,
It is running fine, thanks. To be honest I haven't seen any issues for the last few posts.
However, I have now accumulated lots of things on my computer:
- all the topics and potential removal actions that I mentioned above in Post 24.
- Helpasst_backup directory. I know you said earlier that this is a backup from Help Assistant, but I don't remember seeing this before, and I can't find any other reference to Help Assistant on my computer. If it's running in the background, then it seems quite well hidden. NB I do separately take backups periodically.
Thanks as ever.

Re: Disappearing taskbar and security centre virus
Hi.

You can delete the HelpAssistant backup now.

Your computer is now clean. Now, time to remove the tools used, and update your computer to prevent vulnerability.

Updating System Restore
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE.


You now have a clean restore point.

To get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The System will do a calculation of temporary/old files, and then display a dialogue box.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the Warning and select OK again, the program will close and you are done.


========

Removing the tools
Now, to remove all of the tools we used and the files and folders they created, please do the following:

Download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
    Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.


============

Service Pack upgrade
Please consider upgrading to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

More info about SP3: Here

=====

Update Programs
Please download the newest version of Adobe Acrobat Reader from Adobe.com

Before installing: it is important to remove older versions of Acrobat Reader since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Adobe Acrobat Reader. Uninstall/Remove each of them.

Once old versions are gone, please install the newest version.



Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.


............................................................................................

I'm livin' life in the fast lane.

Re: Disappearing taskbar and security centre virus
Hi
I have done all of that thanks.
I still had some other files left:
- ESET which I removed by Add/rmv
- Hijackthis - ditto
- 3 Combo-fix directories - which I deleted.
Some Help Asst .exe files on my desktop - deleted
Some MB files on my desktop - deleted.

I also have 2 directories (empty) named "NV916284.TMP" or similar. Can I delete these?
And 3 directories named "5de2baedc3ac8e9e6c2275410292" or similar. That dir contains 3 files, eg "mrtsub.exe".

Re: Disappearing taskbar and security centre virus
Hi.

You can delete the empty .TMP directories, but the others are legit and they are associated with service pack installs.

............................................................................................

I'm livin' life in the fast lane.

Thanks and close
Thanks for all the help - The service is just great.
I would like to make a donation; how do I do this?

Re: Disappearing taskbar and security centre virus
You're welcome, glad to help.

Here is the link to the donation stuff: http://www.GeekPolice.net/Donate-h29.htm

............................................................................................

I'm livin' life in the fast lane.
