Mcafee error starting on demand scanner

Sorry, I just realized after sending this that there's several of these errors in posts is it still okay?
Hi, I'm experiencing problems Whenever I try to use a scan on Mcafee. It always gives me the "Error starting on demand scanner" error and I think I might have a virus causing this. I'm also having problems with my Firefox. It doesn't seem to let me open sites like: http://download.microsoft.com/download/C/C/0/CC0BD555-33DD-411E-936B-73AC6F95AE11/IE8-WindowsXP-x86-ENU.exe
(I believe this is to download IE 8 which I was trying to get because mine seems to have gone missing?)
so when I click the link it returns with:
Unable to connect
Firefox can't establish a connection to the server at download.microsoft.com.

* The site could be temporarily unavailable or too busy. Try again in a few
moments.

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web.


Oh by the way I'm running windows XP

I checked and Firefox has full access to the internet its not being blocked, well not by mcafee. If anyone has any suggestions it would be appreciated thanks!
PS If I need to go into more depth just tell me what you need to know I could try to find out.
I have no idea if this is the same problem but I cant sign into windows messenger it tells me I need to debug with Visual basics 2008 and it stays stuck at the signing in screen

Last edited by mattferd on 7th October 2009, 2:10 am; edited 1 time in total (Reason for editing : Realized that there was already a post with a potential fix to my error)

Wait for Belahzur or DragonMaster Jay to reply -

They are both insanely good and will help you through the whole process.

It takes some time however so be patient (days) - And consider a donation if you feel they have helped you - there is a link at the bottom of their post.

I would be screwed without all their help.

Thank you Belahzur & DragonMaster Jay

Okay thanks! Also

We also require you to install all the critical updates issued by Microsoft by visiting this site in not we will be wasting our time:
http://www.windowsupdate.com/

I cant do that will this be a problem? It gives me that "Problem loading page" thing like i mentioned above.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
cngaudit.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Hi here's the scan results.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:47 on 07/10/2009 by Alan (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [12:00 14/04/2008] [12:00 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [12:00 14/04/2008] [12:00 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 14/04/2008] [12:00 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 56320 bytes [12:00 14/04/2008] [12:00 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [00:32 01/01/1601] [03:37 23/03/1649] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Heres the avenger.txt:

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 07 20:45:19 2009

20:45:19: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 07 20:45:54 2009

20:45:54: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Wed Oct 07 20:46:25 2009

20:46:25: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Sorry i took a while to respond. I had a tournament today. I cant go to that website it gives me the:

Server not found
Firefox can't find the server at www.malwarebytes.org
* Check the address for typing errors such as
ww.example.com instead of
www.example.com

* If you are unable to load any pages, check your computer's network
connection.

* If your computer or network is protected by a firewall or proxy, make sure
that Firefox is permitted to access the Web

Should I try using a USB memory stick thing?

Yeah, give that a try and let me know what happens. :-)

Okay I have it on my computer now it seems to have installed. My question is when I opened it I got an error I pressed okay (because of a usual habit) I think it gave me an error like 731 or 732, 0 0 or something I don't know if this is a problem because It opened anyways. Should I go ahead and start it?

No, lets use this instead, I bet a rootkit is hiding.

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

SWEET! I think it might be fȋxed well at least one problem I can download stuff from microsoft now! AND Sign into MSN! But I still get the Error starting on demand scanner error when I try to scan. Possibly a re-install would fix this? Oh here are the logs:

ComboFix 09-10-07.05 - Alan 10/08/2009 20:36.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2927.2256 [GMT -4:00]
Running from: c:\documents and settings\Alan\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
C:\ProgramFiles
c:\programfiles\zipitpro\zShellAD.dll
c:\windows\msa.exe
c:\windows\win32k.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gxvxcserv.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
2009-10-09 00:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 00:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-08 17:56 . 2009-10-08 17:56 -------- d-----w- c:\windows\LastGood.Tmp
2009-10-07 01:17 . 2009-10-07 01:17 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Temp
2009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\windows\system32\Adobe
2009-09-25 22:20 . 2009-09-25 22:20 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-23 23:11 . 2009-09-23 23:11 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Matt_Provenzale
2009-09-23 23:11 . 2009-09-23 23:11 -------- d-----w- c:\program files\iDesigner
2009-09-22 22:40 . 2009-09-22 22:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-09-19 18:43 . 2009-09-29 21:33 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2009-09-19 18:43 . 2009-09-19 19:04 -------- d-----w- c:\program files\UTorrent
2009-09-14 22:06 . 2009-09-25 14:22 -------- d-----w- c:\documents and settings\Alan\Application Data\FireShot
2009-09-14 20:35 . 2009-09-14 20:37 -------- d-----w- c:\program files\GuildWars

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 17:56 . 2009-06-07 04:56 -------- d-----w- c:\program files\McAfee
2009-10-07 21:48 . 2009-04-25 12:43 -------- d-s---w- c:\program files\Xfire
2009-10-07 02:25 . 2008-12-07 20:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 02:25 . 2009-08-19 21:21 -------- d-----w- c:\program files\Java
2009-10-07 02:25 . 2009-10-07 02:25 0 ----a-w- c:\windows\system32\REN795.tmp
2009-10-07 02:25 . 2009-10-07 02:25 0 ----a-w- c:\windows\system32\REN794.tmp
2009-10-07 02:25 . 2009-10-07 02:25 0 ----a-w- c:\windows\system32\REN793.tmp
2009-09-29 21:26 . 2009-04-25 12:43 -------- d-----w- c:\documents and settings\Alan\Application Data\Xfire
2009-09-28 22:12 . 2008-11-02 16:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-28 22:12 . 2008-11-02 16:33 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-27 16:44 . 2008-11-16 04:40 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-27 16:44 . 2008-11-16 04:40 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-07 14:12 . 2009-08-08 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-08-29 02:47 . 2009-03-15 14:14 -------- d-----w- c:\documents and settings\Alan\Application Data\Hamachi
2009-08-25 02:31 . 2008-12-07 20:15 34 -c--a-w- c:\documents and settings\Alan\jagex_runescape_preferences.dat
2009-08-25 02:22 . 2009-08-25 02:22 -------- d-----w- c:\program files\TightVNC
2009-08-19 21:57 . 2009-08-19 21:57 0 ----a-w- c:\windows\system32\RENC57.tmp
2009-08-19 21:57 . 2009-08-19 21:57 0 ----a-w- c:\windows\system32\RENC56.tmp
2009-08-19 21:57 . 2009-08-19 21:57 0 ----a-w- c:\windows\system32\RENC55.tmp
2009-08-19 21:24 . 2009-05-09 19:42 -------- d-----w- c:\program files\JavaFX
2009-08-19 21:23 . 2009-08-19 21:23 -------- d-----w- c:\program files\Sun
2009-08-16 20:23 . 2008-11-06 05:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-14 09:22 . 2009-08-07 01:28 -------- d-----w- c:\program files\Circl Developement
2009-08-14 00:43 . 2009-07-24 00:24 -------- d-----w- c:\documents and settings\Alan\Application Data\Apple Computer
2009-08-13 15:06 . 2009-08-13 15:06 -------- d-----w- c:\documents and settings\Alan\Application Data\RealVNC
2009-08-13 14:55 . 2009-08-13 14:55 -------- d-----w- c:\program files\RealVNC
2009-08-13 14:33 . 2009-08-13 14:33 -------- d-----w- c:\program files\UltraVNC
2009-08-12 16:10 . 2009-04-25 02:07 -------- d-----w- c:\program files\Lunia
2009-07-29 22:07 . 2008-11-16 04:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-25 04:21 . 2009-08-13 14:55 26624 ----a-w- c:\windows\system32\VNCpm.dll
2009-07-25 04:21 . 2009-08-13 14:55 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2009-07-25 04:21 . 2009-08-13 14:55 20992 ----a-w- c:\windows\system32\vncmirror.dll
2009-07-21 06:52 . 2009-07-21 06:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-21 06:52 . 2009-07-21 06:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-16 16:32 . 2009-06-07 04:57 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 14:01 . 2008-10-21 02:54 70256 ----a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-06-17 876548]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Alan\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 9.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 9.lnk
backup=c:\windows\pss\Snagit 9.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\UTorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57640:TCP"= 57640:TCP:*:Disabled:Pando Media Booster
"57640:UDP"= 57640:UDP:*:Disabled:Pando Media Booster
"56630:TCP"= 56630:TCP:*:Disabled:Pando Media Booster
"56630:UDP"= 56630:UDP:*:Disabled:Pando Media Booster
"56494:TCP"= 56494:TCP:*:Disabled:Pando Media Booster
"56494:UDP"= 56494:UDP:*:Disabled:Pando Media Booster
"86:TCP"= 86:TCP:BroadCam Web Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 JAHCI;JAHCI;c:\windows\system32\drivers\JAHCI.sys [11/5/2008 8:53 PM 33280]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/24/2009 9:48 AM 64160]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/13/2009 4:46 PM 55152]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 951632]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/7/2009 12:59 AM 210216]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [8/13/2009 10:34 AM 6016]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [7/23/2009 8:28 PM 28672]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [10/20/2008 10:11 PM 28672]
S2 0230211255024606mcinstcleanup;McAfee Application Installer Cleanup (0230211255024606);c:\windows\TEMP\023021~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023021~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 BroadCamService;BroadCam Service;c:\program files\NCH Software\BroadCam\broadCam.exe [6/16/2009 9:27 PM 368644]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0230211255024606MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-1417001333-1003Core.job
- c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 01:17]

2009-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-1417001333-1003UA.job
- c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 01:17]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 01:26]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\5mxin21v.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - component: c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\5mxin21v.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-AdobeBridge - (no file)
AddRemove-HijackThis - c:\documents and settings\Alan\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117609710-1482476501-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{451F5D46-2CC5-C0F4-80F5-316E1AD9092E}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abpgcnpphapbhpjehbfianjoijolifkeca"=hex:61,61,00,00
"bbpgcnpphapbhpjehbaibnendnkfenaijdnp"=hex:61,61,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

- - - - - - - > 'explorer.exe'(3096)
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\McAfee\MSK\msksrver.exe
c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-09 20:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 00:50

Pre-Run: 134,618,009,600 bytes free
Post-Run: 134,897,750,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

278 --- E O F --- 2009-05-13 07:02

Sorry, I turned everything off before I started it then after when it did a reboot it turned back on how can I stop it from doing that because I don't think it mentions that anywhere.

Okay I turned off everything (as far as I know) I hope I didn't mess it up again :\
Here's the Log:
ComboFix 09-10-07.05 - Alan 10/08/2009 21:22.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2927.2394 [GMT -4:00]
Running from: c:\documents and settings\Alan\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Alan\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\system32\REN793.tmp"
"c:\windows\system32\REN794.tmp"
"c:\windows\system32\REN795.tmp"
"c:\windows\system32\RENC55.tmp"
"c:\windows\system32\RENC56.tmp"
"c:\windows\system32\RENC57.tmp"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\REN793.tmp
c:\windows\system32\REN794.tmp
c:\windows\system32\REN795.tmp
c:\windows\system32\RENC55.tmp
c:\windows\system32\RENC56.tmp
c:\windows\system32\RENC57.tmp

.
--------------- FCopy ---------------

c:\windows\system32\dllcache\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-09 01:22 . 2008-04-14 12:00 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-10-09 01:22 . 2008-04-14 12:00 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\documents and settings\Alan\Application Data\Malwarebytes
2009-10-09 00:14 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-09 00:14 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-09 00:14 . 2009-10-09 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-07 01:17 . 2009-10-07 01:17 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Temp
2009-09-26 18:09 . 2009-09-26 18:09 -------- d-----w- c:\windows\system32\Adobe
2009-09-25 22:20 . 2009-09-25 22:20 41872 ----a-w- c:\windows\system32\xfcodec.dll
2009-09-23 23:11 . 2009-09-23 23:11 -------- d-----w- c:\documents and settings\Alan\Local Settings\Application Data\Matt_Provenzale
2009-09-23 23:11 . 2009-09-23 23:11 -------- d-----w- c:\program files\iDesigner
2009-09-22 22:40 . 2009-09-22 22:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Xfire
2009-09-19 18:43 . 2009-09-29 21:33 -------- d-----w- c:\documents and settings\Alan\Application Data\uTorrent
2009-09-19 18:43 . 2009-09-19 19:04 -------- d-----w- c:\program files\UTorrent
2009-09-14 22:06 . 2009-09-25 14:22 -------- d-----w- c:\documents and settings\Alan\Application Data\FireShot
2009-09-14 20:35 . 2009-09-14 20:37 -------- d-----w- c:\program files\GuildWars

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 17:56 . 2009-06-07 04:56 -------- d-----w- c:\program files\McAfee
2009-10-07 21:48 . 2009-04-25 12:43 -------- d-s---w- c:\program files\Xfire
2009-10-07 02:25 . 2008-12-07 20:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-07 02:25 . 2009-08-19 21:21 -------- d-----w- c:\program files\Java
2009-09-29 21:26 . 2009-04-25 12:43 -------- d-----w- c:\documents and settings\Alan\Application Data\Xfire
2009-09-28 22:12 . 2008-11-02 16:33 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-28 22:12 . 2008-11-02 16:33 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-09-27 16:44 . 2008-11-16 04:40 139152 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-09-27 16:44 . 2008-11-16 04:40 111928 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-09-07 14:12 . 2009-08-08 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-08-29 02:47 . 2009-03-15 14:14 -------- d-----w- c:\documents and settings\Alan\Application Data\Hamachi
2009-08-25 02:31 . 2008-12-07 20:15 34 -c--a-w- c:\documents and settings\Alan\jagex_runescape_preferences.dat
2009-08-25 02:22 . 2009-08-25 02:22 -------- d-----w- c:\program files\TightVNC
2009-08-19 21:24 . 2009-05-09 19:42 -------- d-----w- c:\program files\JavaFX
2009-08-19 21:23 . 2009-08-19 21:23 -------- d-----w- c:\program files\Sun
2009-08-16 20:23 . 2008-11-06 05:05 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-08-14 09:22 . 2009-08-07 01:28 -------- d-----w- c:\program files\Circl Developement
2009-08-14 00:43 . 2009-07-24 00:24 -------- d-----w- c:\documents and settings\Alan\Application Data\Apple Computer
2009-08-13 15:06 . 2009-08-13 15:06 -------- d-----w- c:\documents and settings\Alan\Application Data\RealVNC
2009-08-13 14:55 . 2009-08-13 14:55 -------- d-----w- c:\program files\RealVNC
2009-08-13 14:33 . 2009-08-13 14:33 -------- d-----w- c:\program files\UltraVNC
2009-08-12 16:10 . 2009-04-25 02:07 -------- d-----w- c:\program files\Lunia
2009-07-29 22:07 . 2008-11-16 04:40 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-07-25 04:21 . 2009-08-13 14:55 26624 ----a-w- c:\windows\system32\VNCpm.dll
2009-07-25 04:21 . 2009-08-13 14:55 4608 ----a-w- c:\windows\system32\drivers\vncmirror.sys
2009-07-25 04:21 . 2009-08-13 14:55 20992 ----a-w- c:\windows\system32\vncmirror.dll
2009-07-21 06:52 . 2009-07-21 06:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-21 06:52 . 2009-07-21 06:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2009-07-16 16:32 . 2009-06-07 04:57 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-13 14:01 . 2008-10-21 02:54 70256 ----a-w- c:\documents and settings\Alan\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-09_00.42.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 12:00 . 2009-10-09 00:47 531046 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2009-10-08 17:56 531046 c:\windows\system32\perfh009.dat
+ 2008-04-14 12:00 . 2009-10-09 00:47 103912 c:\windows\system32\perfc009.dat
- 2008-04-14 12:00 . 2009-10-08 17:56 103912 c:\windows\system32\perfc009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-10-07 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-06-17 876548]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-07 149280]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Alan^Start Menu^Programs^Startup^Xfire.lnk]
path=c:\documents and settings\Alan\Start Menu\Programs\Startup\Xfire.lnk
backup=c:\windows\pss\Xfire.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Snagit 9.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Snagit 9.lnk
backup=c:\windows\pss\Snagit 9.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\UTorrent\\utorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"57640:TCP"= 57640:TCP:*:Disabled:Pando Media Booster
"57640:UDP"= 57640:UDP:*:Disabled:Pando Media Booster
"56630:TCP"= 56630:TCP:*:Disabled:Pando Media Booster
"56630:UDP"= 56630:UDP:*:Disabled:Pando Media Booster
"56494:TCP"= 56494:TCP:*:Disabled:Pando Media Booster
"56494:UDP"= 56494:UDP:*:Disabled:Pando Media Booster
"86:TCP"= 86:TCP:BroadCam Web Server
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 JAHCI;JAHCI;c:\windows\system32\drivers\JAHCI.sys [11/5/2008 8:53 PM 33280]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/24/2009 9:48 AM 64160]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/13/2009 4:46 PM 55152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [6/7/2009 12:59 AM 210216]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [8/13/2009 10:34 AM 6016]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [7/23/2009 8:28 PM 28672]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;c:\windows\system32\drivers\ULILAN51.SYS [10/20/2008 10:11 PM 28672]
S2 0230211255024606mcinstcleanup;McAfee Application Installer Cleanup (0230211255024606);c:\windows\TEMP\023021~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\023021~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 951632]
S3 BroadCamService;BroadCam Service;c:\program files\NCH Software\BroadCam\broadCam.exe [6/16/2009 9:27 PM 368644]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2/6/2009 6:08 PM 533360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files\Microsoft SQL Server\100\Shared\sqladhlp.exe [7/10/2008 8:28 PM 47128]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 8:01 AM 2799808]
S4 RsFx0102;RsFx0102 Driver;c:\windows\system32\drivers\RsFx0102.sys [7/10/2008 2:49 AM 242712]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [7/10/2008 8:28 PM 369688]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0230211255024606MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-10-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-1417001333-1003Core.job
- c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 01:17]

2009-10-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-117609710-1482476501-1417001333-1003UA.job
- c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-07 01:17]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 01:26]

2009-10-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-06-07 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
FF - ProfilePath - c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\5mxin21v.default\
FF - prefs.js: browser.search.selectedEngine - Bing
FF - prefs.js: browser.startup.homepage - hxxp://www.bing.com/
FF - component: c:\documents and settings\Alan\Application Data\Mozilla\Firefox\Profiles\5mxin21v.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\Alan\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-10-09 21:27
ComboFix-quarantined-files.txt 2009-10-09 01:27
ComboFix2.txt 2009-10-09 00:50

Pre-Run: 134,917,451,776 bytes free
Post-Run: 134,903,361,536 bytes free

235 --- E O F --- 2009-05-13 07:02

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Its running great! I think I might have to re-install McAffee, but that's no problem!

Seriously, I know you must get this a lot but without your help I would be screwed! Thank you so much! I wish I could donate, but because I am only 13 I cant . Anyways thanks a lot for all your time. I'll make sure to keep this site in my favorites! For whenever (If ever) I get infected thanks!

Oh yea one more question. How do I get rid of winlogon?

Is that one of the programs we renamed to get around the malware, or the real winlogon? Is it WGA?

Uhmmm, It says that its a screensaver file. Its size is 392 KB. Its description is winlogon. Whenever I try to put it in the recycle it says
Cannot delete winlogon: Access is denied.
Make sure the disk is not full or write protected and that the file is not currently in use.
Whenever I try to run it, it says Windows cannot access the specified device path or file. You may not have the appropriate permissions to acces the item.
Its under C:\Documents and Settings\Alan\Desktop\winlogon.scr

You should try making a post, if you mix in your problem with mine it might get confusing.

PS: I also cant install IE8 I have it on my desktop and it goes through the first step then it stops on the checking for malware part and it tells me to restart my computer. Could I possibly still be infected?

Run ESET Online Scan
Please do an online scan with ESET Online Scanner. Please use Internet Explorer as it uses ActiveX.

• Check (tick) this box: YES, I accept the Terms of Use.
  
• Click on the Start button next to it.
  
• When prompted to run ActiveX. click Yes.
  
• You will be asked to install an ActiveX. Click Install.
  
• Once installed, the scanner will be initialized.
  
• After the scanner is initialized, click Start.
  
• Uncheck (untick) Remove found threats box.
  
• Check (tick) Scan unwanted applications.
  
• Click on Scan.
  
• It will start scanning. Please be patient.
  
• Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.
  

Problem one I cant use IE it doesn't want to install. But I'm going to try using Google Chrome instead because it says it can use a smart online scanner that wont IE or something.

This took forever!!! over 6 hours!


ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=5612c9d7de98bd4c835bd01c95f89639
# end=stopped
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-10 08:57:01
# local_time=2009-10-10 04:57:01 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 21 100 88 33997994531250
# scanned=4282
# found=0
# cleaned=0
# scan_time=729
ESETSmartInstaller@High as downloader log:
all ok
esets_scanner_update returned -1 esets_gle=53251
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=5612c9d7de98bd4c835bd01c95f89639
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-10-11 02:57:49
# local_time=2009-10-10 10:57:49 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=5121 21 100 88 34214476562500
# scanned=242416
# found=4
# cleaned=0
# scan_time=21601
C:\Documents and Settings\Alan\Desktop\MATTS STUFF\release\dbvm05.rar probably unknown TSR.BOOT virus 00000000000000000000000000000000 I
C:\Documents and Settings\Alan\Desktop\MATTS STUFF\release\vmcd.iso probably unknown TSR.BOOT virus 00000000000000000000000000000000 I
C:\Documents and Settings\Alan\Desktop\MATTS STUFF\release\vmdisk.img probably unknown TSR.BOOT virus 00000000000000000000000000000000 I
C:\WINDOWS\Downloaded Program Files\gsda.dll Win32/TrojanDownloader.SpyGame.A trojan 00000000000000000000000000000000 I

Hello.
Did you clean them? the files found don't look executable anyhow, but one thing that catches my eye is the first 3 things.

Do you know what them 3 rar/iso/img files are?

Yes actually there from a Cheat Engine that my friend tried to use to hack in game -.- and I deleted all of them yes but do you know why I cant install IE?

I'm not exactly sure, we've cleaned the malware out now.
I've asked a colleague to send me something, hold tight.

Please navigate to this webpage and see the section "Fix it for me"

Click the Microsoft Fix-It button. Download the file to your Desktop. Then, double-click it to run. Follow the prompts.

Sweet IE works now!
But my dads doesn't like a million things on the desktop, (really only like 10) so how would I get rid of the winlogon file?
And also, the Microsoft fix thing created a second user called ASP.NET Machine Account. Is this normal? Do I get rid of it? Do I do a name change? Thanks.

Hello.
You can just right click > "Delete" everything we used.

Yes, MS creates that ASP.NET user account, just leave it alone.

I can delete everything other than the winlogon thing it says:
Cannot delete winlogon Access is denied.

Make sure the disk is not full or write protected and that the file is not currently in use.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
c:\documents and settings\Alan\Desktop\winlogon.scr

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Hmm weird. I cant extract it to my desktop.
It does everything it usually does when its extracting but then it just doesn't appear anywhere.
And it didn't work when I tried extracting it to different places.
I also tried re-downloading it and it does the same thing. I'll reboot my machine then try re-downloading it if it doesn't work then I'll try just bringing the .exe inside the .zip with a USB stick.

Okay, let me know how it goes.

Okay so the reboot thing didn't work but when I tried via USB Memory Stick it worked perfectly I put in the code and now the problem seemingly is gone! here is the log:
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "c:\documents and settings\Alan\Desktop\winlogon.scr" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Thank you so much again for your help! It would seem as though you have fȋxed my problem! If I run into anything I'll make sure to look to this site for help!
Thanks,
Matthew

Hello.
So, how is the machine now? anymore problems?

No it seems like its working fine!