Mcafee Error Starting on demand scanner - help!

Hi,

Looks like i've picked up some nasty visru from somewhere I get redirected to some odd looking sites in google and if I try to do a scan with Mcafee i get this error:

Error Starting on demand scanner

I've tried spybot but that just closes automatically and Malwarebytes' Anti-Malware does the same so I'm a bit stuck!

I tried running the hijackthis program and got this:
'An unexpected error has occured at procedure: modRegistry_Inigetstring(sFile=win.ini, sSection=windows, sValue=load)
Error #5 - invalid procedure call or argument

Please help, I've no idea what to try next

update: i got hijackthis to run a couple of times but it closed itself before i had time to copy and paste the text, now it wont run at all

another update: Systemlook gave me this:

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [17:41 02/08/2008] [19:00 10/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [17:35 02/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [17:56 07/03/2019] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [17:41 02/08/2008] [19:00 10/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [17:35 02/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [17:56 07/03/2019] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [17:41 02/08/2008] [19:00 10/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [17:33 02/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [17:56 07/03/2019] [00:11 14/04/2008] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

when i try to extract the avenger.zip mcafee tells me its blocked 'backdoor-EFN' trojan so wont let me run it

do i need to disable mcafee?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Malwarebytes' Anti-Malware 1.41
Database version: 3071
Windows 5.1.2600 Service Pack 3

31/10/2009 21:01:20
mbam-log-2009-10-31 (21-01-20).txt

Scan type: Quick Scan
Objects scanned: 120980
Time elapsed: 9 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 12
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1a26f07f-0d60-4835-91cf-1e1766a0ec56} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhceg1j0enae (Rogue.AntiVirusXP) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecB.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Fonts\acrsecI.fon (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\BarryD\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

I'm still getting the same mcafee error and spybot wont run at all so I guess i'm not out of the woods yet?

currently running a full scan with malwarebytes, nearly 2 hours in and 1 infected object found so far.....

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

ComboFix 09-10-30.01 - BarryD 01/11/2009 23:08.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.572 [GMT 0]
Running from: c:\documents and settings\BarryD\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\recycler\S-1-5-21-1786715176-3111723283-1950669573-500
c:\windows\desktop
c:\windows\desktop\Virtual Pool 3.lnk
c:\windows\emMON.exe
c:\windows\Fonts\acrsec.fon
c:\windows\kb913800.exe
c:\windows\run.log
c:\windows\system32\Cache
c:\windows\system32\clrviddc.dll
c:\windows\system32\images
c:\windows\system32\images\3models.gif
c:\windows\system32\images\but3_off.gif
c:\windows\system32\images\but3_on.gif
c:\windows\system32\images\main_bot.gif
c:\windows\system32\images\main_mid.gif
c:\windows\system32\images\main_top.gif
c:\windows\system32\images\model1.gif
c:\windows\system32\images\panel_bot.gif
c:\windows\system32\images\panel_top.gif
c:\windows\system32\images\pc.gif
c:\windows\system32\images\pcw_award_cover.gif
c:\windows\system32\images\pcwcover.gif
c:\windows\system32\images\Thumbs.db
c:\windows\system32\images\topoff.gif
c:\windows\system32\images\topon.gif
c:\windows\system32\images\webscreen.gif
c:\windows\system32\tmp40.tmp
F:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2019-03-07 17:56 . 2009-08-29 07:36 832512 -c--a-w- c:\windows\system32\dllcache\wininet.dll
2019-03-07 17:53 . 2019-03-07 17:53 -------- d-----w- C:\cmpnents
2009-11-01 20:42 . 2009-11-01 20:43 -------- d-----w- c:\program files\Spybot - Search and Destroy
2009-11-01 20:33 . 2009-11-01 20:33 -------- d--h--w- c:\windows\PIF
2009-10-30 22:44 . 2009-10-30 22:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-30 22:23 . 2009-10-30 22:28 -------- d-----w- c:\documents and settings\BarryD\.SunDownloadManager
2009-10-30 19:48 . 2009-10-30 19:48 -------- d-----w- c:\documents and settings\BarryD\Application Data\Malwarebytes
2009-10-30 19:48 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 19:48 . 2009-10-30 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 19:48 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 19:48 . 2009-10-31 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:16 . 2009-09-06 07:09 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2009-10-13 20:49 . 2009-10-13 20:49 120 ----a-w- C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 22:51 . 2007-01-07 23:59 -------- d-----w- c:\documents and settings\BarryD\Application Data\BitTorrent
2009-11-01 21:42 . 2009-04-01 21:48 -------- d-----w- c:\documents and settings\BarryD\Application Data\HPAppData
2009-11-01 21:08 . 2007-01-08 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 20:39 . 2007-01-08 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-11-01 19:15 . 2007-01-02 20:29 -------- d-----w- c:\program files\McAfee
2009-10-30 00:25 . 2006-09-23 06:50 88776 ----a-w- c:\documents and settings\BarryD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 23:59 . 2008-10-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 23:56 . 2008-10-25 14:15 -------- d-----w- c:\program files\Microsoft Works
2009-10-21 22:20 . 2007-04-25 19:36 -------- d-----w- c:\program files\Winamp
2009-09-27 22:35 . 2009-09-27 22:35 71960 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-27 22:33 . 2007-04-14 15:08 -------- d-----w- c:\documents and settings\BarryD\Application Data\Apple Computer
2009-09-27 22:01 . 2009-09-27 21:59 -------- d-----w- c:\program files\iTunes
2009-09-27 22:01 . 2009-09-27 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 21:59 . 2009-09-27 21:59 -------- d-----w- c:\program files\iPod
2009-09-27 21:59 . 2007-12-26 22:47 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 21:56 . 2009-09-27 21:55 -------- d-----w- c:\program files\QuickTime
2009-09-27 21:45 . 2009-09-27 21:45 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 22:01 . 2008-09-29 20:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-16 09:22 . 2007-04-22 09:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 . 2007-04-22 09:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 . 2007-04-22 09:55 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 . 2007-04-22 09:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 . 2007-04-22 09:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2019-03-07 17:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 17:05 . 2009-06-30 17:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 18:21 . 2009-08-31 20:42 -------- d-----w- c:\documents and settings\BarryD\Application Data\HpUpdate
2009-09-04 21:03 . 2019-03-07 17:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 21:46 . 2009-09-01 21:21 116839 ----a-w- c:\windows\hpqins00.dat
2009-08-29 07:36 . 2019-03-07 17:56 832512 ----a-w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2019-03-07 17:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2019-03-07 17:56 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 18:42 . 2009-03-26 21:04 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2007-12-26 22:48 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2019-03-07 17:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 19:24 . 2005-12-02 08:45 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 19:24 . 2005-12-02 08:45 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 19:24 . 2005-12-02 08:45 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 19:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 19:24 . 2005-12-02 08:45 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 19:24 . 2019-03-07 17:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 19:23 . 2005-12-02 08:45 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 19:23 . 2008-10-25 14:21 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23 . 2008-10-25 14:21 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:23 . 2005-12-02 08:45 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2019-03-07 17:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2004-08-03 23:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-03 22:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2007-01-08 15:30 . 2007-01-08 15:30 37152 ----a-w- c:\program files\MC
.

------- Sigcheck -------

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[-] 2004-08-10 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search and Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-03 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-06-18 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\BarryD\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [29/09/2008 19:03 206096]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT [?]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [13/09/2006 23:15 34944]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/07/2007 21:54 16877]
S3 bfastfao;bfastfao;\??\c:\docume~1\BARRYD~1\LOCALS~1\Temp\bfastfao.sys --> c:\docume~1\BARRYD~1\LOCALS~1\Temp\bfastfao.sys [?]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT [?]
S3 xlink;XLink Driver (xlink.sys);c:\windows\system32\drivers\xlink.sys [26/09/2007 21:44 19677]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [02/12/2005 17:08 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [02/12/2005 17:08 51840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-04-22 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-22 11:22]

2007-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-22 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: peeron.com\www
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-PowerBar - (no file)
AddRemove-HijackThis - c:\documents and settings\BarryD\Local Settings\Temporary Internet Files\Content.IE5\6FTV44CO\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 23:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(556)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\windows\system32\dllhost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-11-01 23:28 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 23:28

Pre-Run: 170,484,805,632 bytes free
Post-Run: 170,323,681,280 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 698EB89EC021D950587CF025D67B2CF0

Last edited by BarryD on 2nd November 2009, 6:39 pm; edited 1 time in total

Mcafee still gives me the same message when i try and scan

I uninstalled spybot and re-installed it (had to put it in a different folder as i cant delete 'SpybotSD.exe' but it works fine now.

Hello.
This malware has the ability to change file permissions which cause this problem, we can fix it, but not just yet, there are still other issues.

1. Close any open browsers.
   
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
3. Open notepad and copy/paste the text in the quotebox below into it:
   

   
   FCopy::
   c:\windows\$NtServicePackUninstall$\eventlog.dll | c:\windows\system32\eventlog.dll
   
   Driver::
   bfastfao
   

   
   
4. Save this as CFScript.txt, in the same location as ComboFix.exe
   
   
   
   
5. Referring to the picture above, drag CFScript into ComboFix.exe
   
6. When finished, it shall produce a log for you at C:\ComboFix.txt
   
7. Please post the contents of the log in your next reply.
   

ComboFix 09-11-01.04 - BarryD 02/11/2009 18:16.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1023.532 [GMT 0:00]
Running from: c:\documents and settings\BarryD\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\BarryD\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BFASTFAO
-------\Service_bfastfao


((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.

2019-03-07 17:56 . 2009-08-29 07:36 832512 -c--a-w- c:\windows\system32\dllcache\wininet.dll
2019-03-07 17:53 . 2019-03-07 17:53 -------- d-----w- C:\cmpnents
2009-11-02 18:16 . 2008-04-14 00:11 56320 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-11-02 18:16 . 2008-04-14 00:11 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-11-02 18:02 . 2009-11-02 18:16 -------- d-----w- c:\windows\LastGood.Tmp
2009-11-01 20:42 . 2009-11-01 20:43 -------- d-----w- c:\program files\Spybot - Search and Destroy
2009-11-01 20:33 . 2009-11-01 20:33 -------- d--h--w- c:\windows\PIF
2009-10-30 22:44 . 2009-10-30 22:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-30 22:23 . 2009-10-30 22:28 -------- d-----w- c:\documents and settings\BarryD\.SunDownloadManager
2009-10-30 19:48 . 2009-10-30 19:48 -------- d-----w- c:\documents and settings\BarryD\Application Data\Malwarebytes
2009-10-30 19:48 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-30 19:48 . 2009-10-30 19:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-30 19:48 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-30 19:48 . 2009-10-31 20:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-16 17:16 . 2009-09-06 07:09 126976 -c----w- c:\windows\system32\dllcache\ftpsvc2.dll
2009-10-13 20:49 . 2009-10-13 20:49 120 ----a-w- C:\drmHeader.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 18:12 . 2009-04-01 21:48 -------- d-----w- c:\documents and settings\BarryD\Application Data\HPAppData
2009-11-02 18:02 . 2007-01-02 20:29 -------- d-----w- c:\program files\McAfee
2009-11-01 23:57 . 2007-01-07 23:59 -------- d-----w- c:\documents and settings\BarryD\Application Data\BitTorrent
2009-11-01 21:08 . 2007-01-08 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 20:39 . 2007-01-08 18:01 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-30 00:25 . 2006-09-23 06:50 88776 ----a-w- c:\documents and settings\BarryD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-29 23:59 . 2008-10-25 14:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-29 23:56 . 2008-10-25 14:15 -------- d-----w- c:\program files\Microsoft Works
2009-10-21 22:20 . 2007-04-25 19:36 -------- d-----w- c:\program files\Winamp
2009-09-27 22:35 . 2009-09-27 22:35 71960 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-27 22:33 . 2007-04-14 15:08 -------- d-----w- c:\documents and settings\BarryD\Application Data\Apple Computer
2009-09-27 22:01 . 2009-09-27 21:59 -------- d-----w- c:\program files\iTunes
2009-09-27 22:01 . 2009-09-27 21:59 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-27 21:59 . 2009-09-27 21:59 -------- d-----w- c:\program files\iPod
2009-09-27 21:59 . 2007-12-26 22:47 -------- d-----w- c:\program files\Common Files\Apple
2009-09-27 21:56 . 2009-09-27 21:55 -------- d-----w- c:\program files\QuickTime
2009-09-27 21:45 . 2009-09-27 21:45 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-25 22:01 . 2008-09-29 20:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2009-09-16 09:22 . 2007-04-22 09:55 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 09:22 . 2007-04-22 09:55 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 09:22 . 2007-04-22 09:55 214664 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-09-16 09:22 . 2007-04-22 09:55 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 09:22 . 2007-04-22 09:55 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 14:18 . 2019-03-07 17:56 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 17:05 . 2009-06-30 17:28 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 18:21 . 2009-08-31 20:42 -------- d-----w- c:\documents and settings\BarryD\Application Data\HpUpdate
2009-09-04 21:03 . 2019-03-07 17:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-01 21:46 . 2009-09-01 21:21 116839 ----a-w- c:\windows\hpqins00.dat
2009-08-29 07:36 . 2019-03-07 17:56 832512 ------w- c:\windows\system32\wininet.dll
2009-08-29 07:36 . 2019-03-07 17:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-29 07:36 . 2019-03-07 17:56 17408 ----a-w- c:\windows\system32\corpol.dll
2009-08-28 18:42 . 2009-03-26 21:04 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-28 18:42 . 2007-12-26 22:48 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 08:00 . 2019-03-07 17:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-17 22:33 . 2009-08-17 22:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-06 19:24 . 2005-12-02 08:45 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 19:24 . 2005-12-02 08:45 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 19:24 . 2005-12-02 08:45 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 19:24 . 2005-05-26 03:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 19:24 . 2005-12-02 08:45 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 19:24 . 2019-03-07 17:56 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 19:23 . 2005-12-02 08:45 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 19:23 . 2008-10-25 14:21 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 19:23 . 2008-10-25 14:21 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 19:23 . 2005-12-02 08:45 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2019-03-07 17:56 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2007-01-08 15:30 . 2007-01-08 15:30 37152 ----a-w- c:\program files\MC
.

((((((((((((((((((((((((((((( SnapShot@2009-11-01_23.21.07 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-02 18:27 . 2009-11-02 18:27 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2009-11-02 18:27 . 2009-11-02 18:27 16384 c:\windows\Temp\Perflib_Perfdata_56c.dat
+ 2005-12-02 08:49 . 2009-11-02 18:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-02 08:49 . 2009-11-01 21:25 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-11-01 23:41 . 2009-11-02 18:02 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-12-02 08:49 . 2009-11-01 21:25 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-11-02 18:16 . 2004-08-10 19:00 55808 c:\windows\LastGood.Tmp\system32\eventlog.dll
+ 2008-12-05 23:55 . 2009-11-02 18:27 222436 c:\windows\system32\inetsrv\MetaBase.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search and Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-11 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-08-11 86016]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-07 1176808]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-09-17 645328]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-04-03 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-14 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Ptipbmf"="ptipbmf.dll" - c:\windows\system32\ptipbmf.dll [2003-06-20 118784]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2004-10-27 61952]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-08-11 1519616]
"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-06-18 16384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\BarryD\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Autodesk Licensing Service"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Program Files\\McAfee\\MBK\\McAfeeDataBackup.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\barryD\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\common\\left 4 dead demo\\left4dead.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [29/09/2008 19:03 206096]
R2 MSSQL$INVENTORCONTENT;MSSQL$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe -sINVENTORCONTENT [?]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter;c:\windows\system32\drivers\atl01_xp.sys [13/09/2006 23:15 34944]
S2 0327601257184976mcinstcleanup;McAfee Application Installer Cleanup (0327601257184976);c:\windows\TEMP\032760~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\032760~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/07/2007 21:54 16877]
S3 SQLAgent$INVENTORCONTENT;SQLAgent$INVENTORCONTENT;c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT --> c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlagent.EXE -i INVENTORCONTENT [?]
S3 xlink;XLink Driver (xlink.sys);c:\windows\system32\drivers\xlink.sys [26/09/2007 21:44 19677]
S4 m5287;m5287;c:\windows\system32\drivers\m5287.sys [02/12/2005 17:08 85888]
S4 m5289;m5289;c:\windows\system32\drivers\m5289.sys [02/12/2005 17:08 51840]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0327601257184976MCINSTCLEANUP
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-08-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-04-22 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-22 11:22]

2007-07-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-04-22 11:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://uk.search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
Trusted Zone: peeron.com\www
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 18:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3512)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
c:\program files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\program files\Microsoft SQL Server\MSSQL$INVENTORCONTENT\Binn\sqlservr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files\HP\Digital Imaging\bin\hpqgpc01.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\eHome\ehmsas.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
.
**************************************************************************
.
Completion time: 2009-11-02 18:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-02 18:35
ComboFix2.txt 2009-11-01 23:28

Pre-Run: 170,165,895,168 bytes free
Post-Run: 170,125,606,912 bytes free

- - End Of File - - B09C7CF1BE2926992E82CA683C3F608E

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Computer seems to be running ok (and has seemed ok since the successful malwarebytes scan)

mcafee still gives the 'error starting on demand scanner' when i try to scan

Please download this file.

• Please download Junction.zip and save it.
  
• Unzip it and put junction.exe in the Windows directory (C:\Windows).
  
• Go to Start => Run... => Copy and paste the following command in the run box and click OK:
  
  cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  
  
• A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.
  

Junction v1.05 - Windows junction creator and reparse point viewer
Copyright (C) 2000-2007 Mark Russinovich
Systems Internals - http://www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...
Failed to open \\?\c:\\Program Files\McAfee\VirusScan\mcods.exe: Access is denied.




...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...


Failed to open \\?\c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe: Access is denied.


...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

...

..\\?\c:\\WINDOWS\$hf_mig$\KB904706\KB904706: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB917159\KB917159: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB918899\KB918899: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\$hf_mig$\KB920213\KB920213: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB924496\KB924496: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB925454\KB925454: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\$hf_mig$\KB932168\KB932168: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB933729\KB933729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB941568\KB941568: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\$hf_mig$\KB943460\KB943460: MOUNT POINT
Substitute Name: \Device\__max++>\^

...

...

...

...

...\\?\c:\\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790
Substitute Name: C:\WINDOWS\WinSxS\x86_System.EnterpriseServices_b03f5f7f11d50a3a_2.0.0.0_x-ww_7d5f3790

\\?\c:\\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a: JUNCTION
Print Name : C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e
Substitute Name: C:\WINDOWS\WinSxS\MSIL_IEExecRemote_b03f5f7f11d50a3a_2.0.0.0_x-ww_6e57c34e



\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\BDATunePIA\BDATunePIA: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehCIR\ehCIR: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\EhCM\EhCM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehcommon\ehcommon: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepg\ehepg: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehepgdat\ehepgdat: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtCOM\ehExtCOM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehExtHost\ehExtHost: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtCOM\ehiExtCOM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiExtens\ehiExtens: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiMsgr\ehiMsgr: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiPlay\ehiPlay: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiProxy\ehiProxy: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiUserXp\ehiUserXp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiVidCtl\ehiVidCtl: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiwmp\ehiwmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehiWUapi\ehiWUapi: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehRecObj\ehRecObj: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\ehshell\ehshell: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages1_v1.1.4322\Microsoft.MediaCenter\Microsoft.MediaCenter: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP115.tmp\ZAP115.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP133.tmp\ZAP133.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP400.tmp\ZAP400.tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\temp\temp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\assembly\tmp\tmp: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Config\Config: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Connection Wizard\Connection Wizard: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\ehome\CreateDisc\SonicResources\SonicResources: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Cache\CacheDataFiles\CacheDataFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ehome\CreateDisc\Styles\NTSC\Symphony\Symphony\Symphony: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Cache\CacheDataFiles\CacheDataFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ehome\CreateDisc\Styles\PAL\Symphony\Symphony\Symphony: MOUNT POINT
Substitute Name: \Device\__max++>\^

..

...

...\\?\c:\\WINDOWS\IIS Temporary Compressed Files\IIS Temporary Compressed Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\chsime\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\CHTIME\Applets\Applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imejp98\imejp98: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imjp8_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\applets\applets: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\imkr6_1\dicts\dicts: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\ime\shared\res\res: MOUNT POINT
Substitute Name: \Device\__max++>\^



..\\?\c:\\WINDOWS\inf\Other\Other: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\classes\classes: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\java\trustlib\trustlib: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Temporary ASP.NET Files\Bind Logs\Bind Logs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\msapps\msinfo\msinfo: MOUNT POINT
Substitute Name: \Device\__max++>\^



.\\?\c:\\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\batch\batch: MOUNT POINT
Substitute Name: \Device\__max++>\^


Failed to open \\?\c:\\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe: Access is denied.


\\?\c:\\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Config\News\News: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\System\DFS\DFS: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\pchealth\helpctr\System_OEM\System_OEM: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\pchealth\helpctr\Temp\Temp: MOUNT POINT
Substitute Name: \Device\__max++>\^



\\?\c:\\WINDOWS\Registration\CRMLog\CRMLog: MOUNT POINT
Substitute Name: \Device\__max++>\^

...

..\\?\c:\\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\355f788b6de8a3ec79e9aa172e6317f1\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\Download\b7becdf0812b9161bfddc415c4486bad\backup\backup: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\SoftwareDistribution\SelfUpdate\Default\Default: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SoftwareDistribution\SelfUpdate\Registered\Registered: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\Sun\Java\Deployment\Deployment: MOUNT POINT
Substitute Name: \Device\__max++>\^

\\?\c:\\WINDOWS\SxsCaPendDel\SxsCaPendDel: MOUNT POINT
Substitute Name: \Device\__max++>\^



...

...

...

\\?\c:\\WINDOWS\WinSxS\InstallTemp\InstallTemp: MOUNT POINT
Substitute Name: \Device\__max++>\^

.\\?\c:\\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2: MOUNT POINT
Substitute Name: \Device\__max++>\^

Please download this file.

Like you did with juntion.exe, place inherit.exe into the Windows folder.

Now open a new notepad file.
Input this into the notepad file:

@echo off
"inherit.exe" "c:\Program Files\McAfee\VirusScan\mcods.exe"
"inherit.exe" "c:\\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
exit

Save this as fix.bat, save it to your desktop.

Let it run until it says OK on each one.

Spybot/Mcafee on-demand scanner will work now.

Wow.

I've no idea what you did or how you did it but it seems to have worked perfectly.

Huge thanks, very much appreciated!

Not a problem!

You can delete everything we used.