By lazerman3000 · 13 replies
Jan 21, 2011
  1. Hello,

    I wanted to ask a preliminary question. Having used this site before I trust the guidance and I am ready to follow the 8 step preliminary malware removal. However on searching for information on this current malware I found a site called d-a-l to which Broni also posts. The page (http://www.d-a-l.com/help/spyware-a...657-resolved-ram-memory-usage-critically.html) instructs that I should not do anything other than what is described in that thread or else I may suffer computer problems in the long run. The malware opens a 'windows scan' and tells me I have various RAM and HDD problems. My question is should I follow the 8 step program?

    Thank you in advance
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    It's going to depend on what's causing the RAM (memory) problem and what the problem is with the Hard Drive (HDD). I don't have enough information to go any further. Are you getting blue screens with writing on them? What are you doing when the messages come up? What is the source of the messages?

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    Running the preliminary scan we have set up should not harm your system. Following directions given to someone else can harm the system. So I'll review the logs and see what's going on. If it appears to be only a system problem, I will have the thread moved to a more appropriate forum.
  3. lazerman3000

    lazerman3000 TS Rookie Topic Starter


    Hi, thank you for the reply

    The problem is with a program that pops up called "windows scan" which tells me I have various hardware problems and asks me to purchase software to sort them out. I had already run Malwarebytes, so when I followed your preliminary 8 steps it came up with no malicious items. I have therefore included the first scan I ran along with the other logs you requested.

    Malware Bytes

    Malwarebytes' Anti-Malware

    Database version: 5567

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 8.0.6001.18999

    22/01/2011 08:20:25
    mbam-log-2011-01-22 (08-20-25).txt

    Scan type: Full scan (C:\|E:\|F:\|)
    Objects scanned: 345876
    Time elapsed: 1 hour(s), 49 minute(s), 49 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 1
    Registry Keys Infected: 0
    Registry Values Infected: 2
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    c:\programdata\pvyakouxdtewvdi.exe (Rogue.FakeHDD) -> 3980 -> Unloaded process successfully.
    c:\programdata\4o3orzlkx.exe (Rogue.FakeHDD) -> 4380 -> Unloaded process successfully.

    Memory Modules Infected:
    c:\programdata\swmcwhrcwjythhw.dll (Rogue.FakeHDD) -> Delete on reboot.

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pVYaKOuxDtewvDI.exe (Rogue.FakeHDD) -> Value: pVYaKOuxDtewvDI.exe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4o3orzlkx (Rogue.FakeHDD) -> Value: 4o3orzlkx -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\swmcwhrcwjythhw.dll (Rogue.FakeHDD) -> Delete on reboot.
    c:\programdata\pvyakouxdtewvdi.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    c:\programdata\4o3orzlkx.exe (Rogue.FakeHDD) -> Delete on reboot.
    c:\Users\jim cocker\AppData\Local\microsoft\Windows\temporary internet files\Low\Content.IE5\6QM8VAY7\TFC[1].exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
    c:\Users\jim cocker\AppData\Local\Temp\tmp79F.tmp (Rogue.FakeHDD) -> Quarantined and deleted successfully.


    GMER - http://www.gmer.net
    Rootkit quick scan 2011-01-22 10:22:57
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0
    Running: n0zy3qs8.exe; Driver: C:\Users\JIMCOC~1\AppData\Local\Temp\uwdciuog.sys

    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0x82B500B8]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0x82B500E2]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0x82B500CE]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0x82B500A4]
    Code \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Tcp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
    AttachedDevice \Driver\tdx \Device\Udp mfewfpk.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

    ---- EOF - GMER 1.0.15 ----


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Jim Cocker at 10:25:45.33 on 22/01/2011
    Internet Explorer: 8.0.6001.18999
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2010.909 [GMT 0:00]

    AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}

    ============== Running Processes ===============

    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Program Files\Dell\DellDock\DockLogin.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Barclays\Business Manager\bin\ticketservice.exe
    C:\Program Files\Barclays\Business Manager\bin\updateservice.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    C:\Program Files\Common Files\Mcafee\McSvcHost\McSvHost.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
    C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
    C:\Program Files\Dell\DellDock\DellDock.exe
    C:\Program Files\DellTPad\Apoint.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Dell DataSafe Online\DataSafeOnline.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
    C:\Program Files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe
    C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
    C:\Program Files\My Hub\SpareTray.exe
    C:\Program Files\Carbonite\CarbonitePreinstaller.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\system32\svchost.exe -k WindowsMobile
    C:\Program Files\DellTPad\ApMsgFwd.exe
    C:\Program Files\DellTPad\HidFind.exe
    C:\Program Files\DellTPad\Apntex.exe
    C:\Program Files\Common Files\Teleca Shared\Generic.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Teleca Shared\logger.exe
    C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
    C:\Program Files\HTC\HTC Sync\ClientInitiatedStarter\ClientInitiatedStarter.exe
    C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\epmworker.exe
    C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\DbgOut.exe
    C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\HTCVBTServer.exe
    C:\Program Files\HTC\HTC Sync\Mobile Phone Monitor\FsynSrvStarter.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
    C:\Users\Jim Cocker\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page = hxxp://www.google.com
    uStart Page = hxxp://www.bbc.co.uk/
    uSearch Bar = hxxp://www.google.com/ie
    mStart Page = hxxp://search.myheritage.com
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20101110210822.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - No File
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\delltpad\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [QuickSet] c:\program files\dell\quickset\QuickSet.exe
    mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
    mRun: [Dell DataSafe Online] "c:\program files\dell datasafe online\DataSafeOnline.exe" /m
    mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
    mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 4.0\apdproxy.exe"
    mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe
    mRun: [Barclays Business Manager] c:\program files\barclays\business manager\bin\BarclaysBusinessManager.exe /server
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [Mobile Connectivity Suite] "c:\program files\htc\htc sync\application launcher\Application Launcher.exe" /startoptions
    mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
    mRun: [Spare Backup] "c:\program files\my hub\SpareTray.exe" /silent
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
    mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
    StartupFolder: c:\users\jimcoc~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\jimcoc~1\appdata\roaming\mozilla\firefox\profiles\6pgh1yap.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
    FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\mcafee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

    ============= SERVICES / DRIVERS ===============

    R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-5-31 386840]
    R1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\drivers\mfenlfk.sys [2010-6-26 64304]
    R1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-6-26 164840]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_f6ef8056\AEstSrv.exe [2009-5-22 81920]
    R2 BBMTicketService;BBM Ticket Service;c:\program files\barclays\business manager\bin\ticketservice.exe [2009-9-29 40960]
    R2 BBMUpdateService;BBM Update Service;c:\program files\barclays\business manager\bin\updateservice.exe [2009-9-29 49152]
    R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
    R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-12-18 189736]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
    R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
    R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
    R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-6-26 271480]
    R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-6-26 171168]
    R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-6-26 188136]
    R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-6-26 141792]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc --> RUNDLL32.EXE ykx32coinst,serviceStartProc [?]
    R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-6-26 55840]
    R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-6-26 152960]
    R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-6-26 52104]
    R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-6-26 313288]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
    S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
    S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2009-6-10 24576]
    S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-6-26 84264]
    S3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\dellsu~1\hwdiag\bin\PCD5SRVC.pkms [2008-11-4 22904]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    =============== Created Last 30 ================

    2011-01-11 19:00:29 708608 ----a-w- c:\program files\common files\system\ado\msado15.dll
    2011-01-11 19:00:29 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-11 19:00:28 57344 ----a-w- c:\program files\common files\system\msadc\msadcs.dll
    2011-01-11 19:00:28 253952 ----a-w- c:\program files\common files\system\ado\msadox.dll
    2011-01-11 19:00:28 241664 ----a-w- c:\program files\common files\system\ado\msadomd.dll
    2011-01-11 19:00:28 180224 ----a-w- c:\program files\common files\system\msadc\msadco.dll
    2011-01-11 19:00:23 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-12-30 20:28:47 -------- d-----w- c:\users\jimcoc~1\appdata\roaming\MyHeritage
    2010-12-30 20:28:47 -------- d-----w- c:\progra~2\MyHeritage
    2010-12-30 20:28:24 454656 ----a-w- c:\windows\system32\PaintX.dll
    2010-12-30 20:28:24 372736 ----a-w- c:\windows\system32\ijl15.dll
    2010-12-30 20:28:23 -------- d-----w- c:\users\jimcoc~1\appdata\roaming\The Complete Genealogy Reporter - FTB
    2010-12-30 20:28:00 -------- d-----w- c:\program files\MyHeritage

    ==================== Find3M ====================

    2010-12-20 11:32:06 384528 ----a-w- c:\windows\system32\FTBSaver.scr
    2010-11-29 17:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 17:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-04 18:56:07 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55:38 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55:38 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55:12 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34:06 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01:54 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57:27 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57:11 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57:11 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01:31 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26:10 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24:44 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44:56 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27:47 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20:12 2048 ----a-w- c:\windows\system32\tzres.dll

    ============= FINISH: 10:26:59.08 ===============

    DDS Attach


    DDS (Ver_10-12-12.02)

    Microsoft® Windows Vista™ Home Premium
    Boot Device: \Device\HarddiskVolume3
    Install Date: 22/05/2009 06:46:47
    System Uptime: 22/01/2011 09:53:53 (1 hours ago)

    Motherboard: Dell Inc. | | 0G848F
    Processor: Pentium(R) Dual-Core CPU T4200 @ 2.00GHz | Microprocessor | 2000/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 134 GiB total, 55.491 GiB free.
    E: is FIXED (NTFS) - 15 GiB total, 8.805 GiB free.
    F: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Help Center 2.0
    Adobe Photoshop Elements 4.0
    Adobe Reader 9.3
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    BBC iPlayer Desktop
    Business Manager
    Camera Window
    Canon Camera TWAIN Driver
    Canon Camera Window for ZoomBrowser EX
    Canon EOS Kiss REBEL 300D TWAIN Driver
    Canon Internet Library for ZoomBrowser EX
    Canon PhotoRecord
    Canon Utilities File Viewer Utility 1.3
    Canon Utilities PhotoStitch 3.1
    Canon Utilities RemoteCapture 2.7
    Canon Utilities ZoomBrowser EX
    Carbonite Online Backup Setup
    Choice Guard
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    CyberView X - MF v1.05
    Dell DataSafe Online
    Dell Dock
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Video Chat
    Dell Wireless WLAN Card Utility
    File Viewer Utility 1.3.1
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    HP Deskjet All-In-One Software 9.0
    HTC Driver Installer
    HTC Sync
    Huawei Modems
    Intel(R) TV Wizard
    Intel® Matrix Storage Manager
    Java(TM) 6 Update 11
    Junk Mail filter update
    Malwarebytes' Anti-Malware
    McAfee SecurityCenter
    Media Sync
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 3.5 SP1
    Microsoft .NET Framework 4 Client Profile
    Microsoft Application Error Reporting
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Basic 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft Train Simulator
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft WSE 2.0 SP3 Runtime
    Mozilla Firefox (3.6.12)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    muvee Reveal Seagate Edition
    My Hub
    MyHeritage Family Tree Builder
    OGA Notifier 2.0.0048.0
    ProTrain 3.1 - English Version 3.1
    QuickBooks Pro 2008
    RemoteCapture 2.7.4
    Roxio Creator Audio
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Seagate Manager Installer
    Security Update for 2007 Microsoft Office System (KB2288621)
    Security Update for 2007 Microsoft Office System (KB2288931)
    Security Update for 2007 Microsoft Office System (KB2289158)
    Security Update for 2007 Microsoft Office System (KB2344875)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Microsoft Office Excel 2007 (KB2345035)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2344993)
    SupportSoft Assisted Service
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB963673)
    Update for Microsoft Office Excel 2007 Help (KB963678)
    Update for Microsoft Office Outlook 2007 (KB2412171)
    Update for Microsoft Office Outlook 2007 Help (KB963677)
    Update for Microsoft Office Script Editor Help (KB963671)
    Update for Microsoft Office Word 2007 Help (KB963665)
    Update for Outlook 2007 Junk Email Filter (KB2483110)
    VLC media player 1.0.3
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer

    ==== End Of File ===========================

    I hope this makes sense to you. I really appreciate all your help, now and in the past.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you not see the entries found in Malwarebytes? I wouldn't call this no malicious items. The system was infected with Rogue.FakeHDD. Although Mbam quarantined the entries, there may possibly be other entries in the Registry. It is also seen as "Easy Scan", alias "HDD Low". Your main problem is that it is now in memory, and unless we can find and remove it from there, it will run again.
    There will still be entries to remove: Please run the following:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • .Click on Yes, to continue scanning for malware
    • .If Combofix asks you to update the program, allow
    • .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • .Close any open browsers.
    • .Double click combofix.exe[​IMG] & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
  5. lazerman3000

    lazerman3000 TS Rookie Topic Starter

    Eset and CF

    Thank you for your help so far here are the logs


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK


    ComboFix 11-01-24.02 - Jim Cocker 25/01/2011 22:52:44.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2010.830 [GMT 0:00]
    Running from: c:\users\Jim Cocker\Desktop\ComboFix.exe
    AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
    FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
    SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    ((((((((((((((((((((((((( Files Created from 2010-12-25 to 2011-01-25 )))))))))))))))))))))))))))))))

    2011-01-25 23:02 . 2011-01-25 23:02 -------- d-----w- c:\users\Default\AppData\Local\temp
    2011-01-25 22:05 . 2011-01-25 22:05 -------- d-----w- c:\program files\ESET
    2011-01-11 19:00 . 2010-12-28 15:55 413696 ----a-w- c:\windows\system32\odbc32.dll
    2011-01-11 19:00 . 2010-12-28 15:53 708608 ----a-w- c:\program files\Common Files\System\ado\msado15.dll
    2011-01-11 19:00 . 2010-12-28 15:53 253952 ----a-w- c:\program files\Common Files\System\ado\msadox.dll
    2011-01-11 19:00 . 2010-12-28 15:53 241664 ----a-w- c:\program files\Common Files\System\ado\msadomd.dll
    2011-01-11 19:00 . 2010-12-28 15:53 57344 ----a-w- c:\program files\Common Files\System\msadc\msadcs.dll
    2011-01-11 19:00 . 2010-12-28 15:53 180224 ----a-w- c:\program files\Common Files\System\msadc\msadco.dll
    2011-01-11 19:00 . 2010-12-14 14:49 1169408 ----a-w- c:\windows\system32\sdclt.exe
    2010-12-30 20:28 . 2010-12-30 20:29 -------- d-----w- c:\programdata\MyHeritage
    2010-12-30 20:28 . 2010-12-30 20:28 -------- d-----w- c:\users\Jim Cocker\AppData\Roaming\MyHeritage
    2010-12-30 20:28 . 2003-07-06 13:07 372736 ----a-w- c:\windows\system32\ijl15.dll
    2010-12-30 20:28 . 2002-03-07 00:19 454656 ----a-w- c:\windows\system32\PaintX.dll
    2010-12-30 20:28 . 2010-12-30 20:28 -------- d-----w- c:\users\Jim Cocker\AppData\Roaming\The Complete Genealogy Reporter - FTB
    2010-12-30 20:28 . 2010-12-30 20:28 -------- d-----w- c:\program files\MyHeritage

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    2010-12-20 18:09 . 2009-08-09 16:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2009-08-09 16:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-20 11:32 . 2010-12-20 11:32 384528 ----a-w- c:\windows\system32\FTBSaver.scr
    2010-11-29 17:38 . 2010-11-29 17:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 17:38 . 2010-11-29 17:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    2010-11-04 18:56 . 2010-12-14 19:21 345600 ----a-w- c:\windows\system32\wmicmiplugin.dll
    2010-11-04 18:55 . 2010-12-14 19:21 352768 ----a-w- c:\windows\system32\taskschd.dll
    2010-11-04 18:55 . 2010-12-14 19:21 270336 ----a-w- c:\windows\system32\taskcomp.dll
    2010-11-04 18:55 . 2010-12-14 19:21 601600 ----a-w- c:\windows\system32\schedsvc.dll
    2010-11-04 16:34 . 2010-12-14 19:21 171520 ----a-w- c:\windows\system32\taskeng.exe
    2010-11-02 06:01 . 2010-12-14 19:21 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-02 05:57 . 2010-12-14 19:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-02 05:57 . 2010-12-14 19:21 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-11-02 05:57 . 2010-12-14 19:21 71680 ----a-w- c:\windows\system32\iesetup.dll
    2010-11-02 05:57 . 2010-12-14 19:21 109056 ----a-w- c:\windows\system32\iesysprep.dll
    2010-11-02 05:01 . 2010-12-14 19:21 385024 ----a-w- c:\windows\system32\html.iec
    2010-11-02 04:26 . 2010-12-14 19:21 133632 ----a-w- c:\windows\system32\ieUnatt.exe
    2010-11-02 04:24 . 2010-12-14 19:21 1638912 ----a-w- c:\windows\system32\mshtml.tlb
    2010-10-28 15:44 . 2010-12-14 19:21 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-10-28 13:27 . 2010-12-14 19:21 292352 ----a-w- c:\windows\system32\atmfd.dll
    2010-10-28 13:20 . 2010-12-14 19:21 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-10-13 22:28 . 2010-08-08 19:12 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    *Note* empty entries & legit default entries are not shown

    2010-06-17 00:23 638728 ----a-w- c:\program files\My Hub\SpareShellExtension.dll

    2010-06-17 00:23 638728 ----a-w- c:\program files\My Hub\SpareShellExtension.dll

    2010-06-17 00:23 638728 ----a-w- c:\program files\My Hub\SpareShellExtension.dll

    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-06-06 39408]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]

    "Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-04-01 217088]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-04-01 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-04-01 173592]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2009-04-01 150552]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-22 3810304]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-05-07 178712]
    "dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
    "Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]
    "Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2008-01-21 215552]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "Mobile Connectivity Suite"="c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe" [2009-11-19 598016]
    "Spare Backup"="c:\program files\My Hub\SpareTray.exe" [2010-06-17 1142024]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]

    c:\users\Jim Cocker\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

    c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-2-27 1316192]

    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
    2009-05-22 11:13 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll




    [HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    %ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Barclays Business Manager]
    2009-09-29 16:03 181568 ----a-w- c:\program files\Barclays\Business Manager\bin\BarclaysBusinessManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
    2009-08-04 07:49 318096 ----a-w- c:\program files\Carbonite\CarbonitePreinstaller.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
    2009-11-13 16:15 1807600 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
    2010-12-20 18:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxMenuMgr]
    2009-12-18 10:24 197928 ----a-w- c:\program files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mcui_exe]
    2010-09-30 13:10 1193848 ----a-w- c:\program files\McAfee.com\Agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    2008-12-03 03:41 3882312 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2008-05-23 19:06 128296 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2010-11-29 17:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

    R2 0090151295900303mcinstcleanup;McAfee Application Installer Cleanup (0090151295900303);c:\windows\TEMP\009015~1.EXE [x]
    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 135664]
    R2 yksvc;Marvell Yukon Service;RUNDLL32.EXE ykx32coinst,serviceStartProc [x]
    R3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys [2009-06-10 24576]
    R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-10-13 84264]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2010-10-13 64304]
    S1 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2010-10-13 164840]
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-04-01 81920]
    S2 BBMTicketService;BBM Ticket Service;c:\program files\Barclays\Business Manager\bin\ticketservice.exe [2009-09-29 40960]
    S2 BBMUpdateService;BBM Update Service;c:\program files\Barclays\Business Manager\bin\updateservice.exe [2009-09-29 49152]
    S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
    S2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2009-12-18 189736]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe [2010-03-10 271480]
    S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2010-10-13 188136]
    S2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [2010-10-13 141792]
    S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-10-13 55840]
    S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-10-13 313288]
    S3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - mfeavfk01
    *Deregistered* - uwdciuog

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    WindowsMobile REG_MULTI_SZ wcescomm rapimgr
    LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    hpdevmgmt REG_MULTI_SZ hpqcxs08
    Contents of the 'Scheduled Tasks' folder

    2011-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 16:59]

    2011-01-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 16:59]

    2011-01-25 c:\windows\Tasks\User_Feed_Synchronization-{2C24CD89-3D0F-4DBC-8D9C-E6607BC440A9}.job
    - c:\windows\system32\msfeedssync.exe [2010-12-14 04:25]
    ------- Supplementary Scan -------
    uStart Page = hxxp://www.bbc.co.uk/
    mStart Page = hxxp://search.myheritage.com
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    FF - ProfilePath - c:\users\Jim Cocker\AppData\Roaming\Mozilla\Firefox\Profiles\6pgh1yap.default\
    FF - prefs.js: browser.search.selectedEngine - Secure Search
    FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/
    FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
    FF - prefs.js: network.proxy.type - 0
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{FD2FD708-1F6F-4B68-B141-C5778F0C19BB} - (no file)
    HKLM-Run-SysTrayApp - %ProgramFiles%\IDT\WDM\sttray.exe


    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-25 23:02
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)

    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    Completion time: 2011-01-25 23:05:06
    ComboFix-quarantined-files.txt 2011-01-25 23:05

    Pre-Run: 61,880,614,912 bytes free
    Post-Run: 61,504,462,848 bytes free

    - - End Of File - - E0D5966B50F6120687BFCB6E80E45B0C
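Bobbye's point that quarantining the files on disk is not the end of it, and the ComboFix sections above (services whose image is missing or sits under TEMP, drivers listed as *Deregistered* but still in memory, a Winlogon Notify DLL), are the kind of thing a helper triages by eye. The script below is an added example, not part of this thread and not ComboFix's own code. It applies those same heuristics to a handful of constructed lines that copy the format of the log above. The `triage` and `parse_services` functions, the `Finding` class and the thresholds (an 8-letter all-lowercase name, a 3-letter prefix shared with a registered service) are my assumptions, not anything from ComboFix; a hit is a lead to check, not a verdict, as the McAfee installer-cleanup entry with a missing image shows.

```python
"""Triage ComboFix-style service / driver / loading-point lines.

Added example: not from the original thread and not ComboFix's own code.
Heuristics applied (all assumptions of this example):
  * a service/driver whose image is reported missing ("[x]")
  * an image that lives under a TEMP folder
  * a *Deregistered* driver with a random-looking name that shares no
    prefix with any registered service family in the same log
  * a Winlogon Notify DLL (a classic persistence point; verify the product)
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the log format seen on this page.
SAMPLE_LOG = """\
R2 0090151295900303mcinstcleanup;McAfee Application Installer Cleanup;c:\\windows\\TEMP\\009015~1.EXE [x]
R2 gupdate;Google Update Service (gupdate);c:\\program files\\Google\\Update\\GoogleUpdate.exe [2010-01-31 135664]
S1 mfenlfk;McAfee NDIS Light Filter;c:\\windows\\system32\\DRIVERS\\mfenlfk.sys [2010-10-13 64304]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\\program files\\Common Files\\McAfee\\SystemCore\\mfevtps.exe [2010-10-13 141792]
--- Other Services/Drivers In Memory ---
*Deregistered* - mfeavfk01
*Deregistered* - uwdciuog
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\GoToAssist]
2009-05-22 11:13 10536 ----a-w- c:\\program files\\Citrix\\GoToAssist\\514\\g2awinlogon.dll
"""

# "R2 name;description;image [date size]" or "... [x]" when the file is gone.
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);"
    r"(?P<image>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)
DEREG_RE = re.compile(r"^\*Deregistered\*\s+-\s+(?P<name>\S+)\s*$")
NOTIFY_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\.*\\winlogon\\notify\\(?P<name>[^\]]+)\]$", re.IGNORECASE
)
DLL_LINE_RE = re.compile(r"(?P<path>[a-z]:\\\S.*\.dll)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # which heuristic fired
    name: str    # service / driver / notify entry name
    detail: str  # image path or short reason


def parse_services(text):
    """Return the registered services/drivers as dicts (start, name, desc, image, meta)."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append(m.groupdict())
    return out


def looks_random(name, known_prefixes):
    """Assumed heuristic: 8+ lowercase letters, no digits, and no 3-letter
    prefix in common with any registered service (e.g. 'mfe' for McAfee)."""
    return (
        len(name) >= 8
        and name.isalpha()
        and name.islower()
        and name[:3] not in known_prefixes
    )


def triage(text):
    """Run every heuristic over a ComboFix-style log and return the findings."""
    findings = []
    services = parse_services(text)
    known_prefixes = {s["name"][:3].lower() for s in services}

    for s in services:
        if s["meta"].strip().lower() == "x":
            findings.append(Finding("missing-image", s["name"], s["image"]))
        if "\\temp\\" in s["image"].lower():
            findings.append(Finding("temp-path", s["name"], s["image"]))

    lines = text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        m = DEREG_RE.match(line)
        if m and looks_random(m["name"], known_prefixes):
            findings.append(Finding("random-deregistered-driver", m["name"],
                                    "in memory, no registered service shares its prefix"))
            continue
        m = NOTIFY_KEY_RE.match(line)
        if m:
            # ComboFix prints the DLL on the line that follows the key.
            path = ""
            for nxt in lines[i + 1:i + 3]:
                d = DLL_LINE_RE.search(nxt)
                if d:
                    path = d["path"]
                    break
            findings.append(Finding("winlogon-notify", m["name"], path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:28} {f.name:32} {f.detail}")
```

Run it against a real ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the "Other Services/Drivers In Memory" and Winlogon Notify sections are the ones most worth a second look after a rogue like FakeHDD, because they are exactly the places a quarantined file can still be loaded from.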
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Questions about backup programs:

    1. You have 3 Registry entries that end as follows. They are all related to My Hub, which is a secure Oracle PeopleSoft sign-in, the site having confidential info for UPMC.
    explorer\shell iconoverlayidentifiers\0SpareBackup_Backedup]
    explorer\shell iconoverlayidentifiers\0SpareBackup_Failed]
    explorer\shell iconoverlayidentifiers\0SpareBackup_NotBackedup]

    2. In addition, you also show Carbonite Online Backup Setup which loads the CarbonitePreinstaller.exe> 8/2009

    3. Dell DataSafe Online, a preloaded process, is also loading
    Are you aware of all these backup programs running? Are you using all of them?
    1. The following preloaded processes from Dell are also running:
    Dell DataSafe Online
    Dell Dock
    Dell Edoc Viewer
    Dell Getting Started Guide
    Dell Support Center (Support Software)
    Dell Touchpad
    Dell Video Chat
    Dell Wireless WLAN Card Utility

    Have you ever reviewed the Dell preloads and determined if you use/need them all?
    2. SupportSoft Assisted Service is also running indicating that at sometime you had an agent use remote control access to solve computer glitches on your computer. If that is no longer being used, it should be stopped. Any remote service adds a vulnerability to the system.
    3. There is a deletion in the Combofix log that indicates you may have used a flash drive that was infected. If that is so, then we will need to disinfect the flash drive also.
    4. ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registered OK>> was there no log? Are you sure it scanned?
    5. Java(TM) 6 Update 11 is outdated. Current version is v6u23:
    Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
  7. lazerman3000

    lazerman3000 TS Rookie Topic Starter

    eset rerun

    I assumed that the log being empty was a good thing, but I have rerun it and the log is as follows:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=53251

    This is my dad's laptop and it does run incredibly slowly for what is a fairly new machine. I am happy to stop as much as possible, but the names of these things are unfamiliar to me so I do not know if they are necessary. I certainly don't need anything for online storage or remote help. Do I stop these programs through msconfig and uninstalling? Can I get rid of all those things you listed? I still want to use the laptop touchpad and wifi.

    To disinfect the flash drives, do I just run the same process you have put me through for the laptop?

    Thank you as always
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Okay, there may not be any entries found by Eset. Most of what I asked was based on what I saw in the log. Please tell me if you are now the owner or primary user of this machine. Or, if your dad is, I will have you ask some specific questions before I have you remove anything.

    There was an 'unusual' mixture of entries in the logs- those I always ask about before taking the responsibility of sending them off into cyberspace! Because of the nature of some entries, My Hub in particular, I need to know if this is actively being used and by whom.

    I found two very different sites for My Hub
    http://infonet.upmc.com/ with link to https://myhub.upmc.com/psp/hrpa/?cmd=login
    My Hub - Social Address Book
    By Bitsmedia Pte Ltd
  9. lazerman3000

    lazerman3000 TS Rookie Topic Starter

    My dad is the primary user; he uses the laptop simply for online TV, Outlook email and photo editing. He has asked me to get it free of viruses and speed it up if possible.

    Btw how come you run this site for free do you all have day jobs?
  10. lazerman3000

    lazerman3000 TS Rookie Topic Starter

    My dad does not need My Hub and has no idea where it came from.
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Please run this Custom CFScript:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    mRun: [Spare Backup] "c:\program files\my hub\SpareTray.exe" /silent
    mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
    Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\0SpareBackup_Backedup]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\0SpareBackup_Failed]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\0SpareBackup_NotBackedup]
    "Spare Backup"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CarboniteSetupLite]
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    The following programs should be uninstalled in Add/Remove Programs in the Control Panel.
    Carbonite Online Backup Setup
    My Hub
    SupportSoft Assisted Service

    Then use Windows Explorer> My Computer> Local Drive> Programs> right click> delete the program folders.
    I did not remove the DellDataSafe backup or any of the Dell processes. Suggest you review them and uninstall what he/you doesn't use/need.

    Has the original problem been resolved?
  12. lazerman3000

    lazerman3000 TS Rookie Topic Starter

    Much Appreciated

    Hi, yes, all is well in the world of my laptop. Thank you so much; it is nice to be able to use it without all the pop ups.
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    You're welcome! I'd like you to run HijackThis just to make sure there are no bad entries left. After I check the log, if nothing else shows up, I'll have you remove the cleaning tools.

    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log will open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    IF you're comfortable with what we've done and don't want to run HijackThis, please run the following to remove the cleaning tools:
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

    Empty the Recycle Bin