Help! My last hope... [RESOLVED]


#16
kascus (Member, Topic Starter, 19 posts)
I also have noticed that "CD-Menu" (Location: D:\) is in my startup folder

#17
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Let's try this one then.

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: D:\MENU.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File
andrewuk

#18
kascus (Member, Topic Starter, 19 posts)
I tried, but every time it asked for a CD to be inserted. The only place I found CD Menu was as a shortcut in the startup folder.

#19
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Yes, looking through your logs, your D drive is a CD drive :). I suspect it is a valid entry, so we will leave it; it will automatically run a CD when one is inserted in the drive.

Your logs are looking pretty good. How is your machine running now?

andrewuk

#20
kascus (Member, Topic Starter, 19 posts)
So far so good. No pop-ups or website redirects so far. I just ran a Kaspersky web scan (quick check) and nothing was found.
I sure appreciate your help on this!

Kascus

#21
kascus (Member, Topic Starter, 19 posts)
Update:
I ran a Malwarebytes check and it found (and deleted) an infected file. Here is the log:

Malwarebytes' Anti-Malware 1.05
Database version: 436

Scan type: Quick Scan
Objects scanned: 29939
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\9129837.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

#22
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Could you try a full scan with Malwarebytes? Let's see what that comes up with.

andrewuk

#23
kascus (Member, Topic Starter, 19 posts)
Just before I read this post I had done another quick scan. It showed Files Infected:
C:\WINDOWS\SYSTEM32\rpcc.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

I rebooted and read the post. Here are the results of a FULL SCAN:
Malwarebytes' Anti-Malware 1.05
Database version: 436

Scan type: Full Scan (C:\|)
Objects scanned: 132180
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\e2241.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
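As an added illustration that is not part of the thread, a small Python parser for the Malwarebytes log layout quoted in the posts above: it pulls out the summary counts and the quarantined items, and flags a log whose counts and listed items disagree (a truncated or hand-edited paste). The sample log is constructed from the full-scan output posted above; the function names are my own.

```python
import re

# Constructed sample, laid out like the full-scan log posted earlier in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.05
Database version: 436

Scan type: Full Scan (C:\|)
Objects scanned: 132180
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\e2241.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<detection name>) -> <action taken>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary counts, list of detections) from a Malwarebytes scan log."""
    counts, findings, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        head, sep, rest = line.partition(":")
        if sep and head.endswith("Infected"):
            if rest.strip().isdigit():   # summary line, e.g. "Files Infected: 1"
                counts[head] = int(rest)
            else:                        # section header, e.g. "Files Infected:"
                section = head
            continue
        match = DETECTION_RE.match(line)
        if section and match:            # detection lines only appear under a header
            findings.append({"category": section, **match.groupdict()})
    return counts, findings

def count_mismatches(counts, findings):
    """Categories whose summary count disagrees with the detections actually listed."""
    seen = {}
    for finding in findings:
        seen[finding["category"]] = seen.get(finding["category"], 0) + 1
    return {cat: (n, seen.get(cat, 0)) for cat, n in counts.items() if n != seen.get(cat, 0)}
```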

#24
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)
Hmm... OK, let's get a look in there. There is, though, the possibility that you are getting infected from your online surfing?

Firstly, let's just get some additional protection on your machine.

Also, do you recognise this site: http://update.hpphoto.com

====STEP 1====
Make sure your AVG is up to date and running, and then download these programs.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a spyware "shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, and also blocks pop-up windows.
Then update and run them all, along with Spybot Search & Destroy, which you already have.


====STEP 2====
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
  • Under Additional Scans check the following:
    • Reg - BotCheck
    • Reg - Disabled MS Config Items
    • File - Purity Scan
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

andrewuk

Edited by andrewuk, 02 March 2008 - 08:48 PM.


#25
kascus (Member, Topic Starter, 19 posts)
I am working my way through the steps listed above. I will post the logs when completed. I think the "http://update.hpphoto.com" is part of my HP Deskjet printer software.

#26
kascus (Member, Topic Starter, 19 posts)
Also, I am currently running (since the last couple of days) Zone Alarm and Threat-Fire in addition to AVG, which I have had all along. Do I need to remove Zone Alarm or Threat-Fire before adding the programs you mentioned?

#27
kascus (Member, Topic Starter, 19 posts)
Attached File: WinPFind35.Txt (195.01KB)

#28
andrewuk (Trusted Helper, Malware Removal, 5,297 posts)

    Also, I am currently running (since the last couple of days) Zone Alarm and Threat-Fire in addition to AVG, which I have had all along. Do I need to remove Zone Alarm or Threat-Fire before adding the programs you mentioned?

If you are running the Zone Alarm firewall, then make sure the Windows Firewall is turned off. If you are running the Zone Alarm antivirus program, then you need to turn it off; you already have AVG, which should suffice. Likewise ThreatFire: you already have AVG running, which is good enough. Having more than one anti-virus program running will result in them conflicting with each other, slowing down your machine and providing less, not more, protection.

Some questions:

Any idea what this is: certificate_hcs.net? It is possibly related to internet zones that you deem trustworthy enough to download items onto your machine.

Could you tell me what is in this folder: C:\664f70ecb98bf8ee4539fc70c79ffe


And now...

Start WinPFind35u. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! -> 
< Run [HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\] > -> HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! -> 
< Kenneth Salter Startup Folder > -> C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup
YY -> %UserProfile%\Start Menu\Programs\Startup\CD-MENU.LNK -> D:\MENU.exe
[Files/Folders - Created Within 90 days]
YY -> 1 C:\*.tmp files -> C:\*.tmp
YY -> 73 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
YY -> 9 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp
YY -> z4barSpInstall.exe -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35U scan.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

andrewuk

Edited by andrewuk, 04 March 2008 - 03:28 PM.


#29
kascus (Member, Topic Starter, 19 posts)
I am now just running AVG and Zone Alarm Firewall.

The certificate_hcs.net: I believe this is a certificate I downloaded for my work laptop a long time ago. It is a security certificate from Hayes Computer that works with my aircard. I used this computer because the connection was faster and then transferred it to the other computer.

Folder C:\664f70ecb98bf8ee4539fc70c79ffe: The only thing there is a text file msxml4-kb92798Uenu.log. I can post it if needed. It appears to be a log file for the Windows XP MSXML 4.0 SP2 update or something. I also have an empty folder on the C drive labeled MSXML.

I accidentally closed out the WinPfind35u log from running the fix. However, I think this is it:
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! deleted successfully.
File not found.
Registry value HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! not found.
File not found.
File D:\MENU.exe not found.
C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup\CD-MENU.LNK moved successfully.
[Files/Folders - Created Within 90 days]
[Files/Folders - Modified Within 90 days]
C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe moved successfully.
File delete failed. C:\WINDOWS\Temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT01081.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01081.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
WinPFind35U Version 1.0.3.0 fix logfile created on 03042008_180349


See next post for the new WinPfind35u log

#30
kascus (Member, Topic Starter, 19 posts)
Here is the new WinPfind35u log:
Attached File: WinPFind35.Txt (89.46KB)