Help! My last hope... [RESOLVED]
#16
Posted 01 March 2008 - 06:43 PM
#17
Posted 01 March 2008 - 08:25 PM
Please go to UploadMalware to upload a suspicious file for analysis.
- Enter your username from this forum
- Copy and paste the link to this thread
- Browse for this filename: D:\MENU.exe
- In the comments, please mention that I asked you to upload this file
- Click on Send File
#18
Posted 02 March 2008 - 09:06 AM
#19
Posted 02 March 2008 - 09:17 AM
your logs are looking pretty good, how is your machine running now?
andrewuk
#20
Posted 02 March 2008 - 09:38 AM
I sure appreciate your help on this!
Kascus
#21
Posted 02 March 2008 - 10:39 AM
I ran a Malwarebytes check and it found (and deleted) an infected file. Here is the log:
Malwarebytes' Anti-Malware 1.05
Database version: 436
Scan type: Quick Scan
Objects scanned: 29939
Time elapsed: 10 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\9129837.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
#22
Posted 02 March 2008 - 12:21 PM
andrewuk
#23
Posted 02 March 2008 - 08:29 PM
C:\WINDOWS\SYSTEM32\rpcc.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
I re-booted and read the post. Here are the results of a FULL SCAN:
Malwarebytes' Anti-Malware 1.05
Database version: 436
Scan type: Full Scan (C:\|)
Objects scanned: 132180
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\e2241.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
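The two Malwarebytes logs above share one layout: a summary block of "<category>: <count>" lines followed by a detail block per category listing each item as "<path> (<detection name>) -> <action>". When triaging a thread like this it helps to pull those entries out mechanically and to confirm that the summary counts agree with the listed items. The following parser is an added example written for this thread, not a tool from the original post or from Malwarebytes; the log it parses is a constructed sample in the same layout as the logs posted above, and the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample (not a real scan) in the layout of the
# Malwarebytes' Anti-Malware 1.05 logs posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.05
Database version: 436
Scan type: Full Scan (C:\|)
Objects scanned: 132180
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\SYSTEM32\e2241.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\rpcc.exe (Spyware.Passwords) -> Quarantined and deleted successfully.
"""


@dataclass(frozen=True)
class Detection:
    category: str   # e.g. "Files Infected"
    item: str       # file path or registry location
    name: str       # detection name, e.g. "Trojan.Adclicker"
    action: str     # what the scanner reports it did


# Summary line: "<category> Infected: <count>"
SUMMARY_RE = re.compile(r"^([A-Za-z ]+ Infected): (\d+)$")
# Detail line: "<item> (<name>) -> <action>."  (items containing " (" would
# need a stricter pattern; fine for the paths this format normally carries)
DETAIL_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (summary counts by category, detections by category)."""
    summary, details, category = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group(1)] = int(m.group(2))
            continue
        if line.endswith(" Infected:"):          # start of a detail block
            category = line[:-1]
            details.setdefault(category, [])
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        m = DETAIL_RE.match(line)
        if m:
            details[category].append(
                Detection(category, m["item"], m["name"], m["action"]))
    return summary, details


def check_consistency(summary, details):
    """Categories whose summary count disagrees with the listed items,
    mapped to (summary count, listed count). Empty dict means consistent."""
    return {cat: (summary.get(cat, 0), len(items))
            for cat, items in details.items()
            if summary.get(cat, 0) != len(items)}


def quarantined_files(details):
    """Paths under 'Files Infected' that the scanner reports as quarantined."""
    return [d.item for d in details.get("Files Infected", [])
            if d.action.startswith("Quarantined")]


if __name__ == "__main__":
    summary, details = parse_mbam_log(SAMPLE_LOG)
    for d in details.get("Files Infected", []):
        print(f"{d.name:20} {d.item}  [{d.action}]")
    print("mismatches:", check_consistency(summary, details))
```

A mismatch between the summary count and the detail list is worth a second look: it usually means the log was pasted incompletely, which is exactly the situation a helper in a thread like this has to spot before pronouncing a machine clean.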
#24
Posted 02 March 2008 - 08:43 PM
firstly, let's just get some additional protection on your machine.
also, do you recognise this site: http://update.hpphoto.com
====STEP 1====
make sure your AVG is up to date and running, and then download these programs.
- AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
- SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
- SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
- IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
- Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
====STEP 2====
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.
- Close ALL OTHER PROGRAMS.
- Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
- Check the box that says Scan All User Accounts
- Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
- Under Additional Scans check the following:
- Reg - BotCheck
- Reg - Disabled MS Config Items
- File - Purity Scan
- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
To attach a file, do the following:
- Click Add Reply
- Under the reply panel is the Attachments Panel
- Browse for the attachment file you want to upload, then click the green Upload button
- Once it has uploaded, click the Manage Current Attachments drop down box
- Click on to insert the attachment into your post
andrewuk
Edited by andrewuk, 02 March 2008 - 08:48 PM.
#25
Posted 03 March 2008 - 05:08 PM
#26
Posted 03 March 2008 - 05:24 PM
#27
Posted 03 March 2008 - 10:45 PM
#28
Posted 04 March 2008 - 03:27 PM
if you are running the Zone Alarm firewall then make sure the Windows Firewall is turned off. if you are running the Zone Alarm antivirus program - then you need to turn it off, you already have AVG which should suffice. Likewise ThreatFire, you already have AVG running which is good enough. having more than 1 anti-virus program running will result in them conflicting with each other, slowing down your machine and providing less, not more, protection.
Also, I am currently running (since the last couple of days) Zone Alarm and Threat-Fire in addition to AVG that I have had all along. Do I need to remove Zone Alarm or Threat-Fire before adding the programs you mentioned?
some questions:
any idea what this is: certificate_hcs.net. it is possibly related to internet zones that you deem trustworthy enough to download items onto your machine.
could you tell me what is in this folder: C:\664f70ecb98bf8ee4539fc70c79ffe
and now.....
Start WinPFind35u. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! ->
< Run [HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\] > -> HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! ->
< Kenneth Salter Startup Folder > -> C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup
YY -> %UserProfile%\Start Menu\Programs\Startup\CD-MENU.LNK -> D:\MENU.exe
[Files/Folders - Created Within 90 days]
YY -> 1 C:\*.tmp files -> C:\*.tmp
YY -> 73 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
YY -> 9 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp
YY -> z4barSpInstall.exe -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Empty Temp Folders]
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35U scan.
Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
andrewuk
Edited by andrewuk, 04 March 2008 - 03:28 PM.
#29
Posted 04 March 2008 - 07:30 PM
The certificate_hcs.net. : I believe this is a certificate I downloaded for my work laptop a long time ago. It is a security certificate from Hayes Computer that works with my aircard. I used this computer because the connection was faster and then transferred it to the other computer.
Folder- C:\664f70ecb98bf8ee4539fc70c79ffe : The only thing there is a text file msxml4-kb92798Uenu.log. I can post it if needed. It appears to be a log file for Windows XP MSXML 4.0 SP2 update or something. I also have an empty folder on the C drive labeled MSXML.
I accidentally closed out the WinPFind35u log when running the fix. However I think this is it:
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! deleted successfully.
File not found.
Registry value HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! not found.
File not found.
File D:\MENU.exe not found.
C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup\CD-MENU.LNK moved successfully.
[Files/Folders - Created Within 90 days]
[Files/Folders - Modified Within 90 days]
C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe moved successfully.
File delete failed. C:\WINDOWS\Temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT01081.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01081.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
WinPFind35U Version 1.0.3.0 fix logfile created on 03042008_180349
See next post for the new WinPfind35u log
#30
Posted 04 March 2008 - 07:33 PM