[kascus]

I also have noticed that "CD-Menu" (Location: D:\) is in my startup folder

[Advertisements]

lets try this one then.

Please go to UploadMalware to upload a suspicious file for analysis.

• Enter your username from this forum
• Copy and paste the link to this thread
• Browse for this filename: D:\MENU.exe
• In the comments, please mention that I asked you to upload this file
• Click on Send File

andrewuk

[andrewuk]

lets try this one then.

Please go to UploadMalware to upload a suspicious file for analysis.

• Enter your username from this forum
• Copy and paste the link to this thread
• Browse for this filename: D:\MENU.exe
• In the comments, please mention that I asked you to upload this file
• Click on Send File

andrewuk

[kascus]

I tried but every time it asked for a CD to be inserted. The only place I found CD Menu was as a short cut in the startup folder.

[andrewuk]

yes, looking through your logs your D drive is a CD Drive . i suspect it is a valid entry, so we will leave it - it will automatically run a CD when inserted in the drive.

your logs are looking pretty good, how is your machine running now?

andrewuk

[kascus]

So far so good. No pop ups or website redirects so far. I just ran a Kapersky Web scan (quick check) and nothing was found.
I sure appreciate your help on this!

Kascus

[kascus]

Update:
I ran a Malwarebytes check and it found (and deleted) a infected file. Here is the log-

Malwarebytes' Anti-Malware 1.05
Database version: 436

Scan type: Quick Scan
Objects scanned: 29939
Time elapsed: 10 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\9129837.exe (Rootkit.Agent) -> Quarantined and deleted successfully.

[andrewuk]

could yopu try a full scan with malwarebytes, lets see what that comes up with.

andrewuk

[kascus]

Just before I read this post I had did another quick scan. It showed Files Infected:
C:\WINDOWS\SYSTEM32\rpcc.exe (Spyware.Passwords) -> Quarantined and deleted successfully.

I re-booted and read the post. Here is the results of a FULL SCAN:
Malwarebytes' Anti-Malware 1.05
Database version: 436

Scan type: Full Scan (C:\|)
Objects scanned: 132180
Time elapsed: 1 hour(s), 12 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\e2241.exe (Trojan.Adclicker) -> Quarantined and deleted successfully.

[andrewuk]

hmm......ok, lets get a look in there. there is though the possibility that you are getting infected from your online surfing?

firstly, lets just get some additional protection on your machine.

also, do you recognise this site: http://update.hpphoto.com

====STEP 1====
make sure your AVG is up to date and running, and then download these programs.

• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  
• IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
• Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

and then update and run them all, and Spybot Search & Destroy which you already have.


====STEP 2====
Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the WinPFind35u folder and double-click on WinPFind35u.exe to start the program.
• Check the box that says Scan All User Accounts
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Under Additional Scans check the following:
  • Reg - BotCheck
  • Reg - Disabled MS Config Items
  • File - Purity Scan
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

andrewuk

Edited by andrewuk, 02 March 2008 - 08:48 PM.

[kascus]

I am working my way thru the steps listed above. I will post the logs when completed. I think the "http://update.hpphoto.com" is part of my HP Deskjet Printer software.

[kascus]

Also, I am cureently running (since the last couple of days) Zone Alarm and Threat-Fire in addition to AVG that I have had all along. Do I need to remove Zone Alam or Threat-Fire before adding the programs you mentioned?

[kascus]

 WinPFind35.Txt   195.01KB   153 downloads

[andrewuk]

Also, I am cureently running (since the last couple of days) Zone Alarm and Threat-Fire in addition to AVG that I have had all along. Do I need to remove Zone Alam or Threat-Fire before adding the programs you mentioned?

if you are running the Zone Alarm firewall then make sure the Windows Firewall is turned off. if you are running the Zone Alarm antivirus program - then you need to turn it off, you already have AVG which should suffice. Likewise ThreatFire, you already have AVG running which is good enough. having more than 1 anti-virus program running will result in them conflicting with each other, slowing down your machine and providing less, not more, protection.

somequestions:

any idea what this is: certificate_hcs.net. it is possibly related to internet zones that you deem trustworthy enough to download items onto your machine.

could you tell me what is in this folder: C:\664f70ecb98bf8ee4539fc70c79ffe


and now.....

Start WinPFind35u. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! -> 
< Run [HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\] > -> HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> Sonic RecordNow! -> 
< Kenneth Salter Startup Folder > -> C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup
YY -> %UserProfile%\Start Menu\Programs\Startup\CD-MENU.LNK -> D:\MENU.exe
[Files/Folders - Created Within 90 days]
YY -> 1 C:\*.tmp files -> C:\*.tmp
YY -> 73 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YY -> 1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
[Files/Folders - Modified Within 90 days]
YY -> 9 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\*.tmp
YY -> z4barSpInstall.exe -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 4 C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp files -> C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\*.tmp
YY -> 9 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind35U scan.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

andrewuk

Edited by andrewuk, 04 March 2008 - 03:28 PM.

[kascus]

I now just running AVG and Zone Alarm Firewall.

The certificate_hcs.net. : I believe this is a certificate I downloaded for my work laptop a long time ago. It is a security certificate from Hayes Computer that works with my aircard. I used this computer because the connection was faster and then transfered it to the other computer.

Folder- C:\664f70ecb98bf8ee4539fc70c79ffe : The only thing there is a text file msxml4-kb92798Uenu.log. I can post it if needed. It appears to be a log file for Windows XP MSXML 4.0 SP2 update or something. I also have a empty folder on the C drive labeled MSXML.

I accidently closed out the WinPfind35u log and running the fix. However I think this is it:
[Registry - Non-Microsoft Only]
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! deleted successfully.
File not found.
Registry value HKEY_USERS\S-1-5-21-383486228-3918270964-1055720150-1007\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Sonic RecordNow! not found.
File not found.
File D:\MENU.exe not found.
C:\Documents and Settings\Kenneth Salter\Start Menu\Programs\Startup\CD-MENU.LNK moved successfully.
[Files/Folders - Created Within 90 days]
[Files/Folders - Modified Within 90 days]
C:\Documents and Settings\Kenneth Salter\Local Settings\Temp\030108212232\z4barSpInstall.exe moved successfully.
File delete failed. C:\WINDOWS\Temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\Temp\ZLT01081.TMP scheduled to be deleted on reboot.
[Empty Temp Folders]
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT0107b.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT01081.TMP scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
WinPFind35U Version 1.0.3.0 fix logfile created on 03042008_180349


See next post for the new WinPfind35u log

[kascus]

 WinPFind35.Txt   89.46KB   159 downloadsHere is new WinPfind35u log: