Mysterious files


craZy18gurl

There are these strange folders, which I first found through Tune Up Utilities' Start Up Manager. They were titled 'S' and 'soap mode'.

http://img.photobucket.com/albums/v298/craZy18gurl/preview1.png

I unchecked them, but for some reason every time I open up the Start Up Manager again the S one remains checked.

So I checked out the location where they're stored. I found one in the Application Data folder. The folder name is 'FOR MODE DOES'.

http://img.photobucket.com/albums/v298/craZy18gurl/preview2-1.png

Another is in the other Application Data folder (under All Users). The folder name is 'Okay meta anti lite'.

http://img.photobucket.com/albums/v298/craZy18gurl/preview3-1.png

And I found a similar folder in my Program Files (titled 'FOR MODE DOES'), but it's empty.

I've scanned them multiple times with my antivirus and antispyware; they don't seem to be infected or of any harm. But I still have no idea what these files are. They cannot be related to any of my programs or files. I just got a new one several days back and only installed a few programs which I had on my laptop. Never have I come across these files on my laptop.

So I decided to simply delete them. While I'm able to delete the first folder, the second one I can't because it says it's currently being used by another program.

I tried searching the internet but couldn't find any exact matches, just similar ones for the second folder, and they had something to do with spyware matters.

So, does anyone have any ideas what these files are and how I can get rid of them?
 
The only file I could identify was 'Roam Bait Cake', which is described as part of a LOP infection; you may have entries like these:
O4 - HKLM\..\Run: [roam slow curb balm] C:\Documents and Settings\All Users\Application Data\Bait cake roam slow\Style debug.exe

O4 - HKCU\..\Run: [LOGO COAL] C:\DOCUME~1\yourusername\APPLIC~1\UPBODY~1\FIRST STYLE.exe

Please follow our malware cleaning instructions and attach the logs when through. We'll help make sure all entries are removed:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

There will be additional entries, but we need to see the logs.
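The O4 lines above are how HijackThis renders the Run keys under HKLM and HKCU: section tag, hive, value name in brackets, then the command. As an added example that is not part of this thread or of HijackThis itself, the Python below parses O2/O4/O9/O23 lines of that shape and flags the traits a log reader looks for: a binary launched from a user-writable profile or Application Data path, an 8.3 short-name path, a value name made of unrelated dictionary words, and a referenced file that HijackThis reports missing. The sample log lines are constructed from the entry shapes quoted in this thread, and the scoring heuristics are my own assumptions, not anything HijackThis does.

```python
import re

# Constructed sample log: HijackThis-style lines modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O4 - HKLM\..\Run: [roam slow curb balm] C:\Documents and Settings\All Users\Application Data\Bait cake roam slow\Style debug.exe
O4 - HKCU\..\Run: [Grid setup] C:\DOCUME~1\Zainab\APPLIC~1\FORMOD~1\road keep.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [value name] command line"
# (Startup-folder O4 variants use a different layout and are not handled here.)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Everything else: "Onn - Kind: name - {GUID} - path"  or  "O23 - Service: name - company - path"
GENERIC_RE = re.compile(r"^O(?P<section>\d+) - (?P<kind>[^:]+): (?P<body>.*)$")
# First module path in a command line, so trailing switches such as "/auto" are dropped.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd))(?=\s|$|/)", re.IGNORECASE)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Path fragments that mean "user-writable location", in long and 8.3 spellings (assumption: XP-era layout).
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\", "\\applic~1\\")


def parse_hjt_line(line):
    """Turn one HijackThis line into a dict, or return None for lines of another shape."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        cmd = m.group("cmd")
        pm = EXE_RE.match(cmd)
        return {"section": "O4", "hive": m.group("hive"), "name": m.group("name"),
                "path": pm.group("path") if pm else cmd, "file_missing": False}
    m = GENERIC_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    file_missing = body.endswith("(file missing)")
    if file_missing:
        body = body[: -len("(file missing)")].rstrip()
    body = GUID_RE.sub("", body)
    # After dropping the CLSID, the fields are " - " separated and the path is always last.
    parts = [p.strip() for p in body.split(" - ") if p.strip()]
    return {"section": "O" + m.group("section"), "hive": None, "name": parts[0],
            "path": parts[-1] if len(parts) > 1 else "", "file_missing": file_missing}


def suspicious_reasons(entry):
    """Heuristic triage (my own rules, not HijackThis's): return the reasons an entry deserves a closer look."""
    reasons = []
    path = entry["path"].lower()
    if any(marker in path for marker in USER_WRITABLE):
        reasons.append("binary runs from a user-writable profile/Application Data path")
    if "~" in path:
        reasons.append("8.3 short-name path hides the real folder name")
    words = entry["name"].split()
    if len(words) >= 2 and all(w.isalpha() for w in words) and all(w.islower() for w in words[1:]):
        reasons.append("value name is a string of unrelated dictionary words")
    if entry["file_missing"]:
        reasons.append("HijackThis reports the referenced file missing (orphaned entry)")
    return reasons


def triage(log_text):
    """Return [(value name, [reasons]), ...] for every parseable line that trips at least one rule."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            flagged.append((entry["name"], reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG):
        print(name)
        for r in reasons:
            print("   -", r)
```

The rules are deliberately conservative: a legitimate BHO under Program Files trips nothing, while the Lop-style entries trip two or three rules at once, which is the pattern a helper reading the log is reacting to.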



Run Superantispyware, followed by HijackThis as outlined. I just helped with a cleaning that had nothing in Mbam but full of malware entries in the other two logs.
 
Here's the log from HJT:

Moderator Edit:
Pasted logs Removed

As stated by Bobbye above, logs must be attached, not pasted into multiple replies
 
Are you experiencing any computer problems (i.e. spyware symptoms)? If not, I wouldn't sweat it.

I think what this is, is simply "leftovers" from a previous spyware removal. I sometimes encounter this when performing spyware removal on customers' computers. The anti-spyware utility detects a spyware program, but when it goes to remove it, it can't remove every object. Spyware programs are made up of "objects" (files, folders, registry entries, cookies, ...). The AS utility sometimes can't remove every single object. But so long as it can remove most objects, the spyware program is essentially gone. It can't run if most of the objects are missing. When the AS reports that it removed "21 of 23 objects" for a particular spyware program, I check which object it couldn't remove. It's usually a folder or registry value. That's nothing. I just move on.

You mentioned that these objects are folders and they are empty. I wouldn't sweat it.

-- Andy
 
Are you experiencing any computer problems (i.e. spyware symptoms)? If not, I wouldn't sweat it.
? :confused:

Thanks for your wasted input, almcneil. Do not reply here.
I will mention the same thing I have told you on countless occasions:
Do not try to help in the Security and the Web forum unless you can read HJT logs.
------------------------------------------------------

Sorry to interrupt your analysis, Bobbye, but I needed to clean up the thread a bit.
The MBAM log was clean (but the pasted log is now removed, along with the SuperAntispyware log).

craZy18gurl, please re-open HJT, and place a tick against the following, then fix it
O4 - HKCU\..\Run: [Grid setup] C:\DOCUME~1\Zainab\APPLIC~1\FORMOD~1\road keep.exe

Hopefully Bobbye will continue to look at your log without interruption from anyone else.
 
You're going to have to attach another SuperAntispyware log. But in the absence of that, we will proceed on HijackThis:

Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below:
C:\Program Files\Java\jre6\bin\jqs.exe
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKCU\..\Run: [Grid setup] C:\DOCUME~1\Zainab\APPLIC~1\FORMOD~1\road keep.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)

NOTE: the above includes the file kimsland told you to remove. Regarding RoadKeep: I am not able to identify this process alone. Usually there is an entry following 'road keep', but I trust kimsland's advice on this, and the very fact that I can't identify it suggests it is possibly malware.
I am certain that the SAS log will show many Tracking Cookies as well as possible malware because of BitComet. This file sharing program will continue to cause problems because it is not safe.

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

Reset Cookies: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything EXCEPT the Avast processes> Apply> OK.

Control Panel> Add/Remove Programs> UNINSTALL the following if present:
All Java EXCEPT v6u10
BitComet
Any program related to RoadKeep or RealStupid
Any other programs you do not use. If you don't recognize a program, include the name with the next reply.

Reboot into Normal Mode. Run SAS and attach the log. Rerun HijackThis and include the log.
 
Are you experiencing any computer problems (i.e. spyware symptoms)? If not, I wouldn't sweat it.

I think what this is, is simply "leftovers" from a previous spyware removal. ...

You mentioned that these objects are folders and they are empty. I wouldn't sweat it.
I'm afraid the user is very much still infected. That's what logs do; they show the whole story. I'm concerned about your apparently careless advice in this thread. Very often, symptoms disappear but the malware infection remains. In such situations they can wreak worse havoc: from installing backdoor trojans to keyloggers and other programs that steal your information. That's why malware cleaning needs to be extremely thorough.

To Bobbye: yes, that entry is definitely malware. Fix it. Personally I would recommend Combofix too, to see what other nasties are hiding in the system and not showing up in the MBAM, SAS and HJT logs.
 
I think what this is, is simply "leftovers" from a previous spyware removal. ...
The person who continues to give this type of information clearly either doesn't bother opening the logs or more likely, doesn't know how to read them. This is a great disservice to the person with the problem as it lends a false sense of security when in fact, the infections are obvious.

One may not be experiencing overt symptoms while a keylogger may be stealing passwords, a Trojan may be accessing personal information and other malware may possibly be changing files.
 
Alright so I followed everything you said.

First I made sure my Java was updated. Checked those items through HijackThis and fixed them. Entered safe mode, reset cookies, then in msconfig did as you said. One question though about that. You wrote 'Selective Startup> Startup Tab', meaning I had to check the Selective Startup option then go under the Startup tab, right? Because since you wrote it like that it got me a little confused, thinking the Startup tab is something under the Selective Startup.

Right, so after that I uninstalled BitComet, didn't find any other Java program other than the v6u10 and didn't find any program related to RoadKeep or RealStupid. One program I couldn't recognize was called Bonjour, a 0.50 MB file which stated it was rarely used. I have no idea what it is, so I thought I'd delete it, but I thought I should maybe run it by you guys first.

Here are the logs:
 
Yes, the path was correct. When you make changes through msconfig, on the Startup menu, you must first choose Selective Startup, then the Startup tab. And the nag message that comes up after you boot refers to using Selective Startup as diagnostic only. This scares some away, but the only way to retain the changes is to remain in Selective Startup. (I've been in that for years!)

The Bonjour Service is typically installed with the iTunes software. Apple's site describes it: "Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks." You may use it for iTunes, but it is not required at startup.

The file name is mDNSResponder.exe, found here: C:\Program Files\Bonjour\mDNSResponder.exe

Did you reset the Cookies BEFORE or after you ran SuperAntispyware? It's important because you have a number of Tracking Cookies. Have SAS remove them. You'll find screen shots here to guide you on the screens; just click on any screen to enlarge: http://superantispyware.en.softonic.com/images

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.
C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
(Not Required at Startup - Application Launcher, Microsoft Office Application)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
Start> Run> msconfig> Selective Startup> Startup tab> UNCHECK the following:
mDNSResponder.exe,
PCHealth HelpCtr
There are no iTunes entries, so you can uninstall Bonjour:
Control Panel> Add/Remove Programs> uninstall Bonjour

Start> Run> services.msc> right click on Bonjour Service> Properties> change Startup type to Disabled> Apply> OK.

Reboot into Normal Mode. Close the nag message after checking 'don't show message again'. If your system is now stable, you can remove the cleaning tools and old restore points:

* Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
* Click the CleanUp! button.
* It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

Clear your existing System Restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
This will remove all restore points except the new one you just created.

Let me know if you need more help. It was a pleasure helping you.
 
Yes, I reset the cookies before running SAS. I had those tracking cookies removed.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

C:\Program Files\Bonjour\mDNSResponder.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
(Not Required at Startup - Application Launcher, Microsoft Office Application)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

I checked the first one, but I couldn't find the other two. I made sure I thoroughly went through the whole list; couldn't find them.

And under msconfig, those two items weren't listed.

I did everything else, but at the last step, the cleanmgr, I opened Run and typed it in, and it did not give any More Options tab. It just asked me to select a drive.

Oh, and the files I mentioned in my first post, they are still there; do I not have to worry about them anymore? Oh, and as of recently, I'm getting these pop ups, all of which have links beginning with CiD.

Thank you so much for all the help you have provided. Really appreciate it.
 
momok made an excellent suggestion. We need to get at the malware files that aren't showing up:

Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.

Run Combo-Fix.exe and follow the prompts.
**Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please rescan with HijackThis when through and attach both logs.
 
I have asked momok to assist in interpreting the ComboFix log. He is more experienced with this program.
 
Please temporarily turn off any real-time monitoring function before you commence with the following instructions.

  1. Open notepad and copy/paste the text in the entire code box (scroll down) below into it (these are bad items to be removed):
    File::
    c:\windows\system32\ezsidmv.dat
    c:\windows\system32\deploytk.dll
    c:\windows\Alcmtr.exe
    c:\windows\Tasks\AA9DBF89918A33E9.job

    Folder::
    C:\FOUND.007
    C:\FOUND.006
    C:\FOUND.005
    c:\documents and settings\Zainab\keel
    c:\documents and settings\Zainab\oni
    c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    C:\FOUND.004
    C:\FOUND.003
    C:\FOUND.001
    c:\windows\system32\LogFiles
    c:\documents and settings\Zainab\PrivacIE
    C:\FOUND.002
    c:\documents and settings\Zainab\Application Data\FOR MODE DOES
    c:\documents and settings\All Users\Application Data\Okay meta anti lite

    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Grid setup"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grid setup]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
  2. Save this as "CFScript.txt" on the desktop.
  3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.

  4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
    Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang
Paste the new Combofix log in your next reply.

Next run HijackThis and fix these:
O4 - HKCU\..\Run: [Grid setup] C:\DOCUME~1\Zainab\APPLIC~1\FORMOD~1\road keep.exe

Post a fresh HJT log as well as the resultant combofix log from the above instructions in your next reply.
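The CFScript above is plain text with File::, Folder:: and Registry:: sections; under Registry:: a bracketed key line sets the current key, a `"name"=-` line deletes that value, and a `[-key]` line deletes the whole key. As an added example that is not part of this thread or of ComboFix, the Python below parses a script of that shape back into a structure, regenerates it, and flags paths a helper should double-check before dropping the script on ComboFix. The sample script is constructed from the entries shown above; the review rules (drive roots and top-level system directories are refused, folders inside the Windows directory are flagged for confirmation) are my own assumptions about what deserves a second look, not ComboFix's own behaviour.

```python
import re

# Constructed CFScript text using the section syntax shown in this thread.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\Alcmtr.exe
c:\windows\Tasks\AA9DBF89918A33E9.job

Folder::
c:\documents and settings\Zainab\Application Data\FOR MODE DOES
c:\documents and settings\All Users\Application Data\Okay meta anti lite
c:\windows\system32\LogFiles

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Grid setup"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Grid setup]
"""

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z]+)::$")          # "File::", "Folder::", "Registry::"
KEY_RE = re.compile(r"^\[(?P<delete>-)?(?P<key>HKEY_[^\]]+)\]$")  # "[key]" selects, "[-key]" deletes
VALUE_DELETE_RE = re.compile(r'^"(?P<value>[^"]*)"=-$')      # '"name"=-' deletes a value under the current key

# Locations a script must never name outright (assumption: XP-era layout on C:).
PROTECTED = {"c:", "c:\\windows", "c:\\windows\\system32", "c:\\program files", "c:\\documents and settings"}


def parse_cfscript(text):
    """Parse File::/Folder::/Registry:: sections into a dict; raise ValueError on lines it cannot place."""
    result = {"File": [], "Folder": [], "Registry": {"delete_keys": [], "delete_values": []}}
    section = None
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sm = SECTION_RE.match(line)
        if sm:
            section = sm.group("name")
            current_key = None
            continue
        if section in ("File", "Folder"):
            result[section].append(line)
        elif section == "Registry":
            km = KEY_RE.match(line)
            if km:
                if km.group("delete"):
                    result["Registry"]["delete_keys"].append(km.group("key"))
                    current_key = None
                else:
                    current_key = km.group("key")
                continue
            vm = VALUE_DELETE_RE.match(line)
            if vm and current_key:
                result["Registry"]["delete_values"].append((current_key, vm.group("value")))
            else:
                raise ValueError("unrecognised Registry:: line: %r" % line)
        else:
            raise ValueError("line outside a known section: %r" % line)
    return result


def build_cfscript(parsed):
    """Regenerate script text from the parsed structure (round-trips with parse_cfscript)."""
    out = []
    for section in ("File", "Folder"):
        if parsed[section]:
            out.append(section + "::")
            out.extend(parsed[section])
            out.append("")
    reg = parsed["Registry"]
    if reg["delete_keys"] or reg["delete_values"]:
        out.append("Registry::")
        last_key = None
        for key, value in reg["delete_values"]:
            if key != last_key:
                out.append("[%s]" % key)
                last_key = key
            out.append('"%s"=-' % value)
        for key in reg["delete_keys"]:
            out.append("[-%s]" % key)
    return "\n".join(out) + "\n"


def review_paths(parsed):
    """Return [(section, path, reason), ...] for entries a reviewer should confirm before running the script."""
    problems = []
    for section in ("File", "Folder"):
        for p in parsed[section]:
            norm = p.lower().rstrip("\\")
            if norm in PROTECTED:
                problems.append((section, p, "names a drive root or top-level system directory; refuse"))
            elif section == "Folder" and norm.startswith("c:\\windows\\"):
                problems.append((section, p, "folder inside the Windows directory; confirm Windows does not need it"))
    return problems


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for section, path, reason in review_paths(parsed):
        print("%s: %s  <- %s" % (section, path, reason))
    print(build_cfscript(parsed))
```

Parsing the script before it is used catches a stray line in the wrong section (which the parser rejects rather than guesses at), and the review pass surfaces the one folder in the sample that lives under the Windows directory so the person writing the script makes that call deliberately.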
 
Nicely done. Sorry for the delay.
Your system is clean.

Now that you're good to go,
  1. Please download and run CCleaner via step 3 of the instructions HERE.

  2. Clear your existing System Restore points and establish a new clean restore point:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.

    Next, go to Start > Run > cleanmgr
    Select the More options tab > Choose the option to clean up System Restore and OK.
    This will remove all restore points except the new one you just created.

  3. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.
 
Alright, ran CCleaner and created a restore point.

Number 2 is still something I don't get. Bobbye once asked me to do it as well, but whenever I run cleanmgr, a small window appears asking me to select a drive. There is no More Options tab.

But otherwise, thank you so much for all your assistance momok and Bobbye. Really appreciate it.
 
Sorry for the slight confusion.
Select C:\ for that lol. The rest of the options will come after that. =)
 
momok, I have run into a few people who don't get the options using the path I gave; others do fine. The path is from kimsland. I use the 'turn off/turn on' method myself, but thought this was shorter.

Will you type out where the C prompt goes please? Where does it go in these lines? I will correct my copy.
* Next, go to Start > Run and type in *cleanmgr*
* Select the *More options* tab
Sorry, craZy18gurl. If you have a problem, just turn System Restore off> Reboot> Turn on again.
 
"Ensure the selection is on C:\ and click on ok"- This goes directly between those two lines. I think this only occurs for vista.
 
Oh wait, guys, something strange happened. My computer just suddenly restarted, and once it was booted I checked the error report and it listed these two files:

C:\DOCUME~1\Zainab\LOCALS~1\Temp\WER7e49.dir00\Mini111208-01.dmp
C:\DOCUME~1\Zainab\LOCALS~1\Temp\WER7e49.dir00\sysdata.xml

Something I should perhaps get rid of? o.o
 
Please go to C:\windows\minidump folder (you can also just copy and paste this bold part into Start->Run)

Then attach the latest Minidump to a new reply.
 