Mysterious files

By craZy18gurl
Nov 3, 2008
Topic Status:
Not open for further replies.
  1. There are these strange folders, which I first found through the TuneUp Utilities Startup Manager. They were titled 'S' and 'soap mode'.

    http://img.photobucket.com/albums/v298/craZy18gurl/preview1.png

    I unchecked them but for some reason every time I open up the Startup Manager again the S one remains checked.

    So I checked out the location where they're stored. I found one in the Application Data folder. The folder name is 'FOR MODE DOES'

    http://img.photobucket.com/albums/v298/craZy18gurl/preview2-1.png

    Another in the other Application Data folder (under All Users). Folder name is 'Okay meta anti lite'

    http://img.photobucket.com/albums/v298/craZy18gurl/preview3-1.png

    And I found a similar folder in my Program Files (titled 'FOR MODE DOES') but it's empty.

    I've scanned them multiple times with my Anti Virus and Spyware; they don't seem to be infected or of any harm. But I still have no idea what these files are. They cannot be related to any of my programs or files. I just got a new one several days back and only installed a few programs which I had on my laptop. Never have I come across these files on my laptop.

    So I decided to simply delete them. While I'm able to delete the first folder, the second one I can't cuz it says it's currently being used by another program.

    I tried searching the internet but couldn't find any exact matches. Just similar ones for the second folder and they had something to do with spyware matters.

    So, does anyone have any ideas what these files are and how I can get rid of them?
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The only file I could identify was 'Roam Bait Cake' which is described as part of a LOP infection: you may have these entries:
    Please use our malware cleaning and attach the logs when through. We'll help make sure all entries are removed:
    http://www.techspot.com/vb/topic58138.html

    There will be additional entries, but we need to see the logs.


    Run Superantispyware, followed by HijackThis as outlined. I just helped with a cleaning that had nothing in Mbam but full of malware entries in the other two logs.
  3. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Here's the log from HJT;

    Moderator Edit:
    Pasted logs Removed

    As stated by Bobbye above, logs must be attached, not pasted into multiple replies
  4. almcneil

    almcneil TechSpot Guru Posts: 1,554

    Are you experiencing any computer problems (i.e. spyware symptoms) ? If not, I wouldn't sweat it.

    I think what this is, is simply "leftovers" from a previous spyware removal. I sometimes encounter this when performing spyware removal on customers' computers. The anti-spyware utility detects a spyware program but when it goes to remove it, it can't remove every object. Spyware programs are made up of "objects" (files, folders, registry entries, cookies, ...). The AS utility sometimes can't remove every single object. But so long as it can remove most objects, the spyware program is essentially gone. It can't run if most of the objects are missing. When the AS reports that it removed "21 of 23 objects" for a particular spyware program, I check which object it couldn't remove. It's usually a folder or registry value. That's nothing. I just move on.

    You mentioned that these objects are folders and they are empty. I wouldn't sweat it.

    -- Andy
  5. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    ? :confused:

    Thanks for your wasted input almcneil. Do Not reply here
    I will mention the same thing I have to you on countless occasions
    Do not try to help in the Security and the Web forum, unless you can read HJT logs
    ------------------------------------------------------

    Sorry to interrupt your analysis Bobbye, but I needed to clean up the thread a bit
    MBAM log was clean (but the pasted log is now removed, along with SuperAntispyware

    craZy18gurl, please re-open HJT, and place a tick against the following, then fix it
    Hopefully Bobbye will continue to look at your log without interruption from anyone else
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    You're going to have to attach another SuperAntispyware log. But in the absence of that, we will proceed on HijackThis:

    Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 10 ): http://java.com/en/download/manual.jsp
    Please install it and then reboot your computer.

    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below:
    (NOTE: the above includes the file kimsland told you to remove.) Regarding RoadKeep: I am not able to identify this process alone. Usually there is an entry following 'road keep'. But I trust kimsland's advice on this, and the very fact that I can't identify it suggests it's possible malware.
    I am certain that the SAS log will show many Tracking Cookies as well as possible malware because of BitComet. This file sharing program will continue to cause problems because it is not safe.

    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:

    Reset Cookies: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

    Start> Run> type in 'msconfig' without quotes> enter> Selective Startup> Startup tab> UNCHECK everything EXCEPT the Avast processes> Apply> OK.

    Control Panel> Add/Remove Programs> UNINSTALL the following if present:
    All Java EXCEPT v6u10
    BitComet
    Any program related to RoadKeep or RealStupid
    Any other programs you do not use. If you don't recognize a program, include the name with the next reply.

    Reboot into Normal Mode. Run SAS and attach the log. Rerun HijackThis and include the log.
  7. momok

    momok Newcomer, in training Posts: 2,272

    I'm afraid the user is very much still infected. That's what logs do; they show the whole story. I'm concerned about your apparently careless advice in this thread. Very often, symptoms disappear but the malware infection remains. In such situations they can wreak the worst havoc: from installing backdoor trojans to keyboard loggers and other programs that steal your information. That's why malware cleaning needs to be extremely thorough.

    to Bobbye: yes, that entry is definitely malware. Fix it. Personally I would recommend Combofix too, to see what other nasties are hiding in the system and not showing up in the MBAM, SAS and HJT logs.
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The person who continues to give this type of information clearly either doesn't bother opening the logs or more likely, doesn't know how to read them. This is a great disservice to the person with the problem as it lends a false sense of security when in fact, the infections are obvious.

    One may not be experiencing overt symptoms while a keylogger may be stealing passwords, a Trojan may be accessing personal information and other malware may possibly be changing files.
  9. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Alright so I followed everything you said.

    First made sure my Java was updated. Checked those items through HijackThis and fixed them. Entered safe mode, reset cookies, then in msconfig, did as you said. One question though about that. You wrote 'Selective Startup> Startup Tab', meaning I had to check the Selective Startup option then go under the Startup Tab, right? Cuz since you wrote it like that it got me a lil confused, thinking the Startup tab is something under the Selective Startup.

    Right, so after that, uninstalled BitComet, didn't find any other Java program other than the v6u10 and didn't find any program related to RoadKeep or RealStupid. One program I couldn't recognize was called Bonjour, a 0.50 MB file which stated it was rarely used. I have no idea what it is so I thought I'd delete it, but I thought I should maybe run it by you guys first.

    Here are the logs;
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Yes, the path was correct. When you make changes through msconfig, on the Startup menu, you must first choose Selective Startup, then the Startup tab. And the nag message that comes up after you boot, refers to using Selective Startup as diagnostic only. This scares some away- but the only way to retain the changes is to remain in Selective Startup. (I've been in that for years!)

    The Bonjour Service is typically installed with the iTunes software. Apple's site describes: "Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks." You may use it for iTunes, but it is not required at startup.

    The file name is mDNSResponder.exe, found here: C:\Program Files\Bonjour\mDNSResponder.exe

    Did you reset the Cookies BEFORE or after you ran SuperAntispyware? It's important because you have a number of Tracking Cookies. Have SAS remove them. You'll find screen shots here to guide you on the screens. Just click on any screen to enlarge: http://superantispyware.en.softonic.com/images

    Please re-open HiJackThis and scan. *Check* the boxes next to all the entries listed below.
    Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis and reboot into Safe Mode:
    Start> Run> msconfig> Selective Startup> Startup tab> UNCHECK the following:
    There are no iTunes entries, so you can uninstall Bonjour:
    Control Panel> Add/Remove Programs> uninstall Bonjour

    Start> Run> services.msc> right click on Bonjour Service> Properties> change Startup type to Disabled> Apply> OK.

    Reboot into Normal Mode. Close the nag message after checking 'don't show message again'. If your system is now stable, you can remove the cleaning tools and old restore points;

    * Download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe)
    * Click the CleanUp! button.
    * It will go through the list and remove all of the tools it finds and then delete itself (requiring a reboot).

    Clear your existing System Restore points and establish a new clean restore point:
    Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.
    Next, go to Start > Run and type in cleanmgr> Select the More options tab> Choose the option to clean up System Restore and OK it.
    This will remove all restore points except the new one you just created.

    Let me know if you need more help. It was a pleasure helping you.
  11. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Yes, I reset the cookies before running SAS. I had those tracking cookies removed.

    I checked the first one but I couldn't find the other two. I made sure I thoroughly went through the whole list, couldn't find em.

    And under msconfig, those two items weren't listed.

    I did everything else, but at the last step, the cleanmgr, I opened Run and typed it in; it did not give any More Options tab. It just asked me to select a drive.

    Oh, and the files I mentioned in my first post, they are still there; do I not have to worry about them anymore? Oh, and as of recently, I'm getting these pop ups, all of which have links beginning with CiD.

    Thank you so much for all the help you have provided. Really appreciate it.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    momok made an excellent suggestion. We need to get at the malware files that aren't showing up:

    Please download ComboFix.: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.

    Please rescan with HijackThis when through and attach both logs.
  13. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Alright here are the logs;
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I have asked momok to assist in interpreting the ComboFix log. He is more experienced with this program.
  15. momok

    momok Newcomer, in training Posts: 2,272

    Please temporarily disable/turn off any real-time monitoring function before you commence with the following instructions.

    1. Open notepad and copy/paste the text in the entire code box (scroll down) below into it (these are bad items to be removed):
    2. Save this as "CFScript.txt" on the desktop.
    3. Referring to the image below, drag CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe.
    4. ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.
      Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang
    Paste the new Combofix log in your next reply.

    Next run HijackThis and fix these:
    O4 - HKCU\..\Run: [Grid setup] C:\DOCUME~1\Zainab\APPLIC~1\FORMOD~1\road keep.exe

    Post a fresh HJT log as well as the resultant combofix log from the above instructions in your next reply.
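As an added example that is not part of the thread and not HijackThis's or ComboFix's own code: a read-only PowerShell script that does by hand what the O4 lines in a HijackThis log summarise. It lists the Run/RunOnce autostart values under HKCU and HKLM and flags any whose program lives under an Application Data folder or the Temp folder, which is where both the odd folders from the first post and the 'road keep.exe' entry above were sitting. It assumes Windows PowerShell 5.1 or later; the key list, the folder heuristic and the SUSPECT/MISSING verdicts are this example's own choices, not anything the thread states.

```powershell
# Added example, not code from the thread, HijackThis or ComboFix.
# Lists the autostart entries HijackThis reports as O4 lines (the Run and RunOnce keys
# of HKCU and HKLM) and flags any whose program lives under a per-user or all-users
# Application Data folder or the Temp folder. The 'road keep.exe' entry in this thread
# lived in ...\Application Data\FORMOD~1, so it would be reported as SUSPECT.
# Assumes Windows PowerShell 5.1 or later. Read-only: it changes no registry value.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Locations that legitimate installers rarely use as the home of an autostart program
# (heuristic chosen for this example).
$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),        # <user>\Application Data (roaming)
    [Environment]::GetFolderPath('LocalApplicationData'),   # <user>\Local Settings\Application Data
    [Environment]::GetFolderPath('CommonApplicationData'),  # All Users\Application Data
    [IO.Path]::GetTempPath()
)

function Get-RunEntryTarget {
    # Pull the executable path out of a Run value's command line, quoted or not.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $CommandLine.Trim()
}

function Get-SuspectRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }   # drop PowerShell's provider metadata
        foreach ($p in $props) {
            $target = Get-RunEntryTarget ([string]$p.Value)
            if ([string]::IsNullOrWhiteSpace($target)) { continue }

            # Resolve 8.3 short names such as C:\DOCUME~1\... so the prefix check works.
            $full   = $target
            $exists = Test-Path -LiteralPath $target -PathType Leaf
            if ($exists) { $full = (Get-Item -LiteralPath $target).FullName }

            $verdict = 'ok'
            if (-not $exists) {
                $verdict = 'MISSING'    # value points at a file that is gone: leftover or moved
            } else {
                foreach ($root in $suspectRoots) {
                    if ($full.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                        $verdict = 'SUSPECT'
                        break
                    }
                }
            }

            [pscustomobject]@{
                Verdict = $verdict
                Key     = $key
                Name    = $p.Name
                Command = [string]$p.Value
                Target  = $full
            }
        }
    }
}

Get-SuspectRunEntries | Format-Table -AutoSize -Wrap
```

Run it in an ordinary PowerShell window; it needs no elevation because it only reads the keys. A SUSPECT verdict is a prompt to look at that entry in the HijackThis log and the folder it points to, not proof of infection: a few legitimate per-user installers also start from Application Data. A MISSING verdict usually means a removal tool deleted the file but left the Run value behind, which is the "leftover" case discussed earlier in the thread.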
  16. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    That one didn't show up.

    Alright here are the logs;
  17. momok

    momok Newcomer, in training Posts: 2,272

    Nicely done. Sorry for the delay.
    Your system is clean.

    Now that you're good to go,
    1. Please download and run CCleaner via step 3 of the instructions HERE.

    2. Clear your existing System Restore points and establish a new clean restore point:
      Go to Start > All Programs > Accessories > System Tools > System Restore> Select Create a restore point> OK.

      Next, go to Start > Run > cleanmgr
      Select the More options tab > Choose the option to clean up System Restore and OK.
      This will remove all restore points except the new one you just created.

    3. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend that you read this article.
      This can help to prevent future infections.
  18. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Alright, ran CCleaner and created a restore point.

    Number 2 is still something I don't get. Bobbye once asked me to do it as well, but whenever I run cleanmgr, a small window appears asking me to select a drive. There is no More Options tab.

    But otherwise, thank you so much for all your assistance momok and Bobbye. Really appreciate it.
  19. momok

    momok Newcomer, in training Posts: 2,272

    Sorry for the slight confusion.
    Select C:\ for that lol. The rest of the options will come after that. =)
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    momok, I have run into a few people who don't get the options using the path I gave- others do fine. The path is from kimsland. I use the 'turn off/turn on' myself, but thought this was shorter.

    Will you type out where the C prompt goes please? Where does it go in these lines? I will correct my copy.
    Sorry craZy18gurl. If you have a problem, just turn system Restore off> Reboot> Turn on again
  21. momok

    momok Newcomer, in training Posts: 2,272

    "Ensure the selection is on C:\ and click on ok"- This goes directly between those two lines. I think this only occurs for vista.
  22. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    Yeah that's how it is.

    Once again, thank you guys! Don't seem to be facing any problem at all now.
  23. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thanks momok. Have updated the entry.
  24. craZy18gurl

    craZy18gurl Newcomer, in training Topic Starter Posts: 67

    oh wait guys, something strange happened. My computer just suddenly restarted and once it was booted I checked the error report and it listed these two files

    C:\DOCUME~1\Zainab\LOCALS~1\Temp\WER7e49.dir00\Mini111208-01.dmp
    C:\DOCUME~1\Zainab\LOCALS~1\Temp\WER7e49.dir00\sysdata.xml

    Something I should perhaps get rid of? o.o
  25. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Please go to C:\windows\minidump folder (you can also just copy and paste this bold part into Start->Run)

    Then attach the latest Minidump to a new reply