April Fools!??? waled ac.cn TrojanC Registry Value



HopefulBeliever
2009-04-01, 11:51
So here I am again...and I have tried my best to keep my computer updated and safe, thanks to u guys and your advice. Yesterday when I first heard of this Fools' Day Conficker worm, I came in, ran updates and scans...all was well...I ran my scans this morning too (Tuesday 3/31) about 11:30 P.M. I found a kid on the comp (I forgot to log off, my bad). I started running updates; when I ran the Malwarebytes update, during its installation, Spybot popped up a warning that it found "waled ac.cn" in a system32 folder/file? So then I ran Spybot and lo and behold, I am Infected! :slap:
I clicked on "Fix selected problems" but if this is anything like the past infections I had back in Dec. '08 then I doubt it's gone.
I also want to let u know, last time I had a prob, it was discovered my windows XP was not legal, I have since remedied that, paid 159.00 to legalize it :bigthumb:

so thanks in advance, here is my HJT Log::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:19 AM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 7896 bytes

Blade81
2009-04-06, 14:30
Hi there,

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.


Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/us/languages/english/check.html?n=1225554235248)

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

* Read the requirements and privacy statement then click on the Accept button.
* The program will launch and start to download the latest definition files.
* You will be prompted to install an application from Kaspersky. Click Run.
* Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives
* Click on My Computer under Scan.
* Once the scan is complete, it will display the results. Click on View Scan Report.
* Click on Save Report As....
* Change the Files of type to Text file (.txt) before clicking on the Save button.
* Save this report to a convenient place.
* Copy and paste that information & a fresh hjt log into your topic.

The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

HopefulBeliever
2009-04-07, 01:53
Hi Blade :) I was so happy to log in this mornin' and see I had a reply...yay!!! :eek:

I have the uninstall log, I turned off (I think) av programs...when I exit AVG, which is the only option I can find to turn it off, I am unsure it is actually turned OFF, because I don't get a warning from microsoft telling me my anti virus program is turned off...

Now...the actual real prob I ran into is...I downloaded Kaspersky, followed your directions to the T... well, I unexpectedly had to make a trip into town, so I minimized the scan...would u believe it disappeared!!! I left the comp running and it was still gone when I returned, an hour later. I started to restart the comp and start from the beginning and it mysteriously re-appeared :laugh:
The scan was running along just fine and had found 1 Threat Name and 1 infected object, about 5 mins later when the scan was 37% complete my comp froze!!!! (My comp freezing up is an issue I have had off and on since I got this PC) There are some persistent issues with this comp I am hoping to get help with when we are finished with the cleaning, if you have the time to help me with that too... I am unsure if they have anything to do with being infected
I have not yet started over, as my phones have rung more today than I think they have in a week!!! Been spring cleaning and trying to get ready for my son's 17th Birthday tomorrow... 'nough about my life :p:

I am gonna go ahead and post the Uninstall log now, thought maybe it wouldn't hurt since I did get that far :rolleyes:

I'll be back with the rest of the required info as soon as I am able to complete it :)

Have a nice day Blade :)
_________________________________________________________________

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Apple Mobile Device Support
Apple Software Update
AVG 8.5
Critical Update for Windows Media Player 11 (KB959772)
Easy CD & DVD Creator 6
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HSP56 MR Drivers
iTunes
Java(TM) 6 Update 11
Lexmark 2500 Series
Lexmark Fax Solutions
Lexmark Toolbar
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MSN
QuickTime
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinZip
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

HopefulBeliever
2009-04-07, 08:19
Good mornin' Blade...

well...since my last post, I have unsuccessfully tried running Kaspersky 2 more times, my comp didn't freeze, but...both times the scan itself seemed to have frozen/stalled...just plain quit running :slap:
I have rebooted the comp and walked away for a while, cuz my patience is being tried :hair:
before I rebooted, I opened AVG, updated and checked the logs there, I did find in components (AVG webshield findings) this blocked item from 3/29...
"Exploit MDAC-ActiveX-Code execution type290-ashiping/?sid=aff0048"
That must have happened in the background because I never had a warning about it ...

I am going to try running Kaspersky one more time and hopefully will have a log posted for you by the time you are reading this...

sincerely
Julia

Blade81
2009-04-07, 12:47
Hi Julia,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 13 (http://java.sun.com/javase/downloads/index.jsp).
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.


Let's see if we get better results with another online scanner in case Kaspersky still got jammed.


* Go here (http://www.eset.eu/eos/eset-online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Make sure antivirus program is disabled and click Scan then.
Wait for the scan to finish
Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.


If scanner gets stuck, it's recommended to defrag hard drives and then try scanning again.


Happy Birthday to your son :present:

HopefulBeliever
2009-04-07, 19:36
Hi Blade...thanks for the B-Day wish :)

I updated Java, I thought it was already
Kaspersky did finish running the scan w/ no interruptions, found the 2 items I mentioned in an earlier post, BUT :lip: would not bring up the report...just a blank page and a banner at the top in red, telling me I am infected,...so I am going to run this other scan you suggested. My IE has not been updated to IE8, I hope this is ok, because I am unsure if I should do that at this time.


If scanner gets stuck, it's recommended to defrag hard drives and then try scanning again.

see the defrag program is something that seems to not be ok with this system, I actually ran it about a week ago, but all files did NOT defrag. Ever since I got this comp (built; not new) it was freezing up and when restarted, goes to disk check, tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7" which I think is or has something to do with the defrag program

Now in december when my comp was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low, with almost everything I try to load, but that hasn't been happening since I ran spybot and malwarebytes, and posted for help here...
makes me think there may have been a vulnerability built into this system, I hope it wasn't intentional :sad:

OK Blade :) Hopefully I will be back with ALL the Logs u need

if you get back here b4 I do, do you want me to post the uninstall list again?

Blade81
2009-04-07, 20:46
goes to disk check, tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7" which I think is or has something to do with the defrag program
That sounds more like error checking in action :) Actually might be good to run one by following instructions here (http://support.microsoft.com/kb/315265) ('my computer' -option).



Now in december when my comp was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low, with almost everything I try to load, but that hasn't been happening since I ran spybot and malwarebytes, and posted for help here...
How much memory does the system have installed?


if you get back here b4 I do, do you want me to post the uninstall list again?
No need to repost it :)

HopefulBeliever
2009-04-07, 21:05
Hi Blade...I did just let the system check run, on restart as it almost always does if my comp freezes up

My comp doesn't have the memory I wish it did, it is only 256 mb

Now...I was running the ESET scan, it found the virus, it was only 10% complete and shut my comp off!!! :sad:

Here is the info it did retrieve:

Win32/Bagle.gen.zipworm

I am thinkin' this is NOT good, and am doing nothing else til I hear from you again

awaiting your reply

Julia

Blade81
2009-04-08, 01:20
My comp doesn't have the memory I wish it did, it is only 256 mb
Hi

That's why you see occasionally the notification about low virtual memory. Recommended memory amount for XP is 512 mb.

Maybe running disk check as mentioned in my previous post combined with defragging would make scanner work. Also AVG should be disabled as you assumably had on earlier runs. Personally I recommend free JkDefrag (http://www.kessels.com/Jkdefrag/) for defragging.

HopefulBeliever
2009-04-08, 01:38
Also AVG should be disabled as you assumably had on earlier runs.

well I searched and searched, the only option I found in AVG to disable it was to exit it, do u have any advice...somethin' I am overlooking?

Thanks Blade

Blade81
2009-04-08, 02:14
Hi

Please see AVG Resident Shield disabling here (http://www.avg.com/faq.keyw-disable%2Bavg.num-1209) :)

HopefulBeliever
2009-04-08, 02:21
coolness...thanks

I have Kapersky running smoothly and it is about 20 mins to completion I am hoping for the results needed :)

HopefulBeliever
2009-04-08, 02:24
well...apparently I don't have avg disabled, after looking how to disable it... so u think I should cancel this scan and start over or not?

HopefulBeliever
2009-04-08, 08:26
:coffee: Goodmornin' Blade

We have a success on this step :yahoo:
I felt kinda dumb, I knew about disabling avg, b4...musta slipped my memory banks :whistle:
I always have a full plate and then some...kinda gets overwhelming :thud:
So,,,I have the log from running Kaspersky w/avg on and off...they are exactly the same :blink:

It's a lil strange to me, that Spybot found "waled ac.cn TrojansC" and found no info about it

malwarebytes found "Malware.Trace RegistryKey-HKEY_CURRENT_USER/SOFTWARE/Microsoft/cs41275"

ESET; even tho it didn't complete, found "Win32.Bagle.gen.zip worm"

Kaspersky found C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1...I am pretty sure I removed everything to do with aol a long time ago :scratch:
Well...you know better than I, that's why we're here now :cool:

Here are the requested logs::
Kaspersky-

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, April 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 04:23:26
Records in database: 2021814
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
E:\
F:\

Scan statistics:
Files scanned: 43392
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:47:03


File name / Threat name / Threats count
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.

________________________________________________________________

New HJT Log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:36 PM, on 4/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 7371 bytes
______________________________________________________________-

...so time for me to rest my weary brain :buried: lol

Talk to ya soon
and thanks again :friend: for your expertise and your patience :D:

Blade81
2009-04-08, 12:06
So,,,I have the log from running Kasperky w/avg on and off...they are exactly the same
Hi

Yes, the only reason to disable AVG was to make scanning progress a little faster :)

If you have removed AOL then there're some leftovers there which can be cleaned next.

Uninstall AOL related items thru add/remove programs.

Start hjt, do a system scan, check (if found):
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Close browsers and fix checked.

Delete following folders if found:
C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback

Now that you know how to disable AVG shield you might want to try ESET scanner one more time.

HopefulBeliever
2009-04-09, 01:29
Start hjt, do a system scan, check (if found):
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Close browsers and fix checked.

Done :)


Uninstall AOL related items thru add/remove programs.

can't find anything related to aol IN add/remove programs
What about AbbyReader? I am not even sure where it came from, what program uses it, if any...it sure is taking up a lot of room



Delete following folders if found:
C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback

I found some aolback files by running a search on my comp; however, the search found nothing when I searched for 'aol/toolbar'. I am attaching a log of that search::
well...nvm, I opened the search I saved and it was empty? Searched again and the search came back "no results found". I wrote it all down, so here is what I found and what happened::

"aolback.eve C:\windows 1KB shortcut"
When I tried to delete it, I get a message to go to Add/Remove Programs to completely delete it, but it is NOT in Add/Remove Programs

plugin4336537468967334656...C/Documents settings\Bill\ApplicationData\Sun\Java\Deployment log-100 KB Text Document-created 4-7-09"

so I assume this has something to do with one of the av scans you had me run or when I updated Java? I did not delete because I am unsure

I found an aol extras folder in my documents, it won't let me delete it, I found some other aol stuff in documents that seem to be part of the operating system?

I tried to use the defrag tool you gave me the link to, but can't seem to even install it; it keeps wanting to use "WinZip" to unzip the file, but it is unsuccessful in doing so

I tried running the ESET scan again, it got to 10% and shut my comp off again...it did find the same virus? I listed previously "Win32.Bagle.gen.zip worm"
a few days ago (after I posted here in forums) I ran spybot to see if it was showing any infections...my comp was shut down during that scan also

Thanks Blade

Julia

Blade81
2009-04-09, 10:50
What about AbbyReader? I am not even sure where it came from, what program uses it, if any...it sure is taking up a lot of room
Hi

If you don't use it then uninstalling probably won't do any harm :)

I believe the system shutdowns may be hardware related. One theory is that the system heats up and overheating protection shuts the system down. Could it be possible to see what item ESET sees as an infection? Also, it has to be kept in mind that the finding may be a false positive.

Were you able to find these folders:

C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback

HopefulBeliever
2009-04-09, 17:43
Hi Blade

I didn't find those aol folders...I don't have time to work on this until tonight I am heading out of town for the day

Have a nice one :)
Julia

HopefulBeliever
2009-04-10, 22:51
Hi Blade

I did delete the one aol item u recommended to remove found in the HJT log

I can't find any aol stuff on my comp; however, I do find some items when I run a search for anything with aol. I have tried twice to save that info to show you, but am unsuccessful ...I dunno

I ran a malwarebytes full scan, it came back clean...avg has not found any infections since I started this thread...

I would agree with you about the shutdowns being a hardware/overheating problem...except for the fact it never happened b4 I started this thread, and it seems to happen at the exact same point in the two scans I have run when the comp completely shuts off

I don't know what item ESET is finding the virus? in, or when spybot shuts down...I can run ESET again and cancel the scan when it finds the virus? before it shuts my comp off, then maybe I can find that item

whatcha think?

Have a Blessed Day :)

Julia

Blade81
2009-04-11, 00:19
I don't know what item ESET is finding the virus? in, or when spybot shuts down...I can run ESET again and cancel the scan when it finds the virus? before it shuts my comp off, then maybe I can find that item
Does Spybot shut down too? I thought only ESET scanner did. You could try running ESET like you suggested and cancel the scan before system shuts down.

HopefulBeliever
2009-04-11, 00:28
Does Spybot shut down too? I thought only ESET scanner did. You could try running ESET like you suggested and cancel the scan before system shuts down.

Yes...spybot shut down too, once when I decided to run it just to see if it still found any threats, I think a day before you first replied to this thread, then again Wednesday night when I tried to run it...

I will open IE and run ESET to that point and post what I find

Thanks Blade

Julia

HopefulBeliever
2009-04-11, 00:51
Ran ESET...found win32/bagle.gen.zip worm..I stopped the scan and...

Found in...

C;\DocumentsandSettings\AllUsers\ApplicationData\Spybot-Search&Destroy\Recovery\InternetSpeedMoniter.zip

How weird is this, but seems somethin' is up, cuz Spybot shuts down too

Blade81
2009-04-11, 01:16
Hi again

That's location where Spybot keeps backups of items it has fixed.

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Now open that recovery folder and delete items found inside.

HopefulBeliever
2009-04-11, 01:26
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



Done


Now open that recovery folder and delete items found inside.
Where is it? I don't see that option

Blade81
2009-04-11, 01:37
Where is it? I don't see that option


Found in...

C;\DocumentsandSettings\AllUsers\ApplicationData\Spybot-Search&Destroy\Recovery\InternetSpeedMoniter.zip
That bolded folder. I think the path you posted isn't exactly like that (some spaces missing in folder names etc.) but you should be able to spot the right folder. Just look for the Spybot folder in C:\Documents and Settings\All Users\Application Data and then under it you should find the Recovery folder.

HopefulBeliever
2009-04-11, 01:38
ok Blade... I gotta run...I'll be back asap to finish

Thanks a million

Julia

HopefulBeliever
2009-04-11, 03:32
Now open that recovery folder and delete items found inside.

Done :)

Blade81
2009-04-11, 03:47
Good. I wonder if Spybot or ESET still keeps crashing after those removals.

HopefulBeliever
2009-04-11, 03:57
I was wondering the same thing, I am going to run them now

get back to ya :)

Thanks Blade

Julia

HopefulBeliever
2009-04-11, 05:02
Spybot crashed
haven't run ESET...yet
I am gonna go ahead and try, but at this point...I think we are going to find the same results...a crash :(

Hope you have a Beautifully Blessed Resurrection Day :)

Julia

HopefulBeliever
2009-04-11, 06:15
ESET crashed...spybot crashed :thud:

seems they both crashed faster than all the scans before...

so Blade...may I ask...were you... like me...thinking there may not be a virus at all...or do you think there may be somethin' hid pretty deep in the system?

:sad:

Goodmornin' :)

Blade81
2009-04-11, 14:16
Hi

Yes, I'm also thinking it's not malware causing the crashes. Scanners load the CPU a lot, which in turn generates heat. If cooling doesn't work well enough, the motherboard usually makes the system shut down when the temperature gets too high.

HopefulBeliever
2009-04-11, 23:06
Scanners load the CPU a lot, which in turn generates heat. If cooling doesn't work well enough, the motherboard usually makes the system shut down when the temperature gets too high.
__________________

I understand that...But...it wasn't happening b4 spybot and malwarebytes 'found' ? infections...

:sad:

Blade81
2009-04-12, 01:33
Hi

This is a bit tricky since there're no signs of malware there. Could you see what happens if you run Spybot in safe mode (http://www.computerhope.com/issues/chsafe.htm#02)?

See if there's still Malwarebytes' A-M log around (replace Username with your actual username):
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

HopefulBeliever
2009-04-12, 09:46
This is a bit tricky since there're no signs of malware there. Could you see what happens if you run Spybot in safe mode?

Crash!!!

...and running spybot in safe mode is the first time I turned this comp on today, was using sons laptop earlier, cleaning it and updating his programs



See if there's still Malwarebytes' A-M log around (replace Username with your actual username):
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

do you mean the malware log from finding the infection(4/1/09)?
I do have it, I saved the log (I am pretty sure)...do u still want the username changed?
How about the log from spybot too (from 4/1/09)?

Not sure when I will be back on tomorrow...c'ya when u c me

Have a great day Blade :)

Blade81
2009-04-12, 13:16
do u still want the username changed?
Heh.. you don't need to change your username. That was mentioned to make sure you won't look for the MBAM log under a folder named "Username" but under the one with your user account name :)

If you have the Spybot log there then I could take a look at it too. Trying to figure out if the removals those made have anything to do with the crashing or if it's pure coincidence.

HopefulBeliever
2009-04-13, 05:43
Goodmorning Blade

here's the Malwarebytes log from 4/1/09

Malwarebytes' Anti-Malware 1.35
Database version: 1929
Windows 5.1.2600 Service Pack 2

4/1/2009 1:46:07 PM
mbam-log-2009-04-01 (13-45-58).txt

Scan type: Full Scan (A:\|C:\|E:\|F:\|)
Objects scanned: 115207
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
________________________________________________________________

here's the log from running spybot...I guess...cuz this info is all I found related to what happened on 4/1/09
_________________________________________________________________

12/13/2008 7:22:31 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
12/13/2008 7:48:05 PM Denied (based on user decision) value "SpybotDeletingB3861" (new data: "") deleted in System Startup user entry!
12/13/2008 7:48:12 PM Denied (based on user decision) value "SpybotDeletingD7554" (new data: "") deleted in System Startup user entry!
12/13/2008 7:48:24 PM Allowed (based on user decision) value "AVG8_TRAY" (new data: "C:\PROGRA~1\AVG\AVG8\avgtray.exe") added in System Startup global entry!
12/13/2008 7:48:36 PM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre6\bin\jusched.exe"") changed in System Startup global entry!
12/13/2008 7:48:45 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
12/13/2008 7:48:52 PM Allowed (based on user decision) value "ccApp" (new data: "") deleted in System Startup global entry!
12/13/2008 7:48:57 PM Allowed (based on user decision) value "ccRegVfy" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:04 PM Allowed (based on user decision) value "AVG7_CC" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:16 PM Allowed (based on user decision) value "Uninstall getPlus(R) for Adobe" (new data: ""C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp") added in System Startup global entry!
12/13/2008 7:49:23 PM Denied (based on user decision) value "SpybotDeletingA772" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:28 PM Denied (based on user decision) value "SpybotDeletingC445" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:31 PM Denied (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:37 PM Allowed (based on user decision) value "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (new data: "") deleted in Global browser toolbar!
12/13/2008 7:49:48 PM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
12/13/2008 7:49:51 PM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
12/13/2008 7:49:55 PM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
12/13/2008 7:50:00 PM Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
12/13/2008 7:50:10 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
2/14/2009 8:52:20 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/15/2009 1:34:30 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/22/2009 6:20:01 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/22/2009 10:05:40 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/23/2009 3:49:50 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/23/2009 5:45:52 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/24/2009 2:04:37 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
2/24/2009 4:31:42 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
2/27/2009 11:55:21 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/27/2009 3:17:18 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/2/2009 11:58:36 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
3/2/2009 8:13:39 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
3/3/2009 8:56:39 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/3/2009 6:35:47 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/5/2009 11:56:16 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/6/2009 9:37:59 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/7/2009 6:15:14 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/7/2009 8:13:36 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/11/2009 11:16:58 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/11/2009 3:36:45 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/13/2009 10:07:08 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/14/2009 10:50:12 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/15/2009 10:48:15 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/15/2009 4:10:21 PM Allowed (based on lassh blacklist) value "FaxCenterServer" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:30 PM Allowed (based on user decision) value "lxddamon" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:32 PM Allowed (based on user decision) value "lxddmon.exe" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:40 PM Allowed (based on user decision) value "Lexmark 2500 Series" (new data: "") added in System Startup global entry!
3/15/2009 4:43:48 PM Allowed (based on user decision) value "lxddUninstallRan" (new data: "") added in System Startup global entry!
3/15/2009 4:47:58 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/15/2009 5:50:13 PM Allowed (based on user decision) value "Lexmark 2500 Series" (new data: "") deleted in System Startup global entry!
3/15/2009 5:50:13 PM Allowed (based on user decision) value "lxddUninstallRan" (new data: "") deleted in System Startup global entry!
3/15/2009 6:48:09 PM Allowed (based on user decision) value "lxddmon.exe" (new data: ""C:\Program Files\Lexmark 2500 Series\lxddmon.exe"") added in System Startup global entry!
3/15/2009 6:48:10 PM Allowed (based on user decision) value "lxddamon" (new data: ""C:\Program Files\Lexmark 2500 Series\lxddamon.exe"") added in System Startup global entry!
3/15/2009 6:51:25 PM Allowed (based on lassh blacklist) value "FaxCenterServer" (new data: ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s") added in System Startup global entry!
3/15/2009 6:54:59 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "hex:00") added in Global browser toolbar!
3/15/2009 6:55:10 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "") added in Browser Helper Object!
3/17/2009 5:12:02 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/18/2009 11:06:18 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/19/2009 6:00:48 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/19/2009 6:46:11 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "hex:0C,A8,17,10,09,6F,48,45,A8,4D,ED,D6,AC,95,25,F0") added in User-specific browser toolbar!
3/19/2009 8:10:21 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/20/2009 3:59:55 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/21/2009 2:47:01 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/22/2009 4:25:55 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/22/2009 9:04:31 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/23/2009 5:10:33 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/23/2009 11:18:20 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/24/2009 10:10:57 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/24/2009 6:42:47 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/25/2009 5:21:24 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
3/25/2009 5:21:25 PM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") deleted in Browser Helper Object!
3/25/2009 5:24:40 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
3/25/2009 5:24:46 PM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") added in Browser Helper Object!
3/27/2009 10:02:11 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/27/2009 11:50:34 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/30/2009 9:31:22 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/30/2009 12:53:08 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/30/2009 11:18:42 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/31/2009 10:22:20 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/31/2009 11:52:27 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
3/31/2009 11:52:36 PM Encountered and terminated Win32.Bancos.zm in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe!
4/1/2009 9:31:52 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
4/1/2009 10:53:21 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/1/2009 2:04:12 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
4/1/2009 2:14:40 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/1/2009 3:18:37 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/1/2009 9:08:08 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/2/2009 6:53:48 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
4/2/2009 1:28:23 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/2/2009 8:42:56 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
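
The TeaTimer log above is the kind of record a helper reads by eye to see whether the 3/31-4/1 removals line up with the crashes. As an added example (not code from this thread or from Spybot), here is a small Python parser for that log format that filters to a date window and flags the entries a responder would look at first: terminated threats, changes the user denied, and new autostart entries with a non-empty command. The sample lines are a constructed subset copied from the log posted above; the regular expressions are assumptions about the format derived from those lines, not a published Spybot specification.

```python
import re
from datetime import datetime

# Constructed sample: a handful of lines copied from the TeaTimer log posted in the thread.
SAMPLE_LOG = r"""
12/13/2008 7:48:05 PM Denied (based on user decision) value "SpybotDeletingB3861" (new data: "") deleted in System Startup user entry!
12/13/2008 7:48:24 PM Allowed (based on user decision) value "AVG8_TRAY" (new data: "C:\PROGRA~1\AVG\AVG8\avgtray.exe") added in System Startup global entry!
12/13/2008 7:50:00 PM Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
3/31/2009 10:22:20 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/31/2009 11:52:27 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
3/31/2009 11:52:36 PM Encountered and terminated Win32.Bancos.zm in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe!
4/1/2009 9:31:52 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
4/1/2009 2:14:40 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
"""

# Timestamp prefix shared by every line: M/D/YYYY H:MM:SS AM|PM (assumed from the posted lines)
TS_RE = re.compile(r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<msg>.*)$')
# A registry/startup change that TeaTimer allowed or denied; "data" may itself contain quotes
CHANGE_RE = re.compile(
    r'^(?P<verdict>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]+)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|changed|deleted) in (?P<location>.+?)!$')
# A file TeaTimer blocked outright
TERM_RE = re.compile(r'^Encountered and terminated (?P<threat>\S+) in (?P<path>.+?)!$')


def parse_teatimer(text):
    """Turn the raw log into a list of event dicts, silently skipping unrecognised lines."""
    events = []
    for raw in text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group('ts'), '%m/%d/%Y %I:%M:%S %p')
        msg = m.group('msg')
        c = CHANGE_RE.match(msg)
        if c:
            events.append({'time': ts, 'kind': 'change', **c.groupdict()})
            continue
        t = TERM_RE.match(msg)
        if t:
            events.append({'time': ts, 'kind': 'terminated', **t.groupdict()})
    return events


def in_window(events, start, end):
    """Keep events with start <= time < end; both bounds are M/D/YYYY strings."""
    lo = datetime.strptime(start, '%m/%d/%Y')
    hi = datetime.strptime(end, '%m/%d/%Y')
    return [e for e in events if lo <= e['time'] < hi]


def flag_events(events):
    """Return (tag, name, detail) triples for the entries worth a second look."""
    flagged = []
    for e in events:
        if e['kind'] == 'terminated':
            flagged.append(('terminated', e['threat'], e['path']))
        elif e['verdict'] == 'Denied':
            flagged.append(('denied', e['name'], e['location']))
        elif e['action'] == 'added' and 'Startup' in e['location'] and e['data']:
            # a new autostart value with a real command line is the classic persistence spot
            flagged.append(('new-autostart', e['name'], e['data']))
    return flagged


if __name__ == '__main__':
    evs = parse_teatimer(SAMPLE_LOG)
    for tag, name, detail in flag_events(in_window(evs, '3/31/2009', '4/2/2009')):
        print(f'{tag:14} {name!r:32} {detail}')
```

Run against the full log pasted in the post, the window for 3/31 through 4/1 reduces to the MBAM installer being added to and removed from startup, the Bancos detection on the MBAM setup file, and the Flash updater; the same parser can be pointed at a wider window to see whether any Denied entry or unfamiliar autostart precedes the first crash.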

Blade81
2009-04-13, 12:43
Hi

Nothing in those logs reveals anything that would be causing shutdowns. That said, I still think it's something other than a malware-related issue.

HopefulBeliever
2009-04-13, 18:11
What about doing a system restore back to 4/30 or 4/31 and see what happens?

Blade81
2009-04-13, 18:45
Hi

I wouldn't take any risks by trying system restore. You said at the beginning of this thread that the system has had freezing earlier. Taking this into account, I still think the problem isn't malware related. If shutdowns keep occurring I recommend posting to http://forums.pcpitstop.com. They deal also with non-malware related issues there :)

HopefulBeliever
2009-04-13, 18:55
OK, Blade...since the only 'shutdowns', not freezing issues, happen when I try to run spybot/ESET scans... I guess I should go ahead and register there at PitStop...thanks for the help...and I sure hope I get this all resolved soon; since taxes came back, I am gonna add a lil more memory to this machine...

Have a Nice Day :)

Julia

Blade81
2009-04-13, 18:59
Ok. Hopefully the thing gets sorted out :bigthumb:

HopefulBeliever
2009-04-13, 20:41
Hey Blade...I joined the PitStop Forum, like this forum, it has a "Read This" before posting, recommended to run scan first...
Well there was a list of different av scans to run, I chose PC Pitstop Exterminate2, here are those results...

____________________________________________________________________
Bifrost
ThreatID: 29428
Type: Malware
Level: 2
Category: Backdoor
Desc: A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
Traces: Type:3 Wget -1
CanQuarantine: 1
AuthorURL: evileyesoftware.com/ees/request.php?10
__________________________________________________________________
This came from Bifrost a link to get more info about this malware...

Threat Name: Bifrost
Summary: Bifrost is an advanced remote administration tool that allows users to remotely control computers that are behind firewalls and routers.
Category: Backdoor
Category information: A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.
Level: High
Level information: High risks are typically installed without user interaction through security exploits, and can severely compromise system security. Such risks may open illicit network connections, use polymorphic tactics to self-mutate, disable security software, modify system files, and install additional malware. These risks may also collect and transmit personally identifiable information (PII) without your consent and severely degrade the performance and stability of your computer.
Advice: Quarantine
Description: Some features of Bifrost: Cam capture, file manager, file search, offline/online keylogger, password list (protected storage, cached passwords, ICQ, CD keys), polymorphic plugin, process list, remote shell, screen capture, system info, and windows list.
Release Date: Apr 12 2005
Last Updated: Mar 13 2009
File Traces:
_______________________________________________________________

Pitstop exterminate says to remove IMMEDIATELY!!!
I will wait a few to see if you log back in, before I do so

Thanks
Julia

HopefulBeliever
2009-04-13, 20:53
ok, maybe this Pitstop Exterminate is not a good program???

I just went to the second page of the scan results and it said I have Kazaa on my computer...I do NOT have Kazaa on this comp...now I feel taking any action this scan recommends maybe dangerous???

:spider:

Here's second page info from Pitstop Exterminate...
_______________________________________________________________
remove these files as part of the diagnostic process. If you would like these files removed, check the box below.

Low Level Threats

KaZaA
ThreatID: 7631
Type: Low Risk Software
Level: 5
Category: P2P Program
Desc: A P2P (or Peer to Peer) Program is software that enables the user to participate in an online file sharing network and trade or share files with other users in the network. P2P Programs often bundle advertising software, but some P2P Programs are adware-free. P2P Programs are typically not harmful in and of themselves, but the user is at risk for infection with adware and/or malware through files downloaded from the file sharing network.
Traces: Type:3 Kazaa -1
Type:3 LocalContent -1
CanQuarantine: 1
AuthorURL:

FunWebProducts
ThreatID: 14912
Type: Low Risk Software
Level: 5
Category: Potentially Unwanted Program
Desc: Potentially Unwanted Programs include software that does not fit into another category (such as Low Risk Adware or Potential Privacy Risk) that users might want detected because the software includes some form of potentially objectionable functionality.
Traces: Type:3 {9AFB8248-617F-460d-9366-D71CDEDA3179} -1
Type:3 TreatAs -1
Type:3 TreatAs 1
CanQuarantine: 1
AuthorURL: funwebproducts.com

Cookie: Tracking Cookies
ThreatID: 174265
Type: Cookie
Level: 5
Category: Cookie (General)
Desc: Cookies are small "data tags" that web sites and services store on users' PCs in order to distinguish and recognize unique visitors. Cookies are used by web sites to identify returning visitors who have registered for special services; to monitor, measure, and analyze visitors' navigation and use of web site features; to count unique visitors to web pages and web sites; and to allow web surfers to use virtual "shopping carts" at e-commerce sites. Online advertising networks use Cookies to track
Traces: Type:1 ad.yieldmanager[2].txt
CanQuarantine: 0
AuthorURL:

wow...I am so unsure what to do...I am gonna find out where to post in the proper place over at pitstop

Blade81
2009-04-13, 21:59
Hi

Let it remove those :) That Kazaa-related finding seems to be some registry value.
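
As an added illustration (not Blade81's code and not PC Pitstop's), here is a small parser for the Exterminate findings list pasted above, so that each trace can be listed and looked over before "remove" is clicked. Assumptions: the field layout is inferred from the pasted text only; the numeric trace type codes (1, 3) are reported verbatim because the page does not say what they stand for; the sample input is the post's own list, reformatted one field per line with the long descriptions abbreviated.

```python
"""Parse a PC Pitstop Exterminate findings list into records (added example).

The layout is inferred from the list pasted in the thread: a name line, then
"Key: value" lines, with extra traces on bare "Type:N name flag" lines.
What trace type codes 1 and 3 mean is not stated on the page, so they are
kept as integers and only grouped, never interpreted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FIELD_RE = re.compile(
    r"^(ThreatID|Type|Level|Category|Desc|Traces|CanQuarantine|AuthorURL):\s*(.*)$")
# "Type:3 Kazaa -1" ; the trailing flag is absent on the cookie trace line.
TRACE_RE = re.compile(r"^Type:(\d+)\s+(.+?)(?:\s+(-?\d+))?$")


@dataclass
class Trace:
    type_code: int
    name: str
    flag: Optional[int]


@dataclass
class Finding:
    name: str
    threat_id: int = 0
    kind: str = ""
    level: int = 0
    category: str = ""
    desc: str = ""
    traces: List[Trace] = field(default_factory=list)
    can_quarantine: bool = False
    author_url: str = ""


# Constructed sample: the list from the post above, descriptions shortened.
SAMPLE_REPORT = """\
Low Level Threats
KaZaA
ThreatID: 7631
Type: Low Risk Software
Level: 5
Category: P2P Program
Desc: A P2P (or Peer to Peer) Program enables online file sharing.
Traces: Type:3 Kazaa -1
Type:3 LocalContent -1
CanQuarantine: 1
AuthorURL:
FunWebProducts
ThreatID: 14912
Type: Low Risk Software
Level: 5
Category: Potentially Unwanted Program
Desc: Software with some form of potentially objectionable functionality.
Traces: Type:3 {9AFB8248-617F-460d-9366-D71CDEDA3179} -1
Type:3 TreatAs -1
Type:3 TreatAs 1
CanQuarantine: 1
AuthorURL: funwebproducts.com
Cookie: Tracking Cookies
ThreatID: 174265
Type: Cookie
Level: 5
Category: Cookie (General)
Desc: Cookies are small data tags that web sites store on users' PCs.
Traces: Type:1 ad.yieldmanager[2].txt
CanQuarantine: 0
AuthorURL:
"""


def _add_trace(finding: Finding, text: str) -> None:
    m = TRACE_RE.match(text)
    if not m:
        raise ValueError("unrecognised trace line: %r" % text)
    flag = int(m.group(3)) if m.group(3) is not None else None
    finding.traces.append(Trace(int(m.group(1)), m.group(2), flag))


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    cur: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(" Threats"):   # section heading
            continue
        if TRACE_RE.match(line):                    # continuation trace line
            if cur is None:
                raise ValueError("trace before any finding: %r" % line)
            _add_trace(cur, line)
            continue
        m = FIELD_RE.match(line)
        if not m:                                   # anything else names a new finding
            cur = Finding(name=line)
            findings.append(cur)
            continue
        if cur is None:
            raise ValueError("field before any finding: %r" % line)
        key, val = m.groups()
        if key == "ThreatID":
            cur.threat_id = int(val)
        elif key == "Type":
            cur.kind = val
        elif key == "Level":
            cur.level = int(val)
        elif key == "Category":
            cur.category = val
        elif key == "Desc":
            cur.desc = val
        elif key == "Traces":
            _add_trace(cur, val)
        elif key == "CanQuarantine":
            cur.can_quarantine = val == "1"
        elif key == "AuthorURL":
            cur.author_url = val
    return findings


def traces_by_type(findings: List[Finding]) -> Dict[int, List[Tuple[str, str]]]:
    """Group (finding name, trace name) pairs by the raw trace type code."""
    out: Dict[int, List[Tuple[str, str]]] = {}
    for f in findings:
        for t in f.traces:
            out.setdefault(t.type_code, []).append((f.name, t.name))
    return out


def quarantinable(findings: List[Finding]) -> List[str]:
    return [f.name for f in findings if f.can_quarantine]


if __name__ == "__main__":
    for code, items in sorted(traces_by_type(parse_report(SAMPLE_REPORT)).items()):
        print("trace type", code)
        for owner, trace in items:
            print("   ", owner, "->", trace)
```

Run it as a script to get the traces grouped by type code; the point is to see, before removal, exactly which named items (the CLSID and its TreatAs entries, the Kazaa and LocalContent names, the cookie file) the scanner is proposing to act on.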

HopefulBeliever
2009-04-14, 01:20
Hey Blade...
I truly am not meaning to be a pest...I am here at Safer Networking because I trust this site and the staff, and when I first read Spybot S&D's Terms of Use...my Heart Smiled ::heart:

I am curious why we didn't find such a high-risk threat...outside of the scans crashing...
It doesn't make sense to purchase *online*, from an infected comp with these high-level threats, the software to remove it...seems quite dangerous to me... :wink: (I have checked and keep checking my bank accounts, etc... All is well there.)

PCPitstop seems legit to me, and after all u referred me there...
I don't find a number to purchase by telephone...

I emailed tech support there about these results and the fact they referred me to use their Optimized2 Overdrive Scan, which crashed and restarted my comp, so he (tech) asked me again to run Overdrive (I have also read several posts on their forum of other users having this same problem). It was running (in IE) along fine, then an IE warning popped up...had to shut down IE because of an add-on trying to install...and all shut down. When Windows restarted, I had some kind of warning on my screen, replacing my desktop background, telling me that either a recently added desktop icon, a web add-on or shutting the comp off w/o shutting it down (I would say all 3 applied) basically made my desktop background not run. I was able to restore the desktop.

I guess I will email PS tech guy and let him know...

...Patience is definitely a virtue :halo:

Julia

Blade81
2009-04-14, 17:42
Hi


PCPitstop seems legit to me, and after all u referred me there..
I wouldn't recommend any location that was a dubious one.

As I stated earlier, those shutdowns are more likely caused by other things than malware. It's better that the PCPitstop guys continue from here.
