April Fools!??? waled ac.cn TrojanC Registry Value

[HopefulBeliever]

So here I am again...and I have tried my best to keep my computer updated and safe, thanks to u guys and your advice. Yesterday when I first heard of this fools day-conicker worm, I came in ran updates and scans...all was well...I ran my scans this morning too (tuesday 3/31) about 11:30 P.M. I found a kid on the comp (I forgot to log off, my bad) I started running updates, when I ran malwarebytes update, during it's installation, spybot popped up a warning that it found "waled ac.cn" in a system32 folder/file? So than I ran spybot and lo and behold, I am Infected!
I clicked on "Fix selected problems" but if this is anything like the past infections I had back in Dec. '08 than I doubt it's gone.
I also want to let u know, last time I had a prob, it was discovered my windows XP was not legal, I have since remedied that, paid 159.00 to legalize it

so thanks in advance, here is my HJT Log::

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:19 AM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1234136263328
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 7896 bytes

[Blade81]

Hi there,

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

• Read the requirements and privacy statement then click on the Accept button.

• The program will launch and start to download the latest definition files.

• You will be prompted to install an application from Kaspersky. Click Run

• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
• Spyware, Adware, Dialers, and other potentially dangerous programs
  Archives

• Click on My Computer under Scan.

• Once the scan is complete, it will display the results. Click on View Scan Report.

• Click on Save Report As....

• Change the Files of type to Text file (.txt) before clicking on the Save button.

• Save this report to a convenient place.

• Copy and paste that information & a fresh hjt log into your topic.

• The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.

If you need a tutorial, see here

[HopefulBeliever]

Hi Blade I was so happy to log in this mornin' and see I had a reply...yay!!!

I have the uninstall log, I turned off (I think) av programs...when I exit AVG, which is the only option I can find to turn it off, I am unsure it is actually turned OFF, because I don't get a warning from microsoft telling me my anti virus program is turned off...

Now...the actual real prob I ran into is...I downloaded Kapersky, followed your directions to the T... well, I unexpectedly had to make a trip into town, so I minimized the scan...would u believe it disappeared!!! I left the comp running and it was still gone when I returned, an hour later. I started to restart the comp and start from the beginning and it mysteriously re-appeared
The scan was running along just fine and had found 1 Threat Name and 1 infected object, about 5 mins later when scan was 37% complete my comp froze!!!! (My comp freezing up is an issue I have had off and on since I got this PC) There are some persistant issues with this comp I am hoping to get help with when we are finished with the cleaning, if you have the time to help me with that too... I am unsure if they have anything to do with being infected
I have not yet started over, as my phones have rang more today than I think they have in a week!!! Been spring cleaning and trying to get ready for my sons 17th Birthday tomorrow... 'nough about my life

I am gonna go ahead and post the Uninstall log now, thought maybe it wouldn't hurt since I did get that far

I'll be back with the rest of the required info as soon as I am able to complete it

Have a nice day Blade
_________________________________________________________________

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Apple Mobile Device Support
Apple Software Update
AVG 8.5
Critical Update for Windows Media Player 11 (KB959772)
Easy CD & DVD Creator 6
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HSP56 MR Drivers
iTunes
Java(TM) 6 Update 11
Lexmark 2500 Series
Lexmark Fax Solutions
Lexmark Toolbar
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MSN
QuickTime
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinZip
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger

[HopefulBeliever]

Good mornin' Blade...

well...since my last post, I have unsuccessfully tried running Kapersky 2 more times, my comp didn't freeze, but...both times the scan itself seemed to have froze/stalled ,,,just plain quit running
I have rebooted the comp and walked away for a while, cuz my patience is being tried
before I rebooted, I opened AVG updated and checked the logs there, I did find in componants (AVG webshield findings) this blocked item from 3/29...
"Exploit MDAC-ActiveX-Code execution type290-ashiping/?sid=aff0048"
That must of happened in the background because I never had a warning about it ...

I am going to try running Kapersky one more time and hopefully will have a log posted for you by the time you are reading this...

sincerely
Julia

[Blade81]

Hi Julia,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

• Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
• Click the
  Download
  button to the right.
• Select Windows on platform combobox and check the box that says:
  Accept License Agreement. Click continue.
  
• The page will refresh.
• Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java versions.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.

Let's see if we get better results with another online scanner in case Kaspersky still got jammed.


* Go here to run an online scanner from ESET.

• Note: You will need to use Internet explorer for this scan
• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the activex control to install
• Click Start
• Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
• Make sure antivirus program is disabled and click Scan then.
• Wait for the scan to finish
• Copy and paste that log as a reply to this topic, along with a new HijackThis log & a description of any remaining problems.

If scanner gets stuck, it's recommended to defrag hard drives and then try scanning again.


Happy Birthday to your son

[HopefulBeliever]

Hi Blade...thanks for the B-Day wish

I updated Java, I thought it was already
Kapersky did finish running the scan w/ no interruptions, found the 2 items I mentioned in earlier post, BUT would not bring up the report...just a blank page and a banner at the top in red, telling me I am infected,...so I am going to run this other scan you suggested. My IE has not been updated to IE8, I hope this is ok, because I am unsure if I should do that at this time.

If scanner gets stuck, it's recommended to defrag hard drives and then try scanning again.

see the defrag program is something that seems to not be ok with this system, I actually ran it about a week ago, but all files did NOT defrag. Ever since I got this comp (built; not new) it was freezing up and when restarted, goes to disk check, tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7" which I think is or has something to do with the defrag program

Now in december when my comp was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low, with almost everything I try to load, but that hasn't been happening since I ran spybot and malwarebytes, and posted for help here...
makes me think there may of been a vulnerability built into this system, I hope it wasn't intentional

OK Blade Hopefully I will be back with ALL the Logs u need

if you get back here b4 I do, do you want me to post the uninstall list again?

[Blade81]

goes to disk check, tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7" which I think is or has something to do with the defrag program

That sounds more like error checking in action Actually might be good to run one by following instructions here ('my computer' -option).

Now in december when my comp was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low, with almost everything I try to load, but that hasn't been happening since I ran spybot and malwarebytes, and posted for help here...

How much memory does the system have installed in?

if you get back here b4 I do, do you want me to post the uninstall list again?

No need to repost it

[HopefulBeliever]

Hi Blade...I did just let the system check run, on restart as it almost always does if my comp freezes up

My comp doesn't have the memory I wish it did, it is only 256 mb

Now...I was running the ESET scan, it found the virus, it was only 10% complete and shut my comp off!!!

Here is the info it did retrieve:

Win32/Bagle.gen.zipworm

I am thinkin' this is NOT good, and am doing nothing else til I hear from you again

awaiting your reply

Julia

[Blade81]

My comp doesn't have the memory I wish it did, it is only 256 mb

Hi

That's why you see occasionally the notification about low virtual memory. Recommended memory amount for XP is 512 mb.

Maybe running disk check as mentioned in my previous post combined with defragging would make scanner work. Also AVG should be disabled as you assumably had on earlier runs. Personally I recommend free JkDefrag for defragging.

[HopefulBeliever]

Also AVG should be disabled as you assumably had on earlier runs.

well I searched and searched, the only option I found in AVG to disable it was to exit it, do u have any advice...somethin' I am overlooking?

Thanks Blade