April Fools!??? waled ac.cn TrojanC Registry Value

Status
Not open for further replies.
Does Spybot shut down too? I thought only the ESET scanner did. You could try running ESET like you suggested and cancel the scan before the system shuts down.

Yes... Spybot shut down too, once when I decided to run it just to see if it still found any threats, I think a day before you first replied to this thread, then again Wednesday night when I tried to run it...

I will open IE and run ESET to that point and post what I find

Thanks Blade

Julia
 
Here u go...

Ran ESET... found win32/bagle.gen.zip worm... I stopped the scan and...

Found in...

C;\DocumentsandSettings\AllUsers\ApplicationData\Spybot-Search&Destroy\Recovery\InternetSpeedMoniter.zip

How weird is this, but seems somethin' is up, cuz Spybot shuts down too
 
Hi again

That's the location where Spybot keeps backups of items it has fixed.

Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Now open that recovery folder and delete items found inside.
 
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Done

Now open that recovery folder and delete items found inside.

Where is it? I don't see that option
 
Where is it? I don't see that option

Found in...

C;\DocumentsandSettings\AllUsers\ApplicationData\Spybot-Search&Destroy\Recovery\InternetSpeedMoniter.zip

That bolded folder. I think that path you posted isn't exactly like that (some spaces missing in folder names etc.) but I think you should be able to spot the right folder. Just look for the Spybot folder in C:\Documents and Settings\All Users\Application Data and then under it you should find the Recovery folder.
 
Good. I wonder if Spybot or ESET still keeps crashing after those removals.
 
No Such Luck...

Spybot crashed
haven't run ESET... yet
I am gonna go ahead and try, but at this point...I think we are going to find the same results...a crash :(

Hope you have a Beautifully Blessed Resurrection Day :)

Julia
 
Total Bummer

ESET crashed...spybot crashed :thud:

seems they both crashed faster than all the scans before...

so Blade... may I ask... were you... like me... thinking there may not be a virus at all... or do you think there may be somethin' hidden pretty deep in the system?

:sad:

Goodmornin' :)
 
Hi

Yes, I'm also thinking it's not malware causing the crashes. Scanners load the CPU a lot, which in turn generates heat. If cooling doesn't work well enough, the motherboard usually makes the system shut down when the temperature reaches too high a level.
 
Scanners load the CPU a lot, which in turn generates heat. If cooling doesn't work well enough, the motherboard usually makes the system shut down when the temperature reaches too high a level.

I understand that... But... it wasn't happening b4 Spybot and Malwarebytes 'found' ? infections...

:sad:
 
Hi

This is a bit tricky since there're no signs of malware there. Could you see what happens if you run Spybot in safe mode?

See if there's still a Malwarebytes' A-M log around (replace Username with your actual username):
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
 
This is a bit tricky since there're no signs of malware there. Could you see what happens if you run Spybot in safe mode?

Crash!!!

...and running Spybot in safe mode is the first time I turned this comp on today, was using son's laptop earlier, cleaning it and updating his programs

See if there's still a Malwarebytes' A-M log around (replace Username with your actual username):
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

do you mean the Malwarebytes log from finding the infection (4/1/09)?
I do have it, I saved the log (I am pretty sure)... do u still want the username changed?
How about the log from Spybot too (from 4/1/09)?

Not sure when I will be back on tomorrow...c'ya when u c me

Have a great day Blade :)
 
do u still want the username changed?
Heh.. you don't need to change your username. That was mentioned to make sure you won't look for the MBAM log under a folder named "Username" but under the one with your user account name :)

If you have the Spybot log there then I could take a look at it too. Trying to figure out if the removals those made have anything to do with the crashing or if it's pure coincidence.
 
Good morning Blade

here's the Malwarebytes log from 4/1/09

Malwarebytes' Anti-Malware 1.35
Database version: 1929
Windows 5.1.2600 Service Pack 2

4/1/2009 1:46:07 PM
mbam-log-2009-04-01 (13-45-58).txt

Scan type: Full Scan (A:\|C:\|E:\|F:\|)
Objects scanned: 115207
Time elapsed: 50 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
________________________________________________________________

here's the log from running Spybot... I guess... cuz this info is all I found related to what happened on 4/1/09
_________________________________________________________________

12/13/2008 7:22:31 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
12/13/2008 7:48:05 PM Denied (based on user decision) value "SpybotDeletingB3861" (new data: "") deleted in System Startup user entry!
12/13/2008 7:48:12 PM Denied (based on user decision) value "SpybotDeletingD7554" (new data: "") deleted in System Startup user entry!
12/13/2008 7:48:24 PM Allowed (based on user decision) value "AVG8_TRAY" (new data: "C:\PROGRA~1\AVG\AVG8\avgtray.exe") added in System Startup global entry!
12/13/2008 7:48:36 PM Allowed (based on user decision) value "SunJavaUpdateSched" (new data: ""C:\Program Files\Java\jre6\bin\jusched.exe"") changed in System Startup global entry!
12/13/2008 7:48:45 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
12/13/2008 7:48:52 PM Allowed (based on user decision) value "ccApp" (new data: "") deleted in System Startup global entry!
12/13/2008 7:48:57 PM Allowed (based on user decision) value "ccRegVfy" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:04 PM Allowed (based on user decision) value "AVG7_CC" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:16 PM Allowed (based on user decision) value "Uninstall getPlus(R) for Adobe" (new data: ""C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp") added in System Startup global entry!
12/13/2008 7:49:23 PM Denied (based on user decision) value "SpybotDeletingA772" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:28 PM Denied (based on user decision) value "SpybotDeletingC445" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:31 PM Denied (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
12/13/2008 7:49:37 PM Allowed (based on user decision) value "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" (new data: "") deleted in Global browser toolbar!
12/13/2008 7:49:48 PM Denied (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
12/13/2008 7:49:51 PM Denied (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
12/13/2008 7:49:55 PM Denied (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
12/13/2008 7:50:00 PM Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
12/13/2008 7:50:10 PM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
2/14/2009 8:52:20 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/15/2009 1:34:30 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/22/2009 6:20:01 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/22/2009 10:05:40 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/23/2009 3:49:50 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/23/2009 5:45:52 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
2/24/2009 2:04:37 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
2/24/2009 4:31:42 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
2/27/2009 11:55:21 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/27/2009 3:17:18 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/2/2009 11:58:36 AM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
3/2/2009 8:13:39 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
3/3/2009 8:56:39 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/3/2009 6:35:47 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/5/2009 11:56:16 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/6/2009 9:37:59 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/7/2009 6:15:14 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/7/2009 8:13:36 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/11/2009 11:16:58 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/11/2009 3:36:45 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/13/2009 10:07:08 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/14/2009 10:50:12 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/15/2009 10:48:15 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/15/2009 4:10:21 PM Allowed (based on lassh blacklist) value "FaxCenterServer" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:30 PM Allowed (based on user decision) value "lxddamon" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:32 PM Allowed (based on user decision) value "lxddmon.exe" (new data: "") deleted in System Startup global entry!
3/15/2009 4:43:40 PM Allowed (based on user decision) value "Lexmark 2500 Series" (new data: "") added in System Startup global entry!
3/15/2009 4:43:48 PM Allowed (based on user decision) value "lxddUninstallRan" (new data: "") added in System Startup global entry!
3/15/2009 4:47:58 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/15/2009 5:50:13 PM Allowed (based on user decision) value "Lexmark 2500 Series" (new data: "") deleted in System Startup global entry!
3/15/2009 5:50:13 PM Allowed (based on user decision) value "lxddUninstallRan" (new data: "") deleted in System Startup global entry!
3/15/2009 6:48:09 PM Allowed (based on user decision) value "lxddmon.exe" (new data: ""C:\Program Files\Lexmark 2500 Series\lxddmon.exe"") added in System Startup global entry!
3/15/2009 6:48:10 PM Allowed (based on user decision) value "lxddamon" (new data: ""C:\Program Files\Lexmark 2500 Series\lxddamon.exe"") added in System Startup global entry!
3/15/2009 6:51:25 PM Allowed (based on lassh blacklist) value "FaxCenterServer" (new data: ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s") added in System Startup global entry!
3/15/2009 6:54:59 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "hex:00") added in Global browser toolbar!
3/15/2009 6:55:10 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "") added in Browser Helper Object!
3/17/2009 5:12:02 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/18/2009 11:06:18 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/19/2009 6:00:48 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/19/2009 6:46:11 PM Allowed (based on user decision) value "{1017A80C-6F09-4548-A84D-EDD6AC9525F0}" (new data: "hex:0C,A8,17,10,09,6F,48,45,A8,4D,ED,D6,AC,95,25,F0") added in User-specific browser toolbar!
3/19/2009 8:10:21 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/20/2009 3:59:55 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/21/2009 2:47:01 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/22/2009 4:25:55 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/22/2009 9:04:31 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/23/2009 5:10:33 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/23/2009 11:18:20 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/24/2009 10:10:57 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/24/2009 6:42:47 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/25/2009 5:21:24 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: "") deleted in System Startup global entry!
3/25/2009 5:21:25 PM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") deleted in Browser Helper Object!
3/25/2009 5:24:40 PM Allowed (based on user decision) value "Adobe Reader Speed Launcher" (new data: ""C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"") added in System Startup global entry!
3/25/2009 5:24:46 PM Allowed (based on user decision) value "{18DF081C-E8AD-4283-A596-FA578C2EBDC3}" (new data: "") added in Browser Helper Object!
3/27/2009 10:02:11 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/27/2009 11:50:34 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/30/2009 9:31:22 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/30/2009 12:53:08 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/30/2009 11:18:42 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
3/31/2009 10:22:20 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/31/2009 11:52:27 PM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent") added in System Startup global entry!
3/31/2009 11:52:36 PM Encountered and terminated Win32.Bancos.zm in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe!
4/1/2009 9:31:52 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!

4/1/2009 10:53:21 AM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/1/2009 2:04:12 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
4/1/2009 2:14:40 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p") added in System Startup user entry!
4/1/2009 3:18:37 PM Allowed (based on user decision) value "FlashPlayerUpdate" (new data: "") deleted in System Startup user entry!
4/1/2009 9:08:08 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/2/2009 6:53:48 AM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
4/2/2009 1:28:23 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
4/2/2009 8:42:56 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
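As an added example (not code from the thread, from Spybot, or from Malwarebytes), a small Python triage script for the TeaTimer log format posted above. It parses each line into its fields and answers the question raised earlier in the thread: what TeaTimer denied, what it allowed to be removed from autostart, what it detected, and which autostart values keep flip-flopping between two paths. The sample lines are copied from the log above plus one constructed stray line.

```python
import re
from collections import Counter

# Patterns for the two line shapes that appear in the posted TeaTimer log:
# a registry-change line and a detection line.
CHANGE_RE = re.compile(
    r'^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<verdict>Allowed|Denied) \(based on (?P<reason>[^)]*)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|changed|deleted) in (?P<location>.+)!$'
)
DETECT_RE = re.compile(
    r'^(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'Encountered and terminated (?P<threat>\S+) in (?P<path>.+)!$'
)

def parse_line(line):
    """Return a dict for one TeaTimer log line, or None if the line is not one."""
    line = line.strip()
    m = CHANGE_RE.match(line)
    if m:
        return dict(m.groupdict(), kind="change")
    m = DETECT_RE.match(line)
    if m:
        return dict(m.groupdict(), kind="detection")
    return None

def summarize(text):
    """Triage a TeaTimer log: what TeaTimer blocked, what it let be removed from
    autostart, what it detected, and which autostart values keep flip-flopping."""
    lines = [l for l in text.splitlines() if l.strip()]
    events = [e for e in map(parse_line, lines) if e]
    changes = [e for e in events if e["kind"] == "change"]
    flips = Counter(e["name"] for e in changes if e["action"] == "changed")
    return {
        "denied": [e["name"] for e in changes if e["verdict"] == "Denied"],
        "startup_removed": [e["name"] for e in changes
                            if e["verdict"] == "Allowed" and e["action"] == "deleted"
                            and "System Startup" in e["location"]],
        "detections": [(e["threat"], e["path"]) for e in events if e["kind"] == "detection"],
        "flip_flops": sorted(n for n, c in flips.items() if c >= 2),
        "unparsed": len(lines) - len(events),
    }

# Sample input: lines copied from the log posted above, plus one constructed
# stray line to show that non-TeaTimer text is counted rather than breaking the parser.
SAMPLE_LOG = r"""
12/13/2008 7:48:05 PM Denied (based on user decision) value "SpybotDeletingB3861" (new data: "") deleted in System Startup user entry!
2/14/2009 8:52:20 PM Allowed (based on lassh blacklist) value "Yahoo! Pager" (new data: ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet") changed in System Startup user entry!
2/15/2009 1:34:30 PM Allowed (based on user decision) value "Yahoo! Pager" (new data: ""C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet") changed in System Startup user entry!
3/31/2009 11:52:36 PM Encountered and terminated Win32.Bancos.zm in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe!
4/1/2009 9:31:52 AM Allowed (based on user decision) value "Malwarebytes' Anti-Malware" (new data: "") deleted in System Startup global entry!
(constructed) stray line from another tool, not TeaTimer output
"""

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "flip_flops" list is how the repeated Yahoo! Pager long-path/short-path rewrites in the log above show up, which is installer behaviour rather than a sign of malware.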
 
Hi

Nothing in those logs reveals anything that would be causing shutdowns. That said, I still think that's something other than a malware-related issue.
 
Hi

I wouldn't take any risks by trying System Restore. You said at the beginning of this thread that the system had freezing earlier. Taking this into account, I still think the problem isn't malware related. If shutdowns keep occurring I recommend posting to http://forums.pcpitstop.com. They also deal with non-malware related issues there :)
 