

Slow and Intermittent Internet Connection



Old 11-30-2006, 04:51 AM   #1
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp



Hope You can help.

Sometimes it takes 2 or 3 attempts to connect (broadband 2meg). Once I'm online, it runs very slowly and often it does not connect to websites, searches etc. I get the "unable to connect to server" message.

I use Mozilla Firefox but also have Yahoo BT Broadband, which has the same problems.

I've run Norton AntiVirus and BT Broadband Spyware, which haven't found anything.

Here is the log. Hope you can sort this.

Cheers



Logfile of HijackThis v1.99.1
Scan saved at 10:25:36 AM, on 11/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband 205\Help\bin\mpbtn.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Graeme\Desktop\utorrent.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Graeme\LOCALS~1\Temp\Rar$EX01.812\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://voyager.home/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
Laurel_bhoy is offline  
Old 12-02-2006, 06:00 AM   #2
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello Laurel_bhoy,

Download and unzip BFU.zip from https://www.merijn.org/files/bfu.zip
Run the program and click the Web button as shown here:


Use this URL to copy into the address bar of the Download script window:

https://metallica.geekstogo.com/MediaGateway.BFU

Make sure all IE windows are closed.

Execute the script by clicking the Execute button.

-----------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Panda results
New HijackThis log
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-03-2006, 10:24 AM   #3
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


I've realised that if I don't use uTorrent, my internet connection is OK. But if I have used uTorrent (even if I have closed it down), I have to restart my PC.

I don't know if this is relevant?

Anyway, here's the Panda scan and HijackThis log results.


Incident Status Location

Spyware:Spyware/New.net Not disinfected C:\Program Files\NewDotNet\newdotnet3_88.dll
Spyware:Spyware/New.net Not disinfected C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL
Spyware:spyware/new.net Not disinfected c:\program files\newdotnet\newdotnet3_88.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.as-eu.falkag.net/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.club.cdfreaks.com/]
Spyware:Cookie/Cd Freaks Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.cdfreaks.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.adtech.de/]
Spyware:Cookie/HotLog Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.hotlog.ru/]
Spyware:Cookie/SpyLog Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.spylog.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.anm.co.uk/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.com.com/]
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.yadro.ru/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.overture.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[server.iad.liveperson.net/hc/60259442]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Versiontracker Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.versiontracker.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.bfast.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.adviva.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[www.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[stats.drivecleaner.com/]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.drivecleaner.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[statse.webtrendslive.com/S005-01-10-1-233860-106940]
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.cs.sexcounter.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[as1.falkag.de/]
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.revenue.net/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/Weborama Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.weborama.fr/]
Spyware:Cookie/SexList Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[.sexlist.com/]
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cookies.txt[www.myaffiliateprogram.com/]
Spyware:Cookie/Adtech Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp
Spyware:Cookie/Mediaplex Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp
Spyware:Cookie/QuestionMarket Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp
Spyware:Cookie/WebtrendsLive Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp
Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51F.tmp
Spyware:Spyware/New.net Not disinfected C:\Program Files\NewDotNet\uninstall3_88.exe



Logfile of HijackThis v1.99.1
Scan saved at 6:16:14 PM, on 12/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\clipboard.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BT Broadband 205\Help\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Graeme\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://voyager.home/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Cheers
Laurel_bhoy is offline  
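The two HijackThis logs above are the only machine-readable evidence in this thread, and the interesting change between them is what appeared: the O2 BHO for NewDotNet, five O10 "Hijacked Internet access by New.Net" lines (Winsock LSP entries), and a new HKCU Run entry. The Python below is an added example, not something posted in the thread or shipped with HijackThis: it parses the O-section lines of a v1.99 log, diffs two logs as multisets (five identical O10 lines mean five hooked LSP slots, so duplicates matter), and flags entries a helper would look at first. The sample input is excerpted from the two logs above and trimmed; the flagging rules (O10 always, "(file missing)" on O2/O3, O4 autoruns from user-writable paths, the New.Net/Zango names) are this example's own heuristics, not HijackThis verdicts. The O10 rule carries the practical caveat that Ried's "download LSPFix" step reflects: removing an LSP DLL without repairing the Winsock chain is what leaves a machine with no connectivity at all.

```python
"""Triage helper for HijackThis v1.99 logs: parse O-section entries, diff two
logs, and flag entries worth a closer look. Added example for this thread; the
rule set below is a heuristic chosen for illustration, not HijackThis's own."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Sample input: lines excerpted from the two logs posted above (first log
# dated 11/30/2006, second dated 12/3/2006), reduced to the entries needed here.
LOG_1 = r"""
O2 - BHO: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O3 - Toolbar: Zango Toolbar - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - C:\Program Files\ZangoToolbar\Bin\4.8.3.0\ZbHostIE.dll (file missing)
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

LOG_2 = r"""
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# HijackThis entry lines look like "O4 - ..." or "R1 - ..."; header and
# "Running processes" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^([ORFN]\d+) - (.+)$")

Entry = Tuple[str, str]  # (section such as "O10", rest of the line)


def parse_log(text: str) -> List[Entry]:
    """Return (section, detail) pairs for every entry line, keeping duplicates."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def diff_logs(old: str, new: str) -> Dict[str, List[Entry]]:
    """Entries added or removed between two logs, as a multiset difference."""
    c_old, c_new = Counter(parse_log(old)), Counter(parse_log(new))
    return {
        "added": sorted((c_new - c_old).elements()),
        "removed": sorted((c_old - c_new).elements()),
    }


# Heuristics chosen for this example.
USER_WRITABLE = re.compile(r"\\(Documents and Settings|DOCUME~1)\\|\\Temp\\", re.I)
KNOWN_BUNDLEWARE = re.compile(r"new\.?net|newdotnet|zango", re.I)


def flag_entry(section: str, detail: str) -> List[str]:
    """Reasons an entry deserves attention; empty list means nothing matched."""
    reasons: List[str] = []
    if section == "O10":
        # An LSP hook sits in every socket's path. Deleting the DLL without
        # repairing the Winsock chain leaves the machine with no connectivity,
        # hence tools such as LSPFix rather than a plain file delete.
        reasons.append("Winsock LSP hijack: repair the LSP chain, do not just delete the DLL")
    if section in ("O2", "O3") and "(file missing)" in detail:
        reasons.append("orphaned BHO/toolbar registration, DLL no longer on disk")
    if section == "O4" and USER_WRITABLE.search(detail):
        reasons.append("autorun from a user-writable path")
    if KNOWN_BUNDLEWARE.search(detail):
        reasons.append("matches a known adware/bundleware name")
    return reasons


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """All flagged entries of a log with their reasons, in log order."""
    out = []
    for section, detail in parse_log(text):
        reasons = flag_entry(section, detail)
        if reasons:
            out.append((section, detail, reasons))
    return out


if __name__ == "__main__":
    for kind, entries in diff_logs(LOG_1, LOG_2).items():
        for section, detail in entries:
            print(f"{kind:>7}: {section} - {detail}")
    for section, detail, reasons in triage(LOG_2):
        print(f"FLAG {section}: {detail}\n      " + "; ".join(reasons))
```

Run against the full logs, the diff is what a helper reads first: anything that appeared between two scans a few days apart was installed in that window, and in this case the first scan had no O10 entries at all. The rules are deliberately conservative; legitimate entries such as the WgaLogon Winlogon notify package and the system32 ctfmon.exe autorun come back unflagged, while an unfamiliar system32 executable like clipboard.exe is left for a human to look up rather than guessed at.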
Old 12-03-2006, 11:26 AM   #4
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi,

I realize this next set of instructions is going to be time-consuming as well, but it will be worth your effort in the long run, as the malware has now revealed itself and these steps will help eradicate it from your system.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download LSPFix.exe as we may need it later.

-----------

Download AVG Anti Spyware

Use the link at the bottom of the page under "AVG Anti-Spyware Free for Windows"

  • Install AVG Anti Spyware
  • Double-click the icon on Desktop to launch AVG
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti Spyware. Do not run a scan just yet; we will shortly.

---------

Download and install CleanUp! but do not run it yet. (Not Recommended for XP64).

------------------------------------------------

Please disable the following program(s) as they may interfere with the fixes below.

SpySweeper:
  • Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Browser Add-Ons and uncheck all items.
  • Exit Spysweeper.
-----------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

-----------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if it exists:

NewDotNet

-----------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll



Click 'Fix Checked' and close HijackThis.

**NOTE** While running Hijackthis, verify if these entries still exist:

O10 - Hijacked Internet access by New.Net

If they exist, we would be required to run LSPFix.exe.

Instructions for using LSPFix
  1. Double click on LSPFix.exe to run it.
  2. Once running, you will be required to tick the disclaimer - "I know what I'm doing".
  3. You'll find a window with 2 panes.
    In the left pane which is labeled 'Keep', select all instances of this file:
    • newdotnet3_88.dll
  4. Then click on the arrow pointing to the right, >>.
    This will move the entry to the right pane labeled 'Remove'
  5. Click the Finish button to complete the fix.
Only entries similar to newdotnet.dll need to be removed. If you see any other entries in the right pane, move them back to the "Keep" pane & post the filenames to inform me.

-----------------------------------

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading:
* select Show hidden files and folders.
* Uncheck Hide protected operating system files (recommended) option.
* Also, make sure there is no checkmark beside Hide file extensions for known file types.
* Click OK.

-----------------------------------

Using My Computer, navigate to and delete the following Folder if it still exists.

C:\Program Files\NewDotNet

------------------------------------------------

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp! or move them to a permanent location.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it's checked.
Click OK
Press the CleanUp! button to start the program. Do NOT reboot/logoff when prompted.

------------------------------------------------

IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted. **Please ensure it is set to Quarantine, then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand side of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close AVG Anti-Spyware.
**AVG Anti-Spyware is compatible with most AV and anti-spyware products, and the free version will continue to be useful as a second anti-malware scanner.

-----------------------------------

Reboot into Normal Mode.

-----------------------------------

Upload this file C:\WINDOWS\system32\clipboard.exe to https://virusscan.jotti.org and report back what it found.

At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

--------------------------------------

Please run another online scan at Panda and save the results.

-----------------------------------

Run a new scan with HijackThis and save the log.

-----------------------------------

Please include the following in your next reply:

Jotti results
AVG Anti-Spyware results
Panda results
New HijackThis log


How is your system behaving now?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-03-2006, 04:58 PM   #5
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello there!

System is behaving much as before.

Everything is OK if I stay out of uTorrent. If I use uTorrent, I need to reboot the PC before I can connect to the net again. Maybe this is normal?

Here are the logs you asked for (in the order you asked).


Service load: 0% 100%

File: clipboard.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 1f4eef5168fde447fa6f05c6629a42d1
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing



VG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:03:08 AM 12/4/2006

+ Scan result:



C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP37\A0006529.exe -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP34\A0006351.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP34\A0006352.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP48\A0008551.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP48\A0008552.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-1523973649-4289704364-3355973142-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006154.exe -> Adware.Relevant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP37\A0007288.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP37\A0007289.exe -> Adware.RK : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq2.tmp -> TrackingCookie.Adtech : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq3.tmp -> TrackingCookie.Atdmt : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq4.tmp -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Questionmarket : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Webtrendslive : Cleaned.


::Report end




Incident Status Location

Potentially unwanted tool:Application/Zango Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq51F.tmp



Logfile of HijackThis v1.99.1
Scan saved at 12:30:17 AM, on 12/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
C:\WINDOWS\system32\clipboard.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\BT Broadband 205\Help\bin\mpbtn.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Graeme\LOCALS~1\Temp\Rar$EX00.687\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = https://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://voyager.home/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\HELP\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\YAHOO!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O5 "LPT1:" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Desktop Gordon] C:\Documents and Settings\Graeme\My Documents\Rippleffect\Desktop Gordon\gordon.exe
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Broadband Desktop Help.lnk = C:\Program Files\BT Broadband 205\Help\bin\matcli.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - https://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Cheers
Laurel_bhoy is offline  
Old 12-04-2006, 06:28 PM   #6
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hello,

My apologies for the delay--I've been consulting with a colleague on the clipboard.exe file. We'd like to find out more about it:

Please download the Suspicious File Packer -> https://www.safer-networking.org/files/sfp.zip

Unzip it to the desktop and run it.
Paste the following list of filepaths into the Suspicious File Packer window:

C:\WINDOWS\System32\clipboard.exe

Allow SFP to pack the files. This will generate a CAB archive on your desktop.
Please submit it to this site -> https://www.bleepingcomputer.com/subm....php?channel=4
Please include a link to this topic in the message.

After uploading that file, close any open browsers and run a scan with HijackThis. 'Fix' this entry: (don't delete the file yet):

O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe

Click 'Fix Checked' and close HijackThis.

-------------------------

Reboot your system. Try uTorrent again--do you still have to reboot to use the internet?
Ried is offline  
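The entries Ried has asked to be fixed in this thread (the NewDotNet BHO, the New.Net LSP hijack, the hijacked search settings, and now the per-user Run entry for clipboard.exe) can be picked out of a HijackThis log automatically. The helper below is an added example, not code from this thread, from HijackThis, or from any tool mentioned here; the indicator values (the CLSID, the search host, the file names) are copied from the logs posted above, while the allowlist of legitimate HKCU Run items in system32 and the rule that per-user Run entries launching from system32 deserve a look are my assumptions.

```python
"""HijackThis log triage helper.

Added example for this thread, not code from the thread, from HijackThis or
from any tool mentioned here. It parses HijackThis v1.99-style log lines and
flags the kinds of entries Ried asked to be fixed. The indicators are taken
from the thread; the allowlist of legitimate HKCU Run items is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import urlparse

# Indicators copied from the entries posted in this thread.
NEWDOTNET_CLSID = "{4A2AACF3-ADF6-11D5-98A9-00E018981B9E}"
HIJACKED_SEARCH_HOSTS = {"uk.red.clientapps.yahoo.com"}

# Assumption: per-user Run entries that legitimately launch from system32.
# ctfmon.exe (the Office/IME language bar) is the usual one on XP.
KNOWN_HKCU_SYSTEM32 = {"c:\\windows\\system32\\ctfmon.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"

# HijackThis lines look like "O4 - HKCU\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
EXE_RE = re.compile(r'"?([^"]+?\.exe)', re.IGNORECASE)

# Sample lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = https://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://bt.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [clipboard.exe] C:\WINDOWS\system32\clipboard.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
"""


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, original line) for every HijackThis entry line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def _search_setting_suspicious(body: str) -> Optional[str]:
    """R0/R1 entries: flag search keys with no value or with a hijacked host."""
    key, sep, value = body.partition(" = ")
    if "Search" not in key:
        return None
    if not sep:
        return "search setting present with no value"
    host = urlparse(value.strip()).hostname or ""
    if host in HIJACKED_SEARCH_HOSTS:
        return f"search setting points at {host}"
    return None


def _hkcu_run_suspicious(body: str) -> Optional[str]:
    """O4 entries: per-user Run items launching from system32 are unusual."""
    if not body.startswith("HKCU\\..\\Run"):
        return None
    _, _, command = body.partition("] ")
    m = EXE_RE.match(command.strip())
    if not m:
        return None
    exe = m.group(1).lower()
    if exe.startswith(SYSTEM32_PREFIX) and exe not in KNOWN_HKCU_SYSTEM32:
        return f"per-user Run entry launching {m.group(1)}"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries a helper would ask to have fixed, each with a reason."""
    findings: List[Finding] = []
    for section, body, line in parse_entries(log_text):
        reason = None
        if section in ("R0", "R1"):
            reason = _search_setting_suspicious(body)
        elif section == "O2" and NEWDOTNET_CLSID in body:
            reason = "NewDotNet BHO (known adware CLSID)"
        elif section == "O4":
            reason = _hkcu_run_suspicious(body)
        elif section == "O10" and "New.Net" in body:
            reason = "Winsock LSP hijacked by New.Net (LSPFix needed)"
        if reason:
            findings.append(Finding(section, line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

This is a triage aid, not a verdict: it reproduces the reasoning applied to this particular log, so a different machine needs its own indicator list, and anything it flags still has to be confirmed the way Ried does here (a Jotti or Kaspersky scan of the file before deleting it).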
Old 12-05-2006, 05:12 AM   #7
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello Again

Three times out of five it was Ok. It also connected a few times when utorrent was actually downloading.

It appears to be hit and miss (sometimes it connects to web pages better than others).

Hope you got the "bleeping computer message"

Cheers
Laurel_bhoy is offline  
Old 12-05-2006, 04:59 PM   #8
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi,

Yes, the file has been received and reviewed--thank you.

Please delete that file:

C:\WINDOWS\system32\clipboard.exe <-- this exact file. Do not delete clipbrd.exe.

**If the above resists deletion, boot into Safe Mode and delete the file.

--------------------------------

I'd like to use another online scanner and see if it picks up anything else that may be lurking:

Please perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
Ried is offline  
Old 12-05-2006, 05:40 PM   #9
TSF Security Team
Emeritus
 
 
Join Date: May 2005
Posts: 26,363
OS: N/A


Tell me, how long have you been using uTorrent (BitTorrent) programs? The reason I'm asking is that I want to ascertain how familiar you are with these P2P programs.

If you're fairly familiar, please tell me if you have performed the fix for EventID 4226.
If not, go read up here > https://www.bitcomet.com/news/20040908_xp2_4226.htm



Note:
We do not support P2P issues. Thus, we cannot help you with your P2P troubles. If you require further help with P2P, please Google for a P2P forum.
sUBs is offline  
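Whether the EventID 4226 limit sUBs refers to is actually being hit can be checked before changing anything. The snippet below is an added example, not from this thread or from the BitComet page linked above: it parses a saved `netstat -an` snapshot and counts outbound attempts still in SYN_SENT, which is what the XP SP2 cap of 10 concurrent incomplete connections applies to; grouping them by remote host shows whether a torrent client (many distinct peers on high ports) is what fills the quota. The snapshot is constructed for the example using documentation-range addresses.

```python
"""Half-open TCP connection check for the XP SP2 EventID 4226 limit.

Added example for this thread, not code from the thread or from any tool it
mentions. It parses a captured `netstat -an` snapshot and counts outbound
connection attempts still in SYN_SENT, which is what the XP SP2 limit caps.
The snapshot below is constructed for the example (documentation-range IPs).
"""
from collections import Counter
from typing import Dict, Iterator, Tuple

# Windows XP SP2 allows at most 10 concurrent incomplete outbound TCP
# connection attempts; beyond that, further attempts are queued and the
# Tcpip source logs EventID 4226 in the System event log.
XP_SP2_HALF_OPEN_LIMIT = 10

# Constructed snapshot in `netstat -an` layout, not captured from the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       203.0.113.10:6881      SYN_SENT
  TCP    192.168.1.5:1046       203.0.113.11:6881      SYN_SENT
  TCP    192.168.1.5:1047       203.0.113.12:51413     SYN_SENT
  TCP    192.168.1.5:1048       203.0.113.13:6881      SYN_SENT
  TCP    192.168.1.5:1049       203.0.113.14:6889      SYN_SENT
  TCP    192.168.1.5:1050       203.0.113.15:6881      SYN_SENT
  TCP    192.168.1.5:1051       203.0.113.16:6881      SYN_SENT
  TCP    192.168.1.5:1052       203.0.113.17:6881      SYN_SENT
  TCP    192.168.1.5:1053       203.0.113.18:6881      SYN_SENT
  TCP    192.168.1.5:1054       203.0.113.19:6881      SYN_SENT
  TCP    192.168.1.5:1060       198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.5:1061       198.51.100.8:443       ESTABLISHED
  UDP    192.168.1.5:6881       *:*
"""


def parse_netstat(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (proto, local, foreign, state) for each TCP row of `netstat -an`."""
    for line in text.splitlines():
        fields = line.split()
        # UDP rows have no state column; header and blank rows do not start with TCP.
        if len(fields) >= 4 and fields[0].upper() == "TCP":
            yield fields[0].upper(), fields[1], fields[2], fields[3].upper()


def count_half_open(text: str) -> int:
    """Number of outbound attempts the peer has not yet answered (SYN_SENT)."""
    return sum(1 for _, _, _, state in parse_netstat(text) if state == "SYN_SENT")


def half_open_by_remote(text: str) -> Dict[str, int]:
    """Half-open attempts grouped by remote host. Many distinct peers on high
    ports is the signature of a BitTorrent client rather than a web browser."""
    counts: Counter = Counter()
    for _, _, foreign, state in parse_netstat(text):
        if state == "SYN_SENT":
            host, _, _ = foreign.rpartition(":")
            counts[host] += 1
    return dict(counts)


def at_xp_sp2_cap(text: str, limit: int = XP_SP2_HALF_OPEN_LIMIT) -> bool:
    """True when the snapshot shows the SP2 cap is reached, i.e. the point at
    which new connections (browser requests included) start to queue."""
    return count_half_open(text) >= limit


if __name__ == "__main__":
    n = count_half_open(SAMPLE_NETSTAT)
    print(f"half-open connections: {n} (XP SP2 limit {XP_SP2_HALF_OPEN_LIMIT})")
    print("cap reached:", at_xp_sp2_cap(SAMPLE_NETSTAT))
    for host, c in sorted(half_open_by_remote(SAMPLE_NETSTAT).items()):
        print(f"  {host}: {c}")
```

Run it against a snapshot saved with `netstat -an > snapshot.txt` while the torrent client is active; if the SYN_SENT count sits at the cap and the System event log shows 4226 from source Tcpip, the connection stalls are the SP2 limit, not the malware this thread is cleaning up. Lowering the client's own half-open connection setting below 10 avoids the queue without patching tcpip.sys.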
Old 12-07-2006, 02:35 AM   #10
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello

Ried,
The Kaspersky scanner won't run.
When I accept their privacy statement, nothing happens.

Subs,
I'm not too familiar with it at all.
I ran the patch, and in the info given it refers to "number of half open connections...". I previously increased it to 50 in uTorrent, on the advice of another forum.

Cheers
Laurel_bhoy is offline  
Old 12-10-2006, 03:42 PM   #11
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello there

I managed to get the Kaspersky scan to work with Internet Explorer 7.0.


KASPERSKY ONLINE SCANNER REPORT
Sunday, December 10, 2006 11:39:13 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/12/2006
Kaspersky Anti-Virus database records: 253785
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 46481
Number of viruses found: 3
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:21:18

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\00002.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\clipboard.exe Infected: Worm.Win32.VB.dy skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Graeme\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab/C:/WINDOWS/System32/clipboard.exe Infected: Worm.Win32.VB.dy skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab CAB: infected - 1 skipped
C:\Documents and Settings\Graeme\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\history.dat Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\parent.lock Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\cert8.db Object is locked skipped
C:\Documents and Settings\Graeme\Application Data\Mozilla\Firefox\Profiles\1dutjm39.default\key3.db Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP42\A0007942.exe/WISE0014.BIN Infected: Worm.Win32.VB.dy skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP42\A0007942.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP58\change.log Object is locked skipped

Scan process completed.
Laurel_bhoy is offline  
Old 12-10-2006, 06:33 PM   #12
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hi,

C:\WINDOWS\system32\clipboard.exe is still showing on your system--did you run into any problems deleting it earlier?
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 12-11-2006, 05:08 PM   #13
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello

I don't know why that's not deleted.
I've tried again and it seems to have worked this time.

I've done another Kaspersky scan and here are the results.


------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 12, 2006 1:04:42 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/12/2006
Kaspersky Anti-Virus database records: 250058
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 47858
Number of viruses found: 3
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:21:23

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-11_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Graeme\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Temp\Perflib_Perfdata_61c.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Graeme\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab/C:/WINDOWS/System32/clipboard.exe Infected: Worm.Win32.VB.dy skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab CAB: infected - 1 skipped
C:\Documents and Settings\Graeme\Cookies\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP42\A0007942.exe/WISE0014.BIN Infected: Worm.Win32.VB.dy skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP42\A0007942.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP60\A0010429.exe Infected: Worm.Win32.VB.dy skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP60\A0010430.exe Infected: Worm.Win32.VB.dy skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP60\change.log Object is locked skipped
D:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP60\change.log Object is locked skipped

Scan process completed.
Laurel_bhoy is offline  
Old 12-17-2006, 02:16 AM   #14
Registered Member
 
Join Date: Mar 2006
Posts: 30
OS: xp


Hello

Not sure if there's a problem.
Nobody's responded since my last reply of 11th Dec.

Cheers
Laurel_bhoy is offline  
Old 12-17-2006, 11:15 AM   #15
TSF Security Manager
Emeritus
 

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit


Hiya,

My apologies, I somehow lost track of you.

Your logs are clean. You may delete that Cab file that was created by the Suspicious File Packer.

If you are still having issues with uTorrent, please refer to Post #9.

--------------------------------------------

Please continue with these final instructions and helpful links.


Reset hidden/system files and folders
Windows XP
===============
Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Deselect the Show hidden files and folders option.
* Select the Hide file extensions for known types option.
* Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Enable Windows Auto Update
*Go to Start>Run - type wuaucpl.cpl
*Tick on the checkbox - "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will prevent any reinfection from previous restore points.

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:


Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.

Download Spyware Guard to catch and block spyware before it can execute.

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)
  • Now navigate to C:\ie-spyad. Double click to open it.
  • From within the folder, double-click install.bat
  • Select Option #2 - Install the new IE-SPYAD list, by typing 2
  • Then return to the main menu.
  • Select option #4 - Add the old porn sites domain, by typing 4
Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Follow this list and your potential for being infected again will reduce dramatically.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
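The triage Ried performs by eye across the Kaspersky reports in this thread (a live copy of clipboard.exe counts, a copy inside the Suspicious File Packer .cab or inside a System Restore point does not, and leftover restore-point hits are the reason for the "turn System Restore off and on again" step) can be written down as a small report parser. The following is an added example, not code from the forum, from Kaspersky, or from anyone in the thread. It parses the "Infected Object Name / Virus Name / Last Action" line format as quoted above; the sample report is constructed for the example, reusing only detection names, paths and the restore-point GUID that appear in the thread's own logs. The rules that a path under `System Volume Information\_restore` is a restore-point copy and that a `.cab` outer file is a packed sample are the example's own assumptions.

```python
"""Triage a Kaspersky Online Scanner 5 report (added example, not from the thread).

Each detection is classified by where the on-disk object lives:
  live          - a file on the running system, must be dealt with
  restore_point - a copy held in System Volume Information\\_restore (purged by
                  turning System Restore off and back on, as the thread advises)
  archive       - a member of a packed sample archive (the SFP .cab)
"""
import re

# Constructed sample in the thread's report format; not a real scan output.
# Detection names and the restore-point GUID are copied from the thread's logs.
SAMPLE_BEFORE = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\clipboard.exe Infected: Worm.Win32.VB.dy skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab/C:/WINDOWS/System32/clipboard.exe Infected: Worm.Win32.VB.dy skipped
C:\Documents and Settings\Graeme\Desktop\Tech Supoport\requested-files[2006-12-05_12_48].cab CAB: infected - 1 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP33\A0006161.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP60\A0010429.exe Infected: Worm.Win32.VB.dy skipped

Scan process completed.
"""

# The same constructed report with the live copy removed, i.e. the situation
# after the deletion reported in post #13.
SAMPLE_AFTER = "\n".join(
    line for line in SAMPLE_BEFORE.splitlines()
    if not line.startswith(r"C:\WINDOWS\system32\clipboard.exe ")
)

# Line shapes seen in the reports quoted in this thread.
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

RESTORE_MARKER = r"\system volume information\_restore"


def outer_file(path):
    """Kaspersky appends archive members after a '/', so the on-disk file is
    everything before the first '/' (Windows paths in the report use '\\')."""
    return path.split("/", 1)[0]


def classify(path):
    """Assumed rules: restore-point copies and packed-sample members are not live."""
    outer = outer_file(path).lower()
    if RESTORE_MARKER in outer:
        return "restore_point"
    if outer.endswith(".cab"):
        return "archive"
    return "live"


def triage(report_text):
    """Parse a report and bucket every line; unparsed lines are kept for review."""
    result = {"live": [], "restore_point": [], "archive": [],
              "containers": [], "locked": 0, "unparsed": []}
    for raw in report_text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("Infected Object Name")
                or line == "Scan process completed."):
            continue
        m = DETECTION_RE.match(line)
        if m:
            result[classify(m["path"])].append((m["path"], m["name"]))
            continue
        if LOCKED_RE.match(line):
            result["locked"] += 1          # in-use files, not detections
            continue
        m = CONTAINER_RE.match(line)
        if m:                              # summary line for an archive already listed member by member
            result["containers"].append((m["path"], m["kind"], int(m["count"])))
            continue
        result["unparsed"].append(line)
    return result


def is_clean(result):
    """'Clean' in the sense used in the thread: nothing infected outside
    restore points and packed samples."""
    return not result["live"]


def recommendations(result):
    """Next steps, mirroring the advice given in the thread."""
    advice = []
    if result["live"]:
        advice.append("live detections remain: remove them and rescan before calling the system clean")
    if result["restore_point"]:
        advice.append("infected restore points: turn System Restore off, apply, then back on to purge them")
    if result["archive"]:
        advice.append("detections only inside a packed sample archive: delete the archive when it is no longer needed")
    if not advice:
        advice.append("no infected objects reported")
    return advice


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        r = triage(text)
        print(label, "clean" if is_clean(r) else "NOT clean",
              {k: len(v) if isinstance(v, list) else v for k, v in r.items()})
        for a in recommendations(r):
            print("  -", a)
```

Running it on the "before" sample reports the system as not clean because of the live `clipboard.exe`, while the "after" sample is clean but still carries the restore-point advice, which is exactly the order of steps in the thread: delete the live file, confirm with a rescan, then flush System Restore.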