Clipboard Hijacked (XP)

Tomdarkness

New Member
Hello,

For some reason the contents of my clipboard keeps getting replaced with:

http://xp-vista {breaking link} -update.net/?id=81029487745 (WARNING DO --NOT-- VISIT)

And it's impossible to remove it from the clipboard (i.e. if I copy anything, it does not replace the link on the clipboard, and every time I paste it gives that link).

Anti-Virus: NOD32.

What is causing this?

Thanks,

Tom
 
CCleaner will do that: it removes anything like that, clearing the clipboard, the recent documents folder, and the temporary files folder.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on the "Options" icon at the left side of the window, then click on "Advanced" and deselect "Only delete files in Windows Temp folders older than 48 hours."
  • Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

Download: CCleaner (freeware)
http://www.majorgeeks.com/download4191.html
Run the installer, and uncheck the option to install Yahoo toolbar (unless you want Yahoo toolbar).
Once installed, run CCleaner and click the Windows tab.
The following should be selected by default; if not, please select them:
[image: CCleanerA.png]

Next: click Options, then click the Settings tab.
Uncheck "Only delete files older than 48 hrs.", then click OK.
Then click Run Cleaner (bottom right), then Exit.
 
Post a HijackThis log and we'll take it from there:

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential, don't fix anything yet.
 
Code:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:13, on 16/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
K:\WINDOWS\System32\smss.exe
K:\WINDOWS\system32\winlogon.exe
K:\WINDOWS\system32\services.exe
K:\WINDOWS\system32\lsass.exe
K:\WINDOWS\system32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\System32\svchost.exe
K:\WINDOWS\system32\spoolsv.exe
K:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
K:\Program Files\Bonjour\mDNSResponder.exe
K:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
K:\F@H-1\FAH504-Console.exe
K:\F@H-2\FAH504-Console.exe
K:\F@H-3\FAH504-Console.exe
K:\F@H-4\FAH504-Console.exe
K:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
K:\WINDOWS\system32\nvsvc32.exe
K:\F@H-1\FahCore_82.exe
K:\F@H-2\FahCore_82.exe
K:\F@H-3\FahCore_82.exe
K:\F@H-4\FahCore_78.exe
K:\WINDOWS\system32\PnkBstrA.exe
K:\WINDOWS\system32\svchost.exe
K:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
K:\WINDOWS\Explorer.EXE
K:\WINDOWS\RTHDCPL.EXE
K:\Program Files\HP\hpcoretech\hpcmpmgr.exe
K:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
K:\WINDOWS\system32\hphmon05.exe
K:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
K:\Program Files\iTunes\iTunesHelper.exe
K:\WINDOWS\system32\RUNDLL32.EXE
K:\WINDOWS\system32\wuauclt.exe
K:\Program Files\Razer\Habu\razerhid.exe
K:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
K:\WINDOWS\system32\ctfmon.exe
K:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
K:\Program Files\Symantec\Backup Exec\RAWS\VxMon.exe
K:\Program Files\Electronic Arts\EADM\Core.exe
K:\Program Files\Razer\Habu\razertra.exe
K:\Program Files\Razer\Habu\razerofa.exe
K:\Program Files\Folding@home\Folding@home-gpu\[email protected]
K:\Program Files\Folding@home\Folding@home-gpu\FahCore_11.exe
K:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
K:\Program Files\iPod\bin\iPodService.exe
K:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
K:\Program Files\Kraken\Kraken Reports 0.6.2\kraken reports.exe
J:\Downloads\Software\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.3:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - K:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - K:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE K:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "K:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HPHUPD05] K:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "K:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] K:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HPHmon05] K:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [egui] "K:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "K:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "K:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE K:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Habu] K:\Program Files\Razer\Habu\razerhid.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "K:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "K:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [VxBeMon] "K:\Program Files\Symantec\Backup Exec\RAWS\VxMon.exe"
O4 - HKCU\..\Run: [EA Core] K:\Program Files\Electronic Arts\EADM\Core.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] K:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: [email protected] = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = K:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://K:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - K:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - K:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - K:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210016982915
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = home.net
O17 - HKLM\Software\..\Telephony: DomainName = home.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEF663A7-8F7E-40AD-8825-25973A7DCACF}: NameServer = 192.168.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home.net
O23 - Service: Apple Mobile Device - Apple, Inc. - K:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - K:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Bonjour Service - Apple Inc. - K:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - K:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - K:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FAH@K:+F@H-1+FAH504-Console.exe - Stanford University - K:\F@H-1\FAH504-Console.exe
O23 - Service: FAH@K:+F@H-2+FAH504-Console.exe - Stanford University - K:\F@H-2\FAH504-Console.exe
O23 - Service: FAH@K:+F@H-3+FAH504-Console.exe - Stanford University - K:\F@H-3\FAH504-Console.exe
O23 - Service: FAH@K:+F@H-4+FAH504-Console.exe - Stanford University - K:\F@H-4\FAH504-Console.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - K:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - K:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - K:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - K:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - K:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8244 bytes
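A HijackThis log is plain text with a fixed shape (header, a "Running processes:" block, then numbered R/O entries), so the first pass of triage can be done mechanically before anyone decides what to fix. The following is an added example written for this thread; it is not part of the original posts and not code from HijackThis or Trend Micro. It parses a log into processes and entries and groups the items a helper would look at first: BHOs whose file is missing, proxy and DNS settings (with a check for private-range addresses, which usually point at a home router), services HijackThis lists with an unknown owner, and startup shortcuts shown with "= ?" (no resolved target). The embedded sample log is constructed from a handful of lines in the shape of the one posted above, and the function names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of the HijackThis 2.0.2 log posted in this
# thread: a header, a "Running processes:" block, numbered entries, a footer.
# It is a hand-picked subset used as test input, not a real scan result.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:38:13, on 16/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)

Running processes:
K:\WINDOWS\System32\smss.exe
K:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.2.3:3128
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - K:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "K:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - Startup: Example Shortcut.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{CEF663A7-8F7E-40AD-8825-25973A7DCACF}: NameServer = 192.168.2.3
O23 - Service: PnkBstrA - Unknown owner - K:\WINDOWS\system32\PnkBstrA.exe
--
End of file - 8244 bytes
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    section: str  # R0-R3 or O1-O24 in HijackThis 2.x
    body: str


def parse_hjt_log(text: str) -> Tuple[List[str], List[HjtEntry]]:
    """Split a log into the running-process list and the numbered entries."""
    processes: List[str] = []
    entries: List[HjtEntry] = []
    in_processes = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                processes.append(line)
            else:
                in_processes = False  # a blank line closes the process block
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(HjtEntry(m.group("section"), m.group("body")))
    return processes, entries


def value_after_equals(body: str) -> str:
    """Right-hand side of an 'Key = value' entry body."""
    return body.split("=", 1)[1].strip()


def is_private_host(hostport: str) -> bool:
    """True when a 'host[:port]' value is a private or loopback IP address,
    i.e. most likely a LAN gateway rather than a remote server."""
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # hostnames are left for the analyst to resolve


def triage(entries: List[HjtEntry]) -> Dict[str, List[str]]:
    """Group the entries a helper reviews first. These are prompts, not
    verdicts: a '(no file)' BHO is usually an orphaned key left by an
    uninstall, and a private-range proxy or name server is typically the
    home router."""
    findings: Dict[str, List[str]] = {
        "orphaned_bho": [], "proxy": [], "dns": [],
        "unknown_owner_service": [], "unresolved_startup": [],
    }
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            findings["orphaned_bho"].append(e.body)
        elif e.section == "R1" and "ProxyServer" in e.body:
            findings["proxy"].append(value_after_equals(e.body))
        elif e.section == "O17" and "NameServer" in e.body:
            findings["dns"].append(value_after_equals(e.body))
        elif e.section == "O23" and " - Unknown owner - " in e.body:
            findings["unknown_owner_service"].append(e.body)
        elif e.section == "O4" and e.body.endswith("= ?"):
            findings["unresolved_startup"].append(e.body)
    return findings


if __name__ == "__main__":
    procs, ents = parse_hjt_log(SAMPLE_LOG)
    print(f"{len(procs)} processes, {len(ents)} entries")
    for reason, items in triage(ents).items():
        for item in items:
            tag = ""
            if reason in ("proxy", "dns"):
                tag = " (private range)" if is_private_host(item) else " (external)"
            print(f"[{reason}] {item}{tag}")
```

Run against a full log the output is a short review list rather than a verdict; on the log above it would surface the nameless BHO with no file, the 192.168.2.3 proxy and name server (both private-range, consistent with a LAN proxy/router), and the PnkBstrA service with no listed owner, leaving the judgement of each to whoever reads the thread.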


 
Please do the following:

Download and Run ComboFix
If you already have ComboFix, please delete this copy and download it again, as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab, and end any processes named findstr, find, sed or swreg; ComboFix should then continue.
If that happened we want to know, and also which process you had to end.
 