
explorer.exe is killing system performance [RESOLVED]


  • This topic is locked

#16
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Wow!!! The truth is I don't know - never tried it, normally it's an hour.

I'd be inclined to let it run since it has made progress, but ultimately it's your call and I would quite understand you pulling the plug. I'm just glad I didn't think a MWAV scan was in order; they normally take 3 hours which would equate to 81 hours pro rata.
  • 0


#17
stevebo

    Member

  • Topic Starter
  • Member
  • 15 posts
Here is the Kaspersky log! (I have both a wired and wireless connection, so it started scanning drive Z:, which is identical to drive C:). I am unsure how or whether to instruct Kaspersky to proceed.

-----

KASPERSKY ON-LINE SCANNER REPORT
Monday, July 31, 2006 2:26:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 31/07/2006
Kaspersky Anti-Virus database records: 210900


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
Z:\

Scan Statistics
Total number of scanned objects 99869
Number of viruses found 7
Number of infected objects 34
Number of suspicious objects 0
Duration of the scan process 18:50:52

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06980000.VBN Infected: Exploit.HTML.Mht skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A280000.VBN Infected: Virus.MSWord.Cap skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F400000.VBN Infected: Trojan.Java.Nocheat skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Air Sickness Bags.pst/Air Sickness Bags Folders/Air Sickness Bags/Collectors/Manfred Kleber/27 Jan 2002 19:41 from [email protected]:eBay End of Auction.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Air Sickness Bags.pst/Air Sickness Bags Folders/Air Sickness Bags/eBay/Thomas Blickle/05 Feb 2002 05:48 from [email protected]:eBay End of Auction.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Air Sickness Bags.pst Mail MS Mail: infected - 2 skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Buying and Selling.pst/Buying and Selling Folders/Buying & Selling/eBay/Speedstream 5260 Modem/17 Nov 2001 05:06 from [email protected]:Question for selle.rtf Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Buying and Selling.pst Mail MS Mail: infected - 1 skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Air Sickness Bags/Collectors/Manfred Kleber/27 Jan 2002 19:41 from [email protected]:eBay End of Auction.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Air Sickness Bags/eBay/Thomas Blickle/05 Feb 2002 05:48 from [email protected]:eBay End of Auction.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/Buying & Selling/eBay/Speedstream 5260 Modem/17 Nov 2001 05:06 from [email protected]:Question for selle.rtf Infected: Trojan-Spy.HTML.Bayfraud.ib skipped

C:\Documents and Settings\SSilberberg\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Mail MS Mail: infected - 3 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32.zip ZIP: infected - 4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32_viewer.zip/vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Downloads\VNC\Real VNC Version 4.0\vnc-4.0-x86_win32_viewer.zip ZIP: infected - 1 skipped

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\Program Files\RealVNC\WinVNC\othread2.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP733\A0055354.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP733\A0055355.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP733\A0055356.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped

C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP733\A0055358.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

C:\System Volume Information\_restore{E87A81FB-FDCF-4B92-A20C-951710F82D7C}\RP746\A0057391.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped

Z:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06980000.VBN Infected: Exploit.HTML.Mht skipped

Z:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A280000.VBN Infected: Virus.MSWord.Cap skipped

Z:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0F400000.VBN Infected: Trojan.Java.Nocheat skipped

Scan process completed.
  • 0

#18
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Steve

I've had a look at the Kaspersky log and have ignored Norton Quarantine, Restore Points and Outlook emails for the following reasons. The items in Norton Quarantine can be deleted at any time by you:

If you wish to empty Norton quarantine you can follow these directions for cleaning out the Symantec Quarantine Folder

Restore Points are not active and often become infected. I normally clear these out as a final part of the fix. I don't clean them out (delete them) any earlier as I strongly believe an infected restore point is better than none at all, but on this occasion, whilst we are chasing shadows, let's do that now:

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   Check Turn off System Restore.
   Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
   On the Desktop, right-click My Computer.
   Click Properties.
   Click the System Restore tab.
   UN-Check *Turn off System Restore*.
   Click Apply, and then click OK.

I am surprised that Norton has allowed emails containing viruses to be downloaded to your PC. You can of course delete each email mentioned yourself; I'm afraid there is no command I can give you to delete only certain emails from Outlook.

Taking all of that into account, we are left with 14 entries for VNC. It is true that VNC can be manipulated externally by malware writers targeting that exploit. Can I suggest that you uninstall VNC, reboot and ensure all traces are gone, and then if you decide you want that programme, re-install it.

If any of those fixes take care of the problem, great! Let me know how it went.
  • 0
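
Added example, not part of the original thread: the triage applied in post #18 (set aside quarantine, restore-point and Outlook entries, then look at what remains), written as a Python parser for report lines in the layout posted above. The bucket names, function names and the shortened sample paths are assumptions made for this example; the `not-a-virus:` prefix is Kaspersky's marker for riskware, legitimate software that can be misused.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the report above (paths shortened, user name replaced).
SAMPLE = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06980000.VBN Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst/Personal Folders/eBay/msg.eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlook1.pst Mail MS Mail: infected - 1 skipped
C:\Downloads\VNC\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Downloads\VNC\vnc-4.0-x86_win32.zip ZIP: infected - 1 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{GUID}\RP733\A0055358.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
"""

# Two line shapes: a detected object, and a container summary ("ZIP: infected - 4").
OBJECT = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\w+)$")
CONTAINER = re.compile(r"^(?P<path>.+?) [\w ]+?: infected - \d+ (?P<action>\w+)$")

def classify(path):
    """Bucket a detection by where the object lives, not by its verdict name."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "av-quarantine"      # held in the resident AV's quarantine folder
    if "\\system volume information\\_restore" in p:
        return "restore-point"      # backup copy kept by System Restore
    if ".pst" in p:
        return "mail-store"         # message inside an Outlook data file
    return "live-file"              # ordinary file on disk

def triage(report):
    """Return {bucket: [(path, verdict_or_None), ...]} for every detection line."""
    buckets = defaultdict(list)
    for line in map(str.strip, report.splitlines()):
        m = OBJECT.match(line) or CONTAINER.match(line)
        if m:
            buckets[classify(m["path"])].append((m["path"], m.groupdict().get("verdict")))
    return dict(buckets)

def riskware_only(entries):
    """True when every named verdict carries Kaspersky's 'not-a-virus:' prefix."""
    named = [v for _, v in entries if v]
    return bool(named) and all(v.startswith("not-a-virus:") for v in named)

if __name__ == "__main__":
    for bucket, entries in sorted(triage(SAMPLE).items()):
        print(f"{bucket:14} {len(entries):2}  riskware_only={riskware_only(entries)}")
```

Container summary lines ("ZIP: infected - 1") are counted as entries alongside the objects inside them, which matches how the report itself lists them.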

#19
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





