What type of "nasty" is this?

SeldomFixit
28th Feb 2003, 11:31
After installing CloneCD, I attempted to enter a registration key that now, obviously, wasn't what it purported to be.
IE6 now has a "skin" with a new, additional navigation bar and search window as well as another tool bar at the lower screen edge that includes buttons I'd rather the kids didn't click on.
If that isn't enough, the firewall is reporting internet access permission for constantly changing .exe files (e.g. Rii1.exe, Rjq22.exe, Sbs2A.exe) as well as numerous others. This access permission is sought immediately after bootup. When explorer is opened I keep getting taken to a site called Lop.com. Even though I reselect my preferred homepage I seem to end up here on most, but not all, occasions. I have briefly noticed something like "passthrough..." in the address line but haven't been fast enough to nab it.
Spyware Blaster shows this as one of many sites to be avoided and has flagged this site several times under the name of Lop.com Variant (3), (4), (5) and (6).
When I do a file search for the above .exe files they aren't found and it appears that whatever it is I have managed to pick up generates random .exe files as well as hiding those I deny access to.
As I use the machine for banking etc, I am more than a little concerned and would appreciate all or any assistance that might help me to stop short of an HD reformat.
AVG doesn't show any virus, but I accept I'm hardly watertight.
Look forward to some help from the combined forces of PPRuNe.
Thanks in advance.

RomeoTangoFoxtrotMike
28th Feb 2003, 12:06
Sounds like you've managed to install Tubmo-A (see http://www.sophos.com/virusinfo/analyses/trojtubmoa.html )

You might also be infected with a variant of Surnova; see, for example, http://www.sophos.com/virusinfo/analyses/w32surnovaf.html

HTH

SeldomFixit
28th Feb 2003, 17:59
RTFM - and right you seem to be, Sir. I was very taken with the AVG anti virus program after it found and removed things Norton and PCcillin had missed, but now its own Achilles heel seems to have been found. I am downloading a trial version of Sophos as we speak.
My question now is - following the "removal" instructions from your first link (as simple as running an uninstall via the control panel), just what sort of trojan actually allows you to do that? Surely complete removal can't be expected by simply "uninstalling" via a command provided by the trojan itself?
Having said that though, the skin has certainly gone now.
Dazed and confused but thankful for your help and the links.

SeldomFixit
1st Mar 2003, 21:08
Further to the above - after running the uninstall program and successfully removing the "skin" from my Browser (does this mean my PC has had a circumcision?)... I am getting a request on boot up to allow internet access to Spooler SubSystem App (spoolsv.exe to destination IP 0.0.0.0:DNS) which I hadn't ever seen before, and it makes me wonder why something that supposedly takes care of print jobs would require Net access (stand alone, non networked PC).
Is this an innocuous request, or has something been modified by the Tubmo-A trojan that appears to have been installed previously?
Again, any and all information accepted. Not only is information power, it's bloody dangerous in the hands of someone like myself!!

RomeoTangoFoxtrotMike
2nd Mar 2003, 18:04
> RTFM - and right you seem to be Sir. I was very taken with the
> AVG anti virus program after it found and removed things
> Norton and PCcillin had missed but now it's own Achilles heel
> seems to have been found. I am downloading a trial version of
> Sophos as we speak.

There is a dictum in security which goes "defence in depth", or in other words "don't put all your eggs in one basket." You've just discovered that you cannot trust one product to find absolutely everything. The problem is that it's extremely difficult to get multiple anti-virii products to co-operate on the same platform... (my main use of them is on our Unix based mail gateways to scan email -- being Unix, I can make just the bits I want run when I want them, so they don't clash :) On a real Windoze box, it will be a lot more difficult :( )

> My question now is - following the "removal" instructions from
> your first link ( as simple as running an uninstall via the control
> panel ), just what sort of trojan actually allows you to do that ?
> Surely complete removal can't be expected by simply
> "uninstalling" via a command provided by the trojan itself ?
> Having said that though, the skin has certainly gone now.

The clue is in the name: the point about a "trojan" as opposed to a "virus" is that a trojan cannot replicate by itself -- it requires active assistance from you to do its job (just like the Greeks needing the Trojans to pull the wooden horse into Troy.) Because they cannot replicate by themselves, they are usually much easier to clean up than a virus -- but each one is different, of course. The reputable AV companies will have done all the donkey work in working out what you need to do -- it's always worth checking out multiple AV vendor sites for further information. I personally prefer Sophos because I've had good results with them, but that's not to say the others aren't any good: as you've observed they each manage to miss out on different things...

> Dazed and confused but thankful for your help and the links.

You're welcome.

> Further to the above - after running the uninstall program and
> successfully removing the "skin" from my Browser ( does this
> mean my PC has had a circumcision ?)..........I am getting a
> request on boot up to allow internet access to Spooler
> SubSystem App ( spoolsv.exe to destination IP 0.0.0.0:DNS )
> which I hadn't ever seen before and makes me wonder why
> something that supposedly takes care of print jobs would
> require Net access ( stand alone, non networked PC ).
> Is this an innocuous request or has something been modified
> by the Tubmo-A trojan that appears to have been installed
> previously ?

Sounds like you've got infected with something else, as well. That will be something else. The IP address 0.0.0.0 is not a valid host address (OK, to keep the cognoscenti happy, it is valid as the default network address in routing tables.) Are you running any peer-to-peer software like Kazaa? That has been implicated in the spread of the trojan that you had and all sorts of other stuff.

> Again, any and all information accepted. Not only is information
> power, it's bloody dangerous in the hands of someone like myself !!

When it comes to Viruses, Trojans and "Security Alerts", it's always advisable to double-check the information that you've been given from multiple trusted sources (e.g. AV vendor sites), especially if this "advice" has been passed on by a "friend". The vast majority of them are hoaxes -- I strongly recommend that you do not follow any "advice" given in such "friendly" alerts (including this one ! :) ), but double check with well-known sources first. Sometimes the advice given is itself actually dangerous (thus turning the hoax into a real virus :eek: ). The exhortation to "pass this on to everyone you know" or similar is always an excellent giveaway. www.vmyths.com is very helpful for debunking hoaxes...

HTH,

RTFM
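The two symptoms raised in this thread (the first post's firewall prompts from constantly changing .exe names, and the later spoolsv.exe prompt to 0.0.0.0 that RTFM says is not a valid host address) are the kind of thing a small triage script can pick out of a personal-firewall log. The following is an added example, not code from any poster or from any firewall product. The log format, the allowlist and the "randomised name" heuristic are assumptions; the process names are the ones mentioned in the thread and the destination addresses are constructed from RFC 5737 documentation ranges.

```python
"""Triage helper for personal-firewall permission prompts (added example).

Flags two patterns from the thread: executables with short, randomised-looking
names asking for network access, and connections to the unspecified address
0.0.0.0, which is never a real destination host.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log in a made-up "<time> <process> -> <ip>:<port>" layout.
# Process names are from the thread; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
07:58:10 Rii1.exe -> 192.0.2.10:80
07:58:12 Rjq22.exe -> 192.0.2.11:80
07:58:15 Sbs2A.exe -> 198.51.100.5:80
07:58:20 spoolsv.exe -> 0.0.0.0:53
08:03:44 iexplore.exe -> 198.51.100.7:80
"""

LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) (?P<proc>\S+) -> (?P<ip>[\d.]+):(?P<port>\d+)$"
)

# Heuristic for the "constantly changing" names in the first post: a short
# alphanumeric stem containing at least one digit. Legitimate programs can
# match this too, so a hit is a reason to look closer, not proof of infection.
RANDOM_NAME = re.compile(r"^(?=.*\d)[A-Za-z0-9]{3,8}\.exe$", re.IGNORECASE)

# Programs this (constructed) box is expected to let onto the network.
EXPECTED_NETWORK = {"iexplore.exe"}


@dataclass
class Finding:
    time: str
    process: str
    destination: str
    reason: str


def parse(log_text):
    """Yield (time, proc, ip, port) for each well-formed line; skip the rest."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield m["time"], m["proc"], m["ip"], int(m["port"])


def triage(log_text):
    """Return a Finding for every prompt that merits a closer look."""
    findings = []
    for time, proc, ip, port in parse(log_text):
        dest = f"{ip}:{port}"
        if proc.lower() in EXPECTED_NETWORK:
            continue
        if RANDOM_NAME.match(proc):
            findings.append(Finding(time, proc, dest,
                                    "randomised-looking executable name"))
        # ipaddress knows 0.0.0.0 (and ::) as the "unspecified" address.
        if ipaddress.ip_address(ip).is_unspecified:
            findings.append(Finding(time, proc, dest,
                                    "destination is the unspecified address 0.0.0.0"))
    return findings


def suspicious_processes(log_text):
    """Distinct process names that produced at least one finding."""
    return sorted({f.process for f in triage(log_text)})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time} {f.process:<12} -> {f.destination:<18} {f.reason}")
```

Running it against the constructed log lists the three random-looking names plus spoolsv.exe. The script deliberately stops at flagging: what to do about a hit (checking the vendor write-ups, as RTFM advises, or confirming the file on disk) is a judgement call the thread itself covers.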

SeldomFixit
3rd Mar 2003, 06:29
Thanks RTFM - I have actually done a lot of reading since this unfortunate mishap. While I may now be slightly more rounded in one area I'm sure the next hurdle is just around the corner.
I have always tried to use more than one line of defence but short of never venturing onto the net - what to do ?
Your guidance and information much appreciated. Cheers

Ronbmy
8th Mar 2003, 13:10
SeldomFixit

Check your pm.

Golden Runways
11th Mar 2003, 00:56
http://downloads-zdnet.com.com/3120-20-0.html?qt=spybot&tg=dl-20

Removes many IE page hijackers, and importantly their registry changes. Free, and spectacularly effective. When you first scan, read the instructions very carefully. Get Kaspersky anti virus. Don't forget to parse the System Restore folder too.