Old 04-22-2009, 04:05 PM   #21
objennasweene
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:50 PM, on 6/21/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16681)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Users\Owner\AppData\Local\Google\Update\1.1.25.0\GoogleUpdate.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dealio\kb126\Dealio Deskbar.exe
C:\Users\Owner\AppData\Local\YouTube\Uploader\youtubeuploader.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\AIM\aim.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HP United States - Computers, Laptops, Servers, Printers and more
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = HP United States - Computers, Laptops, Servers, Printers and more
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = HP United States - Computers, Laptops, Servers, Printers and more
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb126\Dealio.dll
O2 - BHO: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb126\Dealio.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O3 - Toolbar: Internet Service - {F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B} - C:\Program Files\Web Technologies\iebr.dll
O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
O4 - HKLM\..\Run: [WAWifiMessage] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [au] "C:\Program Files\Dealio\DealioAU.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\1.1.25.0\GoogleUpdate.exe" /lang en
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: YouTube Uploader.lnk = C:\Users\Owner\AppData\Local\YouTube\Uploader\youtubeuploader.exe
O4 - Global Startup: Vongo Tray.lnk = ?
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Users\Owner\AppData\LocalLow\Dealio\kb126\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000


Old 04-22-2009, 04:22 PM   #22
JamesTornC
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

I am no expert but I think this is Virtumunde so it seems you are infected.

Do not get help from anybody unless you can trust them. When you get an infection it can take several steps sometimes to get cleaned up.

Techguy.org is a decent site for help like this. If you go to their site

HelpOnThe.Net: Tech Support Guy - Free help for Windows XP, Vista, 98, and more!

and create an account, you would then go to the Security and HJT forum, which is on the left.


Old 04-22-2009, 09:16 PM   #23
Viafdrear
Yes, you have a lot of bad stuff in there, not necessarily vundo, but enough other junk to warrant cleansing. I have done work on this in the past, used to work on a different site for malware, and can definitely help you, but as Allen said, other sites are far more reputable in the area of malware removal than this site is. The fact that I work in IT means that I run across this stuff daily, and have to be at least somewhat cognizant of what is out there, and I feel that I could assist you and get your system clean on this site, if that is the way you want to go.

If not, I would follow Allen's instructions, as while I do not know him, I have actually heard of the website he speaks of, and while I am not a member there (I do tech work during the day, I would rather relax with some wine and have someone rub my feet in the evening than continue to tech work) I also vouch for their expertise, as I had my machine cleaned up back when I was still married.

Matter of fact, it was one of the reasons we got divorced, how that machine got infected.


Old 04-22-2009, 09:22 PM   #24
TeftyJokip
I am no expert but I think this is Virtumunde so it seems you are infected.

That's actually for the Askbar search assistant. Not malignant, but annoying with a lot of popups.

With vundo you will usually see the infection mirrored in the O20 section, so you would see the below:

Code:
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DL+L

and then an entry in the O20 section that ended in RABSKA.DLL. At least that's the way it used to be. I never got certified anywhere, but I did do a lot of cleaning via HJT in the past, just haven't done so in a few years.

As I said, as I've matured, I find that when I'm at home, I like to spend my time as far away from what I do during the day as possible.
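A small triage script, added here as an illustration and not part of the thread, that applies the reading of the log discussed above to HijackThis lines: it flags hook entries whose file is missing, a DLL registered in more than one hook section (as the Ask and Wisdom-soft DLLs are in the posted log), and an O20 Winlogon Notify DLL whose name is a BHO DLL name spelled backwards. The sample lines are constructed; the O20 line format, the random-named DLLs and the exact reversed-name pairing are assumptions, not data taken from this log.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log posted above.  The random-named BHO and
# the O20 line are assumed Vundo-style entries, not lines from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Windows\system32\qomkjhf.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O20 - Winlogon Notify: fhjkmoq - C:\Windows\system32\fhjkmoq.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

def parse(log):
    """Split HJT lines into section, raw text and lower-cased DLL basename (None if no file)."""
    entries = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # HJT separates fields with " - "; the last field is the file path, if any.
        path = m.group("body").rsplit(" - ", 1)[-1].strip()
        dll = None
        if path.lower() not in ("", "(no file)", "?"):
            dll = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        entries.append({"section": m.group("sec"), "text": line.strip(), "dll": dll})
    return entries

def triage(log):
    """Defender-side heuristics: orphaned hooks, one DLL hooked in several sections,
    and an O20 Winlogon Notify DLL whose name is a BHO DLL name reversed (Vundo pattern)."""
    entries = parse(log)
    findings, by_dll = [], defaultdict(set)
    for e in entries:
        if e["dll"] is None and e["section"] in ("R3", "O2", "O3"):
            findings.append(("orphan", e["text"]))
        elif e["dll"]:
            by_dll[e["dll"]].add(e["section"])
    for dll, secs in sorted(by_dll.items()):
        if len(secs) > 1:
            findings.append(("multi-hook", f"{dll} in {sorted(secs)}"))
    bho_stems = {e["dll"].rsplit(".", 1)[0] for e in entries if e["section"] == "O2" and e["dll"]}
    for e in entries:
        if e["section"] == "O20" and e["dll"]:
            stem = e["dll"].rsplit(".", 1)[0]
            if stem[::-1] in bho_stems:
                findings.append(("vundo-mirror", f"{e['dll']} reverses BHO {stem[::-1]}.dll"))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:13} {detail}")
```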


Old 04-23-2009, 11:00 PM   #25
valiumcheapll
I know that you have a basic infection, but frankly that shouldn't cause your connection problems, just general slowness, pop-ups and other annoyances...

Usually as soon as a scanner finds something it drops it in the vault. You might wanna try just plugging your computer into the router if you're close to it. It might be a problem with the wireless card.
That would be my first suggestion, and when you do I'd upgrade the wireless NIC regardless anyway. If after plugging it in you find that you have a stable connection, then it's one if not two problems:

1) your NIC
2) your Router

First I'd update the NIC drivers, then I'd just try updating the router's firmware. If after updating both of those you still find yourself having problems, it may actually be corrupt software in the router. What you would do there is start from scratch, blow it out completely and then install the latest drivers and set up your router again.

Since I don't know what model of equipment you have, those are just my general suggestions. If you know the specific models, usually the manufacturers' websites have detailed "how-to" manuals on how to perform the fixes that I suggested.



Old 04-24-2009, 02:17 AM   #26
weightpillsnow
That's actually for the Askbar search assistant. Not malignant, but annoying with a lot of popups.

With vundo you will usually see the infection mirrored in the O20 section, so you would see the below:

Code:
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DL+L

and then an entry in the O20 section that ended in RABSKA.DLL. At least that's the way it used to be. I never got certified anywhere, but I did do a lot of cleaning via HJT in the past, just haven't done so in a few years.

As I said, as I've matured, I find that when I'm at home, I like to spend my time as far away from what I do during the day as possible.
It just caught my eye so I did a google and it sent me to a tech site post where a guy said that was what it was. I make NO claims to have any expertise. I used to just follow along out of boredom a few years ago and saw some of the more obvious stuff that sticks out. OR so I thought


Old 04-24-2009, 02:50 AM   #27
corsar-caribean
It just caught my eye so I did a google and it sent me to a tech site post where a guy said that was what it was. I make NO claims to have any expertise. I used to just follow along out of boredom a few years ago and saw some of the more obvious stuff that sticks out. OR so I thought

Malware is very annoying and very tricky. I used to be very good at it, but it just took up too much of my time.

I went to the site that you suggested and they seem to have a complete area roped off for it, but they have the same problem that all sites have today with malware, which is that there are vastly more writers of bad malware than there are trained removers of it. I think that ratio will always stay the same, though. Something about the criminal element in us.

I can help here, if they want me to, but I will be honest and say that the people that you recommended have a lot more expertise, and a lot more _recent_ expertise, than I do.

But I will do what is asked of me.
Within reason, of course.


Old 04-24-2009, 02:53 AM   #28
bestformaldress23
Some malware is so stinking embedded it takes a lot of steps to get it clean. If that happened to me I would just reinstall, as I have a drive image program and saved everything on an external drive. 15 minutes and I am all back together and nothing else to reinstall.