Reply to Thread New Thread |
![]() |
#21 |
|
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:48:50 PM, on 6/21/2008 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16681) Boot mode: Normal Running processes: C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\WINDOWS\System32\rundll32.exe C:\Program Files\Synaptics\SynTP\SynTPStart.exe C:\Program Files\HP\QuickPlay\QPService.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\WINDOWS\System32\rundll32.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\WINDOWS\ehome\ehtray.exe C:\Users\Owner\AppData\Local\Google\Update\1.1.25. 0\GoogleUpdate.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Dealio\kb126\Dealio Deskbar.exe C:\Users\Owner\AppData\Local\YouTube\Uploader\yout ubeuploader.exe C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\AIM\aim.exe C:\Windows\System32\mobsync.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\system32\SearchFilterHost.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://internetsearchservice.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://internetsearchservice.com R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = HP United States - Computers, Laptops, Servers, Printers and more R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = HP United States - Computers, Laptops, Servers, Printers and more R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = HP United States - Computers, Laptops, Servers, Printers and more R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL R3 - URLSearchHook: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll O1 - Hosts: ::1 localhost O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file) O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb126\Dealio.dll O2 - BHO: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O3 - Toolbar: Wisdom-soft toolbar - {6dfc55bb-bfff-485a-9709-90c3fdf6db58} - C:\Program Files\Wisdom-soft\tbWisd.dll O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb126\Dealio.dll O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL O3 - Toolbar: Internet Service - {F99D0C20-F8E1-43B6-AB24-3F16BFAEA77B} - C:\Program Files\Web Technologies\iebr.dll O4 - HKLM\..\Run: [NvSvc] "RUNDLL32.EXE" C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [SynTPStart] "C:\Program Files\Synaptics\SynTP\SynTPStart.exe" O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe" O4 - HKLM\..\Run: [QlbCtrl] "C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" /Start O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" O4 - HKLM\..\Run: [WAWifiMessage] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [au] "C:\Program Files\Dealio\DealioAU.exe" O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray O4 - HKCU\..\Run: [Sidebar] "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun O4 - HKCU\..\Run: [WindowsWelcomeCenter] "rundll32.exe" oobefldr.dll,ShowWelcomeCenter O4 - HKCU\..\Run: [HPAdvisor] "C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" autoRun O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Google Update] "C:\Users\Owner\AppData\Local\Google\Update\1.1.25 .0\GoogleUpdate.exe" /lang en O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: YouTube Uploader.lnk = C:\Users\Owner\AppData\Local\YouTube\Uploader\yout ubeuploader.exe O4 - Global Startup: Vongo Tray.lnk = ? O8 - Extra context menu item: Compare Prices with &Dealio - C:\Users\Owner\AppData\LocalLow\Dealio\kb126\res\D ealioSearch.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 |
![]() |
![]() |
#22 |
|
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL I am no expert but I think this is Virtumunde so it seems you are infected.
Do not get help from anybody unless you can trust them. When you get an infection it can take several steps sometimes to get cleaned up. Techguy.org is a decent site for help like this if you go to their site HelpOnThe.Net: Tech Support Guy - Free help for Windows XP, Vista, 98, and more! after you create an account you would then go to the Security and HJT forum which is on the left |
![]() |
![]() |
#23 |
|
Yes, you have a lot of bad stuff in there, not necessarily vundo, but enough other junk to warrant cleansing. I have done work on this in the past, used to work on a different site for malware, and can definitely help you, but as Allen said, other sites are far more reputable in the area of malware removal than this site is. The fact that I work in IT means that I run across this stuff daily, and have to at least somewhat cognizant of what is out there, and I feel that I could assiist you and get you system clean on this site, if that is the way you want to go.
If not, I would follow Allen's instructions, as while I do not know him, I have actually heard of the website he speaks of, and while I am not a member there (I do tech work during the day, I would rather relax with some wine and have someone rub my feet in the evening than continue to tech work) I also vouch for their expertise, as I had my machine cleaned up back when I was still married. Matter of fact, it was one of the reasons we got divorced, how that machine got infected. ![]() |
![]() |
![]() |
#24 |
|
I am no expert but I think this is Virtumunde so it seems you are infected. ![]() With vundo you will usually see the infection mirrored in the O20 section, so you would see the below: Code: Code
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DL+L and then an entry in the O20 section that ended in RABSKA.DLL. At least that's the way it used to be. I never got certified anywhere, but I did do a lot of cleaning via HJT in the past, just haven't done so in a few years. As I said, as I've matured, I find that when I'm at home, I like to spend my time as far away from what I do during the day as possible. ![]() |
![]() |
![]() |
#25 |
|
I know that you have a basic infection, but frankly that shouldn't cause your connection problems, just general slowness, pop-ups and other annoyances...
Usually as soon as a scanner finds something it drops it in the vault. You might wanna try just plugging your computer into the router if you're close to it. It might be a problem with the wireless card. 1) your NIC 2) your Router First I'd update the NIC drivers, then I'd first just try updating the routers firmware. if after the updating both of those and you still find yourself having problems, it may actually be corrupt software in the router. What you would do there is start from scratch, blow it out completly and then install the latest drivers and reset up your router. Since I don't know what model of the equipment you have those are just my general suggestions. If you know the specific models, usually the manufactures websites have detailed "how-to" manuals on how to preform the fixes that I suggested. I know that you have a basic infection, but frankly that shouldn't cause your connection problems, just general slowness, pop-ups and other annoyances... |
![]() |
![]() |
#26 |
|
That's actually for the Askbar search assistant. Not malignant, but annoying with a lot of popups. ![]() |
![]() |
![]() |
#27 |
|
It just caught my eye so I did a google and it sent me to a tech site post where a guy said that was what it was. I make NO claims to have any expertise. I used to just follow allow out of boredom a few years ago and saw some of the more obvious stuff that sticks out. OR so I thought ![]() Malware is very annoying and very tricky. I used to be very good at it, but it just took up too much of my time. I went to the site that you suggested and they seem to have a complete area roped off for it, but the same problem that all sites have today with malware, which is that there is vastly more writers of bad malware than there are trained removers of it. I think that ratio will always stay the same, though. Something about the criminal element in us. ![]() I can help here, if they want me too, but I will be honest and say that the people that you recommended have a lot more expertise, and a lot more _recent_ expertise, than I do. But I will do what is asked of me. Within reason, of course. ![]() |
![]() |
![]() |
#28 |
|
|
![]() |
Reply to Thread New Thread |
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests) | |
|