This has been happening for a week, since my PC had been infected with a virus. I installed avast, which captured a few viruses & trojans, but this is still happening. Specifically, when I do a google or yahoo search and click a link from the search, it takes me to different websites. Anyone ever experience this? Any recommendations? Avast has not found any other viruses; not sure what's causing this. Thanks.
Hi ceo3west,
Sounds like an IE infestation; could be a rogue BHO or other adware/spyware issue. Post a HJT log txt file as an attached txt file in your next posting, and we here will have a serious look at it.
You can download hijackthis from here: http://www.filehippo.com/download_hijackthis/download/58170ee6e58bba306c943f5b6d745c99/
polonus
Thanks for the help on this, attached is the file.
An analysis of your HJT log shows the following problems :
We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the Windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled.
(4.) You don't use any firewall at all.
We recommend that you use a firewall.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
Unnecessary (deactivated) entry that can be fixed. AcroIEhelper.ocx, AcroIEhelper.dll - Adobe Acrobat reader.
O4 - HKUS\S-1-5-21-1219393502-2404566984-3178860527-1006..\Run: [ares ultra] “C:\Program Files\Ares Ultra\Ares Ultra.exe” -h (User ‘Sarah’)
While this entry itself is not bad, this is a possible infection point as are all P2P programs.
Below are questionable entries, all related to Yahoo components:
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
Uses excessive system and memory resources with no corresponding benefit.
http://www.pcpitstop.com/libraries/process/i/yahooauservice.exe.html
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
BHO able to monitor Internet browser activity.
http://www.file.net/process/ytsingleinstance.dll.html
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
Uses excessive system and memory resources with no corresponding benefit.
http://www.pcpitstop.com/libraries/process/i/yahooauservice.exe.html
Overview of running tasks (process - category - description):
smss.exe - System task - Session Manager Subsystem
winlogon.exe - System task - Microsoft Windows Logon Process
services.exe - System task - Windows Service Controller
lsass.exe - System task - Local Security Authority Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
aswUpdSv.exe - Virusscan - Avast Anti-Virus Component
Explorer.EXE - System task - Microsoft Windows Explorer
ashServ.exe - Virusscan - Avast
spoolsv.exe - System task - Microsoft Printer Spooler Service
AppleMobileDeviceService.exe - Background task - Apple Mobile Device Service
mDNSResponder.exe - Background task - Bonjour for Windows Component
jqs.exe - Background task - jqs.exe
LSSrvc.exe - Background task - NERO LightScribe Module
nvsvc32.exe - Application - NVIDIA Driver Helper Service
svchost.exe - System task - Microsoft Service Host Process
svchost.exe - System task - Microsoft Service Host Process
VongoService.exe - Unknown task - a movie download service for portable devices; see http://www.file.net/process/vongoservice.exe.html
YahooAUService.exe - Unknown task - Yahoo AutoUpdater for Yahoo Instant Messenger; see http://www.pcpitstop.com/libraries/process/i/yahooauservice.exe.html
hpqwmiex.exe - Background task - HP ProtectTools Security Manager
ashMaiSv.exe - Virusscan - Avast Anti-Virus Component
ashWebSv.exe - Virusscan - avast! Web Scanner
HP Wireless Assistant.exe - Background task - HP Wireless Assistant
HPWuSchd2.exe - Background task - Hewlett Packard Software Update Scheduler
issch.exe - Application - InstallShield Update Service
QTTask.exe - Background task - Apple QuickTime Tray Icon
iTunesHelper.exe - Application - Apple iTunes
ashDisp.exe - Virusscan - Avast AntiVirus
jusched.exe - Background task - Sun Java Update Scheduler
ctfmon.exe - System task - Alternative User Input Services
TeaTimer.exe - Application - Spybot S&D Realtime Scanner
mlb-nexdef-autobahn.exe - Unknown task - if you have both Autobahn and MLB NexDef installed, you will run into issues; see http://www.getautobahn.com/faqs (scroll to bottom of page)
iPodService.exe - Background task - Apple iTunes
firefox.exe - Application - Mozilla Firefox
winlogon.exe - System task - Microsoft Windows Logon Process
java.exe - Application - Java runtime
HijackThis.exe - Application - Merijn HijackThis
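As an added example (not part of this thread and not HijackThis's own code), here is a small Python parser for the HijackThis line formats quoted in the analysis above. It reads the O2 (BHO), O4 (autostart) and O23 (service) lines from the log and applies the same triage the post does: a BHO marked "(file missing)" is a dead entry, an active BHO needs its DLL checked, a P2P client in an autostart key is a possible infection vector. It goes beyond the post by also handling the two HijackThis sections that most directly explain a search-redirect symptom: O1 (hosts file entries) and O17 (DNS server overrides). The O2/O4/O23 sample lines are copied from the log above; the O1 and O17 lines, the IP addresses in them (taken from the 203.0.113.0/24 documentation range) and the P2P executable list are constructed for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log. The O2/O4/O23 lines are copied from the log analysis
# in this thread; the O1 and O17 lines are constructed (documentation-range IPs)
# to show the sections that usually explain search redirects.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O4 - HKUS\S-1-5-21-1219393502-2404566984-3178860527-1006..\Run: [ares ultra] "C:\Program Files\Ares Ultra\Ares Ultra.exe" -h (User 'Sarah')
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
O1 - Hosts: 203.0.113.5 www.google.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{E1B2C3D4-0000-0000-0000-000000000001}: NameServer = 203.0.113.53,203.0.113.54
"""

# Substrings of common P2P client executables (constructed list; extend as needed).
P2P_NAMES = ("ares", "limewire", "kazaa", "bearshare", "emule", "utorrent", "bittorrent")

# "Onn - body" line shape, then one pattern per section we triage.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O1_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^(?P<key>.*?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
O23_RE = re.compile(r"^Service: (?P<display>.*?) \((?P<short>[^)]+)\) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    severity: str  # "info", "review" or "high"
    detail: str


def analyse(log: str) -> list[Finding]:
    """Walk a HijackThis log and return one Finding per recognised entry."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        if section == "O1":
            # A hosts entry pointing a search engine at an arbitrary IP is a redirect by itself.
            h = O1_RE.match(body)
            if h:
                findings.append(Finding("O1", "high", f"hosts file sends {h['host']} to {h['ip']}"))
        elif section == "O2":
            b = O2_RE.match(body)
            if b and b["missing"]:
                findings.append(Finding("O2", "info", f"dead BHO {b['name']} {b['clsid']}: DLL missing, entry can be fixed"))
            elif b:
                findings.append(Finding("O2", "review", f"active BHO {b['name']} loads {b['path']}; verify the DLL's publisher"))
        elif section == "O4":
            # Autostart entries are not bad per se; P2P clients are a common infection vector.
            r = O4_RE.match(body)
            if r and any(p in r["cmd"].lower() for p in P2P_NAMES):
                findings.append(Finding("O4", "review", f"P2P client autostarts from {r['key']}: {r['cmd']}"))
        elif section == "O17":
            # Overridden resolvers let a third party answer every DNS query, search clicks included.
            d = O17_RE.search(body)
            if d:
                findings.append(Finding("O17", "high", f"DNS servers overridden: {d['servers'].strip()}"))
        elif section == "O23":
            s = O23_RE.match(body)
            if s:
                findings.append(Finding("O23", "info", f"service {s['short']} ({s['vendor']}) runs {s['path']}"))
    return findings


def highest_first(findings: list[Finding]) -> list[Finding]:
    order = {"high": 0, "review": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in highest_first(analyse(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.section}: {f.detail}")
```

The point of the O1/O17 checks is that a redirect on every search click is more often a resolver or hosts-file hijack than a browser plugin; a BHO can only redirect inside the browser it is loaded into, while a DNS override affects every program on the machine. When a log shows neither, the BHO and autostart entries are the next place to look.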
Hi:
Since your HijackThis log shows you have Spybot (you did NOT mention IF you have run their program!?), I recommend you ask their experienced, certified, Volunteer "Malware Removal Specialists" for help on their Support Forums at http://forums.spybot.info .
CharleyO is right there, look here: http://www.prevx.com/filenames/X2370485212263648554-X1/ARES+ULTRA.EXE.html
Description: Ares Ultra.exe is located in a subfolder of “C:\Program Files”. Known file sizes on Windows XP are 2,658,816 bytes (33% of all occurrence), 2,831,360 bytes, 3,780,608 bytes.
There is an icon for this program on the taskbar next to the clock. The program has a visible window. Program can be uninstalled in the Control Panel. File Ares Ultra.exe is not a Windows system file. The process uses ports to connect to LAN or Internet. Ares Ultra.exe is able to record inputs, manipulate other programs. Therefore the technical security rating is 12% dangerous, however also read the users reviews.
Recommended: Identify Ares Ultra.exe related errors
Important: Some malware camouflage themselves as Ares Ultra.exe, particularly if they are located in the c:\windows or c:\windows\system32 folder. Thus check the Ares Ultra.exe process on your PC to see whether it is a pest. Upload the file to virustotal.com and give us the results as an attached txt file.
P2P, although it might be partly legit, is a protocol that is frowned upon by certain BigMedia parties, which, to say it politely, are not too amused about these online download activities and will try to frustrate them; so it can be a source of malcode. If you are into that, take the utmost care not to get infested with malicious software.
polonus