[Ham-Computers] RE: Slow problem - again (Still)

Hsu, Aaron (NBC Universal) aaron.hsu at nbcuni.com
Mon May 14 21:17:10 EDT 2007


Hi all,

I also responded to Gene in a private e-mail.  Most of the "O21" "hooks" below show that the file is no longer on the system.  In other words, a previous malware scanner probably deleted the file, but left the "hook" in-place - it's therefore a "null".

Of the "O22"'s, browseui.dll is legit, but the others are related to the "O21" hooks - as before, the files are gone, but the hooks are still in place.

Another possible problem I saw with the full log (not posted) is that Gene has a *LOT* of anti-virus/anti-spyware software running.  This, in and of itself, can also cause problems.  There is also an LSP hook to a Novell networking client - this might not cause the problem Gene is seeing, but it's odd that it's there. 

I've given Gene some instructions on what I would do in this situation.  Let's hope he's able to get the system up and running 100% soon.  I didn't see any "running" malware, but a rootkit could be lurking in the background and Hijackthis won't see it.  This hasn't been checked for yet...it's a much more complicated "discovery".


73,

  - Aaron Hsu, NN6O


-----Original Message-----
Sent: Monday, May 14, 2007 12:37 PM
Subject: Re: [Ham-Computers] Slow problem - again (Still)

The part of the log that I find suspicious is this:

O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)

I think you should post the log to the HiJack forums and let one of the frequent fliers there take a look; they will be able to advise you what to do a lot quicker than I can. This could involve running more than one program to get rid of the spyware/malware.

R B
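
The triage described in this thread (finding hooks whose file is gone and matching the O22 entries to their O21 counterparts by CLSID) can be done mechanically. The following is an added example, not part of either message and not HijackThis code; the function names and the regular expression are assumptions based only on the log lines quoted above.

```python
import re
from collections import defaultdict

# O21/O22 lines copied from the quoted message above.
SAMPLE_LOG = r"""
O21 - SSODL: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O21 - SSODL: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
O21 - SSODL: eitheror - {2016a466-91a2-43c6-97d8-2fd380f065ef} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: contrabandists - {dfa61db1-388e-4c87-8d56-540fa229bcb4} - (no file)
O22 - SharedTaskScheduler: carbinyl - {8d8c2387-7f80-4022-9be6-43630a969558} - (no file)
"""

# Layout seen in the log: section - key: name - {CLSID} - file path or "(no file)"
LINE_RE = re.compile(
    r"^(?P<section>O2[12]) - (?P<key>SSODL|SharedTaskScheduler): "
    r"(?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

def parse_entries(log):
    """Return one dict per O21/O22 line; other lines are ignored."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["clsid"] = e["clsid"].lower()  # CLSIDs appear in mixed case
        e["orphaned"] = e["target"].strip() == "(no file)"
        entries.append(e)
    return entries

def orphaned_hooks(entries):
    """Group by CLSID; report CLSIDs whose every entry has no file."""
    by_clsid = defaultdict(list)
    for e in entries:
        by_clsid[e["clsid"]].append(e)
    report = {}
    for clsid, group in by_clsid.items():
        if all(e["orphaned"] for e in group):
            report[clsid] = {"name": group[0]["name"],
                             "sections": sorted({e["section"] for e in group})}
    return report

if __name__ == "__main__":
    for clsid, info in orphaned_hooks(parse_entries(SAMPLE_LOG)).items():
        print(clsid, info["name"], "+".join(info["sections"]))
```

On the lines above this reports three CLSIDs with no file behind them, two of which are registered in both the O21 and O22 sections, and leaves the two browseui.dll entries out.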


