BleepingComputer.com


Browser Hijacked - Help Needed Please


  • This topic is locked
4 replies to this topic

#1 Twisted Whispers
  • Members

Posted 21 March 2007 - 06:11 AM

Hi,
I have a browser hijacker issue that needs fixing, and I am hoping someone can help me, as I am not very technical with such issues.
I am receiving several pop-ups when opening IE. I am always pretty much on top of my browser issues and very rarely, if at all, got pop-ups until recently, and this one has me baffled as to how to remove it.
I believe I know what the problem is that is causing it, I just need a little help to remove it.
I think it is a process called "PrtlAgt.exe". Every time I end Process or Process Tree, it re-appears.
Path Location - C:\Program Files\blueyonder\PCguard\PrtlAgt.exe

Please find HijackThis Log below.

Thanks in advance for any help on this issue.

Jay


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:44:58, on 21/03/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\USBIcon.exe
C:\WINDOWS\System32\LXSUPMON.EXE
E:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
E:\Program Files\Desktop Sidebar\dsidebar.exe
E:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
E:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Extensis\Suitcase 9.2\Suitcase.exe
C:\Program Files\Windows Media Player\wmplayer.exe
E:\PROGRA~1\INCRED~1\bin\IncMail.exe
C:\WINDOWS\System32\ctfmon.exe
E:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\blueyonder\PCguard\PrtlAgt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Downloads\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - # - (no file)
O2 - BHO: (no name) - $ - (no file)
O2 - BHO: (no name) - 8@ - (no file)
O2 - BHO: (no name) - @> - (no file)
O2 - BHO: (no name) - P> - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B0E2DB49-F27D-4F6B-81FA-BEB59A3FFB29} - C:\WINDOWS\System32\khfff.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {DC9B1C58-6B3C-4236-943B-486AA549F7C6} - C:\WINDOWS\System32\ljjhgfc.dll
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - # - (no file)
O2 - BHO: (no name) - # - (no file)
O2 - BHO: (no name) - ? - (no file)
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - = - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\Rps.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] E:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [MCI USB Icon] C:\WINDOWS\System32\USBIcon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "E:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [IncrediMail] E:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SIDEBAR] "E:\Program Files\Desktop Sidebar\dsidebar.exe"
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] E:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] E:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [SsAAD.exe] E:\PROGRA~1\SsAAD.exe
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "E:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Suitcase Startup.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = E:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to AMV Convert Tool... - E:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: Download with Rapget - C:\Documents and Settings\Jay & Jean\Desktop\Rapget\rapget.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - E:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - E:\Program Files\Desktop Sidebar\sbhelp.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/vers...vex-2.0.6.5.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://download.games.yahoo.com/games/web_...nx.1.0.0.55.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Compone...EngineQuery.dll
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} - http://update.videoegg.com/Install/Windows...ggPublisher.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popc...aploader_v6.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://download.games.yahoo.com/games/web_...ameLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2322412C-1E03-43AF-9235-97240DEF0F54}: NameServer = 192.168.1.254,62.31.176.39
O20 - Winlogon Notify: khfff - C:\WINDOWS\System32\khfff.dll
O20 - Winlogon Notify: ljjhgfc - C:\WINDOWS\SYSTEM32\ljjhgfc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

--
End of file - 10779 bytes
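The entries in this log that an analyst would look at first are not the PCguard process the poster names (the same directory hosts the Radialpoint "PCguard Firewall" service listed under O23) but the two unnamed O2 BHOs that load C:\WINDOWS\System32\khfff.dll and ljjhgfc.dll, together with the O20 Winlogon Notify entries for the same two DLLs. A Winlogon Notify DLL is loaded by winlogon.exe at logon, so ending a user-level process does nothing to it, and the poster's later report that VundoFix found files is consistent with that pairing. The script below is an added example, not code from the thread or from HijackThis: it parses the O2 and O20 lines, cross-references the DLL names between the two sections, and flags the orphaned BHO keys with no CLSID or file. The sample lines are copied verbatim from the log above (the rest of the log is omitted); the severity labels and the "generated-looking name" heuristic are the editor's assumptions, not anything the thread states.

```python
"""Triage helper for HijackThis-style logs: pairs O2 (BHO) entries with
O20 (Winlogon Notify) entries to surface DLLs registered in both places."""
import re

# Lines copied verbatim from the HijackThis log posted above; the rest of
# that log is omitted here so the sample stays short.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - # - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {B0E2DB49-F27D-4F6B-81FA-BEB59A3FFB29} - C:\WINDOWS\System32\khfff.dll
O2 - BHO: (no name) - {DC9B1C58-6B3C-4236-943B-486AA549F7C6} - C:\WINDOWS\System32\ljjhgfc.dll
O2 - BHO: (no name) -  - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O20 - Winlogon Notify: khfff - C:\WINDOWS\System32\khfff.dll
O20 - Winlogon Notify: ljjhgfc - C:\WINDOWS\SYSTEM32\ljjhgfc.dll
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
"""

# HijackThis separates the fields of an O2/O20 line with " - ".
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>.*?) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$")


def parse_log(text):
    """Return (bho_entries, notify_entries); other sections are ignored."""
    bhos, notifies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({**m.groupdict(), "raw": line})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({**m.groupdict(), "raw": line})
    return bhos, notifies


def dll_name(path):
    """Lower-cased file name from a Windows path (the log mixes System32/SYSTEM32)."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_generated(filename):
    """Editor's heuristic, not from the thread: a short, all-lowercase,
    vowel-free stem such as khfff or ljjhgfc is the kind of name a dropper
    generates rather than the kind a vendor ships."""
    stem = filename[:-4] if filename.endswith(".dll") else filename
    return (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and not any(c in "aeiou" for c in stem))


def triage(text):
    """Return findings as (severity, reason, raw_line), worst first."""
    bhos, notifies = parse_log(text)
    bho_dlls = {dll_name(b["path"]) for b in bhos if b["path"] != "(no file)"}
    notify_dlls = {dll_name(n["path"]) for n in notifies}
    findings = []
    for b in bhos:
        if b["path"] == "(no file)" or not CLSID_RE.match(b["clsid"]):
            findings.append(("low", "orphaned or malformed BHO key (no CLSID or file)", b["raw"]))
            continue
        dll = dll_name(b["path"])
        in_system32 = "\\system32\\" in b["path"].lower()
        if dll in notify_dlls:
            findings.append(("high", "BHO DLL is also a Winlogon Notify DLL: loaded by "
                             "winlogon.exe at logon, so it survives killing user processes", b["raw"]))
        elif b["name"] == "(no name)" and in_system32 and looks_generated(dll):
            findings.append(("medium", "unnamed BHO loading a generated-looking DLL from System32", b["raw"]))
    for n in notifies:
        if dll_name(n["path"]) in bho_dlls:
            findings.append(("high", "Winlogon Notify DLL is also registered as a BHO", n["raw"]))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def dlls_to_remove(text):
    """Sorted file names that appear in at least one high-severity finding."""
    names = set()
    for sev, _reason, raw in triage(text):
        if sev == "high":
            names.add(dll_name(raw.rsplit(" - ", 1)[-1]))
    return sorted(names)


if __name__ == "__main__":
    for sev, reason, raw in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {raw}\n         {reason}")
```

Run against the sample, the two high-severity DLLs come out as khfff.dll and ljjhgfc.dll (each reported twice, once per section, because both registry locations need to be cleared), while the Yahoo and PC Tools BHOs and the two junk "(no file)" keys are left at low or not flagged. Cross-referencing the sections is the strong signal; the name heuristic only backs it up when a DLL appears in a single place.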


#2 random/random
  • Malware Response Team

Posted 23 March 2007 - 02:55 PM

Please delete any HijackThis folders and files you have now. Use Add/Remove Programs and remove HijackThis. What you have now is a beta version.

You can get a complete installer that installs HijackThis to C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut from http://downloads.malwareremoval.com/HJTsetup.exe

Click on the link and select Save, save it to your desktop and double click HJTsetup.exe.

Open HijackThis and select: Do a system scan and save a log file.

When the scan is finished, Click Edit> Select All> Edit> Copy> and paste its contents here.

#3 Twisted Whispers
  • Topic Starter
  • Members

Posted 23 March 2007 - 03:27 PM

Hi, thanks for replying.
I have also been to the CastleCops forum and I am also receiving help from there, so I am not sure if we are going to receive conflicts between the two of you.

Anyhow, firstly, I was asked to run VundoFix, which I did, and it caught a few files, correcting my pop-up issues; but soon after (before I could reply) I was also asked to upgrade to SP1a and also to download and run ComboFix. I have replied to them and told them that my pop-up issue seems to be fixed, but do they still recommend upgrading to SP1a and also running ComboFix, as well as fixing any other issues they find in my HijackThis log which require fixing?
I am at present still waiting for a reply.

Do you still think I would need a little help from you also, if VundoFix cured my problem? Or could there be more errors in HijackThis that could be fixed (I know that you can't tell without looking), or should I leave it, if my pop-up issue is no more and things seem to be running fine again now? Just curious.
Thank you for your valuable time.

Jay

#4 random/random
  • Malware Response Team

Posted 23 March 2007 - 03:29 PM

Please continue with your topic at CastleCops, not this one.

In future, please do not post at multiple forums.

#5 Twisted Whispers
  • Topic Starter
  • Members

Posted 23 March 2007 - 03:39 PM

Sorry, sending my apologies. I shall be more careful in the future.
I was just getting too frustrated with my issue and didn't think I was getting a reply.
Again, I apologise. Your time was appreciated. :thumbsup:

Jay



