PDA

View Full Version : Help with my HJT log please



infekted
2007-05-17, 17:32
Hello,
I have XP pro sp2 on my pc, and my browser is hijacked. I get redirected to other sites or get pop-up windows. So far i used a few programs to try and clean it out, like ad-aware and spyware terminator and others, but no luck. So i ran hijackthis and got this log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:38 AM, on 5/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Windows Defender\MsMpEng.exe
F:\WINDOWS\System32\svchost.exe
G:\sygate\smc.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\brsvc01a.exe
F:\WINDOWS\system32\brss01a.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\SOUNDMAN.EXE
G:\AVG\avgcc.exe
F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
G:\AVG\avgamsvr.exe
F:\Program Files\Brother\ControlCenter2\brctrcen.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
G:\AVG\avgupsvc.exe
F:\Program Files\Microsoft IntelliPoint\ipoint.exe
F:\WINDOWS\system32\Brmfrmps.exe
F:\Program Files\Spyware Terminator\sp_rsser.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
F:\Program Files\Windows Defender\MSASCui.exe
F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\Logitech\SetPoint\SetPoint.exe
F:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
F:\WINDOWS\system32\devldr32.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Super Krikri\My Documents\HijackThis\HijackThis.exe

O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - F:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar4.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - F:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmcService] G:\sygate\smc.exe -startgui
O4 - HKLM\..\Run: [AVG7_CC] G:\AVG\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PaperPort PTD] F:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] F:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] F:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] F:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ScreenPrint32] F:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [UVS10 Preload] F:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [IntelliPoint] "F:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Windows Defender] "F:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpywareTerminator] "F:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Status Monitor.lnk = F:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130109423031
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O20 - Winlogon Notify: WgaLogon - F:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - F:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - G:\AVG\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - G:\AVG\avgupsvc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - F:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - F:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - G:\sygate\smc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - F:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - F:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Any help would be appreciated, thanks!

pskelley
2007-05-20, 17:39
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.

Are your issues resolved? If not and you want help, read and follow the above directions. HJT is not showing anything so run one of the suggested online scans and post the results.
Please also post more information about these popups, where are they directing you? What are the popups about?

This may be a hidden Vundo infection, return here: F:\Documents and Settings\Super Krikri\My Documents\HijackThis\HijackThis.exe <<< rename HJT.exe, call it infekted.exe or whatever you wish, the next log may show us the infection.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Restart the computer and post any information I requested, the uninstall list, the online scan results and a new HJT log.

Thanks

tashi
2007-05-26, 08:37
Due to lack of feedback this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.