Find solution
How to update external .dll control reference?

What to delete from Hijack this logfile

  • Would like to know what to delete from the following log and if any of this is specifically malware where it originated from. Thank you. Here is my logfile: Logfile of HijackThis v1.99.1 Scan saved at 1:28:32 AM, on 9/14/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\ibmpmsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\IPSSVC.EXE C:\Program Files\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe C:\WINDOWS\system32\cisvc.exe C:\Program Files\Executive Software\Diskeeper\DkService.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\WINDOWS\System32\TPHDEXLG.EXE C:\WINDOWS\system32\TpKmpSVC.exe C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe C:\Program Files\IBM ThinkVantage\Common\Logger\logmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\tp4serv.exe C:\WINDOWS\system32\TpShocks.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe C:\PROGRA~1\PESTPA~1\PPControl.exe C:\PROGRA~1\PESTPA~1\PPMemCheck.exe C:\PROGRA~1\PESTPA~1\CookiePatrol.exe C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\Visualware Security Suite\tscore.exe C:\Program Files\Visualware Security Suite\desktopicon.exe C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe C:\WINDOWS\system32\java.exe C:\Program Files\Analog Devices\Core\smax4pnp.exe C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\VCOM\FINALB~1\finalbid.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\WINDOWS\system32\cidaemon.exe C:\Program Files\Outlook Express\msimn.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\MY-DOC\Local Settings\Temporary Internet Files\Content.IE5\PYA7LATS\HijackThis[1].exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: IE Privacy Keeper - Last IE Window Detector - {1201333E-BAD9-481C-BCF5-6904498CF85B} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPKbho.dll O2 - BHO: VIPTToolbarManager Class - {1A2641AE-2C42-4C51-A05F-8ECEC3FDC94D} - C:\Program Files\Visual IP Trace\VisualIPTraceIE.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\QuickLink Desktop\QLIEHelper.dll O3 - Toolbar: Visual IP Trace - {E70C26AE-DFF1-40A8-8D37-19180F56F0AA} - C:\Program Files\Visual IP Trace\VisualIPTraceIE.dll O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper O4 - HKLM\..\Run: [TpShocks] TpShocks.exe O4 - HKLM\..\Run: [TP4EX] tp4ex.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray O4 - HKLM\..\Run: [suScheduler] C:\Program Files\ThinkVantage\SystemUpdate\UCLauncher.exe /SCHEDULER O4 - HKLM\..\Run: [LPManager] C:\PROGRA~1\THINKV~2\PrdCtr\LPMGR.exe O4 - HKLM\..\Run: [cssauth] "C:\Program Files\IBM ThinkVantage\Client Security Solution\cssauth.exe" silent O4 - HKLM\..\Run: [PWRMGRTR] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor O4 - HKLM\..\Run: [BLOG] rundll32 C:\PROGRA~1\ThinkPad\UTILIT~1\BatLogEx.DLL,StartBattLog O4 - HKLM\..\Run: [IE Privacy Keeper] "C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe" -stcleanup O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min O4 - HKLM\..\Run: [Visualware Security Suite] "C:\Program Files\Visualware Security Suite\tscore.exe" -autostartup O4 - HKLM\..\Run: [DesktopIcon] C:\Program Files\Visualware Security Suite\desktopicon.exe O4 - HKLM\..\Run: [amsg] C:\PROGRA~1\THINKV~2\AMSG\Amsg.exe O4 - HKLM\..\Run: [ActiveTracker for Outlook Express] C:\Program Files\ActiveTracker 2.0 for Outlook Express\ReadNotify.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [2d46f] c:\program files\2d46f2ac-ovonel\csrss.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [finalbid.exe] C:\PROGRA~1\VCOM\FINALB~1\finalbid.exe /minimize O4 - HKCU\..\Run: [2d46f] c:\program files\2d46f2ac-ovonel\csrss.exe O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe O8 - Extra context menu item: Add item - file://c:\add.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll O9 - Extra button: Add item - {866875B8-9855-48f8-BAAB-8002C325BE69} - C:\Program Files\VCOM\Final Bid\finalbid.exe O9 - Extra 'Tools' menuitem: Add item - {866875B8-9855-48f8-BAAB-8002C325BE69} - C:\Program Files\VCOM\Final Bid\finalbid.exe O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\PkgMgr.exe O9 - Extra button: (no name) - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe O9 - Extra 'Tools' menuitem: IE Privacy Keeper - {D799B0E4-BEDE-41d2-AEE0-1E3A1C4EF918} - C:\Program Files\UnH Solutions\IE Privacy Keeper\IEPrivacyKeeper.exe O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cabO20 - AppInit_DLLs: sfklg.dll O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll O20 - Winlogon Notify: psfus - C:\WINDOWS\SYSTEM32\psqlpwd.dll O20 - Winlogon Notify: tpfnf2 - C:\WINDOWS\SYSTEM32\notifyf2.dll O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: ThinkPad PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: IPS Core Service (IPSSVC) - Lenovo Group Limited - C:\WINDOWS\system32\IPSSVC.EXE O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing) O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: ThinkPad HDD APS Logging Service (TPHDEXLGSVC) - Lenovo. - C:\WINDOWS\System32\TPHDEXLG.EXE O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe O23 - Service: TSS Core Service (TSSCoreService) - IBM - C:\Program Files\IBM ThinkVantage\Client Security Solution\ibmtcsd.exe O23 - Service: TVT Backup Service - Unknown owner - C:\Program Files\IBM ThinkVantage\Rescue and Recovery\rrservice.exe O23 - Service: TVT Scheduler - Unknown owner - C:\Program Files\IBM ThinkVantage\Common\Scheduler\tvtsched.exe O23 - Service: ThinkVantage System Update (UCLauncherService) - Unknown owner - C:\Program Files\ThinkVantage\SystemUpdate\UCLauncherService.exe

  • Answer:

    elenafox... You're going to want to check the following entries to be fixed by HJT (Hijack This). You're also going to want to go to the HJT tab named Misc Tools, where you'll see a button labelled 'Delete a file on reboot'. If HJT is unable to remove the file from memory, this will allow you to point it to the file and have it deleted on your next reboot, which precludes the need to boot up in safe mode to do so manually. O4 - HKLM\..\Run: [2d46f] c:\program files\2d46f2ac-ovonel\csrss.exe appears to be bogus. Notice there are two entries for it, close to one another. 2d46f2ac-ovonel matches nothing online. Csrss.exe is a legitimate Windows file, but not in that location. It should be in C:\Windows\System32. It uses the name of a Windows file because the Task Manager will not allow you to close a file with the same name as a known Windows file (clever, huh?). If HJT is unable to use 'remove on reboot' to get rid of it, you may be able to remove it with AdAware SE. Please see this previous answer of mine on computer security for more on AdAware and other useful software which can prevent future attacks: http://answers.google.com/answers/threadview?id=568868 I see you're already using AntiVir. Good! In my list, you'll see WinPatrol, which is more useful than Task Manager and msconfig combined, as it can allow you to differentiate between the csrss.exe file with a legitimate Windows address and the phony one, and to disable the startup registry entries if HJT has any trouble with them. O8 - Extra context menu item: Add item - file://c:\add.htm is an unfamiliar context menu item. If you know of it, leave it. Otherwise you can mark it for removal in HJT. It doesn't look dangerous, just unnecessary. O20 - AppInit_DLLs: sfklg.dll is a keylogger. HJT may have trouble using 'Remove On Reboot' for this one. If so: Reboot in Safe Mode. Click Start/Run and type in cmd and hit OK Type in regsvr32 /u sfklg.dll and hit Enter, then delete it. Empty the recycle bin. Run another scan and make sure it's gone. Everything else looks good! I used the HJT log analyzer found here to scope out your log: http://www.hijackthis.de/en Let me know if anything's unclear. sublime1-ga

elenafox-ga at Google Answers Visit the source

Was this solution helpful to you?

Related Q & A:

Just Added Q & A:

Find solution

For every problem there is a solution! Proved by Solucija.

  • Got an issue and looking for advice?

  • Ask Solucija to search every corner of the Web for help.

  • Get workable solutions and helpful tips in a moment.

Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.