My HJT Log

Discussion in 'Windows - Virus and spyware problems' started by Joeva, May 29, 2007.

  1. Joeva

    Joeva Regular member

    Jan 22, 2006
    well here is my hjt log..

    Logfile of HijackThis v1.99.1
    Scan saved at 2:39:49 PM, on 5/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\CCleaner\ccleaner.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Grisoft\AVG7\avgwb.dat

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R3 - URLSearchHook: (no name) - {0FD7DAF0-BBEF-4990-B19E-2805D280571F} - (no file)
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {254f8dc7-bd88-449e-ba8d-12ca3792ade0} - C:\windows\system32\mprprf.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: - file://C:\Program Files\GRIPCZ44\Cache\SelectedContextSearch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -,0,0,77/
    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) -
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -,0,0,18/
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: mprprf - C:\windows\SYSTEM32\mprprf.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Zaneesha Harrell\ie_updater.exe (file missing)
  2. Waymon3X6

    Waymon3X6 Regular member

    Mar 9, 2006
    Well I looked at your log, and found a whole lot of things that are wrong... First of all, you shouldnt have 2 different anti-malware programs installed. I see you have Kaspersky and AVG, so you should decide which one to keep and unistall the other one. Now to start with your log, check these problems:

    R3 - URLSearchHook: (no name) - {0FD7DAF0-BBEF-4990-B19E-2805D280571F} - (no file)

    O2 - BHO: (no name) - {254f8dc7-bd88-449e-ba8d-12ca3792ade0} - C:\windows\system32\mprprf.dll

    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O8 - Extra context menu item: - file://C:\Program Files\GRIPCZ44\Cache\SelectedContextSearch.htm

    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} -

    O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) -

    O20 - AppInit_DLLs:

    O20 - Winlogon Notify: mprprf - C:\windows\SYSTEM32\mprprf.dll

    O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Zaneesha Harrell\ie_updater.exe (file missing)


    Do you have Spybot Search&Destroy ( ), AVG Anti Spyware ( And Ad-Aware SE Personal ( Also, you will need to have CCleaner installed )
    If you don’t have any of these, please download them, update them and run them individually in safe mode. Then, boot back into regular mode, and post a new HJT log once again. Thanks!

    After you do that, you can unistall anything I had you install.
  3. Joeva

    Joeva Regular member

    Jan 22, 2006
    yah i actually have 3 cuz i jus kasp too, but i dont have them active at the same time..

    umm are u sure that 020 klogon is ok?

    and the bho wont go anywhere =/
    here is my updated log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:23:51 PM, on 5/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: (no name) - {254f8dc7-bd88-449e-ba8d-12ca3792ade0} - C:\windows\system32\mprprf.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [WMDM PMSP Service] C:\windows\system32\cssrss.exe
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -,0,0,77/
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} -,0,0,18/
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) -
    O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: mprprf - C:\windows\SYSTEM32\mprprf.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ieupdater22 (Microsoft IEUpdater22) - Unknown owner - C:\Documents and Settings\Zaneesha Harrell\ie_updater.exe (file missing)

  4. Joeva

    Joeva Regular member

    Jan 22, 2006
    that one bho doesnt seem to want to leave, and when i delete it it just respawns..
    ive tried deleting it in safe mod and runnin avg in safe mode but no luck
    Last edited: May 30, 2007
  5. Waymon3X6

    Waymon3X6 Regular member

    Mar 9, 2006
    That one BHO is possibly a trojan. Can you find it in you system32 folder? If you can, just rename it and then try deleting it.
  6. Joeva

    Joeva Regular member

    Jan 22, 2006
    yea its the 020 dll file that is the culprit.. kasp doesnt pick it up at all,
    neither does avg,
    but ewido does but when it deletes it it comes back like i said before,
    and jus now when i tried to rename it it says access denied and that its being used by another program blah blah blah
  7. bluecoal

    bluecoal Guest


    This new log shows some additional issues. Just renaming and getting rid of one file is likely not to solve the problem as there is probably another hidden file somewhere reloading things.

    (I believe the klogon relates to Kaspersky.)

    Not sure I can help get rid of everything, but I do have some suggestions. These suggestions include a tool which I have not advised on before, so I may not be able to interpret the results, I’ll have to see. Also I probably will not be available for comments on Thursday and will have limited availability on Friday. – So given all that, doing these things is your choice.

    I am not totally familiar with Ewido antispyware yet. If the guard.exe program is protecting the registry or some files from being changed, you need to disable it right now while you are trying to fix your system.

    Hidden files and folders need to be shown temporarily:
    You can set that back after your computer is fixed.

    Please print the instructions for rebooting your operating system to safe mode.

    Please rename HijackThis.exe to joeva.exe (or another name of your choosing). Some malware is programmed to hide from the HijackThis file name.

    Please download atf cleaner here:
    and print the instructions. (Please note the comments about saving cookies when you run it later.)

    Please download VundoFix here:
    and print the instructions.

    Please download sfix:
    (Specific reason for this is the ieupdater, it may catch other things as well.)

    Please check Ewido antispyware for updates and update if necessary.

    Then please:

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    · Restart your computer
    · After hearing your computer beep once during startup, but before the Windows icon appears, tapping the F8 key;
    · The Advanced Options Menu should appear;
    · Use your up arrow key to highlight SafeMode then hit Enter.
    · Choose your usual account.
    · Open the extracted SDFix folder and double click RunThis.bat to start the script.
    · Type Y to begin the cleanup process.
    · It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    · Press any Key and it will restart the PC.
    · When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    · Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.

    At this point the computer should be rebooted back in normal mode.

    Run vundofix according to its instructions.

    After the last reboot required by vundofix,
    Please run atf cleander according to its instructions.
    Please run ewido/avg antispyware and save a log.
    Run run hijackthis and save its log.

    Then post the C:\vundofix.txt log, the sdfix Report.txt, the ewido/avg antispyware log, and the hijackthis log.

    We’ll see what things look like then.

