1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

virus IM-Worm.win32 and also Trojan-downloader.win32

Discussion in 'Virus & Other Malware Removal' started by bubbyjam, May 4, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    Im going nutz with these two and I dont know how to get rid of them. Windows XP running. Tried to understand other threads but not sure if it would apply to what I have here. A great deal of help needed!
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Hi and welcome to TSG,

    Click here and then scroll down to and click on hijackthis self installer to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    Logfile of HijackThis v1.99.1
    Scan saved at 5:01:41 PM, on 6/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\vxnaychw.dll",realset
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com.au/cabs/QOLCheck.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{312119C9-E9B0-410D-AD5E-EDC20EABFA10}: Domain = nsw.bigpond.net.au
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

    thankyou for the quick reply :)
     
  4. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Please download VundoFix.exe to your desktop.

    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
     
  5. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    VundoFix V6.3.21

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 10:53:20 PM 6/05/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\klkkj.bak1
    C:\WINDOWS\system32\klkkj.ini
    C:\WINDOWS\system32\klkkj.ini2
    C:\WINDOWS\system32\klkkj.tmp
    C:\WINDOWS\system32\sstqq.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\jkklk.dll
    C:\WINDOWS\system32\jkklk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\klkkj.bak1
    C:\WINDOWS\system32\klkkj.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\klkkj.ini
    C:\WINDOWS\system32\klkkj.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\klkkj.ini2
    C:\WINDOWS\system32\klkkj.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\klkkj.tmp
    C:\WINDOWS\system32\klkkj.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!


    Logfile of HijackThis v1.99.1
    Scan saved at 11:08:07 PM, on 6/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1C65423D-974A-43AB-AE29-6D43E3BDC2D8} - C:\WINDOWS\system32\sstqq.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {87593822-1807-4CEA-9A28-2AE7D32DDC5E} - C:\WINDOWS\system32\jkklk.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {F49ED2B3-08F5-4BA3-8536-2DAEE8C8409B} - C:\WINDOWS\system32\opnlkki.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\vxnaychw.dll",realset
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com.au/cabs/QOLCheck.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{312119C9-E9B0-410D-AD5E-EDC20EABFA10}: Domain = nsw.bigpond.net.au
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: opnlkki - C:\WINDOWS\SYSTEM32\opnlkki.dll
    O20 - Winlogon Notify: sstqq - C:\WINDOWS\system32\sstqq.dll (file missing)
    O20 - Winlogon Notify: vtuts - C:\WINDOWS\system32\vtuts.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    • in the Additional scans sections please press select ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
    Upload the report as an attachment please.
     
  7. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    quick question...how do i put it on as an attachment?
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Below the reply dialog box, click on "manage attachments" and then "browse" to the file on your computer and then "upload" it and then submit your reply.
     
  9. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    uhmmm my attachment is bigger than 200 mb.... it is actually about 212...
    gosh my case is a hard one!
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Split it in two and upload it as two attachments.
     
  11. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    Lol Im so sorry here they r
     

    Attached Files:

  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program. Copy and paste the information in the code box below into the pane where it says "Paste fix here" and then click the Run Fix button. The fix should only take a very short time and then you will be asked if you want to reboot. Choose Yes.

    Post the latest .log file from the WinPFind3u folder (it will have a name in the format mmddyyyy_hhmmss.log) back here along with a new HijackThis log please.


    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - All]
    < Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YY -> WindowsService -> %System32%\vxnaychw.dll [rundll32.exe "C:\WINDOWS\system32\vxnaychw.dll",realset]
    < ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
    YY -> {F49ED2B3-08F5-4BA3-8536-2DAEE8C8409B} [HKLM] -> %System32%\opnlkki.dll []
    < Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    YY -> ddcya -> %System32%\ddcya.dll
    YY -> opnlkki -> %System32%\opnlkki.dll
    YN -> sstqq -> %System32%\sstqq.dll
    YN -> vtuts -> %System32%\vtuts.dll
    < BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {1C65423D-974A-43AB-AE29-6D43E3BDC2D8} [HKLM] -> %System32%\sstqq.dll [Reg Data - Value does not exist]
    YN -> {7E853D72-626A-48EC-A868-BA8D5E23E045} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found]
    YN -> {87593822-1807-4CEA-9A28-2AE7D32DDC5E} [HKLM] -> %System32%\jkklk.dll [Reg Data - Value does not exist]
    YY -> {90B4FF4C-0E94-4921-9145-8B917F2DFD0A} [HKLM] -> %System32%\ddcya.dll [Reg Data - Value does not exist]
    YY -> {F49ED2B3-08F5-4BA3-8536-2DAEE8C8409B} [HKLM] -> %System32%\opnlkki.dll [Reg Data - Value does not exist]
    [Registry - Additional Scans - Non-Microsoft Only]
    < Uninstall List > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
    YN -> PopCap Browser Plugin -> PopCap Browser Plugin
    [Files/Folders - Created Within 60 days]
    NY -> aycdd.bak1 -> %System32%\aycdd.bak1
    NY -> aycdd.ini -> %System32%\aycdd.ini
    NY -> aycdd.ini2 -> %System32%\aycdd.ini2
    NY -> aycdd.tmp -> %System32%\aycdd.tmp
    NY -> ddcddeb.dll -> %System32%\ddcddeb.dll
    NY -> ddcya.dll -> %System32%\ddcya.dll
    NY -> efcyvss.dll -> %System32%\efcyvss.dll
    NY -> efcyvvt.dll -> %System32%\efcyvvt.dll
    NY -> fcccyyy.dll -> %System32%\fcccyyy.dll
    NY -> fccywvt.dll -> %System32%\fccywvt.dll
    NY -> hhkmp.ini -> %System32%\hhkmp.ini
    NY -> irohslrx.ini -> %System32%\irohslrx.ini
    NY -> ljjgeca.dll -> %System32%\ljjgeca.dll
    NY -> ljjklmj.dll -> %System32%\ljjklmj.dll
    NY -> nnnkljj.dll -> %System32%\nnnkljj.dll
    NY -> pmkhh.dll -> %System32%\pmkhh.dll
    NY -> qqtss.bak1 -> %System32%\qqtss.bak1
    NY -> qqtss.ini -> %System32%\qqtss.ini
    NY -> qqtss.ini2 -> %System32%\qqtss.ini2
    NY -> qqtss.tmp -> %System32%\qqtss.tmp
    NY -> ssttt.dll -> %System32%\ssttt.dll
    NY -> stutv.tmp -> %System32%\stutv.tmp
    NY -> whcyanxv.ini -> %System32%\whcyanxv.ini
    [Files/Folders - Modified Within 30 days]
    NY -> aycdd.bak1 -> %System32%\aycdd.bak1
    NY -> aycdd.ini -> %System32%\aycdd.ini
    NY -> aycdd.ini2 -> %System32%\aycdd.ini2
    NY -> aycdd.tmp -> %System32%\aycdd.tmp
    NY -> ddcddeb.dll -> %System32%\ddcddeb.dll
    NY -> ddcya.dll -> %System32%\ddcya.dll
    NY -> efcyvss.dll -> %System32%\efcyvss.dll
    NY -> efcyvvt.dll -> %System32%\efcyvvt.dll
    NY -> fcccyyy.dll -> %System32%\fcccyyy.dll
    NY -> fccywvt.dll -> %System32%\fccywvt.dll
    NY -> hhkmp.ini -> %System32%\hhkmp.ini
    NY -> irohslrx.ini -> %System32%\irohslrx.ini
    NY -> ljjgeca.dll -> %System32%\ljjgeca.dll
    NY -> ljjklmj.dll -> %System32%\ljjklmj.dll
    NY -> nnnkljj.dll -> %System32%\nnnkljj.dll
    NY -> opnlkki.dll -> %System32%\opnlkki.dll
    NY -> pmkhh.dll -> %System32%\pmkhh.dll
    NY -> qqtss.bak1 -> %System32%\qqtss.bak1
    NY -> qqtss.ini -> %System32%\qqtss.ini
    NY -> qqtss.ini2 -> %System32%\qqtss.ini2
    NY -> qqtss.tmp -> %System32%\qqtss.tmp
    NY -> ssttt.dll -> %System32%\ssttt.dll
    NY -> stutv.tmp -> %System32%\stutv.tmp
    NY -> vxnaychw.dll -> %System32%\vxnaychw.dll
    NY -> whcyanxv.ini -> %System32%\whcyanxv.ini
    [File String Scan - All]
    NY -> UPX! , -> %System32%\ddcddeb.dll
    NY -> UPX! , -> %System32%\efcyvss.dll
    NY -> UPX! , -> %System32%\efcyvvt.dll
    NY -> UPX! , -> %System32%\fcccyyy.dll
    NY -> UPX! , -> %System32%\fccywvt.dll
    NY -> UPX! , -> %System32%\ljjgeca.dll
    NY -> UPX! , -> %System32%\ljjklmj.dll
    NY -> UPX! , -> %System32%\nnnkljj.dll
    NY -> UPX! , UPX0 , -> %System32%\pmkhh.dll
    NY -> UPX! , UPX0 , -> %System32%\ssttt.dll
    NY -> UPX! , -> %System32%\vxnaychw.dll
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
     
  13. bubbyjam

    bubbyjam It's My Birthday! Thread Starter

    Joined:
    May 4, 2007
    Messages:
    12
    hope it done well :)
     

    Attached Files:

  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Pasting the log for easier viewing.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:34:34 PM, on 12/05/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\keyhook.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {972A3F8D-EE38-4610-AE0D-559625552066} - C:\WINDOWS\system32\ddcya.dll
    O2 - BHO: (no name) - {E2EE5C44-C66D-499d-BEAE-A2A79189A63A} - C:\WINDOWS\system32\xgcjihcd.dll
    O2 - BHO: (no name) - {F49ED2B3-08F5-4BA3-8536-2DAEE8C8409B} - C:\WINDOWS\system32\opnlkki.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\system32\keyhook.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\lqgtadmt.dll",realset
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com.au/cabs/QOLCheck.ocx
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://clubgames.pogo.com/online2/pogop/zuma/popcaploader_v5.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{312119C9-E9B0-410D-AD5E-EDC20EABFA10}: Domain = nsw.bigpond.net.au
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: ddcya - C:\WINDOWS\system32\ddcya.dll
    O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
    O20 - Winlogon Notify: opnlkki - C:\WINDOWS\SYSTEM32\opnlkki.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    111,856
    Please run WinpFind3u again and post the log.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/569640

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice