HiJAck LOG - ljyam.dll

Discussion in 'adware, spyware & hijack cleaning' started by eze, Jun 16, 2004.

Thread Status:
Not open for further replies.
  1. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    OK I think I got it now.

    In Task Manager, stop:
    C:\WINDOWS\system32\ipqv.exe

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjjcq.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://rjjcq.dll/index.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rjjcq.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjjcq.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://rjjcq.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjjcq.dll/sp.html#37049

    O2 - BHO: (no name) - {2B292AED-5BFF-17AE-F0D6-30E3BA7307B7} - C:\WINDOWS\d3ms.dll

    O4 - HKLM\..\Run: [ipqv.exe] C:\WINDOWS\system32\ipqv.exe

    Then reboot and delete:
    C:\WINDOWS\system32\ipqv.exe
    C:\WINDOWS\system32\rjjcq.dll

    Run HijackThis and check if there is a new suspicious BHO (O2 entry) before you open IE. If so Fix it and let me know.

    Regards,

    Pieter
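The entries Pieter lists above share one pattern: the IE start and search pages redirected into a local DLL via res://, a nameless BHO sitting directly in the Windows directory, and a Run value named after a random-looking executable in system32. The Python below is an added example, not part of the thread or of HijackThis; it parses those log lines (constructed from the post, plus two benign entries from the clean log later in the thread) and flags only entries matching that pattern, leaving the genuine Acrobat BHO and the ATI Run entry alone.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the entries quoted in the post above plus two benign entries
# from the clean log later in the thread, so the filter has something to leave alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjjcq.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://rjjcq.dll/index.html#37049
O2 - BHO: (no name) - {2B292AED-5BFF-17AE-F0D6-30E3BA7307B7} - C:\WINDOWS\d3ms.dll
O4 - HKLM\..\Run: [ipqv.exe] C:\WINDOWS\system32\ipqv.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
"""

WINDIRS = {r"c:\windows", r"c:\windows\system32"}      # where the dropped files lived in this log
RANDOM_NAME = re.compile(r"^[a-z0-9]{3,8}\.(exe|dll)$")  # ipqv.exe, rjjcq.dll, d3ms.dll ...

def _parent(path):
    return str(PureWindowsPath(path.strip('"')).parent).lower()

def triage(log_text):
    """Return (section, reason, target) for each entry matching the pattern seen in the thread."""
    findings = []
    for line in log_text.splitlines():
        m = re.match(r"^(R[01]|O2|O4) - (.+)$", line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1"):
            value = body.partition(" = ")[2]   # Start/Search page inside a local DLL: the hijack itself
            if value.lower().startswith("res://"):
                findings.append((section, "IE page redirected into a local DLL via res://", value))
        elif section == "O2":
            bho = re.match(r"BHO: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$", body)
            if bho and bho.group(1) == "(no name)" and _parent(bho.group(3)) in WINDIRS:
                findings.append((section, "nameless BHO loaded from the Windows directory", bho.group(3)))
        elif section == "O4":
            run = re.match(r"HK\w+\\\.\.\\Run: \[(.+?)\] (.+)$", body)
            if run:
                name, path = run.groups()
                exe = PureWindowsPath(path.strip('"')).name.lower()
                if name.lower() == exe and _parent(path) in WINDIRS and RANDOM_NAME.match(exe):
                    findings.append((section, "Run value named after a random-looking exe in system32", path))
    return findings

if __name__ == "__main__":
    for section, reason, target in triage(SAMPLE_LOG):
        print(f"{section}: {reason} -> {target}")
```

Running it prints the four entries Pieter asked to have fixed and nothing else; note that "(no name)" alone is not a signal, since the Acrobat helper is nameless too, which is why the path is part of the test.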
     
  2. eze

    eze Registered Member

    Joined:
    Jun 16, 2004
    Posts:
    21
    This is what I noticed has happened...

    C:\WINDOWS\system32\netgj32.exe <--deleted.
    C:\WINDOWS\system32\wingj.exe

    C:\WINDOWS\system32\wingj.exe <---deleted.
    C:\WINDOWS\system32\ipqv.exe

    C:\WINDOWS\system32\wingj.exe <--renamed to wingj.bak
    C:\WINDOWS\system32\ipqv.exe

    C:\WINDOWS\system32\ipqv.exe

    --

    What I don't get is why, from stage 2 to stage 3, wingj.exe 'came back from the dead', yet when I renamed it, it didn't?

    And whatever created netgj32.exe also created ipdv.exe?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    ipdv.exe? You mean ipqv.exe, I hope.

    I will have to run the files I asked you for, to be sure this is all that is involved.

    But it looks like two .exe files that "guard" each other and even re-create a new "buddy" if the other is deleted.

    I hope the method above works out.

    Regards,

    Pieter
     
  4. eze

    eze Registered Member

    Yes, all looks well now. :D

    Logfile of HijackThis v1.97.7
    Scan saved at 10:17:15 PM, on 6/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    C:\Program Files\Trend Micro\Internet Security\pccguide.exe
    C:\Program Files\Trend Micro\Internet Security\PCClient.exe
    C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
    C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
    C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Hijack\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
    O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
    O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
    O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: Sothink SWF Decompiler - C:\Program Files\SourceTec\Sothink SWF Decompiler\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: SWFDecompiler (HKLM)
    O9 - Extra 'Tools' menuitem: Sothink SWF Decompiler (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://dev-www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
    O16 - DPF: {4EF70419-AAB5-41A9-9782-3DA48A5F3E10} (DomDiagXMain Control) - http://www.argosoft.com/applications/mailserver/DomDiagForm.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab27571.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab27571.cab
     
  5. eze

    eze Registered Member

    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\notepad.exe

    Anything to worry about?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Not really. Not if they are the same. I think there are three normally. One in the Windows (or WINNT) directory, one in the System(32) directory and one in the dllcache folder.
    As long as they are the same size and version there is no reason to worry.

    CWS has been known to replace one of those files however.
    Have a look here: http://www.cpcug.org/user/clemenzi/technical/notepad_virus.html

    Anyway. Glad we got rid of the bugger. :D

    Regards,

    Pieter
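Pieter's "same size and version" check can be run against all three locations at once. The Python below is an added example, not from the thread; it compares the copies by size and SHA-256 (a hash is a stronger test than the version string and needs no Windows-only library), assumes the XP layout under %SystemRoot% that the post describes, and builds a constructed sample tree for the demonstration.

```python
import hashlib
import os
import tempfile

# Locations named in the post: the Windows (or WINNT) directory, System32 and dllcache.
# Assumption: an XP-style layout under %SystemRoot%; a different root can be passed in.
def default_notepad_paths(system_root=None):
    root = system_root or os.environ.get("SystemRoot", r"C:\WINDOWS")
    return [os.path.join(root, "notepad.exe"),
            os.path.join(root, "system32", "notepad.exe"),
            os.path.join(root, "system32", "dllcache", "notepad.exe")]

def fingerprint(path):
    """(size, sha256) of one copy, or None when that copy is absent."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def compare_copies(paths):
    """Group existing copies by fingerprint; more than one group means a copy was replaced."""
    groups = {}
    for p in paths:
        fp = fingerprint(p)
        if fp is not None:
            groups.setdefault(fp, []).append(p)
    return {"consistent": len(groups) <= 1, "groups": groups}

def demo():
    """Constructed sample: two identical copies and one altered one in a temporary tree."""
    root = tempfile.mkdtemp()
    paths = default_notepad_paths(root)
    for p, data in zip(paths, [b"MZ-genuine", b"MZ-genuine", b"MZ-replaced"]):
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    return compare_copies(paths)

if __name__ == "__main__":
    result = compare_copies(default_notepad_paths())   # the real machine
    print("consistent" if result["consistent"] else "MISMATCH", result["groups"])
```

On a clean machine every existing copy lands in one group; a second group points at the copy to compare against a known-good one, which is what the thread's notepad link is about.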
     
  7. eze

    eze Registered Member

    Yeah, thanks heaps :)
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    [solved] HiJAck LOG - ljyam.dll

    You too. Couldn't have done it without you. :)
    It is easy when you are working with someone who knows what they are doing.

    Please read: Why did I get infected in the first place

    Regards,

    Pieter
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Hi eze,

    Could you check for the presence of these registry entries?

    Most likely in HKCU
    SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{587DBF2D-9145-4c9e-92C2-1F953DA73773}
    Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    Let me know what you find.

    Regards,

    Pieter
     