Help With "jeefo.a"


9 replies to this topic

#1 voidstuff

Posted 18 October 2007 - 08:14 PM

I downloaded a program: "hide ip platinum" from a site and I think that was the cause for my problems... several warning messages appeared from NOD, really being upsetting, and later I discovered that I semi-accidentally deleted some files and programs when the NOD window appeared, because I selected the option "clean" or "delete". I've lost 2 programs :blink: ! and more secondary files perhaps.

I would really appreciate it if someone could help me. :thumbsup:






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:28 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\XDESK\XDESK.EXE
C:\XDESK\xdeskr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 72.232.208.134 ad.yieldmanager.com
O1 - Hosts: 72.232.208.134 ads1.revenue.net
O1 - Hosts: 72.232.208.134 view.atdmt.com
O1 - Hosts: 72.232.208.134 rad.msn.com
O1 - Hosts: 72.232.208.134 themis.geocities.yahoo.com
O1 - Hosts: 72.232.208.134 us.a1.yimg.com
O1 - Hosts: 72.232.208.134 ad.n2434.doubleclick.net
O1 - Hosts: 72.232.208.134 n3349ad.doubleclick.net
O1 - Hosts: 72.232.208.134 altfarm.mediaplex.com
O1 - Hosts: 72.232.208.134 ad.doubleclick.net
O1 - Hosts: 72.232.208.134 z1.adserver.com
O1 - Hosts: 72.232.208.134 ar.atwola.com
O1 - Hosts: 72.232.208.134 ar1.atwola.com
O1 - Hosts: 72.232.208.134 disney.go.com
O1 - Hosts: 72.232.208.134 rcm.amazon.com
O1 - Hosts: 72.232.208.134 familyfun.go.com
O1 - Hosts: 72.232.208.134 dist.belnk.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: XDESK.LNK = C:\XDESK\XDESK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1176864567498
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176864694873
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 7439 bytes




Attached File  nodLog.txt   5.81KB   36 downloads
#2 Guest_Cretemonster_*

Posted 20 October 2007 - 03:20 AM

Hi voidstuff and Welcome to the Bleeping Computer!

Sorry to be the bearer of bad news but there is no recovery from Jeefo/Hidrag.

This is a file infector and infects all exe & scr files and archived folders.

Since all exe and scr files will eventually become infected, if not already, in order to save items you must stress extreme caution not to save any files with exe or scr extensions and not to save any archived folders whatsoever.

Your NOD report confirms the presence of system files already infected and I can guarantee you don't wanna try to save this and get to the inevitable end of failure and OS loss.

Take the time to do this right and save yourself months of heartache and wasted time trying to save the machine.


That being said, the only resolution is to format the hard drive and reinstall the OS fresh.


Now if you're insistent on trying to clean the infection before going any further, these 3 removal tools are the best chance you have.

Sophos Resolve Tool
http://www.sophos.com/support/cleaners/jeefogui.com

BitDefender's Removal Tool
http://www.bitdefender.com/site/Download/d...RemovalTool/98/

Trend Micro's Removal Tool
http://beta.activeupdate.trendmicro.com/fixtool/fixtool.zip

Edited by Cretemonster, 20 October 2007 - 03:23 AM.


#3 voidstuff


Posted 21 October 2007 - 12:32 PM

This is a file infector and infects all exe & scr files and archived folders.

Since all exe and scr files will eventually become infected, if not already, in order to save items you must stress extreme caution not to save any files with exe or scr extensions and not to save any archived folders whatsoever.


OOH ! I'll have to format the hard drive :S bad news indeed

by .scr do you mean the script files or the Windows screensaver files? And what do you mean by archived folders? I ask this because I would like to save only some folders that I recently downloaded that are in C:\Downloads and they are 30GB! so I would really like to save them onto DVDs. Would these files be infected? And if I had made some transfers to my mp3 do you think it got infected? Inside the folder I want to save I have mp3 avi pdf chm zip djvu files. It would be very helpful to me if I could be sure if I can save those files. Is there any way of checking their health?

Thanks!

#4 Guest_Cretemonster_*


Posted 21 October 2007 - 06:49 PM

Ya know what, I may be wrong, double checking your logs, the infector doesn't seem to have made it far.

Run the 3 removal tools and then do a scan with NOD and see if it will generate a report for you.

I had forgotten when I last tested, I had tried this against NOD and hidrag did lose.

Now, for whatever apps it got to, those will have to be totally uninstalled and reinstalled and we will have to be sure we go over the machine with a fine tooth comb and make sure we don't leave a single thing behind.

File Infectors are not user friendly for sure!

#5 voidstuff


Posted 21 October 2007 - 07:39 PM

I'm not really sure... it seems easier to just format the hard drive. The svchost task has been very infected (it seems from the logs of NOD)...

But you didn't answer my question... I really need to know if the virus only infects the exe and scr files please

thanks

#6 Guest_Cretemonster_*


Posted 21 October 2007 - 09:34 PM

It is known to infect all exe and scr files on all drives and will infect archives such as zips and rars.

Reason I said it hasn't got far is NOD has stopped it in its tracks and is flagging the infector itself.

The svchost you see is not legit, it's in the Windows folder, the legit svchost is located in the System32 folder.

I wouldn't tell you the machine looks savable if it wasn't but if you feel better formatting, heh, I can't blame anyone for that.

The tools I posted will clean you up safe enough to save what you need, keep NOD up to date and scan everything with that.

I still think the machine is savable though. :thumbsup:
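The path check in this reply (svchost.exe is only legitimate under System32) can be automated against the "Running processes:" section of a HijackThis log. The Python script below is an added example, not code from the thread or from HijackThis. The set of System32-only binaries and the function names are assumptions of the example, and the sample log is constructed: its legitimate lines are copied from the log posted above, and a C:\WINDOWS\svchost.exe line is added so the check has something to flag.

```python
"""Flag Windows system binaries running from the wrong directory.

Added example, not from the BleepingComputer thread. It implements the
check described in the reply above: a process named svchost.exe (or
another core system binary) is only legitimate when it runs from the
System32 folder, so a copy living directly in C:\\WINDOWS is suspect.
Input is the "Running processes:" section of a HijackThis log.
"""
import ntpath

# Assumption of this example: core Windows XP binaries that should only
# ever run from %SystemRoot%\System32.
SYSTEM32_ONLY = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "spoolsv.exe", "ctfmon.exe",
}

# Constructed sample log: legitimate lines copied from the thread's log,
# plus one constructed C:\WINDOWS\svchost.exe line to trigger a hit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe

R3 - URLSearchHook: (rest of log omitted)
"""


def running_processes(log_text: str) -> list[str]:
    """Return the process paths listed under 'Running processes:'.

    The section ends at the first blank line, as in HijackThis output.
    """
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def flag_misplaced_system_binaries(paths, system_root=r"C:\WINDOWS"):
    """Return (path, reason) pairs for system binaries outside System32.

    Comparison is case-insensitive because the same log lists both
    C:\\WINDOWS\\system32 and C:\\WINDOWS\\System32 for legitimate files.
    """
    expected_dir = ntpath.join(system_root, "System32")
    hits = []
    for path in paths:
        directory, name = ntpath.split(path)
        if name.lower() in SYSTEM32_ONLY and directory.lower() != expected_dir.lower():
            hits.append((path, f"{name} is expected in {expected_dir}"))
    return hits


if __name__ == "__main__":
    for path, reason in flag_misplaced_system_binaries(running_processes(SAMPLE_LOG)):
        print(f"SUSPECT {path}: {reason}")
```

Run it against the "Running processes:" block of any HijackThis log; in the sample above only the constructed C:\WINDOWS\svchost.exe line is reported, and the two System32 copies pass.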

#7 voidstuff


Posted 21 October 2007 - 09:51 PM

It is known to infect all exe and scr files on all drives and will infect archives such as zips and rars.


Well I prefer formatting but, it is so important for me to save those 30 GB that I would try to save my OS if the zip and rar files have gotten infected. But are you sure about the .rar and .zip files because they look clean. I tried doing an AVG scan on the folder I want to save and AMON of NOD didn't show a threat. I realised that when I open folders that contain .exe a threat is detected by NOD immediately on that .exe file and I am asked to delete it or rename it. So the virus is eating all my .exe's [I can't record on Adobe Audition :'( !] but the other files seem clean. Is there a way of checking if those files are completely clean?

BTW! I can't do NOD scans, I don't know why, and after I disabled the AMON (file monitoring) of NOD for a while to test something, I can't get it back to work!
And I am afraid of getting Windows restarted to see if it works. I can open the files that I want to save also.

Thanks

#8 Guest_Cretemonster_*


Posted 22 October 2007 - 03:24 AM

The more you fiddle around the more you infect other files, NOD is most likely to get infected next.

Best course is to save the zips and archives you want into a single folder.

Save it wherever, CD, flash drive or whatever you use.

You can scan each archive that is less than a MB at any online scanner

http://www.virustotal.com

http://virusscan.jotti.org

That's any files less than a MB.

You can also wait til format is completed and scan each when you get ready with NOD,I assume you will reinstall it.
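The backup triage this reply describes (skip executables outright, treat archives as needing a scan, note which files are small enough for an online scanner) can be scripted so nothing is copied by accident. The Python below is an added example, not from the thread. The 1 MB limit and the .exe/.scr and zip/rar extensions come from the advice in the thread; the function names, the decision to open only ZIP archives (zipfile is in the standard library; .rar is reported but not inspected), and the demo folder it builds in a temporary directory are assumptions of the example.

```python
"""Triage a download folder before backing it up after a file-infector incident.

Added example, not from the BleepingComputer thread. Verdicts:
  skip - executables, or archives that contain executables (a file
         infector also infects executables stored inside archives)
  scan - archives without visible executables; scan before reuse
  keep - plain data files; still scan with an updated AV after reinstall
Each entry also records whether the file is under the 1 MB limit the
thread gives for online scanners. Only ZIP archives are opened here.
"""
import os
import tempfile
import zipfile

EXECUTABLE_EXTS = {".exe", ".scr"}
ARCHIVE_EXTS = {".zip", ".rar"}
ONLINE_SCAN_LIMIT = 1024 * 1024  # 1 MB, as stated in the thread


def classify(path: str) -> dict:
    """Classify one file for backup as 'skip', 'scan' or 'keep'."""
    ext = os.path.splitext(path)[1].lower()
    size = os.path.getsize(path)
    info = {"path": path, "size": size, "online_scannable": size < ONLINE_SCAN_LIMIT}
    if ext in EXECUTABLE_EXTS:
        info.update(verdict="skip", reason="executable; may carry the infector")
    elif ext == ".zip" and zipfile.is_zipfile(path):
        # Inspect member names only; nothing is extracted or executed.
        with zipfile.ZipFile(path) as zf:
            bad = [n for n in zf.namelist()
                   if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTS]
        if bad:
            info.update(verdict="skip", reason=f"archive contains executables: {bad}")
        else:
            info.update(verdict="scan", reason="archive without executables; scan before use")
    elif ext in ARCHIVE_EXTS:
        info.update(verdict="scan", reason="archive not inspected here; scan before use")
    else:
        info.update(verdict="keep", reason="data file; scan with updated AV after reinstall")
    return info


def triage(root: str) -> list[dict]:
    """Classify every file below root, in a stable order."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            results.append(classify(os.path.join(dirpath, name)))
    return results


def verdicts_by_name(root: str) -> dict:
    """Map file name -> verdict, convenient for a quick summary."""
    return {os.path.basename(r["path"]): r["verdict"] for r in triage(root)}


def build_demo_folder() -> str:
    """Build a constructed sample download folder in a temp directory.

    The contents are placeholder bytes, not real programs or documents.
    """
    root = tempfile.mkdtemp(prefix="downloads_")
    with open(os.path.join(root, "lecture.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed sample\n")
    with open(os.path.join(root, "setup.exe"), "wb") as f:
        f.write(b"MZ constructed stub")
    with zipfile.ZipFile(os.path.join(root, "tools.zip"), "w") as zf:
        zf.writestr("readme.txt", "constructed")
        zf.writestr("bin/helper.exe", "MZ constructed stub")
    with zipfile.ZipFile(os.path.join(root, "ebooks.zip"), "w") as zf:
        zf.writestr("book.djvu", "constructed")
    return root


if __name__ == "__main__":
    for r in triage(build_demo_folder()):
        flag = "online-scannable" if r["online_scannable"] else "too large for online scan"
        print(f"{r['verdict']:4} {os.path.basename(r['path'])}: {r['reason']} ({flag})")
```

Point triage() at the real folder instead of the demo one; anything marked skip should not go onto the backup media, and the scan entries are the ones to submit to the online scanners or to the freshly installed AV.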

#9 voidstuff


Posted 22 October 2007 - 07:14 AM

well the problem is that none of the files I want to save are less than 1 MB, but I'll check them after I have my OS formatted. Thanks.

I'm not sure if to try this time Kaspersky or NOD. What do you think is best?

#10 Guest_Cretemonster_*


Posted 22 October 2007 - 05:42 PM

Considering the garbage dropped in front of most file infectors will have a "Process Kill" routine and most every AV process is in the list, it's your choice.

NOD... Kaspersky... your choice, I personally like NOD and you can scan the archives with the fresh AV once the new OS is installed.

Edited by Cretemonster, 22 October 2007 - 05:42 PM.
