
Jkhfg.dll And Other Problems


15 replies to this topic

#1 Graham Sumner


Posted 24 December 2007 - 09:08 AM

Spurious false virus alerts and strange things going on after reboot.

Keep getting warned about the jkhfg.dll in the subject but can't seem to get rid of it. Tried to get rid of it without success.

Please can someone help.

Many thanks
Here is my log

Graham

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:08, on 2007-12-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avsim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7885CAB5-4965-41D1-8898-7CAACBFACDBA} - C:\WINDOWS\system32\jkhfg.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1085031214-492894223-725345543-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User '?')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - S-1-5-21-1085031214-492894223-725345543-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1085031214-492894223-725345543-1003 Startup: ListProAlarms.lnk = C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: ListProAlarms.lnk = C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: SymmTime.lnk = C:\Program Files\Symmetricom\SymmTime\SymmTime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Clip with Sunrise XP - C:\Program Files\Sunrise XP\msie\clip.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112552270140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124116644250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FED2D95-A44D-4871-995E-C67C32807C5F}: NameServer = 195.229.24.50,195.229.24.34
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalAgent - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Just Flight Limited License Service - Just Flight Limited - C:\Program Files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 12751 bytes



#2 Buckeye_Sam


    Malware Expert



Posted 24 December 2007 - 09:25 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Graham Sumner


Posted 25 December 2007 - 02:16 AM

Hi there, many thanks for your help, especially at this time of year. It's really appreciated.

I ran ComboFix and the log file is attached.

For information, ZoneAlarm is still presenting me with a screen saying:

not-a-virus:Adware.Win32.Virtumonde.clq is active and reporting file C:\WINDOWS\system32\jkhfg.dll as being the path to the problem

Thanks and Merry Christmas

Graham




#4 Buckeye_Sam


Posted 25 December 2007 - 05:13 PM

ComboFix 07-12-21.4 - gsumner 2007-12-25 9:48:43.1 - NTFSx86

Running from: C:\Documents and Settings\gsumner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\gsumner\Application Data\inst.exe
C:\WINDOWS\system32\NTSVC.ocx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-24 16:59 . 2007-12-25 09:34 326,656 --a------ C:\WINDOWS\system32\jkhfg.exe
2007-12-24 16:04 . 2007-12-24 16:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-24 14:39 . 2007-12-24 14:43 <DIR> d-------- C:\MGtools
2007-12-24 14:20 . 2005-01-14 06:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-12-24 14:03 . 2007-12-24 14:03 323,072 --a------ C:\WINDOWS\system32\jkhfg.dll
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 08:59 . 2007-12-24 15:01 <DIR> d-------- C:\VundoFix Backups
2007-12-24 08:06 . 2007-12-24 08:06 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\Ahead
2007-12-24 00:13 . 2007-12-25 09:47 6,674 --ahs---- C:\WINDOWS\system32\gfhkj.ini2
2007-12-24 00:13 . 2007-12-25 09:48 6,674 --ahs---- C:\WINDOWS\system32\gfhkj.ini
2007-12-22 11:30 . 2007-12-22 11:30 <DIR> d-------- C:\Program Files\Easiestutils
2007-12-22 09:33 . 2007-12-22 09:33 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-12-21 09:53 . 2007-12-23 21:02 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-21 00:49 . 2007-12-23 21:08 6,516 --ahs---- C:\WINDOWS\system32\tstwa.ini2
2007-12-21 00:49 . 2007-12-23 21:08 6,516 --ahs---- C:\WINDOWS\system32\tstwa.ini
2007-12-21 00:44 . 2007-12-21 00:44 40,448 --a------ C:\WINDOWS\system32\tuvvttu.dll.vir
2007-12-20 17:22 . 2007-12-20 17:22 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\GARMIN
2007-12-20 17:08 . 2007-12-20 17:10 <DIR> d-------- C:\Garmin
2007-12-15 11:00 . 2007-12-15 11:00 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-12-15 10:59 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-15 10:59 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-15 10:59 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-12-15 10:59 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-12-15 10:59 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-12-14 15:16 . 2007-12-14 15:16 <DIR> d-------- C:\Program Files\MP3 Key Shifter
2007-12-14 15:05 . 2007-12-14 15:05 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
2007-12-14 15:05 . 2007-12-14 21:51 <DIR> d-------- C:\Program Files\Acoustica DJ Twist And Burn
2007-12-14 15:05 . 2007-12-14 15:05 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\Acoustica
2007-12-14 15:05 . 2002-11-05 15:16 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
2007-12-08 15:49 . 2007-12-08 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-08 15:18 . 2007-12-08 15:18 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\DVDFab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 07:05 13,316,384 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-25 07:03 460,064 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-25 07:03 21,416 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-25 07:03 192,944 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-25 06:26 17,552,117 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-24 12:51 --------- d-----w C:\Program Files\Warez P2P Client
2007-12-24 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 11:07 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-24 05:06 --------- d-----w C:\Program Files\FreeMem Professional
2007-12-24 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-12-23 22:15 512 ----a-w C:\ScanSectorLog.dat
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Sony Corporation
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\SlipStream
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Nokia
2007-12-23 18:55 --------- d-----w C:\Program Files\iTunes
2007-12-23 18:10 --------- d-----w C:\Program Files\8start Launcher
2007-12-22 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-22 06:33 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-22 06:10 --------- d-----w C:\Program Files\Nokia
2007-12-20 13:07 --------- d-----w C:\Program Files\palmOne
2007-12-18 10:58 --------- d-----w C:\Program Files\FSBuild
2007-12-15 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-11-25 20:55 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Free Download Manager
2007-11-18 04:46 --------- d-----w C:\Documents and Settings\gsumner\Application Data\MailFrontier
2007-11-15 17:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-11-13 11:56 --------- d-----w C:\Program Files\ProxyFinder
2007-11-13 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 11:37 --------- d-----w C:\Program Files\PC Inspector File Recovery
2007-11-13 11:22 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-11-08 14:11 --------- d-----w C:\Documents and Settings\gsumner\Application Data\FLV Extract
2007-11-08 13:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 13:24 --------- d-----w C:\Program Files\kiss
2007-11-08 13:23 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-11-07 07:50 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-06 06:20 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-11-05 08:34 --------- d-----w C:\Program Files\KVT SoftWare
2007-11-03 20:41 33,856 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-03 20:40 --------- d-----w C:\Program Files\Oxygen
2007-10-26 07:10 --------- d-----w C:\Program Files\WinAce
2007-10-25 07:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-09-30 06:45 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-08-17 12:51 47,360 ----a-w C:\Documents and Settings\gsumner\Application Data\pcouffin.sys
2007-03-19 15:09 81,920 ----a-w C:\Documents and Settings\gsumner\Application Data\ezpinst.exe
2006-04-13 08:51 26,797,648 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_04_13_11_08_02_full.dmp.zip
2006-01-28 19:05 25,498 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_01_28_22_02_37_small.dmp.zip
2005-10-01 17:28 477 ----a-w C:\Program Files\FSBuildEGKK-EGNT.SBP
2005-08-15 13:57 69,054 ----a-w C:\WINDOWS\Internet Logs\firefox_2nd_2005_08_14_21_08_40_small.dmp.zip
2005-08-03 14:07 78,508 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_08_02_21_39_32_small.dmp.zip
2005-08-01 12:36 94,406 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_22_56_52_small.dmp.zip
2005-08-01 12:36 67,369 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_22_43_08_small.dmp.zip
2005-07-31 18:42 61,881 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_19_03_17_small.dmp.zip
2005-06-15 14:37 17,056,878 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_06_14_22_50_40.dmp.zip
2004-10-25 20:00 119 --sh--w C:\WINDOWS\cnerolf.dat
2006-12-28 10:56 56 --sha-r C:\WINDOWS\system32\A451284EA0.sys
2006-12-28 10:57 13,876 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B33EFF1-B33B-4A1F-A351-119DC5DFF386}]
2007-12-24 14:03 323072 --a------ C:\WINDOWS\system32\jkhfg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-12-25 09:34]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CmUsbSound"="RunDll32 cmcnfgu.cpl" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-24 08:55]
"WService"="WService.EXE" [2002-09-07 13:23 C:\WINDOWS\system32\WService.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 11:22 C:\WINDOWS\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="rundll32.exe" [2002-12-31 15:00 C:\WINDOWS\system32\rundll32.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-24 08:55]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-12-22 09:49]

C:\Documents and Settings\gsumner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
ListProAlarms.lnk - C:\Program Files\Ilium Software\ListPro\ListProAlarms.exe [2007-03-18 21:48:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2005-04-01 18:08:44]
SymmTime.lnk - C:\Program Files\Symmetricom\SymmTime\SymmTime.exe [2006-10-31 06:09:58]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [2005-04-27 03:49 200704]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\jkhfg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2007-12-25 09:34 326656 --a------ C:\WINDOWS\system32\jkhfg.exe


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eda5e9e-7af6-11dc-bd66-00167679874d}]
\Shell\AutoRun\command - J:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{724df48e-7ff8-11d9-93de-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"C:\Program Files\Internet Explorer\iexplore.exe" -userconfig
.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 14:15:11 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-03-24 20:20:00 C:\WINDOWS\Tasks\1.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-12-24 14:38:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-04 22:39:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-25 10:06:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-25 10:07:58 - machine was rebooted [gsumner]


========================================================

#5 Buckeye_Sam


Posted 25 December 2007 - 05:19 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.


Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\jkhfg.exe
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tuvvttu.dll.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5B33EFF1-B33B-4A1F-A351-119DC5DFF386}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply along with a new HijackThis log.


=================


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
Please copy the text from the DrWeb log and paste it here in your next reply.
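Added example (Python, written for this page; it is not code from the thread, from HijackThis, or from ComboFix): a small checker for the two kinds of lines the helper acted on above. The O2 check keys on the DLL path rather than the CLSID, because the logs in this thread show the same jkhfg.dll registered under three different GUIDs, so a GUID-based blocklist would miss the re-registration. The hex(7) decoder confirms what the CFScript's "Authentication Packages" value does: it restores the LSA list to msv1_0 alone, dropping the jkhfg entry that ComboFix reported under the lsa key. Assumptions: the "nameless BHO directly in system32" heuristic is mine, not a rule of either tool; ComboFix scripts use the REGEDIT4 format, in which hex(7) bytes are ANSI (Windows' own "Version 5.00" exports would be UTF-16LE); the sample lines are constructed from the logs above.

```python
import re

# --- Constructed sample input, modelled on the logs in this thread ------------
# HijackThis O2 lines: two legitimate BHOs and the nameless system32 BHO, which
# appears under a different CLSID in each log.
SAMPLE_O2_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7885CAB5-4965-41D1-8898-7CAACBFACDBA} - C:\WINDOWS\system32\jkhfg.dll",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {EF0EA2D7-8B08-489C-91C6-890FD5EC2BB1} - C:\WINDOWS\system32\jkhfg.dll",
]
# The LSA line as ComboFix printed it, and the CFScript value that resets it.
SAMPLE_LSA_LINE = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\\WINDOWS\\system32\\jkhfg"
CFSCRIPT_LSA_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"
DEFAULT_AUTH_PACKAGES = ["msv1_0"]  # what the CFScript restores the list to

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")


def parse_o2(line):
    """Split a HijackThis O2 line into name, CLSID and DLL path; None if it is not one."""
    m = O2_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_bhos(lines):
    """Return {dll_path_lower: [clsid, ...]} for BHOs with no display name whose DLL
    sits directly in C:\\WINDOWS\\system32 (heuristic assumed here, not a tool rule).
    Keying on the DLL keeps a re-registered GUID attached to the same file."""
    by_dll = {}
    for line in lines:
        rec = parse_o2(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        directly_in_system32 = path.startswith("c:\\windows\\system32\\") and path.count("\\") == 3
        if rec["name"] == "(no name)" and directly_in_system32:
            by_dll.setdefault(path, []).append(rec["clsid"])
    return by_dll


def parse_lsa_line(line):
    """Parse ComboFix's 'Authentication Packages REG_MULTI_SZ a b c' line into a list."""
    _, _, rest = line.partition("REG_MULTI_SZ")
    # ComboFix doubles the backslashes on this line; undo that so paths compare normally.
    return [p.replace("\\\\", "\\") for p in rest.split()]


def extra_auth_packages(line):
    """Everything in the Authentication Packages list other than the default msv1_0."""
    return [p for p in parse_lsa_line(line) if p.lower() not in DEFAULT_AUTH_PACKAGES]


def decode_hex7(value):
    """Decode a REGEDIT4-style 'hex(7):' REG_MULTI_SZ value (ANSI bytes) into strings.
    The raw data is NUL-terminated strings followed by one more NUL as list terminator."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % value)
    raw = bytes(int(b, 16) for b in value[len("hex(7):"):].split(",") if b)
    parts = raw.decode("latin-1").split("\x00")
    while parts and parts[-1] == "":   # drop the terminator(s)
        parts.pop()
    return parts


def encode_hex7(strings):
    """Inverse of decode_hex7: NUL-terminate each string, then add the list terminator."""
    raw = "".join(s + "\x00" for s in strings) + "\x00"
    return "hex(7):" + ",".join("%02x" % b for b in raw.encode("latin-1"))


def lsa_fix_is_default(value):
    """True if a CFScript hex(7) value restores Authentication Packages to msv1_0 only."""
    return decode_hex7(value) == DEFAULT_AUTH_PACKAGES


if __name__ == "__main__":
    for dll, clsids in suspicious_bhos(SAMPLE_O2_LINES).items():
        print("nameless system32 BHO %s registered under %d CLSID(s): %s"
              % (dll, len(clsids), ", ".join(clsids)))
    print("extra LSA authentication packages:", extra_auth_packages(SAMPLE_LSA_LINE))
    print("CFScript value decodes to", decode_hex7(CFSCRIPT_LSA_VALUE),
          "-> default:", lsa_fix_is_default(CFSCRIPT_LSA_VALUE))
```

The LSA Authentication Packages key is the persistence that survives deleting the BHO entry alone: anything listed there is loaded by lsass.exe at boot, which is why the script both deletes the files and rewrites that value, and why a cleanup that only removed the O2 entry would see the DLL return after reboot.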


========================================================

#6 Graham Sumner


Posted 26 December 2007 - 11:00 AM

Seems that file "jkhfg.dll" is still loading.

How come it won't go away?
ComboFix.txt attached, and here is the HijackThis result:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:26 PM, on 12/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5335.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\WService.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\DRIVERS\WtSrv.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\MGtools\analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avsim.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlashFetcher - {16E8A050-74CE-43D5-8DC0-BADD7347B2DD} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: FCBHOBHO Class - {8B3868B4-EBA8-48FA-A19B-E1DFB99066FA} - C:\Program Files\FlashCapture\fcbho.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O2 - BHO: (no name) - {EF0EA2D7-8B08-489C-91C6-890FD5EC2BB1} - C:\WINDOWS\system32\jkhfg.dll
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WService] WService.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [xtxpfqbx] C:\pogigbqy.bat
O4 - S-1-5-21-1085031214-492894223-725345543-1003 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Clip with Sunrise XP - C:\Program Files\Sunrise XP\msie\clip.html
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download Using &BitSpirit - C:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\fciext.dll/FCIEXT.htm
O9 - Extra button: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra 'Tools' menuitem: FlashFetcher - {07174FC7-B4C1-4643-9C03-B4D2148EB057} - C:\Program Files\GeoVid\FlashFetcher\FlashFetcher.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\fciext.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1112552270140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124116644250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FED2D95-A44D-4871-995E-C67C32807C5F}: NameServer = 195.229.24.50,195.229.24.34
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: EpsonBidirectionalAgent - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBAgent.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Just Flight Limited License Service - Just Flight Limited - C:\Program Files\Common Files\Just Flight Limited Shared\Service\JustFlightLimitedLicSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PCI Latency Tool Service (LtcyCfgSvc) - Unknown owner - C:\Program Files\PCI Latency Tool 3\LtcyCfgSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\system32\DRIVERS\WtSrv.exe

--
End of file - 11448 bytes

Dr.Web . . . although it cleaned up a few infections, it crashed my computer and I was unable to collect a log from it, sorry.
Thanks

EDIT :-
Please read this:-
I have a program called Unlocker. I unlocked the file jkhfg.dll to try to delete it. It says it is in use by some processes. They are "Explorer.exe" (yes, this has a capital "E"). Is that a rogue process? Also 2 instances of lsass.exe.

I've also noticed a few programs that are loaded at startup. They don't look right. They are sitting in memory as I type and are:-

jusched .exe
zlclient .exe

Notice the space before the .exe.

Are these rogues?

There are already 2 identical ones in memory too:-

jusched.exe
zlclient.exe

without that space before the .exe.

Perhaps there is something suspicious with these processes that we are missing and therefore can't get rid of the jkhfg.dll.

hope this helps

Graham



Edited by Graham Sumner, 26 December 2007 - 03:58 PM.


#7 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 December 2007 - 04:41 PM

ComboFix 07-12-21.4 - gsumner 2007-12-26 16:01:27.2 - NTFSx86

Running from: C:\Documents and Settings\gsumner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\gsumner\Desktop\CFscript.txt

FILE
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\jkhfg.exe
C:\WINDOWS\system32\tstwa.ini
C:\WINDOWS\system32\tstwa.ini2
C:\WINDOWS\system32\tuvvttu.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\uninstall.exe.bad
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\jkhfg.dll
C:\WINDOWS\system32\jkhfg.exe
C:\WINDOWS\system32\tuvvttu.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-26 16:10 . 2007-12-26 16:10 323,072 --------- C:\WINDOWS\system32\jkhfg.dll
2007-12-26 16:10 . 2007-12-26 16:11 391 --ahs---- C:\WINDOWS\system32\gfhkj.ini
2007-12-25 22:46 . 2007-12-25 22:46 326,656 --a------ C:\WINDOWS\system32\RCX12.tmp
2007-12-25 22:04 . 2007-12-25 22:04 326,656 --a------ C:\WINDOWS\system32\RCXD.tmp
2007-12-25 15:32 . 2007-12-26 15:52 90,714 --a------ C:\MGlogs.zip
2007-12-25 15:20 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-25 15:19 . 2007-12-25 15:19 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-24 16:04 . 2007-12-24 16:26 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-12-24 14:39 . 2007-12-26 15:52 <DIR> d-------- C:\MGtools
2007-12-24 14:20 . 2005-01-14 06:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-12-24 09:46 . 2007-12-24 09:46 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 08:06 . 2007-12-24 08:06 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\Ahead
2007-12-22 11:30 . 2007-12-22 11:30 <DIR> d-------- C:\Program Files\Easiestutils
2007-12-22 09:33 . 2007-12-22 09:33 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2007-12-21 09:53 . 2007-12-23 21:02 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2007-12-20 17:22 . 2007-12-20 17:22 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\GARMIN
2007-12-20 17:08 . 2007-12-20 17:10 <DIR> d-------- C:\Garmin
2007-12-15 11:00 . 2007-12-15 11:00 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2007-12-15 10:59 . 2007-02-22 10:15 137,216 --a------ C:\WINDOWS\system32\drivers\nmwcd.sys
2007-12-15 10:59 . 2007-02-22 10:15 65,536 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2007-12-15 10:59 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcm.sys
2007-12-15 10:59 . 2007-02-22 10:15 12,288 --a------ C:\WINDOWS\system32\drivers\nmwcdcj.sys
2007-12-15 10:59 . 2007-02-22 10:15 8,320 --a------ C:\WINDOWS\system32\drivers\nmwcdc.sys
2007-12-14 15:16 . 2007-12-14 15:16 <DIR> d-------- C:\Program Files\MP3 Key Shifter
2007-12-14 15:05 . 2007-12-14 15:05 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
2007-12-14 15:05 . 2007-12-14 21:51 <DIR> d-------- C:\Program Files\Acoustica DJ Twist And Burn
2007-12-14 15:05 . 2007-12-14 15:05 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\Acoustica
2007-12-14 15:05 . 2002-11-05 15:16 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
2007-12-08 15:49 . 2007-12-08 15:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2007-12-08 15:18 . 2007-12-08 15:18 <DIR> d-------- C:\Documents and Settings\gsumner\Application Data\DVDFab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-26 13:10 326,656 ----a-w C:\WINDOWS\system32\jkhfg.exe
2007-12-25 20:02 460,064 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-25 20:02 22,808 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-25 20:02 195,056 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-25 20:02 13,470,496 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-25 19:47 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2007-12-25 12:20 --------- d-----w C:\Program Files\Java
2007-12-25 06:26 17,552,117 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-24 12:51 --------- d-----w C:\Program Files\Warez P2P Client
2007-12-24 12:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-24 05:06 --------- d-----w C:\Program Files\FreeMem Professional
2007-12-24 05:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2007-12-23 22:15 512 ----a-w C:\ScanSectorLog.dat
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Sony Corporation
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\SlipStream
2007-12-23 21:13 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Nokia
2007-12-23 18:55 --------- d-----w C:\Program Files\iTunes
2007-12-23 18:10 --------- d-----w C:\Program Files\8start Launcher
2007-12-22 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-22 06:33 --------- d-----w C:\Program Files\Common Files\Nokia
2007-12-22 06:10 --------- d-----w C:\Program Files\Nokia
2007-12-20 13:07 --------- d-----w C:\Program Files\palmOne
2007-12-18 10:58 --------- d-----w C:\Program Files\FSBuild
2007-12-15 07:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2007-11-25 20:55 --------- d-----w C:\Documents and Settings\gsumner\Application Data\Free Download Manager
2007-11-18 04:46 --------- d-----w C:\Documents and Settings\gsumner\Application Data\MailFrontier
2007-11-15 17:02 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-11-13 11:56 --------- d-----w C:\Program Files\ProxyFinder
2007-11-13 11:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-13 11:37 --------- d-----w C:\Program Files\PC Inspector File Recovery
2007-11-13 11:22 --------- d-----w C:\Program Files\TuneUp Utilities 2007
2007-11-08 14:11 --------- d-----w C:\Documents and Settings\gsumner\Application Data\FLV Extract
2007-11-08 13:41 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-08 13:24 --------- d-----w C:\Program Files\kiss
2007-11-08 13:23 282,624 ----a-r C:\WINDOWS\Setup1.exe
2007-11-07 07:50 --------- d-----w C:\Program Files\PeerGuardian2
2007-11-06 06:20 831,048 ----a-w C:\WINDOWS\system32\WudfUpdate_01005.dll
2007-11-05 08:34 --------- d-----w C:\Program Files\KVT SoftWare
2007-11-03 20:41 33,856 ----a-w C:\WINDOWS\system32\drivers\oreans32.sys
2007-11-03 20:40 --------- d-----w C:\Program Files\Oxygen
2007-10-26 07:10 --------- d-----w C:\Program Files\WinAce
2007-10-25 07:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-09-30 06:45 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-08-17 12:51 47,360 ----a-w C:\Documents and Settings\gsumner\Application Data\pcouffin.sys
2007-03-19 15:09 81,920 ----a-w C:\Documents and Settings\gsumner\Application Data\ezpinst.exe
2006-04-13 08:51 26,797,648 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2006_04_13_11_08_02_full.dmp.zip
2006-01-28 19:05 25,498 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2006_01_28_22_02_37_small.dmp.zip
2005-10-01 17:28 477 ----a-w C:\Program Files\FSBuildEGKK-EGNT.SBP
2005-08-15 13:57 69,054 ----a-w C:\WINDOWS\Internet Logs\firefox_2nd_2005_08_14_21_08_40_small.dmp.zip
2005-08-03 14:07 78,508 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_08_02_21_39_32_small.dmp.zip
2005-08-01 12:36 94,406 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_22_56_52_small.dmp.zip
2005-08-01 12:36 67,369 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_22_43_08_small.dmp.zip
2005-07-31 18:42 61,881 ----a-w C:\WINDOWS\Internet Logs\msnmsgr_2nd_2005_07_31_19_03_17_small.dmp.zip
2005-06-15 14:37 17,056,878 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2005_06_14_22_50_40.dmp.zip
2004-10-25 20:00 119 --sh--w C:\WINDOWS\cnerolf.dat
2006-12-28 10:56 56 --sha-r C:\WINDOWS\system32\A451284EA0.sys
2006-12-28 10:57 13,876 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2007-12-25_10.06.58.45 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-16 07:04:01 204,666 ----a-w C:\WINDOWS\AisAAAg.dat
+ 2007-09-17 13:10:07 205,557 ----a-w C:\WINDOWS\AisAAAg.dat
- 2004-11-16 20:58:57 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 19:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2004-11-16 20:58:57 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 19:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2004-11-16 20:58:57 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 20:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
- 2007-12-25 07:04:23 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
+ 2007-12-26 12:47:35 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
- 2007-12-25 07:05:32 754,472 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2007-12-25 20:02:41 766,372 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
- 2007-12-25 07:06:41 8,181,248 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
+ 2007-12-25 07:07:50 8,181,248 ----a-w C:\WINDOWS\system32\ZoneLabs\zlqrtdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03DE50A-1B6E-4F71-A111-B60B0ED23B16}]
2007-12-26 16:10 323072 --------- C:\WINDOWS\system32\jkhfg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CmUsbSound"="RunDll32 cmcnfgu.cpl" []
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-24 08:55]
"WService"="WService.EXE" [2002-09-07 13:23 C:\WINDOWS\system32\WService.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 11:22 C:\WINDOWS\SOUNDMAN.EXE]
"BluetoothAuthenticationAgent"="rundll32.exe" [2002-12-31 15:00 C:\WINDOWS\system32\rundll32.exe]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-24 08:55]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-12-26 15:32]
"xtxpfqbx"="C:\pogigbqy.bat" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-12-22 09:49]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(3).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2005-04-01 18:08:44]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [2005-04-27 03:49 200704]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkhfg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhfg

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xtxpfqbx]
C:\pogigbqy.bat


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2eda5e9e-7af6-11dc-bd66-00167679874d}]
\Shell\AutoRun\command - J:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{724df48e-7ff8-11d9-93de-806d6172696f}]
\Shell\AutoRun\command - G:\setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{26923b43-4d38-484f-9b9e-de460746276c}]
"C:\Program Files\Internet Explorer\iexplore.exe" -userconfig
.
Contents of the 'Scheduled Tasks' folder
"2007-12-14 14:15:11 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
"2007-03-24 20:20:00 C:\WINDOWS\Tasks\1.job"
- C:\Program Files\DiskTrix\UltimateDefrag\UDefrag.exe
"2007-12-24 14:38:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2005-06-04 22:39:18 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 16:11:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\WINDOWS\system32\jkhfg.dll
.
Completion time: 2007-12-26 16:13:54 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-25 10:07
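The loading points ComboFix listed above (the extra LSA Authentication Packages entry, the HKCU "load" value and the unnamed BHO in system32) are the persistence a defender would want flagged automatically. The parser below is an added example, not part of ComboFix or of this thread; its rules are its own, and the sample text is a constructed excerpt copied from the log.

```python
"""Flag suspicious loading points in a ComboFix-style REGEDIT4 dump.

Added example (not from the thread or from ComboFix). The rules are
deliberately narrow and are this example's own:
  * a non-default package in LSA "Authentication Packages" (stock XP: msv1_0),
  * a "load" value under HKCU\...\Windows NT\CurrentVersion\Windows (normally empty),
  * a Browser Helper Object whose DLL lives in system32,
  * a Run entry ComboFix printed with an empty "[]" (target not resolved).
"""

# Constructed sample: an excerpt of the "Reg Loading Points" section posted above.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C03DE50A-1B6E-4F71-A111-B60B0ED23B16}]
2007-12-26 16:10 323072 --------- C:\WINDOWS\system32\jkhfg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-12-24 08:55]
"xtxpfqbx"="C:\pogigbqy.bat" []

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\jkhfg.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkhfg
"""

DEFAULT_AUTH_PACKAGES = {"msv1_0"}  # the only package a stock XP box lists


def parse_sections(text):
    """Return {key_path: [value lines]} for a REGEDIT4-style dump."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def find_suspicious(text):
    """Return a sorted list of (rule, detail) findings for the dump."""
    findings = []
    for key, lines in parse_sections(text).items():
        k = key.lower()
        for line in lines:
            if k.endswith("\\control\\lsa") and line.startswith("Authentication Packages"):
                # Everything after the type token should be msv1_0 only.
                pkgs = line.split("REG_MULTI_SZ", 1)[1].split()
                for extra in sorted(set(pkgs) - DEFAULT_AUTH_PACKAGES):
                    findings.append(("lsa-auth-package", extra))
            elif k.endswith("\\windows nt\\currentversion\\windows") and line.startswith('"load"='):
                findings.append(("hkcu-load", line.split("=", 1)[1]))
            elif "browser helper objects" in k and "\\system32\\" in line.lower():
                # ComboFix prints "date time size attrs path"; the path is last.
                findings.append(("bho-in-system32", line.split()[-1]))
            elif k.endswith("\\currentversion\\run") and line.endswith("[]"):
                # Empty brackets: ComboFix could not date or locate the target.
                name = line.split("=", 1)[0].strip('"')
                findings.append(("run-entry-unresolved", name))
    return sorted(findings)


if __name__ == "__main__":
    for rule, detail in find_suspicious(SAMPLE_LOG):
        print(f"{rule:22} {detail}")
```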


========================================================

#8 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 27 December 2007 - 04:52 PM

You're absolutely right to notice those two files. This is a very new variant of the Vundo trojan that actually infects other files on your computer. But a new tool has just been released to deal with this nasty guy.

Download this file to your desktop.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Double click to run it and post the resulting log back here in your next reply.


========================================================

#9 Graham Sumner
  • Topic Starter
  • Members
  • 9 posts

Posted 28 December 2007 - 02:06 AM

Things are looking up. It found quite a lot of those files that look authentic but have spaces before the .exe. Not sure if it's fixed the computer yet as I haven't rebooted or checked anything. We're definitely on the right track. It looks like it goes for stuff that is usually loaded at boot time and also msconfig so it can stop you altering the startup tasks etc. Here is the log.

Ran on Fri 12/28/2007 -  9:58:12.17

----a-w		   884,736 2007-12-22 06:50:02  C:\Program Files\8start Launcher\8start .exe
----a-w		 1,961,984 2007-12-24 05:06:32  C:\Program Files\Ahead\Nero BackItUp\NBJ	  .exe
----a-w		   344,064 2007-12-23 18:03:01  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
----a-w		   418,304 2007-12-24 05:06:31  C:\Program Files\FreeMem Professional\fmempro	  .exe
----a-w		   579,072 2007-12-23 18:02:53  C:\Program Files\Grisoft\AVG Free\avgcc .exe
----a-w		   579,072 2007-12-23 22:11:17  C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w		   256,576 2007-12-23 18:03:09  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		   132,496 2007-12-28 06:49:55  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w			25,600 2007-12-23 18:02:40  C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher .exe
----a-w			36,864 2007-12-23 18:02:56  C:\Program Files\Roland\VSC32\vsc32cnf .exe
----a-w			36,864 2007-12-23 18:02:57  C:\Program Files\Roland\VSC32\vscvol .exe
----a-w			81,920 2007-12-23 18:03:16  C:\Program Files\Sony\SonicStage\SsAAD .exe
----a-w		 1,460,560 2007-12-26 12:32:47  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		   919,280 2007-12-28 06:49:54  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
----a-w			82,432 2007-12-24 05:06:29  C:\WINDOWS\hffext\hffsrv  .exe
----a-w		   158,208 2007-12-25 19:47:01  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w		   155,648 2007-12-23 18:02:47  C:\WINDOWS\system32\NeroCheck .exe

 Entries:			   17  (17)
 Directories:			0  Files:			17
 Bytes:		  8,113,680  Blocks:	   15,849

Thanks

EDIT
Ok I guess the RenV.exe just identified the infections as things are still the same. How do we get rid of them though? I can't wait to nail this thing.

Thanks Sam

Edited by Graham Sumner, 28 December 2007 - 03:11 AM.
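The pattern the RenV log above makes visible (and that post #6 first spotted in the process list) is a copy of a legitimate program whose name has whitespace inserted before ".exe", so it sits beside the real file and looks the same at a glance. The scanner below is an added example and is not RenV, Avenger or any other tool from this thread; the directory it builds is constructed to mirror names from the log, and EXECUTABLE_SUFFIXES is this example's own list.

```python
"""Find executables whose name has whitespace before the extension.

Added example (not from the thread or from any tool it mentions).
Walks a directory tree, reports names such as "jusched .exe" or
"NBJ   .exe", and says whether the clean twin ("jusched.exe") exists
next to each one, which is what an analyst wants to know before deleting.
"""
import os
import tempfile
from pathlib import Path

# Extensions worth checking; constructed list for this example, extend as needed.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".com", ".scr", ".cpl"}


def whitespace_before_suffix(name):
    """True if the stem ends in whitespace, e.g. 'jusched .exe' or 'NBJ   .exe'."""
    p = Path(name)
    return p.suffix.lower() in EXECUTABLE_SUFFIXES and p.stem != p.stem.rstrip()


def find_space_renamed(root):
    """Return sorted (suspect_path, clean_twin_exists) tuples found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not whitespace_before_suffix(name):
                continue
            suspect = Path(dirpath) / name
            # The name the legitimate binary would carry: same stem minus the padding.
            twin = suspect.with_name(suspect.stem.rstrip() + suspect.suffix)
            hits.append((str(suspect), twin.exists()))
    return sorted(hits)


def build_sample_tree():
    """Constructed directory mirroring names from the thread's RenV log.

    Spaces are used instead of the tab the log shows so the tree can also
    be created on Windows, where a tab is not a valid filename character.
    """
    root = Path(tempfile.mkdtemp(prefix="renv_demo_"))
    jre = root / "Program Files" / "Java" / "jre1.6.0_03" / "bin"
    nero = root / "Program Files" / "Ahead" / "Nero BackItUp"
    jre.mkdir(parents=True)
    nero.mkdir(parents=True)
    (jre / "jusched.exe").write_bytes(b"MZ-clean")          # legitimate twin
    (jre / "jusched .exe").write_bytes(b"MZ-suspect")       # space before .exe
    (nero / "NBJ   .exe").write_bytes(b"MZ-suspect")        # padded, no twin present
    (root / "readme .txt").write_text("not an executable")  # ignored: not a code suffix
    return root


if __name__ == "__main__":
    for path, has_twin in find_space_renamed(build_sample_tree()):
        print(f"{path!r}  clean twin present: {has_twin}")
```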


#10 Buckeye_Sam
  • Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 December 2007 - 09:11 AM

You're right on both counts. We just needed to be sure that it didn't identify anything legit before we remove them.

Posted Image

Referring to the picture above, drag Log.txt into RenV.exe.
When finished, it shall produce a new log for you. Post that log in your next reply.

Immediately run Combofix.exe and post that log also.


========================================================

#11 Graham Sumner
  • Topic Starter
  • Members
  • 9 posts

Posted 28 December 2007 - 10:06 AM

Sorry but all below was done before your last post. Hope I haven't ruined anything.


Hi I think I made some good progress.

By chance I updated ZoneAlarm to the latest version. This must have prevented zlclient .exe [notice the space] from loading into memory at startup. Now here's the strange bit: there was now no trace of the jkhfg.dll or jkhfg.exe anywhere. I think that was loading them. I couldn't close zlclient .exe previously because Windows was protecting it. Now it's not loaded I proceeded to delete all the files picked up by RenV.exe with Avenger.

That log is below. Let me know which logs to post now to see if I'm clean. Still got Explorer.exe as a process. Is that a legit process [I mean with the capital E]? Also no report of instances of jkhfg.dll in memory by ZoneAlarm.

Thanks



Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\xcjfatmu

*******************

Script file located at: \??\C:\Documents and Settings\ouputocm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


File C:\WINDOWS\system32\jkhfg.exe not found!
Deletion of file C:\WINDOWS\system32\jkhfg.exe failed!

Could not process line:
C:\WINDOWS\system32\jkhfg.exe
Status: 0xc0000034



File C:\WINDOWS\system32\jkhfg.dll not found!
Deletion of file C:\WINDOWS\system32\jkhfg.dll failed!

Could not process line:
C:\WINDOWS\system32\jkhfg.dll
Status: 0xc0000034


Could not process line:
C:\pogigbqy.bat
Status: 0xc0000034

File C:\WINDOWS\system32\gfhkj.ini deleted successfully.
File C:\WINDOWS\system32\gfhkj~1.ini deleted successfully.
File C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe deleted successfully.
File C:\Program Files\FreeMem Professional\fmempro .exe deleted successfully.
File C:\Program Files\Grisoft\AVG Free\avgcc .exe deleted successfully.
File C:\Program Files\Grisoft\AVG7\avgcc .exe deleted successfully.
File C:\Program Files\iTunes\iTunesHelper .exe deleted successfully.
File C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe deleted successfully.
File C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher .exe deleted successfully.
File C:\Program Files\Roland\VSC32\vsc32cnf .exe deleted successfully.
File C:\Program Files\Roland\VSC32\vscvol .exe deleted successfully.
File C:\Program Files\Sony\SonicStage\SsAAD .exe deleted successfully.
File C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe deleted successfully.
File C:\RECYCLER\S-1-5-21-1085031214-492894223-725345543-1003\Dc3\8start .exe deleted successfully.
File C:\WINDOWS\hffext\hffsrv .exe deleted successfully.
File C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe deleted successfully.
File C:\WINDOWS\system32\NeroCheck .exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


OK, I also did what you said and attached the logs to the reply. I'm beginning to enjoy this. Is that weird?

EDIT
Getting the blue screen when doing long virus checks with any scanner. Could I have deleted something I haven't?
Any way to check?

Attached Files


Edited by Graham Sumner, 28 December 2007 - 09:53 PM.


#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:48 PM

Posted 28 December 2007 - 11:28 PM

Definitely making progress!! :blink:
Yes, it is more enjoyable when you do make progress. :thumbsup:


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.


File::
C:\WINDOWS\system32\RCX9.tmp
C:\WINDOWS\system32\RCX8.tmp
C:\WINDOWS\system32\RCX6.tmp
C:\WINDOWS\system32\RCX1.tmp

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.



Getting the blue screen when doing long virus checks with any scanner. Could I have deleted something I haven't?
Any way to check?

What programs cause the blue screen? Is there any consistency in the timing that you get a blue screen?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#13 Graham Sumner

Graham Sumner
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 29 December 2007 - 07:47 AM

Hi, the blue screen seems to come from virus checkers. Maybe they are trying to access something corrupt. I will do a ScanDisk etc. to see if there are any problems there.

Attached are the logs you requested.

I may also re-install the programs that were infected by Vundo and virus check again to see if I get the blue screen.

Thanks
Graham

Attached Files



#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:48 PM

Posted 29 December 2007 - 10:57 AM

Your logs look clean to me. Are you having any issues that would appear related to malware?
Let me know what you find out on your virus scans.


========================================================

#15 Graham Sumner

Graham Sumner
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 29 December 2007 - 02:51 PM

Things seem better now.

I did a ScanDisk and reinstalled some software that was infected and therefore removed. No blue screens today.

I will run the computer for a couple of days to see what happens and report back when all is clear.

Things are definitely much better now, Sam. Although I seem to be getting about 60 or so junk emails per day.

Guess that's down to the Vundo thing.

Thanks for now, will report back soon.



