Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with malware


  • This topic is locked This topic is locked
3 replies to this topic

#1 moonoverparadise

moonoverparadise

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 29 December 2008 - 12:58 AM

Hi!

I've been infected with some files called jkkji.exe, jkkle.exe and wsgfpdss.dll. Not really sure how to get rid of these. Any help is appreciated. Computer is slow but still functioning.


DDS txt file:


DDS (Version 1.1.0) - NTFSx86
Run by Josh Bailey at 23:47:05.21 on Sun 12/28/2008
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1356 [GMT -6:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Documents and Settings\Josh Bailey\My Documents\RCA Detective\RCADetective.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\McAfee.com\Agent\MCAGEN~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe
C:\Program Files\Sprint\Sprint SmartView\RcAppSvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aim toolbar\aimtbServer.exe
C:\Documents and Settings\Josh Bailey\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.aol.com/?src=aim
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uDefault_Search_URL = hxxp://internetsearchservice.com
mDefault_Search_URL = hxxp://internetsearchservice.com
mSearch Page = hxxp://internetsearchservice.com
mSearch Bar = hxxp://internetsearchservice.com/ie6.html
mSearchMigratedDefaultURL = hxxp://internetsearchservice.com/search?q={searchTerms}
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://internetsearchservice.com
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
mSearchURL = hxxp://internetsearchservice.com
mSearchAssistant = hxxp://internetsearchservice.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uWindows: load=c:\windows\system32\jkkji.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: {07C7156E-D651-4ACC-9AD3-498C916E9651} - No File
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - c:\program files\siteadvisor\6172\SiteAdv.dll
BHO: {0BD44AB1-76A7-4E05-92F4-4B065FE72BD6} - No File
BHO: ShoppingReport: {100eb1fd-d03e-47fd-81f3-ee91287f9465} - c:\program files\shoppingreport\bin\2.0.26\ShoppingReport.dll
BHO: {176D799E-6C8C-4D1A-8024-044D96A035E2} - No File
BHO: {1E277AFB-ABC7-4193-8AD2-060DA233B3D9} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {7934D99D-07FF-494A-ACD9-DECD2D44F881} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {82EA1A55-9CBC-404b-9D0C-E8BFB7EAAE9B} - No File
BHO: {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - No File
BHO: BndDrive2 BHO Class: {8b27cc68-110c-46a9-80d3-f3107de6eb98} - c:\program files\ism\BndDrive4.dll
BHO: {a3c4db59-3a46-4767-afb9-0941df67f28c} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: {B1650898-0717-463C-9CA7-3E20D17714D0} - No File
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - c:\program files\siteadvisor\6172\SiteAdv.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Aim6]
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [<NO NAME>]
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [333436383F3B3940] 6C6D6F71787472.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Sprint SmartView] "c:\program files\sprint\sprint smartview\SprintSV.exe" -a
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mExplorerRun: [start] c:\program files\applications\iebtm.exe
StartupFolder: c:\docume~1\joshba~1\startm~1\programs\startup\rcadet~1.lnk - c:\documents and settings\josh bailey\my documents\rca detective\RCADetective.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.iexplorerfiles.com/redirect.php
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\progra~1\yahoo!\messen~1\YPager.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B2} - {C9CCBB35-D123-4a31-AFFC-9B2933132116} - c:\program files\shoppingreport\bin\2.0.26\ShoppingReport.dll
IE: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - c:\program files\shoppingreport\bin\2.0.26\ShoppingReport.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: getmirar.com\click
Trusted Zone: mirarsearch.com\click
Trusted Zone: mirarsearch.com\redirect
Trusted Zone: net-nucleus.com\awbeta
TCP: {01D3B4AE-E633-439B-8EF6-39CC77FE2231} = 68.28.178.91 68.28.186.91
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - c:\program files\siteadvisor\6172\SiteAdv.dll
Notify: gebbyww - gebbyww.dll
Notify: igfxcui - igfxdev.dll
Notify: psfus - psqlpwd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {cac60ee7-ebe0-4082-be2a-3abf704b7af0} - No File
SEH: {07C7156E-D651-4ACC-9AD3-498C916E9651} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkji
LSA: Notification Packages = scecli psqlpwd

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-3-4 201320]
R2 FdRedir;FdRedir;\??\c:\program files\common files\protector suite ql\drivers\FdRedir.sys [2005-12-21 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;\??\c:\program files\common files\protector suite ql\drivers\filedisk.sys [2005-12-21 33024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-3-4 359248]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-3-4 144704]
R2 smihlp;SMI helper driver;\??\c:\program files\protector suite ql\smihlp.sys [2005-12-21 3456]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2007-12-28 24652]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-3-4 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-3-4 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-3-4 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-3-4 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-3-4 40488]
S3 VmbInfce;VmbInfce;c:\windows\system32\drivers\vmbinfce.sys [2007-1-29 95104]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2008-12-28 22:59 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2008-03-04 19:31 246 a------- c:\program files\common files\lavuh422
2008-03-04 16:06 70,144 a------- c:\program files\common files\lavuh983.dll
2008-03-04 10:53 70,144 a------- c:\program files\common files\lavuh72.dll
2008-03-03 19:50 70,144 a------- c:\program files\common files\lavuh821.dll
2008-03-03 10:44 70,144 a------- c:\program files\common files\lavuh608.dll
2008-02-27 00:14 70,144 a------- c:\program files\common files\lavuh592.dll
2008-02-23 22:43 70,144 a------- c:\program files\common files\lavuh833.dll
2008-02-23 19:15 70,144 a------- c:\program files\common files\lavuh890.dll
2008-02-20 16:27 70,144 a------- c:\program files\common files\lavuh484.dll
2008-02-20 04:41 70,144 a------- c:\program files\common files\lavuh968.dll
2008-02-20 03:39 70,144 a------- c:\program files\common files\lavuh102.dll
2008-02-20 03:22 70,144 a------- c:\program files\common files\lavuh164.dll
2008-02-19 05:29 70,144 a------- c:\program files\common files\lavuh648.dll
2008-02-19 03:01 70,144 a------- c:\program files\common files\lavuh754.dll
2008-02-19 01:57 70,144 a------- c:\program files\common files\lavuh646.dll
2008-02-18 21:39 70,144 a------- c:\program files\common files\lavuh.dll
2008-02-16 20:56 41,724 ---sh--- c:\program files\common files\Yazzle1552OinUninstaller.exe
2008-01-18 13:46 140,288 ---sh--- c:\program files\common files\Yazzle1552OinAdmin.exe
2007-06-14 13:55 143 a------- c:\program files\common files\profsyv.html
2007-05-08 15:35 251 ac------ c:\program files\wt3d.ini
2008-03-12 07:32 249,345 a--sh--- c:\windows\system32\ijkkj.ini2
2008-09-01 22:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 23:47:48.25 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 moonoverparadise

moonoverparadise
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:15 AM

Posted 29 December 2008 - 11:32 AM

Please close topic. I realize ya'll are a bit busy. I'll try to find help elsewhere. I've already run combofix and an uninstaller for oi. But there's more here and it's just going to take time to get them all.

Edited by moonoverparadise, 29 December 2008 - 11:34 AM.


#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:15 PM

Posted 30 December 2008 - 09:13 AM

Hello Moonoverparadise and welcome at BleepingComputer,

Sorry to have kept you waiting for so long, but the forums are really busy.
If you still need help :

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu..
  • Click the Clear now button below.. A new window will popup what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from

Here or

Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes'

    Anti-Malware
    , then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let

MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


3. Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:07:15 PM

Posted 22 January 2009 - 05:22 AM

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users