
EXE4JLIB.JAR and other files locked


3 replies to this topic

#1 Tonyess9

Posted 01 January 2010 - 09:07 AM

To clean up temporary files, unwanted cookies and internet explorer history I regularly run (a licensed version of) PurgeIE.
Recently, though, 4 temporary file objects cannot be removed by this program.

For example (NLY90807 is my network userid), see these purge log entries:

Temp Folders:
Locked - C:\DOCUMENTS AND SETTINGS\NLY90807\LOCAL SETTINGS\TEMP\E4J2.TMP_DIR24320\EXE4JLIB.JAR
Dir Not Empty - C:\DOCUMENTS AND SETTINGS\NLY90807\LOCAL SETTINGS\TEMP\E4J2.TMP_DIR24320
Locked - C:\DOCUMENTS AND SETTINGS\NLY90807\LOCAL SETTINGS\TEMP\HSPERFDATA_NLY90807\2952
Dir Not Empty - C:\DOCUMENTS AND SETTINGS\NLY90807\LOCAL SETTINGS\TEMP\HSPERFDATA_NLY90807
Purge "Temp Folders" Function Completed. 4 Files/Directories Processed.

When I look around the internet, it seems that this may be harmless and the result of a Java Runtime bug.
If that is the case I will not worry further, but I want to know if the files are an indication of infection.
Are you able to help? Thanks in advance.

DDS (Ver_09-12-01.01) - NTFSx86
Run by nly90807 at 14:46:22.14 on Fri 01/01/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3574.2708 [GMT 1:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Iron Mountain\Connected BackupPC\AgentService.exe
C:\Program Files\iPass\iPassConnect iRAS\iPassPeriodicUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PurgeIE\PurgeIE_Service.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeClient.exe
C:\Program Files\Utimaco\SafeGuard Easy\SgeCtl.exe
C:\WINDOWS\system32\SgLogPlayer.exe
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Utimaco\SafeGuard Easy\WksCfgSrv.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect iRAS\iPassPeriodicUpdateApp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Utimaco\SafeGuard Easy\Ecview.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\Program Files\Iron Mountain\Connected BackupPC\Agent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Open Text\Livelink Explorer\LLSynch3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\nly90807\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = 161.83.20.225:8080
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: LLIEHlprObj Class: {f757fbbf-10e5-4dda-bbea-2357e54bea2b} - c:\program files\open text\livelink explorer\LLBHO3.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Communicator] "c:\program files\microsoft office communicator\communicator.exe" /fromrunkey
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [SgeEcView] c:\program files\utimaco\safeguard easy\Ecview.exe
mRun: [EdWizard] c:\program files\utimaco\safeguard easy\EdWizard.exe as
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [RemoteControl] c:\program files\roxio\roxio dvdmax player\PDVDServ.exe
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\udaterui.exe" /StartedFromRunKey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [AgentUiRunKey] "c:\program files\iron mountain\connected backuppc\Agent.exe" -ni -sss -e http://localhost:16386/
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mExplorerRun: [1] "c:\program files\microsoft efs assistant\EFSAssistant.exe"
StartupFolder: c:\docume~1\nly90807\startm~1\programs\startup\liveli~1.lnk - c:\program files\open text\livelink explorer\LLSynch3.exe
uPolicies-explorer: DisallowCpl = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: musicmatch.com\online
DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} - hxxps://www.quick.philips.com/qp2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} - hxxp://pww.meetings.philips.com/sametime/STMeetingRoomClient/STJNILoader.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\sapgui\SAPHTMLP.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
Notify: NotLog - SGLogEx.dll
Notify: SGLogNotification - SGLogNotification.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\nly90807\applic~1\mozilla\firefox\profiles\0p1upi35.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 2
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 AES-128;AES-128;c:\windows\system32\drivers\AES128.sys [2005-6-8 17952]
R0 AES-256;AES-256;c:\windows\system32\drivers\AES256.sys [2005-6-8 17952]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-4-3 64288]
R0 SgeFlt;SgeFlt;c:\windows\system32\drivers\SGEFLT.sys [2005-6-8 54880]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [2008-12-19 10880]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R2 AgentService;AgentService;c:\program files\iron mountain\connected backuppc\AgentService.exe [2009-3-10 6608192]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-9-24 1181328]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-9-22 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2009-1-27 54608]
R2 NgVpnMgr;Aventail VPN Client;c:\windows\system32\ngvpnmgr.exe [2009-5-11 225885]
R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2007-7-17 26137]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-12-18 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-12-18 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-12-18 177864]
R3 NgLog;Aventail VPN Logging;c:\windows\system32\drivers\nglog.sys [2009-5-11 25216]
R3 NgVpn;Aventail VPN Adapter;c:\windows\system32\drivers\ngvpn.sys [2009-5-11 77952]
S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2007-7-17 157648]
S3 LV_Tracker;LV_Tracker;c:\windows\system32\drivers\LV_Tracker.sys [2009-3-10 45384]
S3 NgFilter;Aventail VPN Filter;c:\windows\system32\drivers\ngfilter.sys [2009-5-11 20608]
S3 NgWfp;Aventail VPN Callout;c:\windows\system32\drivers\ngwfp.sys [2009-5-11 23168]
S3 NVCService;Nortel VPN Service;c:\program files\nortel networks\vpnclient\Extranet_serv.exe [2007-7-17 798720]

=============== Created Last 30 ================

2010-01-01 12:56:30 0 d-----w- c:\program files\Trend Micro
2009-12-30 22:08:25 0 d-----w- c:\docume~1\nly90807\applic~1\AVG8
2009-12-27 17:24:04 0 d-----w- c:\windows\pss
2009-12-27 16:56:58 0 d-----w- c:\program files\Musicmatch
2009-12-26 18:28:15 0 d-----w- C:\DRAGONFLY_D7
2009-12-23 08:15:42 265728 -c----w- c:\windows\system32\dllcache\http.sys
2009-12-19 18:22:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-12-18 20:47:34 0 d-----w- C:\soeur_sourire
2009-12-18 19:48:13 0 d-----w- C:\50_dead_men_walking
2009-12-18 18:33:06 0 d-----w- C:\SEVEN_BENELUX
2009-12-17 22:25:12 26024 ----a-w- c:\windows\system32\drivers\ElbyCDIO.sys
2009-12-16 05:40:28 1771 ----a-w- c:\windows\ngvpn.mif
2009-12-16 05:40:00 0 d-----w- c:\docume~1\alluse~1\applic~1\Aventail
2009-12-16 05:39:58 0 d-----w- c:\program files\Aventail Connect
2009-12-08 19:33:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Email Backup Optimization
2009-12-07 09:47:56 0 d-----w- c:\program files\Iron Mountain
2009-12-03 08:07:41 24770 ----a-w- c:\windows\IT.ico

==================== Find3M ====================

2009-10-31 19:04:59 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-30 21:18:12 77064 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-29 07:46:59 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46:50 17408 ----a-w- c:\windows\system32\corpol.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2006-12-29 14:15:42 3100672 ----a-w- c:\program files\common files\sapxlhelper.dll
2006-12-29 14:15:40 626688 ----a-w- c:\program files\common files\sapconsaccess.dll
2006-12-29 14:15:40 40960 ----a-w- c:\program files\common files\DigitalSignature.ocx
2006-12-29 14:15:40 192512 ----a-w- c:\program files\common files\sapconsr3.dll
2006-12-07 09:26:26 1129984 ----a-w- c:\program files\common files\SAPActiveXL.xlt
2006-12-07 09:26:26 1124864 ----a-w- c:\program files\common files\SAPActiveXL_nosig.xlt

============= FINISH: 14:46:56.75 ===============

Attached Files

  • ark.txt (2.01KB)


#2 Farbar


Posted 03 January 2010 - 08:03 AM

Hi Tonyess9,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

The system looks infected.
  • From the log:

    uInternet Settings,ProxyServer = 161.83.20.225:8080

  • Tell me if you have set a proxy server yourself to a server in The Netherlands.

  • Please post a fresh DDS.txt log, no need for the Attach.txt unless you have installed or uninstalled new software since your post.

  • Download the GMER Rootkit Scanner exe file from here and save it to your desktop.
    • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
    • Click on this link to see a list of programs that should be disabled.
    • Disconnect from the Internet and close all running programs.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO.
    • In the right panel, you will see several boxes that have been checked. Make sure the following are unchecked:
      • Sections
      • IAT/EAT
      • Drives/Partition other than C:\ drive (C:\ drive should remain checked)
      • Show All (this one also should be unchecked)
  • Then click the Scan button & wait for it to begin. (Please be patient as it can take some time to complete.)
  • When the scan is finished, you will see the Scan button appear again. Click Save to save the scan results to your Desktop.
  • Save the file as gmer.log and copy/paste the contents in your next reply.
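As an added example (not code from this thread or from DDS), a small Python script that pulls out of a DDS log the kind of lines farbar asked about: the `uInternet Settings,ProxyServer` entry, plus the `ProxyOverride`, `Hosts:` and Firefox `network.proxy.type` lines that use the same report format. The sample log text is constructed from the line formats quoted in the thread above.

```python
import re

# Constructed sample modelled on the DDS "Pseudo HJT Report" and FIREFOX
# sections quoted in the thread; only the line formats are taken from there.
SAMPLE_DDS = """\
============== Pseudo HJT Report ===============

uStart Page = hxxp://m.www.yahoo.com/
uInternet Settings,ProxyServer = 161.83.20.225:8080
uInternet Settings,ProxyOverride = <local>
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - prefs.js: network.proxy.type - 2
"""

# DDS prefixes each registry line with its hive: u = HKCU, m = HKLM, d = default user.
HIVES = {"u": "HKCU", "m": "HKLM", "d": "default user"}
PROXY_RE = re.compile(r"^([umd])Internet Settings,ProxyServer\s*=\s*(\S+)")
OVERRIDE_RE = re.compile(r"^([umd])Internet Settings,ProxyOverride\s*=\s*(.+)")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
FF_PROXY_RE = re.compile(r"^FF - prefs\.js: network\.proxy\.type - (\d+)")
# Firefox network.proxy.type values: 0 none, 1 manual, 2 PAC URL, 4 auto-detect, 5 system.
FF_TYPES = {"0": "no proxy", "1": "manual", "2": "PAC URL", "4": "auto-detect", "5": "system"}


def review_dds(text):
    """Return (kind, value, question) tuples for the lines a helper would ask
    the poster to confirm, in the order they appear in the log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROXY_RE.match(line):
            hive, proxy = m.groups()
            findings.append(("ie_proxy", proxy,
                             f"{HIVES[hive]} proxy is {proxy}; did you set it yourself?"))
        elif m := OVERRIDE_RE.match(line):
            findings.append(("ie_proxy_override", m.group(2).strip(),
                             "addresses that bypass the proxy"))
        elif m := HOSTS_RE.match(line):
            ip, host = m.groups()
            findings.append(("hosts", f"{host} -> {ip}",
                             f"hosts file maps {host} to {ip}; is that intentional?"))
        elif (m := FF_PROXY_RE.match(line)) and m.group(1) != "0":
            t = m.group(1)
            findings.append(("ff_proxy", t,
                             f"Firefox proxy type {t} ({FF_TYPES.get(t, 'unknown')}) is in use"))
    return findings


def proxies_in_use(text):
    """Every IE proxy address or non-zero Firefox proxy mode found in the log."""
    return [v for kind, v, _ in review_dds(text) if kind in ("ie_proxy", "ff_proxy")]


if __name__ == "__main__":
    for kind, value, question in review_dds(SAMPLE_DDS):
        print(f"[{kind}] {value}: {question}")
```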


#3 Tonyess9


Posted 03 January 2010 - 05:32 PM

Hello farbar,
Yes, the proxy server in the Netherlands is set by myself... I travel a lot and change proxies according to the site at which I work.

Thanks for your reply, but I do not think I will be able to carry out your full procedure. The laptop belongs to my company and although I can install software I am not able to start the machine in Windows safe mode. Simple safe mode gives me a blank screen and safe mode with networking results in an insufficient authorization message. Since I use my work computer extensively for private applications I usually take responsibility for cleaning and problem solving, but in this case I think I will have to contact the IT help desk. I hope you do not think I have been wasting your time; that was not my intention.

Do you have any idea what kind of infection is concerned and how serious it might be? This would help me to know the urgency of solving the problem. Thanks again for your quick response, all the best, Tonyess9.

#4 Farbar


Posted 03 January 2010 - 09:12 PM

Hi Tonyess9,

Though I didn't ask you to go to Safe Mode, the cleaning requires that you have administrative privileges. So contacting IT is required.

RootRepeal detected an MBR infection. With a GMER log I could tell more. The infection, if also confirmed by GMER, is a backdoor trojan.

A backdoor trojan can allow an attacker to gain control of the system, log keystrokes, steal passwords, access personal data, send malevolent outgoing traffic, and close the security warning messages displayed by some anti-virus and security programs.

Therefore a reimaging by the IT help desk might urgently be needed in this case before doing any sensitive work.

*********

This thread will now be closed.
