jkhhe.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by tm711, Jan 17, 2008.

  1. tm711

    tm711 Corporal

    Yesterday the laptop was working fine. On the usual sites and then bam, it starts slowing down, so I restart it and I get this message that says "C:/WINDOWS/system32/jkhhe.exe. Make sure you typed the name correctly, and then try again. To search for file, click the start button, and then click search." It has an OK button which I hit and then another message pops up: Desktop "Could not load or run 'C:/WINDOWS/system32/jkhhe.exe' specified in the registry. Make sure this file exists in your computer or remove the reference to it in the registry." I click OK and nothing. I searched the registry and the closest thing I could find in search is jkhhe.dll application extension. The kicker is I can't use the Internet, it won't connect. I have done CrapCleaner, Ad-Aware, EZ Antivirus and HijackThis with nothing coming up. I can't download any new removal systems because I can't connect to the internet. Thanks for any help in advance.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide


    If you cannot download the tools on the problem PC, you will need to download them using another PC and then transfer them to the problem PC using a USB drive, a CD, etc. The same will be true for the logs but in reverse order.
     
  3. tm711

    tm711 Corporal

    I have scanned my laptop with: Ad-Aware, CrapCleaner, Spybot, EZ Antivirus, AVG Antispyware, Combofix, MGtools. Logs for AVG, Combofix, and MGtools are attached. I downloaded AVG, Combofix, and MGtools to a disc on another computer and transferred them to the laptop that way. I do have HijackThis installed and can run that from the laptop.

    After running Combofix I no longer get the messages that I got yesterday.

    But when I try to connect to the net I get a message that says that windows cannot renew my IP address. The laptop is on a wireless network that runs through the PC. The PC works fine.

    Also, I cannot restore to any points before the laptop went bad. All restore points prior to 1/18 no longer exist.

    I suspect that parts of this trojan (or whatever it is) still linger in my system or else my registry is messed up, but I have no idea what to do about it.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not follow the instructions in the READ & RUN ME properly. In the very first steps we specify that you must not have more than one antivirus program installed. You have both CA eTrust and McAfee installed. One of these must be uninstalled immediately. If you uninstall McAfee then also run the below after uninstalling it:

    McAfee Consumer Product Removal Tool

    You also need to uninstall Viewpoint Media Player as requested in step 1.

    You do need to uninstall Java 2 Runtime Environment, SE v1.4.2_03, which is 3 or more years out of date and is a major security risk, but we will wait until you have an internet connection so you can also update to the current version.

    You don't need it. It is already embedded in MGtools.

    Installing multiple antivirus programs and multiple firewalls (not sure if you had more than one firewall) can break many things.


    What is in the below folder? Do you recognize this folder?
    2008-01-16 11:46 . 2008-01-16 11:46 <DIR> d-------- C:\temp\Ryuan1


    *** IMPORTANT WARNING ****

    You have a Trojan.Bancos infection.
    You are strongly advised to do the following immediately:
    1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned. If you have networked computers, start checking them for problems too.
    2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.



    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SPOLSV] C:\WINDOWS\system32\tracerts.exe

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
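    The O4 lines chaslang asks to fix above are HijackThis's listing of the HKLM/HKCU Run keys, and the original "Could not load or run ... specified in the registry" error is exactly what Windows shows when such a Run entry points at a file that is no longer on disk. The following is an added example (not MGtools, HijackThis or the forum's own code) that parses O4 lines in that format and flags two things a helper looks for by eye: entries whose target is missing (an orphaned autorun), and value or file names that closely imitate a real Windows binary (SPOLSV vs spoolsv, tracerts vs tracert). The log lines, the on-disk file list and the short list of well-known names are all constructed for the example; the `[jkhhe]` line is a stand-in for the registry reference from the first post, not a line from the poster's actual log.

```python
import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher

# Constructed HijackThis-style O4 lines. The first three copy the format of
# the entries quoted in this thread; the [jkhhe] line is a constructed
# stand-in for the orphaned registry reference from the first post.
SAMPLE_HJT_LINES = """\
O4 - HKLM\\..\\Run: [SpywareBot] C:\\Program Files\\SpywareBot\\SpywareBot.exe -boot
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\Run: [SPOLSV] C:\\WINDOWS\\system32\\tracerts.exe
O4 - HKLM\\..\\Run: [jkhhe] C:\\WINDOWS\\system32\\jkhhe.exe
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
"""

# Constructed snapshot of which targets exist on disk (lower-cased paths).
# Stands in for os.path.exists() so the example runs on any machine.
PRESENT_FILES = {
    r"c:\program files\spywarebot\spywarebot.exe",
    r"c:\program files\messenger\msmsgs.exe",
    r"c:\windows\system32\tracerts.exe",
    r"c:\program files\quicktime\qttask.exe",
}

# Hand-picked (assumed, not authoritative) Windows binary names that
# malware commonly imitates with one-letter variations.
WELL_KNOWN_NAMES = ["spoolsv", "svchost", "lsass", "csrss", "winlogon",
                    "explorer", "tracert", "netstat"]

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXT_RE = re.compile(r"\.(exe|com|bat|cmd|scr|pif)\b", re.IGNORECASE)


@dataclass
class AutorunEntry:
    hive: str
    name: str
    path: str
    args: str
    findings: list = field(default_factory=list)


def split_command(cmd: str):
    """Separate the executable path from its arguments.
    A quoted path ends at the closing quote; an unquoted one is taken up to
    the first executable extension, which is how an entry such as
    '... SpywareBot.exe -boot' has to be read despite the space in the path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    m = EXT_RE.search(cmd)
    if m:
        return cmd[:m.end()], cmd[m.end():].strip()
    return cmd, ""


def lookalike_of(candidate: str):
    """Return the well-known name that `candidate` closely resembles but
    does not equal, or None. 0.85 is a constructed threshold."""
    c = candidate.lower()
    for known in WELL_KNOWN_NAMES:
        if c != known and SequenceMatcher(None, c, known).ratio() >= 0.85:
            return known
    return None


def parse_o4_lines(text: str, present=PRESENT_FILES):
    """Parse Run-key O4 lines and attach findings to each entry."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue  # other HJT line types are not handled here
        path, args = split_command(m["cmd"])
        entry = AutorunEntry(m["hive"], m["name"], path, args)
        if path.lower() not in present:
            entry.findings.append("target missing")
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        for label, value in (("value name", entry.name), ("file name", stem)):
            known = lookalike_of(value)
            if known:
                entry.findings.append(f"{label} {value!r} resembles {known}")
        entries.append(entry)
    return entries


def suspicious(entries):
    """Only the entries with at least one finding."""
    return [e for e in entries if e.findings]


if __name__ == "__main__":
    for e in parse_o4_lines(SAMPLE_HJT_LINES):
        print(f"{e.hive} [{e.name}] {e.path} -> {'; '.join(e.findings) or 'ok'}")
```

Run as a script it prints one line per entry; the SPOLSV and jkhhe entries come out flagged and the three legitimate ones print "ok". On a real log, replace `PRESENT_FILES` with a check against the disk and treat a lookalike hit as a reason to inspect the file, not as proof of infection.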
     
  5. tm711

    tm711 Corporal

    I have done all the steps you requested.

    Uninstalled Mcafee and ran the Product Removal Tool. There was this message after running the tool, "I Task Scheduler::Delete() failed".

    Uninstalled Viewpoint.

    I do not recognize the file C:\temp\Ryuan1.

    Removed Windows Messenger.

    Ran HJT. C:\Program Files\Messenger\msmsqs.exe was not there. The other two items were, and they have been fixed.

    Ran Avenger - log attached

    Ran CCleaner.

    Ran GetLogs -log attached

    Still no internet connection but considering my problem that is not important right now.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then delete that folder.

    Also delete the below file:
    C:\WINDOWS\mrofinu572.exe.tmp


    Other than the above your logs are clean, but you should consider whether you can really trust this PC anymore. Do you use it for any financial transactions? If so, you may really want to consider, a total reinstall after deleting your partition. Do not just reinstall, you must delete the partition to be safe.

    It's your decision on how you want to proceed.


    Not sure if you want to try fixing this or you want to reinstall. Running the below, may or may not fix your connections issues:

    XP TCP/IP Repair
     
  7. tm711

    tm711 Corporal

    Thank you very much. This is the most awesome site on the web!

    It was the laptop which was infected. I have scanned the PC with 5-6 different programs and it comes up clean. I will check out the link you have provided. I do not know what delete the partition means.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That still is not a guarantee. We always see people reporting that all scans are clean but when we look at the logs we ask for, we always find problems.

    See this: http://support.microsoft.com/kb/313348

    There are many links on the internet that discuss things like this. Disk partitioning is the creation of logical divisions upon a hard disk that allows one to apply operating system-specific logical formatting. See: http://en.wikipedia.org/wiki/Disk_partitioning
     
  9. tm711

    tm711 Corporal

    I have run all the steps in malware removal on the PC. The logs are attached. AVG would not generate a report, but it found Adware.Websearch, and said that there was one trace: HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\User Data\AVI. Now that the laptop is running, I thought that I should check for any problems on the PC. Also, the laptop is now connecting to the internet - I have made no changes to it since I last posted logs etc. on here.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know what the below folder is for?
    Code:
    C:\Program Files\
    118_PR~1      Jan 18 2008              "118_problems"
    Now let's remove a bad service.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to .NET Framework Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste .NET Connection Service into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.0_01
    LiveReg (Symantec Corporation)
    LiveUpdate 1.6 (Symantec Corporation)

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment


    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
    O4 - HKCU\..\Run: [ PAL Evidence Eliminator] C:\Program Files\PAL Evidence Eliminator\Cleaner.exe
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  11. tm711

    tm711 Corporal

    Sorry for the delay chas but I got called out of town on business.

    Deleted the folder 118_problems. It was a temp folder I had made and I forgot to delete it. It is gone now.

    Getting rid of .NET Framework Service, the Stop button would not operate. I set startup to Disabled. When I exited it was shown as disabled.

    Ran HJT (not MGtools) and did as instructed, everything went ok.

    Removed Java 2 Runtime from the Control Panel.

    Rebooted from Stop.

    Installed new Java Runtime.

    Ran HJT; did all 5 fixes.

    Merged fixme with registry as instructed.

    Downloaded Avenger as instructed and ran it. At reboot there was a command prompt that said it could not find C:Avenger. Is this because I saved it to the desktop and not to the C drive?

    Ran CCleaner.

    Logs attached.

    I have noted that it reboots faster than it did before.

    Also at last reboot, my firewall asked if I would allow netstat.exe to access the internet - I denied it.
     

    Attached Files:

  12. tm711

    tm711 Corporal

    As a follow up to the netstat thing, perhaps this will save some time.

    I did a search, and I have the following:

    NETSTAT.EXE in I386, properties attribute it to microsoft.

    NETSTAT.EX_ in I386, version is unknown.

    NETSTAT.EXE-o4F18BCO.pf in Windows\Prefetch

    netstat.exe in System32.

    netstat.exe in Windows Service Pack Files\I386.

    I typed the file names just as they appear (all caps or all lower case).

    At the command prompt I ran netstat; the results are attached as a notepad file.

    Checked my Firewall log and I am getting repeatedly hit by 24.64.***.***, is this related to netstat?

    I hope this helps.
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Netstat is run by GetRunKey.bat which is part of MGtools but it is not run at reboot. It is run when you run GetLogs.bat. Is that what you really meant, or did you really mean during boot?

    Please give the full IP address.


    Your logs are clean.
     
  14. tm711

    tm711 Corporal

    It asked if I wanted to run netstat at reboot. It has not done it again.

    The IP is 24.64.89.59.16614. But the IP varies like this: 24.64.***.***.***

    I did some research on netstat, and I was wondering if I had a bad netstat would my firewall be blocking this IP so much? In other words, have I been hacked?
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would assume that IP address is your ISP?
    Code:
    IP Address   : 24.64.89.59 [ S0106001636c8cdce.cn.shawcable.net ]
    ISP          : Shaw Communications
    Organization : Shaw Communications
    Location     : CA, Canada
     
     
  16. tm711

    tm711 Corporal

    No. That is the one that my firewall has to block repeatedly.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Perhaps you need to check who is actually providing your internet service. Shaw Communications is a legit ISP.

    Are you using Road Runner now?

    Did you use to use Shaw?

    Does Road Runner lease from Shaw?

    Attach a piece from your firewall log.
     
