What have I got

Discussion in 'Malware Help (A Specialist Will Reply)' started by gsumner, Dec 24, 2007.

  1. gsumner

    gsumner Private E-2

    It's Christmas Eve and I'm feeling miserable at the thought of reformatting.

    Please can you check out my logs etc. and see if you can find out what's going on.

    Thanks and Merry Christmas

    Graham
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please use add/remove programs to uninstall:
    J2SE Runtime Environment 5.0
    Java 2 Runtime Environment, SE v1.4.2_05

    Reboot and install:
    Java Runtime 6

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  3. gsumner

    gsumner Private E-2

    Hi, done all required.

    Here are the logs

    Thanks
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    First Disable Spybot's TeaTimer as requested in the READ ME

    * Run Spybot and click Mode
    * Select Advanced Mode.
    * Then click Tools and select Resident.
    * Now in the right window pane, uncheck TeaTimer.
    * Also while this is open, in the left column now select IE Tweaks
    * and then in the right pane make sure all the Miscellaneous locks are unchecked.
    * Now quit Spybot!

    Please disable all anti-virus and anti-spyware programs while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
     
  5. gsumner

    gsumner Private E-2

    Hi Tim,

    All done, here are the results.

    Thanks

    Graham
     

    Attached Files:

  6. gsumner

    gsumner Private E-2

    Just noticed something, please read before you read my reply to yesterday's instructions below.

    I have a program called Unlocker. I unlocked the file jkhfg.dll to try to delete it. It says it is in use by some processes. They are "Explorer.exe" (yes, this has a capital "E"). Is that a rogue process? Also 2 instances of lsass.exe.

    I've also noticed a few programs that are loaded at startup. They don't look right. They are sitting in memory as I type and are:-

    jusched .exe
    zlclient .exe

    notice the space before the .exe

    Are these rogues?

    There are already 2 identical ones in memory too:-

    jusched.exe
    zlclient.exe

    without that space before the .exe

    Perhaps there is something suspicious with these processes that we are missing and therefore can't get rid of the jkhfg.dll.

    Hope this helps

    Graham
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Both legit ...java scheduler and zone labs.

    Now:
    Please disable all anti-virus and anti-spyware programs (including TeaTimer!) while we do the following:

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  8. gsumner

    gsumner Private E-2

    Hi,

    All done again.

    Just a question or 2: how come there are 2 versions of jusched running and 2 versions of zlclient, one with a space and one without a space? I also had, earlier in the week, a program that was started at boot called frmempro; this had several versions, i.e.:-

    frmempro.exe
    frmempro .exe
    frmempro .exe

    It may be good to point out that all these programs were picked up by a virus checker before I contacted MajorGeeks, even the jusched .exe and the zlclient .exe. The program that found them was AVG, but it had to be uninstalled because it reported a version of itself that was a virus, so I removed it for good measure.

    I notice using HijackThis I have a version of Explorer.exe with a capital E as a running process. This is not Windows, as I can't terminate it without the computer shutting down. Some searches on Google say this is a trojan. Just wondered what your thoughts are on this.

    Seems HijackThis is having no effect on the files:-
    jkhfg.dll and jkhfg.exe, as they are still in the sys32 folder no matter what we do.

    Please find attached the results you requested.

    Thanks for all the work

    Graham
     

    Attached Files:

  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Are you sure you are turning off all anti-virus and anti-spyware programs (Including ZoneAlarm)?

    Boot into safe mode ---> disable ALL security programs ...

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:
    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Boot into normal mode and run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  10. gsumner

    gsumner Private E-2

    Hi,

    Check this out, Tim. Apparently there is a new version of the Vundo trojan out that infects other files on the computer. Those files I found are rogues written by the virus itself. I ran a tool called RenV.exe and here is the log it produced.

    Code:
    Ran on Fri 12/28/2007 -  9:58:12.17
    
    ----a-w           884,736 2007-12-22 06:50:02  C:\Program Files\8start Launcher\8start .exe
    ----a-w         1,961,984 2007-12-24 05:06:32  C:\Program Files\Ahead\Nero BackItUp\NBJ      .exe
    ----a-w           344,064 2007-12-23 18:03:01  C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe
    ----a-w           418,304 2007-12-24 05:06:31  C:\Program Files\FreeMem Professional\fmempro      .exe
    ----a-w           579,072 2007-12-23 18:02:53  C:\Program Files\Grisoft\AVG Free\avgcc .exe
    ----a-w           579,072 2007-12-23 22:11:17  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           256,576 2007-12-23 18:03:09  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           132,496 2007-12-28 06:49:55  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w            25,600 2007-12-23 18:02:40  C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher .exe
    ----a-w            36,864 2007-12-23 18:02:56  C:\Program Files\Roland\VSC32\vsc32cnf .exe
    ----a-w            36,864 2007-12-23 18:02:57  C:\Program Files\Roland\VSC32\vscvol .exe
    ----a-w            81,920 2007-12-23 18:03:16  C:\Program Files\Sony\SonicStage\SsAAD .exe
    ----a-w         1,460,560 2007-12-26 12:32:47  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
    ----a-w           919,280 2007-12-28 06:49:54  C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
    ----a-w            82,432 2007-12-24 05:06:29  C:\WINDOWS\hffext\hffsrv  .exe
    ----a-w           158,208 2007-12-25 19:47:01  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
    ----a-w           155,648 2007-12-23 18:02:47  C:\WINDOWS\system32\NeroCheck .exe
    
     Entries:               17  (17)
     Directories:            0  Files:            17
     Bytes:          8,113,680  Blocks:       15,849
    

    Look at all those programs that start up at boot time that have a space before the .exe. I am disabling all my virus checkers, ZoneAlarm etc., but the 2 files I mentioned before:-

    jusched .exe
    zlclient .exe

    are in memory and look like they are definitely not legit and are slapping those jkhfg files right back in there as we try to get rid of them.

    Graham
     
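    As an added illustration (not part of this thread and not RenV's own code): a small Python scanner that flags the "name .exe" pattern RenV listed above, i.e. one or more spaces between the base name and the extension, and notes whether an unpadded twin such as jusched.exe sits in the same folder. The sample directory tree it builds is constructed for the demo; the sizes are filler.

```python
import os
import re
import tempfile

# The Vundo variant discussed in this thread drops "name .exe" (one or more
# spaces before the extension) beside autostart programs so the impostor
# blends in with the real "name.exe". This matcher catches that shape.
PADDED_EXE = re.compile(r"^(?P<stem>.*\S) +\.exe$", re.IGNORECASE)

def unpadded_twin(name):
    """Return 'stem.exe' if name is 'stem<spaces>.exe', else None."""
    m = PADDED_EXE.match(name)
    return None if m is None else m.group("stem") + ".exe"

def scan_tree(root):
    """Walk root and report each padded .exe, noting whether its unpadded
    twin sits in the same directory (the pairing the thread describes)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for fname in files:
            twin = unpadded_twin(fname)
            if twin is None:
                continue
            full = os.path.join(dirpath, fname)
            findings.append({
                "path": full,
                "size": os.path.getsize(full),
                "twin_present": twin in present,
            })
    return sorted(findings, key=lambda f: f["path"])

# Constructed sample layout echoing names from the RenV listing above.
SAMPLE_FILES = {
    "Java/jre1.6.0_03/bin/jusched.exe": 120,   # legitimate Java scheduler
    "Java/jre1.6.0_03/bin/jusched .exe": 512,  # padded impostor beside it
    "Ahead/Nero BackItUp/NBJ      .exe": 640,  # several spaces, no twin
    "Zone Labs/ZoneAlarm/zlclient.exe": 100,
    "Zone Labs/ZoneAlarm/zlclient .exe": 300,
    "Sony/SonicStage/SsAAD.exe": 90,           # clean: no padding
}

def build_sample_tree(base):
    """Create the constructed sample files under base."""
    for rel, size in SAMPLE_FILES.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

def demo():
    """Build the sample tree in a temp dir, scan it, return findings by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {os.path.basename(f["path"]): f for f in scan_tree(tmp)}

if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{f['size']:>6}  twin={'yes' if f['twin_present'] else 'no'}  {name!r}")
```

    A hit with twin_present set is the pairing gsumner saw in memory (jusched .exe beside jusched.exe); a hit without a twin still deserves a look, since nothing legitimate names itself that way.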
  11. gsumner

    gsumner Private E-2

    Hi, I think I made some good progress.

    By chance I updated ZoneAlarm to the latest version. This must have prevented zlclient .exe [notice the space] from loading into memory at startup. Now here's the strange bit: there was now no trace of the jkhfg.dll or jkhfg.exe anywhere. I think that was loading them. I couldn't close zlclient .exe previously because Windows was protecting it. Now it's not loaded, I proceeded to delete all the files picked up with RenV.exe with Avenger.

    That log is below. Let me know which logs to post now to see if I'm clean. Still got Explorer.exe as a process. Is that a legit process [I mean with the capital E]? Also no report of instances of jkhfg.dll in memory by ZoneAlarm.

    Thanks



    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\xcjfatmu

    *******************

    Script file located at: \??\C:\Documents and Settings\ouputocm.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:


    File C:\WINDOWS\system32\jkhfg.exe not found!
    Deletion of file C:\WINDOWS\system32\jkhfg.exe failed!

    Could not process line:
    C:\WINDOWS\system32\jkhfg.exe
    Status: 0xc0000034



    File C:\WINDOWS\system32\jkhfg.dll not found!
    Deletion of file C:\WINDOWS\system32\jkhfg.dll failed!

    Could not process line:
    C:\WINDOWS\system32\jkhfg.dll
    Status: 0xc0000034


    Could not process line:
    C:\pogigbqy.bat
    Status: 0xc0000034

    File C:\WINDOWS\system32\gfhkj.ini deleted successfully.
    File C:\WINDOWS\system32\gfhkj~1.ini deleted successfully.
    File C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx .exe deleted successfully.
    File C:\Program Files\FreeMem Professional\fmempro .exe deleted successfully.
    File C:\Program Files\Grisoft\AVG Free\avgcc .exe deleted successfully.
    File C:\Program Files\Grisoft\AVG7\avgcc .exe deleted successfully.
    File C:\Program Files\iTunes\iTunesHelper .exe deleted successfully.
    File C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe deleted successfully.
    File C:\Program Files\r2 Studios\Startup Delayer\Startup Launcher .exe deleted successfully.
    File C:\Program Files\Roland\VSC32\vsc32cnf .exe deleted successfully.
    File C:\Program Files\Roland\VSC32\vscvol .exe deleted successfully.
    File C:\Program Files\Sony\SonicStage\SsAAD .exe deleted successfully.
    File C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe deleted successfully.
    File C:\RECYCLER\S-1-5-21-1085031214-492894223-725345543-1003\Dc3\8start .exe deleted successfully.
    File C:\WINDOWS\hffext\hffsrv .exe deleted successfully.
    File C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe deleted successfully.
    File C:\WINDOWS\system32\NeroCheck .exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    atiptaxx .exe =
    This file is used by your system to run the ATI Control Panel. It is not required for your ATI card, but it can access certain settings that Windows cannot access on the ATI card. Only remove this file if you are experiencing problems or do not wish to reconfigure the card.


    avgcc .exe =
    It's not recommended you disable the Control Center. It provides the Pop-Up windows from the AVG Resident Shield. If you disable the AVG Control Center then:

    - AVG Resident Shield won't display the information window when it finds a virus, but it will stop it.

    C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe = if you go to start / run / type "msconfig" without quotes ...does it start?

    And you have removed Spybot's teatimer ....did you want to do that?

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Apparently this is a new form of Vundo infection and leaves your system's real system files untrustworthy ...let's see what this turns up:

    • Download and save RenV.exe from the following link to the Desktop (must be on the Desktop)
    • Doubleclick RenV.exe
      • When finished, it will produce a new log named Log.txt on the Desktop.
      • Attach this log to your next reply.
     
  14. gsumner

    gsumner Private E-2

    I've already run the RenV.exe thing and binned all the things it came up with. I've posted a few posts since last time you wrote to me. The result of that original scan is in an earlier post. TeaTimer came up on the list and was installed.

    I think I'm clean now but get a blue screen when doing a long virus scan using "any" scanner.

    Just wondered what this can be.

    Graham

    Here is the result of a RenV.exe scan now

    Code:
    Ran on Sat 12/29/2007 -  5:55:07.89
    
     Entries:                0  (0)
     Directories:            0  Files:             0
     Bytes:                  0  Blocks:            0
    
     
  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It's very likely that some of your system and program files were replaced with the infected files ......go to start / run / type "sfc /scannow" without quotes and have your xp cd handy.

    You may also have to reinstall some of your software ...esp the security software.
     
  16. gsumner

    gsumner Private E-2

    Things seem better now.

    I did a ScanDisk and reinstalled some software that was infected and therefore removed. No blue screens today.

    I will run the computer for a couple of days to see what happens and report back when all is clear.

    Things definitely much better now, Tim. Although I seem to be getting about 60 or so junk emails per day.

    Guess that's down to the Vundo thing.

    Thanks for now, will report back soon
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can use a mailwasher ....let me know how things are running as this new Vundo is still also new to us as to what all it can do. :)
     
  18. gsumner

    gsumner Private E-2

    OK, I'll stay vigilant for a few weeks and keep running RenV.exe and other virus scanners and see if they come up with anything.

    Thanks
    Graham
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Not a problem ...safe surfing. :)
     