jkhhf.dll



Swiftkill
2007-10-31, 08:19
I have tried everything. I've searched the web for 2 days trying different ways to get rid of this virus. Now I must post. Please help in English; I'm not a computer god, but I know my way around one.

Logfile of HijackThis v1.99.1
Scan saved at 12:08:19 AM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Canucks\Desktop\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {D522881B-8889-42A9-ACB0-5872FFD20E34} - C:\WINDOWS\system32\jkhhf.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/164e5248eae5fddc6a05/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Rorschach112
2007-10-31, 09:44
Hello, my name is Rorschach and I'll be helping you with your problems.


Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Swiftkill
2007-10-31, 11:49
I already have tried Vundo; it doesn't find it. As you can see from DSS, it's still there! Thanks for your help, I'll check back tomorrow morning.

Too long, gotta do it in 3 replies.



VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 1:54:23 PM 27/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\bhgsbmxu.dll
C:\WINDOWS\system32\jkkjkki.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjkki.dll
C:\WINDOWS\system32\jkkjkki.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jkkjkki.dll
C:\WINDOWS\system32\jkkjkki.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 2:01:33 PM 27/10/2007

Listing files found while scanning....

C:\windows\system32\jkkjkki.dll

Beginning removal...

Attempting to delete C:\windows\system32\jkkjkki.dll
C:\windows\system32\jkkjkki.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 2:08:24 PM 27/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\qppxjalx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\qppxjalx.dll
C:\WINDOWS\system32\qppxjalx.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 2:30:20 PM 27/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 3:17:20 PM 28/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\efrdnoca.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\efrdnoca.dll
C:\WINDOWS\system32\efrdnoca.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 3:25:28 PM 28/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 7:12:17 PM 28/10/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 9:51:11 PM 30/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\ahysxcmo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ahysxcmo.dll
C:\WINDOWS\system32\ahysxcmo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 11:36:36 PM 30/10/2007

Listing files found while scanning....


Beginning removal...

VundoFix V6.5.11

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 3:36:57 AM 31/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\rjjkalpa.dll

Beginning removal...

Performing Repairs to the registry.
Done!

Swiftkill
2007-10-31, 11:54
Deckard's System Scanner v20071014.68
Run by Canucks on 2007-10-31 03:51:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 7.78 GiB (less than 15%) free.


-- HijackThis (run as Canucks.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:51:37 AM, on 31/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\Mixer.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Canucks\Desktop\dss.exe
C:\DOCUME~1\Canucks\Desktop\Canucks.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {9D46221F-14D2-4207-BAB9-EF39A5832CCA} - C:\WINDOWS\system32\jkhhf.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/164e5248eae5fddc6a05/netzip/RdxIE601.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab40641.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CB4574A5-D463-46BE-8E12-8CD0DCA9EDA1} (LIVECHAT Control) - http://www.wcgzone.com/LiveChat.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by104fd.bay104.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


-- Files created between 2007-09-30 and 2007-10-31 -----------------------------

2007-10-30 23:50:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-10-30 23:32:17 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2007-10-30 23:16:12 53248 --a------ C:\Documents and Settings\Canucks\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-30 23:16:12 11254 --a------ C:\Documents and Settings\Canucks\locate.com
2007-10-30 23:05:55 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2007-10-30 23:05:51 0 d-------- C:\Program Files\Security Task Manager
2007-10-28 15:24:09 0 d-------- C:\Program Files\backups
2007-10-27 13:54:23 0 d-------- C:\VundoFix Backups
2007-10-27 13:37:26 0 d--hs---- C:\WINDOWS\CSC
2007-10-25 00:18:46 0 d-------- C:\Documents and Settings\Canucks\Application Data\F?nts
2007-10-23 11:35:20 0 d-------- C:\Program Files\iPod
2007-10-23 11:35:02 0 d-------- C:\Program Files\iTunes
2007-10-23 11:24:48 287401 ---hs---- C:\WINDOWS\system32\fhhkj.bak2
2007-10-22 22:12:34 6470 ---hs---- C:\WINDOWS\system32\fhhkj.bak1
2007-10-22 22:11:01 316000 --a------ C:\WINDOWS\system32\jkhhf.dll
2007-10-22 22:09:22 0 d-------- C:\Program Files\Temporary
2007-10-22 22:05:36 0 d-------- C:\Program Files\s?stem
2007-10-22 22:05:30 0 d-------- C:\WINDOWS\system32\vMW07a
2007-10-22 22:05:17 41723 ---hs---- C:\Program Files\Common Files\Yazzle1396OinUninstaller.exe
2007-10-22 22:01:26 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-10-22 22:01:26 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-10-22 22:01:26 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-10-22 22:01:26 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2007-10-22 22:01:26 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-10-22 22:01:26 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-10-22 22:01:26 0 dr------- C:\Documents and Settings\Administrator\My Documents
2007-10-22 22:01:26 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-10-22 22:01:26 0 dr------- C:\Documents and Settings\Administrator\Favorites
2007-10-22 22:01:26 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-10-22 22:01:26 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2007-10-22 22:01:26 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-10-22 22:01:26 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-10-22 22:01:25 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-10-22 17:10:47 0 --a------ C:\WINDOWS\b.exe
2007-10-12 09:56:40 146432 ---hs---- C:\Program Files\Common Files\Yazzle1396OinAdmin.exe
2007-10-10 18:37:48 14716 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-10-07 13:35:59 35382 --a------ C:\WINDOWS\scunin.dat
2007-10-07 13:35:58 967 --a------ C:\WINDOWS\ScUnin.pif
2007-10-07 13:35:58 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
2007-10-07 13:23:39 0 d-------- C:\Program Files\Starcraft


-- Find3M Report ---------------------------------------------------------------

2007-10-30 18:43:14 0 d-------- C:\Program Files\Steam
2007-10-28 16:12:30 5621 --a------ C:\WINDOWS\mozver.dat
2007-10-28 16:12:21 0 d-------- C:\Program Files\Java
2007-10-25 01:34:55 0 d-------- C:\Program Files\s?stem
2007-10-25 00:18:46 0 d-------- C:\Documents and Settings\Canucks\Application Data\F?nts
2007-10-22 22:05:17 0 d-------- C:\Program Files\Common Files
2007-10-22 17:25:33 0 d-------- C:\Program Files\LimeWire
2007-10-10 19:32:21 0 d-------- C:\Program Files\mIRC
2007-10-03 12:30:15 0 d-------- C:\Documents and Settings\Canucks\Application Data\Adobe
2007-09-23 14:24:45 0 d-------- C:\Program Files\Apple Software Update
2007-09-06 22:39:08 0 d-------- C:\Documents and Settings\Canucks\Application Data\Azureus
2007-09-06 17:45:48 0 d-------- C:\Program Files\Azureus
2007-09-06 12:04:32 0 d-------- C:\Documents and Settings\Canucks\Application Data\Apple Computer


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9D46221F-14D2-4207-BAB9-EF39A5832CCA}]
30/10/2007 11:07 PM 316000 --a------ C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Utility"="Logi_MwX.Exe" [17/12/2003 09:50 AM C:\WINDOWS\LOGI_MWX.EXE]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [18/03/2004 10:33 AM]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [10/12/2002 05:54 PM]
"C-Media Mixer"="Mixer.exe" [07/12/2001 08:24 AM C:\WINDOWS\Mixer.exe]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [24/03/2004 10:04 AM]
"SetIcon"="\Program Files\WDC\SetIcon.exe" [28/04/2004 03:02 PM]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [24/03/2004 10:04 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [14/05/2007 03:22 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 07:51 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [29/06/2007 06:24 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [26/09/2007 02:42 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhf.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1ef81820-a1e1-11d8-86d9-806d6172696f}]
AutoRun\command- E:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a7c8f70-4056-11dc-a2ee-000021285acf}]
AutoRun\command- F:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-10-31 03:52:11 ------------
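
The two HijackThis logs and the DSS registry dump above carry the three things a responder would pull out of this thread. The O2 BHO line loads jkhhf.dll into Internet Explorer, but the "Authentication Packages" value under HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa lists the same DLL next to msv1_0, and a DLL listed there is loaded by LSASS at boot, before any user logs on, so this is not a browser-only problem. The BHO's CLSID changed from {D522881B-8889-42A9-ACB0-5872FFD20E34} in the first log to {9D46221F-14D2-4207-BAB9-EF39A5832CCA} in the DSS log while the file name stayed the same. And system32 holds fhhkj.bak1 and fhhkj.bak2, whose name is jkhhf spelled backwards. The script below is an added example, not part of the thread and not code from HijackThis, DSS, VundoFix or ComboFix: it parses an excerpt copied from those logs and flags each of those indicators. The default lists for Authentication Packages (msv1_0) and SecurityProviders (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) are my assumptions for Windows XP, not something the thread states; anything outside them, such as zwebauth.dll, is reported for review, not declared malicious.

```python
"""Triage a HijackThis / DSS log excerpt for the persistence points seen in this thread.

Added example; not code from the thread or from HijackThis, DSS, VundoFix or ComboFix.
"""
import re

# Constructed sample: lines copied from the two HijackThis logs and the DSS
# registry dump posted in the thread (the two O2 lines come from the two logs).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D522881B-8889-42A9-ACB0-5872FFD20E34} - C:\WINDOWS\system32\jkhhf.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9D46221F-14D2-4207-BAB9-EF39A5832CCA} - C:\WINDOWS\system32\jkhhf.dll
2007-10-23 11:24:48 287401 ---hs---- C:\WINDOWS\system32\fhhkj.bak2
2007-10-22 22:12:34 6470 ---hs---- C:\WINDOWS\system32\fhhkj.bak1
2007-10-22 22:11:01 316000 --a------ C:\WINDOWS\system32\jkhhf.dll
2007-10-07 13:35:58 94208 --a------ C:\WINDOWS\ScUnin.exe <Not Verified; Blizzard Entertainment; Starcraft Uninstaller>
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\jkhhf.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
"""

# Assumed Windows XP defaults (my assumption, not stated in the thread).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}
DEFAULT_SECURITY_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
AUTHPKG_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
SECPROV_RE = re.compile(r"^SecurityProviders\s+(?P<provs>.+)$")


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def stem(path):
    """File name without its extension, lower-cased (jkhhf.dll -> jkhhf)."""
    return basename(path).rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return sorted (indicator, detail) pairs found in a HijackThis/DSS excerpt."""
    findings = set()
    bho_clsids = {}     # lower-cased DLL path -> CLSIDs it was registered under
    names_by_stem = {}  # stem -> file names from the DSS listing, for the reversed-name check

    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            path = m.group("path")
            bho_clsids.setdefault(path.lower(), set()).add(m.group("clsid").upper())
            # An unnamed BHO living in system32 is the shape of the O2 line in
            # both logs above; legitimate BHOs almost always register a name.
            if m.group("name") == "(no name)" and "\\system32\\" in path.lower():
                findings.add(("unnamed_system32_bho", path))
        elif m := FILE_RE.match(line):
            path = m.group("path").split(" <")[0].strip()  # drop DSS "<Not Verified; ...>" notes
            names_by_stem.setdefault(stem(path), set()).add(basename(path))
        elif m := AUTHPKG_RE.match(line):
            # Anything besides msv1_0 here is loaded into LSASS at boot.
            for pkg in m.group("pkgs").split():
                if stem(pkg) not in DEFAULT_AUTH_PACKAGES:
                    findings.add(("lsa_authentication_package", pkg))
        elif m := SECPROV_RE.match(line):
            for prov in re.split(r"[,\s]+", m.group("provs")):
                if prov and prov.lower() not in DEFAULT_SECURITY_PROVIDERS:
                    findings.add(("lsa_security_provider", prov))

    # Same file seen under more than one CLSID across logs: the BHO was re-registered.
    for path, clsids in bho_clsids.items():
        if len(clsids) > 1:
            findings.add(("bho_clsid_churn", path))

    # A file whose stem is another file's stem spelled backwards (fhhkj / jkhhf).
    for s in names_by_stem:
        rev = s[::-1]
        if rev != s and rev in names_by_stem and s < rev:
            findings.add(("reversed_name_pair", f"{s} <-> {rev}"))

    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:27} {detail}")
```

Run it as-is to print the findings for the embedded excerpt, or pass the text of a full HijackThis log or DSS main.txt to triage() for the same checks. It is a triage aid only: the Lsa values it reads are part of logon processing for every account, so they are cleaned by hand and with care, not by a script that deletes whatever it flags.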

Swiftkill
2007-10-31, 11:55
Extra.txt popped up; I accidentally closed it while trying to make 3 reposts, and I can't get it to come back after a scan again.

Rorschach112
2007-10-31, 20:01
Don't worry about the Extra.Txt

Please go to UploadMalware (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Browse for this filename: C:\WINDOWS\system32\jkhhf.dll

In the comments, please mention that I asked you to upload this file
Click on Send File




Download Combofix (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe) and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



This will remove that file for sure, so bear with me :)


Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.
Select "Add More Files?" from the menu that comes up.
This will open a new VundoFix window that says "Paste files into the boxes below:"
In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\jkhhf.dll
Click the 'Add Files' button.
Click the 'Close Window' button.
Click the 'Remove Vundo' button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.



Also post a new HijackThis log.

Swiftkill
2007-10-31, 22:28
Problem! One of the scans must have changed something. I no longer go straight into Windows; it now asks for my user name and password. Well, I made the computer 5 years ago and have no clue what the password is. So I can no longer log into my computer.
Any help would be appreciated.

Rorschach112
2007-10-31, 22:41
Try this

When your PC starts, before it asks you for your password, keep pressing F8 and a list of options hopefully should pop up. Click on "Last known good configuration" and see if that will work for you.

In the meantime I will find another solution.

Swiftkill
2007-10-31, 23:19
I tried that. I also tried pulling the battery out of the motherboard for 15 minutes; no changes.

Rorschach112
2007-11-01, 00:31
I am just asking two people about your problem. I will get back to you as soon as possible.

Swiftkill
2007-11-01, 21:27
I hope I don't have to reformat. If I hook it up to another computer as a secondary slave and take my pictures off, maybe my music, that's all I care about, will the other computer get the virus?

P.S. I'd rather not do this if you happen to find a way to get into my computer.

I've tried a few more things; they didn't work, i.e. Windows CD, a program that's supposed to reset your password . . .

Rorschach112
2007-11-01, 23:44
Hello Swiftkill


I hope I don't have to reformat. If I hook it up to another computer as a secondary slave and take my pictures off, maybe my music, that's all I care about, will the other computer get the virus?

P.S. I'd rather not do this if you happen to find a way to get into my computer.

I don't want you to reformat either; I've never heard of this problem happening before after running the tools we ran. You can hook it up to your other computer as a secondary slave, and you won't have to worry about the other PC getting the virus, as we had removed it. However, there are a few more things we should try first that might fix the problem.


Please read this link and try all the steps in it
http://support.microsoft.com/kb/321305


Let me know how that goes.

Rorschach112
2007-11-04, 21:57
Hello Swiftkill

You still with me? We have a solution if you are there.

In Step #6, which program did you run first, was it ComboFix or VundoFix?


Let me know and we can fix you up.

tashi
2007-11-20, 07:14
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.