Nasty Trjn, juhmjl.exe. Can't eradicate!!

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

Courtanee

Thread Starter
Joined
Jun 24, 2005
Messages
40
I am in need of a little help. I was surfing Collegehumor.com and caught some nasty trojan. I caught it from viewing a picture (Arrrgh!!). I have done away with all the malware with the exception of one. The process name is juhmjl.exe. It causes pop-ups when I go to a new site and really slows down my Internet. My system is a Toshiba Satellite Laptop P4 with Win XP & SP1. When I look at processes running in Task Manager, it is there for only an instant and ends. I used HJT and it shows up in the log as a running process (Note: If I run HJT while Task Manager is open, it doesn't show up in the HJT log...interesting). When I follow the paths that are given (registry & directory), there is nothing. The HJT path for the registry is (HKLM\...\Run: [KavSvc] C:\WINDOWS\System32\juhmjl.exe reg_run) and there is no key that shouldn't be there. There are only manufacturer keys that run the power meter and hotkeys. I have looked in other "run" or "run once" locations under "HKey current users" and "HKEY user" and there is nothing. When I go to the directory, again, there is no file (C:\WINDOWS\System32\juhmjl.exe reg_run). Another thing, when I look in msconfig, it shows up as this (C:\WINDOWS\System32\juhmjl.exe reg_run) also. What is this reg_run at the end of the file name? How can I find this elusive juhmjl.exe?
I have my file views set to show everything (hidden folders & system files). I have googled the juhmjl.exe file and I get nothing (Google, Yahoo, & Dogpile). I have run multiple virus and adware scans and nothing comes up (adwarealert, Panda, Symantec, & McAfee). If anyone has experience with the SOB, please help.

- Courtney
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,897
Hi and welcome to TSG,

Please do this. Click here: http://www.thespykiller.co.uk/files/hijackthis_sfx.exe
to download HijackThis.

Close all open windows and open HijackThis. Click “Scan”. When the scan is finished, the scan button will change to “Save Log”. Click on “Save Log” and then save it to Notepad. Click on “Edit” – “Select all” – “copy” and then “paste” into the thread.

DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed.
 

Courtanee

Thread Starter
Joined
Jun 24, 2005
Messages
40
Here is my HJT log. This whole issue started with Aurora and Elite Bar, to name a few. I have deleted all those nuisances. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 4:11:06 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
C:\WINDOWS\System32\juhmjl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dogpile.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshiba.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\juhmjl.exe reg_run
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshiba.com
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://aumail5.american.edu/iNotes6W.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4474/mcfscan.cab
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,897
Download Find_Qoologic2.zip and save it to your Desktop.

http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981


Extract (unzip) the files inside into their own folder called FindQoologic.
Open the FindQoologic folder.

Locate and double-click the Find-Qoologic.bat file to run it. Wait until a text file opens, then post it in a reply to your thread.

You might find you get an error message when first running this file. If so, close it, run it again and wait until file.txt opens on the desktop.

Ignore the first list that opens with a long list of files and wait for FILE.TXT to pop up.

It normally takes somewhere between 10 and 15 minutes, depending on your computer.
 

Courtanee

Thread Starter
Joined
Jun 24, 2005
Messages
40
That is an interesting tool. Here is file.text:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\IBOGINP.DLL
* KavSvc C:\WINDOWS\System32\KQODK.DLL
* KavSvc C:\WINDOWS\System32\PCNUPYE.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* KavSvc C:\WINDOWS\System32\WVINW.DLL
* aspack C:\WINDOWS\System32\AYWVA.DAT
* aspack C:\WINDOWS\System32\JUHMJL.EXE
* aspack C:\WINDOWS\System32\NQDONXC.EXE
* aspack C:\WINDOWS\System32\PCNUPYE.DLL
* aspack C:\WINDOWS\System32\WVINW.DLL
* UPX! C:\WINDOWS\System32\IBOGINP.DLL
* UPX! C:\WINDOWS\System32\SCOPENR.DLL
* UPX! C:\WINDOWS\System32\SICON.DLL
* UPX! C:\WINDOWS\System32\SS.DLL
* UPX! C:\WINDOWS\System32\SUPDATE.DLL
* UPX! C:\WINDOWS\System32\SVC.DLL
* UPX! C:\WINDOWS\System32\THIN.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\KCRT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini
kcrt.exe

User Startup:
C:\Documents and Settings\Courtney Schrader\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\nkmqnsgq
<NO NAME> REG_SZ {2c3c98fb-ee34-4c21-9d52-4c71c990f097}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
 

Courtanee

Thread Starter
Joined
Jun 24, 2005
Messages
40
I went through and tried looking for the files. I am unable to find them in their designated locations. They are there, I just can't see them. I tried looking for them in safe mode and still no luck. How can I make it to where I can view the files? I have set all my folder views to show everything. One of the files I found, I looked at it with Notepad. There were lines in there so that the tasks wouldn't appear in Task Manager. Could it be that the files are written so that I am not able to view them with Explorer? I was able to get to SUPDATE.DLL, but here is a list of the files I can't view.

* KavSvc C:\WINDOWS\System32\IBOGINP.DLL
* KavSvc C:\WINDOWS\System32\KQODK.DLL
* KavSvc C:\WINDOWS\System32\PCNUPYE.DLL
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* KavSvc C:\WINDOWS\System32\WVINW.DLL
* aspack C:\WINDOWS\System32\AYWVA.DAT
* aspack C:\WINDOWS\System32\JUHMJL.EXE
* aspack C:\WINDOWS\System32\NQDONXC.EXE
* aspack C:\WINDOWS\System32\PCNUPYE.DLL
* aspack C:\WINDOWS\System32\WVINW.DLL
 

Courtanee

Thread Starter
Joined
Jun 24, 2005
Messages
40
I tried looking for the files from the command prompt and I was able to see them there. I went ahead and deleted them and the problem is no more. I have never seen files that were able to hide themselves from view with Windows Explorer. Thanks for all the help!!!
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
121,897
Download Killbox here: http://www.thespykiller.co.uk/files/killbox.exe and save it to your desktop but don’t run it yet.

Then boot to safe mode:


How to restart to safe mode:
http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam

Now configure your computer to show all hidden files and folders like so:

Go to Start - Search and under "More advanced search options", make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders."

Next, click on My Computer, Go to Tools - Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders." Click "Apply" and then "OK."


Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\IBOGINP.DLL
C:\WINDOWS\System32\KQODK.DLL
C:\WINDOWS\System32\PCNUPYE.DLL
C:\WINDOWS\System32\SUPDATE.DLL
C:\WINDOWS\System32\WVINW.DLL
C:\WINDOWS\System32\AYWVA.DAT
C:\WINDOWS\System32\JUHMJL.EXE
C:\WINDOWS\System32\NQDONXC.EXE
C:\WINDOWS\System32\PCNUPYE.DLL
C:\WINDOWS\System32\WVINW.DLL
C:\WINDOWS\System32\IBOGINP.DLL
C:\WINDOWS\System32\SCOPENR.DLL
C:\WINDOWS\System32\SICON.DLL
C:\WINDOWS\System32\SS.DLL
C:\WINDOWS\System32\SUPDATE.DLL
C:\WINDOWS\System32\SVC.DLL
C:\WINDOWS\System32\THIN.DLL
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KCRT.EXE


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Exit the Killbox.

Reboot and post another Hijack This log please.
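
Added example (not part of the original posts and not code from HijackThis, Find-Qoologic or Killbox): a Python sketch that cross-references the O4 Run entries from the HijackThis log with the Find-Qoologic hits posted above, treating the trailing `reg_run` as a command-line argument rather than part of the file name and comparing paths case-insensitively. The function names and the choice of which hit lines to embed are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log and Find-Qoologic file.txt in this thread (subset of hits).
HJT_LOG = r"""
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\juhmjl.exe reg_run
"""
FINDER_OUTPUT = r"""
* KavSvc C:\WINDOWS\System32\IBOGINP.DLL
* KavSvc C:\WINDOWS\System32\PCNUPYE.DLL
* aspack C:\WINDOWS\System32\JUHMJL.EXE
* aspack C:\WINDOWS\System32\PCNUPYE.DLL
* UPX! C:\WINDOWS\System32\IBOGINP.DLL
* exe C:\docume~1\alluse~1\startm~1\programs\startup\KCRT.EXE
"""

O4_RE = re.compile(r"^O4 - \S+\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HIT_RE = re.compile(r"^\* (?P<tag>\S+) (?P<path>[A-Za-z]:\\.+)$")
# The image path ends at the first executable extension followed by a space or end of line.
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|com|bat|cmd|scr))"?(?:\s+(?P<args>.*))?$', re.I)

def parse_autoruns(log):
    """Return (value name, image path, arguments) for each O4 Run entry."""
    out = []
    for m in filter(None, map(O4_RE.match, map(str.strip, log.splitlines()))):
        im = IMAGE_RE.match(m["cmd"])
        image, args = (im["image"], im["args"] or "") if im else (m["cmd"], "")
        out.append((m["name"], image, args))
    return out

def parse_hits(text):
    """Map each lower-cased path to the sorted signature tags that matched it."""
    hits = defaultdict(set)
    for m in filter(None, map(HIT_RE.match, map(str.strip, text.splitlines()))):
        hits[m["path"].lower()].add(m["tag"])
    return {p: sorted(t) for p, t in hits.items()}

def flagged_autoruns(log, finder_text):
    """Autorun entries whose image was also flagged, compared case-insensitively."""
    hits = parse_hits(finder_text)
    return [(n, img, args, hits[img.lower()])
            for n, img, args in parse_autoruns(log) if img.lower() in hits]

if __name__ == "__main__":
    print(flagged_autoruns(HJT_LOG, FINDER_OUTPUT))
```

Because `parse_hits` keys on the path, a file matched by more than one signature (for example PCNUPYE.DLL) appears once with all of its tags, which gives a de-duplicated list of files to review.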
 