Downloader.Generic6.AKFS

Status
Not open for further replies.
Hello Guys,
I have a very nasty virus. Here's what it did:

It attacked my AVG and turned it off and does not allow re-installation.
Turned off my firewall and will not allow it to be turned back on (Comodo).
The PC will no longer start in Safe Mode...
As soon as it sees HijackThis it attacks it (amongst many others) and prevents it from running. It does this by changing one byte near the beginning of the file (0x4C changed to 0x00). The result is "This is not a valid Win32 application". However, by changing the name of HiJackThis_v2.exe to Jack2.exe it did not spot it and allowed it to execute. I've shown the log below.

I removed the HDD and have checked it on other PCs with the latest anti-virus software: McAfee, Sophos and AVG. Until today they found nothing, but this morning AVG reports finding Downloader.Generic6.AKFS. I can find no info on this, not even on the AVG website.

Please help.

Many thanks
Andy

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:02:42, on 28/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Program Launcher\launch.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Cadence\license_manager\lmgrd.exe
C:\WINDOWS\system32\crypserv.exe
C:\Cadence\license_manager\lmgrd.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Cadence\license_manager\CDSLMD.exe
C:\WINDOWS\system32\PGPserv.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\svchost.exe
L:\Jack2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Program Launcher 95] C:\Program Files\Program Launcher\launch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ntdsbcli32 - ntdsbcli32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Cadence License Manager - Macrovision Corporation - C:\Cadence\license_manager\lmgrd.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\Cadence\SPB_15.5\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
O23 - Service: PMService - Unknown owner - C:\Program Files\richcomm\PowerManagerII\PMService.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
O23 - Service: VPOP3 Email Server (VPOP3) - Unknown owner - C:\PROGRA~1\vpop3\vpop3svc.exe

--
End of file - 5941 bytes
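The post above describes the malware breaking HijackThis by zeroing a single byte near the start of the executable, which makes Windows refuse it as "not a valid Win32 application". The following is an added example, not code from the thread, of the two checks a practitioner would run on a tool binary before trusting it: validate the DOS/PE header signatures that the Windows loader requires, and compare the file's SHA-256 against a hash recorded from a known-clean copy. The sample "executable" is a constructed header-only stub, and the byte offsets corrupted here are chosen for illustration; the post does not say which offset the malware patched.

```python
"""Detect header tampering in a Win32 executable: signature checks plus a
known-good hash comparison. Added example with a constructed PE stub."""
import hashlib
import struct

IMAGE_DOS_SIGNATURE = b"MZ"       # bytes 0-1 of every PE image
IMAGE_NT_SIGNATURE = b"PE\0\0"    # located at the offset stored in e_lfanew (0x3C)


def check_pe_headers(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). These are the same signature checks the Windows
    loader performs before it reports 'not a valid Win32 application'."""
    if len(data) < 0x40:
        return False, "file shorter than a DOS header"
    if data[:2] != IMAGE_DOS_SIGNATURE:
        return False, f"bad DOS signature {data[:2]!r} at offset 0"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False, f"e_lfanew 0x{e_lfanew:x} points past end of file"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, f"bad PE signature at offset 0x{e_lfanew:x}"
    return True, "DOS and PE signatures intact"


def build_minimal_pe() -> bytes:
    """Constructed sample: a 64-byte DOS header whose e_lfanew points at a PE
    signature at offset 0x40, followed by a zeroed COFF header placeholder.
    Not a runnable program, just enough header to exercise the checks."""
    dos = bytearray(0x40)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + IMAGE_NT_SIGNATURE + b"\0" * 20


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def corrupt_byte(data: bytes, offset: int, value: int = 0) -> bytes:
    """Simulate the single-byte patch described in the post (offset is assumed)."""
    buf = bytearray(data)
    buf[offset] = value
    return bytes(buf)


def verify_against_known_good(data: bytes, known_good_sha256: str) -> dict:
    """Combine the structural check with an integrity check. A header that
    passes but a hash that differs still means the binary was modified."""
    ok, reason = check_pe_headers(data)
    digest = sha256_hex(data)
    return {
        "headers_ok": ok,
        "reason": reason,
        "hash_matches": digest == known_good_sha256,
        "sha256": digest,
    }


if __name__ == "__main__":
    clean = build_minimal_pe()
    reference = sha256_hex(clean)  # in practice, recorded from a clean copy
    print("clean   :", verify_against_known_good(clean, reference))
    patched = corrupt_byte(clean, 0x40)  # zero the 'P' of the PE signature
    print("patched :", verify_against_known_good(patched, reference))
```

Renaming the tool, as the post did, only defeats a name-based kill list; the hash comparison is what tells you whether the copy you are about to run is the one you downloaded, and should be done from a clean machine, as the poster did by moving the disk.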
 
I am not a qualified HJT log viewer, but I do not see any issues (malware or otherwise) with your HJT log.

Regarding Downloader.Generic6.AKFS

This trojan may be Win32/SillyDl.DNM

Win32/SillyDl variants may download other trojans, or non-malicious programs such as adware. At any given moment in time, the program(s) it attempts to download may be changed or updated, or may be unavailable altogether. This family of trojans usually downloads using HTTP.

In order to avoid SillyDl infections it is important to follow safe computing practices, such as keeping your Operating System and third party applications up to date and patched with the latest updates, and using an Anti-Spyware and Adware solution.

Risk Level 1: Very Low (Any AntiVirus Spyware program will do)

And can be associated with: (Please remove these if found)
C:\WINDOWS\System32\akfs
File.exe

Or possibly coming in through your email program, VPOP3 Mail Server.
By the way, why are you using this email program?
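The reply above reads the HijackThis log by eye. As an added example that is not part of the thread, here is a small triage pass over HJT log lines that flags the entries a reviewer normally looks at first: anything marked "(file missing)", O23 services with no vendor name ("Unknown owner"), and O20 Winlogon Notify entries, which load at every logon. The sample lines are copied from the log posted above; the flags are prompts for manual review, not verdicts, since the same log shows legitimate license managers reported as "Unknown owner".

```python
"""Triage HijackThis log entries for items worth a second look.
Added example; sample lines are taken from the log posted in this thread."""
import re

# HJT lines look like "O23 - Service: ..." or "R0 - HKCU\...".
HJT_LINE = re.compile(r"^([A-Z]\d+) - (.*)$")

SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [PS2] C:\\WINDOWS\\system32\\ps2.exe
O20 - Winlogon Notify: ntdsbcli32 - ntdsbcli32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\guard.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\\WINDOWS\\system32\\bgsvcgen.exe
O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\\Cadence\\SPB_15.5\\IntelliCAD 4\\LicenseManager\\lmgrd.exe (file missing)
O23 - Service: PMService - Unknown owner - C:\\Program Files\\richcomm\\PowerManagerII\\PMService.exe
O23 - Service: VPOP3 Email Server (VPOP3) - Unknown owner - C:\\PROGRA~1\\vpop3\\vpop3svc.exe
"""


def triage_hjt(log_text: str) -> list:
    """Return one finding per flagged entry: section, entry text, reasons."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            # A registry/service entry whose target is gone: either leftover
            # from an uninstall or a removed component (possibly by malware).
            reasons.append("referenced file missing")
        if section == "O23" and "Unknown owner" in body:
            # No company name in the binary's version info. Common for small
            # vendors, so confirm the path and publisher by hand.
            reasons.append("service binary has no vendor name")
        if section == "O20":
            # Winlogon Notify DLLs run inside winlogon.exe at every logon,
            # a favourite persistence point; anything here gets reviewed.
            reasons.append("Winlogon Notify entry loads at logon")
        if reasons:
            findings.append({"section": section, "entry": body, "reasons": reasons})
    return findings


def summarise(findings: list) -> dict:
    """Count how many entries were flagged for each reason."""
    counts = {}
    for f in findings:
        for r in f["reasons"]:
            counts[r] = counts.get(r, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f['section']}: {f['entry']}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print(summarise(triage_hjt(SAMPLE_LOG)))
```

Run it against a full saved log (`triage_hjt(open("hijackthis.log").read())`) and work through the flagged entries; entries with both "file missing" and "no vendor name" deserve the first look.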
 
Yes, I couldn't see anything either that's why I posted it here for someone more knowledgeable to cast an eye over.

AVG has managed to remove this problem. All "seems" well now.

In order to avoid SillyDl infections it is important to follow safe computing practices, such as keeping your Operating System and third party applications up to date and patched with the latest updates, and using an Anti-Spyware and Adware solution.
I do, I update AVG every night, and I install all the XP security updates as they appear.

You may ask why I use AVG and not McAfee or another mainstream (paid-for) product. Well, AVG was the first of them to find the problem.

Or possibly coming in through your email program, VPOP3 Mail Server.
By the way, why are you using this email program?
Strange question. Why do we use any software, to make our lives easier?
OK, you asked so I'll tell you. I use VPOP3 because I have many email accounts, and using VPOP3 is one way to collect them all together in one place and then filter to different users.

Many thanks
Andy
 
Strange question. (re: email client)
Why I asked is because most of these infections come through users' mail programs, and some programs (e.g. Outlook) have good spam and filtering control.

You may ask why I use AVG
Definitely not. AVG is a world leader, and Grisoft also offer some of the best spyware-removing programs. I'd say stick with them. But you may want to include a good firewall too (unless this is AVG Internet Security).

All "seems" well now.
That's great

Many thanks
Andy
Thank-you too, I hope you are satisfied with the support :)
 
Thanks, and yes, the support was great.

I do use firewall software. I use Comodo and Kerio (on different PCs :) ) and am happy with both.

What do you think of those two, and would you recommend any others?

Many thanks
Andy
 
They're fine.

But any firewall is only as good as the settings that have been entered, i.e. Block all is perfect :)

Anyway, have to go for a while.

Please continue to use (and recommend) TechSpot to others
 