Trojan? - Kevejekim.exe

While running Windows Update on my Windows 2000 machine, Avast! started picking up a number of ‘trojan’ files and recommended that I place them in the chest, which I did. However, the same files kept popping back up again and again and I also started receiving messages telling me the ‘trojan’ file could not be found. My question is this:

Is Avast! picking up Windows Update files and flagging them as trojan files?

My machine has the Sasser patch already installed and is currently running SP4

One of the trojan files it found is called ‘KEVEJEKIM.exe’

The other puzzling thing is while checking through Windows Task Manager I noticed a number of processes running that I have never seen before:

umwxupa.exe
uhapayire.exe
gewosow.exe
etineune.exe
hujiwege.exe
wenetoh.exe

Does anyone recognise any of these? And are they malicious?

Thanks for your time :slight_smile:

Dave

Could you copy and paste your hijackthis log here please.

You can get the latest hijackthis from here: http://www.merijn.org/files/hijackthis.zip

–lee

Hahahah you must be joking :smiley: this machine was running slower than an elderly tortoise with no legs! I sent that message at work, I’ve just re-installed Win 2K, SP4 and the Sasser Patch. I’m currently using the internet without Avast! installed and I haven’t got around to putting the updates on. Currently the machine is running nice and smooth with the internet running as should be.

I don’t want to go through all that hassle again! Should I put the updates on first then install Avast!? Is Avast! picking up the Microsoft Update files as Trojans?

Spoke too soon :frowning: system is acting real strange now. Slow doing anything and mouse cursor bouncing all over the screen ‘wiping’ the screen to show what’s underneath. Not happy, here’s the hijackthis log…

Logfile of HijackThis v1.99.1
Scan saved at 00:50:25, on 22/04/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\SCardClnt.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\bootmng.exe
C:\WINNT\system32\wncdvbrwxc.exe
C:\WINNT\system32\internat.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Documents and Settings\SLAG1\My Documents\hijackthis\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Boot Manager] bootmng.exe
O4 - HKLM\..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKLM\..\RunServices: [Boot Manager] bootmng.exe
O4 - HKLM\..\RunServices: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [Boot Manager] bootmng.exe
O4 - HKCU\..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{A469E710-7DDE-41DF-979B-28CD3FD63FF5}: NameServer = 62.241.162.200 158.43.240.3
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\system32\SCardClnt.exe

Help!

EXTRACT FROM EDDY’S HIJACKTHIS LOG ANALYSER:


CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

Old version of Internet Explorer detected, please update.
Your operating system is not up to date. (Latest service pack not installed)
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


GENERAL INFORMATION :

All items in the original HijackThis log file which
are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

For email support on this application : hjtbeta@yahoo.com

Use www.google.com to find out more on items
not listed here or if you have doubts.

In addition to this application, you can also analyze the
original HijackThis log online at: http://hijackthis.de


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\winnt\web\related.htm


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe


THE FOLLOWING ITEMS ARE SAFE TO KEEP :

\winnt\system32\smss.exe
\winnt\system32\winlogon.exe
\winnt\system32\services.exe
\winnt\system32\lsass.exe
\winnt\system32\svchost.exe
\winnt\system32\spoolsv.exe
\winnt\system32\svchost.exe
\winnt\system32\regsvc.exe
\winnt\system32\mstask.exe
\winnt\system32\wbem\winmgmt.exe
\winnt\system32\svchost.exe
\winnt\explorer.exe
\program files\thomson\speedtouch usb\dragdiag.exe
\winnt\system32\internat.exe
\winnt\system32\wuauclt.exe
o3 - toolbar: @msdxmlc.dll
-1@1033
&radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\winnt\system32\msdxm.ocx
o4 - hklm\..\run: [synchronization manager] mobsync.exe /logon
o4 - hklm\..\run: [speedtouch usb diagnostics] "c:\program files\thomson\speedtouch usb\dragdiag.exe" /icon
o4 - hkcu\..\run: [internat.exe] internat.exe

Here is the online scan of your log: http://hijackthis.de/logfiles/32e43f2a505332b4baf030e88adc0d5b.html

Hi kouryou,

Remove these:

O4 - HKLM\..\Run: [Boot Manager] bootmng.exe
O4 - HKLM\..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKLM\..\RunServices: [Boot Manager] bootmng.exe
O4 - HKLM\..\RunServices: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKCU\..\Run: [Boot Manager] bootmng.exe
O4 - HKCU\..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A469E710-7DDE-41DF-979B-28CD3FD63FF5}: NameServer = 62.241.162.200 158.43.240.3
O23 - Service: Smart Card Client (SCardClnt) - Unknown owner - C:\WINNT\system32\SCardClnt.exe

These are also safe to remove: (they are not malware though, so what to remove is up to you)

Internet Explorer Toolbar
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

Unneeded AutoStart Programs
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Internet Explorer Extra ‘Tools’ menuitems and buttons
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Then run a boot-time scan with Avast set to scan inside archives (Open Avast > Menu (top left-hand corner) > Boot time scan)

Then run any spyware scanners you have (Spybot/Ad-aware etc)

Then search for and delete these files: (if there)

KEVEJEKIM.exe
umwxupa.exe
uhapayire.exe
gewosow.exe
etineune.exe
hujiwege.exe
wenetoh.exe
bootmng.exe
wncdvbrwxc.exe
SCardClnt.exe

Then remove any temp files you may have, you can use CCleaner for this if you want: http://www.filehippo.com/download/ncAOCJr-Om3Lq35Rh3QQoQ2/download.html

Then go to Windows Update and fully update your OS and browser (www.windowsupdate.com)

Then let us know if your problem is solved

–lee
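Added example (not part of the original posts, and not HijackThis or analyser code): a small triage script that parses the O4 registry autostart lines of a HijackThis log and lists programs registered under more than one autostart key, which is the pattern shared by the `bootmng.exe` and `wncdvbrwxc.exe` entries in the removal list above. The function names and the two-key threshold are assumptions made for this illustration; a hit is a reason to look closer, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: the O4 lines of the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM..\Run: [Boot Manager] bootmng.exe
O4 - HKLM..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKLM..\RunServices: [Boot Manager] bootmng.exe
O4 - HKLM..\RunServices: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - HKCU..\Run: [internat.exe] internat.exe
O4 - HKCU..\Run: [Boot Manager] bootmng.exe
O4 - HKCU..\Run: [Vrcn Microsoft Config] wncdvbrwxc.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# Matches registry O4 lines with or without the backslash after the hive name.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\?\.\.\\(\w+): \[(.+?)\] (.+)$")

def exe_name(command):
    """Return the lower-cased file name of the program a Run value starts."""
    command = command.strip()
    if command[0] in '"\u201c':                      # quoted path, straight or curly
        path = re.split('["\u201d]', command[1:], maxsplit=1)[0]
    else:
        path = command.split()[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_o4(log_text):
    """Yield (key, value_name, exe) for every registry O4 line; others are skipped."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            yield f"{hive}\\{key}", name, exe_name(command)

def multi_key_autostarts(log_text, threshold=2):
    """Map exe -> sorted autostart keys, for exes present in >= threshold keys."""
    keys = defaultdict(set)
    for key, _name, exe in parse_o4(log_text):
        keys[exe].add(key)
    return {exe: sorted(k) for exe, k in keys.items() if len(k) >= threshold}

if __name__ == "__main__":
    for exe, keys in multi_key_autostarts(SAMPLE_LOG).items():
        print(f"{exe}: {', '.join(keys)}")
```

On the sample, only the two programs present in all three keys are reported; the single-key entries (`mobsync.exe`, `Dragdiag.exe`, `internat.exe`) and the Global Startup shortcut are not.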