jkkli = nasty
shedrick
post Dec 29 2007, 06:55 PM
Post #1

Hey all. First time on here and first post. I wanted to share this story with you all. Maybe someone will find it useful. Just as a quick summary (before the whole story), I found jkkli.dll and jkkli.exe on my friend's computer and was helping him remove it. I used the latest VundoFix, but VundoFix could not remove it (well, it DID remove it, but it would keep coming back).

The computer is running Vista 32-bit (all security patches automatically applied). And a bit about me: I'm a computer programmer and I have also had jobs managing computer systems, so I know the basics of the Windows OS/registry/startup/etc. (however, I don't have much experience with Vista). I'm also a network engineer.

My friend started noticing popup browser windows opening up without him doing anything. I then also noticed that his hard drive light was consistently and constantly showing activity (when it really shouldn't have been).

So I started poking around and noticed a couple of things:
- I checked through all of the typical "Run" registry settings for both LM and User and noticed several weirdos. There was something called "MSServer" that was loading a weirdly named DLL from windows\system32. And there was a command that used rundll32 to load the DLL c:\windows\system32\jkkli.dll.

- I looked at the Windows Defender history and noticed that it had recorded several "unknowns" that corresponded to those weirdos I noticed in the "Run" registry stuff.

So, the first thing I did was a search through the registry for "jkkli" just to see where it all existed. I found two classes that pointed to this jkkli.dll file, so I wrote down those class IDs and used those to also search through the registry. I found those classes being loaded as Browser Helper Objects.

Now, I'm the kind of geek that tries to do stuff myself, so I started trying to remove this myself. The basic thing I was going to try was to simply remove the files and remove any trace of that info from the registry (both keys that directly have "jkkli" and also any class references that pointed to those DLLs).

I started with "jkkli", searching through the registry and removing the appropriate keys/values... Now here was the weird thing that took me a few 'deletions' to notice. I found a reference to jkkli.dll in a multi-string key called "Authentication Providers" (sorry, don't remember the full path). After I removed this entry in that key and saved it, I happened to open it up again and IT WAS BACK AGAIN immediately! So I thought: OK, I did something wrong, and tried it again... but sure enough, it behaved as if I hadn't saved it at all. So I then refreshed the registry and noticed that ALL of the keys I had removed came back again. I started confirming this... One of the keys that jkkli.exe was found in was HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows. In this key is a string called "Load" that had the value "c:\windows\system32\jkkli.exe". I deleted it and it was immediately back in.

OK, at this point I ran Sysinternals' Regmon utility (I always keep those Sysinternals tools around: regmon, filemon, procexp, etc.). As soon as I started Regmon, it was quite obvious what was happening. jkkli.dll itself was continually opening/querying all of its registry keys/values, and if it noticed that it got removed from those, it would immediately write them back in! This was happening several times a second (thus the slowness of the computer). Great, so now instead of dealing with removing a benign little hijacker, I was dealing with something a lot more malicious... something that was trying to be self-preserving. So all of this explains the constant/continual hard drive light.

Alright, now seeing that if jkkli.dll itself was running and constantly putting registry values back in, I'd have no chance of getting rid of this if I couldn't unload jkkli.dll. Using Sysinternals' procexp utility, I found that jkkli.dll was pretty deeply embedded (I think it was in lsass.exe and explorer.exe as well as rundll32.exe).

What I decided to try was removing the files jkkli.dll and jkkli.exe. This is how I did that:
1. Boot from the Windows Vista DVD.
2. Select "repair my computer".
3. After clicking on the OS and selecting Next, you get a list of tools. I clicked on "Command Prompt". This gives you full access to your hard drive files (regardless of NTFS/FAT32).
4. Using this command prompt, I went to windows\system32 and deleted jkkli.exe and jkkli.dll.

At this point, I'm thinking: OK, I got you finally! I'd just boot up the computer, then remove all of the registry keys left behind, and I'd be done... right?

I booted up and, as expected, received an error from "desktop" that it couldn't load "c:\windows\system32\jkkli.exe"... fine. Before clicking "OK", I went to a command prompt and looked to confirm that jkkli.dll and jkkli.exe were missing... yep, still gone. I then clicked "OK" on that message and the rest of the startup stuff continued to load...

I started removing those registry keys again, and what do I see? They are popping back in again magically! Sigh. OK, I then looked in windows\system32 and lo and behold... jkkli.dll and jkkli.exe are back.

OK, at this point I got kind of lucky, because of this fact: when you have something in that CU\S\M\Windows NT\CurrentVersion\Windows\Load string, if what it's trying to load is missing, it pauses the rest of the startup stuff. Because of this fact, and the fact that I happened to notice that jkkli.dll did NOT exist up to the point of the message but then did exist after I clicked OK, I had a great opportunity to figure this out.

Enter FileMon, another Sysinternals utility. This one monitors all open/query/write/close file activity on your computer. So here's what I did:
1. Rebooted the computer using the DVD and went through the process of removing jkkli.dll and jkkli.exe again.
2. When the computer came back up, I again received the "can't load..." message.
3. At this point, I ran Filemon and then clicked the OK button on that message.
4. After I confirmed jkkli.dll existed again, I stopped Filemon from capturing events and searched through and analyzed the Filemon log.

After seeing this log, I now see that our little malicious spyware is not benign at all... in fact, I'd consider this a malicious trojan/virus.

To make an already too long story shorter, here is what I was noticing: CTHELPER.EXE (a utility that is included with Sound Blaster software) was RECREATING jkkli.dll. After a lot more investigating, I'll just try and sum up what was going on:

Every application on my friend's computer that is included in HKLM\S\M\Windows\CurrentVersion\Run had been re-written. I found this in:
- Adobe's "AdobeUpdater.exe"
- Nero's "NeroCheck.exe"
- Winamp's "Winampa.exe" (winamp agent)
- Creative Labs' CTHELPER.EXE and CTXIFHLP.EXE
- McAfee's "UdaterUI.exe" (its updater program).
- QuickTime's updater (qtsomething.exe.. can't remember)

For each of those programs listed above, this UNDETECTABLE VIRUS had done the following:
1. Made a copy of the original file in the same directory, but added a space in front of the .exe. So for example, it would copy "NeroCheck.exe" to "NeroCheck .exe" (note the space).
2. It then re-wrote those executables so that when they ran, in addition to doing whatever that program did, they would recreate jkkli.dll. Probably some kind of smart "wrapper" got added to the executable so that the original code of that file was still intact and worked, but in addition, it would check for jkkli.dll and, if it didn't exist, it had the ability to create it.

So we had six normal applications that all had code that could re-write jkkli.dll if it was missing...

Another thing I noticed is that if I manually put the .exe back, the jkkli.exe program that got re-created would re-hijack that application.

WHAT A MESS... so we have the original virus that re-wrote all startup apps so that if the virus was removed, any one of those startup apps could re-write it... and if those startup apps were fixed, the virus itself would re-hijack them.

During all of this discovery/research, I ran the latest VundoFix... it did find jkkli.dll and jkkli.exe and it did remove them... but because all of the hijacked startup programs had the ability to recreate jkkli.*, VundoFix didn't completely clear it... after one reboot, it's back.

So in the end, here is what I did to get rid of this (and I'm sure I could have done this another way):
1. I manually uninstalled/removed all of those programs above (Nero, QuickTime, Adobe Reader/Updater, Winamp, McAfee VirusScan). NOTE: I also manually removed the folders so that those remnant virus files were removed as well.
2. I rebooted to the DVD and ran "Repair" and "Command Prompt".
3. I removed jkkli.exe and jkkli.dll.
4. I manually fixed CTHELPER.EXE and CTXIFHLP.EXE, i.e.: del CTHELPER.EXE, then rename "CTHELPER .EXE" CTHELPER.EXE.
5. Restarted the computer.
6. Manually cleaned up all registry keys that referenced jkkli and the class keys that pointed to jkkli.

That seemed to get rid of it finally.

Anyway, I felt I'd share this as I couldn't find any mention of this extremely malicious version of jkkli.dll/.exe anywhere. I mean, I found mention of that, but not of the fact that the startup applications all got re-written so that jkkli.dll/.exe would get re-created by any one of them.

Hope this helps someone down the road.

Oh, and PS: I tried to get my friend to help me figure out HOW/WHERE he got this from, but couldn't pinpoint it exactly. What I do know is that he downloaded a YouTube converter program (not going to say which, as it's not the culprit) at roughly the same time that all of this started happening (I know the time from looking at the Windows Defender logs). However, I don't think that program itself is the issue. He then started looking for a "serial number" online for it... I noticed that he went to about three sites for downloading a "crack/serial/keygen" for the program... I'm 99 percent certain that is where he got this from. I think the sites he hit and tried downloading this from were (he's got cookies for these three sites, all created at roughly the same time this all started happening):

- crackserialkeygen.com
- dollarwarez.com
- fulldownloads.us

He has one more odd cookie that points to an IP address only: 82.98.235.70. This cookie was created at roughly the same time as well.

I Googled that IP address and all I get are hits about it being related to malware/adware...

A reverse DNS query shows:
Query for 70.235.98.82.in-addr.arpa type=255 class=1
235.98.82.in-addr.arpa SOA (Zone of Authority)
Primary NS: ns.mycyberhosting.com
Responsible person: sysadmin@mycyberhosting.com

Also, if I do a whois on that IP, it's part of the entire 82.0.0.0 class A block owned by RIPE Network Coordination Centre in Amsterdam.

Anyway, something he downloaded from one of those sites is what started all of this.

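The post's observation that each hijacked Run-key program kept its original beside it with a space inserted before the extension ("NeroCheck .exe") is something you can sweep a disk for. The following is an added example, not code from the post or from any tool named in it: it walks a directory tree, pairs every "name .ext" file with its "name.ext" twin in the same directory, hashes both to show they differ, and implements step 4 of the post's cleanup (delete the rewritten binary, rename the spaced copy over it). The sample tree it builds is constructed for the example; only the file names come from the post. As the post warns, restoring a binary is only useful once the dropper itself is gone, since jkkli.exe re-hijacked restored files.

```python
"""Find "NeroCheck .exe" style backup copies beside rewritten binaries.

Added example, not code from the forum post. Pairs each 'name .ext'
file with its 'name.ext' neighbour, compares hashes, and can put the
original back. The fixture tree is constructed here for illustration.
"""
import hashlib
import os
import re
import shutil
import tempfile

# A file name ending in "<non-space><space><.ext>" is the tell-tale shape.
SPACED_NAME = re.compile(r"^(?P<stem>.*\S) (?P<ext>\.[^. ]+)$")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_spaced_siblings(root):
    """Return [(modified_path, backup_path, same_content)] for every
    'name .ext' file whose 'name.ext' twin exists in the same directory.
    Names are matched case-insensitively, as NTFS would treat them.
    A spaced file with no twin (e.g. an oddly named readme) is ignored."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            m = SPACED_NAME.match(name)
            if not m:
                continue
            twin = (m.group("stem") + m.group("ext")).lower()
            if twin not in by_lower:
                continue
            backup = os.path.join(dirpath, name)
            modified = os.path.join(dirpath, by_lower[twin])
            findings.append((modified, backup,
                             sha256_file(modified) == sha256_file(backup)))
    return sorted(findings)


def restore_original(modified, backup):
    """Step 4 of the post's cleanup: delete the rewritten binary and
    rename the spaced copy over it. Returns the restored path."""
    os.remove(modified)
    os.rename(backup, modified)
    return modified


def build_fixture():
    """Constructed sample tree (not a real infection); returns its root."""
    root = tempfile.mkdtemp(prefix="jkkli-demo-")
    nero = os.path.join(root, "Nero")
    creative = os.path.join(root, "Creative")
    os.makedirs(nero)
    os.makedirs(creative)
    # Rewritten binary plus the original kept with a space before .exe.
    # Contents are placeholders standing in for real PE files.
    pairs = [
        (nero, "NeroCheck.exe", "NeroCheck .exe"),
        (creative, "CTHELPER.EXE", "CTHELPER .EXE"),
    ]
    for d, modified, backup in pairs:
        with open(os.path.join(d, modified), "wb") as f:
            f.write(b"MZ original-code + dropper-stub")
        with open(os.path.join(d, backup), "wb") as f:
            f.write(b"MZ original-code")
    # Spaced name with no twin: must not be reported.
    with open(os.path.join(creative, "readme .txt"), "wb") as f:
        f.write(b"notes")
    return root


def cleanup_fixture(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_fixture()
    for mod, bak, same in find_spaced_siblings(demo_root):
        print(f"{mod}  <-  {bak}  (identical: {same})")
    cleanup_fixture(demo_root)
```

On a real machine point `find_spaced_siblings` at `C:\Program Files` (and the other Run-key program directories) rather than the fixture; a pair whose hashes are identical is just a stray copy, while a pair that differs is exactly the rewritten-plus-backup pattern the post describes.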
shedrick
post Dec 29 2007, 07:49 PM
Post #2

Oh, and for those curious: those Sysinternals utilities like Filemon/Regmon/etc. are now part of Microsoft's world.

http://technet.microsoft.com/en-us/sysinternals/default.aspx

And it looks like the better utility is now called "Process Monitor"... it combines Filemon/Regmon and is supported on Vista/etc.

Lots of great utilities here.
JohnBlenk
post Dec 29 2007, 09:29 PM
Post #3

This is really helpful, thanks for the detailed explanation. Your comment about searching for keycodes rings a bell with me; like an idiot, I was doing the same thing just before Xmas.

Following my earlier post on the forum, I suspect that jkkli is just one possible name for the same basic virus/trojan, and that means that to follow your steps each user would have to work out what the relevant Vundo .exe is called on their machine. It's certainly not on my machine, but something doing exactly the same thing is. Apologies if your post explained how to find that out; it's been many years since I had to immerse myself this deep in technical stuff just to try and keep my machine running!

Thanks
shedrick
post Dec 30 2007, 12:14 AM
Post #4

There are several ways to find out what the name of the file might be (if you've got the same kind of virus/trojan thing I had, but maybe just using a different random .dll/.exe name).


Perhaps the easiest would be to look at the registry key "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows". In that key will be a string value called "Load". If that contains anything suspicious that loads a .exe file from "c:\windows\system32", that might help identify it.

You could also use Regmon or Procmon to monitor your registry. If you see the same activity over and over doing an "open" and "query" on those "Run" and "Load" keys, then that is a good bet to be the virus/trojan file (those utilities will show you which file/process is doing that registry activity).



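Both the Regmon session in post #1 (jkkli.dll re-writing its Run/Load entries several times a second) and the Procmon suggestion in post #4 amount to the same check: find the process that keeps setting the same autostart value. The following is an added example, not code from the thread or from Sysinternals. It reads a Process Monitor CSV export (File > Save, CSV format, whose columns are "Time of Day","Process Name","PID","Operation","Path","Result","Detail"), keeps RegSetValue operations on the autostart paths the thread names (Run, the Load value, Browser Helper Objects), counts them per process and path, and pulls the written data out of the Detail column so you know which file names to go looking for. The log embedded below is constructed for the example, not a real capture; the jkkli file names and key paths are taken from the posts, the value name "MSServer" is the one post #1 mentions, and its data string is assumed.

```python
"""Spot a process that keeps re-writing autostart registry values.

Added example, not code from the forum thread. Parses a Process
Monitor CSV export and counts RegSetValue operations per
(process, path) on autostart locations. SAMPLE_CSV is constructed.
"""
import csv
import io
import re
from collections import Counter

# Autostart locations named in the thread, lower-cased for matching
# against the path Procmon prints (e.g. HKCU\Software\...\Windows\Load).
WATCHED = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows nt\currentversion\windows\load",
    r"\software\microsoft\windows\currentversion\explorer\browser helper objects",
)

# Procmon's RegSetValue detail reads "Type: REG_SZ, Length: 62, Data: <value>".
DATA_RE = re.compile(r"Data: (.*)$")

# Constructed sample in Procmon's CSV export layout (not a real capture).
SAMPLE_CSV = "\n".join([
    r'"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    r'"6:55:01.0001 PM","rundll32.exe","1204","RegQueryValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS","Type: REG_SZ, Length: 62, Data: c:\windows\system32\jkkli.exe"',
    r'"6:55:01.0100 PM","regedit.exe","2210","RegDeleteValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS",""',
    r'"6:55:01.0102 PM","rundll32.exe","1204","RegQueryValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","NAME NOT FOUND","Length: 144"',
    r'"6:55:01.0103 PM","rundll32.exe","1204","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS","Type: REG_SZ, Length: 62, Data: c:\windows\system32\jkkli.exe"',
    r'"6:55:01.2103 PM","rundll32.exe","1204","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS","Type: REG_SZ, Length: 62, Data: c:\windows\system32\jkkli.exe"',
    r'"6:55:01.4104 PM","rundll32.exe","1204","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS","Type: REG_SZ, Length: 62, Data: c:\windows\system32\jkkli.exe"',
    r'"6:55:01.6105 PM","rundll32.exe","1204","RegSetValue","HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load","SUCCESS","Type: REG_SZ, Length: 62, Data: c:\windows\system32\jkkli.exe"',
    r'"6:55:01.0200 PM","explorer.exe","1560","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer","SUCCESS","Type: REG_SZ, Length: 84, Data: rundll32.exe c:\windows\system32\jkkli.dll"',
    r'"6:55:01.2200 PM","explorer.exe","1560","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer","SUCCESS","Type: REG_SZ, Length: 84, Data: rundll32.exe c:\windows\system32\jkkli.dll"',
    r'"6:55:01.4200 PM","explorer.exe","1560","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer","SUCCESS","Type: REG_SZ, Length: 84, Data: rundll32.exe c:\windows\system32\jkkli.dll"',
    r'"6:55:02.0001 PM","regedit.exe","2210","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyTool","SUCCESS","Type: REG_SZ, Length: 40, Data: c:\tools\mytool.exe"',
    r'"6:55:02.0002 PM","svchost.exe","880","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Hostname","SUCCESS","Type: REG_SZ, Length: 10, Data: PC01"',
])


def parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_watched(path):
    p = path.lower()
    return any(w in p for w in WATCHED)


def reassertions(csv_text, min_writes=3):
    """{(process, path): count} for RegSetValue on watched paths seen at
    least min_writes times. One write is a user or installer; the same
    value being set over and over is the self-preservation loop."""
    counts = Counter()
    for row in parse(csv_text):
        if row["Operation"] == "RegSetValue" and is_watched(row["Path"]):
            counts[(row["Process Name"], row["Path"])] += 1
    return {k: v for k, v in counts.items() if v >= min_writes}


def written_images(csv_text, min_writes=3):
    """Data payloads of the flagged writes: the file names to hunt for."""
    flagged = reassertions(csv_text, min_writes)
    images = set()
    for row in parse(csv_text):
        if row["Operation"] != "RegSetValue":
            continue
        if (row["Process Name"], row["Path"]) not in flagged:
            continue
        m = DATA_RE.search(row["Detail"])
        if m:
            images.add(m.group(1))
    return images


def report(csv_text, min_writes=3):
    lines = [f"{proc} re-wrote {path} {n} times"
             for (proc, path), n in sorted(reassertions(csv_text, min_writes).items())]
    lines += [f"  value written: {img}" for img in sorted(written_images(csv_text, min_writes))]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_CSV))
```

For a real capture, call `report(open("Logfile.CSV", encoding="utf-8-sig").read())`. Note that Procmon attributes each event to the host process, so an injected DLL shows up as rundll32.exe, explorer.exe or whichever process it lives in (as the post saw in procexp); the Stack tab on an individual event is what names the module that made the call.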