Guest Lauren
Posted July 10, 2007

My apologies if this is the wrong group. I recently bought a Lasonic MP-02GY MP3 player from Fry's and have found it loads a program called jjjha.exe which appears to be sending information whenever a Google search is done to a website in China. The device has an autorun inf which changes the right click menu for the drive and runs an exe on the root of the device. It loads a fake svchost file into Windows/inf and sets an autorun key. The svchost then loads and reloads the jjjha.exe which monitors the browser. Once you stop the svchost process it is not too bad to remove everything. I don't know where something like this should be reported.

Thanks
Lauren
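
The post above describes an autorun.inf that runs an exe from the drive root and rewrites the drive's right-click menu; a file like that can be audited as text before the drive is ever opened in Explorer. This is an added example, not part of the original thread: the sample contents and the name placeholder.exe are constructed, because the thread does not show the device's actual autorun.inf.

```python
import re

# Constructed sample: the thread does not show the device's real autorun.inf.
SAMPLE = r"""
random padding line outside any section
[AutoRun]
open=placeholder.exe
shell\open=Open
shell\open\Command=placeholder.exe
shell\explore\Command="placeholder.exe" -e
shell=open
"""

RUN_KEYS = {"open", "shellexecute"}

def audit_autorun(text):
    """Return (key, value, reason) for each [autorun] entry that launches code."""
    findings, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue  # padding or junk lines are skipped
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in RUN_KEYS:
            findings.append((key, value, "runs a program when the drive is auto-played"))
        elif key == "shell":
            findings.append((key, value, "sets the default right-click verb"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            findings.append((key, value, "right-click menu entry runs a command"))
    return findings

def referenced_programs(findings):
    """Program names the flagged entries would start (first token of the value)."""
    programs = set()
    for key, value, _ in findings:
        match = re.match(r'"([^"]+)"|(\S+)', value)
        if key != "shell" and match:
            programs.add((match.group(1) or match.group(2)).lower())
    return programs

if __name__ == "__main__":
    hits = audit_autorun(SAMPLE)
    print(*hits, sorted(referenced_programs(hits)), sep="\n")
```

Any program name it reports is a candidate for hashing and submission to a scanner, as the replies below suggest.
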
Guest David H. Lipman
Posted July 10, 2007

From: "Lauren" <blah@blahblah.blah>

| My apologies if this is the wrong group. I recently bought a Lasonic
| MP-02GY MP3 player from Fry's and have found it loads a program called
| jjjha.exe which appears to be sending information whenever a Google search
| is done to a website in China. The device has an autorun inf which changes
| the right click menu for the drive and runs an exe on the root of the
| device. It loads a fake svchost file into Windows/inf and sets an autorun
| key. The svchost then loads and reloads the jjjha.exe which monitors the
| browser. Once you stop the svchost process it is not too bad to remove
| everything. I don't know where something like this should be reported.
|
| Thanks
| Lauren

Before it can be reported, jjjha.exe *must* be identified. Then once it is identified as malware you should file a formal complaint with Fry's as well as the Attorney General of your state.

The following is how you should go about identifying the file...

Please submit a sample to Virus Total -- http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners. That will give you an idea what it is and who recognizes it. In addition, unless told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results and use the report as proof of the malware infection.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Guest Milo (MSPSS)
Posted July 10, 2007

you can submit a copy of such here

http://support.microsoft.com/kb/921161/en-us

--
Milo
MSPSS

"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a Google search
> is done to a website in China. The device has an autorun inf which changes
> the right click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe which monitors the
> browser. Once you stop the svchost process it is not too bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
Guest Sharon Franks
Posted July 10, 2007

Google blocks certain Chinese websites and censors others, perhaps since this is an MP3 player that software may aid in the censoring.

--
Sharon Franks
MCC group
Microsoft Certified Solutions Developer (MCSD)
Microsoft Certified Trainer (MCT).

"Lauren" <blah@blahblah.blah> wrote in message news:e173$IzwHHA.1168@TK2MSFTNGP02.phx.gbl...

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a Google search
> is done to a website in China. The device has an autorun inf which
> changes the right click menu for the drive and runs an exe on the root of
> the device. It loads a fake svchost file into Windows/inf and sets an
> autorun key. The svchost then loads and reloads the jjjha.exe which
> monitors the browser. Once you stop the svchost process it is not too bad
> to remove everything. I don't know where something like this should be
> reported.
>
> Thanks
> Lauren
Guest Lauren
Posted July 11, 2007

Here's the results for the svchost file:

Antivirus           Version          Update       Result
AhnLab-V3           2007.7.11.1      07.11.2007   no virus found
AntiVir             7.4.0.39         07.10.2007   TR/VB.Yongfu
Authentium          4.93.8           07.10.2007   no virus found
Avast               4.7.997.0        07.11.2007   no virus found
AVG                 7.5.0.476        07.10.2007   Worm/Delf.CRQ
BitDefender         7.2              07.11.2007   no virus found
CAT-QuickHeal       9.00             07.10.2007   (Suspicious) - DNAScan
ClamAV              devel-20070416   07.11.2007   no virus found
DrWeb               4.33             07.11.2007   no virus found
eSafe               7.0.15.0         07.10.2007   suspicious Trojan/Worm
eTrust-Vet          30.8.3778        07.10.2007   no virus found
Ewido               4.0              07.10.2007   no virus found
FileAdvisor         1                07.11.2007   no virus found
Fortinet            2.91.0.0         07.11.2007   VBWorm.C
F-Prot              4.3.2.48         07.10.2007   no virus found
Ikarus              T3.1.1.8         07.11.2007   Win32.SuspectCrc
Kaspersky           4.0.2.24         07.11.2007   Virus.Win32.AutoRun.cy
McAfee              5071             07.10.2007   no virus found
Microsoft           1.2704           07.11.2007   TrojanDownloader:Win32/Banload.DC
NOD32v2             2390             07.10.2007   no virus found
Norman              5.80.02          07.10.2007   no virus found
Panda               9.0.0.4          07.11.2007   Adware/SearchExplorer
Sophos              4.19.0           07.06.2007   Mal/VBWorm-C
Sunbelt             2.2.907.0        07.11.2007   no virus found
Symantec            10               07.11.2007   W32.SillyFDC
TheHacker           6.1.6.144        07.09.2007   no virus found
VBA32               3.12.0.2         07.10.2007   no virus found
VirusBuster         4.3.23:9         07.10.2007   no virus found
Webwasher-Gateway   6.0.1            07.11.2007   Trojan.VB.Yongfu

Aditional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX
packers: UPX
packers: UPX

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...

> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information whenever a Google search
> | is done to a website in China. The device has an autorun inf which changes
> | the right click menu for the drive and runs an exe on the root of the
> | device. It loads a fake svchost file into Windows/inf and sets an autorun
> | key. The svchost then loads and reloads the jjjha.exe which monitors the
> | browser. Once you stop the svchost process it is not too bad to remove
> | everything. I don't know where something like this should be reported.
> |
> | Thanks
> | Lauren
>
> Before it can be reported, jjjha.exe *must* be identified. Then once it
> is identified as malware you should file a formal complaint with Fry's as
> well as the Attorney General of your state.
>
> The following is how you should go about identifying the file...
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it.
> In addition, unless told otherwise, Virus Total will provide the sample
> to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
Guest Lauren
Posted July 11, 2007

Here are the results for the second file which had renamed itself.

Antivirus           Version          Update       Result
AhnLab-V3           2007.7.11.1      07.11.2007   no virus found
AntiVir             7.4.0.39         07.10.2007   TR/VB.Yongfu
Authentium          4.93.8           07.10.2007   no virus found
Avast               4.7.997.0        07.11.2007   no virus found
AVG                 7.5.0.476        07.10.2007   Worm/Delf.CRQ
BitDefender         7.2              07.11.2007   no virus found
CAT-QuickHeal       9.00             07.10.2007   (Suspicious) - DNAScan
ClamAV              devel-20070416   07.11.2007   no virus found
DrWeb               4.33             07.11.2007   no virus found
eSafe               7.0.15.0         07.10.2007   suspicious Trojan/Worm
eTrust-Vet          30.8.3778        07.10.2007   no virus found
Ewido               4.0              07.10.2007   no virus found
FileAdvisor         1                07.11.2007   no virus found
Fortinet            2.91.0.0         07.11.2007   VBWorm.C
F-Prot              4.3.2.48         07.10.2007   no virus found
Ikarus              T3.1.1.8         07.11.2007   Win32.SuspectCrc
Kaspersky           4.0.2.24         07.11.2007   Virus.Win32.AutoRun.cy
McAfee              5071             07.10.2007   no virus found
Microsoft           1.2704           07.11.2007   TrojanDownloader:Win32/Banload.DC
NOD32v2             2390             07.10.2007   no virus found
Norman              5.80.02          07.10.2007   no virus found
Panda               9.0.0.4          07.11.2007   Adware/SearchExplorer
Sophos              4.19.0           07.06.2007   Mal/VBWorm-C
Sunbelt             2.2.907.0        07.11.2007   no virus found
Symantec            10               07.11.2007   W32.SillyFDC
TheHacker           6.1.6.144        07.09.2007   no virus found
VBA32               3.12.0.2         07.10.2007   no virus found
VirusBuster         4.3.23:9         07.10.2007   no virus found
Webwasher-Gateway   6.0.1            07.11.2007   Trojan.VB.Yongfu

Aditional Information
File size: 15872 bytes
MD5: 103bd3254c4aa8786ed1545261238d8f
SHA1: d08d7572b4a471216fa92967180887f995831a6a
packers: UPX
packers: UPX
packers: UPX

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:uHNN3NzwHHA.2040@TK2MSFTNGP03.phx.gbl...

> From: "Lauren" <blah@blahblah.blah>
>
> | My apologies if this is the wrong group. I recently bought a Lasonic
> | MP-02GY MP3 player from Fry's and have found it loads a program called
> | jjjha.exe which appears to be sending information whenever a Google search
> | is done to a website in China. The device has an autorun inf which changes
> | the right click menu for the drive and runs an exe on the root of the
> | device. It loads a fake svchost file into Windows/inf and sets an autorun
> | key. The svchost then loads and reloads the jjjha.exe which monitors the
> | browser. Once you stop the svchost process it is not too bad to remove
> | everything. I don't know where something like this should be reported.
> |
> | Thanks
> | Lauren
>
> Before it can be reported, jjjha.exe *must* be identified. Then once it
> is identified as malware you should file a formal complaint with Fry's as
> well as the Attorney General of your state.
>
> The following is how you should go about identifying the file...
>
> Please submit a sample to Virus Total --
> http://www.virustotal.com/flash/index_en.html
> The submission will then be tested against many different AV vendors'
> scanners. That will give you an idea what it is and who recognizes it.
> In addition, unless told otherwise, Virus Total will provide the sample
> to all participating vendors.
>
> You can also submit a suspect, one at a time, via the following email URL...
> mailto:scan@virustotal.com?subject=SCAN
>
> When you get the report, please post back the exact results and use the
> report as proof of the malware infection.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
Guest Lauren
Posted July 11, 2007

Thanks for the tip. I submitted the files.

"Milo (MSPSS)" <v-4jpaca@mssupport.microsoft.com> wrote in message news:5AAB12C8-EC68-4D20-8419-F03974D080A2@microsoft.com...

> you can submit a copy of such here
>
> http://support.microsoft.com/kb/921161/en-us
>
> --
> Milo
> MSPSS
>
> "Lauren" wrote:
>
>> My apologies if this is the wrong group. I recently bought a Lasonic
>> MP-02GY MP3 player from Fry's and have found it loads a program called
>> jjjha.exe which appears to be sending information whenever a Google search
>> is done to a website in China. The device has an autorun inf which changes
>> the right click menu for the drive and runs an exe on the root of the
>> device. It loads a fake svchost file into Windows/inf and sets an autorun
>> key. The svchost then loads and reloads the jjjha.exe which monitors the
>> browser. Once you stop the svchost process it is not too bad to remove
>> everything. I don't know where something like this should be reported.
>>
>> Thanks
>> Lauren
Guest jesburgers
Posted July 18, 2007

"Lauren" wrote:

> My apologies if this is the wrong group. I recently bought a Lasonic
> MP-02GY MP3 player from Fry's and have found it loads a program called
> jjjha.exe which appears to be sending information whenever a Google search
> is done to a website in China. The device has an autorun inf which changes
> the right click menu for the drive and runs an exe on the root of the
> device. It loads a fake svchost file into Windows/inf and sets an autorun
> key. The svchost then loads and reloads the jjjha.exe which monitors the
> browser. Once you stop the svchost process it is not too bad to remove
> everything. I don't know where something like this should be reported.
>
> Thanks
> Lauren
Guest jesburgers
Posted July 18, 2007

Hi,

same experience when I bought an MP3 player via eBay (1 GB mp3 player shuffle). The program "icygddkg.exe" contains the malware trojan TR/VB.Yongfu.

My antivirus program ANTIVIR did recognize and kill it. Anyway this lousy Chinese program did read my Outlook address book. A short time afterwards a lot of Chinese spam emails occurred to my partners.

My advice: Buy the original products.
Guest Lauren
Posted July 18, 2007

I bought mine from Fry's, a well known outlet.

Lauren

"jesburgers" <jesburgers@discussions.microsoft.com> wrote in message news:64D19409-756D-49E8-8032-AE4276B9FF67@microsoft.com...

> Hi,
> same experience when I bought an MP3 player via eBay (1 GB mp3 player
> shuffle). The program "icygddkg.exe" contains the malware trojan
> TR/VB.Yongfu.
>
> My antivirus program ANTIVIR did recognize and kill it. Anyway this
> lousy Chinese program did read my Outlook address book. A short time
> afterwards a lot of Chinese spam emails occurred to my partners.
>
> My advice: Buy the original products.
Guest David H. Lipman
Posted July 18, 2007

From: "Lauren" <blah@blahblah.blah>

| I bought mine from Fry's, a well known outlet.
| Lauren

Did you file a formal complaint with Fry's and your State's Attorney General?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm