Smithfraud



SteveC
2007-07-17, 18:28
Really need to get rid of this one, please help.

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:37 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\steve.corley\My Documents\?asks\??ool32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\STEVE~1.COR\LOCALS~1\Temp\HijackThis.exe

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rsqqktgv.dll",realset
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
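
As an added example (not code from this thread, from HijackThis or from ComboFix), the script below triages the O2 (BHO), O4 (Run keys) and O20 (Winlogon Notify) lines of an HJT log the way the helper reads them by eye: it flags load points whose file is already gone, paths that HJT prints with `?` in place of non-ASCII characters (the `s?chost.exe` disguise), rundll32 loading a random-named DLL from system32, and a well-known binary name such as javaw.exe started from a directory it does not belong in. The sample input is assembled from lines in the logs posted in this thread; the rule names and thresholds are heuristics of this example, not HijackThis output.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not part of
the thread or of HijackThis itself).  Flags the O2/O4/O20 entries a
malware-removal helper would ask about, with a reason for each."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed input: lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rsqqktgv.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
"""


@dataclass
class Finding:
    section: str                 # O2, O4 or O20
    entry: str                   # the full log line
    target: str                  # file HJT reports as the load target
    reasons: List[str] = field(default_factory=list)


SECTION_RE = re.compile(r"^(O20|O2|O4) - (.*)$")

# Heuristic: Vundo-style DLLs are a run of lowercase letters dropped in
# system32 and started through rundll32 with an export name after the comma.
RANDOM_RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?[^"]*\\system32\\([a-z]{5,8})\.dll"?,', re.I)

# Binaries malware likes to impersonate, with directory fragments a genuine
# copy would be started from (heuristic allowlist of this example).
EXPECTED_HOME = {
    "svchost.exe": ("\\windows\\system32\\",),
    "javaw.exe": ("\\java\\", "\\jre", "\\jdk", "\\windows\\system32\\"),
}


def _target(section: str, rest: str) -> str:
    """Pull the file path HJT prints for an O2/O4/O20 entry."""
    if section == "O4":
        # O4 - HKCU\..\Run: [Name] "C:\path\prog.exe" args
        body = rest.split("] ", 1)[1] if "] " in rest else rest
    else:
        # O2 - BHO: name - {CLSID} - path   /   O20 - Winlogon Notify: name - path
        body = rest.rsplit(" - ", 1)[-1]
    body = body.replace("(file missing)", "").strip()
    if body.startswith('"'):
        return body[1:].split('"', 1)[0]
    return body.split(" ", 1)[0]


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that trip at least one rule, with reasons."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = SECTION_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        f = Finding(section, raw.strip(), _target(section, rest))
        if "(file missing)" in rest:
            f.reasons.append("file missing: orphaned load point left behind by a cleaner")
        if "?" in f.target:
            f.reasons.append("non-ASCII characters in path (HJT prints '?'): disguised name")
        if RANDOM_RUNDLL_RE.search(rest):
            f.reasons.append("rundll32 loading a random-named DLL from system32 (Vundo pattern)")
        name = f.target.rsplit("\\", 1)[-1].lower()
        homes = EXPECTED_HOME.get(name)
        if homes and not any(h in f.target.lower() for h in homes):
            f.reasons.append(f"{name} started from an unexpected directory")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.target}")
        for r in f.reasons:
            print(f"      - {r}")
```

Entries with `(file missing)` are the ones a second HJT run still shows after ComboFix or VundoFix deleted the file; they are registry leftovers to fix rather than evidence of live malware.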

ken545
2007-07-18, 04:20
Hello SteveC,

Welcome to Safer Networking. You do have a few issues going on.


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Before you post a new HJT log, we need to move it to its own folder.

Hijackthis 1.99.1 (http://www.thespykiller.co.uk/files/HJTsetup.exe)
It's important that HijackThis is installed in its own permanent folder for backup purposes.


Go to where you currently have HJT installed and delete the whole folder.
Use the link above to download the HJT 1.99.1 setup to your desktop.
Double-click on the Setup icon and by default it will unzip to C:\Program Files\Hijackthis.



Go to C:\Program Files\HijackThis, open the folder, right-click on the HJT icon (it looks like a red stick of dynamite with a plunger) and rename it to Scanner.exe. <-- Don't forget the .exe, and post a new log.



I need to see the ComboFix log and a new log from the renamed HJT.

SteveC
2007-07-18, 16:32
Ran ComboFix and HijackThis again; logs follow:

"Steve.Corley" - 2007-07-18 9:18:43 - ComboFix 07-07-14.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddaba.dll
C:\WINDOWS\system32\bawgrkjb.dll
C:\WINDOWS\system32\bggwwfdf.dll
C:\WINDOWS\system32\fdvvrwfw.dll
C:\WINDOWS\system32\funcwfrc.dll
C:\WINDOWS\system32\fvemaard.dll
C:\WINDOWS\system32\hmnnlpcu.dll
C:\WINDOWS\system32\kfdsymba.dll
C:\WINDOWS\system32\nskgkfeu.dll
C:\WINDOWS\system32\pymgilvu.dll
C:\WINDOWS\system32\rsqqktgv.dll
C:\WINDOWS\system32\rubfqjgf.dll
C:\WINDOWS\system32\tttbdnrl.dll
C:\WINDOWS\system32\xybcnpwi.dll
C:\WINDOWS\system32\lkuqbuwb.exe
C:\WINDOWS\system32\alalmkwj.dll
C:\WINDOWS\system32\albtqksi.dll
C:\WINDOWS\system32\bcbbxxvk.dll
C:\WINDOWS\system32\bpnjobkh.dll
C:\WINDOWS\system32\coxftrmp.dll
C:\WINDOWS\system32\dncsnxmn.dll
C:\WINDOWS\system32\ekcbxytc.dll
C:\WINDOWS\system32\emlcdsym.dll
C:\WINDOWS\system32\fopygmpa.dll
C:\WINDOWS\system32\gpeljpyb.dll
C:\WINDOWS\system32\hkwnougg.dll
C:\WINDOWS\system32\hoxtdgmi.dll
C:\WINDOWS\system32\hwfrjwmy.dll
C:\WINDOWS\system32\hytwbcsh.dll
C:\WINDOWS\system32\iecglcix.dll
C:\WINDOWS\system32\iggkqtej.dll
C:\WINDOWS\system32\isykghmu.dll
C:\WINDOWS\system32\jstdyvag.dll
C:\WINDOWS\system32\jwatmodd.dll
C:\WINDOWS\system32\kcfibyks.dll
C:\WINDOWS\system32\kdxqpexc.dll
C:\WINDOWS\system32\kxrcsnlo.dll
C:\WINDOWS\system32\lmrrbkkw.dll
C:\WINDOWS\system32\mtkoceen.dll
C:\WINDOWS\system32\mxnyriqn.dll
C:\WINDOWS\system32\oerwijjy.dll
C:\WINDOWS\system32\pcptnrpu.dll
C:\WINDOWS\system32\rjtlbhlb.dll
C:\WINDOWS\system32\rycerkwg.dll
C:\WINDOWS\system32\sighnrvb.dll
C:\WINDOWS\system32\tbpivtij.dll
C:\WINDOWS\system32\tcluaaay.dll
C:\WINDOWS\system32\touijmbd.dll
C:\WINDOWS\system32\ulggggar.dll
C:\WINDOWS\system32\uuncvwrf.dll
C:\WINDOWS\system32\vthgxhyd.dll
C:\WINDOWS\system32\wdxogedx.dll
C:\WINDOWS\system32\wiykddim.dll
C:\WINDOWS\system32\xdfjrlqj.dll
C:\WINDOWS\system32\ygjdithe.dll
C:\WINDOWS\system32\yudhfbma.dll
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\bjkrgwab.ini
C:\WINDOWS\system32\fdfwwggb.ini
C:\WINDOWS\system32\wfwrvvdf.ini
C:\WINDOWS\system32\crfwcnuf.ini
C:\WINDOWS\system32\draamevf.ini
C:\WINDOWS\system32\ucplnnmh.ini
C:\WINDOWS\system32\abmysdfk.ini
C:\WINDOWS\system32\uefkgksn.ini
C:\WINDOWS\system32\uvligmyp.ini
C:\WINDOWS\system32\vgtkqqsr.ini
C:\WINDOWS\system32\fgjqfbur.ini
C:\WINDOWS\system32\lrndbttt.ini
C:\WINDOWS\system32\iwpncbyx.ini
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\ilnmp.bak1
C:\WINDOWS\system32\ilnmp.bak2
C:\WINDOWS\system32\ilnmp.ini
C:\WINDOWS\system32\ilnmp.ini2
C:\WINDOWS\system32\ilnmp.tmp
C:\WINDOWS\system32\pmnli.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\asks~1
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\macromedia\Flash Player\#SharedObjects\G7W9HVWX\www.broadcaster.com
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\winantispyware 2007 free
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
C:\DOCUME~1\STEVE~1.COR\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\STEVE~1.COR\MYDOCU~1.\asks~1
C:\Documents and Settings\steve.corley.\err.log
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~1\javaw.exe
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\svhost
C:\Program Files\winpop
C:\Program Files\xloadnet
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\mantec~1
C:\WINDOWS\mantec~1\s?chost.exe
C:\WINDOWS\system32\aohygogl.exe
C:\WINDOWS\system32\bidyaiga.exe
C:\WINDOWS\system32\bqhixysp.exe
C:\WINDOWS\system32\bybsrkdh.exe
C:\WINDOWS\system32\cofovxsl.exe
C:\WINDOWS\system32\dnhwadou.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\etnioqhv.exe
C:\WINDOWS\system32\eytwoytt.exe
C:\WINDOWS\system32\gwuroyxd.exe
C:\WINDOWS\system32\gxc.dll
C:\WINDOWS\system32\hdtelypc.exe
C:\WINDOWS\system32\htbjobbj.exe
C:\WINDOWS\system32\hvqaudtv.exe
C:\WINDOWS\system32\icfodbbh.exe
C:\WINDOWS\system32\iemwwnbl.exe
C:\WINDOWS\system32\iwssrgwy.exe
C:\WINDOWS\system32\iywxrlok.exe
C:\WINDOWS\system32\jckasiob.exe
C:\WINDOWS\system32\jfndgsqg.exe
C:\WINDOWS\system32\kstldjfp.exe
C:\WINDOWS\system32\lansrgpm.exe
C:\WINDOWS\system32\lymcpjie.exe
C:\WINDOWS\system32\msbcloak.exe
C:\WINDOWS\system32\mtkhatlf.exe
C:\WINDOWS\system32\npgbpwqr.exe
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\orpdirvo.exe
C:\WINDOWS\system32\peasctpn.exe
C:\WINDOWS\system32\pgmqmhto.exe
C:\WINDOWS\system32\qeyxbltg.exe
C:\WINDOWS\system32\qlqqddja.exe
C:\WINDOWS\system32\rbeebpde.exe
C:\WINDOWS\system32\rkrrtylm.exe
C:\WINDOWS\system32\slxvybeh.exe
C:\WINDOWS\system32\tokdtmst.exe
C:\WINDOWS\system32\txrhruko.exe
C:\WINDOWS\system32\ujcnwnod.exe
C:\WINDOWS\system32\unyjhfno.exe
C:\WINDOWS\system32\vcfiinch.exe
C:\WINDOWS\system32\vgepqowy.exe
C:\WINDOWS\system32\vllpkjjq.exe
C:\WINDOWS\system32\vrjotdjg.exe
C:\WINDOWS\system32\vwrpwfqe.exe
C:\WINDOWS\system32\wcpsvit32.exe
C:\WINDOWS\system32\win
C:\WINDOWS\system32\xcoltjpb.exe
C:\WINDOWS\system32\xyvyabvf.exe
C:\WINDOWS\system32\yclfbvay.exe
C:\WINDOWS\system32\yluggaon.exe
C:\WINDOWS\system32\ywsudgwy.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


2007-07-18 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-16 11:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-28 14:05 <DIR> d-------- C:\DOCUME~1\STEVE~1.COR\APPLIC~1\Help
2007-06-26 16:10 <DIR> d-------- C:\WINDOWS\system32\%%DATA_DIR%%
2007-06-22 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-20 09:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-20 09:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-17 15:12:45 -------- d-----w C:\Program Files\Nortel Networks
2007-06-13 16:08:50 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-13 16:06:54 -------- d-----w C:\Program Files\GeoWhere Lite
2007-05-30 15:27:04 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-30 15:16:58 42,473 ----a-w C:\WINDOWS\WpAJTrYf67HazytRD.exe
2007-05-30 15:16:52 103,191 ----a-w C:\WINDOWS\qwr67.exe
2007-05-22 15:29:42 -------- d-----w C:\Program Files\Apple Software Update
2007-05-22 15:29:40 -------- d-----w C:\Program Files\QuickTime
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 16:00:10 1,481,159 --sha-w C:\WINDOWS\system32\jjkkj.ini2
2007-05-09 15:45:45 1,478,820 --sha-w C:\WINDOWS\system32\jjkkj.bak2
2007-05-07 12:53:54 1,469,349 --sha-w C:\WINDOWS\system32\jjkkj.bak1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 16:11:49 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-24 16:11:46 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{546BBBA1-D025-446A-A876-EC0F38CEBBBD}]
C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 05:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626E13D3-F46F-87EF-1E17-8E8DBC278FC9}]
C:\WINDOWS\system32\gxc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79774F04-5535-473D-8ACD-F0996A843280}]
C:\WINDOWS\system32\tfxbcuio.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-10-22 23:20 321120 --------- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
2006-02-17 17:28 94208 --a------ c:\Program Files\BAE\BAE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Tair"="C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" []
"Rcsuak"="C:\WINDOWS\??mantec\s?chost.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjj]
C:\WINDOWS\system32\jkkjj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqqro]
rqrqqro.dll


Contents of the 'Scheduled Tasks' folder
2007-05-11 16:13:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 09:25:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-18 9:25:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 09:25

--- E O F ---

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:29, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe

--
End of file - 7626 bytes

ken545
2007-07-18, 19:29
Hello Steve,

You're doing well :bigthumb: but there is still more to do. ComboFix removed a lot of Vundo, but I would like you to run the tool to get rid of it all.


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Let me see the Vundo log and a new HJT log, please.

SteveC
2007-07-18, 20:16
Here are the VundoFix log and the new HJT log...

I REALLY, REALLY APPRECIATE YOUR HELP ON THIS! Thank you for a job well done!


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 13:06:35 2007-07-18

Listing files found while scanning....

C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jjkkj.tmp
C:\WINDOWS\system32\jkkjj.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jjkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkkj.tmp
C:\WINDOWS\system32\jjkkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!

+++++++++++++++++++

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe

--
End of file - 7495 bytes

ken545
2007-07-18, 20:30
Steve,

Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)

O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe



Your Java is out of date and leaving your system vulnerable.
Go to your Add/Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment).
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment (JRE) Version 6 Update 1 <-- This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.


Go here C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, right click on it and rename it to Scanner.exe, and post a new log please. Hang in, we're almost home :bigthumb:

SteveC
2007-07-18, 20:53
Did all of the above and here's the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe

--
End of file - 7624 bytes

ken545
2007-07-18, 21:01
Steve,

FYI, the lowlifes that write the Vundo garbage have written it to evade HJT, and by having you rename it to Scanner.exe it shows up in your log, so remove these 2 entries with HJT.

O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)


Let me ask you about this entry.
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
Did you or do you use NetMeeting? If not, you can remove it also.


How is your system running now??
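
The entries ken545 had Steve fix in the two posts above share a few visible tells: a BHO or Winlogon Notify DLL marked "(file missing)", a BHO with "(no name)", the same DLL name showing up in both an O2 and an O20 line, and a Run path containing '?'. The script below is an added example, not code from this thread or from HijackThis; it parses HJT-style lines with its own regexes, runs those checks over lines copied from the logs posted above (the sample is constructed from them, clean and infected side by side), and prints the hits. The reason codes and the choice of heuristics are mine, so a hit is something to look at, not a verdict.

```python
"""Triage HijackThis-style log lines for the indicators acted on in this thread.

Added example, not part of the thread or of HijackThis. The regexes, reason
codes and the sample selection are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines lifted from the two HJT logs posted above.
# Raw string, so the single backslashes are literal.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
"""

# One pattern per HJT section this example understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


@dataclass
class Entry:
    section: str               # O2 (BHO), O4 (Run key), O20 (Winlogon Notify), O23 (service)
    name: str                  # display name / Run value name / Notify key name
    path: str                  # raw file or command text from the log line
    image: str                 # the executable or DLL the entry loads
    file_missing: bool         # HJT appended "(file missing)"
    reasons: List[str] = field(default_factory=list)

    @property
    def basename(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()


def image_path(command: str) -> str:
    """First token of a Run command: the quoted string if quoted, else up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for the sections handled here, None for anything else."""
    line = line.rstrip()
    for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
        m = rx.match(line)
        if m:
            path = m.group("path")
            image = image_path(path) if section == "O4" else path
            return Entry(section, m.group("name"), path, image,
                         bool(m.groupdict().get("missing")))
    return None


def assess(entry: Entry) -> None:
    """Per-entry heuristics; each appends a short reason code."""
    if entry.file_missing and entry.section in ("O2", "O20"):
        # A BHO or Winlogon Notify DLL that is registered but not on disk is
        # leftover from a half-removed infection or is hidden from the scanner;
        # either way the registry entry has to go.
        entry.reasons.append("file-missing")
    if entry.section == "O2" and entry.name == "(no name)":
        entry.reasons.append("no-name")
    if "?" in entry.path:
        # '?' is not legal in a Windows file name, so HJT printed it for a
        # character it could not render: most likely a non-ASCII lookalike of
        # a trusted folder or executable name.
        entry.reasons.append("non-ascii-path")


def correlate(entries: List[Entry]) -> None:
    """Cross-entry check: one DLL registered both as a BHO (O2) and as a Winlogon
    Notify package (O20) is the pattern the Vundo entries above show."""
    sections_by_dll = {}
    for e in entries:
        sections_by_dll.setdefault(e.basename, set()).add(e.section)
    for e in entries:
        if e.section in ("O2", "O20") and {"O2", "O20"} <= sections_by_dll[e.basename]:
            e.reasons.append("bho-and-notify-share-dll")


def triage(log_text: str) -> List[Entry]:
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    for e in entries:
        assess(e)
    correlate(entries)
    return entries


def flagged(log_text: str) -> List[Entry]:
    return [e for e in triage(log_text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.section:<4} {e.basename:<14} {', '.join(e.reasons)}")
```

Running it prints the two jkkjj.dll lines, rqrqqro.dll and the s?chost.exe Run entry, and nothing for DLA, QuickTime, the javaw.exe entry or the McAfee service. The heuristics stop at what this thread shows; they will not catch a loader that keeps its file on disk under a plausible name.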

SteveC
2007-07-18, 21:09
OK, I deleted the 2 entries. I do use netmeeting.

The system is running great! Thank you soooooo much, you rock!

Steve

ken545
2007-07-19, 01:10
You're very welcome, Steve. :) Here are some tips and free tools for you to install to help keep you more secure.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Reboot your computer


Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.



Create a new Restore Point <-- Very Important


Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it



How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, don't leave home without them
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Ad-Aware 2007 7.0.1.5 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.


Thanks for stopping by Safer Networking, I'm glad I was able to help you.

SteveC
2007-07-19, 15:27
Thanks again Ken!

ken545
2007-07-19, 19:12
You're very welcome, Steve :bigthumb:

tashi
2007-07-26, 00:11
Glad we could help, as the problem appears to be resolved this topic has been archived.

If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.