Smithfraud
Really need to get rid of this one, please help.
Here is my log:
Logfile of HijackThis v1.99.1
Scan saved at 11:23:37 AM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\steve.corley\My Documents\?asks\??ool32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\STEVE~1.COR\LOCALS~1\Temp\HijackThis.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rsqqktgv.dll",realset
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
Hello SteveC,
Welcome to Safer Networking. You do have a few issues going on.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Before you post a new HJT log we need to move it to its own folder.
Hijackthis 1.99.1 (http://www.thespykiller.co.uk/files/HJTsetup.exe)
It's important that HijackThis is installed in its own permanent folder for backup purposes.
Go to where you currently have HJT installed and delete the whole folder.
Use the link above to download HJT 1.99.1 setup to your desktop
Double click on the Setup icon and by default it will unzip to C:\Program Files\Hijackthis
Go to C:\Program Files\HijackThis and open the folder and right click on the HJT Icon, (looks like a red stick of dynamite with a plunger) and rename it to Scanner.exe. <-- Don't forget the .exe and post a new log.
I need to see the Combofix log and a New HJT log renamed.
Ran combofix and hijackthis again, logs follow:
"Steve.Corley" - 2007-07-18 9:18:43 - ComboFix 07-07-14.6 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))
2007-07-18 09:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-16 15:32 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-16 11:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-28 14:05 <DIR> d-------- C:\DOCUME~1\STEVE~1.COR\APPLIC~1\Help
2007-06-26 16:10 <DIR> d-------- C:\WINDOWS\system32\%%DATA_DIR%%
2007-06-22 15:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-06-20 09:09 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-06-20 09:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-17 15:12:45 -------- d-----w C:\Program Files\Nortel Networks
2007-06-13 16:08:50 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-06-13 16:06:54 -------- d-----w C:\Program Files\GeoWhere Lite
2007-05-30 15:27:04 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-05-30 15:16:58 42,473 ----a-w C:\WINDOWS\WpAJTrYf67HazytRD.exe
2007-05-30 15:16:52 103,191 ----a-w C:\WINDOWS\qwr67.exe
2007-05-22 15:29:42 -------- d-----w C:\Program Files\Apple Software Update
2007-05-22 15:29:40 -------- d-----w C:\Program Files\QuickTime
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 16:00:10 1,481,159 --sha-w C:\WINDOWS\system32\jjkkj.ini2
2007-05-09 15:45:45 1,478,820 --sha-w C:\WINDOWS\system32\jjkkj.bak2
2007-05-07 12:53:54 1,469,349 --sha-w C:\WINDOWS\system32\jjkkj.bak1
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-24 16:11:49 249,856 ------w C:\WINDOWS\Setup1.exe
2007-04-24 16:11:46 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{546BBBA1-D025-446A-A876-EC0F38CEBBBD}]
C:\WINDOWS\system32\jkkjj.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
2005-09-08 05:20 110652 --a------ C:\WINDOWS\System32\DLA\DLASHX_W.DLL
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{626E13D3-F46F-87EF-1E17-8E8DBC278FC9}]
C:\WINDOWS\system32\gxc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79774F04-5535-473D-8ACD-F0996A843280}]
C:\WINDOWS\system32\tfxbcuio.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
2006-10-22 23:20 321120 --------- C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
2006-02-17 17:28 94208 --a------ c:\Program Files\BAE\BAE.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Tair"="C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" []
"Rcsuak"="C:\WINDOWS\??mantec\s?chost.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjj]
C:\WINDOWS\system32\jkkjj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrqqro]
rqrqqro.dll
Contents of the 'Scheduled Tasks' folder
2007-05-11 16:13:08 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
**************************************************************************
catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-18 09:25:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-18 9:25:34 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-18 09:25
--- E O F ---
Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:29, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
--
End of file - 7626 bytes
Hello Steve,
You're doing well, but there is still more to do. ComboFix removed a lot of Vundo but I would like you to run the tool to get rid of it all.
Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Let me see the Vundo Log and a New HJT log please.
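The triage the helper is doing by eye in this thread, as an added example that is not part of the thread, of HijackThis or of the removal tools named here: a small Python parser for the O2/O4/O20/O23 lines that flags the three patterns visible in the logs above (an entry whose file is already gone, a path with lookalike characters, and a generated-looking DLL name in a BHO, Winlogon Notify or rundll32 Run entry). The sample lines are copied from the logs posted in this thread; the rules are heuristics I constructed for illustration, not signatures.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rsqqktgv.dll",realset
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
FILENAME_RE = re.compile(r"[\w?~$]+\.(?:dll|exe)", re.IGNORECASE)

# Field layout of each section; only the sections this thread turns on.
SECTION_RE = {
    "O2": re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)"),
    "O4": re.compile(r"(?P<key>HK\w+\\\.\.\\\w+): \[(?P<name>[^\]]*)\] (?P<target>.*)"),
    "O20": re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<target>.*)"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<company>.*?) - (?P<target>.*)"),
}


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reasons: List[str] = field(default_factory=list)


def looks_generated(stem: str) -> bool:
    """Crude gibberish test tuned to the names in this thread (rsqqktgv, jkkjj,
    rqrqqro): all lowercase letters with a run of five or more consonants.
    Ordinary names such as ctfmon or msconf never reach five."""
    if not re.fullmatch(r"[a-z]{5,}", stem):
        return False
    return re.search(r"[^aeiouy]{5}", stem) is not None


def loaded_module(section: str, target: str) -> Optional[str]:
    """The file whose name is worth judging: the DLL itself for a BHO or Winlogon
    Notify entry, and the DLL handed to rundll32 for a Run entry."""
    files = FILENAME_RE.findall(target)
    if not files:
        return None
    if section == "O4":
        if files[0].lower() != "rundll32.exe":
            return None
        dlls = [f for f in files[1:] if f.lower().endswith(".dll")]
        return dlls[0] if dlls else None
    return files[0]


def triage(log_text: str) -> List[Finding]:
    """Parse HijackThis lines and return the entries that match the patterns the
    helper called out in this thread. Heuristics, not signatures: every hit still
    needs a human look before anything is fixed."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m["section"] not in SECTION_RE:
            continue
        fields = SECTION_RE[m["section"]].match(m["body"])
        if not fields:
            continue
        f = Finding(m["section"], fields["name"], fields["target"])
        # 1. The registry still points at a file that is gone: a dead loading point
        #    left behind after a removal, and a live one again if the file returns.
        if "(file missing)" in f.target:
            f.reasons.append("orphan")
        # 2. HijackThis shows '?' where a name contains a character it cannot
        #    display, so \??mantec\s?chost.exe is a lookalike of a Windows name.
        if "?" in f.target:
            f.reasons.append("lookalike")
        # 3. A generated-looking DLL name in a BHO, Winlogon Notify or rundll32
        #    Run entry is the Vundo pattern ComboFix and VundoFix cleaned up above.
        module = loaded_module(f.section, f.target)
        if module and looks_generated(module.rsplit(".", 1)[0]):
            f.reasons.append(f"gibberish:{module}")
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.name:30} {', '.join(f.reasons):26} {f.target}")
```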
Here is the VundoFix Log and new HJT Log...
I REALLY, REALLY APPRECIATE YOUR HELP ON THIS! Thank you for a job well done!
VundoFix V6.5.6
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 13:06:35 2007-07-18
Listing files found while scanning....
C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jjkkj.tmp
C:\WINDOWS\system32\jkkjj.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\jjkkj.bak1
C:\WINDOWS\system32\jjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkkj.bak2
C:\WINDOWS\system32\jjkkj.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkkj.ini
C:\WINDOWS\system32\jjkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkkj.ini2
C:\WINDOWS\system32\jjkkj.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkkj.tmp
C:\WINDOWS\system32\jjkkj.tmp Has been deleted!
Performing Repairs to the registry.
Done!
+++++++++++++++++++
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:15, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
--
End of file - 7495 bytes
Steve,
Open HijackThis > Do a System Scan Only. Close your browser and all open windows; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {546BBBA1-D025-446A-A876-EC0F38CEBBBD} - C:\WINDOWS\system32\jkkjj.dll (file missing)
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O2 - BHO: (no name) - {79774F04-5535-473D-8ACD-F0996A843280} - C:\WINDOWS\system32\tfxbcuio.dll (file missing)
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update.
Java Runtime Environment (JRE) Version 6 Update 1 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then, after install, you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.
Go here: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe, right-click on it, rename it to Scanner.exe and post a new log please. Hang in, we're almost home :bigthumb:
Did all of the above and here's the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:52, on 2007-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nortel Networks\Extranet_serv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\FNTS~1\javaw.exe" -vt ndrv
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O16 - DPF: {100C659D-2B0B-4BEF-B79A-34E4659B9A9C} (Pivotal ePower Lifecycle Engine (Version 5.7) - Platform Access (rdaclnt.dll)) - https://avenerm.avendra.com/epower/cab/RDACLNT.CAB
O16 - DPF: {149006D7-3F51-49CD-8BB7-B57B07255F28} (Pivotal eRelationship Active Access (Version 5.7) - Static list Support (rdauistaticlists.dll)) - https://avenerm.avendra.com/epower/cab/RDAUISTATICLISTS.CAB
O16 - DPF: {154E3A83-BDE2-441E-A22C-EDAED67CF23A} (Pivotal eRelationship Active Access (Version 5.7) - Resources (rdares.dll)) - https://avenerm.avendra.com/epower/cab/RDARES.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {286BCCBE-B061-4EF3-BAFA-C6D36F164DAB} (Pivotal eRelationship Active Access (Version 5.7) - Portal Preferences Page (rprefs.dll)) - https://avenerm.avendra.com/epower/cab/RDAPREFS.CAB
O16 - DPF: {309F16B3-B30C-4114-BE89-E63C4F593B41} (Pivotal eRelationship Active Access (Version 5.7) - Smart Portal (rdaprtl.dll)) - https://avenerm.avendra.com/epower/cab/RDAPRTL.CAB
O16 - DPF: {44F898AB-C146-4252-AEDC-7D46B32F7FA8} (Pivotal eRelationship Active Access (Version 5.7) - Report Interface (rdaRprt.dll)) - https://avenerm.avendra.com/epower/cab/RDARPRT.CAB
O16 - DPF: {46286333-DFFE-48FC-BF9A-DE461D8E682E} (Pivotal eRelationship Active Access (Version 5.7) - Colour Scheme Details (rdashare.dll)) - https://avenerm.avendra.com/epower/cab/RDASHARE.CAB
O16 - DPF: {644A61B8-C407-46D4-B455-05696AB16017} (Pivotal eRelationship Active Access (Version 5.7) - Charting Class (rdachart.dll)) - https://avenerm.avendra.com/epower/cab/RDACHART.CAB
O16 - DPF: {678C83FA-9073-466B-B4B2-D33A80C8BF62} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express Options (RdaUI.dll)) - https://avenerm.avendra.com/epower/cab/RDAUI.CAB
O16 - DPF: {8C42DAC2-0B6A-4F80-9794-3130E1C28345} (Pivotal eRelationship Active Access (Version 5.7) - Email Connector (rdaemail.dll)) - https://avenerm.avendra.com/epower/cab/RDAEMAIL.CAB
O16 - DPF: {A4BD9732-328D-11D4-BB89-00A0C9843488} (Pivotal ePower Lifecycle Engine (Version 5.7) - EMail Class (rn1sendx.dll)) - https://avenerm.avendra.com/epower/cab/RN1SENDX.CAB
O16 - DPF: {AE4F48D0-6A0A-11D3-9FB0-005004A79108} (Pivotal eRelationship Active Access (Version 5.7) - Plug-in Result Return Collection (dfoutils.dll)) - https://avenerm.avendra.com/epower/cab/DFOUTILS.CAB
O16 - DPF: {B6656F10-AE21-470F-8435-4030A8C05C9E} (Pivotal eRelationship Active Access (version 5.7) - Shortcut Menu Handler) - https://avenerm.avendra.com/epower/cab/RSHORTCUT.CAB
O16 - DPF: {E774F171-CCB6-424B-877B-1D4F95DF60AD} (Pivotal eRelationship Active Access (Version 5.7) - Letter Express (rdaletex.dll)) - https://avenerm.avendra.com/epower/cab/RDALETEX.CAB
O16 - DPF: {F9FEBBA1-5C27-4CC5-817C-C26AC8861DFD} (Pivotal ePower Lifecycle Engine (Version 5.7) - Component Catalog (rdaobjcreate.dll)) - https://avenerm.avendra.com/epower/cab/RDAOBJCREATE.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = avendra.com
O17 - HKLM\Software\..\Telephony: DomainName = avendra.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA3C4394-C34E-4D7C-ACB6-B51DC0B68CBB}: NameServer = 172.31.19.110,172.31.19.111
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = avendra.com
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
--
End of file - 7624 bytes
Steve,
FYI, the lowlifes that write the Vundo garbage have written it to evade HJT, and by having you rename it to scanner.exe it shows up in your log, so remove these 2 entries with HJT.
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
Let me ask you about this entry.
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
Did you or do you use NetMeeting? If not, you can remove it also.
How is your system running now??
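The triage the helper is doing by eye above (orphaned "(file missing)" hooks, BHOs with no name, an O4 autorun whose path is made of lookalike characters) can be scripted. The following is an added example written for this thread; it is my own code, not part of HijackThis or of either poster's reply. The sample log is constructed from the entry types shown in the thread, and the assumption is that the `?` characters in the log stand in for characters a plain-text log could not render, so a `?` or any non-ASCII character inside an autorun path is treated as a lookalike-path indicator. Names such as `triage` and `check_entry` are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample log modelled on the entry types in this thread (not a
# pasted log). The '?' characters stand in for characters a plain-text log
# could not render; treating them as lookalike-path markers is an assumption.
SAMPLE_LOG = r"""
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {626E13D3-F46F-87EF-1E17-8E8DBC278FC9} - C:\WINDOWS\system32\gxc.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Rcsuak] C:\WINDOWS\??mantec\s?chost.exe
O20 - Winlogon Notify: jkkjj - C:\WINDOWS\system32\jkkjj.dll (file missing)
O20 - Winlogon Notify: rqrqqro - rqrqqro.dll (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Common Framework\FrameworkService.exe
"""

# "O2 - BHO: ..." / "O20 - Winlogon Notify: ..." -> section code plus the rest.
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

# Drive-letter path fragments such as C:\WINDOWS\...\name.ext (stop at quote/space).
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+')


@dataclass
class Finding:
    code: str
    line: str
    reasons: list


def suspicious_chars(text):
    """True if a path holds characters that do not belong in an ASCII Windows
    path: non-ASCII code points (homoglyphs) or the '?' a log viewer shows in
    their place. Assumption: legitimate autorun paths here are plain ASCII."""
    return any(ch == "?" or ord(ch) > 126 for ch in text)


def check_entry(code, body):
    """Return the list of reasons one HijackThis entry looks suspicious."""
    reasons = []
    if body.endswith("(file missing)"):
        # The registry still points at a DLL that is gone: an orphaned hook,
        # typical of a half-removed infection (the Vundo leftovers above).
        reasons.append("registered file is missing")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("BHO with no registered name")
    if code in ("O2", "O4", "O20"):
        for path in PATH_RE.findall(body):
            if suspicious_chars(path):
                reasons.append(f"non-ASCII or '?' in path: {path}")
                break
    return reasons


def triage(log_text):
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, 'Running processes', blank lines
        reasons = check_entry(m["code"], m["body"])
        if reasons:
            findings.append(Finding(m["code"], line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as-is it prints the four entries a helper would ask to have fixed and leaves the DriveLetterAccess BHO, the QuickTime autorun and the McAfee service alone. The checks are deliberately narrow: a missing file or an unnamed BHO is not proof of infection on its own, which is why each finding carries its reasons for a human to weigh, just as the helper did here.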
OK, I deleted the 2 entries. I do use netmeeting.
The system is running great! Thank you soooooo much, you rock!
Steve
You're very welcome Steve. :) Here are some tips and free tools for you to install to help keep you more secure.
System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Reboot your computer
Turn ON System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.
Create a new Restore Point <-- Very Important
Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point.
System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it
How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
Tom Coyote (http://forums.tomcoyote.org/index.php?showtopic=48151)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)
Here are some free programs to install; don't leave home without them.
Spybot Search and Destroy 1.4 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.
Ad-Aware 2007 7.0.1.5 (http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button)
Check for Updates and run a Full System Scan on a regular basis.
Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.
Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.
Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.
IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.
Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free firewall from Zone Labs; I wouldn't access the internet without it.
Thanks for stopping by Safer Networking, I'm glad I was able to help you.
You're very welcome Steve :bigthumb:
Glad we could help. As the problem appears to be resolved, this topic has been archived.
If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.