ajdnjhfonmco.exe ...virus?

I recently formatted and I have mcafee VS installed. Recently I've been getting a very weird error msg. Ever once in a while for no apparent reason (pops up when I'm doing different things) I get this:

http://members.rogers.com/j3ko/images/error.bmp
http://members.rogers.com/j3ko/images/error2.bmp

Its normally ajdnjhfonmco.exe but once in a blue moon I'll get something like "cadfdsffsdflkjl.exe" anyone know what could cause this? I did a search and the only file with ajdnjhfonmco was one in the winxp precache folder. Does this sound familiar to anyone as a virus or trojan? I really want to find the cause of this...any help is appreciated!

 

Download both Spybot and Ad-aware from the links in my signature. Install, immediately update and run both. Delete what they find. Download and run CWShredder, with ALL other windows closed, using the fix button. Do some online virus scans. eTrust in my sig.

RAV

Housecall

Incidentally, C:\Windows\prefetch is basically an index of programs recently accessed and provides faster loading of said programs upon next use. You can safely select all and delete everything inside of that folder.

 

Yes
After both of those online scans and Adaware & SpyBot
Post a hijackthis log, heres how.
=========
Post a log from HijackThis so our forum members can see
what's going on. The current version is 1.97.7 [created by merijn bellekom]
Most of what it lists will be harmless, even essential,DON'T fix anything yet please.

Firt make a new folder, for instance C:Antispyware

Get it here http://radiosplace.com/ choose save, NOT OPEN
Save it to that new folder, double-click HijackThis.exe,
and hit "Scan ". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, It will load it in Notepad, and copy its contents here.
Close hijackthis and notepad.


If you've used it before please dont have anything excluded

 

ok, I ran the spyware software and the adware software...didn't find much but a couple of dataminers...I cant seem to dl cwshredder or hijackthis. All the mirrors dont work either...is it me or are they all down?

 

Try right click save as on this link
http://www.allsecpros.com/download/HijackThis.exe

If that wont work for you PM me with your email address and I will send it

 

See if this direct download works. And this one. Might even try right click>save target.

 

yup tried those don't work...do they work for you? Just hangs on the downloading file window and the status bar doesn't move.

 

Yes they work for me.

Here is a Hosts File Reader, which will find and allow you to delete one that may be blocking you from these downloads. You can also reset the default. If it won't download either, or doesn't find one blocking access, I can email you a copy of HJT and CWShredder also. Private Message me with your address.

 

Email should be there. Good luck!

 

cool thanks just ran both...CWShredder didn't find anything and here's my hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 2:30:11 PM, on 06/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\ATI Multimedia\main\ATISched.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\mysql\bin\winmysqladmin.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\inetsrv\DavCData.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BPFTP Server\G6FTPSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
O4 - HKCU\..\Run: [ATI Scheduler] C:\Program Files\ATI Multimedia\main\ATISched.EXE
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38047.4983333333
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8DBF90BE-36D3-4459-88FC-FEDB2DC2C30A}: NameServer = 24.153.23.66,24.153.22.67

edit note - I remove the code tabs. Didn't like the way it handled the long lines in this version of the bbs software. - Newt

 

Nothing stands out I can see

Would you make(and post) a log with all your program's you normaly have running running, when those two strange proccess's show in task manger please ?

also find and get the property's and version info to

Did you go get those online scans ? if so what did they find and where ?


and did you use the Hosts File Reader to reset to default's ?


wait the other's will or might have an idea or two to

 

I see nothing out of the ordinary either. A google on rtcll.dll comes up with nothing. I would include that and any other dll noted with these popups in with Lonny's suggestion of finding and getting properties and version info. I would also move them when found, to another location and see if problems persist, delete if all is well. If you are unable to d/l the hosts file reader, search the drive for HOSTS. Include hidden files. You can open them with notepad. Also, check the links here provided by PeteC to see if anything helps with the d/l problem.

 

well I found the problem just so you guys know, it turns out it was a trojan from who know's where. Here's the Mcafee virus profile of it: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=122414

for some reason it also stopped me from intalling activex controls and it was related to my dl problems

Thanks for all your help!

 

Good to hear you got it cleaned up. Thanks for posting back.