help with hijackthis

Discussion in 'Windows - Virus and spyware problems' started by ellegon18, Apr 28, 2008.

  1. ellegon18

    ellegon18 Member

    Joined:
    May 21, 2007
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    16
    Hello all. Having a bit of a problem with my computer. Antivirus says I have the vundo trojan and sd it was cleaned. Then tried the online virus scanner and sd still there and unable to clean. tried smitfraud, vundofix cant find anything, and ad-aware but still getting the constant popups. here is a copy of my hijackthis log. if anyone could help, it would be greatly appreciated.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:08:01 PM, on 4/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ICO.EXE
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\WINDOWS\system32\Pelmiced.exe
    C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
    O4 - HKLM\..\Run: [UC_Start] C:\IBMTools\Updater\ucstartup.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\jbuser\Local Settings\Temporary Internet Files\Content.IE5\ITGFY9M5\setup_sbd_en[1].exe
    O4 - HKLM\..\Run: [648635e8] rundll32.exe "C:\WINDOWS\system32\qvxcwctw.dll",b
    O4 - HKLM\..\Run: [BM67b50674] Rundll32.exe "C:\WINDOWS\system32\rqhywvpx.dll",s
    O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra 'Tools' menuitem: IBM Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\IBM\Java141\jre\bin\NPJPI141.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [JAVA_IBM] Java (IBM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://discover/securearea/Reports/ReportFiles/ScriptX.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://webvpn.dayjet.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by4fd.bay4.hotmail.msn.com/resources/MsnPUpld.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 5393 bytes
     
    ellegon18, Apr 28, 2008
    #1
  2. ellegon18

    ellegon18 Member

    Joined:
    May 21, 2007
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    16
    Does anyone know of someplace else that might be able to help? Getting kinda desperate here. Thanks again for any help.
     
    ellegon18, May 1, 2008
    #2
  3. Chad_D

    Chad_D Member

    Joined:
    May 5, 2008
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    11
    To start, I don't like the following:

    O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\jbuser\Local Settings\Temporary Internet Files\Content.IE5\ITGFY9M5\setup_sbd_en[1].exe

    O4 - HKLM\..\Run: [648635e8] rundll32.exe "C:\WINDOWS\system32\qvxcwctw.dll",b

    O4 - HKLM\..\Run: [BM67b50674] Rundll32.exe "C:\WINDOWS\system32\rqhywvpx.dll",s

    Start with those and post another log.

    Edit: Take this out if you dont recognize it.

    O16 - DPF: {264AED84-12F1-4CA1-8AA7-EB939AE58D8D} (STCWeb Control) - https://webvpn.dayjet.com/CACHE/webvpn/stc/1/binaries/stcweb.cab
     
    Last edited: May 5, 2008
    Chad_D, May 5, 2008
    #3
  4. ellegon18

    ellegon18 Member

    Joined:
    May 21, 2007
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    16
    Thank you for responding. I went to another site and they were able to help me. Thanks again for taking the time to look.
     
    ellegon18, May 6, 2008
    #4

Share This Page