
Virtumumdo? & Disappearing Icons/ Taskbar


1 reply to this topic

#1 indiarts
Posted 08 March 2008 - 11:03 PM

I keep getting reinfected with Vundo variants even though I have run Vundo Fix and VirtumundoBe Gone. I believe that this is what is causing Explorer and my desktop to disappear and reappear (when they are quarantined by AVG it stops).

Even so, there is something that is using a lot of CPU power and making my computer run slow. I have an HP Pavilion laptop with a 1.66G INTEL 2300 dual core proc. Task Manager is showing 100% CPU usage right now. Plus, my version of Windows no longer seems validated.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:11:22 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\kmw_run.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\KMW_SHOW.EXE
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Allway Sync\bin\syncappw.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\MSPRIN~1\LOCALS~1\Temp\RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 129.41.63.81 mail-01
O1 - Hosts: 129.41.63.81 mail-01.atlarge.net
O1 - Hosts: 129.41.63.215 mail-02ps
O1 - Hosts: 129.41.63.215 mail-02ps.atlarge.net
O1 - Hosts: 129.41.63.30 mail-10ps
O1 - Hosts: 129.41.63.30 mail-10ps.atlarge.net
O1 - Hosts: 129.41.63.206 mail-11ps
O1 - Hosts: 129.41.63.206 mail-11ps.atlarge.net
O1 - Hosts: 129.41.63.62 mail-12ps
O1 - Hosts: 129.41.63.62 mail-12ps.atlarge.net
O1 - Hosts: 129.41.63.106 mail-13ps
O1 - Hosts: 129.41.63.106 mail-13ps.atlarge.net
O1 - Hosts: 129.41.63.113 mail-14ps
O1 - Hosts: 129.41.63.113 mail-14ps.atlarge.net
O1 - Hosts: 129.41.63.124 mail-15ps
O1 - Hosts: 129.41.63.124 mail-15ps.atlarge.net
O1 - Hosts: 129.41.63.14 mail-16ps
O1 - Hosts: 129.41.63.14 mail-16ps.atlarge.net
O1 - Hosts: 129.41.63.96 mail-17ps
O1 - Hosts: 129.41.63.96 mail-17ps.atlarge.net
O1 - Hosts: 129.41.63.89 mail-18ps
O1 - Hosts: 129.41.63.89 mail-18ps.atlarge.net
O1 - Hosts: 129.41.63.223 mail-19ps
O1 - Hosts: 129.41.63.223 mail-19ps.atlarge.net
O1 - Hosts: 129.41.63.28 mail-20ps
O1 - Hosts: 129.41.63.28 mail-20ps.atlarge.net
O1 - Hosts: 129.41.63.68 mail-21ps
O1 - Hosts: 129.41.63.68 mail-21ps.atlarge.net
O1 - Hosts: 129.41.63.169 mail-22ps.atlarge.net
O1 - Hosts: 129.41.63.169 mail-22ps
O1 - Hosts: 129.41.63.50 mail-23ps.atlarge.net
O1 - Hosts: 129.41.63.50 mail-23ps
O1 - Hosts: 129.41.63.51 mail-24ps.atlarge.net
O1 - Hosts: 129.41.63.51 mail-24ps
O1 - Hosts: 170.224.231.41 mail-25ps.atlarge.net
O1 - Hosts: 170.224.231.41 mail-25ps
O1 - Hosts: 170.224.231.224 mail-26ps.atlarge.net
O1 - Hosts: 170.224.231.224 mail-26ps
O1 - Hosts: 129.41.63.239 mail-27ps
O1 - Hosts: 129.41.63.239 mail-27ps.atlarge.net
O1 - Hosts: 129.41.63.112 mail-28ps
O1 - Hosts: 129.41.63.112 mail-28ps.atlarge.net
O1 - Hosts: 129.41.63.105 mail-29ps
O1 - Hosts: 129.41.63.105 mail-29ps.atlarge.net
O1 - Hosts: 129.41.63.225 mail-30ps
O1 - Hosts: 129.41.63.225 mail-30ps.atlarge.net
O1 - Hosts: 129.41.63.45 mail-31ps
O1 - Hosts: 129.41.63.45 mail-31ps.atlarge.net
O1 - Hosts: 129.41.63.36 mail-32ps
O1 - Hosts: 129.41.63.36 mail-32ps.atlarge.net
O1 - Hosts: 129.41.63.38 mail-33ps
O1 - Hosts: 129.41.63.38 mail-33ps.atlarge.net
O1 - Hosts: 129.41.63.22 mail-34ps
O1 - Hosts: 129.41.63.22 mail-34ps.atlarge.net
O1 - Hosts: 129.41.63.93 mail-35ps
O1 - Hosts: 129.41.63.93 mail-35ps.atlarge.net
O1 - Hosts: 170.224.231.143 CHI1SGRS001.atlarge.net
O1 - Hosts: 129.41.63.139 aquilex-01-ex.atlarge.net
O1 - Hosts: 129.41.63.139 aquilex-01-ex
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Allway Sync] "C:\Program Files\Allway Sync\bin\syncappw.exe" /m
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Shortcut to DateInTray.exe.lnk = C:\Program Files\DateInTray\DateInTray.exe
O4 - Global Startup: Allway Sync.lnk = C:\Program Files\Allway Sync\Bin\syncappw.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PDFill PDF Editor - {FB858B22-55E2-413f-87F5-30ADC5552151} - C:\Program Files\PlotSoft\PDFill\\DownloadPDF.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://C:\Program Files\AutoCAD LT 2000i\AcPreview.ocx
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 9842 bytes

#2 Grinler

Lawrence Abrams
Posted 27 March 2008 - 10:16 AM

I apologize for the very long delay. We have a huge backlog of HijackThis Logs to handle and it has been taking us greater time than normal to get caught up. If you are still having a problem, and want us to analyze your information, please post a brand new hijackthis log. If we do not hear back from you within a couple of days we will need to close your topic.

When posting your logs please post them directly into the reply. Do not attach them.

Also make sure you have already followed the steps outlined below:

Preparation Guide For Use Before Posting A Hijackthis Log

Thank you for your patience.
