SecThought.E

Discussion in 'adware, spyware & hijack cleaning' started by seedlebug, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. seedlebug

    seedlebug Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    1
    I really need some help. I have AVG 6.0 and a window keeps popping up saying that I have SecThought.E. I have deleted my temporary internet files and run the virus scan again, and it doesn't find anything. I have set my Ad-aware and Spybot Search and Destroy to the standards that this site recommended. I have read all of the posts regarding this issue, and followed through on them. But nevertheless I still get the pop-up. I downloaded the Highjacker program and I have my log from that:

    Logfile of HijackThis v1.98.0
    Scan saved at 11:48:02 AM, on 7/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINDOWS\System32\hvmnmdp.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe
    C:\Program Files\Ahead\NeroVision\NeroVision.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    C:\Program Files\HijackThis.exe

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Winsock2 driver] hvmnmdp.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab

    If someone could help me I would really be thankful. Thank you so much.
    -Seedlebug

    Just a little more information... I have Windows XP, and I have already disabled my restore files. Also went into Safe Mode and ran TDS trojan seeker, and it only found one thing that was related to Spybot, and also I ran my virus scan while I was in there. It also came up with nothing.
     
    Last edited: Jul 2, 2004
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Seedlebug,

    Before you start, create a permanent folder for HijackThis and move HijackThis.exe into the permanent folder.

    Place a check beside the following items in HijackThis.
    Close all windows except HijackThis, and click Fix checked:

    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    (This is broadband troubleshooting software and not needed at start-up. You may want to consider removing it through Add/Remove Programs.
    For more information see: http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/ )

    O4 - HKLM\..\Run: [Winsock2 driver] hvmnmdp.exe

    (This one is not bad, but it is a resource hog, and it is recommended that you fix it.)
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    Make sure you have all files and folders viewable:
    How to Show Hidden Files and Folders

    Reboot your computer into Safe Mode by tapping the F8 key just before Windows begins to load.

    Locate the hvmnmdp.exe file in the C:\Windows\System32 folder, zip up a copy of it (password-protect it and use the word infected as the password) and email the zipped copy of the file to pieterATwilderssecurity.org (replace the AT with an @) for analysis. In the body of the email message, state that the password is "infected" and include a link to this thread, so Pieter will be able to find it easily. Can you also submit a zipped copy to submit@diamondcs.com.au?

    Also, upload the file to Kaspersky for a scan, and post back here what the scan results are.

    Then delete the hvmnmdp.exe file.

    Use the Disk Cleanup Utility to clean out your Temp folders: Disk Cleanup Utility

    Reboot your computer normally, and do a FULL system scan at one of these on-line scan sites: Free Services

    Once your computer is clean, remember to reset a new Restore Point.

    Post a new log here to be checked.

    Regards,

    snap

    Symantec Reference for more information: sdbot.t
     
    Last edited: Jul 2, 2004
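The tell in the log above is the O4 entry [Winsock2 driver] hvmnmdp.exe: every other Run value names its executable by full path, while this one gives a bare file name, so Windows has to find it by searching, and the only way to learn where it actually lives is to match the name against the "Running processes:" section (which is why the reply sends the poster to C:\Windows\System32). The script below is an added example for readers of this thread, not code from the thread, from HijackThis or from Wilders; it parses a constructed excerpt of the posted log, flags Run values that launch a path-less executable, and resolves each one to the full path seen in the running-process list so you know which file to submit for analysis. Function names and the SAMPLE_LOG excerpt are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed excerpt of the HijackThis log posted in this thread: only the
# two sections the checker needs (running processes and O4 Run values).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\hvmnmdp.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\HijackThis.exe

O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [Winsock2 driver] hvmnmdp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# "O4 - HKLM\..\Run: [label] command"  (Global Startup shortcuts use another form)
O4_RE = re.compile(r'^O4 - (?P<key>HK\w+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
# The executable is either quoted or runs up to the first ".exe"; arguments follow.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)


class Finding(NamedTuple):
    registry_key: str              # HKLM or HKCU
    label: str                     # the Run value name, e.g. "Winsock2 driver"
    exe: str                       # executable exactly as written in the Run value
    resolved_path: Optional[str]   # full path from the running-process list, if it is running


def parse_running_processes(log: str) -> Dict[str, str]:
    """Map lower-cased executable basename -> full path from the 'Running processes:' block."""
    procs: Dict[str, str] = {}
    in_section = False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line:          # blank line ends the section
                break
            procs[line.rsplit("\\", 1)[-1].lower()] = line
    return procs


def parse_run_entries(log: str) -> List[Tuple[str, str, str]]:
    """Return (registry key, label, executable) for every O4 Run value in the log."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        e = EXE_RE.match(m.group("cmd"))
        if e:
            entries.append((m.group("key"), m.group("label"), e.group("exe")))
    return entries


def has_directory(exe: str) -> bool:
    """True when the Run value names the file by path rather than by bare file name."""
    return "\\" in exe or ":" in exe


def find_pathless_run_entries(log: str) -> List[Finding]:
    """Flag Run values that start a bare file name and locate the file via the process list."""
    procs = parse_running_processes(log)
    return [
        Finding(key, label, exe, procs.get(exe.lower()))
        for key, label, exe in parse_run_entries(log)
        if not has_directory(exe)
    ]


if __name__ == "__main__":
    for f in find_pathless_run_entries(SAMPLE_LOG):
        where = f.resolved_path or "not found among running processes"
        print(f"{f.registry_key} Run value [{f.label}] starts {f.exe!r} with no path; on disk at: {where}")
```

A path-less Run value is not proof of malware on its own, but it is the thing to look at first in a log like this, and resolving it through the process list gives the exact file to zip and submit, as the reply asks. Run values whose executable is not currently running come back with resolved_path set to None, which is itself worth noting.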