Hello,
I just began working on a computer an found several viruses and malware. I believe the sys
Running processes:
C:\WINDOWS\System32\smss.e
xe
C:\WINDOWS\system32\winlog
on.exe
C:\WINDOWS\system32\servic
es.exe
C:\WINDOWS\system32\lsass.
exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\System32\svchos
t.exe
C:\WINDOWS\system32\svchos
t.exe
C:\WINDOWS\system32\spools
v.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
iceService
.exe
C:\Program Files\Symantec\pcAnywhere\
awhost32.e
xe
C:\WINDOWS\system32\proper
.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\GE\GE 97990 RF Optical Mouse\Ver5.3\MOUSE32A.EXE
C:\Program Files\ScanSoft\PaperPort\p
ptd40nt.ex
e
C:\Program Files\Brother\ControlCente
r2\brctrce
n.exe
C:\PROGRA~1\Yahoo!\browser
\ybrwicon.
exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\ctfmon
.exe
C:\PROGRA~1\Yahoo!\browser
\ycommon.e
xe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QB
Update\qbu
pdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
ngr.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\System32\snmp.e
xe
C:\WINDOWS\System32\svchos
t.exe
C:\Program Files\Viewpoint\Common\Vie
wpointServ
ice.exe
C:\WINDOWS\system32\fxssvc
.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\sessmg
r.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm
12.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digi
tal Imaging\Bin\hpoFXM08.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\PROGRA~1\Lavasoft\AD-AW
A~1\Ad-Awa
re.exe
C:\Program Files\Trend Micro\HijackThis\HijackThi
s.exe
R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Default_Page
_URL =
http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\In
ternet Explorer\Main,Search Bar =
http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.htmlR1 - HKCU\Software\Microsoft\Wi
ndows\Curr
entVersion
\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5
838F569A31
D} - C:\Program Files\MyWebSearch\SrchAstt
\1.bin\MWS
SRCAS.DLL
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper
.exe
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5
838F569A31
D} - C:\Program Files\MyWebSearch\SrchAstt
\1.bin\MWS
SRCAS.DLL
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7
695ECA0567
0} - C:\Program Files\Yahoo!\Companion\Ins
talls\cpn\
yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-7
84B7D6BE0B
3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.d
ll
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-1
70DE4475CC
A} - C:\Program Files\MyWebSearch\bar\1.bi
n\MWSBAR.D
LL
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2
FC0DE4A789
7} - C:\PROGRA~1\Yahoo!\Common\
yiesrvc.dl
l
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D
426709BBFE
B} - C:\PROGRA~1\SPYWAR~1\tools
\iesdsg.dl
l
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-1
45C4502FA2
0} - C:\WINDOWS\system32\nnnmkk
k.dll
O2 - BHO: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-3
3D12D468BF
0} - C:\Program Files\alot\bin\alot.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-E
D428FAE904
3} - C:\Program Files\ISM\BndDrive5.dll
O2 - BHO: (no name) - {CE4B0FDE-E60B-4DC6-B684-3
35298A46BC
F} - C:\WINDOWS\system32\geebb.
dll
O2 - BHO: IEHlprObjClass - {CE7C3CF0-4B15-11D1-ABED-7
09549C1000
0} - C:\Program Files\Kensington\MouseWork
s\IE_SPY.D
LL (file missing)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-3
9B826B492F
1} - C:\WINDOWS\system32\bronto
.dll
O2 - BHO: (no name) - {E64F0381-0053-4842-B3E5-0
8F6C4A0AEB
6} - C:\WINDOWS\system32\sjxsen
ca.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A
6CCDF9CBF6
D} - C:\Program Files\Yahoo!\browser\YSide
barIEBHO.d
ll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0
090271D4F8
8} - C:\Program Files\Yahoo!\Companion\Ins
talls\cpn\
yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-1
70DE4475CC
A} - C:\Program Files\MyWebSearch\bar\1.bi
n\MWSBAR.D
LL
O3 - Toolbar: ALOT eMusic Toolbar - {8260C2B8-E0D1-448a-B062-3
3D12D468BF
0} - C:\Program Files\alot\bin\alot.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\GE\GE 97990 RF Optical Mouse\Ver5.3\MOUSE32A.EXE
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgd
update.exe
" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\p
ptd40nt.ex
e
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrS
tDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCente
r2\brctrce
n.exe /autorun
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser
\ybrwicon.
exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe
" -atboottime
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter
.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] "C:\PROGRA~1\SYMANT~1\VPTr
ay.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon
.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter
.exe
O4 - HKUS\S-1-5-21-1335466659-3
12565664-2
426259739-
1009\..\Ru
n: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe
" /background (User 'QBDataServiceUser')
O4 - Startup: infos.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpqtra08.exe
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digi
tal Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QB
Update\qbu
pdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlma
ngr.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O7 - HKCU\Software\Microsoft\Wi
ndows\Curr
entVersion
\Policies\
System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Wi
ndows\Curr
entVersion
\Policies\
System, DisableRegedit=1
O8 - Extra context menu item: &Search -
http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=zuzeb004YYUSO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4
\ART\Offic
e12\EXCEL.
EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\WINDOWS\system32\msjava
.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-0
0401C60850
1} - C:\WINDOWS\system32\msjava
.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5
663EE0C6C4
9} - C:\PROGRA~1\MICROS~4\ART\O
ffice12\ON
BttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5
663EE0C6C4
9} - C:\PROGRA~1\MICROS~4\ART\O
ffice12\ON
BttnIE.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2
FC0DE4A789
7} - C:\PROGRA~1\Yahoo!\Common\
yiesrvc.dl
l
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-4
7cb894244c
d} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-4
7cb894244c
d} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3
C9C571A826
3} - C:\PROGRA~1\MICROS~4\ART\O
ffice12\RE
FIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-0
0C0F0318AF
E} - C:\WINDOWS\System32\Shdocv
w.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f
2ba3849658
3} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-0
0C04F79568
3} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=
http://www.emachines.comO16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0
E3A5CAA8CD
8} (Office Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=67633O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
E41684E07B
B} -
http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cabO16 - DPF: {30528230-99f7-4bb4-88d8-f
a1d4f56a2a
b} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsth
elper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D
8356294013
4} (MySpace Uploader Control) -
http://lads.myspace.com/upload/MySpaceUploader.cabO16 - DPF: {640B39C1-D713-464F-92C3-7
5BD972B95E
E} -
http://www.sidestep.com/get/k42037/sb02b.cabO16 - DPF: {8B6193F1-837F-11D4-89E6-0
050DA66618
4} (Sol2axctl Class) -
http://download.solitaire.com/download/solitaire.cabO16 - DPF: {E473A65C-8087-49A3-AFFD-C
5BC4A10669
B} (Quantum Streaming IE Player Class) -
http://mvnet.xlontech.net/qm/fox/06071909/qsp2ie06071909.cabO20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.
dat
O20 - Winlogon Notify: nnnmkkk - C:\WINDOWS\SYSTEM32\nnnmkk
k.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDev
iceService
.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\
awhost32.e
xe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver
\1050\Inte
l 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService
.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm
12.exe
O23 - Service: QuickBooksDB - Intuit, Inc. - C:\PROGRA~1\Intuit\QUICKB~
1\QBDBMgrN
.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\Vie
wpointServ
ice.exetem
is infected with vundo (nnnmkkk.dll and skuns.dat) here's the hijack log:
Thanks
Start Free Trial
