Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Back Door Troajns - TagSaurus

Started by itstime4me , Dec 30 2007 05:46 PM

  • Please log in to reply

#1
itstime4me
Posted 30 December 2007 - 05:46 PM

itstime4me

    New Member

  • Member
  • Pip
  • 8 posts
Hi!!!

My Computer got infected with Trojans and spyware by name "SearchUS" and "tagASaurus".
Please find attached the Hijackthis log and help in removing the spyware as soon as possible.
As this is my office Laptop, immediate help is requested.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:36 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora_client\bin\omtsreco.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.merck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webconfig.mer...om/merckie6.ins
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CurrentUserRegistryUpdate] C:\core\local\CurrentUserRegistryUpdate.EXE
O4 - HKLM\..\Run: [MRLOverlay] C:\core\utils\MRLOverlay.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9
B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - .DEFAULT User Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: Keyflow ProForms Client - file://C:\PROGRA~1\GLOBAL~1\KEYFLO~1\Program\KEYFLO~1.CAB
O16 - DPF: {38229E67-8867-418B-8AFC-2E0E68E99478} (Merck.WebInstall) - http://softwareondem...allui/Merck.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} (Java Plug-in 1.3.1_16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = merck.com
O17 - HKLM\Software\..\Telephony: DomainName = merck.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = merck.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, a division of EMC. - C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora_client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown owner - C:\oracle\ora_client\BIN\ONRSD.EXE
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8661 bytes
  • 0

Advertisements

#2
itstime4me
Posted 30 December 2007 - 05:56 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Symantec Scan Gets failed
It doesnt allow the Trend Anti spyware, Windows Defender to get Installed.
Unknown Error prevented from installing is the message shown.
  • 0

#3
sarahw
Posted 30 December 2007 - 06:04 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Welcome to the site

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.
These instuctions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)
  • 0

#4
sarahw
Posted 30 December 2007 - 06:08 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#5
itstime4me
Posted 30 December 2007 - 06:17 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
The new Log ...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:14:31 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora_client\bin\omtsreco.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\explorer.exe
C:\Program Files\Documentum\Shared\dcathmgr.exe
C:\Program Files\Documentum\Shared\dcevtsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.merck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webconfig.mer...om/merckie6.ins
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CurrentUserRegistryUpdate] C:\core\local\CurrentUserRegistryUpdate.EXE
O4 - HKLM\..\Run: [MRLOverlay] C:\core\utils\MRLOverlay.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9
B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - .DEFAULT User Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: Keyflow ProForms Client - file://C:\PROGRA~1\GLOBAL~1\KEYFLO~1\Program\KEYFLO~1.CAB
O16 - DPF: {38229E67-8867-418B-8AFC-2E0E68E99478} (Merck.WebInstall) - http://softwareondem...allui/Merck.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} (Java Plug-in 1.3.1_16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = merck.com
O17 - HKLM\Software\..\Telephony: DomainName = merck.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = merck.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, a division of EMC. - C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora_client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown owner - C:\oracle\ora_client\BIN\ONRSD.EXE
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 8677 bytes
  • 0

#6
itstime4me
Posted 30 December 2007 - 06:26 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Deckard's System Scanner v20071014.68
Run by aitha on 2007-12-30 19:18:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2007-12-31 00:18:23 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as aitha.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:11 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora_client\bin\omtsreco.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\explorer.exe
C:\Program Files\Documentum\Shared\dcathmgr.exe
C:\Program Files\Documentum\Shared\dcevtsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\aitha\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\aitha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.merck.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webconfig.mer...om/merckie6.ins
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - C:\WINDOWS\system32\rqrrpoo.dll
O2 - BHO: (no name) - {31FCB080-4452-4F83-87D9-646298607D22} - C:\WINDOWS\system32\iifee.dll
O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CurrentUserRegistryUpdate] C:\core\local\CurrentUserRegistryUpdate.EXE
O4 - HKLM\..\Run: [MRLOverlay] C:\core\utils\MRLOverlay.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9
B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - .DEFAULT User Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: Keyflow ProForms Client - file://C:\PROGRA~1\GLOBAL~1\KEYFLO~1\Program\KEYFLO~1.CAB
O16 - DPF: {38229E67-8867-418B-8AFC-2E0E68E99478} (Merck.WebInstall) - http://softwareondem...allui/Merck.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} (Java Plug-in 1.3.1_16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = merck.com
O17 - HKLM\Software\..\Telephony: DomainName = merck.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = merck.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rqrrpoo - C:\WINDOWS\SYSTEM32\rqrrpoo.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, a division of EMC. - C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora_client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown owner - C:\oracle\ora_client\BIN\ONRSD.EXE
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9589 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 ClntMgmt.sys (ClntMgmt) - c:\windows\system32\drivers\clntmgmt.sys <Not Verified; Compaq Computer Corp; Compaq Client Management Driver>
R1 EABFiltr - c:\windows\system32\drivers\eabfiltr.sys <Not Verified; Compaq Computer Corp.; Easy Access Button Utility>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 cpqdfw (Diagnostics Driver) - c:\windows\system32\drivers\cpqdfw.sys
R2 cq_mem (Diagnostics Memory Driver) - c:\windows\system32\drivers\cq_mem.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 cqcpu (Diagnostics CPU Driver) - c:\windows\system32\drivers\cqcpu.sys <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
R2 Scap (SecureClient Application Policy Module) - c:\windows\system32\drivers\scap.sys <Not Verified; Check Point Software Technologies; desktop>
R2 VPN-1 (VPN-1 Module) - c:\windows\system32\drivers\vpn.sys <Not Verified; Check Point Software Technologies; vpn1>

S2 LMIInfo (LogMeIn Kernel Information Provider) - c:\program files\logmein\x86\rainfo.sys (file missing)
S3 eabusb - c:\windows\system32\drivers\eabusb.sys <Not Verified; Compaq Computer Corp.; Easy Access Button Utility>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Documentum Desktop Component Installer - c:\program files\documentum\shared\dccomponentinstaller.exe <Not Verified; Documentum, a division of EMC.; Documentum Desktop>
R2 OracleMTSRecoveryService - c:\oracle\ora_client\bin\omtsreco.exe "oraclemtsrecoveryservice" <Not Verified; Oracle Corporation; Oracle MTS Recovery Service>
R2 Reflection TimeSync - "c:\program files\reflection\rtsserv.exe" <Not Verified; WRQ, Inc.; Reflection TimeSync>
R2 SR_Service (Check Point SecuRemote Service) - "c:\program files\checkpoint\securemote\bin\sr_service.exe" <Not Verified; Check Point Software Technologies; VPN-1 SecuRemote/SecureClient>
R2 SR_WatchDog (Check Point SecuRemote WatchDog) - "c:\program files\checkpoint\securemote\bin\sr_watchdog.exe" <Not Verified; Check Point Software Technologies; desktop>

S3 OracleOra_Client_HomeClientCache - c:\oracle\ora_client\bin\onrsd.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6BDD1FC5-810F-11D0-BEC7-08002BE2092F}
Description: SMC IrCC - Fast Infrared Port
Device ID: ACPI\SMCF010\5&2074B54B&0
Manufacturer: SMC
Name: SMC IrCC - Fast Infrared Port
PNP Device ID: ACPI\SMCF010\5&2074B54B&0
Service: SMCIRDA

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VPN-1 SecureClient Adapter
Device ID: ROOT\NET\0000
Manufacturer: Check Point
Name: VPN-1 SecureClient Adapter
PNP Device ID: ROOT\NET\0000
Service: OMVA


-- Files created between 2007-11-30 and 2007-12-30 -----------------------------

2007-12-30 18:23:15 0 d-------- C:\Program Files\Trend Micro
2007-12-30 16:31:22 0 d-------- C:\Program Files\Microsoft Silverlight
2007-12-30 12:42:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2007-12-30 12:30:46 8791 --ahs---- C:\WINDOWS\system32\eefii.ini2
2007-12-30 12:30:00 349696 --a------ C:\WINDOWS\system32\iifee.dll
2007-12-30 12:28:02 0 d-------- C:\Program Files\Spruce
2007-12-30 12:22:31 39936 --a------ C:\WINDOWS\system32\rqrrpoo.dll
2007-12-30 12:22:02 0 d-------- C:\WINDOWS\system32\ardCo02
2007-12-28 15:23:34 0 d--h----- C:\Documents and Settings\goelg\Templates
2007-12-28 15:23:34 0 dr------- C:\Documents and Settings\goelg\Start Menu
2007-12-28 15:23:34 0 d--h----- C:\Documents and Settings\goelg\SendTo
2007-12-28 15:23:34 0 dr-h----- C:\Documents and Settings\goelg\Recent
2007-12-28 15:23:34 0 d--h----- C:\Documents and Settings\goelg\PrintHood
2007-12-28 15:23:34 1048576 --ah----- C:\Documents and Settings\goelg\NTUSER.DAT
2007-12-28 15:23:34 0 d--h----- C:\Documents and Settings\goelg\NetHood
2007-12-28 15:23:34 0 dr------- C:\Documents and Settings\goelg\My Documents
2007-12-28 15:23:34 0 d--h----- C:\Documents and Settings\goelg\Local Settings
2007-12-28 15:23:34 0 dr------- C:\Documents and Settings\goelg\Favorites
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Desktop
2007-12-28 15:23:34 0 d---s---- C:\Documents and Settings\goelg\Cookies
2007-12-28 15:23:34 0 dr-h----- C:\Documents and Settings\goelg\Application Data
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\Sun
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\Real
2007-12-28 15:23:34 0 d---s---- C:\Documents and Settings\goelg\Application Data\Microsoft
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\Macromedia
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\Identities
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\ICAClient
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\Application Data\Adobe
2007-12-28 15:23:34 0 d-------- C:\Documents and Settings\goelg\.java
2007-12-27 09:26:57 0 d-------- C:\WINDOWS\ms
2007-12-19 17:05:48 212992 --a------ C:\WINDOWS\troy44.exe <Not Verified; ; troy44>
2007-12-16 23:05:18 0 d-------- C:\Documents and Settings\aitha\Application Data\Help
2007-12-10 20:37:19 0 d-------- C:\ans
2007-12-06 20:20:49 0 d-------- C:\Documents and Settings\aitha\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2007-12-30 18:19:43 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-27 10:43:10 0 d-------- C:\Documents and Settings\aitha\Application Data\Quest Software
2007-11-24 01:52:35 0 d-------- C:\Documents and Settings\aitha\Application Data\vlc
2007-11-23 23:36:07 0 d-------- C:\Program Files\VideoLAN
2007-11-19 10:33:51 447576 --ahs---- C:\WINDOWS\system32\badgh.ini2
2007-11-19 09:56:24 0 d-------- C:\Program Files\SUPERAntiSpyware
2007-11-19 09:56:01 0 d-------- C:\Program Files\Common Files
2007-11-19 09:56:01 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-18 23:56:06 3242 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-18 18:55:08 72865 --a------ C:\WINDOWS\system32\wwlbypmm.dll
2007-10-31 09:52:43 0 d-------- C:\Program Files\DynGate
2007-10-03 23:36:46 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}]
12/30/2007 12:22 PM 39936 --a------ C:\WINDOWS\system32\rqrrpoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31FCB080-4452-4F83-87D9-646298607D22}]
12/30/2007 12:30 PM 349696 --a------ C:\WINDOWS\system32\iifee.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
11/29/2007 10:28 AM 401408 --a------ C:\Program Files\Spruce\Spruce.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/21/2005 12:33 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [05/26/2006 10:51 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Distillr\Acrotray.exe" [01/12/2006 07:52 PM]
"@"="" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 09:32 PM]
"IMEKRMIG6.1"="C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE" [08/23/2001 05:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/03/2004 09:31 PM]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/01/2002 02:43 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/01/2002 02:43 PM]
"AGRSMMSG"="AGRSMMSG.exe" [05/30/2003 04:01 PM C:\WINDOWS\AGRSMMSG.exe]
"hkss"="C:\Program Files\Compaq\Hotkey Software\hkss.exe" [09/19/2002 01:30 PM]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [04/09/2002 10:49 AM]
"CurrentUserRegistryUpdate"="C:\core\local\CurrentUserRegistryUpdate.EXE" [01/25/2007 02:50 PM]
"MRLOverlay"="C:\core\utils\MRLOverlay.exe" [06/20/2007 03:33 PM]
"runner1"="C:\WINDOWS\mrofinu77.exe" []
"troy44"="C:\WINDOWS\troy44.exe" [12/19/2007 05:05 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [02/22/2005 07:55 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/03/2004 11:56 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"My Computer"=C:\core\install\apps\MYComputer\MYComputer.EXE

C:\Documents and Settings\aitha\Start Menu\Programs\Startup\
Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [12/30/2007 12:27:54 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [10/13/2006 11:24:39 AM]
Program Neighborhood Agent.lnk - C:\WINDOWS\Installer\{E89956F9-5B89-470E-818D-BD46102D0A01}\Icon80951CEC.exe.20FBBF0A_A7E5_4BDE_9798_9811C3D135AC.exe [10/26/2007 7:55:33 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoInstrumentation"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"NoMSAppLogo5ChannelNotify"=1 (0x1)
"NoToolbarCustomize"=0 (0x0)
"NoBandCustomize"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=1 (0x1)
"NoResolveSearch"=1 (0x1)
"NoResolveTrack"=1 (0x1)
"NoInstrumentation"=0 (0x0)
"NoStartMenuMFUprogramsList"=0 (0x0)
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Media"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=2 (0x2)
"SpecifyDefaultButtons"=1 (0x1)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)
"Btn_PrintPreview"=0 (0x0)
"NoInternetIcon"=0 (0x0)
"NoDesktop"=0 (0x0)
"NoFavoritesMenu"=0 (0x0)
"NoFind"=0 (0x0)
"NoRun"=0 (0x0)
"NoSetActiveDesktop"=0 (0x0)
"NoChangeStartMenu"=0 (0x0)
"NoFolderOptions"=0 (0x0)
"NoRecentDocsMenu"=0 (0x0)
"NoRecentDocsHistory"=0 (0x0)
"ClearRecentDocsOnExit"=0 (0x0)
"NoLogoff"=0 (0x0)
"NoClose"=0 (0x0)
"NoSetFolders"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoTrayContextMenu"=0 (0x0)
"NoFileMenu"=0 (0x0)
"EnforceShellExtensionSecurity"=0 (0x0)
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoNetConnectDisconnect"=0 (0x0)
"NoDeletePrinter"=0 (0x0)
"NoAddPrinter"=0 (0x0)
"NoPrinterTabs"=0 (0x0)
"NoStartMenuMyMusic"=1 (0x1)
"NoSMMyPictures"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"= shdocvw.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 01:55 PM 77824]
"{2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73}"= C:\WINDOWS\system32\rqrrpoo.dll [12/30/2007 12:22 PM 39936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 02/03/2005 12:37 PM 24673 C:\WINDOWS\system32\ckpNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 10/02/2007 03:51 PM 75064 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrpoo]
rqrrpoo.dll 12/30/2007 12:22 PM 39936 C:\WINDOWS\system32\rqrrpoo.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\iifee.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-6776287-1952083785-2110791508-330005\Scripts\Logon\0\0]
"Script"=MerckLS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-6776287-1952083785-2110791508-66233\Scripts\Logon\0\0]
"Script"=MerckLS.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a72a449-a403-11dc-9ddf-000ff84f194a}]
AutoRun\command- F:\PCConnect.exe




-- End of Deckard's System Scanner: finished at 2007-12-30 19:25:09 ------------
  • 0

#7
itstime4me
Posted 30 December 2007 - 06:27 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1600MHz
Percentage of Memory in Use: 33%
Physical Memory (total/avail): 1535.36 MiB / 1024.03 MiB
Pagefile Memory (total/avail): 2155.67 MiB / 1812.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1925 MiB

C: is Fixed (NTFS) - 37.26 GiB total, 25.22 GiB free.
D: is CDROM (No Media)
J: is Network (Unformatted)
S: is Network (Unformatted)
U: is Network (Unformatted)
Y: is Network (Unformatted)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4025GAS - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

AV: Symantec AntiVirus Corporate Edition v10.0.2.2021 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\aitha\Application Data
CLASSPATH=C:\Program Files\Documentum\dctm.jar;C:\Documentum\Config
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=USBLMR62974
ComSpec=C:\WINDOWS\system32\cmd.exe
DeployShare=\\uswpsm0401\ecorexp
ECOREXP=YES
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\aitha
HOMESHARE=\\ushome02\aitha
LOGONSERVER=\\CNHKDC1100V
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Internet Explorer;;C:\Program Files\Reflection;C:\oracle\ora_client\bin;C:\Program Files\Oracle\jre\1.1.8\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\Hummingbird\Connectivity\7.11\Accessories\;C:\Program Files\Documentum\Shared\;C:\Program Files\RSA Security\RSA SecurID Software Token\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PathOracleBackup=C:\oracle\Ora_Client\jre\1.4.2\bin\client;C:\oracle\Ora_Client\jre\1.4.2\bin;C:\oracle\ora_client\bin;C:\Program Files\Oracle\jre\1.3.1\bin;C:\Program Files\Oracle\jre\1.1.8\bin;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\aitha\LOCALS~1\Temp
TMP=C:\DOCUME~1\aitha\LOCALS~1\Temp
USERDNSDOMAIN=MERCK.COM
USERDOMAIN=NORTHAMERICA
USERNAME=aitha
USERPROFILE=C:\Documents and Settings\aitha
WF_RESOURCES=C:\oracle\ora_client\WF\RES\WFus.RES
windir=C:\WINDOWS
_LDC=mrllogon


-- User Profiles ---------------------------------------------------------------

AdminProfCopy (new local, admin)
Administrator (admin)
deteau (new local, admin, net ready)
ugpcsc (new local, admin, net ready)
goelg (new local, admin, net ready)
aitha (admin)
hartmam (new local, admin, net ready)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 7.0.7 Professional --> msiexec /I {AC76BA86-1033-0000-7760-100000000002}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{786547F9-59BB-4FA3-B2D8-327FF1F14870}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Agere Systems AC'97 Modem --> agrsmdel
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Check Point VPN-1 SecureClient NG_AI_R56 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FCF2FC0-8268-11D4-A313-0006290D766E}\setup.exe" ADD_REMOVE
Cisco Aironet Installation Wizard --> C:\WINDOWS\Cisco\DInstall\IWSetup.exe /cp
Citrix Presentation Server Client --> MsiExec.exe /I{E89956F9-5B89-470E-818D-BD46102D0A01}
Compaq Easy Access Buttons 3.00 B3 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\EAB\Uninst.isu" -c"C:\Program Files\Compaq\EAB\EABINST.DLL"
Compaq HotKey Support Software --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Compaq\Hotkey Software\Uninst.isu" -c"C:\Program Files\Compaq\Hotkey Software\uninst.dll"
Compatibility Pack for the 2007 Office system --> MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Diagnostics for Windows --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1881AE03-2BD4-11D4-86BF-00508B10AA88}\setup.exe" UNINSTALL
EAB Settings for Compaq N610 & N410 --> C:\UNWISE.EXE C:\INSTALL.LOG
eRoom 7 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\eRoom 7\Uninst.isu" -c"C:\Program Files\eRoom 7\eRClientUninstall.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Intel® PRO Ethernet Adapter and Software --> Prounstl.exe
InterVideo WinDVD --> "C:\Program Files\InstallShield Installation Information\{98E8A2EF-4EAE-43B8-A172-74842B764777}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 11 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150110}
Java 2 Runtime Environment Standard Edition v1.3.1_19 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68249B7A-B714-11D7-88E8-0050DA21757E}\Setup.exe" -uninst
Java 2 Runtime Environment, SE v1.4.2_13 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142130}
LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Visio Viewer 2003 (English) --> MsiExec.exe /I{90520409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
ODWeb Plug-in --> C:\WINDOWS\ODPNunst\Odwsetup\UNWISE.EXE /Z /U C:\WINDOWS\ODPNunst\Odwsetup\INSTODW.LOG
RSA SecurID Software Token --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{432DDCA6-5CF6-4F02-93D3-BD78E327DA66}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe"
Spruce --> "C:\Program Files\Spruce\un_SpruceSetup_17737.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Symantec AntiVirus --> MsiExec.exe /I{46B63F23-2B4A-4525-A827-688026BE5E40}
Synaptics TouchPad --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Messenger 5.1 --> MsiExec.exe /I{A433AE09-2126-4dad-9CBD-C1B05DC42787}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type4373 / Error
Event Submitted/Written: 12/30/2007 06:21:27 PM
Event ID/Source: 15 / AutoEnrollment
Event Description:
Automatic certificate enrollment for NORTHAMERICA\aitha failed to contact the active directory (0x8007054b). The specified domain either does not exist or could not be contacted.
Enrollment will not be performed.

Event Record #/Type4372 / Error
Event Submitted/Written: 12/30/2007 06:20:06 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4368 / Error
Event Submitted/Written: 12/30/2007 06:19:10 PM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.

Event Record #/Type4360 / Warning
Event Submitted/Written: 12/30/2007 06:09:29 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 25 files inside C:\Documents and Settings\ugpcsc\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\Quarantine\Quarantine - 11-19-2007 - 10-34-16.SBU due to extraction errors encountered by the Decomposer Engines.

Event Record #/Type4359 / Warning
Event Submitted/Written: 12/30/2007 06:08:32 PM
Event ID/Source: 6 / Symantec AntiVirus
Event Description:
Could not scan 83 files inside C:\Documents and Settings\aitha\My Documents\UAT3.zip due to extraction errors encountered by the Decomposer Engines.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type17777 / Error
Event Submitted/Written: 12/30/2007 07:25:06 PM
Event ID/Source: 29 / W32Time
Event Description:
The time provider NtpClient is configured to acquire time from one or more
time sources, however none of the sources are currently accessible.
No attempt to contact a source will be made for 1 minutes.
NtpClient has no source of accurate time.

Event Record #/Type17776 / Warning
Event Submitted/Written: 12/30/2007 07:25:06 PM
Event ID/Source: 14 / W32Time
Event Description:
The time provider NtpClient was unable to find a domain controller to use as a time
source. NtpClient will try again in 60 minutes.

Event Record #/Type17769 / Error
Event Submitted/Written: 12/30/2007 06:59:15 PM
Event ID/Source: 1 / FW1
Event Description:
FW1: -->f bit category 6

Event Record #/Type17768 / Error
Event Submitted/Written: 12/30/2007 06:59:15 PM
Event ID/Source: 1 / FW1
Event Description:
FW1: FW-1: fwconn_get_bits: failed to get bit value o-->

Event Record #/Type17767 / Error
Event Submitted/Written: 12/30/2007 06:59:15 PM
Event ID/Source: 1 / FW1
Event Description:
FW1: -->ookup failed (19)



-- End of Deckard's System Scanner: finished at 2007-12-30 19:25:09 ------------
  • 0

#8
sarahw
Posted 30 December 2007 - 07:02 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
  • 0

#9
itstime4me
Posted 30 December 2007 - 08:42 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi After Vundo Fix....
This is the Hijack this Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:41:53 PM, on 12/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora_client\bin\omtsreco.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\troy44.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Spruce\X_Spruce.exe
C:\Program Files\Citrix\ICA Client\PNAMain.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Merck & Co., Inc.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webconfig.mer...om/merckie6.ins
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CurrentUserRegistryUpdate] C:\core\local\CurrentUserRegistryUpdate.EXE
O4 - HKLM\..\Run: [MRLOverlay] C:\core\utils\MRLOverlay.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9
B1894E754BE54C29159A7DBE80DC744B6CDE3F516CAC59B6
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - .DEFAULT User Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: Keyflow ProForms Client - file://C:\PROGRA~1\GLOBAL~1\KEYFLO~1\Program\KEYFLO~1.CAB
O16 - DPF: {38229E67-8867-418B-8AFC-2E0E68E99478} (Merck.WebInstall) - http://softwareondem...allui/Merck.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} (Java Plug-in 1.3.1_16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = merck.com
O17 - HKLM\Software\..\Telephony: DomainName = merck.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = merck.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, a division of EMC. - C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora_client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown owner - C:\oracle\ora_client\BIN\ONRSD.EXE
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9209 bytes
  • 0

#10
itstime4me
Posted 30 December 2007 - 08:43 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
This is the Vundo Fix Log


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:19:37 PM 12/30/2007

Listing files found while scanning....

C:\windows\system32\aylncuhj.dllbox
C:\WINDOWS\system32\eefii.ini
C:\WINDOWS\system32\eefii.ini2
C:\WINDOWS\system32\iifee.dll
C:\WINDOWS\system32\rqrrpoo.dll
C:\WINDOWS\system32\wwlbypmm.dll

Beginning removal...

Attempting to delete C:\windows\system32\aylncuhj.dllbox
C:\windows\system32\aylncuhj.dllbox Has been deleted!

Attempting to delete C:\WINDOWS\system32\eefii.ini
C:\WINDOWS\system32\eefii.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\eefii.ini2
C:\WINDOWS\system32\eefii.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifee.dll
C:\WINDOWS\system32\iifee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqrrpoo.dll
C:\WINDOWS\system32\rqrrpoo.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\wwlbypmm.dll
C:\WINDOWS\system32\wwlbypmm.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqrrpoo.dll
C:\WINDOWS\system32\rqrrpoo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:54:56 PM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\rqrrpoo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqrrpoo.dll
C:\WINDOWS\system32\rqrrpoo.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqrrpoo.dll
C:\WINDOWS\system32\rqrrpoo.dll Could not be deleted.

Performing Repairs to the registry.
Done!
  • 0

#11
sarahw
Posted 30 December 2007 - 08:51 PM

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#12
itstime4me
Posted 30 December 2007 - 09:24 PM

itstime4me

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi !!!

This is the latest Hijack this Log after the combofix.exe
Thanks a lot for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:21, on 2007-12-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\oracle\ora_client\bin\omtsreco.exe
C:\Program Files\Reflection\rtsserv.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Distillr\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\WINDOWS\troy44.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.merck.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://webconfig.mer...om/merckie6.ins
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FCB080-4452-4F83-87D9-646298607D22} - C:\WINDOWS\system32\iifee.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [CurrentUserRegistryUpdate] C:\core\local\CurrentUserRegistryUpdate.EXE
O4 - HKLM\..\Run: [MRLOverlay] C:\core\utils\MRLOverlay.exe
O4 - HKLM\..\Run: [troy44] C:\WINDOWS\troy44.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [My Computer] C:\core\install\apps\MYComputer\MYComputer.EXE
O4 - .DEFAULT User Startup: Monitor My eRooms (V7).lnk = C:\Program Files\eRoom 7\ERClient7.exe (User 'Default user')
O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Program Neighborhood Agent.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .rx: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O12 - Plugin for .rxc: C:\Program Files\Internet Explorer\Plugins\iewrqxrx.dll
O14 - IERESET.INF: START_PAGE_URL=http://my.merck.com
O16 - DPF: Keyflow ProForms Client - file://C:\PROGRA~1\GLOBAL~1\KEYFLO~1\Program\KEYFLO~1.CAB
O16 - DPF: {38229E67-8867-418B-8AFC-2E0E68E99478} (Merck.WebInstall) - http://softwareondem...allui/Merck.CAB
O16 - DPF: {CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA} (Java Plug-in 1.3.1_16) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = merck.com
O17 - HKLM\Software\..\Telephony: DomainName = merck.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = merck.com
O18 - Protocol: qcom - {B8DBD265-42C3-43E6-B439-E968C71984C6} - C:\PROGRA~1\COMMON~1\QUESTS~1\CODEXP~1\qcom.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Documentum Desktop Component Installer - Documentum, a division of EMC. - C:\Program Files\Documentum\Shared\DcComponentInstaller.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora_client\bin\omtsreco.exe
O23 - Service: OracleOra_Client_HomeClientCache - Unknown owner - C:\oracle\ora_client\BIN\ONRSD.EXE
O23 - Service: Reflection TimeSync - WRQ, Inc. - C:\Program Files\Reflection\rtsserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9327 bytes
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP