Logfile of HijackThis v1.99.1
Scan saved at 8:45:37 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
E:\SPROTECT\SpntSvc.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\tcpsvcs.exe
E:\SPROTECT\EarthAgent.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
E:\OfficeScan\PCCSRV\web\service\ofcservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
C:\WINNT\System32\CpqRcmc.exe
C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\sysdown.exe
C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cpqteam.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\rundll32.exe
C:\Documents and Settings\Administrator\Desktop\2000\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://hot-searches....h.php?v=6&aff=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hot-searches....x.php?v=6&aff=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINNT\System32\SEARCH~1.DLL
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts
O1 - Hosts: 82.179.166.164 lender-search.com
O1 - Hosts: 82.179.166.165 hot-searches.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Microsoft AntiSpyware helper - {DD51DCD2-F8D5-41C7-9B67-54BCDFE38F91} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {DD51DCD2-F8D5-41C7-9B67-54BCDFE38F91} - (no file) (HKCU)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = JFK.com
O17 - HKLM\System\CS2\Services\Tcpip\..\{0E1B4D50-EF13-4DAB-BB1B-33F6F5D18131}: NameServer = 10.146.40.2
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O18 - Filter: text/html - {4F7681E5-6CAF-478D-9CB8-4CA593BEE7FB} - C:\WINNT\system32\xplugin.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - C:\Program Files\APC\PowerChute Business Edition\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - C:\Program Files\APC\PowerChute Business Edition\server\pbeserver.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINNT\System32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Compaq Remote Monitor Service (CpqRcmc) - Compaq - C:\WINNT\System32\CpqRcmc.exe
O23 - Service: Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\Compaq\vcagent\vcagent.exe
O23 - Service: Web Agent (CpqWebMgmt) - HP Corporation - C:\WINNT\System32\CPQMgmt\cpqwmgmt.exe
O23 - Service: Foundation Agent (CqMgHost) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINNT\System32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Trend ServerProtect Agent (EarthAgent) - Trend Micro Inc. - E:\SPROTECT\EarthAgent.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: FairCom Server - Unknown owner - g:\faircom\ctsrvr.exe
O23 - Service: OfficeScan Master Service (ofcservice) - Trend Micro Inc. - E:\OfficeScan\PCCSRV\web\service\ofcservice.exe
O23 - Service: Trend ServerProtect (SpntSvc) - Trend Micro Inc. - E:\SPROTECT\SpntSvc.exe
O23 - Service: Surveyor - Hewlett-Packard Development Group, L.P. - C:\compaq\survey\Surveyor.EXE
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\System32\sysdown.exe
ACTIVESCAN LOG
Incident Status Location
Adware:Adware/XPlugin No disinfected C:\WINNT\nsdb
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Adware:Adware/Hotoffers No disinfected C:\WINNT\system32\SEARCHDLL.DLL
Adware:Adware/Admess No disinfected C:\WINNT\system32\TCPService2.exe
Virus:Trj/Agent.OM Disinfected C:\!Submit\wp.exe
Virus:Trj/Dropper.FW Disinfected C:\Documents and Settings\Administrator\Desktop\2000\uninstall.exe
Virus:Trj/Downloader.BQS Disinfected C:\Program Files\Internet Explorer\xcifyrsn.exe
Adware:Adware/XPlugin No disinfected C:\WINNT\Downloaded Program Files\file.exe
Virus:Trj/Downloader.BCK Disinfected C:\WINNT\system32\searchdll.dll
Adware:Adware/Admess No disinfected C:\WINNT\system32\TCPService2.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\uc1362.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\ucsi.exe
Adware:Adware/Admess No disinfected C:\WINNT\system32\ucsl.exe
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Virus:Trj/StartPage.I Disinfected C:\WINNT\update13.js