HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 11:55:29 AM, on 7/7/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cusrvc.exe
C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\hidserv.exe
C:\WINNT\system32\NALNTSRV.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\wm.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\NOVELL\ZENRC\wuser32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
H:\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
E:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINNT\system32\dpmw32.exe
H:\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\system32\NWTRAY.EXE
H:\HP\HP Software Update\HPWuSchd2.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\hukujn.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
H:\HP\Digital Imaging\bin\hpqtra08.exe
H:\Program Files\Trillian\trillian.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\PeDevice\PeDev.exe
C:\PROGRA~1\WinZip\winzip32.exe
H:\exe's\Spy Ware Stuff\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: PEDEV_IEListener Class - {E1412445-4FF8-410e-8D24-F2CF86B171A4} - C:\Program Files\PeDevice\PeDev.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - E:\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [ProDsl.exe] ProDsl.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] H:\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [zBrowser Launcher] E:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\system32\dpmw32.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [HP Software Update] H:\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [exp.exe] C:\WINNT\system32\exp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\system32\hukujn.exe reg_run
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Trillian.lnk = H:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = E:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: U.S. Bancorp - VPN Client 4.0.4.lnk = C:\Program Files\USBancorp\USBancorp VPN Client\vpngui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://E:\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://E:\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://E:\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://E:\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: RemindU - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: RemindU - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\topMoxie\TEMP\upromise_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Transaction Management - https://tmm6.care.us...com/Tmm/Tmm.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {335C8923-2DCC-4966-BF36-36C2277D4598} (Siebel Option Pack for IE 7.5.3) - http://prod.commerci...lOptionPack.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} -
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-mo.../cabs/alien.cab
O16 - DPF: {7B461720-5910-45A3-B617-3B53A972F209} (Pixami-PhotoWorks Upload UI Control) - http://services.phot...SFWUploader.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft...tail/DASAct.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one...ransferCtrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} -
O20 - Winlogon Notify: CSCSettings - C:\WINNT\system32\CTMCAT.DLL
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINNT\system32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\USBancorp\USBancorp VPN Client\cvpnd.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINNT\system32\NALNTSRV.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\KODAK\KODAK Picture Transfer Software\PTSsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINNT\system32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: ZipToA - Unknown owner - C:\WINNT\System32\ZipToA.exe (file missing)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:32:10 AM, 7/7/2005
+ Report-Checksum: CD560EB
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Applications\STC.exe -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Applications\STC.exe\shell -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8940E505-72C6-44DE-BE85-1D746780EFBF} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\motoin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1202660629-725345543-839522115-500\Software\Mvu -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\RFSMAN.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\zxib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINNT\system32\rYsauto.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\SWRT01.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINNT\mqctdyqy.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1015.dll -> Spyware.Browsertoolbar : Cleaned with backup
C:\WINNT\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINNT\tdtb.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINNT\ISNSYS.dll -> TrojanSpy.Justin : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca : Cleaned with backup
C:\WINNT\mm15201518.Stub.exe -> Adware.eZula : Cleaned with backup
C:\WINNT\_MSRSTRT.EXE -> Not-A-Virus.Tool.Reboot : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
::Report End
Panda
Incident Status Location
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ncecpop.dll
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\hukujn.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\Program Files\stc
Adware:Adware/SAHAgent No disinfected C:\WINNT\unstall.exe
Adware:Adware/BookedSpace No disinfected C:\WINNT\bsx32
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\InnerVBInstall.log
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvm*.dll
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\Lycos
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/ImGiant No disinfected C:\Program Files\joystick networks
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\wyqya.dat
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ncecpop.dll
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\hukujn.exe
Virus:Trj/Downloader.DKB Disinfected C:\WINNT\system32\dqcqnrn.exe
Adware:Adware/AdBehavior No disinfected C:\WINNT\system32\ivrvw.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERVBINSTALL.LOG
Adware:Adware/Look2Me No disinfected C:\WINNT\system\UpdInst.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\Downloaded Program Files\m67m.inf
Adware:Adware/ImGiant No disinfected C:\WINNT\myurlff.exe
Spyware:Spyware/Media-motor No disinfected C:\WINNT\unstall.exe
Adware:Adware/AdBehavior No disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rcdc.exe
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmcwrd.dll
Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\ADMINISTRATOR\Application Data\tvmknwrd.dll
Adware:Adware/VirtualBouncer No disinfected C:\myPcsearch.exe
Thanks - Kat