Logfile of HijackThis v1.99.1
Scan saved at 9:15:34 AM, on 12/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\crypserv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
D:\Apps\security suite\ewidoctrl.exe
D:\Apps\security suite\ewidoguard.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\Apps\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\winan.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
D:\APPS\OMNIPAGE\ocrawr32.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\system32\addej.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Jabber\Messenger\JabberMessenger.exe
C:\PROGRA~1\CA\Common\SCANEN~1\InoDist.exe
D:\Documents and Settings\qz9d2t.W2QZ9D2T01\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wzuod.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by EDS COE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://autoproxy.gm.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=internetabh.eds.com:81;gopher=internetabh.eds.com:80;http=internetabh.eds.com:80;https=internetabh.eds.com:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.eds.com; ori*.*; 164.*; 120.*; *.gm.com; *.gmeds.com;<local>
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: load=d:\apps\omnipage\ocraware.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {93145802-1A51-B7C4-038A-9D3B9341A24F} - C:\WINDOWS\msuj.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Apps\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Tivoli_Check] C:\WINDOWS\COE\Tivoli\Tiv_Run.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HWINV2K] C:\Em\Bin\Tivoli_EM\HwInv2K.exe
O4 - HKLM\..\Run: [SwdisUsrPCN.W2QZ9D2T01] "C:\em\opt\Tivoli\lcf\dat\1\cache\lib\w32-ix86\wdusrpcn.exe" "C:\em\opt\Tivoli\swdis\1\wdusrpcn.env"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\Integrity Client\iclient.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [EMFINV] C:\Program Files\Eds\EmfInv\emfinv.exe
O4 - HKLM\..\Run: [PDUiP6000DMon] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMon.exe
O4 - HKLM\..\Run: [PDUiP6000DTskbr] C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DTskbr.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [WinVNC] "D:\Apps\UltraVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [nths32.exe] C:\WINDOWS\system32\nths32.exe
O4 - HKLM\..\Run: [5B.tmp] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [5B.tmp.exe] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5B.tmp.exe
O4 - HKLM\..\Run: [5C.tmp.exe] D:\DOCUME~1\QZ9D2T~1.W2Q\LOCALS~1\Temp\5C.tmp.exe
O4 - HKLM\..\Run: [addej.exe] C:\WINDOWS\system32\addej.exe
O4 - HKLM\..\Run: [THGuard] "D:\Apps\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunOnce: [winan.exe] C:\WINDOWS\winan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Jabber Messenger] C:\Program Files\Jabber\Messenger\JabberMessenger.exe -hidden
O4 - Startup: Realmon.lnk = C:\Program Files\CA\eTrust\Antivirus\Realmon.exe
O4 - Startup: VPN Dialer (OnStartup).lnk = ?
O4 - Startup: ZoneAlarm Pro.lnk = C:\Program Files\zafiles\Zone Labs\ZoneAlarm\zapro.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Apps\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://infocentre.eds.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - https://quickplace02...net.com/qp2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk....ViewerSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\Software\..\Telephony: DomainName = amer.corp.eds.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.corp.eds.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{06BBCDF7-C7EC-45AB-A886-38C6B472A1EB}: NameServer = 68.87.64.196,68.87.66.196
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\nthl32.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CIMPLICITY HMI Service (CIMPLICITY) - Unknown owner - C:\WINDOWS\System32\cimplicity.exe
O23 - Service: Crypkey License - Unknown owner - C:\WINDOWS\System32\crypserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dnWhoDisp - Unknown owner - D:\Apps\Rockwell Software\RSLINX\dnwhodisp.exe
O23 - Service: EGD Service - Unknown owner - C:\WINDOWS\egdservice.exe
O23 - Service: ewido security suite control - ewido networks - D:\Apps\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Apps\security suite\ewidoguard.exe
O23 - Service: FirstPAGE Server (FirstPAGEServer) - NETCON Technologies Incorporated - London, Ontario, Canada - d:\Apps\CIMPLICITY\HMI\PAGER\EXE\fpserver.exe
O23 - Service: Harmony - Rockwell Software Inc. - D:\Apps\ROCKWE~1\RSCOMMON\RSOBSERV.EXE
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\em\opt\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: OPCEnum - Unknown owner - C:\Program Files\Common Files\OPC Foundation\OPCENUM.EXE
O23 - Service: Canon PIXMA iP6000D Memory Card Manager (PDUiP6000DMemCrdMgr) - CANON INC. - C:\Program Files\Canon\Memory Card Utility\PIXMA iP6000D\PDUiP6000DMemCrdMgr.exe
O23 - Service: RSLinx - Rockwell Software, Inc. - D:\Apps\ROCKWE~1\RSLINX\RSLINX.EXE
O23 - Service: TrcBoot - IBM Corporation - C:\WINDOWS\System32\drivers\trcboot.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: CIMPLICITY WebView Service (WEBVIEW) - GE Fanuc Automation - C:\WINDOWS\System32\prowlerservice.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - D:\Apps\UltraVNC\WinVNC.exe" -service (file missing)