Logfile of HijackThis v1.99.1
Scan saved at 8:48:47 PM, on 11/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Browser mouse\1.2\mouse32a.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe
O4 - HKLM\..\Run: [FLMBROWSERMOUSE] C:\Program Files\Browser mouse\1.2\mouse32a.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Pop up Blocker] "C:\Program Files\Pop up Blocker\pd.exe" Minimize
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PD - {CFA68635-9AE4-4D4D-B9A7-F2F11447CD2C} - C:\Program Files\Pop up Blocker\pd.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
********
7:59 PM: | Start of Session, Sunday, November 20, 2005 |
7:59 PM: Spy Sweeper started
7:59 PM: Sweep initiated using definitions version 574
8:00 PM: Starting Memory Sweep
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: Found Adware: icannnews
8:01 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
8:01 PM: Detected running threat: C:\WINDOWS\system32\enl6l13s1.dll (ID = 83)
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:02 PM: Detected running threat: C:\WINDOWS\system32\mpcsubs.dll (ID = 83)
8:02 PM: Memory Sweep Complete, Elapsed Time: 00:02:49
8:02 PM: Starting Registry Sweep
8:03 PM: Found Adware: dialerplatform
8:03 PM: HKLM\software\ptssa\ (2 subtraces) (ID = 125166)
8:03 PM: Found Adware: purityscan
8:03 PM: HKCR\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137348)
8:03 PM: HKCR\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137349)
8:03 PM: HKLM\software\classes\interface\{3517fb25-305d-4012-b531-186e3851e7ed}\ (8 subtraces) (ID = 137678)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\ (8 subtraces) (ID = 137679)
8:03 PM: HKLM\software\classes\interface\{4781daa6-4de5-47a1-b02a-945f0d017a9e}\typelib\ (2 subtraces) (ID = 137680)
8:03 PM: HKLM\software\classes\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 137687)
8:03 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/mediaticketsinstaller.ocx\ (2 subtraces) (ID = 137986)
8:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\mediaticketsinstaller.ocx (ID = 139077)
8:03 PM: HKCR\typelib\{5530d356-0063-41b9-b20d-e9d799e8d907}\ (9 subtraces) (ID = 139091)
8:03 PM: Found Trojan Horse: trojan-backdoor-5sec
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0656a137-b161-cadd-9777-e37a75727e78} (ID = 144013)
8:03 PM: Found Trojan Horse: trojan-downloader-chup
8:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler\ || {0211c4d9-bc71-8916-38ad-9dea5d213614} (ID = 144455)
8:03 PM: Found Trojan Horse: trojan-downloader-procounter.biz
8:03 PM: HKLM\system\currentcontrolset\services\moto\ || imagepath (ID = 383423)
8:03 PM: Found Trojan Horse: trojan-backdoor-zubox
8:03 PM: HKCR\acpi.acpi.1\ (3 subtraces) (ID = 484081)
8:03 PM: HKCR\acpi.acpi.1\clsid\ (1 subtraces) (ID = 484083)
8:03 PM: HKCR\acpi.ext\ (5 subtraces) (ID = 484085)
8:03 PM: HKCR\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484093)
8:03 PM: HKCR\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484124)
8:03 PM: HKLM\software\classes\acpi.acpi.1\ (3 subtraces) (ID = 484140)
8:03 PM: HKLM\software\classes\acpi.ext\ (5 subtraces) (ID = 484144)
8:03 PM: HKLM\software\classes\*\shellex\contextmenuhandlers\sysacpildap\ (1 subtraces) (ID = 484152)
8:03 PM: HKLM\software\classes\typelib\{5e2121e1-0300-11d4-8d3b-444553540000}\ (9 subtraces) (ID = 484210)
8:03 PM: Found Adware: mirinda
8:03 PM: HKCR\clsid\{7a1693a1-afaf-4f1e-9b05-eec38a85fbf3}\ (4 subtraces) (ID = 501125)
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:03 PM: HKLM\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list\ || c:\windows\tool1.exe (ID = 890587)
8:03 PM: Found Adware: spysheriff
8:03 PM: HKU\WRSS_Profile_S-1-5-21-2000478354-1532298954-682003330-500\software\spysheriff\ (ID = 142125)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\classes\clsid\{0211c4d9-bc71-8916-38ad-9dea5d213614}\ (3 subtraces) (ID = 144454)
8:03 PM: Found Trojan Horse: trojan-downloader-moneymind
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\xjado\ (1 subtraces) (ID = 144725)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\ (4 subtraces) (ID = 480808)
8:03 PM: HKU\S-1-5-21-2000478354-1532298954-682003330-1003\software\mzs\mdms\mzu\ || pt (ID = 656825)
8:03 PM: Registry Sweep Complete, Elapsed Time: 00:00:28
8:03 PM: Starting Cookie Sweep
8:03 PM: Found Spy Cookie: yieldmanager cookie
8:03 PM: titanium [email protected][2].txt (ID = 3751)
8:03 PM: Found Spy Cookie: adecn cookie
8:03 PM: titanium phoenix@adecn[1].txt (ID = 2063)
8:03 PM: Found Spy Cookie: adknowledge cookie
8:03 PM: titanium phoenix@adknowledge[2].txt (ID = 2072)
8:03 PM: Found Spy Cookie: hbmediapro cookie
8:03 PM: titanium [email protected][2].txt (ID = 2768)
8:03 PM: Found Spy Cookie: specificclick.com cookie
8:03 PM: titanium [email protected][1].txt (ID = 3400)
8:03 PM: Found Spy Cookie: addynamix cookie
8:03 PM: titanium [email protected][1].txt (ID = 2062)
8:03 PM: Found Spy Cookie: ask cookie
8:03 PM: titanium phoenix@ask[1].txt (ID = 2245)
8:03 PM: Found Spy Cookie: azjmp cookie
8:03 PM: titanium phoenix@azjmp[2].txt (ID = 2270)