********
4:48 PM: | Start of Session, Saturday, October 29, 2005 |
4:48 PM: Spy Sweeper started
4:48 PM: Sweep initiated using definitions version 564
4:48 PM: Starting Memory Sweep
4:49 PM: Found Adware: virtumonde
4:49 PM: Detected running threat: C:\WINDOWS\SYSTEM32\jkhhh.dll (ID = 77)
4:49 PM: Detected running threat: C:\WINDOWS\SYSTEM32\mlljh.dll (ID = 77)
4:51 PM: Memory Sweep Complete, Elapsed Time: 00:02:50
4:51 PM: Starting Registry Sweep
4:51 PM: Found Adware: delfin
4:51 PM: HKLM\software\dsi\ (2 subtraces) (ID = 124852)
4:51 PM: Found Adware: subsearch
4:51 PM: HKCR\interface\{5a4e1627-8677-41f7-b78c-4cacdf5b12ff}\ (8 subtraces) (ID = 143047)
4:51 PM: HKCR\interface\{47d8f3a0-c511-4d91-a963-f00dddee4e49}\ (8 subtraces) (ID = 143049)
4:51 PM: HKLM\software\classes\interface\{5a4e1627-8677-41f7-b78c-4cacdf5b12ff}\ (8 subtraces) (ID = 143075)
4:51 PM: HKLM\software\classes\interface\{47d8f3a0-c511-4d91-a963-f00dddee4e49}\ (8 subtraces) (ID = 143077)
4:51 PM: Found Adware: wildmedia
4:51 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
4:51 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
4:51 PM: Found Adware: cws-aboutblank
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:51 PM: Found Adware: cws_ns3
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121295)
4:51 PM: Found Adware: ebates money maker
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
4:51 PM: Found Adware: ie driver
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
4:51 PM: Found Adware: drsnsrch.com hijack
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:52 PM: Found Adware: bho_sep
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\sep\ (9 subtraces) (ID = 141642)
4:52 PM: Found Trojan Horse: trojan-downloader-domcom
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\down\ (1 subtraces) (ID = 144517)
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:52 PM: Registry Sweep Complete, Elapsed Time:00:00:20
4:52 PM: Starting Cookie Sweep
4:52 PM: Found Spy Cookie: yieldmanager cookie
4:52 PM: jason [email protected][2].txt (ID = 3751)
4:52 PM: Found Spy Cookie: adknowledge cookie
4:52 PM: jason aron@adknowledge[2].txt (ID = 2072)
4:52 PM: Found Spy Cookie: adrevolver cookie
4:52 PM: jason aron@adrevolver[2].txt (ID = 2088)
4:52 PM: jason aron@adrevolver[3].txt (ID = 2088)
4:52 PM: Found Spy Cookie: falkag cookie
4:52 PM: jason [email protected][2].txt (ID = 2650)
4:52 PM: Found Spy Cookie: ask cookie
4:52 PM: jason aron@ask[1].txt (ID = 2245)
4:52 PM: Found Spy Cookie: belnk cookie
4:52 PM: jason [email protected][2].txt (ID = 2293)
4:52 PM: Found Spy Cookie: banner cookie
4:52 PM: jason aron@banner[2].txt (ID = 2276)
4:52 PM: jason aron@belnk[2].txt (ID = 2292)
4:52 PM: Found Spy Cookie: casalemedia cookie
4:52 PM: jason aron@casalemedia[1].txt (ID = 2354)
4:52 PM: jason [email protected][1].txt (ID = 2293)
4:52 PM: Found Spy Cookie: ru4 cookie
4:52 PM: jason [email protected][2].txt (ID = 3269)
4:52 PM: Found Spy Cookie: fortunecity cookie
4:52 PM: jason aron@fortunecity[2].txt (ID = 2686)
4:52 PM: Found Spy Cookie: maxserving cookie
4:52 PM: jason aron@maxserving[2].txt (ID = 2966)
4:52 PM: Found Spy Cookie: realmedia cookie
4:52 PM: jason aron@realmedia[1].txt (ID = 3235)
4:52 PM: Found Spy Cookie: serving-sys cookie
4:52 PM: jason aron@serving-sys[1].txt (ID = 3343)
4:52 PM: Found Spy Cookie: tradedoubler cookie
4:52 PM: jason aron@tradedoubler[1].txt (ID = 3575)
4:52 PM: Found Spy Cookie: trafficmp cookie
4:52 PM: jason aron@trafficmp[2].txt (ID = 3581)
4:52 PM: Found Spy Cookie: tribalfusion cookie
4:52 PM: jason aron@tribalfusion[1].txt (ID = 3589)
4:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
4:52 PM: Starting File Sweep
4:52 PM: c:\documents and settings\all users\application data\ieservice (2 subtraces) (ID = -2147480200)
4:52 PM: c:\documents and settings\all users\application data\pcsvc (1 subtraces) (ID = -2147481135)
4:52 PM: c:\program files\common files\dpi (ID = -2147481129)
4:52 PM: Found Adware: coolwebsearch (cws)
4:52 PM: c:\documents and settings\jason aron\application data\winds_24 (ID = -2147481201)
5:10 PM: Found Adware: mds search booster
5:10 PM: a0129072.dll (ID = 69318)
5:10 PM: Found Trojan Horse: trojan-downloader-cat
5:10 PM: paydial.exe (ID = 80292)
5:11 PM: Warning: Failed to read file "c:\windows\inf\brmfcmf.pnf". Data error (cyclic redundancy check)
5:15 PM: Found Adware: purityscan
5:15 PM: mediaticketsinstaller.ocx (ID = 73162)
5:15 PM: mediaticketsinstaller.inf (ID = 73158)
5:16 PM: mediaticketsinstaller.inf (ID = 73158)
5:17 PM: mediaticketsinstaller.inf (ID = 73158)
5:17 PM: Found Adware: java byteverify
5:17 PM: verifierbug.class-3e1f6334-477f0f7b.class (ID = 64831)
5:18 PM: mediaticketsinstaller.ocx (ID = 73162)
5:19 PM: Found Trojan Horse: topconverting downloader
5:19 PM: loader2.ocx (ID = 79617)
5:23 PM: mediaticketsinstaller.ocx (ID = 73162)
5:23 PM: Found Adware: ez-finder toolbar
5:23 PM: webdlg32.dll (ID = 60328)
5:28 PM: loader2.ocx (ID = 79617)
5:28 PM: loader2.ocx (ID = 79606)
5:28 PM: mediaticketsinstaller.ocx (ID = 73162)
5:28 PM: mstasks2.exe (ID = 54306)
5:28 PM: Found Trojan Horse: trojan_downloader_winreg
5:28 PM: toolbar.exe (ID = 81502)
5:30 PM: verifierbug.class-5297c6aa-4764879d.class (ID = 64831)
5:31 PM: noeljeda.tmp (ID = 55185)
5:31 PM: Found Adware: cws_adslim
5:31 PM: popup.html (ID = 55745)
5:36 PM: Found Adware: ipinsight
5:36 PM: conscorr.ini (ID = 64264)
5:36 PM: Found Adware: abetterinternet
5:36 PM: alchem.inf (ID = 83109)
5:36 PM: Found Adware: twain-tech
5:36 PM: polmx.inf (ID = 81856)
5:36 PM: polall1r.inf (ID = 83425)
5:36 PM: Found Adware: azsearch toolbar
5:36 PM: today's specials.url (ID = 131129)
5:36 PM: sepsd.bin (ID = 75367)
5:36 PM: conscorr.inf (ID = 64277)
5:36 PM: dummy.class-2207c494-400880b7.class (ID = 64821)
5:36 PM: webdlg32.inf (ID = 60327)
5:36 PM: winsx.inf (ID = 54632)
5:36 PM: Found Adware: shopathomeselect
5:36 PM: setup4002b.ini (ID = 75934)
5:36 PM: dummy.class-3cf36b1e-4f16f93a.class (ID = 64821)
5:36 PM: Found System Monitor: potentially rootkit-masked files
5:36 PM: 13-coheed_and_cambria-the_willing_well_ii_-_fear_through_the_eyes_of_madness-tc.mp3 (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.m3u (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.nfo (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.sfv (ID = 0)
5:36 PM: 000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(cover)-glasspane)-glasspane.jpg (ID = 0)
5:36 PM: moneen - are we really happy with who we are right now - 06 - i have never done anything for anyone that was not for me as well.mp3 (ID = 0)
5:36 PM: zolof the rock and roll destroyer - 10 - running starts will only get you faster to the place that will make you say ouch.mp3 (ID = 0)
5:36 PM: classload.jar-5b3646cb-4c5bcd90.zip (ID = 64823)
5:37 PM: loaderadv156.jar-8e3574-1d40d0b2.zip (ID = 64819)
5:37 PM: loaderadv157.jar-9c4cf5-60418d7d.zip (ID = 64819)
5:37 PM: loaderadv570.jar-573c46f6-691177b4.zip (ID = 64819)
5:37 PM: loaderadv410.jar-1818f7fb-12e18219.zip (ID = 64819)
5:37 PM: loaderadv408.jar-16d4db64-45d39e37.zip (ID = 64819)
5:37 PM: classload.jar-57df9d95-22c1e8b0.zip (ID = 64823)
5:43 PM: File Sweep Complete, Elapsed Time: 00:50:57
5:43 PM: Full Sweep has completed. Elapsed time 00:54:14
5:43 PM: Traces Found: 136
5:44 PM: Removal process initiated
5:44 PM: Quarantining All Traces: potentially rootkit-masked files
5:46 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
5:46 PM: 13-coheed_and_cambria-the_willing_well_ii_-_fear_through_the_eyes_of_madness-tc.mp3 is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.m3u is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.nfo is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.sfv is in use. It will be removed on reboot.
5:46 PM: 000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(cover)-glasspane)-glasspane.jpg is in use. It will be removed on reboot.
5:46 PM: moneen - are we really happy with who we are right now - 06 - i have never done anything for anyone that was not for me as well.mp3 is in use. It will be removed on reboot.
5:46 PM: zolof the rock and roll destroyer - 10 - running starts will only get you faster to the place that will make you say ouch.mp3 is in use. It will be removed on reboot.
5:46 PM: Quarantining All Traces: abetterinternet
5:46 PM: Quarantining All Traces: cws_ns3
5:46 PM: Quarantining All Traces: cws-aboutblank
5:46 PM: Quarantining All Traces: topconverting downloader
5:46 PM: Quarantining All Traces: trojan-downloader-cat
5:46 PM: Quarantining All Traces: trojan-downloader-domcom
5:46 PM: Quarantining All Traces: azsearch toolbar
5:46 PM: Quarantining All Traces: bho_sep
5:46 PM: Quarantining All Traces: coolwebsearch (cws)
5:46 PM: Quarantining All Traces: cws_adslim
5:46 PM: Quarantining All Traces: delfin
5:46 PM: Quarantining All Traces: drsnsrch.com hijack
5:46 PM: Quarantining All Traces: ebates money maker
5:46 PM: Quarantining All Traces: ez-finder toolbar
5:46 PM: Quarantining All Traces: ie driver
5:46 PM: Quarantining All Traces: ipinsight
5:46 PM: Quarantining All Traces: java byteverify
5:46 PM: Quarantining All Traces: mds search booster
5:46 PM: Quarantining All Traces: purityscan
5:46 PM: Quarantining All Traces: shopathomeselect
5:46 PM: Quarantining All Traces: subsearch
5:46 PM: Quarantining All Traces: trojan_downloader_winreg
5:46 PM: Quarantining All Traces: twain-tech
5:46 PM: Quarantining All Traces: virtumonde
5:46 PM: virtumonde is in use. It will be removed on reboot.
5:46 PM: C:\WINDOWS\SYSTEM32\jkhhh.dll is in use. It will be removed on reboot.
5:46 PM: C:\WINDOWS\SYSTEM32\mlljh.dll is in use. It will be removed on reboot.
5:46 PM: Quarantining All Traces: wildmedia
5:46 PM: Quarantining All Traces: adknowledge cookie
5:46 PM: Quarantining All Traces: adrevolver cookie
5:46 PM: Quarantining All Traces: ask cookie
5:46 PM: Quarantining All Traces: banner cookie
5:46 PM: Quarantining All Traces: belnk cookie
5:46 PM: Quarantining All Traces: casalemedia cookie
5:46 PM: Quarantining All Traces: falkag cookie
5:46 PM: Quarantining All Traces: fortunecity cookie
5:46 PM: Quarantining All Traces: maxserving cookie
5:46 PM: Quarantining All Traces: realmedia cookie
5:46 PM: Quarantining All Traces: ru4 cookie
5:46 PM: Quarantining All Traces: serving-sys cookie
5:46 PM: Quarantining All Traces: tradedoubler cookie
5:46 PM: Quarantining All Traces: trafficmp cookie
5:46 PM: Quarantining All Traces: tribalfusion cookie
5:46 PM: Quarantining All Traces: yieldmanager cookie
5:47 PM: Removal process completed. Elapsed time 00:02:30
********
4:47 PM: | Start of Session, Saturday, October 29, 2005 |
4:47 PM: Spy Sweeper started
4:48 PM: Your spyware definitions have been updated.
4:48 PM: | End of Session, Saturday, October 29, 2005 |
Logfile of HijackThis v1.99.1
Scan saved at 5:56:28 PM, on 10/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\fix\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\unzipped\MozillaFirebird-0.6-win32[1]\MozillaFirebird\MozillaFirebird.exe
C:\fix\Spy Sweeper\SpySweeper.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\fix\Spy Sweeper\WRSSSDK.exe