Win32: Adware-gen [trj]


  • This topic is locked
14 replies to this topic

#1 hikaru123

hikaru123

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:46 PM

Posted 16 February 2007 - 02:48 AM

Avast anti-virus keeps alerting about the above infection. Even after a boot scan, the problem still remains.

Logfile of HijackThis v1.99.1
Scan saved at 3:35:52 PM, on 2/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tcpx\Desktop\Anti Spyware\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\nRPqS.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
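The log above carries the one line that explains the recurring alert: the F2 entry shows the Winlogon Userinit value as `userinit.exe,c:\WINDOWS\nRPqS.exe`, so the second executable is relaunched at every logon no matter how many times the on-access scanner kills it. The following is an added example (not part of the thread, and not a HijackThis feature) of a small triage pass over HijackThis-format lines that applies the checks a helper does by eye: anything beyond the system userinit.exe in F2, orphaned O2 BHOs, O4 Run entries that name a bare executable resolved through PATH, and O23 services with an unknown owner living outside Program Files. The sample log is a constructed subset of the lines in this thread; the severity labels and the Program Files heuristic are assumptions for illustration, not rules from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the HijackThis v1.99.1 logs
# in this thread, so the triage can run offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\nRPqS.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Windows Image Acquisition (WIA - Unknown owner - C:\WINDOWS\system32\Setup\iisnet.exe
"""

# On XP the only thing that belongs in Winlogon\Userinit is the system userinit.exe.
USERINIT_OK = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$", re.I)
# Assumed heuristic: unknown-owner services under Program Files are usually a vendor
# that simply does not fill in the owner field (avast here); elsewhere they need a look.
PROGRAM_FILES = ("c:\\program files", "c:\\progra~1")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "F2", "O23"
    severity: str  # "high": known persistence hijack; "review": needs a human look
    line: str
    reason: str


def _o4_target(cmd):
    """Return the executable (or, for rundll32, the DLL) an O4 Run entry launches."""
    if cmd.startswith('"'):
        close = cmd.index('"', 1)
        exe, rest = cmd[1:close], cmd[close + 1:].strip()
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower() == "rundll32.exe":
        # rundll32 is a legitimate host; the DLL it loads is what matters
        exe = rest.split(",", 1)[0].strip().strip('"')
    return exe


def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section == "F2" and "UserInit=" in line:
            # F2 UserInit is the Winlogon\Userinit value: every comma-separated
            # entry runs at logon, before the shell, for every user
            for entry in line.split("UserInit=", 1)[1].split(","):
                entry = entry.strip()
                if entry and not USERINIT_OK.match(entry):
                    findings.append(Finding("F2", "high", line,
                                            "extra Userinit executable: " + entry))
        elif section == "O2" and line.endswith("(no file)"):
            findings.append(Finding("O2", "review", line,
                                    "BHO registration whose DLL is gone (orphan)"))
        elif section == "O4":
            m = re.search(r"\] (.*)$", line)
            if m:
                target = _o4_target(m.group(1).strip())
                if "\\" not in target:
                    # a bare name is resolved through PATH, so it is easy to plant
                    findings.append(Finding("O4", "review", line,
                                            "Run entry with bare executable name: " + target))
        elif section == "O23" and "Unknown owner" in line:
            path = line.rsplit(" - ", 1)[1]
            if not path.lower().startswith(PROGRAM_FILES):
                findings.append(Finding("O23", "review", line,
                                        "unknown-owner service outside Program Files: " + path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Run against the constructed sample this flags exactly the four entries the helper later acts on (the Userinit hijack, the orphan BHO, the bare `ALCMTR.EXE` Run entry and the `iisnet.exe` service) while leaving the NVIDIA and avast lines alone; the O4 and O23 hits are "review" rather than verdicts, which is all a log parser can honestly give.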

#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:46 PM

Posted 16 February 2007 - 07:56 AM

Welcome to bleepingcomputer hikaru123 :thumbsup:

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use the Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use the Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

Click 'Exit' on the Main menu to close the program.

***************************

Download and scan with the free 15 day trial of Counterspy
Once installed, launch Counterspy.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once Counterspy has done scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/Text document, then save it to your desktop.

***************************

Please run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols3.shtml
Follow the directions in the F-Secure page for proper installation.
Accept the License Agreement.
Once the ActiveX installs, click 'Custom Scan' and be sure the following are checked:
1. Scan whole System
2. Scan all files
3. Scan whole system for rootkits
4. Scan whole system for spyware
5. Scan inside archives
6. Use advanced heuristics
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the 'I want to decide item by item' button.
For each item found, select 'Disinfect' and click 'Next'.
Click the 'Show Report' button, then copy and paste the entire report into your next reply.

Reboot your pc when you've finished.
Post the Counterspy report, the F-Secure report, and a new Hijackthis log in your next reply.

#3 hikaru123

hikaru123
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:46 PM

Posted 17 February 2007 - 06:19 AM

Counterspy
Scan History Details
Start Date: 2/17/2007 9:48:46 AM
End Date: 2/17/2007 10:01:12 AM
Total Time: 12 Min 26 Sec
Detected security risks

3721 Chinese Keywords (CNSMin) Browser Plug-in more information...
Details: 3721 Chinese Keywords, also known as CNSMin or Adware.CDN, is keyword-lookup provider that takes over the search feature of IE's address bar. It is aimed at providing keywords using Chinese characters.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\CDNPROT


Freeprod/Toolbar888 Toolbar more information...
Details: Freeprod/Toolbar888 is an adware application that installs a Internet Explorer Toolbar and may hijack search results.
Status: Deleted

Files detected
C:\Documents and Settings\tcpx\Local Settings\Temp\nsx3.tmp\System.dll
C:\WINDOWS\Temp\nsi7.tmp\System.dll


LttLogger Key Logger more information...
Details: LttLogger is a little keylogger that logs all the keys pressed on your keyboard and saves it to a file inside the \Windows folder.
Status: Deleted

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2BF41072-B2B1-21C1-B5C1-0305F4155515}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2BF41072-B2B1-21C1-B5C1-0305F4155515}


Adware.Sogou Adware (General) more information...
Details: Adware.Sogou is an adware program that modifies the Internet Explorer home page and search page and displays advertisements.
Status: Deleted

Files detected
c:\program files\common files\CPUSH\cpush.dll
C:\PROGRAM FILES\COMMON FILES\CPUSH\Uninst.exe
C:\PROGRAM FILES\COMMON FILES\CPUSH

Registry entries detected
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{34A12A06-48C0-420D-8F11-73552EE9631A}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\InprocServer32
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\ProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\Programmable
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\TypeLib
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{CDE9EB54-A08E-4570-B748-13F5DDB5781C}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK.1
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK.1
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.POPUPBLOCK\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR.1
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR.1
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR.1\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR\CLSID
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\NEWADPOPUP.TOOLBARDETECTOR\CurVer
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\0\win32
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\FLAGS
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\Software\Classes\TYPELIB\{DE2267BD-B163-407F-9E8D-6ADEC771E7AB}\1.0\HELPDIR
HKEY_LOCAL_MACHINE\SOFTWARE\CPUSH
HKEY_LOCAL_MACHINE\SOFTWARE\CPUSH\update
HKEY_LOCAL_MACHINE\SOFTWARE\CPUSH\update
HKEY_LOCAL_MACHINE\SOFTWARE\CPUSH\update
HKEY_LOCAL_MACHINE\SOFTWARE\CPUSH
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\BROWSER HELPER OBJECTS\{11F09AFD-75AD-4E51-AB43-E09E9351CE16}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONTENTMATCH
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONTENTMATCH
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\CONTENTMATCH
HKEY_LOCAL_MACHINE\D
HKEY_LOCAL_MACHINE\D\Download
HKEY_LOCAL_MACHINE\D\Download
HKEY_LOCAL_MACHINE\D\Download


Trojan.Adclicker Trojan more information...

Registry entries detected
HKEY_LOCAL_MACHINE\D\DOWNLOAD


Adware.Adstation Adware (General) more information...
Status: Deleted

Files detected
C:\Documents and Settings\tcpx\Local Settings\Temp\LOGO.bmp


Elogger Key Logger more information...
Details: Elogger is a keylogger that logs every keystroke and sends them to a predefined e-mail address or FTP account.
Status: Deleted

Registry entries detected
HKEY_USERS\S-1-5-21-2025429265-1292428093-725345543-1003\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{2BF41072-B2B1-21C1-B5C1-0305F4155515}


Trojan-Downloader.ACF Trojan Downloader more information...
Status: Deleted

Files detected
C:\WINDOWS\028.exe


Trojan-Downloader.Agent.ASG Trojan Downloader more information...
Status: Deleted

Files detected
C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll

F-SECURE
Scanning Report
Saturday, February 17, 2007 18:15:01 - 18:57:27
Computer name: OMEGARED
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 5 malware found
Adware.BHO(generic) (spyware)
System (Disinfected)
W32/Downloader (virus)
C:\WINDOWS\system32\bd1.exe (Submitted)
W32/Malware (virus)
C:\WINDOWS\036.exe (Submitted)
Worm.Win32.Delf.bi (virus)
C:\WINDOWS\nRPqS.exe (Renamed & Submitted)
D:\nRPqS.exe (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 68633
System: 3530
Not scanned: 32
Actions:
Disinfected: 1
Renamed: 2
Deleted: 0
None: 2
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\TEMP\PERFLIB_PERFDATA_13C.DAT
C:\WINDOWS\TEMP\_AVAST4_\WEBSHLOCK.TXT
C:\WINDOWS\SYSTEM32\BIOS1.ROM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\Ad-Aware SE Default.skn
C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI\stream 19\AdAware_SE_default.ask\Ad-Aware SE Default.skn
C:\DOCUMENTS AND SETTINGS\TCPX\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\TEMP\~DFCE07.TMP
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MESSENGER\TCPX@HOTMAIL.COM\SHARINGMETADATA\PENDING.DAT
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MESSENGER\TCPX@HOTMAIL.COM\SHARINGMETADATA\WORKING\DATABASE_D4A0_3071_A030_5C64\DFSR.DB
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MESSENGER\TCPX@HOTMAIL.COM\SHARINGMETADATA\WORKING\DATABASE_D4A0_3071_A030_5C64\FSR.LOG
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MESSENGER\TCPX@HOTMAIL.COM\SHARINGMETADATA\WORKING\DATABASE_D4A0_3071_A030_5C64\FSRTMP.LOG
C:\DOCUMENTS AND SETTINGS\TCPX\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\MESSENGER\TCPX@HOTMAIL.COM\SHARINGMETADATA\WORKING\DATABASE_D4A0_3071_A030_5C64\TMP.EDB
C:\DOCUMENTS AND SETTINGS\TCPX\APPLICATION DATA\MOZILLA\FIREFOX\PROFILES\00C94HB4.DEFAULT\PARENT.LOCK
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\NETWORKSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\NTUSER.DAT
C:\DOCUMENTS AND SETTINGS\LOCALSERVICE\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\USRCLASS.DAT
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR0.DAT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\NETWORK\DOWNLOADER\QMGR1.DAT
D:\MP3\POP\DARIUS DANESH - RUSHES.MP3
D:\MP3\POP\JUSTINTIMBERLAKE - JUSTIFIED - 05 - CRY ME A RIVER.MP3
D:\MP3\ALTERNATIVE\CREED - MY SACRIFICE .MP3
D:\MP3\ALTERNATIVE\LINKIN PARK\HYBRID THEORY()\LINKIN PARK - 01 - PAPPERCUT.MP3
D:\ANIME MP3\NARUTO\HARUKA KANATA.MP3
D:\ANIME MP3\BLEACH\LIFE - YUI - [ FULL VERSION ].MP3

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-02-14
F-Secure AVP: 7.0.171, 2007-02-16
F-Secure Orion: 1.2.37, 2007-02-16
F-Secure Blacklight: 1.0.53, 0000-00-00
F-Secure Draco: 1.0.35, 0260-02-44
F-Secure Pegasus: 1.19.0, 2007-01-13
Scanning options:
Scan all files
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------


HIJACK THIS
Logfile of HijackThis v1.99.1
Scan saved at 7:12:09 PM, on 2/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\tcpx\Desktop\Anti Spyware\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\nRPqS.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: Windows Image Acquisition (WIA - Unknown owner - C:\WINDOWS\system32\Setup\iisnet.exe

Thanks, waiting for your reply :thumbsup:

#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:01:46 PM

Posted 17 February 2007 - 06:59 AM

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

Exit Hijackthis.

*************************

Please make sure all hidden files are showing:

* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.


Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\Setup\iisnet.exe
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
Go here: http://www.virustotal.com/en/virustotalf.html
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\Setup\iisnet.exe
Then click on 'Send'.
Post the results into your next reply.

*************************

Download KillBox, unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:
C:\WINDOWS\nRPqS.exe
Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot, select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

*************************

Copy and paste the following bold blue text below into Notepad.
Click on File (in the menu at the top) > Save as... Save as Type: 'All Files', File name: fix.reg, to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge it into the registry, then reboot.
==============================================
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

==============================================

Reboot, post the Jotti\Virustotal file scan results and a new Hijackthis log in your next reply.
Let me know how your pc is running now please.
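The fix.reg in the post above relies on two details of the REGEDIT4 format that are easy to get wrong by hand: `"Userinit"=-` deletes the value before the next line re-creates it, and every backslash in string data must be doubled, so the file's `C:\\WINDOWS\\system32\\userinit.exe,` becomes the single-backslash path (with Windows' own trailing comma) once merged. The following is an added example, not from the thread and not a Microsoft tool, that builds that same two-line fix with correct escaping and then applies it to a dictionary standing in for the Winlogon key, so the end state can be checked before anything touches a real registry. The hive contents are constructed from the F2 line in the logs above; the string-only .reg parser and the `userinit_extras` helper are assumptions for illustration.

```python
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"   # XP default, trailing comma included


def reg_quote(s):
    """Escape string data for a REGEDIT4 .reg file: backslashes are doubled, quotes escaped."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unquote(s):
    """Reverse reg_quote: a backslash escapes the character that follows it."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def build_fix_reg(value=DEFAULT_USERINIT, key=WINLOGON_KEY):
    """Produce the same two-step fix as the post: delete the value, then set it."""
    return 'REGEDIT4\n\n[%s]\n"Userinit"=-\n"Userinit"="%s"\n\n' % (key, reg_quote(value))


def apply_reg(reg_text, registry):
    """Apply a REGEDIT4 file to a dict-of-dicts standing in for the hive.

    Only quoted string values and "name"=- deletions are supported, which is all
    the fix needs; anything else raises so a typo cannot silently do nothing.
    """
    lines = reg_text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file")
    key = None
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            registry.setdefault(key, {})
        elif key is not None and line.startswith('"'):
            name_part, _, data = line.partition("=")
            name = reg_unquote(name_part.strip()[1:-1])
            if data == "-":
                registry[key].pop(name, None)          # "name"=- deletes the value
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                registry[key][name] = reg_unquote(data[1:-1])
            else:
                raise ValueError("unsupported value syntax: " + line)
        else:
            raise ValueError("unexpected line: " + line)
    return registry


def userinit_extras(value):
    """Everything in a Userinit value other than the system userinit.exe."""
    extras = []
    for entry in value.split(","):
        entry = entry.strip()
        if entry and not entry.lower().endswith(r"\system32\userinit.exe"):
            extras.append(entry)
    return extras


if __name__ == "__main__":
    # Constructed hive state mirroring the F2 line in the logs above
    hive = {WINLOGON_KEY: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,c:\WINDOWS\nRPqS.exe"}}
    print("before:", userinit_extras(hive[WINLOGON_KEY]["Userinit"]))
    print(build_fix_reg())
    apply_reg(build_fix_reg(), hive)
    print("after: ", repr(hive[WINLOGON_KEY]["Userinit"]), userinit_extras(hive[WINLOGON_KEY]["Userinit"]))
```

The order matters: deleting the file with KillBox first and only then resetting Userinit is the safe sequence, because a Userinit value pointing at a missing second executable is harmless, whereas a Userinit value that still names the malware keeps relaunching it. A value that is already the default is left unchanged by the fix, so it can be applied without first checking.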

#5 hikaru123

hikaru123
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  •  
  • Local time:08:46 PM

Posted 17 February 2007 - 11:42 AM

Jotti\Virustotal file scan results
Complete scanning result of "iisnet.exe", received in VirusTotal at 02.17.2007, 17:21:41 (CET).

Antivirus Version Update Result
AntiVir 7.3.1.37 02.17.2007 no virus found
Authentium 4.93.8 02.16.2007 no virus found
Avast 4.7.936.0 02.16.2007 no virus found
AVG 386 02.16.2007 no virus found
BitDefender 7.2 02.17.2007 no virus found
CAT-QuickHeal 9.00 02.16.2007 no virus found
ClamAV devel-20060426 02.17.2007 no virus found
DrWeb 4.33 02.17.2007 no virus found
eSafe 7.0.14.0 02.16.2007 no virus found
eTrust-Vet 30.4.3408 02.17.2007 no virus found
Ewido 4.0 02.17.2007 no virus found
Fortinet 2.85.0.0 02.16.2007 no virus found
F-Prot 4.2.1.29 02.16.2007 no virus found
F-Secure 6.70.13030.0 02.17.2007 no virus found
Ikarus T3.1.0.31 02.17.2007 no virus found
Kaspersky 4.0.2.24 02.17.2007 no virus found
McAfee 4965 02.16.2007 no virus found
Microsoft 1.2204 02.17.2007 no virus found
NOD32v2 2067 02.17.2007 no virus found
Norman 5.80.02 02.16.2007 no virus found
Panda 9.0.0.4 02.17.2007 no virus found
Prevx1 V2 02.17.2007 no virus found
Sophos 4.14.0 02.16.2007 no virus found
Sunbelt 2.2.907.0 02.17.2007 no virus found
Symantec 10 02.17.2007 no virus found
TheHacker 6.1.6.059 02.16.2007 no virus found
UNA 1.83 02.16.2007 no virus found
VBA32 3.11.2 02.16.2007 no virus found
VirusBuster 4.3.19:9 02.17.2007 no virus found

Additional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709



hijack this
Logfile of HijackThis v1.99.1
Scan saved at 12:36:51 AM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tcpx\Desktop\Anti Spyware\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#6 RichieUK

Posted 17 February 2007 - 12:02 PM

Your log is clean :thumbsup:
If all's OK, please do the following:

Revert the following settings back to default:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes'; your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

Please Note:
Your version of Sun Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Sun Java, and then update.
1. Download the latest version of Java Runtime Environment (JRE)
2. Scroll down to where it says 'Java Runtime Environment (JRE) 6.0'.
3. Click the "Download" button to the right.
4. Check the box that says: "Accept License Agreement".
5. The page will refresh.
6. Click on the link to download 'Windows Offline Installation, Multi-language' and save to your desktop.
7. Close any programs you may have running - especially your web browser.
8. Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
9. Check any item with Java Runtime Environment (JRE or J2SE) in the name.
10. Click the Change/Remove button.
11. Repeat as many times as necessary to remove each Java version.
12. Reboot your computer once all Java components are removed.
13. Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.

#7 hikaru123

Posted 18 February 2007 - 04:24 AM

Thanks for the advice,

But I made another scan using avast and it found Win32:Cinmus-D[Adw].

Below is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:13 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\tcpx\Desktop\Anti Spyware\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Need your advice :thumbsup:

#8 RichieUK

Posted 18 February 2007 - 05:12 AM

Launch CounterSpy again please.
Click on 'Spyware Scan', then click 'Updates' at the top right.
Once any available updates have been installed, click the 'Scan Now' button.
Save the report when it's finished:
1. Once CounterSpy has finished scanning, the 'Scan Results' box will appear.
2. Click on 'View Results'.
3. Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to 'Remove'.
4. Then click on 'Take Action'.
5. Once everything has been removed, click on 'View Details'.
6. Copy and paste those details into a Word/Text document, then save it to your desktop.

***************************

Run this online virus scan: ActiveScan, using Internet Explorer.
Once you are on the Panda site, click the Scan your PC button.
A new window will open... click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component, allow it.
It will start downloading the files it requires for the scan (Note: it may take a couple of minutes).
When the download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

Post the CounterSpy and ActiveScan reports and a new HijackThis log in your next reply please.

#9 hikaru123

Posted 18 February 2007 - 06:54 AM

COUNTERSPY
Detected security risks

Freeprod/Toolbar888 Toolbar more information...
Details: Freeprod/Toolbar888 is an adware application that installs a Internet Explorer Toolbar and may hijack search results.
Status: Deleted

Files detected
C:\Documents and Settings\tcpx\Local Settings\Temp\nsh1A.tmp\System.dll
C:\Documents and Settings\tcpx\Local Settings\Temp\nsn3.tmp\System.dll
C:\Documents and Settings\tcpx\Local Settings\Temp\nst11.tmp\System.dll


Adware.Adstation Adware (General) more information...
Status: Deleted

Files detected
C:\Documents and Settings\tcpx\Local Settings\Temp\LOGO.bmp


Trojan-Downloader.Agent.ASG Trojan Downloader more information...
Status: Deleted

Files detected
C:\Program Files\Ringz Studio\Storm Codec\stormupd.dll

ACTIVESCAN
Couldn't get a result because avast detected a worm and aborted the connection.

HIJACKTHIS
Logfile of HijackThis v1.99.1
Scan saved at 7:49:24 PM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\CounterSpy.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\tcpx\Desktop\Anti Spyware\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
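
A helper reading this thread compares each new HijackThis log with the previous one and picks out the entry types worth a second look. The script below is an added example (not code from the thread, from HijackThis or from BleepingComputer): it parses the O-section lines of two of the logs above, reports what changed between post #7 and post #9, and flags O16 (DPF) and "(file missing)" O23 entries for review. The two log excerpts are copied from the logs the topic starter posted.

```python
"""Parse HijackThis v1.99.1 log entries and compare two scans of one machine.

Added example: not code from this thread, from HijackThis, or from
BleepingComputer. LOG_POST7 and LOG_POST9 are short excerpts copied from the
logs the topic starter posted, so the diff shows what changed between them.
"""
import re
from collections import defaultdict

# One HijackThis entry: section code (F0-F3, O1-O24), " - ", then the body.
_ENTRY = re.compile(r"^(?P<sec>[FO]\d{1,2}) - (?P<body>.+)$")

LOG_POST7 = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

LOG_POST9 = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
"""


def section_key(sec):
    """Sort key so O2 < O4 < O9 < O16 < O23 (plain string order puts O16 first)."""
    return (sec[0], int(sec[1:]))


def parse_hjt(text):
    """Map each section code to the list of entry bodies found in the log."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries[m.group("sec")].append(m.group("body"))
    return dict(entries)


def diff_logs(old, new):
    """Return (added, removed) lists of (section, body) between two parsed logs."""
    added, removed = [], []
    for sec in sorted(set(old) | set(new), key=section_key):
        before, after = set(old.get(sec, [])), set(new.get(sec, []))
        added += [(sec, b) for b in sorted(after - before)]
        removed += [(sec, b) for b in sorted(before - after)]
    return added, removed


def review_points(entries):
    """Pick out the entry types a helper reads first.

    A flag means "look at this", not "malicious": the thread's helper called
    the log clean with the avast! "(file missing)" lines present, and the O16
    entries here are the online scanners he asked for.
    """
    flags = []
    for sec in sorted(entries, key=section_key):
        for body in entries[sec]:
            if sec == "O23" and "(file missing)" in body:
                flags.append((sec, "service path does not resolve: " + body))
            elif sec == "O16":
                flags.append((sec, "ActiveX control downloaded from the web: " + body))
            elif sec == "O4" and "\\Temp\\" in body:
                # CounterSpy's hits above lived under Local Settings\Temp.
                flags.append((sec, "autostart from a temp directory: " + body))
    return flags


if __name__ == "__main__":
    old, new = parse_hjt(LOG_POST7), parse_hjt(LOG_POST9)
    added, removed = diff_logs(old, new)
    for label, rows in (("added", added), ("removed", removed)):
        for sec, body in rows:
            print(f"{label:8} {sec:4} {body}")
    for sec, note in review_points(new):
        print(f"check    {sec:4} {note}")
```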

#10 RichieUK

Posted 18 February 2007 - 07:07 AM

Download the free trial of Kaspersky Anti-Virus 6.0:
http://usa.kaspersky.com/downloads/trial-versions.php
Disconnect from the internet.
Uninstall Avast4 via Add\Remove Programs, then reboot.

Install Kaspersky Anti-Virus 6.0.
Reconnect to the internet and update Kaspersky's virus definitions.
Then run a full system scan.

Let me know the results please.

#11 hikaru123

Posted 18 February 2007 - 08:21 AM

Kaspersky
File Anti-Virus
---------------
Scanned: 334
Detected: 0
Untreated: 0
Start time: 2/18/2007 8:53:54 PM
Duration: 00:25:20


Detected
--------
Status Object User Computer
------ ------ ---- --------


Events
------
Time Name Status Reason User Computer
---- ---- ------ ------ ---- --------
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\TAHOMA.TTF ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\TAHOMABD.TTF ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\TREBUCBD.TTF ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\VGAFIX.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\VGAOEM.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\VGASYS.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_CZEC.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_ENGL.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_FREN.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_GERM.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_ITAL.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_SPAN.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\FONTS\WST_SWED.FON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\HELP\NVCPL.HLP ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\IME\IMJP8_1\IMJPMIG.EXE ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\INF\UNREGMP2.EXE ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\INSTALLER\{480F1C60-D071-43DC-973B-89AD7A35B4E2}\DESKTOPSHORTCUTICON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\INSTALLER\{480F1C60-D071-43DC-973B-89AD7A35B4E2}\MENUSHORTCUTICON ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\MEDIA\WINDOWS XP STARTUP.WAV ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\PCHSVC.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\REGISTRATION\R000000000007.CLB ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\RESOURCES\THEMES\LUNA\LUNA.MSSTYLES ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\RTHDCPL.EXE ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SCHEDLGU.TXT skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM.INI ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\$WINNT$.INF ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ACTIVEDS.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ACTXPRXY.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ADSLDPC.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ADVAPI32.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\APPHELP.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ATKDISP.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ATKOSDMINI.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\ATL.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\AUDIOSRV.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\AUTHZ.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\AUTOCHK.EXE ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\BASESRV.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\BATMETER.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\BROWSER.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\BROWSEUI.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\SYSTEM32\CERTCLI.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:34 PM File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:04 PM File: C:\WINDOWS\System32\stdole2.tlb ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:04 PM File: C:\WINDOWS\System32\es.dll ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:19 PM File: C:\WINDOWS\System32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:19 PM File: C:\WINDOWS\System32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:19 PM File: C:\WINDOWS\System32\CatRoot2\edb.chk skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:56:19 PM File: C:\WINDOWS\System32\CatRoot2\edb.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:57:49 PM File: C:\WINDOWS\System32\DRIVERS\ACPI.sys ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:57:50 PM File: C:\WINDOWS\System32\DRIVERS\HDAudBus.sys ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:57:50 PM File: C:\WINDOWS\system32\WBEM\Logs\wmiprov.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:57:50 PM File: C:\WINDOWS\system32\WBEM\Logs\WinMgmt.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:58:04 PM File: C:\WINDOWS\system32\WBEM\Logs\wmiprov.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:58:04 PM File: C:\WINDOWS\system32\WBEM\Logs\WinMgmt.log skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:58:42 PM File: C:\DOCUME~1\tcpx\LOCALS~1\Temp\jusched.log skipped by type OMEGARED\tcpx localhost
2/18/2007 8:58:55 PM File: C:\DOCUME~1\tcpx\LOCALS~1\Temp\jusched.log skipped by type OMEGARED\tcpx localhost
2/18/2007 8:58:56 PM File: C:\Program Files\Sunbelt Software\CounterSpy\sbwsc.exe ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\Prefetch\SBWSC.EXE-336DA1C5.pf skipped by type OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\NTDLL.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\KERNEL32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\UNICODE.NLS ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\LOCALE.NLS ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\SORTTBLS.NLS ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\RPCRT4.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\MSVCRT.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\GDI32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\USER32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\SHLWAPI.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\CTYPE.NLS ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\IMM32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\LPK.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\USP10.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.10.0_X-WW_F7FB5805\COMCTL32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\WINDOWSSHELL.MANIFEST ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\COMCTL32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\SORTKEY.NLS ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SUNBELT SOFTWARE\COUNTERSPY\LOGS\SBWSC.LOG ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\OLE32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\NETAPI32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\CLBCATQ.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\OLEAUT32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\COMRES.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\VERSION.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\SHDOCVW.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\SYSTEM32\SETUPAPI.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:57 PM File: C:\WINDOWS\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.10.0.Policy ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:58 PM File: C:\WINDOWS\WinSxS\Manifests\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805.Manifest ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:58 PM File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scrchpg.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\Prefetch\COUNTERSPY.EXE-33357AC7.pf skipped by type OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\MSVBVM60.DLL ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\MSCTFIME.IME ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\MSI.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\SBRES.DLL ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WSHOM.OCX ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WINSPOOL.DRV ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\MPR.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\SCRRUN.DLL ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\SXS.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WBEMDISP.DLL ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\MSVCP60.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WBEMPROX.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WBEMCOMN.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WMIUTILS.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WINLOGON.EXE ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WBEMSVC.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\FASTPROX.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\WBEM\WBEMDISP.TLB ok scanned OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\WINDOWS\SYSTEM32\SHFOLDER.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:58:59 PM File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SUNBELT SOFTWARE\COUNTERSPY\SBUSERDATA.SDB ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\SBANTISPYWARELIBRARY.DLL ok scanned OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\WINDOWS\SYSTEM32\MD5.DLL ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\SBSVCPX.DLL ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\SBSCANPX.DLL ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\PROGRAM FILES\SUNBELT SOFTWARE\COUNTERSPY\SBAPPX.DLL ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\WINDOWS\SYSTEM32\MSIMTF.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:00 PM File: C:\WINDOWS\SYSTEM32\MSCTF.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\System32\wbem\wmiprvse.exe ok iChecker NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\NCOBJAPI.DLL ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\WBEM\CIMWIN32.DLL ok iChecker NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\WBEM\FRAMEDYN.DLL ok scanned NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\SECUR32.DLL ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\WMI.DLL ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\Prefetch\SBCSTRAY.EXE-0D646526.pf skipped by type OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\Program Files\Sunbelt Software\CounterSpy\SBTCPLib.dll ok scanned OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\system32\URLMON.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\system32\winhttp.dll ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\System32\ws2_32.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\System32\WS2HELP.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:04 PM File: C:\WINDOWS\System32\mswsock.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\System32\DNSAPI.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\System32\winrnr.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\System32\drivers\etc\hosts ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\System32\wshtcpip.dll ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\SYSTEM32\SVCHOST.EXE ok iSwift NT AUTHORITY\NETWORK SERVICE localhost
2/18/2007 8:59:05 PM File: C:\WINDOWS\System32\rasadhlp.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 8:59:06 PM File: C:\WINDOWS\System32\mlang.dll ok scanned OMEGARED\tcpx localhost
2/18/2007 8:59:10 PM File: C:\Documents and Settings\All Users\Application Data\Sunbelt Software\CounterSpy\Logs\SBWSC.log skipped by type OMEGARED\tcpx localhost
2/18/2007 8:59:10 PM File: C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\SUNBELT SOFTWARE\COUNTERSPY\LOGS\SBWSC.LOG ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:10 PM File: C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:10 PM File: C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:10 PM File: C:\WINDOWS\Prefetch\SBWSC.EXE-336DA1C5.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:13 PM File: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:15 PM File: C:\SBCSTray.log skipped by type OMEGARED\tcpx localhost
2/18/2007 8:59:15 PM File: C:\SBCSTRAY.LOG ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:15 PM File: C:\WINDOWS\Prefetch\SBCSTRAY.EXE-0D646526.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:20 PM File: C:\WINDOWS\Prefetch\COUNTERSPY.EXE-33357AC7.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:59:25 PM File: C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\system32\NOTEPAD.EXE ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\SYSTEM32\COMDLG32.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\SYSTEM32\WIN32K.SYS ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\SYSTEM32\UXTHEME.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\DOCUMENTS AND SETTINGS\TCPX\DESKTOP\REPLY5.TXT ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\SYSTEM VOLUME INFORMATION\_RESTORE{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\CHANGE.LOG skipped by type OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\FONTS\LUCON.TTF ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\DOCUMENTS AND SETTINGS\TCPX\DESKTOP\HIJACKTHIS4.LOG ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\DOCUMENTS AND SETTINGS\TCPX\DESKTOP\HIJACKTHIS3.LOG ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\DOCUMENTS AND SETTINGS\TCPX\DESKTOP\ANTI SPYWARE\HIJACKTHIS.LOG ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\DOCUMENTS AND SETTINGS\TCPX\DESKTOP\REPLY4.TXT ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\Documents and Settings\All Users\Application Data\desktop.ini ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\Documents and Settings\All Users\Documents\My Music\desktop.ini ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:47 PM File: C:\WINDOWS\system32\WININET.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:48 PM File: C:\Documents and Settings\tcpx\Local Settings\History\desktop.ini ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:06:48 PM File: C:\Documents and Settings\tcpx\Local Settings\History\History.IE5\MSHist012007021820070219\index.dat ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:07:00 PM File: C:\Documents and Settings\tcpx\Recent\reply5.txt.lnk ok iChecker OMEGARED\tcpx localhost
2/18/2007 9:07:00 PM File: C:\System Volume Information\_restore{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\A0000749.lnk ok scanned UN SPACY\OMEGARED$ localhost
2/18/2007 9:07:10 PM File: C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 9:18:21 PM File: C:\program files\kaspersky lab\kaspersky anti-virus 6.0\basegui.ppl ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:21 PM File: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCP80.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:21 PM File: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\MSVCR80.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:21 PM File: C:\WINDOWS\System32\hhctrl.ocx ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:21 PM File: C:\WINDOWS\System32\NTMARTA.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:21 PM File: C:\WINDOWS\System32\SAMLIB.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:22 PM File: C:\WINDOWS\System32\itss.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:22 PM File: C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\Doc\context.chm ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:22 PM File: C:\Documents and Settings\tcpx\Application Data\Microsoft\HTML Help\hh.dat ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:22 PM File: C:\WINDOWS\System32\shdoclc.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:23 PM File: C:\WINDOWS\System32\mshtml.dll ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:23 PM File: C:\WINDOWS\System32\MSLS31.DLL ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:23 PM File: C:\WINDOWS\FONTS\TIMES.TTF ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:23 PM File: C:\WINDOWS\FONTS\ARIALBD.TTF ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:23 PM File: C:\WINDOWS\FONTS\WINGDING.TTF ok iSwift OMEGARED\tcpx localhost
2/18/2007 9:18:45 PM File: C:\WINDOWS\SYSTEM32\CRYPT32.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 9:18:45 PM File: C:\WINDOWS\SYSTEM32\IMAGEHLP.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 9:18:45 PM File: C:\WINDOWS\SYSTEM32\MSASN1.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 9:18:45 PM File: C:\WINDOWS\SYSTEM32\WLDAP32.DLL ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 9:18:45 PM File: C:\WINDOWS\Prefetch\RUNDLL32.EXE-398386F9.pf skipped by type UN SPACY\OMEGARED$ localhost


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action
File types Scan programs and documents (by content)
Scan only new and changed files Yes
Scan archives No
Scan installation packages No
Scan embedded OLE objects New only
Postpone by size 0 MB
Skip if object is larger than 8 MB
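
The Kaspersky Anti-Virus 6.0 report above is plain text with three kinds of record worth pulling out when triaging a thread like this: the per-file lines (timestamp, path, status, scan method, the account the file was opened under), the "Detected" rows with their nested-object paths (`//UPX`, `//data0003//data0004` mark layers the scanner unpacked inside an on-disk container), and the "Events" lines that record removed autostart entries, which is what the reply further down shows for `acpidisk`. The script below is an added example, not code from this thread or from Kaspersky: its regular expressions are an assumption about the format drawn from the lines visible here, not a documented schema, and `SAMPLE_REPORT` is a constructed excerpt of lines copied from the report. It also flags the settings that limit what a "clean" result means: "Scan only new and changed files: Yes" and "Scan archives: No" make this an incremental scan that does not open archives, so it is not the full scan the report's own event text asks for.

```python
"""Parse a Kaspersky Anti-Virus 6.0 text report of the kind posted in this thread
and summarise it for triage.  Added example; the regexes are an assumption
drawn from the lines visible in the thread, not a documented Kaspersky schema."""
import re
from collections import Counter

# Per-file line.  Path and account are matched lazily because both may contain
# spaces (e.g. "NT AUTHORITY\NETWORK SERVICE"); the trailing host anchors the split.
FILE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) File: (?P<path>.+?) "
    r"(?P<status>ok (?:iSwift|iChecker|scanned)|skipped by type) "
    r"(?P<user>.+?) (?P<host>\S+)$"
)
# "Detected" row: "<action>: <category> <verdict> File: <object>".
DETECTED_RE = re.compile(
    r"^(?P<action>\w+): (?P<category>.+?) (?P<verdict>\S+) File: (?P<obj>.+)$"
)
# "Events" line recording a removed autostart entry.
STARTUP_RE = re.compile(r"Startup object (?P<key>\S+): (?P<action>\w+)\.$")
# Settings under which a clean result says less than it appears to.
COVERAGE_GAPS = {
    ("Scan only new and changed files", "Yes"): "incremental scan: unchanged files were skipped",
    ("Scan archives", "No"): "archives were not opened",
    ("Scan installation packages", "No"): "installer packages were not opened",
}


def parse_report(text):
    """Return per-file records, detections (nested layers split out),
    deleted startup keys and the coverage-relevant settings."""
    rep = {"files": [], "detected": [], "startup_deleted": [], "settings": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := FILE_RE.match(line):
            rep["files"].append(m.groupdict())
        elif m := DETECTED_RE.match(line):
            # "C:\WINDOWS\036.exe//UPX" -> on-disk container plus unpack layers
            container, *layers = m["obj"].split("//")
            rep["detected"].append({**m.groupdict(), "container": container, "layers": layers})
        elif m := STARTUP_RE.search(line):
            rep["startup_deleted"].append(m.groupdict())
        else:
            for name, _ in COVERAGE_GAPS:
                if line.startswith(name + " "):
                    rep["settings"][name] = line[len(name) + 1:]
    return rep


def summarize(rep):
    """Live-on-disk vs System Restore copies, packed objects, removed keys."""
    status = Counter(f["status"].split()[0] for f in rep["files"])  # ok / skipped
    live, restore = set(), set()
    for d in rep["detected"]:
        in_restore = "system volume information" in d["container"].lower()
        (restore if in_restore else live).add(d["container"])
    return {
        "files_ok": status["ok"],
        "files_skipped": status["skipped"],
        "verdicts": Counter(d["verdict"] for d in rep["detected"]),
        "live_objects": sorted(live),
        "restore_point_objects": sorted(restore),
        "packed_or_nested": sorted({d["container"] for d in rep["detected"] if d["layers"]}),
        "startup_keys": sorted({s["key"] for s in rep["startup_deleted"]}),
    }


def coverage_warnings(settings):
    return [msg for (name, value), msg in COVERAGE_GAPS.items() if settings.get(name) == value]


# Constructed excerpt: lines copied from the report posted in this thread.
SAMPLE_REPORT = r"""
2/18/2007 8:55:23 PM File: C:\PROGRAM FILES\WINRAR\WINRAR.EXE ok iSwift UN SPACY\OMEGARED$ localhost
2/18/2007 8:55:24 PM File: C:\WINDOWS\BOOTSTAT.DAT skipped by type UN SPACY\OMEGARED$ localhost
2/18/2007 8:58:56 PM File: C:\Program Files\Sunbelt Software\CounterSpy\sbwsc.exe ok iChecker OMEGARED\tcpx localhost
2/18/2007 8:59:02 PM File: C:\WINDOWS\SYSTEM32\WBEM\FRAMEDYN.DLL ok scanned NT AUTHORITY\NETWORK SERVICE localhost
Detected
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: c:\windows\system32\drivers\acpidisk.sys
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: C:\System Volume Information\_restore{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\A0000740.sys
deleted: Trojan program Trojan-Downloader.Win32.Banload.alh File: C:\WINDOWS\036.exe//UPX
deleted: virus Worm.Win32.Delf.bi File: C:\WINDOWS\nRPqS.0xe//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: C:\WINDOWS\system32\bd4.exe//data0003//data0004
Events
2/18/2007 8:52:48 PM Startup object HKLM\System\ControlSet001\Services\acpidisk\acpidisk: deleted.
2/18/2007 8:52:48 PM Startup object HKLM\System\ControlSet003\Services\acpidisk\acpidisk: deleted.
Settings
Scan only new and changed files Yes
Scan archives No
Scan installation packages No
"""

if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
    print("coverage warnings:", coverage_warnings(parse_report(SAMPLE_REPORT)["settings"]))
```

The split between `live_objects` and `restore_point_objects` matters for the follow-up: a detection inside `System Volume Information` is a System Restore copy of something already removed, while a live path (a driver under `system32\drivers` with its own service keys, or a packed executable in `C:\WINDOWS`) is what was actually running, and the removed `Startup object` keys are what to re-check after a reboot.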

#12 RichieUK


    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 February 2007 - 08:29 AM

So we'll take it your PC is clean then; how's it running now, please?

#13 hikaru123

  • Topic Starter

  • Members
  • 12 posts

Posted 18 February 2007 - 08:30 AM

Sorry, I think this is what you are looking for.

Kaspersky

Protection
----------
Total scanned: 121069
Detected: 9
Untreated: 0
Start time: 2/18/2007 8:53:54 PM
Duration: 00:33:00


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: c:\windows\system32\drivers\acpidisk.sys
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: C:\System Volume Information\_restore{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\A0000740.sys
deleted: Trojan program Trojan-Downloader.Win32.Banload.alh File: C:\WINDOWS\036.exe//UPX
deleted: virus Worm.Win32.Delf.bi File: C:\WINDOWS\nRPqS.0xe//PE_Patch.UPX//UPX
deleted: Trojan program Trojan-Downloader.Win32.Small.ehp File: C:\WINDOWS\system32\bd1.exe
deleted: adware not-a-virus:AdWare.Win32.Boran.w File: C:\WINDOWS\system32\bd3.exe//data0002
deleted: adware not-a-virus:AdWare.Win32.Cinmus.j File: C:\WINDOWS\system32\bd4.exe//data0003//data0004
deleted: adware not-a-virus:AdWare.Win32.Softomate.ag File: C:\WINDOWS\system32\bd5.exe//stream//data0019
deleted: virus Worm.Win32.Delf.bi File: D:\nRPqS.0xe//PE_Patch.UPX//UPX


Events
------
Time Event
---- -----
2/18/2007 8:49:54 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
2/18/2007 8:49:58 PM Protection of your computer started.
2/18/2007 8:50:56 PM File c:\windows\system32\drivers\acpidisk.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:50:56 PM Security threats have been detected. You are advised to neutralize them immediately.
2/18/2007 8:50:56 PM File c:\windows\system32\drivers\acpidisk.sys: is still infected, postponed.
2/18/2007 8:51:46 PM File C:\WINDOWS\System32\drivers\acpidisk.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:51:46 PM File C:\WINDOWS\System32\drivers\acpidisk.sys: is still infected, postponed.
2/18/2007 8:51:47 PM File C:\WINDOWS\system32\drivers\acpidisk.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:51:47 PM File C:\WINDOWS\system32\drivers\acpidisk.sys: is still infected, postponed.
2/18/2007 8:52:01 PM File c:\windows\system32\drivers\acpidisk.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:52:38 PM File C:\System Volume Information\_restore{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\A0000740.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:52:38 PM File C:\System Volume Information\_restore{D1F6A9A8-E347-4071-AB41-80697B9C11C1}\RP8\A0000740.sys: is still infected, postponed.
2/18/2007 8:52:48 PM File c:\windows\system32\drivers\acpidisk.sys: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 8:52:48 PM Startup object HKLM\System\ControlSet001\Services\acpidisk\acpidisk: deleted.
2/18/2007 8:52:48 PM Startup object HKLM\System\ControlSet003\Services\acpidisk\acpidisk: deleted.
2/18/2007 8:52:50 PM File c:\windows\system32\drivers\acpidisk.sys: deleted.
2/18/2007 8:53:02 PM Protection of your computer is not running. You are advised to resume protection.
2/18/2007 8:53:50 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
2/18/2007 8:53:54 PM Security threats have been detected. You are advised to neutralize them immediately.
2/18/2007 8:53:54 PM Protection of your computer started.
2/18/2007 8:54:28 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip/related.htm: is password protected.
2/18/2007 8:54:28 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip/sbRecovery.ini: is password protected.
2/18/2007 8:54:29 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Sogou.zip/sbRecovery.reg: is password protected.
2/18/2007 8:54:29 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Sogou.zip/sbRecovery.ini: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/Ad-Aware SE Default.skn: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/arrow1.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/arrow2.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bck1.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt11.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt12.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt13.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt21.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt22.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt23.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt31.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt32.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt33.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt41.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt42.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt43.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt51.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt52.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt53.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt61.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/bt62.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/checkbox1.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/checkbox2.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/checkbox3.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/checkbox4.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/defbtn1.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/defbtn2.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/defbtn3.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph1.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph2.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph3.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph4.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph5.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph6.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/glyph7.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/main.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/preview.bmp: is password protected.
2/18/2007 9:00:05 PM File C:\Program Files\Common Files\Wise Installation Wizard\WIS78CC3BABDE2A4FB48FBBE4DADDC26747_1_0_6.MSI//Cabs.w1.cab/AdAware_SE_default.ask/sprite1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/Ad-Aware SE Default.skn: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/arrow2.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bck1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt11.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt12.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt13.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt21.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt22.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt23.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt31.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt32.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt33.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt41.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt42.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt43.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt51.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt52.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt53.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt61.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/bt62.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox2.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox3.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/checkbox4.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn2.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/defbtn3.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph1.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph2.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph3.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph4.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph5.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph6.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/glyph7.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/main.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/preview.bmp: is password protected.
2/18/2007 9:01:39 PM File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask/sprite1.bmp: is password protected.
2/18/2007 9:02:21 PM File C:\WINDOWS\036.exe//UPX: detected Trojan program 'Trojan-Downloader.Win32.Banload.alh'.
2/18/2007 9:02:21 PM Security threats have been detected. You are advised to neutralize them immediately.
2/18/2007 9:02:21 PM File C:\WINDOWS\036.exe//UPX: is still infected, postponed.
2/18/2007 9:02:22 PM File C:\WINDOWS\nRPqS.0xe//PE_Patch.UPX//UPX: detected virus 'Worm.Win32.Delf.bi'.
2/18/2007 9:02:22 PM File C:\WINDOWS\nRPqS.0xe//PE_Patch.UPX//UPX: is still infected, postponed.
2/18/2007 9:03:35 PM File c:\windows\036.exe//UPX: detected Trojan program 'Trojan-Downloader.Win32.Banload.alh'.
2/18/2007 9:03:47 PM File c:\windows\036.exe: deleted.
2/18/2007 9:03:47 PM File c:\windows\nrpqs.0xe//PE_Patch.UPX//UPX: detected virus 'Worm.Win32.Delf.bi'.
2/18/2007 9:03:50 PM File c:\windows\nrpqs.0xe: deleted.
2/18/2007 9:06:10 PM File C:\WINDOWS\system32\bd1.exe: detected Trojan program 'Trojan-Downloader.Win32.Small.ehp'.
2/18/2007 9:06:10 PM Security threats have been detected. You are advised to neutralize them immediately.
2/18/2007 9:06:10 PM File C:\WINDOWS\system32\bd1.exe: is still infected, postponed.
2/18/2007 9:06:10 PM File C:\WINDOWS\system32\bd3.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.Boran.w'.
2/18/2007 9:06:10 PM File C:\WINDOWS\system32\bd3.exe//data0002: is still infected, postponed.
2/18/2007 9:06:11 PM File C:\WINDOWS\system32\bd4.exe//data0003//data0004: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 9:06:11 PM File C:\WINDOWS\system32\bd4.exe//data0003//data0004: is still infected, postponed.
2/18/2007 9:06:11 PM File C:\WINDOWS\system32\bd5.exe//stream//data0019: detected adware 'not-a-virus:AdWare.Win32.Softomate.ag'.
2/18/2007 9:06:11 PM File C:\WINDOWS\system32\bd5.exe//stream//data0019: is still infected, postponed.
2/18/2007 9:07:26 PM File D:\nRPqS.0xe//PE_Patch.UPX//UPX: detected virus 'Worm.Win32.Delf.bi'.
2/18/2007 9:07:26 PM File D:\nRPqS.0xe//PE_Patch.UPX//UPX: is still infected, postponed.
2/18/2007 9:12:32 PM File c:\windows\system32\bd1.exe: detected Trojan program 'Trojan-Downloader.Win32.Small.ehp'.
2/18/2007 9:16:44 PM File c:\windows\system32\bd1.exe: deleted.
2/18/2007 9:16:44 PM File c:\windows\system32\bd3.exe//data0002: detected adware 'not-a-virus:AdWare.Win32.Boran.w'.
2/18/2007 9:16:50 PM File c:\windows\system32\bd3.exe: deleted.
2/18/2007 9:16:50 PM File c:\windows\system32\bd4.exe//data0003//data0004: detected adware 'not-a-virus:AdWare.Win32.Cinmus.j'.
2/18/2007 9:16:54 PM File c:\windows\system32\bd4.exe: deleted.
2/18/2007 9:16:55 PM File c:\windows\system32\bd5.exe//stream//data0019: detected adware 'not-a-virus:AdWare.Win32.Softomate.ag'.
2/18/2007 9:16:55 PM File c:\windows\system32\bd5.exe: deleted.
2/18/2007 9:16:55 PM File d:\nrpqs.0xe//PE_Patch.UPX//UPX: detected virus 'Worm.Win32.Delf.bi'.
2/18/2007 9:16:55 PM File d:\nrpqs.0xe: deleted.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Proactive Defense running 2/18/2007 8:53:54 PM 0 bytes
File Anti-Virus running 2/18/2007 8:53:54 PM 109.7 KB
Mail Anti-Virus running 2/18/2007 8:53:54 PM 0 bytes
Web Anti-Virus running 2/18/2007 8:53:55 PM 20.4 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: adware not-a-virus:AdWare.Win32.Cinmus.j c:\windows\system32\bd4.exe 174.9 KB
Infected: adware not-a-virus:AdWare.Win32.Boran.w c:\windows\system32\bd3.exe 149.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Small.ehp c:\windows\system32\bd1.exe 20 KB
Infected: adware not-a-virus:AdWare.Win32.Cinmus.j c:\system volume information\_restore{d1f6a9a8-e347-4071-ab41-80697b9c11c1}\rp8\a0000740.sys 207.9 KB
Infected: virus Worm.Win32.Delf.bi c:\windows\nrpqs.0xe 51 KB
Infected: adware not-a-virus:AdWare.Win32.Softomate.ag c:\windows\system32\bd5.exe 226.4 KB
Infected: virus Worm.Win32.Delf.bi d:\nrpqs.0xe 51 KB
Infected: adware not-a-virus:AdWare.Win32.Cinmus.j c:\windows\system32\drivers\acpidisk.sys 207.9 KB
Infected: Trojan program Trojan-Downloader.Win32.Banload.alh c:\windows\036.exe 22.5 KB

#14 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 18 February 2007 - 08:41 AM

Your log is clean :thumbsup:
If all's ok, please do the following:

Revert the following settings back to default:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?".
Then select 'Yes', and your 'System Restore' directories will be purged.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'Ok'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are created automatically.

You should now go to Windows Update and install any available critical/high priority updates.

Read through the info found here, to help you prevent any possible future infections.
How did I get infected?
http://www.bleepingcomputer.com/forums/t/2520/how-did-i-get-infected/

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 24 February 2007 - 12:21 PM

Since your problem appears to be resolved, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter.
Everyone else please begin a New Topic.