W32/Mabezat.B.worm shredding my PC apart [RESOLVED]


  • This topic is locked

#31
Hussam Magdy

    Member

  • Topic Starter
  • Member
  • 37 posts
Thanks a million, RatHat, for all the help you offered... You believed there was a way when no one else stepped up to help :)
I'm installing all protection now and I hope nothing re-occurs...

I've got one last thing to ask about: I will finish my exams in a week or so and was thinking of applying to Geek U, but there's not enough info about it and I don't want to make an application and then "drop out :)". Would you like me to PM you about this?

Almost forgot: when I start my computer, while the startup programs are loading, the mouse cursor turns into this weird black cursor. I can live with it :) but was wondering, is it worm-related, or can it be fixed? If not, it's not that bad :)


#32
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hussam,

Go ahead and apply for Geek U, it is hard work though, and a lot of reading, followed by a lot more reading. Some people join then drop out, but who knows, maybe you will get through it all, then end up helping people with seemingly incurable logs! I know when I started, I never imagined that I would make it through, or get to the stage I am at now (which is far behind some of the experts we have here!).

I don't know about the mouse cursor, or what could cause it. It may be something to do with the Mabezat worm, maybe not. I would still advise re-formatting your computer after backing up all your files. I have infected a machine with Mabezat to see what it does, and so far it only infects executable files or zipped/RAR files, not documents. Be warned though that it does infect flash drives, so be sure to run the Flash_Disinfector as outlined in post 13 after reformatting your machine, and clean all flash drives that you have again.

Regards,
RatHat

#33
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#34
Hussam Magdy

    Member

  • Topic Starter
  • Member
  • 37 posts
Thanks for reopening that fast :) Hope to hear from you soon...

#35
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Topic reopened at user request.

OK, firstly we need to make sure your machine is clean again.

DO NOT REBOOT THE COMPUTER OR RUN ANY OTHER PROGRAMS UNTIL YOU HAVE COMPLETED THIS FIX.

Open your browser, and download both the files required for the fix first, then run OTMoveIt followed by the Kaspersky Virus Removal Tool.

Download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\autorun.inf
C:\zPharaoh.exe
C:\Documents and Settings\hook.dl_
C:\Documents and Settings\tazebama.dll
C:\Documents and Settings\tazebama.dl_


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Download the Kaspersky Virus Removal Tool to your Desktop
  • Note that the version to download is at the bottom of the list
  • Double click the downloaded installer to run the installation tool
  • After installation the Kaspersky Virus Removal Tool will start automatically
  • Before scanning, click Settings (it will change to underlined when you mouse over it)
  • Set Security Level to High
  • Under Action, make sure the Do not prompt for action radio button is set on
  • Ensure Disinfect and Delete if disinfection fails are both ticked
  • Click Apply then OK
  • Click the Scan button to begin scanning
This will take a while so be patient.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save Report As Text button:
  • Under Save as type, choose Text file (*.txt)
  • Save the file to your desktop as Kaspersky.txt
  • Copy and paste that information in your next post.

Regards,
RatHat

#36
Hussam Magdy

    Member

  • Topic Starter
  • Member
  • 37 posts
OTMoveIt log ...

C:\autorun.inf moved successfully.
File/Folder C:\zPharaoh.exe not found.
File/Folder C:\Documents and Settings\hook.dl_ not found.
File/Folder C:\Documents and Settings\tazebama.dll not found.
File/Folder C:\Documents and Settings\tazebama.dl_ not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06052008_150622


Kaspersky Virus Removal Tool didn't find anything, even on the iPod.

Kaspersky Web Scanner Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 05, 2008 9:58:30 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 831759
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 79074
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:22:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Application Data\Real\RealPlayer\skins\data\normal\imgcache.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\dfsr.db Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\fsr.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\tmp.edb Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\dfsr.db Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\fsr.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_1C2C_4B03_2C4A_D782\tmp.edb Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\hsperfdata_Hussamofe\952 Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DF38C2.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DF3A34.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DF40BD.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFAF85.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFB00E.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFDF99.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFE0EA.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFEAE1.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temp\~DFEB03.tmp Object is locked skipped
C:\Documents and Settings\Hussamofe\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hussamofe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hussamofe\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\06052008_150622\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
D:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Nothing on the iPod either...
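The fix above removes the worm's dropper files by path, and the Kaspersky report shows the other half of the picture: on every volume the root `autorun.inf` is no longer a file but a folder holding an entry named `lpt3.This folder was created by Flash_Disinfector`. The script below is an added example, not a tool from this thread or from OldTimer, Kaspersky or Avira: it walks a volume and reports the same indicators a helper would look for by hand. It distinguishes a root `autorun.inf` that is a file (infection marker) from the protective folder, flags the dropper names from the OTMoveIt list, and flags the two naming tricks visible in the Avira report later in the thread: an executable named after its own folder with a trailing space (`F00 .exe` inside `F00`) and a document-looking name that ends in `.exe` (`Readme.doc .exe`, `Office2003 CD-Key.doc.exe`). The two sample volumes it builds in a temporary directory are constructed for the demonstration; the list of document extensions and the heuristics beyond the thread's own paths are my assumptions, and it only reports, it does not delete anything.

```python
"""Added triage script: report Mabezat indicators on a volume (reports only)."""
import re
import tempfile
from pathlib import Path

# Dropper file names from the OTMoveIt move list in post #35 (matched case-insensitively).
DROPPER_NAMES = {"zpharaoh.exe", "hook.dl_", "tazebama.dll", "tazebama.dl_"}
# Flash_Disinfector's entry starts with LPT3, a reserved DOS device name that the normal
# Win32 file APIs refuse to operate on, so the worm cannot delete the folder and put its
# own autorun.inf file in its place.
PROTECTIVE_PREFIX = "lpt3."
# Assumed heuristic: "Readme.doc .exe" style names, a document extension followed by .exe.
DOUBLE_EXT = re.compile(r"\.(doc|txt|rar|zip|pdf|jpg)\s*\.exe$", re.IGNORECASE)


def check_autorun(root: Path) -> str:
    """Classify <root>\\autorun.inf: file = infection marker, folder with the lpt3.*
    entry = Flash_Disinfector immunisation, other folder = unknown, else absent."""
    ai = root / "autorun.inf"
    if ai.is_file():
        return "autorun_inf_file"
    if ai.is_dir():
        if any(c.name.lower().startswith(PROTECTIVE_PREFIX) for c in ai.iterdir()):
            return "autorun_inf_protected"
        return "autorun_inf_dir_unknown"
    return "autorun_inf_absent"


def scan_tree(root: Path) -> list:
    """Return sorted (indicator, path relative to root) tuples for one volume."""
    findings = [(check_autorun(root), "autorun.inf")]
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        low = p.name.lower()
        if low in DROPPER_NAMES:
            findings.append(("known_dropper", rel))
        # Folder-mimic companion: "<parent folder name> .exe" inside that folder,
        # as in J:\iPod_Control\Music\F00\F00 .exe from the Avira report.
        if low == f"{p.parent.name.lower()} .exe":
            findings.append(("folder_mimic_exe", rel))
        if DOUBLE_EXT.search(p.name):
            findings.append(("double_extension_exe", rel))
    return sorted(findings)


def build_sample_tree(base: Path):
    """Constructed sample data, not a real capture: an 'infected' volume that mirrors a
    few paths from the Avira report and a 'clean' volume carrying the protective folder."""
    inf = base / "infected"
    (inf / "iPod_Control" / "Music" / "F00").mkdir(parents=True)
    (inf / "iPod_Control" / "Music" / "F34").mkdir(parents=True)
    (inf / "autorun.inf").write_text("[autorun]\n")  # placeholder content, constructed
    (inf / "zPharaoh.exe").write_bytes(b"MZ")
    (inf / "iPod_Control" / "Music" / "F00" / "F00 .exe").write_bytes(b"MZ")
    (inf / "iPod_Control" / "Music" / "F00" / "track01.mp3").write_bytes(b"ID3")
    (inf / "iPod_Control" / "Music" / "F34" / "Office2003 CD-Key.doc.exe").write_bytes(b"MZ")
    clean = base / "clean"
    # Creating this name works on a POSIX host; on Windows it is exactly the name the
    # normal APIs reject, which is why Flash_Disinfector has to create it specially.
    (clean / "autorun.inf" / "lpt3.This folder was created by Flash_Disinfector").mkdir(parents=True)
    (clean / "notes.txt").write_text("clean volume\n")
    return inf, clean


def run_demo() -> dict:
    """Build both sample volumes in a temp dir and return their findings by name."""
    with tempfile.TemporaryDirectory() as tmp:
        inf, clean = build_sample_tree(Path(tmp))
        return {"infected": scan_tree(inf), "clean": scan_tree(clean)}


if __name__ == "__main__":
    for volume, hits in run_demo().items():
        print(volume)
        for kind, rel in hits:
            print(f"  {kind:24} {rel}")
```

Point `scan_tree` at a real drive root (for example `Path("J:/")`) to triage a flash drive or iPod before and after running Flash_Disinfector; a result of `autorun_inf_protected` with no other findings is what the clean volumes in the Kaspersky report look like.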

#37
Hussam Magdy

    Member

  • Topic Starter
  • Member
  • 37 posts
This is the report of the Avira scan I did before reopening this topic; there was an infection :) I'm not crazy :)

Avira AntiVir Personal
Report file date: Thursday, June 05, 2008 14:36

Scanning for 1309825 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Hussamofe
Computer name: HUSSAM

Version information:
BUILD.DAT : 8.1.0.308 16478 Bytes 5/28/2008 17:03:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 08:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 07:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 07:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 07:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 09:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 12:08:58
ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 6/1/2008 11:05:17
ANTIVIR3.VDF : 7.0.4.142 82432 Bytes 6/4/2008 13:47:06
Engineversion : 8.1.0.51
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 08:58:21
AESCRIPT.DLL : 8.1.0.37 270715 Bytes 6/1/2008 08:24:44
AESCN.DLL : 8.1.0.20 119157 Bytes 6/1/2008 08:24:40
AERDL.DLL : 8.1.0.20 418165 Bytes 6/1/2008 08:24:37
AEPACK.DLL : 8.1.1.5 364918 Bytes 6/1/2008 08:24:28
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 6/1/2008 08:24:20
AEHEUR.DLL : 8.1.0.29 1253750 Bytes 6/1/2008 08:24:16
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/1/2008 08:23:54
AEGEN.DLL : 8.1.0.25 307573 Bytes 6/1/2008 08:23:51
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/1/2008 08:23:45
AECORE.DLL : 8.1.0.30 168311 Bytes 6/1/2008 08:23:39
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 16:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 09:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 12:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 16:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 07:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 07:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 16:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 16:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 11:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 13:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 11:02:11

Configuration settings for the scan:
Jobname..........................: ShlExt
Configuration file...............: C:\DOCUME~1\HUSSAM~1\LOCALS~1\Temp\453cc595.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: J:,
Scan memory......................: on
Process scan.....................: off
Scan registry....................: off
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Thursday, June 05, 2008 14:36

Starting the file scan:

Begin scan in 'J:\' <HUSSAM>
J:\autorun.inf
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B.79
[NOTE] The file was moved to '48bbd023.qua'!
J:\zPharaoh.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48afcffe.qua'!
J:\iPod_Control\iTunes\iTunes .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bcd002.qua'!
J:\iPod_Control\iTunes\JetAudio dump.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd014.qua'!
J:\iPod_Control\Device\Device .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bdd014.qua'!
J:\iPod_Control\Device\InstallMSN11Ar.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad01d.qua'!
J:\iPod_Control\Device\Accessories\Accessories .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad012.qua'!
J:\iPod_Control\Device\Accessories\Crack_GoogleEarthPro.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48a8d022.qua'!
J:\iPod_Control\Music\Music .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad025.qua'!
J:\iPod_Control\Music\InstallMSN11En.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad01e.qua'!
J:\iPod_Control\Music\F00\F00 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877cfe5.qua'!
J:\iPod_Control\Music\F00\AmericanOnLine.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48acd023.qua'!
J:\iPod_Control\Music\F01\F01 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878cfee.qua'!
J:\iPod_Control\Music\F01\msjavx86.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b1d032.qua'!
J:\iPod_Control\Music\F02\F02 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879cff7.qua'!
J:\iPod_Control\Music\F02\FloppyDiskPartion.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d034.qua'!
J:\iPod_Control\Music\F03\HP_LaserJetAllInOneConfig.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48a6d023.qua'!
J:\iPod_Control\Music\F03\F03 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad005.qua'!
J:\iPod_Control\Music\F04\F04 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd010.qua'!
J:\iPod_Control\Music\F04\Microsoft Windows Network.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Mabezat.A
[NOTE] The file was moved to '48aad04a.qua'!
J:\iPod_Control\Music\F05\F05 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd01d.qua'!
J:\iPod_Control\Music\F05\Adjust Time.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b1d051.qua'!
J:\iPod_Control\Music\F06\F06 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd024.qua'!
J:\iPod_Control\Music\F06\Recycle Bin.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad05b.qua'!
J:\iPod_Control\Music\F07\F07 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed033.qua'!
J:\iPod_Control\Music\F07\WindowsXp StartMenu Settings.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d06d.qua'!
J:\iPod_Control\Music\F08\F08 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd03d.qua'!
J:\iPod_Control\Music\F08\MakeUrOwnFamilyTree.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d06f.qua'!
J:\iPod_Control\Music\F09\F09 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d049.qua'!
J:\iPod_Control\Music\F09\Win98compatibleXP.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d083.qua'!
J:\iPod_Control\Music\F10\F10 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d056.qua'!
J:\iPod_Control\Music\F10\LockWindowsPartition.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad095.qua'!
J:\iPod_Control\Music\F11\F11 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878d062.qua'!
J:\iPod_Control\Music\F11\BrowseAllUsers.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d0a3.qua'!
J:\iPod_Control\Music\F12\F12 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879d06f.qua'!
J:\iPod_Control\Music\F12\ShowDesktop.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d0a7.qua'!
J:\iPod_Control\Music\F13\F13 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad07b.qua'!
J:\iPod_Control\Music\F13\CD Burner.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d08e.qua'!
J:\iPod_Control\Music\F14\F14 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd085.qua'!
J:\iPod_Control\Music\F14\Disk Defragmenter.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad0bd.qua'!
J:\iPod_Control\Music\F15\F15 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd08e.qua'!
J:\iPod_Control\Music\F15\RecycleBinProtect.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad0c3.qua'!
J:\iPod_Control\Music\F16\F16 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd098.qua'!
J:\iPod_Control\Music\F16\FaxSend.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bfd0c9.qua'!
J:\iPod_Control\Music\F17\F17 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed0a4.qua'!
J:\iPod_Control\Music\F17\Windows Keys Secrets.exe
[DETECTION] Contains detection pattern of the Windows virus W32/Mabezat.B
[NOTE] The file was moved to '48b5d0dc.qua'!
J:\iPod_Control\Music\F18\F18 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd0af.qua'!
J:\iPod_Control\Music\F18\IDE Conector P2P.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '488cd0c2.qua'!
J:\iPod_Control\Music\F19\F19 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d0bb.qua'!
J:\iPod_Control\Music\F19\Sony Erikson DigitalCam.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d0fa.qua'!
J:\iPod_Control\Music\F20\F20 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d0c7.qua'!
J:\iPod_Control\Music\F20\Microsoft MSN.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad0fe.qua'!
J:\iPod_Control\Music\F21\F21 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878d0d1.qua'!
J:\iPod_Control\Music\F21\RadioTV.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48abd101.qua'!
J:\iPod_Control\Music\F22\F22 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879d0db.qua'!
J:\iPod_Control\Music\F22\Antenna2Net.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd118.qua'!
J:\iPod_Control\Music\F23\F23 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad0e5.qua'!
J:\iPod_Control\Music\F23\PanasonicDVD_DigitalCam.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d116.qua'!
J:\iPod_Control\Music\F24\F24 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd0f3.qua'!
J:\iPod_Control\Music\F24\GoogleToolbarNotifier.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d130.qua'!
J:\iPod_Control\Music\F25\F25 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd0fe.qua'!
J:\iPod_Control\Music\F25\MyDocuments.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '488bd145.qua'!
J:\iPod_Control\Music\F26\F26 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd107.qua'!
J:\iPod_Control\Music\F26\backup.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48aad136.qua'!
J:\iPod_Control\Music\F27\F27 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed114.qua'!
J:\iPod_Control\Music\F27\source.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48bcd151.qua'!
J:\iPod_Control\Music\F28\F28 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd11f.qua'!
J:\iPod_Control\Music\F28\windows_secrets.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48b5d156.qua'!
J:\iPod_Control\Music\F29\F29 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d12a.qua'!
J:\iPod_Control\Music\F29\passwords.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48bad15a.qua'!
J:\iPod_Control\Music\F30\F30 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d136.qua'!
J:\iPod_Control\Music\F30\serials.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48b9d168.qua'!
J:\iPod_Control\Music\F31\F31 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878d141.qua'!
J:\iPod_Control\Music\F31\WinrRarSerialInstall.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d178.qua'!
J:\iPod_Control\Music\F32\F32 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879d14b.qua'!
J:\iPod_Control\Music\F32\NokiaN73Tools.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d188.qua'!
J:\iPod_Control\Music\F33\F33 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad156.qua'!
J:\iPod_Control\Music\F33\Make Windows Original.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d184.qua'!
J:\iPod_Control\Music\F34\F34 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd15f.qua'!
J:\iPod_Control\Music\F34\Office2003 CD-Key.doc.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48add193.qua'!
J:\iPod_Control\Music\F35\F35 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd16c.qua'!
J:\iPod_Control\Music\F35\Office2007 Serial.txt.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48add19f.qua'!
J:\iPod_Control\Music\F36\F36 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd176.qua'!
J:\iPod_Control\Music\F36\KasperSky6.0 Key.doc.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad1a4.qua'!
J:\iPod_Control\Music\F37\F37 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed188.qua'!
J:\iPod_Control\Music\F37\JetAudio dump.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd1bb.qua'!
J:\iPod_Control\Music\F38\F38 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd19f.qua'!
J:\iPod_Control\Music\F38\InstallMSN11Ar.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad1da.qua'!
J:\iPod_Control\Music\F39\F39 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d1aa.qua'!
J:\iPod_Control\Music\F39\InstallMSN11En.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad1e6.qua'!
J:\iPod_Control\Music\F40\F40 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d1bc.qua'!
J:\iPod_Control\Music\F40\Lock Folder.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad1f8.qua'!
J:\iPod_Control\Music\F41\F41 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878d1c7.qua'!
J:\iPod_Control\Music\F41\Crack_GoogleEarthPro.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48a8d206.qua'!
J:\iPod_Control\Music\F42\F42 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879d1d2.qua'!
J:\iPod_Control\Music\F42\AmericanOnLine.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48acd20c.qua'!
J:\iPod_Control\Music\F43\F43 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad1de.qua'!
J:\iPod_Control\Music\F43\msjavx86.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b1d21d.qua'!
J:\iPod_Control\Music\F44\F44 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd1ec.qua'!
J:\iPod_Control\Music\F44\FloppyDiskPartion.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d224.qua'!
J:\iPod_Control\Music\F45\F45 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd1f8.qua'!
J:\iPod_Control\Music\F45\HP_LaserJetAllInOneConfig.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48a6d214.qua'!
J:\iPod_Control\Music\F46\F46 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd202.qua'!
J:\iPod_Control\Music\F46\Microsoft Windows Network.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad239.qua'!
J:\iPod_Control\Music\F47\F47 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed211.qua'!
J:\iPod_Control\Music\F47\Adjust Time.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b1d242.qua'!
J:\iPod_Control\Music\F48\F48 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd21e.qua'!
J:\iPod_Control\Music\F48\Recycle Bin.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B.4
[NOTE] The file was moved to '48aad250.qua'!
J:\iPod_Control\Music\F49\F49 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d229.qua'!
J:\iPod_Control\Music\F49\WindowsXp StartMenu Settings.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d260.qua'!
J:\iPod_Control\Artwork\Artwork .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd26e.qua'!
J:\iPod_Control\Artwork\Lock Folder.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad26b.qua'!
J:\Contacts\Contacts .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d26c.qua'!
J:\Contacts\WinrRarSerialInstall.exe
[DETECTION] Contains detection pattern of the worm WORM/Agent.161175
[NOTE] The file was moved to '48b5d267.qua'!
J:\Calendars\Calendars .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b3d260.qua'!
J:\Calendars\NokiaN73Tools.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B.67
[NOTE] The file was moved to '48b2d26f.qua'!
J:\Notes\Notes .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd270.qua'!
J:\Notes\Make Windows Original.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d263.qua'!
J:\Notes\Family Guy Trivia\Family Guy Trivia .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b4d265.qua'!
J:\Notes\Family Guy Trivia\MakeUrOwnFamilyTree.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d266.qua'!
J:\Notes\WWE Wrestling Trivia\WWE Wrestling Trivia .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '488cd260.qua'!
J:\Notes\WWE Wrestling Trivia\Win98compatibleXP.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d273.qua'!
J:\100CANON\100CANON .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d23c.qua'!
J:\100CANON\Office2003 CD-Key.doc.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48add272.qua'!
J:\Photos\Photos .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d275.qua'!
J:\Photos\Office2007 Serial.txt.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48add273.qua'!
J:\Photos\Thumbs\Thumbs .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bcd276.qua'!
J:\Photos\Thumbs\LockWindowsPartition.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad27e.qua'!
J:\Photos\Full Resolution\Full Resolution .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b3d284.qua'!
J:\Photos\Full Resolution\BrowseAllUsers.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d282.qua'!
J:\Photos\Full Resolution\2006\2006 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d240.qua'!
J:\Photos\Full Resolution\2006\ShowDesktop.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B.137
[NOTE] The file was moved to '48b6d279.qua'!
J:\Photos\Full Resolution\2006\03\03 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d244.qua'!
J:\Photos\Full Resolution\2006\03\CD Burner.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d256.qua'!
J:\Photos\Full Resolution\2006\03\12\12 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '49c2b555.qua'!
J:\Photos\Full Resolution\2006\03\12\FaxSend.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bfd274.qua'!
J:\Photos\Full Resolution\2006\04\04 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d248.qua'!
J:\Photos\Full Resolution\2006\04\Disk Defragmenter.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad27d.qua'!
J:\Photos\Full Resolution\2006\04\27\27 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d24d.qua'!
J:\Photos\Full Resolution\2006\04\27\Windows Keys Secrets.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d27f.qua'!
J:\Photos\Full Resolution\2006\04\01\01 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '49c2b559.qua'!
J:\Photos\Full Resolution\2006\04\01\IDE Conector P2P.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '488cd25c.qua'!
J:\Photos\Full Resolution\2006\04\20\20 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d249.qua'!
J:\Photos\Full Resolution\2006\04\20\Sony Erikson DigitalCam.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B.2
[NOTE] The file was moved to '48b5d288.qua'!
J:\Photos\Full Resolution\2006\04\21\21 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.C
[NOTE] The file was moved to '4867d24b.qua'!
J:\Photos\Full Resolution\2006\04\21\Microsoft MSN.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad283.qua'!
J:\Photos\Full Resolution\2006\05\05 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4867d250.qua'!
J:\Photos\Full Resolution\2006\05\RecycleBinProtect.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48aad281.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\iPod Photo Cache .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d26c.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\RadioTV.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48abd27e.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F00\F00 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4877d24e.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F00\Antenna2Net.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bbd28c.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F01\F01 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4878d24f.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F01\PanasonicDVD_DigitalCam.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d280.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F02\F02 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4879d250.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F02\GoogleToolbarNotifier.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b6d290.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F03\F03 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ad251.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F03\MyDocuments.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '488bd29b.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F04\F04 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487bd252.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F04\backup.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48aad284.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F05\F05 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487cd254.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F05\source.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48bcd294.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F06\F06 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487dd256.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F06\windows_secrets.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48b5d291.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F07\F07 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487ed25a.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F07\office_crack.rar
[0] Archive type: RAR
--> Documents and Settings\MyDocuments\Readme.doc .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.B
[NOTE] The file was moved to '48add291.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F08\F08 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '487fd25e.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F08\WinrRarSerialInstall.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b5d298.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F09\F09 .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '4880d261.qua'!
J:\Photos\Full Resolution\2006\05\iPod Photo Cache\F09\NokiaN73Tools.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48b2d2a1.qua'!
J:\Heba\Heba .exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48a9d29d.qua'!
J:\Heba\KasperSky6.0 Key.doc.exe
[DETECTION] Contains detection pattern of the worm WORM/Mabezat.b
[NOTE] The file was moved to '48bad29a.qua'!


End of the scan: Thursday, June 05, 2008 14:49
Used time: 13:50 min

The scan has been done completely.

313 Scanning directories
11055 Files were scanned
172 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
172 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
10883 Files not concerned
28 Archives were scanned
0 Warnings
172 Notes
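The Avira log above shows the naming pattern the worm left on the iPod: in every folder it visited, a copy named after the folder with a space before the extension (F30 .exe, Photos .exe), a second copy with a lure name and a double extension (Office2003 CD-Key.doc.exe, Office2007 Serial.txt.exe), and RAR archives with a Readme.doc .exe member injected. The following Python script is an added example, not code from this thread, from Avira or from any vendor tool. It walks a mounted volume and flags files whose names match that pattern; it reads no file content, so it is a triage aid for a removable drive, not a substitute for the AV scan. The sample tree it builds is constructed, and the lure extensions beyond .doc and .txt are assumptions rather than anything seen in the log.

```python
"""Name-pattern triage for a removable drive, modelled on the Avira log above.

Added example; not code from this thread, from Avira, or from any vendor tool.
It inspects file NAMES only (no content, no signatures), so it is a quick way
to see where a worm like Mabezat has been on a drive, not a replacement for
the antivirus scan. The sample tree is constructed for the demo.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

# Extensions seen in the log in double-extension lures (.doc.exe, .txt.exe),
# plus a few assumed ones (.xls, .pdf, .jpg) that are not in the thread.
LURE_INNER_EXTS = {".doc", ".txt", ".xls", ".pdf", ".jpg"}
ARCHIVE_EXTS = (".rar", ".zip")


def classify(path: Path) -> list[str]:
    """Return the reasons a path looks like a Mabezat artefact ([] if none)."""
    reasons: list[str] = []
    name = path.name
    lower = name.lower()
    if lower.endswith(".exe"):
        stem = name[:-4]
        # Pattern 1 in the log: every visited folder gets "<folder name> .exe",
        # with a single space before the extension (F30\F30 .exe, Photos\Photos .exe).
        if stem == path.parent.name + " ":
            reasons.append("folder-companion executable")
        # Pattern 2: lure name with a document extension followed by .exe
        # (Office2003 CD-Key.doc.exe, Office2007 Serial.txt.exe).
        inner = Path(stem.rstrip()).suffix.lower()
        if inner in LURE_INNER_EXTS:
            reasons.append(f"double extension {inner}.exe")
    elif lower.endswith(ARCHIVE_EXTS):
        # Pattern 3: RAR archives in the log carried an injected
        # "Documents and Settings\MyDocuments\Readme.doc .exe". Listing RAR
        # members needs an unrar tool, so archives are only flagged here.
        reasons.append("archive: check members for 'Readme.doc .exe'")
    return reasons


def triage_volume(root: str | os.PathLike) -> dict[str, list[str]]:
    """Walk root; map each suspicious path (POSIX-style, relative) to its reasons."""
    root = Path(root)
    findings: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            reasons = classify(p)
            if reasons:
                findings[p.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_volume() -> Path:
    """Create a constructed tree that mimics the infected iPod layout (drive J:)."""
    root = Path(tempfile.mkdtemp(prefix="mabezat_demo_"))
    layout = {
        "iPod_Control/Music/F30/F30 .exe": b"MZ",
        "iPod_Control/Music/F30/serials.rar": b"Rar!",
        "iPod_Control/Music/F30/track.m4a": b"\x00\x00",          # benign
        "iPod_Control/Music/F34/F34 .exe": b"MZ",
        "iPod_Control/Music/F34/Office2003 CD-Key.doc.exe": b"MZ",
        "Photos/Photos .exe": b"MZ",
        "Photos/Office2007 Serial.txt.exe": b"MZ",
        "Photos/IMG_0001.jpg": b"\xff\xd8",                       # benign
        "Notes/setup.exe": b"MZ",                                 # plain exe, not flagged
    }
    for rel, data in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


if __name__ == "__main__":
    volume = build_sample_volume()          # replace with e.g. "J:\\" on a real drive
    for rel, why in sorted(triage_volume(volume).items()):
        print(f"{rel}: {', '.join(why)}")
```

Point `triage_volume` at the drive letter of the device instead of the sample tree to run it for real. Because it never opens the files, it is safe to run on a drive you suspect, but a quiet result only means the names do not match; the infected executables Avira found inside the RAR archives would still need an archive-aware scanner.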

#38
RatHat (Ex Malware Expert, 7,829 posts)
Hussam,

A couple of questions:

Is this a fresh installation of Avira, installed after clearing your machine?

My error, I did not tell you to check the My Computer checkbox under Automatic Scan in the Kaspersky Virus Removal Tool, but did you check it?

Regards,
RatHat

#39
Hussam Magdy (Topic Starter, Member, 37 posts)
For the second question, yes :) I checked it and still nothing...
About the first question, yesss, I installed Avira and all the protection after we cleaned the computer and you recommended some software to keep me clean. Everything went nicely until I connected my iPod, and when I scanned it with Avira all those files were moved to quarantine, I guess...

#40
RatHat (Ex Malware Expert, 7,829 posts)
Great! I have a feeling that Avira caught it before it did any damage.

OK, I would like you to re-connect your iPod and run the Kaspersky Virus Removal Tool again, make sure you check My Computer, but this time, go to Settings, and set Security Level to Recommended before running the scan.

When done, and with the iPod still connected, run DSS and post me the logs:

Download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, DSS will open two Notepad files: main.txt and extra.txt
  • Use Save As to save both Notepad files to your Desktop and post them in your next reply.
Note: A copy of these files can be found in your root drive, usually C:\Deckard\System Scanner\

Regards,
RatHat

#41
Hussam Magdy (Topic Starter, Member, 37 posts)
Main.txt

Deckard's System Scanner v20071014.68
Run by Hussamofe on 2008-06-06 11:32:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-06 08:32:35 UTC - RP10 - Deckard's System Scanner Restore Point
1: 2008-06-05 19:31:06 UTC - RP9 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Hussamofe.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:12 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Hussamofe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Hussamofe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVP] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O20 - AppInit_DLLs:
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: setup_7.0.0.180_18.05.2008_22-36 - Kaspersky Lab - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe

--
End of file - 9259 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080531-161012-127 O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
backup-20080531-161012-148 O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
backup-20080531-161012-365 O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
backup-20080531-161012-907 O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys (file missing)
S1 SASKUTIL - c:\program files\superantispyware\saskutil.sys (file missing)
S2 zntport (NTPort Library Driver) - c:\windows\system32\zntport.sys (file missing)
S3 Ad-Watch Connect Filter (Ad-Watch Connect Kernel Filter) - c:\windows\system32\drivers\nsdriver.sys <Not Verified; Lavasoft AB; Ad-Watch Connections>
S3 SASENUM - c:\program files\superantispyware\sasenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 aawservice (Ad-Aware 2007 Service) - "c:\program files\lavasoft\ad-aware 2007\aawservice.exe" <Not Verified; Lavasoft AB; Ad-Aware 2007 Service>
R2 AntiVirScheduler (Avira AntiVir Personal – Free Antivirus Scheduler) - "c:\program files\avira\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; AntiVir Workstation>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_8086&DEV_24D5&SUBSYS_00801462&REV_02\3&13C0B0C5&0&FD
Service:


-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-05 15:20:59 849952 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 07:56:16 0 d-------- C:\Program Files\Bytescout XLS Viewer
2008-06-01 11:17:53 0 d-------- C:\Program Files\Avira
2008-06-01 11:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-01 11:11:48 0 dr-h----- C:\MSOCache
2008-06-01 10:53:12 0 d-------- C:\Program Files\Tall Emu
2008-05-31 22:36:27 0 d-------- C:\Program Files\Innovatools
2008-05-31 22:31:44 0 d-------- C:\WINDOWS\pss
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 20:51:18 0 d-------- C:\Program Files\Sun
2008-05-31 20:40:59 0 d-------- C:\Program Files\iPod
2008-05-31 20:40:46 0 d-------- C:\Program Files\iTunes
2008-05-31 20:39:08 0 d-------- C:\Program Files\QuickTime
2008-05-31 18:43:33 0 d-------- C:\Program Files\Alwil Software
2008-05-31 18:17:13 0 d-------- C:\Program Files\Trillian
2008-05-31 18:04:51 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Comodo
2008-05-31 18:04:47 0 d-------- C:\Program Files\COMODO
2008-05-31 17:58:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 04:13:13 0 d-------- C:\Documents and Settings\Hussamofe\DoctorWeb
2008-05-28 15:44:50 0 d-------- C:\fsaua.data
2008-05-28 07:29:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 07:29:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 07:27:31 0 d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-05-25 07:22:42 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-05-25 07:22:34 0 d-------- C:\WINDOWS\system32\PAV
2008-05-25 07:22:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-23 06:22:14 0 d-------- C:\Program Files\Trend Micro
2008-05-22 13:44:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-22 12:52:13 0 d-------- C:\Program Files\Panda Security
2008-05-22 12:44:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-22 12:44:31 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\SUPERAntiSpyware.com
2008-05-22 12:37:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Malwarebytes
2008-05-22 12:37:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 12:37:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 12:37:27 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 15:59:23 0 d-------- C:\Program Files\MSXML 6.0
2008-05-21 15:58:01 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-20 12:56:16 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-13 03:34:57 283648 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-05-13 03:34:55 0 d-------- C:\Documents and Settings\Hussamofe\WINDOWS
2008-05-13 03:29:04 0 d-------- C:\Program Files\Common Files\eSellerate
2008-05-09 20:35:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-09 20:33:25 0 d-------- C:\Program Files\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-06-05 19:13:11 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Azureus
2008-06-04 15:58:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-04 15:57:03 0 d-------- C:\Program Files\SpeederXP
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files
2008-05-31 20:58:56 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 20:50:51 0 d-------- C:\Program Files\Java
2008-05-31 06:40:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 18:19:09 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\DMCache
2008-05-28 11:11:42 0 d-------- C:\Program Files\Messenger
2008-05-28 11:11:41 0 d-------- C:\Program Files\HP
2008-05-28 07:12:04 0 d-------- C:\Program Files\Windows NT
2008-05-28 07:12:04 0 d-------- C:\Program Files\Movie Maker
2008-05-22 10:58:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\GetRightToGo
2008-05-21 15:59:29 0 d-------- C:\Program Files\Nokia
2008-05-20 12:40:14 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\HP
2008-05-19 17:31:34 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\LimeWire
2008-04-26 17:27:55 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\vlc
2008-04-25 05:04:27 0 d-------- C:\Program Files\VideoLAN
2008-04-18 16:13:52 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Adobe
2008-04-18 12:59:34 0 d-------- C:\Program Files\Azureus
2008-04-05 17:38:30 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 10:52 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 08:58 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"AVP"="C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" [10/12/2007 04:29 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 11:13 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 10:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56be063e-2707-11dd-af39-001109d8d800}]
AutoRun\command- G:\zPharaoh.exe
explore\command- G:\zPharaoh.exe
open\command- G:\zPharaoh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d500e08-ffd8-11dc-aeb8-001109d8d800}]
AutoRun\command- G:\oufddh.exe
explore\Command- G:\oufddh.exe
open\Command- G:\oufddh.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44D9EEEE-BDA5-3DFA-E627-EDCE9309E395}]
C:\Program Files\WindowsUpdate\svchost.exe s



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8554 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-06 11:37:32 ------------

#42
Hussam Magdy (Member, Topic Starter, 37 posts)
Extra.txt

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.40GHz
Percentage of Memory in Use: 58%
Physical Memory (total/avail): 767.48 MiB / 320.71 MiB
Pagefile Memory (total/avail): 1877.7 MiB / 1395.14 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1910.25 MiB

C: is Fixed (NTFS) - 15.8 GiB total, 4.08 GiB free.
D: is Fixed (FAT32) - 29.34 GiB total, 1.07 GiB free.
E: is Fixed (FAT32) - 29.33 GiB total, 4.66 GiB free.
F: is Fixed (NTFS) - 37.26 GiB total, 8.25 GiB free.
I: is CDROM (No Media)
J: is Removable (FAT32)

\\.\PHYSICALDRIVE1 - WDC WD400EB-00CPF0 - 37.27 GiB - 1 partition
\PARTITION0 - Extended w/Extended Int 13 - 37.26 GiB - F:

\\.\PHYSICALDRIVE0 - WDC WD800BB-22JHC0 - 74.53 GiB - 3 partitions
\PARTITION0 (bootable) - Installable File System - 15.8 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 58.72 GiB - D: - E:

\\.\PHYSICALDRIVE2 - Apple iPod USB Device - 55.89 GiB - 1 partition
\PARTITION0 - Unknown - 55.78 GiB - J:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Online Armor Firewall v2.1.0.131 (Tall Emu) Disabled
FW: COMODO Firewall Pro v3.0 (COMODO)
AV: Panda Antivirus 2008 v3.00.00 (Panda Security) Disabled
AV: Avira AntiVir PersonalEdition v8.0.1.18 (Avira GmbH)
AV: avast! antivirus 4.8.1201 [VPS 080531-1] v4.8.1201 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Hussamofe\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HUSSAM
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Hussamofe
LOGONSERVER=\\HUSSAM
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Windows Live\Messenger\;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Panda Security\Panda Antivirus 2008;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
RNLOG_BASEKEY=Software\RealNetworks\RealPlayer\6.0\Preferences\BrowserRecordPluginLog
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\HUSSAM~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HUSSAM~1\LOCALS~1\Temp
USERDOMAIN=HUSSAM
USERNAME=Hussamofe
USERPROFILE=C:\Documents and Settings\Hussamofe
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Hussamofe (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 8.1.2 Professional --> msiexec /I {AC76BA86-1033-F400-7760-000000000003}
Adobe Flash Player 9 ActiveX --> MsiExec.exe /X{685A56F8-75B6-44AD-B3DA-FB0A3266B47C}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Apple Mobile Device Support --> MsiExec.exe /I{44734179-8A79-4DEE-BB08-73037F065543}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
Avira AntiVir Personal – Free Antivirus --> C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
Azureus --> C:\Program Files\Azureus\Uninstall.exe
Bytescout XLS Viewer 2.00 (FREEWARE) --> "C:\Program Files\Bytescout XLS Viewer\unins000.exe"
EES - Engineering Equation Solver - Academic --> C:\EES_AV\UNWISE.EXE C:\EES_AV\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Customer Participation Program 8.0 --> C:\Program Files\HP\Digital Imaging\ExtCapUninstall\hpzscr01.exe -datfile hpqhsc01.dat
HP Deskjet 8.0 Software --> C:\Program Files\HP\Digital Imaging\{58535A90-1788-44f5-80BB-CFF62D9CE6D5}\setup\hpzscr01.exe -datfile hphscr13.dat -showdisconnect -forcereboot
HP Imaging Device Functions 8.0 --> C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photosmart Essential --> MsiExec.exe /X{EB21A812-671B-4D08-B974-2A347F0D8F70}
HP Product Detection --> MsiExec.exe /X{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}
HP Solution Center 8.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update --> MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HPSSupply --> MsiExec.exe /X{EB75DE50-5754-4F6F-875D-126EDF8E4CB3}
Innovatools Add/Remove Plus! 2006 version 5.1 --> "C:\Program Files\Innovatools\Add Remove Plus! 2006\unins000.exe"
iTunes --> MsiExec.exe /I{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}
Java DB 10.3.1.4 --> MsiExec.exe /X{CD49361E-3FE6-457E-90A1-9C59E29B5D02}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ SE Development Kit 6 Update 6 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160060}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007 --> MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser --> MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Munga Bunga's HTTP Brute Forcer 1.0.2 Build 2 --> C:\Program Files\Munga Bunga's HTTP Brute Forcer\Setup\Setup.exe /u
Nokia Connectivity Cable Driver --> MsiExec.exe /X{4F1DCA42-2030-437C-A94E-736692A499C1}
Nokia Flashing Cable Driver --> MsiExec.exe /X{A4E0CA0F-1903-440A-9B98-FEA6CB049999}
Nokia Software Updater --> MsiExec.exe /X{5D19E730-D3C6-47F4-AE4B-DCB26EC2D905}
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
QuickTime --> MsiExec.exe /I{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SLD Codec Pack --> C:\Program Files\SLD Codec Pack\uninstall.exe
SpeederXP 1.60 --> "C:\Program Files\SpeederXP\unins000.exe"
System Requirements Lab --> C:\Program Files\SystemRequirementsLab\Uninstall.exe
Trillian --> C:\Program Files\Trillian\trillian.exe /uninstall
Update for Outlook 2007 Junk Email Filter (kb943597) --> msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {A751F0DB-8476-4207-956E-20AEBBA4B1DA}
VideoLAN VLC media player 0.8.1 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type9466 / Success
Event Submitted/Written: 06/06/2008 10:02:45 AM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type9460 / Error
Event Submitted/Written: 06/06/2008 09:45:06 AM
Event ID/Source: 4001 / Sentinel
Event Description:
Unexpected failure during Anti-virus On-Access Scan Engine initialization. The AvRtlInitializeAnalyzer
API failed unrecoverably (Error Status was -1).

This may be because a needed image file is missing
or corrupt.
The Panda Anti-virus Service failed to initialize properly.

Event Record #/Type9446 / Warning
Event Submitted/Written: 06/05/2008 02:29:45 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/Mabezat.bJ:\iPod_Control\Music\InstallMSN11En.exe

Event Record #/Type9445 / Warning
Event Submitted/Written: 06/05/2008 02:29:44 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/Mabezat.bJ:\iPod_Control\Music\Music .exe

Event Record #/Type9444 / Warning
Event Submitted/Written: 06/05/2008 02:29:43 PM
Event ID/Source: 4113 / Avira AntiVir
Event Description:
WORM/Mabezat.bJ:\iPod_Control\Device\Accessories\Crack_GoogleEarthPro.exe



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type819 / Warning
Event Submitted/Written: 06/06/2008 10:21:12 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type797 / Error
Event Submitted/Written: 06/06/2008 09:45:42 AM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
SASDIFSV
SASKUTIL

Event Record #/Type796 / Error
Event Submitted/Written: 06/06/2008 09:45:28 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The NTPort Library Driver service failed to start due to the following error:
%%2

Event Record #/Type795 / Error
Event Submitted/Written: 06/06/2008 09:45:28 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Panda anti-virus service service terminated with the following error:
%%3221225473

Event Record #/Type793 / Error
Event Submitted/Written: 06/06/2008 09:45:07 AM
Event ID/Source: 1002 / Dhcp
Event Description:
The IP address lease 192.168.2.2 for the Network Card with network address 001109D8D800 has been
denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).



-- End of Deckard's System Scanner: finished at 2008-06-06 11:37:32 ------------

#43
RatHat (Ex Malware Expert, 7,829 posts)
Hussam,

Uninstall the following programs:

Azureus
Java DB 10.3.1.4
Java™ 6 Update 3
LimeWire 4.16.6
Munga Bunga's HTTP Brute Forcer 1.0.2 Build 2
Online Armor Firewall v2.1.0.131

  • Go to Start then Settings, then Control Panel
  • Choose Add or Remove Programs
  • Remove all of the above
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


I need you to run a small registry script to clean up some entries. Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= -

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\LimeWire\\LimeWire.exe"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56be063e-2707-11dd-af39-001109d8d800}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d500e08-ffd8-11dc-aeb8-001109d8d800}]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone and iPod. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.


Post me a fresh DSS log, and let me know how your machine is doing when you have completed all the above.

Regards,
RatHat
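The MountPoints2 AutoRun handlers, the Desktop-hosted Run entry and the svchost.exe under C:\Program Files\WindowsUpdate in the Registry Dump above are the kinds of entries the FixReg.reg script in this post removes. As an added example (not part of the thread, of DSS, of HijackThis or of RatHat's fix), the script below parses a DSS Registry Dump and flags those three classes of entries with heuristics of its own; the sample dump is constructed from the log lines posted above and the rule names are this example's own.

```python
"""Triage the 'Registry Dump' section of a Deckard's System Scanner (DSS)
main.txt.  Added example for this thread; it is not part of DSS, HijackThis or
RatHat's FixReg.reg.  Rule names and the sample dump (constructed from the
log lines posted above) are this example's own."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule key value")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")                     # [HKEY_...]
# DSS prints MountPoints2 shell handlers as 'AutoRun\command- G:\file.exe'
HANDLER_RE = re.compile(r"^(?:AutoRun|open|explore)\\command-\s*(?P<cmd>.+?)\s*$", re.I)
RUNVAL_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')    # "name"="cmd" [date]
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.I)               # any drive-letter .exe path
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.I)       # .exe directly in a drive root

# Names that belong in %SystemRoot%\system32; the same name elsewhere is a
# classic masquerade (compare the Active Setup svchost.exe entry in the log).
SYSTEM32_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                     "services.exe", "smss.exe", "spoolsv.exe"}
# Path fragments meaning 'a limited user could have written this file'
USER_WRITABLE_MARKERS = ("\\desktop\\", "\\application data\\",
                         "\\local settings\\", "\\temp\\")


def triage_dump(text):
    """Return a de-duplicated list of Finding(rule, key, value) for the dump."""
    findings, seen = [], set()

    def report(rule, key, value):
        item = Finding(rule, key, value)
        if item not in seen:
            seen.add(item)
            findings.append(item)

    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        lkey = key.lower()

        # Rule 1: per-volume AutoRun/open/explore handler pointing at an .exe in
        # a drive root - the hook an infected removable drive uses to get its
        # payload started when the drive is opened in Explorer.
        if "mountpoints2" in lkey:
            m = HANDLER_RE.match(line)
            if m and ROOT_EXE_RE.match(m.group("cmd")):
                report("autorun-handler", key, m.group("cmd"))
            continue

        # Rule 2: a Run entry whose target lives where a limited user can write
        if lkey.endswith("\\run"):
            m = RUNVAL_RE.match(line)
            if m and any(tag in m.group("cmd").lower() for tag in USER_WRITABLE_MARKERS):
                report("run-from-user-writable", key, m.group("cmd"))

        # Rule 3: a core Windows binary name outside %SystemRoot%\system32
        for path in EXE_RE.findall(line):
            folder, _, name = path.lower().rpartition("\\")
            if name in SYSTEM32_BINARIES and not folder.endswith("\\system32"):
                report("system-binary-outside-system32", key, path)
    return findings


# Constructed sample: a cut-down copy of the Registry Dump posted in this thread.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AVP"="C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" [10/12/2007 04:29 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{56be063e-2707-11dd-af39-001109d8d800}]
AutoRun\command- G:\zPharaoh.exe
explore\command- G:\zPharaoh.exe
open\command- G:\zPharaoh.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d500e08-ffd8-11dc-aeb8-001109d8d800}]
AutoRun\command- G:\oufddh.exe
explore\Command- G:\oufddh.exe
open\Command- G:\oufddh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44D9EEEE-BDA5-3DFA-E627-EDCE9309E395}]
C:\Program Files\WindowsUpdate\svchost.exe s
"""

if __name__ == "__main__":
    for f in triage_dump(SAMPLE_DUMP):
        print(f"{f.rule:32} {f.value}\n    under {f.key}")
```

Run against a full main.txt, it reports each MountPoints2 key once even though DSS prints three handler lines per key, so the output maps directly onto the `[-HKEY_CURRENT_USER\...\mountpoints2\{...}]` deletions in a fix script like the one above.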

#44
Hussam Magdy (Member, Topic Starter, 37 posts)
Deckard's System Scanner v20071014.68
Run by Hussamofe on 2008-06-06 13:31:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Hussamofe.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:40 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Hussamofe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HUSSAM~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [AVP] "C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: setup_7.0.0.180_18.05.2008_22-36 - Kaspersky Lab - C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe

--
End of file - 9089 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 13:26:20 0 drahs---- C:\autorun.inf
2008-06-05 15:20:59 997408 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-04 07:56:16 0 d-------- C:\Program Files\Bytescout XLS Viewer
2008-06-01 11:17:53 0 d-------- C:\Program Files\Avira
2008-06-01 11:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-01 11:11:48 0 dr-h----- C:\MSOCache
2008-06-01 10:53:12 0 d-------- C:\Program Files\Tall Emu
2008-05-31 22:36:27 0 d-------- C:\Program Files\Innovatools
2008-05-31 22:31:44 0 d-------- C:\WINDOWS\pss
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 20:40:59 0 d-------- C:\Program Files\iPod
2008-05-31 20:40:46 0 d-------- C:\Program Files\iTunes
2008-05-31 20:39:08 0 d-------- C:\Program Files\QuickTime
2008-05-31 18:43:33 0 d-------- C:\Program Files\Alwil Software
2008-05-31 18:17:13 0 d-------- C:\Program Files\Trillian
2008-05-31 18:04:51 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Comodo
2008-05-31 17:58:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 04:13:13 0 d-------- C:\Documents and Settings\Hussamofe\DoctorWeb
2008-05-28 15:44:50 0 d-------- C:\fsaua.data
2008-05-28 07:29:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 07:29:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 07:27:31 0 d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-05-25 07:22:42 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2008-05-25 07:22:34 0 d-------- C:\WINDOWS\system32\PAV
2008-05-25 07:22:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-23 06:22:14 0 d-------- C:\Program Files\Trend Micro
2008-05-22 13:44:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-22 12:52:13 0 d-------- C:\Program Files\Panda Security
2008-05-22 12:44:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-22 12:44:31 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\SUPERAntiSpyware.com
2008-05-22 12:37:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Malwarebytes
2008-05-22 12:37:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 12:37:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 12:37:27 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 15:59:23 0 d-------- C:\Program Files\MSXML 6.0
2008-05-21 15:58:01 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-20 12:56:16 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-13 03:34:57 283648 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-05-13 03:34:55 0 d-------- C:\Documents and Settings\Hussamofe\WINDOWS
2008-05-13 03:29:04 0 d-------- C:\Program Files\Common Files\eSellerate
2008-05-09 20:35:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-09 20:33:25 0 d-------- C:\Program Files\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-06-06 12:42:26 0 d-------- C:\Program Files\Azureus
2008-06-05 19:13:11 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Azureus
2008-06-04 15:58:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-04 15:57:03 0 d-------- C:\Program Files\SpeederXP
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files
2008-05-31 20:58:56 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 20:50:51 0 d-------- C:\Program Files\Java
2008-05-31 06:40:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 18:19:09 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\DMCache
2008-05-28 11:11:42 0 d-------- C:\Program Files\Messenger
2008-05-28 11:11:41 0 d-------- C:\Program Files\HP
2008-05-28 07:12:04 0 d-------- C:\Program Files\Windows NT
2008-05-28 07:12:04 0 d-------- C:\Program Files\Movie Maker
2008-05-22 10:58:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\GetRightToGo
2008-05-21 15:59:29 0 d-------- C:\Program Files\Nokia
2008-05-20 12:40:14 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\HP
2008-05-19 17:31:34 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\LimeWire
2008-04-26 17:27:55 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\vlc
2008-04-25 05:04:27 0 d-------- C:\Program Files\VideoLAN
2008-04-18 16:13:52 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Adobe
2008-04-05 17:38:30 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 10:52 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 08:58 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"AVP"="C:\Documents and Settings\All Users\Desktop\Kaspersky Lab Tool\setup_7.0.0.180_18.05.2008_22-36.exe" [10/12/2007 04:29 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 11:13 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 10:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44D9EEEE-BDA5-3DFA-E627-EDCE9309E395}]
C:\Program Files\WindowsUpdate\svchost.exe s



-- End of Deckard's System Scanner: finished at 2008-06-06 13:32:43 ------------



Only main.txt ... there's no extra.txt this time :S

About Online Armor, I uninstalled it a while ago because the computer was so slow, but somehow there are still traces of it and Comodo Firewall and Panda Security, all uninstalled but still there ... Can't find them in Add/Remove Programs
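A defender's triage pass over lines from the log above, added here as an example (it is not a tool from this thread or part of Deckard's System Scanner): it decodes the d/r/a/h/s attribute flags so that a hidden+system autorun.inf at a drive root is reported as either a protective folder (the placeholder tools such as Flash_Disinfector leave) or a file worth inspecting, and it flags a core Windows binary name launched from outside system32 so the file can be verified, which is what a helper would do with the Active Setup entry pointing at C:\Program Files\WindowsUpdate\svchost.exe. SAMPLE_LOG is built from the posted lines plus one constructed E:\autorun.inf line; SYSTEM_NAMES is a short assumed list, and a hit is a prompt to check the file, not a verdict.

```python
import re

# Lines taken from the Deckard's System Scanner log posted above, plus one
# CONSTRUCTED line (E:\autorun.inf) to show the file case; the rest is verbatim.
SAMPLE_LOG = """\
2008-06-06 13:26:20 0 drahs---- C:\\autorun.inf
2008-06-05 15:20:59 997408 --ahs---- C:\\WINDOWS\\system32\\drivers\\fidbox.dat
2008-06-04 15:58:02 0 d--h----- C:\\Program Files\\WindowsUpdate
2008-06-06 13:00:00 62 --ahs---- E:\\autorun.inf
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [08/04/2004 02:56 AM]
C:\\Program Files\\WindowsUpdate\\svchost.exe s
"""

# Binaries that legitimately run only from %SystemRoot%\system32 (short list, an assumption).
SYSTEM_NAMES = {"svchost.exe", "ctfmon.exe", "lsass.exe", "services.exe"}

# DSS attribute string: positions 1-5 are d(irectory) r(ead-only) a(rchive)
# h(idden) s(ystem); the remaining positions are not interpreted here.
FILE_LINE = re.compile(r"^\S+ \S+ \d+ ([drahs-]{5})\S* (.+)$")
ROOT_AUTORUN = re.compile(r"[A-Za-z]:\\autorun\.inf", re.IGNORECASE)
EXE_PATH = re.compile(r"([A-Za-z]:\\[^\"\[\]]*?\.exe)", re.IGNORECASE)

def triage(log_text):
    """Return (finding, path) pairs that deserve a manual look; a hit is not a verdict."""
    findings = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.groups()
            if ROOT_AUTORUN.fullmatch(path) and "h" in attrs and "s" in attrs:
                if attrs[0] == "d":
                    # A hidden+system *folder* named autorun.inf is the placeholder
                    # tools such as Flash_Disinfector create to block autorun worms.
                    findings.append(("root autorun.inf is a protective folder", path))
                else:
                    # A hidden+system *file* is what an autorun worm drops: inspect it.
                    findings.append(("root autorun.inf is a file: inspect contents", path))
        for exe in EXE_PATH.findall(line):
            name = exe.rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_NAMES and not exe.lower().startswith("c:\\windows\\system32\\"):
                # Same name as a core Windows binary, but launched from elsewhere:
                # verify the file (hash, signature) before trusting the entry.
                findings.append(("system binary name outside system32", exe))
    return findings

if __name__ == "__main__":
    for what, path in triage(SAMPLE_LOG):
        print(f"{what}: {path}")
```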

#45
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
OK, your log looks clean, but there are a few things to tidy up.

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Check the box that says Scan All User Accounts
  • Check the box that says Include MD5
  • Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 60 Days
  • Check the Radio button under Drivers for Non Microsoft
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.

Please zip the log and attach the zipped file in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post
And let me know if you have had any more warnings or problems with the computer.

Regards,
RatHat