W32/Mabezat.B.worm shredding my PC apart [RESOLVED]


#46
Hussam Magdy (Member, Topic Starter, 37 posts)

Attached File: OTScanIt.Txt (167.71KB)

I was just wondering how I could completely remove Panda and Comodo and Online Armor ... and what about Azureus, can I install it again?!!

#47
RatHat (Ex Malware Expert, 7,829 posts)

Hussam,


Start OTScanIt.exe. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Processes - Non-Microsoft Only]
YY -> psctrls.exe -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
YY -> psimsvc.exe -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\PsImSvc.exe
[Win32 Services - Non-Microsoft Only]
YY -> (Panda Software Controller) Panda Software Controller [Win32_Own | Auto | Running] -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\PsCtrlS.exe
YY -> (PAVSRV) Panda anti-virus service [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\PAVSRV51.EXE
YY -> (PSIMSVC) Panda IManager Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\PsImSvc.exe
[Driver Services - Non-Microsoft Only]
YY -> (pavdrv) pavdrv [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\pavdrv51.sys
NY -> (SASDIFSV) SASDIFSV [Kernel | System | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASDIFSV.SYS
NY -> (SASENUM) SASENUM [Kernel | On_Demand | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASENUM.SYS
NY -> (SASKUTIL) SASKUTIL [Kernel | System | Stopped] -> %ProgramFiles%\SUPERAntiSpyware\SASKUTIL.sys
[Registry - Non-Microsoft Only]
< Drives - Autoruns > -> 
NY -> autorun.inf [] -> D:\autorun.inf [ FAT32 ]
NY -> autorun.inf [] -> E:\autorun.inf [ FAT32 ]
NY -> autorun.inf [] -> F:\autorun.inf [ NTFS ]
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
NY -> Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000003 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000004 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000005 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000006 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000007 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000008 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000009 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000010 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000011 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000012 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000013 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000014 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
NY -> Protocol_Catalog9\Catalog_Entries\000000000015 -> %ProgramFiles%\Panda Security\Panda Antivirus 2008\pavlsp.dll
[Files/Folders - Created Within 90 days]
NY -> pavdrv51.sys -> %SystemRoot%\System32\drivers\pavdrv51.sys
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> PAV -> %SystemRoot%\System32\PAV
NY -> pavcpl.cpl -> %SystemRoot%\System32\pavcpl.cpl
NY -> PavCPL.dat -> %SystemRoot%\System32\PavCPL.dat
[Files/Folders - Modified Within 60 days]
NY -> 14 C:\Documents and Settings\Hussamofe\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Hussamofe\Local Settings\Temp\*.tmp
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanIt scan. This time though, under Additional Scans check the following:
  • Reg - App Paths
  • Reg - Approved Shell Extensions
  • Reg - Disabled MS Config Items
  • Reg - File Associations
  • Reg - MountPoints2
  • Reg - NeverShowExt Settings
  • Reg - Security Settings
  • Reg - Session Manager Settings
  • Reg - Shell Spawning
  • Reg - Software Policy Settings
  • Reg - Uninstall List

Let me know of any problems you encountered performing the steps above.


Regards,
RatHat
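The fix above deletes autorun.inf from the roots of D:, E: and F:. An autorun.inf on a drive root is how this family of worms gets launched when the drive is opened, so it is worth seeing what such a file would run before it is deleted. The script below is an added example, not part of the post and not OTScanIt's own code: it parses an autorun.inf, lists every directive that starts a program, checks whether the referenced file exists under the drive root, and flags the "custom icon plus open handler" disguise. The sample autorun.inf and the fake drive root it is written to are constructed for the demo; nothing is taken from the infected machine.

```python
"""Added example, not from the thread or from OTScanIt: inspect autorun.inf
files on drive roots and report what they would launch.

The sample autorun.inf below is constructed for this demo; the directive
names ([autorun], open, shellexecute, shell\\<verb>\\command, icon) are the
ones Windows AutoRun honours."""
import os
import tempfile
from typing import Dict, List, Optional


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercase key -> value dict.

    Hand-rolled rather than configparser because worm-written files often
    contain junk lines that make configparser raise."""
    section = None
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Commands an [autorun] section can start.

    'open' and 'shellexecute' run on insertion when AutoPlay is enabled;
    shell\\<verb>\\command runs when the user double-clicks the drive or
    picks the verb from the context menu."""
    return [
        value
        for key, value in entries.items()
        if key in ("open", "shellexecute")
        or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def executable_of(command: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def inspect_drive_root(root: str) -> Optional[dict]:
    """Describe <root>/autorun.inf, or return None when the drive has none."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", errors="replace") as fh:
        entries = parse_autorun(fh.read())
    targets = launch_targets(entries)
    # Targets are relative to the drive root; normalise Windows separators so
    # the existence check also works when the drive is mounted elsewhere.
    missing = [
        t for t in targets
        if not os.path.exists(os.path.join(root, executable_of(t).replace("\\", os.sep)))
    ]
    return {
        "path": path,
        "targets": targets,
        "targets_missing": missing,
        # An 'open' handler plus a custom drive icon is the usual trick for
        # making the drive look like a harmless folder that runs the worm
        # when double-clicked.
        "folder_disguise": "open" in entries and "icon" in entries,
        "suspicious": bool(targets),
    }


# Constructed sample in the layout worms use: every entry point runs the same
# dropped executable and the icon hides that the drive is "opened" by a program.
SAMPLE_AUTORUN = """; constructed sample, not a file from the infected machine
[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=Open
shell\\open\\Command=RECYCLER\\setup.exe
shell\\explore\\Command=RECYCLER\\setup.exe
useautoplay=1
"""


def demo() -> dict:
    """Build a throw-away 'drive root' containing the sample and inspect it."""
    root = tempfile.mkdtemp(prefix="fakedrive_")
    os.makedirs(os.path.join(root, "RECYCLER"))
    with open(os.path.join(root, "RECYCLER", "setup.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real executable
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return inspect_drive_root(root)


if __name__ == "__main__":
    for item in sorted(demo().items()):
        print("%-16s %s" % item)
```

Deleting autorun.inf only removes the trigger; the executable it points to (the "targets" list) still has to be removed from the drive as well, which is why the fix above also handles the files themselves.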

#48
Hussam Magdy (Member, Topic Starter, 37 posts)

We messed with a wrong part here, I guess, RatHat. Here's a list of problems I discovered:
First, MSN Messenger told me something critical changed and it needed a restart, but it opened again. I can't try it though, because I don't have an internet connection; it has been saying "acquiring network address" for an hour now. Yahoo Messenger gives me an initialization error because it can't initialize a required network component, and it doesn't open. Please, a quick help, because I'm online from my Archos.

#49
RatHat (Ex Malware Expert, 7,829 posts)

Hussam,

Please copy the entire contents of the codebox below into Notepad:
  • Open Notepad
  • Copy the contents of the codebox below using CTRL C

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
  • Now return to Notepad and use CTRL V to paste the script
  • Verify that you have pasted the complete script
  • Save the Notepad file to your Desktop as FixReg.reg using Save as Type: All files
  • Locate FixReg.reg on your desktop
  • Double click to run, and when prompted Allow the file to merge with your registry
  • OK your way out.

After that, Reboot your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


After the reboot, we will reinstall TCP/IP
  • Go to Start, then Settings, and choose Network Connections
  • Right click on your normal connection icon, and choose Properties
  • Click the Install button
  • Choose Protocol then click Add
  • Click Have disk
  • In the drop down box, type in: C:\WINDOWS\INF and click OK
  • In the next dialog, click Internet Protocol (TCP/IP) then click OK
  • Click Close to leave the properties box
After that, Reboot your computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


After reboot you should be able to access the internet again. Please run OTScanIt again as outlined in my last post, and attach the results in your next reply.

Regards,
RatHat
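The steps above throw away the Winsock and WinSock2 keys and reinstall TCP/IP because the Protocol_Catalog9 entries from the earlier OTScanIt fix still pointed at a Layered Service Provider DLL (pavlsp.dll) that was no longer on disk. Every program that opens a socket loads the LSPs in that catalog, so one dangling entry is enough to produce exactly the "cannot initialize a required network component" symptom reported in the previous post. The script below is an added example, not part of this post and not OTScanIt's own code: it reads OTScanIt-style catalog lines, expands the %ProgramFiles%/%SystemRoot% tokens, groups entries by provider DLL and reports the providers that are missing. The log lines are modelled on the OTScanIt output earlier in the thread and the list of files "on disk" is constructed, so the check runs offline against a log from another machine.

```python
"""Added example, not from the thread or from OTScanIt: find Winsock2 catalog
entries whose provider DLL is no longer on disk.

Every Winsock application loads the Layered Service Provider (LSP) DLLs listed
under Protocol_Catalog9. If a DLL is deleted while its catalog entries stay
behind, socket setup fails in every network client. The log lines below are
modelled on the OTScanIt output in this thread; the list of files "present on
disk" is constructed so the check runs offline."""
import re
from typing import Dict, Iterable

# OTScanIt prints one line per catalog entry: <flags> -> <key> -> <provider path>.
CATALOG_RE = re.compile(
    r"^(?P<flags>[YN]{2}) -> Protocol_Catalog9\\Catalog_Entries\\(?P<idx>\d+) -> (?P<path>.+?)\s*$"
)


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %VAR% tokens from an explicit map, not os.environ, so a log from
    another machine can be checked with that machine's paths."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def check_catalog(log_lines: Iterable[str], files_on_disk: Iterable[str],
                  env: Dict[str, str]) -> dict:
    """Group catalog entries by provider DLL and flag DLLs that are missing."""
    present = {p.lower() for p in files_on_disk}  # NTFS paths are case-insensitive
    providers: Dict[str, dict] = {}
    for line in log_lines:
        m = CATALOG_RE.match(line.strip())
        if not m:
            continue
        full = expand(m.group("path"), env)
        rec = providers.setdefault(
            full.lower(), {"path": full, "entries": [], "present": full.lower() in present}
        )
        rec["entries"].append(int(m.group("idx")))
    dangling = [r for r in providers.values() if not r["present"]]
    return {
        "providers": list(providers.values()),
        "dangling": dangling,
        # One dangling provider breaks every socket-using program, so the whole
        # catalog has to be rebuilt rather than a single entry edited.
        "needs_winsock_reset": bool(dangling),
    }


# Constructed sample modelled on the OTScanIt lines in this thread, with one
# built-in provider added for contrast.
SAMPLE_LOG = """\
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinSock2\\Parameters\\
NY -> Protocol_Catalog9\\Catalog_Entries\\000000000001 -> %ProgramFiles%\\Panda Security\\Panda Antivirus 2008\\pavlsp.dll
NY -> Protocol_Catalog9\\Catalog_Entries\\000000000002 -> %ProgramFiles%\\Panda Security\\Panda Antivirus 2008\\pavlsp.dll
NY -> Protocol_Catalog9\\Catalog_Entries\\000000000003 -> %SystemRoot%\\system32\\mswsock.dll
"""

# Constructed disk state after pavlsp.dll was deleted but before the catalog
# was rebuilt: only the built-in provider is still there.
FILES_ON_DISK = [r"C:\WINDOWS\system32\mswsock.dll"]
ENV = {"ProgramFiles": r"C:\Program Files", "SystemRoot": r"C:\WINDOWS"}


def demo() -> dict:
    return check_catalog(SAMPLE_LOG.splitlines(), FILES_ON_DISK, ENV)


if __name__ == "__main__":
    result = demo()
    for rec in result["providers"]:
        state = "ok" if rec["present"] else "MISSING"
        print("%-8s entries %s -> %s" % (state, rec["entries"], rec["path"]))
    if result["needs_winsock_reset"]:
        print("dangling LSP entries: rebuild the Winsock catalog")
```

On the live machine you would feed real os.path.exists results in place of FILES_ON_DISK. Windows XP SP2 and later also ship `netsh winsock reset`, which rebuilds the catalog without hand-deleting the keys; in a guided cleanup like this one, though, stick to the helper's steps so the follow-up logs stay comparable.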

#50
Hussam Magdy (Member, Topic Starter, 37 posts)

OK, I'm back on my PC ... sorry for the late reply, I had an exam today ...
Btw, when trying to start my computer without internet, I just got my background and no start menu, NOTHING ... when I opened Task Manager ("shift+ctrl+del") I found like 5 svchost applications and a few other processes, and it didn't do anything else. I tried running the explorer task, nothing happened. When I tried to restart it told me that explorer.exe was not responding and I needed to end the task, and so I did and restarted in Safe Mode, which worked fine, and applied the registry there .... then restarted back to normal mode, which worked fine, and reinstalled TCP/IP ... that was a brief description of what happened :)

So what were we doing in the first place?? :)

#51
RatHat (Ex Malware Expert, 7,829 posts)

We were removing Panda, which had taken over some Winsock keys.

Could you post me the new OTScanIt log?

Regards,
RatHat

#52
Hussam Magdy (Member, Topic Starter, 37 posts)

Attached File: OTScanIt.zip (34.87KB)

Oh sorry, I didn't notice you requested it ...

#53
RatHat (Ex Malware Expert, 7,829 posts)

OK, let's uninstall the Kaspersky Virus Removal Tool:
  • Open the tool.
  • Click Settings (it will change to underlined when you mouse over it)
  • Under Options, Uncheck Enable Self Defense
  • Click Apply, then OK. Close the tool
  • Now open the Kaspersky Lab Tool folder
  • Locate the uninstall file: unins000.exe
  • Double click the uninstall file to run it
  • Click Yes, then Yes to the Reboot.
The Tool will now be uninstalled.

Post me a final DSS log, and let me know how the machine and iPod are running now.

Regards,
RatHat

#54
Hussam Magdy (Member, Topic Starter, 37 posts)

Deckard's System Scanner v20071014.68
Run by Hussamofe on 2008-06-09 00:22:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Hussamofe.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:19 AM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20696)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Hussamofe\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\HUSSAM~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.h...ctDetection.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8195 bytes

-- Files created between 2008-05-09 and 2008-06-09 -----------------------------

2008-06-06 13:26:20 0 drahs---- C:\autorun.inf
2008-06-05 15:20:59 1167392 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-01 11:17:53 0 d-------- C:\Program Files\Avira
2008-06-01 11:17:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-01 11:11:48 0 dr-h----- C:\MSOCache
2008-06-01 10:53:12 0 d-------- C:\Program Files\Tall Emu
2008-05-31 22:31:44 0 d-------- C:\WINDOWS\pss
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files\xing shared
2008-05-31 20:40:59 0 d-------- C:\Program Files\iPod
2008-05-31 20:40:46 0 d-------- C:\Program Files\iTunes
2008-05-31 20:39:08 0 d-------- C:\Program Files\QuickTime
2008-05-31 18:43:33 0 d-------- C:\Program Files\Alwil Software
2008-05-31 18:17:13 0 d-------- C:\Program Files\Trillian
2008-05-31 18:04:51 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Comodo
2008-05-31 17:58:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 04:13:13 0 d-------- C:\Documents and Settings\Hussamofe\DoctorWeb
2008-05-28 15:44:50 0 d-------- C:\fsaua.data
2008-05-28 07:29:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-28 07:29:27 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-25 07:27:31 0 d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2008-05-25 07:22:19 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-23 06:22:14 0 d-------- C:\Program Files\Trend Micro
2008-05-22 13:44:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-22 12:52:13 0 d-------- C:\Program Files\Panda Security
2008-05-22 12:44:48 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-22 12:44:31 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\SUPERAntiSpyware.com
2008-05-22 12:37:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Malwarebytes
2008-05-22 12:37:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 12:37:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 12:37:27 0 d-------- C:\Program Files\Common Files\Download Manager
2008-05-21 15:59:23 0 d-------- C:\Program Files\MSXML 6.0
2008-05-21 15:58:01 0 d-------- C:\Program Files\Common Files\Nokia
2008-05-20 12:56:16 0 d-------- C:\WINDOWS\Downloaded Installations
2008-05-13 03:34:57 283648 --a------ C:\WINDOWS\uninst.exe <Not Verified; Stirling Technologies, Inc.; InstallShield Deinstaller>
2008-05-13 03:34:55 0 d-------- C:\Documents and Settings\Hussamofe\WINDOWS
2008-05-13 03:29:04 0 d-------- C:\Program Files\Common Files\eSellerate
2008-05-09 20:35:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-09 20:33:25 0 d-------- C:\Program Files\Yahoo!


-- Find3M Report ---------------------------------------------------------------

2008-06-06 12:42:26 0 d-------- C:\Program Files\Azureus
2008-06-05 19:13:11 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Azureus
2008-06-04 15:58:02 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-04 15:57:03 0 d-------- C:\Program Files\SpeederXP
2008-05-31 20:59:09 0 d-------- C:\Program Files\Common Files
2008-05-31 20:58:56 0 d-------- C:\Program Files\Common Files\Real
2008-05-31 20:50:51 0 d-------- C:\Program Files\Java
2008-05-31 06:40:02 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-30 18:19:09 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\DMCache
2008-05-28 11:11:42 0 d-------- C:\Program Files\Messenger
2008-05-28 11:11:41 0 d-------- C:\Program Files\HP
2008-05-28 07:12:04 0 d-------- C:\Program Files\Windows NT
2008-05-28 07:12:04 0 d-------- C:\Program Files\Movie Maker
2008-05-22 10:58:43 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\GetRightToGo
2008-05-21 15:59:29 0 d-------- C:\Program Files\Nokia
2008-05-20 12:40:14 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\HP
2008-05-19 17:31:34 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\LimeWire
2008-04-26 17:27:55 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\vlc
2008-04-25 05:04:27 0 d-------- C:\Program Files\VideoLAN
2008-04-18 16:13:52 0 d-------- C:\Documents and Settings\Hussamofe\Application Data\Adobe
2008-04-05 17:38:30 0 --a------ C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [12/10/2006 10:52 PM]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [01/11/2008 08:54 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [10/22/2006 12:22 PM]
"nwiz"="nwiz.exe" [10/22/2006 12:22 PM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [10/22/2006 12:22 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05/31/2008 08:58 PM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [12/19/2007 11:13 PM]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [08/30/2007 05:43 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [1/2/2007 10:40:10 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 02/15/2007 08:02 PM 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt hpqcxs08 hpqddsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44D9EEEE-BDA5-3DFA-E627-EDCE9309E395}]
C:\Program Files\WindowsUpdate\svchost.exe s



-- End of Deckard's System Scanner: finished at 2008-06-09 00:22:49 ------------




Everything seems fine now, RatHat ... how about this log?!! Can I re-install Azureus, or do you suggest something else?!!

#55
RatHat (Ex Malware Expert, 7,829 posts)

Hussam,

Your log is clean, so you are good to go. I would not advise reinstalling Azureus or any other P2P program, as this is the most likely cause of infection. The malware writers love these programs as they can attach all sorts of nasties to seemingly innocent files. Once downloaded, the malware can then use the P2P programs as a conduit to download additional nasties.

However, the choice is yours.

Now click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Next, set a clean restore point:

Turn OFF System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

I will keep this log open for the next couple of days, so if you have any further problems post another reply here.

OK, all the best, and stay safe!

Best regards,
RatHat

#56
RatHat (Ex Malware Expert, 7,829 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





