Rats,trojans and .......

 
nightcrawler


 
Joined: 02 May 2009
Posts: 34

PostPosted: Sat Oct 31, 2009 3:02 am    Post subject: Rats,trojans and .......

Hi,
I was away on holiday and this PC was used by my friends. He had installed all types of RATs, keyloggers, crypters etc.
I took help from shadowputerdude and after some cleaning he declared my PC clean. But my friend still controls my PC. He can even open my CD-ROM or delete anything from my PC :S. Please help.
Paddy

Malware Response Team

Joined: 07 Apr 2005
Posts: 104
Location: Ireland

PostPosted: Sat Oct 31, 2009 12:59 pm    Post subject:

Start here: http://www.freedomlist.com/forum/viewtopic.php?t=33557

Follow the instructions there and post the logs.


Paddy..
_________________
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)
Corrine

Administrator
 
Joined: 18 Jan 2001
Posts: 12721
Location: Upstate, NY

PostPosted: Sat Oct 31, 2009 13:53 pm    Post subject:

If you were still having the problems on October 20, why didn't you tell shadowputerdude?  http://www.malwareteks.com/e107_plugins/fo...c.php?1879 
_________________
Freedomlist.com (2000 - 2010)



Take a walk through my Security Garden
nightcrawler


 
Joined: 02 May 2009
Posts: 34

PostPosted: Sun Nov 01, 2009 0:12 am    Post subject:

Hi,
Well, after 20 October I thought my PC was fine. But from 26 October my PC was again being controlled :S. So I thought of starting a new topic, and this time in a new forum.

RSS LOG

LOG

Logfile of random's system information tool 1.06 (written by random/random)
Run by Hassaan at 2009-11-01 11:02:59
Microsoft Windows XP Professional Service Pack 3
System drive C: has 2 GB (10%) free of 19 GB
Total RAM: 478 MB (27% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:03:03 AM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Hassaan\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Hassaan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Quikc\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [sdfsdf] C:\WINDOWS\yahoo~.scr
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\server.exe
O4 - HKCU\..\Policies\Explorer\Run: [Policies] c:\dir\install\install\server.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: http://192.168.1.1
O15 - ESC Trusted IP range: http://192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{FE599F74-F910-4848-B0CE-55AB947D45D6}: NameServer = 203.99.163.240,202.125.132.12
O23 - Service: DriveHQ FileManagerFun - Drive Headquarter - C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5604 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-20 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-03-27 13684736]
"nwiz"=nwiz.exe /install []
"SW20"=C:\WINDOWS\system32\sw20.exe [2006-09-07 208896]
"SW24"=C:\WINDOWS\system32\sw24.exe [2006-09-07 69632]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2005-10-15 14864384]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-03-27 86016]
"snpstd3"=C:\WINDOWS\vsnpstd3.exe [2004-07-30 286720]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"QuickTime Task"=D:\Quikc\qttask.exe [2009-09-05 417792]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-20 149280]
"sdfsdf"=C:\WINDOWS\yahoo~.scr [2009-10-31 53248]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=c:\dir\install\install\server.exe [2009-10-30 283648]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Policies"=c:\dir\install\install\server.exe [2009-10-30 283648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DriveHQ FileManager]
C:\Program Files\DriveHQ\DriveHQ FileManager\DriveHQClient.exe [2009-07-06 1898496]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HTV Agent]
C:\Program Files\HTV\HTV.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-02-16 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe [2009-07-10 160592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program Files\Skype\Phone\Skype.exe /nosplash /minimized []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-20 149280]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE [2007-09-19 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Hassaan^Start Menu^Programs^Startup^FIFA 09 Registration.lnk]
D:\fifa09\Support\EAREGI~1.EXE /remind /language=ENB /PRID=ODS:15373.110.Base Product /WHPR=FIFA 09 /PRNM=Electronic Arts Product []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe"="C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe:*:Enabled:EasyShare"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe"="C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe"="C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\WINDOWS\system32\rtcshare.exe"="C:\WINDOWS\system32\rtcshare.exe:*:Enabled:RTC App Sharing"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\Program Files\Xfire\Xfire.exe"="C:\Program Files\Xfire\Xfire.exe:*:Enabled:Xfire"
"C:\Documents and Settings\Hassaan\temp\TeamViewer\Version4\TeamViewer.exe"="C:\Documents and Settings\Hassaan\temp\TeamViewer\Version4\TeamViewer.exe:*:Enabled:TeamViewer Remote Control Application"
"D:\dghdg\MOHAA.exe"="D:\dghdg\MOHAA.exe:*:Enabled:Medal of Honor Allied Assault(tm)"
"D:\Counter Strike 1.6 version 3147\cstrike.exe"="D:\Counter Strike 1.6 version 3147\cstrike.exe:*:Enabled:Half-Life Launcher"
"D:\Counter Strike 1.6 version 3147\hl.exe"="D:\Counter Strike 1.6 version 3147\hl.exe:*:Enabled:Half-Life Launcher"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Documents and Settings\Hassaan\Desktop\Bifrost1.2d_cryptcrew.com\Bifrost1.2d_cryptcrew.com\Bifrost1.2d.exe"="C:\Documents and Settings\Hassaan\Desktop\Bifrost1.2d_cryptcrew.com\Bifrost1.2d_cryptcrew.com\Bifrost1.2d.exe:*:Enabled:Bifrost 1.2.1"
"C:\Documents and Settings\Hassaan\Desktop\Cerberus RAT 1_03_4 BETA\Cerberus RAT 1_03_4 BETA\Cerberus.exe"="C:\Documents and Settings\Hassaan\Desktop\Cerberus RAT 1_03_4 BETA\Cerberus RAT 1_03_4 BETA\Cerberus.exe:*:Enabled:Cerberus"
"C:\Documents and Settings\Hassaan\Desktop\PI2.3.2\Poison Ivy 2.3.2.exe"="C:\Documents and Settings\Hassaan\Desktop\PI2.3.2\Poison Ivy 2.3.2.exe:*:Enabled:Poison Ivy Remote Administration"
"C:\Program Files\Port Forwarding Wizard\bin\Port Forwarding Wizard.exe"="C:\Program Files\Port Forwarding Wizard\bin\Port Forwarding Wizard.exe:*:Enabled:Port Forwarding Wizard"
"C:\Documents and Settings\Hassaan\Desktop\Lost_Door_V4.1_Fix\Lost Door V4.1 Fix\Lost door V4.1 Fix.exe"="C:\Documents and Settings\Hassaan\Desktop\Lost_Door_V4.1_Fix\Lost Door V4.1 Fix\Lost door V4.1 Fix.exe:*:Enabled:By OussamiO"
"C:\Documents and Settings\Hassaan\Desktop\asas\Poison Ivy 2.3.2.exe"="C:\Documents and Settings\Hassaan\Desktop\asas\Poison Ivy 2.3.2.exe:*:Enabled:Poison Ivy Remote Administration"
"C:\Documents and Settings\Hassaan\Desktop\Remote_Access_Shell_v1.07__Public_\t3c4i3_s_FUD_Remote_Access_Shell_v1.07__Public_\t3c4i3\'s FUD Remote Access Shell v1.07 [Public].exe"="C:\Documents and Settings\Hassaan\Desktop\Remote_Access_Shell_v1.07__Public_\t3c4i3_s_FUD_Remote_Access_Shell_v1.07__Public_\t3c4i3\'s FUD Remote Access Shell v1.07 [Public].exe:*:Enabled:t3c4i3's FUD Remote Access Shell v1.07 [Public]"
"C:\Documents and Settings\Hassaan\Desktop\Pmaster1.0fix\Client.exe"="C:\Documents and Settings\Hassaan\Desktop\Pmaster1.0fix\Client.exe:*:Enabled:Client"
"C:\Documents and Settings\Hassaan\Desktop\Spy-Net_v2.2\SpyNet.exe"="C:\Documents and Settings\Hassaan\Desktop\Spy-Net_v2.2\SpyNet.exe:*:Enabled:SpyNet"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00c2473a-581f-11de-92ca-00167686fd59}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe
shell\Open\command - I:\RECYCLER\S-1-5-21-1482476501-3352491937-682996330-1013\server.exe


======List of files/folders created in the last 1 months======

2009-11-01 11:02:59 ----D---- C:\rsit
2009-10-31 16:07:13 ----A---- C:\WINDOWS\wplog.txt
2009-10-31 16:07:11 ----D---- C:\Program Files\Web Publish
2009-10-31 16:06:41 ----D---- C:\Program Files\Microsoft Visual Studio
2009-10-31 11:33:52 ----A---- C:\WINDOWS\system32\scrrnfr.dll
2009-10-31 10:52:27 ----D---- C:\Program Files\Port Forwarding Wizard
2009-10-31 10:49:04 ----D---- C:\Program Files\PFConfig
2009-10-31 10:48:40 ----A---- C:\WINDOWS\Simple Port Forwarding Uninstall Log.txt
2009-10-31 10:38:59 ----A---- C:\WINDOWS\Simple Port Forwarding Setup Log.txt
2009-10-31 09:28:06 ----D---- C:\Program Files\No-IP
2009-10-30 19:23:16 ----D---- C:\dir
2009-10-30 12:54:24 ----D---- C:\WINDOWS\system32\28463
2009-10-27 21:59:13 ----D---- C:\Documents and Settings\Hassaan\Application Data\Samsung
2009-10-27 21:56:39 ----A---- C:\WINDOWS\system32\framedyn.dll
2009-10-27 21:56:18 ----D---- C:\WINDOWS\system32\Samsung_USB_Drivers
2009-10-27 21:55:43 ----D---- C:\Program Files\Samsung
2009-10-22 14:30:18 ----D---- C:\Program Files\IObit
2009-10-20 13:41:46 ----D---- C:\WINDOWS\temp
2009-10-20 13:35:31 ----A---- C:\WINDOWS\system32\javaws.exe
2009-10-20 13:35:31 ----A---- C:\WINDOWS\system32\javaw.exe
2009-10-20 13:35:31 ----A---- C:\WINDOWS\system32\java.exe
2009-10-20 09:11:39 ----D---- C:\Program Files\CodeHook
2009-10-19 19:45:05 ----D---- C:\Program Files\SBP
2009-10-19 15:16:50 ----D---- C:\Documents and Settings\All Users\Application Data\DriveHQ
2009-10-19 13:35:42 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-10-18 10:14:44 ----D---- C:\Program Files\DAMN NFO Viewer
2009-10-17 21:13:11 ----A---- C:\WINDOWS\system32\WgaTray.exe
2009-10-17 21:13:11 ----A---- C:\WINDOWS\system32\WgaLogon.dll
2009-10-17 21:08:13 ----D---- C:\WINDOWS\system32\URTTEMP
2009-10-17 21:07:08 ----D---- C:\Program Files\Common Files\BitDefender
2009-10-16 13:48:15 ----D---- C:\Program Files\OpenVPN
2009-10-15 04:58:06 ----A---- C:\WINDOWS\system32\xfcodec.dll
2009-10-14 19:41:58 ----D---- C:\WINDOWS\Logs
2009-10-10 15:45:23 ----D---- C:\Documents and Settings\Hassaan\Application Data\nHancer
2009-10-10 15:45:12 ----D---- C:\Documents and Settings\All Users\Application Data\NVIDIA
2009-10-10 15:44:57 ----D---- C:\Documents and Settings\All Users\Application Data\nHancer

======List of files/folders modified in the last 1 months======

2009-11-01 10:59:07 ----D---- C:\Program Files\Mozilla Firefox
2009-11-01 10:55:42 ----D---- C:\WINDOWS\system32\Lang
2009-10-31 21:01:02 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-10-31 20:08:35 ----D---- C:\WINDOWS\Prefetch
2009-10-31 16:36:55 ----A---- C:\WINDOWS\vbaddin.ini
2009-10-31 16:35:41 ----RD---- C:\Program Files
2009-10-31 16:22:46 ----D---- C:\WINDOWS
2009-10-31 16:07:24 ----A---- C:\WINDOWS\vb.ini
2009-10-31 16:07:11 ----HD---- C:\WINDOWS\inf
2009-10-31 16:07:11 ----D---- C:\WINDOWS\system32
2009-10-31 16:07:11 ----D---- C:\WINDOWS\Help
2009-10-31 16:07:05 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-10-31 16:06:53 ----D---- C:\Program Files\Common Files\DESIGNER
2009-10-31 15:16:57 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-10-31 11:55:52 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-10-31 11:25:01 ----D---- C:\Documents and Settings\Hassaan\Application Data\uTorrent
2009-10-31 10:49:06 ----D---- C:\WINDOWS\system32\CatRoot2
2009-10-31 10:49:03 ----SHD---- C:\WINDOWS\Installer
2009-10-31 10:49:02 ----D---- C:\Config.Msi
2009-10-28 09:40:55 ----D---- C:\Program Files\Common Files
2009-10-27 21:58:46 ----D---- C:\WINDOWS\system32\drivers
2009-10-27 21:55:42 ----HD---- C:\Program Files\InstallShield Installation Information
2009-10-27 21:16:32 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-10-27 21:14:20 ----D---- C:\Program Files\Common Files\InstallShield
2009-10-22 09:26:33 ----D---- C:\Program Files\Xfire
2009-10-21 19:58:02 ----D---- C:\Documents and Settings\Hassaan\Application Data\Xfire
2009-10-21 09:19:56 ----D---- C:\WINDOWS\system32\Restore
2009-10-21 09:19:44 ----SHD---- C:\System Volume Information
2009-10-21 09:18:02 ----D---- C:\WINDOWS\ERDNT
2009-10-20 13:44:35 ----A---- C:\WINDOWS\system.ini
2009-10-20 13:40:30 ----D---- C:\WINDOWS\AppPatch
2009-10-20 13:35:14 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-10-19 20:57:29 ----D---- C:\WINDOWS\system32\config
2009-10-19 19:47:02 ----SD---- C:\Documents and Settings\Hassaan\Application Data\Microsoft
2009-10-19 15:16:40 ----D---- C:\Documents and Settings\Hassaan\Application Data\DriveHQHOOK
2009-10-19 14:38:48 ----D---- C:\WINDOWS\WinSxS
2009-10-19 13:26:51 ----SD---- C:\WINDOWS\Tasks
2009-10-17 21:09:05 ----D---- C:\WINDOWS\Registration
2009-10-17 21:08:45 ----RSD---- C:\WINDOWS\assembly
2009-10-17 21:08:41 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-10-17 21:01:39 ----D---- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2009-10-14 15:58:13 ----D---- C:\Program Files\DivX
2009-10-10 15:37:06 ----D---- C:\Program Files\Google

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2006-07-24 5632]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2005-10-19 4034048]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-03-27 6280416]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
R3 tap0901;TAP-Win32 Adapter V9; C:\WINDOWS\system32\DRIVERS\tap0901.sys [2009-07-16 25984]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
S2 AKEProtect;AKEProtect; \??\C:\Program Files\Anti Keylogger Elite\AKEProtect.sys []
S3 aui7mhha;aui7mhha; C:\WINDOWS\system32\drivers\aui7mhha.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-14 17024]
S3 ddsxeiservice;ddsxeiservice2; \??\C:\Program Files\sXe Injected\ddsxei.sys []
S3 GMSIPCI;GMSIPCI; \??\E:\vga\G71-VN31020 (G)\INSTALL\GMSIPCI.SYS []
S3 MSICPL;MSICPL; \??\E:\vga\G71-VN31020 (G)\install4\MSICPL.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-14 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-14 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 NTACCESS;NTACCESS; \??\E:\vga\G71-VN31020 (G)\NTACCESS.sys []
S3 Profos;Profos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\profos.sys []
S3 SetupNTGLM7X;SetupNTGLM7X; \??\E:\vga\G71-VN31020 (G)\NTGLM7X.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-14 11136]
S3 SNPSTD3;USB PC Camera (SNPSTD3); C:\WINDOWS\system32\DRIVERS\snpstd3.sys [2004-11-25 419200]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-14 15232]
S3 Trufos;Trufos; \??\C:\Program Files\Common Files\BitDefender\BitDefender Threat Scanner\trufos.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;Usbscan; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-14 19200]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 DriveHQ FileManagerFun;DriveHQ FileManagerFun; C:\Program Files\DriveHQ\DriveHQ FileManager\DHQFMSvc.exe [2009-07-07 46080]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-20 153376]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-03-27 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-07-12 75064]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-10-31 215104]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-07-13 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 OpenVPNService;OpenVPN Service; C:\Program Files\OpenVPN\bin\openvpnserv.exe [2009-07-16 36352]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------



INFO


info.txt logfile of random's system information tool 1.06 2009-11-01 11:03:05

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
A4 TECH USB PC Camera-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECD03DA7-5952-406A-8156-5F0C93618D1F}\Setup.exe" -l0x9
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
AI RoboForm (All Users)-->"C:\Program Files\Siber Systems\AI RoboForm\rfwipeout.exe"
Apple Application Support-->MsiExec.exe /I{0C34B801-6AEC-4667-B053-03A67E2D0415}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
BPP i-Pass ACCA Paper F1-->C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF1\UNWISE.EXE C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF1\INSTALL.LOG
BPP i-Pass ACCA Paper F2-->C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF2\UNWISE.EXE C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF2\INSTALL.LOG
BPP i-Pass ACCA Paper F3 INT-->C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF3I0\UNWISE.EXE C:\PROGRA~1\i-assess\..\BPPI-P~1\ACCAF3I0\INSTALL.LOG
Call of Duty(R) 4 - Modern Warfare(TM) 1.1 Patch-->C:\Program Files\InstallShield Installation Information\{5D7767FA-7FE8-4627-9F09-AEF7A25F1E07}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.2 Patch-->C:\Program Files\InstallShield Installation Information\{E5141379-B2D9-4BBC-BB2A-5805541571DD}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.3 Patch-->C:\Program Files\InstallShield Installation Information\{050C1C8E-4A4D-4C2F-B9AE-67E60EE91B7F}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.4 Patch-->C:\Program Files\InstallShield Installation Information\{3BD633E0-4BF8-4499-9149-88F0767D449C}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.5 Multiplayer Patch-->C:\Program Files\InstallShield Installation Information\{8503C901-85D7-4262-88D2-8D8B2A7B08B8}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch-->C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch-->C:\Program Files\InstallShield Installation Information\{931C37FC-594D-43A9-B10F-A2F2B1F03498}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
CCScore-->MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
CodeHook CMS 0.33b-->C:\Program Files\CodeHook\Uninstall.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
DriveHQ FileManager 4.5-->"C:\Program Files\InstallShield Installation Information\{F8AD7E02-21AC-4057-95F9-7DB59FF57FC8}\setup.exe" -runfromtemp -l0x0009 -removeonly
ESSBrwr-->MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK-->MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore-->MsiExec.exe /I{42938595-0D83-404D-9F73-F8177FDD531A}
ESSgui-->MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESSini-->MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD-->MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSSONIC-->MsiExec.exe /I{073F22CE-9A5B-4A40-A604-C7270AC6BF34}
ESSTOOLS-->MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
essvatgt-->MsiExec.exe /I{2D03B6F8-DF36-4980-B7B6-5B93D5BA3A8F}
fflink-->MsiExec.exe /I{608D2A3C-6889-4C11-9B54-A42F45ACBFDB}
Fraps-->"C:\Fraps\uninstall.exe"
Game Booster-->"C:\Program Files\IObit\Game Booster\unins000.exe"
Google Earth Plug-in-->MsiExec.exe /X{FE24D361-A3E8-11DE-88F3-005056806466}
Google Earth-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
i-assess runtime utilities Version 3-->C:\PROGRA~1\i-assess\UNWISE.EXE C:\PROGRA~1\i-assess\INSTALL.LOG
Java(TM) 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
kgcbase-->MsiExec.exe /I{F22C222C-3CE2-4A4B-A83F-AF4681371ABE}
K-Lite Mega Codec Pack 4.9.5-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kodak EasyShare software-->C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_140002_246978\Setup.exe /APR-REMOVE
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual Studio 6.0 Enterprise Edition-->"C:\Program Files\Microsoft Visual Studio\Common\Setup\1033\Setup.exe"
Microsoft Web Publishing Wizard 1.53-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie3x86.inf,WebPostUninstall
Mozilla Firefox (3.0.15)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
netbrdg-->MsiExec.exe /I{4537EA4B-F603-4181-89FB-2953FC695AB1}
No-IP.com DUC (remove only)-->"C:\Program Files\No-IP\DUC20.exe" -uninstall
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
OfotoXMI-->MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OpenVPN 2.1_rc19-->C:\Program Files\OpenVPN\Uninstall.exe
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
QuickTime-->MsiExec.exe /I{A429C2AE-EBF1-4F81-A221-1C115CAADDAD}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
SFR-->MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA-->MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
skin0001-->MsiExec.exe /I{5316DFC9-CE99-4458-9AB3-E8726EDE0210}
SKINXSDK-->MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
staticcr-->MsiExec.exe /I{8943CE61-53BD-475E-90E1-A580869E98A2}
Technitium MAC Address Changer v5.0 Release 3-->C:\Program Files\Technitium\TMACv5.0R3\Installer.exe
tooltips-->MsiExec.exe /I{E79987F0-0E34-42CC-B8FF-6C860AEEB26A}
Update for Windows Internet Explorer 8 (KB969497)-->"C:\WINDOWS\ie8updates\KB969497-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
VPRINTOL-->MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WIRELESS-->MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Xfire (remove only)-->"C:\Program Files\Xfire\uninst.exe"

=====HijackThis Backups=====

O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe [2009-05-28]
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe [2009-05-28]
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe [2009-05-28]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-07-15]
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file) [2009-07-15]

======System event log======

Computer Name: HASSAAN-0F6E133
Event Code: 1002
Message: The IP address lease 192.168.7.83 for the Network Card with network address 00FF84B57D3B has been
denied by the DHCP server 192.168.7.126 (The DHCP Server sent a DHCPNACK message).

Record Number: 28580
Source Name: Dhcp
Time Written: 20091023091641.000000+300
Event Type: error
User:

Computer Name: HASSAAN-0F6E133
Event Code: 1002
Message: The IP address lease 192.168.7.83 for the Network Card with network address 00FF84B57D3B has been
denied by the DHCP server 192.168.7.126 (The DHCP Server sent a DHCPNACK message).

Record Number: 28484
Source Name: Dhcp
Time Written: 20091022183447.000000+300
Event Type: error
User:

Computer Name: HASSAAN-0F6E133
Event Code: 1002
Message: The IP address lease 192.168.7.83 for the Network Card with network address 00FF84B57D3B has been
denied by the DHCP server 192.168.7.126 (The DHCP Server sent a DHCPNACK message).

Record Number: 28386
Source Name: Dhcp
Time Written: 20091022162454.000000+300
Event Type: error
User:

Computer Name: HASSAAN-0F6E133
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 28299
Source Name: Tcpip
Time Written: 20091022150416.000000+300
Event Type: warning
User:

Computer Name: HASSAAN-0F6E133
Event Code: 1002
Message: The IP address lease 192.168.7.83 for the Network Card with network address 00FF84B57D3B has been
denied by the DHCP server 192.168.7.126 (The DHCP Server sent a DHCPNACK message).

Record Number: 28281
Source Name: Dhcp
Time Written: 20091022143212.000000+300
Event Type: error
User:

=====Application event log=====

Computer Name: HASSAAN-0F6E133
Event Code: 0
Message:
Record Number: 376
Source Name: Avira Firewall
Time Written: 20090606162132.000000+300
Event Type:
User:

Computer Name: HASSAAN-0F6E133
Event Code: 1000
Message: Faulting application hpzsetup.exe, version 7.0.0.71, faulting module hpzsetup.exe, version 7.0.0.71, fault address 0x00059231.

Record Number: 375
Source Name: Application Error
Time Written: 20090606123352.000000+300
Event Type: error
User:

Computer Name: HASSAAN-0F6E133
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0

Record Number: 373
Source Name: MsiInstaller
Time Written: 20090606123324.000000+300
Event Type: warning
User: HASSAAN-0F6E133\Hassaan

Computer Name: HASSAAN-0F6E133
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0

Record Number: 371
Source Name: MsiInstaller
Time Written: 20090606123315.000000+300
Event Type: warning
User: HASSAAN-0F6E133\Hassaan

Computer Name: HASSAAN-0F6E133
Event Code: 1015
Message: Failed to connect to server. Error: 0x800401F0

Record Number: 369
Source Name: MsiInstaller
Time Written: 20090606123302.000000+300
Event Type: warning
User: HASSAAN-0F6E133\Hassaan

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Common Files\DivX Shared;D:\Quikc\QTSystem;C:\Program Files\Samsung\Samsung PC Studio 3\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0409
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------


ROOTREPEAL REPORT

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/01 11:10
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3CB1000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A72000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PCI_PNP8294
Image Path: \Driver\PCI_PNP8294
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA630000 Size: 49152 File Visible: No Signed: -
Status: -

Name: spnx.sys
Image Path: spnx.sys
Address: 0xF732A000 Size: 1052672 File Visible: No Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spnx.sys" at address 0xf732b0e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spnx.sys" at address 0xf7349ca4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spnx.sys" at address 0xf734a032

#: 119 Function Name: NtOpenKey
Status: Hooked by "spnx.sys" at address 0xf732b0c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spnx.sys" at address 0xf734a10a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spnx.sys" at address 0xf7349f8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spnx.sys" at address 0xf734a19c

==EOF==
Corrine
Administrator
Joined: 18 Jan 2001
Posts: 12721
Location: Upstate, NY

PostPosted: Sun Nov 01, 2009 13:02 pm

Your computer was infected at the beginning of May and at the end of May. It was infected again in October and reinfected in less than two weeks. What I am seeing in the logs was not on the computer on October 20.

You continue to use file-sharing software. There is no evidence of antivirus software. One or more of the identified infections is a backdoor trojan. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

-- TeamViewer is a computer software package for remote control, desktop sharing, and file transfer between computers ("C:\Documents and Settings\Hassaan\temp\TeamViewer\Version4\TeamViewer.exe")

-- Bifrost1.2d.exe is a backdoor trojan ("C:\Documents and Settings\Hassaan\Desktop\Bifrost1.2d_cryptcrew.com\Bifrost1.2d_cryptcrew.com\Bifrost1.2d.exe")

-- scrrnfr.dll appears to be a worm, with aliases W32/Amca-A, Trojan-Dropper.Win32.VB.pt, Win32/VB.NLK

Because of the backdoor and repeated infections, there is no way to be sure your computer can ever again be trusted or cleaned. The best course of action would be a reformat and reinstall of the OS. Please read these for more information:

_________________
Freedomlist.com (2000 - 2010)

Take a walk through my Security Garden
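The persistence entries in the HijackThis Backups section of the log above (a Run key launching scvhost.exe, a Winlogon Shell value that starts a second program beside Explorer, orphaned BHO registrations) and Corrine's reading of them as a backdoor are the kind of thing an analyst checks by eye. The Python below is an added example, not code from the original thread, from HijackThis, from RSIT or from any other tool named on the page. It runs those same checks over a constructed sample of HijackThis-style lines modelled on the log: a look-alike test for names one edit away from a Windows system process (scvhost.exe against svchost.exe), a test for anything besides Explorer.exe in the Shell value (HijackThis reports the Winlogon Shell registry value under its "F2 - REG:system.ini" label), an orphaned-BHO test, and a second pass that flags unflagged entries sharing an install date with a high-severity item, which is how winsys2.exe, whose name matches nothing, gets picked up. The function names, the SYSTEM_BINARIES list, the severity labels and the sample lines are all assumptions of this example.

```python
"""Triage of HijackThis-style persistence entries (added example).

The SAMPLE_LOG below is constructed for this example; the first four
lines are modelled on the HijackThis Backups section of the log above,
the NvCplDaemon line is a typical benign Run entry added for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Names of core Windows processes that should never appear in a Run key
# (they are started by the session manager / service control manager).
# Assumed list for this example, not a complete one.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "smss.exe",
    "services.exe", "explorer.exe", "spoolsv.exe", "wininit.exe",
}

SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Yahoo Messengger] C:\WINDOWS\system32\scvhost.exe [2009-05-28]
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe [2009-05-28]
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup [2009-03-02]
F2 - REG:system.ini: Shell=Explorer.exe scvhost.exe [2009-05-28]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file) [2009-07-15]
"""


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low" (labels assumed for this example)
    line: str
    reason: str


# HijackThis appends the file date as " [YYYY-MM-DD]" at the end of a line.
_DATE = r"(?: \[(?P<date>\d{4}-\d{2}-\d{2})\])?$"
O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*?)" + _DATE)
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*?)" + _DATE)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*?)" + _DATE)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    swap two adjacent characters, each at cost 1. A swap is what turns
    svchost into scvhost, so it must count as a single edit."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def first_executable(cmd: str) -> str:
    """Basename of the program a Run command launches (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        path = cmd[1:end] if end > 0 else cmd[1:]
    else:
        path = cmd.split(" ", 1)[0]
    return re.split(r"[\\/]", path)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    entries: list[tuple[str, str | None]] = []  # (line, date) for the date pass
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)):
            entries.append((line, m["date"]))
            exe = first_executable(m["cmd"])
            for known in sorted(SYSTEM_BINARIES):
                dist = osa_distance(exe, known)
                if dist == 0:
                    findings.append(Finding("high", line, f"system process name {known} launched from a Run key"))
                elif dist == 1:
                    findings.append(Finding("high", line, f"{exe} is one edit away from {known} (look-alike name)"))
        elif (m := F2_RE.match(line)):
            entries.append((line, m["date"]))
            extra = [t for t in m["value"].split() if t.lower() != "explorer.exe"]
            if extra:
                findings.append(Finding("high", line, "Winlogon Shell launches " + ", ".join(extra) + " alongside Explorer"))
        elif (m := O2_RE.match(line)):
            entries.append((line, m["date"]))
            if m["file"].strip().lower() == "(no file)":
                findings.append(Finding("low", line, "orphaned BHO registration (no file on disk)"))
    # Second pass: anything installed on the same day as a high-severity
    # item is worth a look even when its name gives nothing away.
    flagged = {f.line for f in findings if f.severity == "high"}
    hot_dates = {d for line, d in entries if line in flagged and d}
    for line, date in entries:
        if line not in flagged and date in hot_dates:
            findings.append(Finding("medium", line, f"same install date ({date}) as a high-severity item"))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the sample this reports the scvhost.exe Run entry and the Shell value as high, winsys2.exe as medium by date association only, and the BHO as low; the NvCplDaemon line passes. The date pass is the honest part of the example: a name heuristic alone would have missed winsys2.exe, which is why the analysts in this thread also asked for file dates, and why their final advice rests on the presence of a backdoor rather than on any single indicator.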