Default Autorun Malware?

  #1  
Old 19th Jun 2009, 08:12
Donor Group
 
Posts: 39
Default Autorun Malware?

Hi, my computer seems to have some malware that I discovered when my uncle connected his USB key. Avast scan found some stuff, but could not clean/remove it. Defender scan would freeze after about 7 minutes. And MBAM full scan also froze after about 5 minutes, but the quick scan was ok. Here are the logs:

Avast:
18/06/2009 11:07:37 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "D:\RECYCLER\S-1-5-21-1214440339-602162358-839522115-1003\Dd16\Outlook.pst\Personal Folders\Top of Personal Folders\Inbox\UPS Tracking Number 7124353990\UPS_INVOICE_978172.zip\UPS_INVOICE_978172.exe" file.
18/06/2009 11:06:59 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "D:\RECYCLER\S-1-5-21-1214440339-602162358-839522115-1003\Dd16\Outlook.pst\Personal Folders\Top of Personal Folders\Deleted Items\UPS Tracking Number 7124353990\UPS_INVOICE_978172.zip\UPS_INVOICE_978172.exe" file.
18/06/2009 11:06:59 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "D:\RECYCLER\S-1-5-21-1214440339-602162358-839522115-1003\Dd16\Outlook.pst\Personal Folders\Top of Personal Folders\Deleted Items\UPS Tracking Number 0762005263\invoice_8712.zip\INVOICE_8712.exe" file.
18/06/2009 11:06:58 AM user 3652 Sign of "Win32:Agent-AAPS [Trj]" has been found in "D:\RECYCLER\S-1-5-21-1214440339-602162358-839522115-1003\Dd16\Outlook.pst\Personal Folders\Top of Personal Folders\Deleted Items\UPS Tracking Number 3508422599\ups_invoice.zip\ups_invoice.exe" file.
18/06/2009 10:42:55 AM user 3652 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlookinfo@fcagroup.com (imap)-00000005.pst\info@fcagroup.com\Top of Personal Folders\[Gmail]\All Mail\Really cool photos\pussy.zip\pussy.exe" file.
18/06/2009 10:42:41 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlookinfo@fcagroup.com (imap)-00000005.pst\info@fcagroup.com\Top of Personal Folders\[Gmail]\All Mail\UPS: Your Tracking # 358010698330\PDF76512.zip\PDF76512.exe" file.
18/06/2009 10:42:41 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlookinfo@fcagroup.com (imap)-00000005.pst\info@fcagroup.com\Top of Personal Folders\[Gmail]\All Mail\UPS: Your Tracking # 145132932471\PDF76512.zip\PDF76512.exe" file.
18/06/2009 10:42:23 AM user 3652 Sign of "Win32:Ups [Cryp]" has been found in "C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook\Outlookinfo@fcagroup.com (imap)-00000005.pst\info@fcagroup.com\Top of Personal Folders\[Gmail]\All Mail\UPS: Your Tracking # 239293259082\EXL6512721.zip\EXL6512721.exe" file.
17/06/2009 5:36:18 PM SYSTEM 1328 Sign of "BV:AutoRun-T [Wrm]" has been found in "F:\Autorun.inf" file.




SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/19/2009 at 10:43 AM

Application Version : 4.26.1004

Core Rules Database Version : 3947
Trace Rules Database Version: 1889

Scan type : Complete Scan
Total Scan Time : 00:36:36

Memory items scanned : 631
Memory threats detected : 0
Registry items scanned : 6110
Registry threats detected : 0
File items scanned : 46796
File threats detected : 9

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@xiti[1].txt
C:\Documents and Settings\user\Cookies\user@revsci[2].txt
C:\Documents and Settings\user\Cookies\user@tribalfusion[2].txt
C:\Documents and Settings\user\Cookies\user@realmedia[2].txt
C:\Documents and Settings\user\Cookies\user@microsoftwindows.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\user\Cookies\user@adopt.euroclick[2].txt
C:\Documents and Settings\user\Cookies\user@specificclick[2].txt
C:\Documents and Settings\user\Cookies\user@247realmedia[1].txt





Malwarebytes' Anti-Malware 1.38
Database version: 2308
Windows 5.1.2600 Service Pack 3

19/06/2009 11:01:44 AM
mbam-log-2009-06-19 (11-01-44).txt

Scan type: Quick Scan
Objects scanned: 87063
Time elapsed: 2 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:04:24 AM, on 19/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\Twain_32\Samsung\SCX4x28\Scan2pc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhl.ca/ca/wfHomeLoggedIn.aspx
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [4x28 Scan2PC] "C:\WINDOWS\Twain_32\Samsung\SCX4x28\Scan2pc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Shortcut to Map Drive.lnk = C:\Documents and Settings\user\Desktop\Map Drive.bat
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Capture - C:\Program Files\SmarThru Office\WebCapture.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1203273577140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Hamachi Service (HamachiService) - LogMeIn Inc. - C:\Program Files\Hamachi\hamachi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7353 bytes
  #2  
Old 20th Jun 2009, 06:58
Malware Group
 
Skill Level: Advanced
Posts: 301
Default Autorun Malware?

Howdy there and welcome to Computer Juice

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
Proud member of ASAP & UNITE
  #3  
Old 22nd Jun 2009, 07:38
Donor Group
 
Posts: 39
Default Autorun Malware?

Hey, thanks for helping. Here is the log:

ComboFix 09-06-21.01 - user 22/06/2009 10:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1511 [GMT -4:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090621-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winsusrm.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-22 to 2009-06-22 )))))))))))))))))))))))))))))))
.

2009-06-19 15:34 . 2009-06-19 15:34 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-19 14:07 . 2009-06-19 14:07 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2009-06-19 14:07 . 2009-06-17 15:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 14:07 . 2009-06-19 14:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-19 14:07 . 2009-06-19 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 14:07 . 2009-06-17 15:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-19 13:58 . 2009-06-19 13:58 117760 ----a-w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-19 13:57 . 2009-06-19 13:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-06-19 13:57 . 2009-06-19 13:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-06-19 13:57 . 2009-06-19 13:57 -------- d-----w- c:\documents and settings\user\Application Data\SUPERAntiSpyware.com
2009-06-19 13:57 . 2009-06-19 13:57 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-06-10 17:39 . 2009-06-10 17:39 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 00:53 . 2009-06-10 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Software
2009-05-29 11:46 . 2008-04-14 09:42 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 14:22 . 2009-04-28 15:03 -------- d-----w- c:\documents and settings\user\Application Data\Skype
2009-06-22 13:56 . 2008-02-17 21:01 -------- d-----w- c:\documents and settings\user\Application Data\Hamachi
2009-06-22 12:02 . 2009-04-28 15:18 -------- d-----w- c:\documents and settings\user\Application Data\skypePM
2009-06-19 13:35 . 2008-02-17 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-18 19:10 . 2008-06-19 15:20 31703397 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-12 07:08 . 2008-12-03 14:46 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-10 17:39 . 2009-03-26 15:12 -------- d-----w- c:\program files\Java
2009-06-10 16:58 . 2008-12-30 17:22 -------- d-----w- c:\documents and settings\user\Application Data\FileZilla
2009-05-30 21:05 . 2008-08-28 17:15 -------- d-----w- c:\program files\MK PowerTools
2009-05-25 04:24 . 2008-05-27 03:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-21 15:33 . 2008-12-06 16:44 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-12 19:12 . 2008-02-17 18:05 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-03 16:56 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 16:37 . 2009-02-07 19:53 -------- d-----w- c:\documents and settings\user\Application Data\Unyte
2009-04-29 04:46 . 2004-08-03 16:56 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2004-08-03 16:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-28 15:18 . 2009-04-28 15:18 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-04-28 15:02 . 2009-04-28 15:02 -------- d-----w- c:\program files\Common Files\Skype
2009-04-28 15:02 . 2009-04-28 15:02 -------- d-----r- c:\program files\Skype
2009-04-28 15:02 . 2009-04-28 15:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-04-17 12:26 . 2004-08-03 15:17 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-03 16:56 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-09 02:09 . 2009-04-09 02:04 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-04-01 21:57 . 2008-02-17 22:30 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-04-01 21:21 . 2009-04-01 21:21 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-31 21:41 . 2009-03-31 21:41 0 ----a-w- c:\windows\system32\WSSPOOL.TMP
2009-03-26 15:11 . 2009-03-26 15:11 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2008-06-23 22:36 . 2008-06-23 22:36 0 ----a-w- c:\program files\gditst
2008-05-22 20:04 . 2008-05-22 20:04 190 ----a-w- c:\program files\Common Files\psasetup.log
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-10-04 163840]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-07-31 536576]
"4x28 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4x28\Scan2pc.exe" [2008-09-29 495616]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-26 16132608]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\user\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-2-17 625952]
Shortcut to Map Drive.lnk - c:\documents and settings\user\Desktop\Map Drive.bat [2008-7-30 42]
SyncBack.lnk - c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-11-15 2936064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Pervasive Software\\PSQL\\bin\\w3dbsmgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\ScanMgr.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Scan2Pc.exe"=
"c:\\WINDOWS\\twain_32\\Samsung\\SCX4x28\\Sscan2io.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [07/04/2008 10:44 AM 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [26/05/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [26/05/2009 10:05 AM 72944]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [07/04/2008 10:44 AM 20560]
R2 HamachiService;Hamachi Service;c:\program files\Hamachi\hamachi.exe [17/02/2008 5:01 PM 625952]
R2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [06/06/2008 1:03 PM 435488]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 8:19 PM 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [26/05/2009 10:05 AM 7408]
S1 KPSYSDRV;KPSYSDRV;c:\windows\system32\drivers\Kpsysdrv.sys [23/06/2008 6:36 PM 17016]
S2 BulkUsb;Genesys Logic USB Controller NT 5.0;c:\windows\system32\drivers\usbprn.sys [23/06/2008 6:27 PM 7552]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 Moarer;Moarer; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SASDIFSV
*NewlyCreated* - SASENUM
*NewlyCreated* - SASKUTIL
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

2009-06-22 c:\windows\Tasks\SyncBack Outlook.job
- c:\program files\2BrightSparks\SyncBack\SyncBack.exe [2008-11-15 16:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dhl.ca/ca/wfHomeLoggedIn.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Web Capture - c:\program files\SmarThru Office\WebCapture.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 10:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Pervasive Software\PSQL]
@Denied: ) (Everyone)
@=""
.
Completion time: 2009-06-22 10:32
ComboFix-quarantined-files.txt 2009-06-22 14:32

Pre-Run: 32,245,211,136 bytes free
Post-Run: 32,239,325,184 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

164 --- E O F --- 2009-06-18 19:28
  #4  
Old 22nd Jun 2009, 09:38
Malware Group
 
Skill Level: Advanced
Posts: 301
Default Autorun Malware?

Howdy there

In this next post I want you to run an online virus scan, first let's remove some unwanted junk....

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.



**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post back with the results from Kaspersky, also update me on how things are running.
  #5  
Old 23rd Jun 2009, 08:40
Donor Group
 
Posts: 39
Default Autorun Malware?

Kaspersky started to scan all the network drives and it was going to take too long so I ended it manually. I tried plugging my own USB key in, and nothing happened. My uncle is gone for 3 months, so I won't be able to test his. Here are the results and a HJT log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 23, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 23, 2009 08:23:51
Records in database: 2382361
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
S:\
X:\

Scan statistics:
Files scanned: 111180
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:04:48

File name / Threat name / Threats count
S:\Backups\STORESERVER\Outlook\Outlook.pst Infected: Email-Worm.Win32.Agent.ev 1
S:\Backups\STORESERVER\Outlook\Outlook.pst Infected: Trojan-Dropper.Win32.Agent.rek 1

The scan was stopped by the user.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:39:24 AM, on 23/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Hamachi\hamachi.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\Twain_32\Samsung\SCX4x28\Scan2pc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dhl.ca/ca/wfHomeLoggedIn.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [4x28 Scan2PC] "C:\WINDOWS\Twain_32\Samsung\SCX4x28\Scan2pc.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Startup: Shortcut to Map Drive.lnk = C:\Documents and Settings\user\Desktop\Map Drive.bat
O4 - Startup: SyncBack.lnk = C:\Program Files\2BrightSparks\SyncBack\SyncBack.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Web Capture - C:\Program Files\SmarThru Office\WebCapture.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1203273577140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Hamachi Service (HamachiService) - LogMeIn Inc. - C:\Program Files\Hamachi\hamachi.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7090 bytes
  #6  
Old 23rd Jun 2009, 12:14
Malware Group
 
Skill Level: Advanced
Posts: 301
Default Autorun Malware?

Hi there

We really need to run a full system scan on the drive to be sure nothing is left over.

One thing I do notice is that the online scanner picked up on a phishing scam email. It does not tell us exactly which one it is, but it does tell us that it is in your inbox. Phishing scams attempt to lure you into putting your details into sites so that criminals can then gain the information and use it for their own benefit. For more information on phishing read this article here. The email in question may look like it came from your own bank or other financial institution and will even carry logos stolen from the original site. Never log into any banking site or any other site from links from emails. Always go to the home page and log in from there. I would advise that you empty your deleted items folder alongside any other suspicious emails.

Let's try a full scan using a different scanner.

Perform an online scan with Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please post the contents of that log to your reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan.

Avast users note:

Please do continue with the online scan at Panda if you receive an alert. It is a false positive from Avast because Panda Antivirus does not encrypt its virus database.


For some reason the HJT log you submitted is unreadable; instead I want you to post a different type of log.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.


Post both logs back in your next reply

Also include the panda scan results and keep me updated on your system status
__________________
Proud member of ASAP & UNITE
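
The reply above found the posted HijackThis log unreadable. The following is an added example, not part of the thread and not code from HijackThis: assuming the problem is lost line breaks, it re-splits a log into entries on the "code - " prefix and lists hosts-file overrides (O1 lines). The sample log, the example.test names and the 192.0.2.10 address are constructed.

```python
import re
from collections import defaultdict

# Every HijackThis entry starts with an R, F, N or O section code, then " - ".
CODE = r"(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2})"
# Zero-width split point: start of text or whitespace, followed by "<code> - ".
ENTRY_START = re.compile(r"(?<!\S)(?=" + CODE + r" - )")
ENTRY = re.compile(r"(" + CODE + r") - (.*)", re.S)

# Constructed sample: a few entries in HijackThis format, run together on one line.
FLATTENED = (
    "Boot mode: Normal Running processes: C:\\WINDOWS\\explorer.exe "
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = "
    "http://home.example.test/ "
    "O1 - Hosts: 192.0.2.10 search.example.test "
    "O4 - HKLM\\..\\Run: [ExampleTray] \"C:\\Program Files\\Example\\tray.exe\" "
    "O23 - Service: Example Service - Unknown owner - C:\\Program Files\\Example\\svc.exe"
)

def split_entries(text):
    """Return (code, body) pairs in log order; a body containing ' O4 - ' would mis-split."""
    entries = []
    for chunk in ENTRY_START.split(text):
        m = ENTRY.match(chunk.strip())
        if m:  # the header and process list before the first code are skipped
            entries.append((m.group(1), " ".join(m.group(2).split())))
    return entries

def by_section(entries):
    """Group entry bodies by section code, e.g. all O4 autostart entries together."""
    grouped = defaultdict(list)
    for code, body in entries:
        grouped[code].append(body)
    return dict(grouped)

def hosts_overrides(entries):
    """(ip, hostname) pairs from O1 lines: names the hosts file resolves locally."""
    out = []
    for code, body in entries:
        m = re.match(r"Hosts: (\S+) (\S+)$", body) if code == "O1" else None
        if m:
            out.append((m.group(1), m.group(2)))
    return out

if __name__ == "__main__":
    entries = split_entries(FLATTENED)
    for code, body in entries:
        print(f"{code:<3} {body}")
    print("hosts overrides:", hosts_overrides(entries))
```

Hosts-file overrides are worth reading first when triaging such a log, since each one silently changes where a name resolves on that machine.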