
Thread: Spyware Protect 2009

  #11 (joined Jan 2007, age 67, 201 posts)
    I ran Malwarebytes again this morning. SUPERAntiSpyware as well. I will paste the three SAS logs that have been generated so far, in chronological order.

    Malwarebytes' Anti-Malware 1.33
    Database version: 1731
    Windows 5.1.2600 Service Pack 2

    2/5/2009 11:29:48 AM
    mbam-log-2009-02-05 (11-29-48).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 97175
    Time elapsed: 34 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 8

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Opachki) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\NetworkService\protect.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\protect.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\7.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\9.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\msb.dll (Trojan.Opachki) -> Quarantined and deleted successfully.

    ____________________________________________________

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/03/2009 at 11:57 AM

    Application Version : 4.25.1012

    Core Rules Database Version : 3716
    Trace Rules Database Version: 1690

    Scan type : Quick Scan
    Total Scan Time : 00:11:02

    Memory items scanned : 594
    Memory threats detected : 0
    Registry items scanned : 510
    Registry threats detected : 22
    File items scanned : 8125
    File threats detected : 1

    Rootkit.TDSServ
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#start
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#type
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#imagepath
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys#group
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSserv
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSl
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssservers
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssmain
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsslog
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssadw
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssinit
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdssurls
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsspanels
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#tdsserrors
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules#TDSSproc
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#0
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#Count
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#NextInstance
    HKLM\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\Enum#INITSTARTFAILED

    Rootkit.TDSServ-Trace
    C:\WINDOWS\SYSTEM32\TDSSOSVD.DAT

    ____________________________________________________

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/03/2009 at 12:28 PM

    Application Version : 4.25.1012

    Core Rules Database Version : 3716
    Trace Rules Database Version: 1690

    Scan type : Complete Scan
    Total Scan Time : 00:22:15

    Memory items scanned : 563
    Memory threats detected : 0
    Registry items scanned : 6051
    Registry threats detected : 0
    File items scanned : 17858
    File threats detected : 0

    ____________________________________________________

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 02/05/2009 at 11:50 AM

    Application Version : 4.25.1012

    Core Rules Database Version : 3744
    Trace Rules Database Version: 1712

    Scan type : Complete Scan
    Total Scan Time : 00:18:41

    Memory items scanned : 614
    Memory threats detected : 0
    Registry items scanned : 6052
    Registry threats detected : 0
    File items scanned : 17878
    File threats detected : 4

    Adware.Tracking Cookie
    C:\Documents and Settings\User\Cookies\user@ehg-eset.hitbox[1].txt
    C:\Documents and Settings\User\Cookies\user@hitbox[2].txt

    Trojan.Dropper/Sys-NV
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\PROTECT.DLL
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEMPROFILE\START MENU\PROGRAMS\STARTUP\CHKDISK.DLL

  #12 (joined Aug 2006, location The Middle, age 80, 4,079 posts)
    Tell you what, these infections should NOT be returning. Something is being missed.
    Please do the following:
    Download ComboFix
    Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
    Once the download is complete you will see the Combofix on the desktop.

    • Close all open windows, including this one.
    • Close or disable all running Antivirus, Antispyware, and Firewall programs, as they may interfere with the proper running of ComboFix.
    • Double-click the ComboFix icon on the desktop to run the program.

    Windows will issue a prompt asking whether you wish to run the program, click Run
    You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

    Now just sit back and allow the program to run

    Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
    This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

    When all is complete then please post back here with that log.

  #13 (joined Jan 2007, age 67, 201 posts)
    Thanks, Judy!

    I'm running a Spybot S&D scan at the moment. Combofix was going to be next. I will get those to you as soon as they are done.

  #14 (joined Jan 2007, age 67, 201 posts)
    Here is the Combofix log. I am unable to disable McAfee. The disable buttons are grayed out. Probably by the school to prevent the students from disabling it. Can ComboFix be run under Safe Mode?

    ComboFix 09-02-05.01 - User 2009-02-05 20:59:24.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.344 [GMT -8:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\x64

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_TDSSSERV.SYS


    ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
    .

    2009-02-05 20:06 . 2009-02-05 20:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-05 20:06 . 2009-02-05 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-05 12:49 . 2009-02-05 12:49 268 --ah----- C:\sqmdata09.sqm
    2009-02-05 12:49 . 2009-02-05 12:49 244 --ah----- C:\sqmnoopt09.sqm
    2009-02-05 12:42 . 2009-02-05 12:42 268 --ah----- C:\sqmdata08.sqm
    2009-02-05 12:42 . 2009-02-05 12:42 244 --ah----- C:\sqmnoopt08.sqm
    2009-02-03 12:33 . 2009-02-03 14:07 <DIR> d-------- c:\program files\EsetOnlineScanner
    2009-02-03 11:58 . 2009-02-03 11:58 268 --ah----- C:\sqmdata07.sqm
    2009-02-03 11:58 . 2009-02-03 11:58 244 --ah----- C:\sqmnoopt07.sqm
    2009-02-03 11:42 . 2009-02-03 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-03 11:38 . 2009-02-03 11:38 268 --ah----- C:\sqmdata06.sqm
    2009-02-03 11:38 . 2009-02-03 11:38 244 --ah----- C:\sqmnoopt06.sqm
    2009-02-03 10:52 . 2009-02-03 10:52 268 --ah----- C:\sqmdata05.sqm
    2009-02-03 10:52 . 2009-02-03 10:52 244 --ah----- C:\sqmnoopt05.sqm
    2009-02-03 10:23 . 2009-02-03 10:23 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
    2009-02-01 17:27 . 2009-02-01 17:27 268 --ah----- C:\sqmdata04.sqm
    2009-02-01 17:27 . 2009-02-01 17:27 244 --ah----- C:\sqmnoopt04.sqm
    2009-01-29 13:25 . 2009-01-29 13:25 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-01-29 13:25 . 2009-01-29 13:25 <DIR> d-------- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2009-01-29 13:24 . 2009-01-29 13:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-29 11:56 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-29 11:55 . 2009-02-03 10:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-29 11:55 . 2009-01-29 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-29 11:55 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-29 11:47 . 2009-01-29 11:47 <DIR> d-------- c:\program files\CCleaner
    2009-01-28 22:28 . 2009-01-28 22:28 <DIR> d-------- c:\program files\Trend Micro
    2009-01-28 12:41 . 2009-02-03 10:57 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-15 12:20 . 2009-01-15 12:20 268 --ah----- C:\sqmdata03.sqm
    2009-01-15 12:20 . 2009-01-15 12:20 244 --ah----- C:\sqmnoopt03.sqm
    2009-01-13 16:50 . 2009-01-13 16:50 268 --ah----- C:\sqmdata02.sqm
    2009-01-13 16:50 . 2009-01-13 16:50 244 --ah----- C:\sqmnoopt02.sqm
    2009-01-13 11:11 . 2009-01-13 11:11 268 --ah----- C:\sqmdata01.sqm
    2009-01-13 11:11 . 2009-01-13 11:11 244 --ah----- C:\sqmnoopt01.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-04 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-08 03:29 --------- d-----w c:\program files\Google
    2000-04-13 20:10 73,184 ----a-w c:\program files\Common Files\Dao2535.tlb
    2000-04-13 20:09 582,144 ----a-w c:\program files\Common Files\Dao350.dll
    2008-11-14 17:17 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-11-14 17:17 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-11-14 17:17 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-11-14 17:17 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-11-14 17:17 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
    "AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 143360]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-03-06 136472]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2008-03-11 1274744]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2008-03-06 884696]
    "cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2008-05-05 413968]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-18 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-18 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-18 137752]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "nulej"="c:\windows\system32\wouqua.exe" [2008-11-25 195584]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "nulej"="c:\windows\system32\wouqua.exe" [2008-11-25 195584]

    c:\documents and settings\User\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-27 671744]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Softphone Reset.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Avaya IP Softphone Reset.lnk
    backup=c:\windows\pss\Avaya IP Softphone Reset.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-07-03 01:23 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-09 12:30 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
    --a------ 2006-07-12 21:22 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
    --a------ 2007-04-30 07:19 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
    --a------ 2007-06-11 18:27 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
    --a------ 2007-12-17 01:55 16040 c:\program files\Lexmark 2600 Series\lxdnamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnmon.exe]
    --a------ 2007-12-17 01:55 660136 c:\program files\Lexmark 2600 Series\lxdnmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2007-02-02 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a------ 2007-01-05 21:36 872448 c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-07-09 11:38 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    --a------ 2006-09-05 18:02 184320 c:\program files\InterVideo\DVD Check\DVDCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\WINDOWS\\system32\\lxdncoms.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnamon.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
    "c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
    "c:\\WINDOWS\\system32\\lxddcoms.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
    R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [2008-03-06 517848]
    R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-10 1042192]
    R2 eu9ov7wo3oge9t1g;ASF Agent;c:\windows\system32\fodob.exe [2008-11-27 195584]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-08-27 3712]
    R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
    R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-07-24 41216]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
    S2 fujjg6bplgeiilyx;Ati External Event Utility;c:\windows\system32\kepuwali.exe [2008-11-27 195584]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-07-09 99248]
    S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-07-08 98984]
    S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2008-07-03 33024]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b88df4-47bf-11dd-91ed-001a73fe6500}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-08 c:\windows\Tasks\Defrag.job
    - c:\support\Maint\Defrag.bat [2005-05-27 11:29]

    2009-01-19 c:\windows\Tasks\DiskClean.job
    - c:\support\Maint\DiskClean.bat [2005-05-27 10:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-RunOnce-Shockwave Updater - c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1100465 -Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET
    MSConfigStartUp-CognizanceTS - c:\progra~1\HEWLET~1\IAM\Bin\ASTSVCC.dll
    MSConfigStartUp-FaxCenterServer - c:\program files\Lexmark Fax Solutions\fm3032.exe
    MSConfigStartUp-HP Software Update - c:\program files\HP\HP Software Update\HPWuSchd2.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://insightschools.angellearning.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\cwalsp.dll
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\bjhroswq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://insightschools.angellearning.com/frames.aspx
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-05 21:04:49
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1028)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(1084)
    c:\windows\system32\relog_ap.dll
    c:\windows\system32\cwalsp.dll
    c:\windows\system32\wxbase28u_vc_CW.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\scardsvr.exe
    c:\program files\McAfee\Common Framework\Mctray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\windows\system32\lxddcoms.exe
    c:\windows\system32\lxdncoms.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-05 21:07:52 - machine was rebooted [User]
    ComboFix-quarantined-files.txt 2009-02-06 05:07:47

    Pre-Run: 50,290,454,528 bytes free
    Post-Run: 50,181,177,344 bytes free

    264 --- E O F --- 2008-07-01 23:05:43
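
The review a helper does on a log like the one above can be mechanised. The script below is an added example (not ComboFix's code and not from this thread) that parses the "Reg Loading Points" layout shown in the post and applies three triage heuristics: executables that share an exact byte size under different names (in the log above, wouqua.exe, fodob.exe and kepuwali.exe are all 195584 bytes), service names that look machine-generated (eu9ov7wo3oge9t1g, fujjg6bplgeiilyx), and settings that weaken the host (Security Center notices off, EnableFirewall=0, TCP 3389 opened to everyone). The embedded sample is a constructed excerpt copied from that log; the size-cluster and name-pattern rules are my heuristics, not something ComboFix reports.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example)."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of the log posted above (paths, dates and sizes copied from it).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"nulej"="c:\windows\system32\wouqua.exe" [2008-11-25 195584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"nulej"="c:\windows\system32\wouqua.exe" [2008-11-25 195584]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-10 1042192]
R2 eu9ov7wo3oge9t1g;ASF Agent;c:\windows\system32\fodob.exe [2008-11-27 195584]
S2 fujjg6bplgeiilyx;Ati External Event Utility;c:\windows\system32\kepuwali.exe [2008-11-27 195584]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2008-07-03 33024]
"""

KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)" \[(?P<date>\d{4}-\d\d-\d\d) (?P<size>\d+)\]$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+) '
                        r'\[(?P<date>\d{4}-\d\d-\d\d) (?P<size>\d+)\]$')
DISABLE_NOTIFY_RE = re.compile(r'^"(?P<name>\w+DisableNotify)"=dword:0*1$')
OPEN_PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=')
# Heuristic (assumption): 12+ lowercase letters mixed with digits is not a name a vendor picks.
RANDOM_NAME_RE = re.compile(r'^(?=.*[a-z])(?=.*\d)[a-z0-9]{12,}$')


def parse(log_text):
    """Return (autostart entries, posture findings) from the log text."""
    entries, posture, key = [], [], ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"kind": "run", "source": key, "display": "", **m.groupdict()})
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append({"kind": "service", "source": "services", **m.groupdict()})
            continue
        if "security center" in key and DISABLE_NOTIFY_RE.match(line):
            posture.append(f"Security Center notification disabled: {line}")
        elif "firewallpolicy" in key and line.startswith('"EnableFirewall"= 0'):
            posture.append("Windows Firewall disabled in standard profile")
        elif "globallyopenports" in key and (m := OPEN_PORT_RE.match(line)):
            posture.append(f"Port {m.group('port')} opened to all hosts")
    return entries, posture


def triage(log_text):
    """Apply the three heuristics and return a list of finding dicts."""
    entries, posture = parse(log_text)
    findings = [{"rule": "posture", "detail": p} for p in posture]

    # 1. Size clusters: one dropper written out under several random names keeps
    #    the same byte size each time, so flag any size shared by >= 2 basenames.
    by_size = defaultdict(set)
    for e in entries:
        by_size[e["size"]].add(e["path"].rsplit("\\", 1)[-1].lower())
    for e in entries:
        names = by_size[e["size"]]
        if len(names) >= 2:
            findings.append({"rule": "size-cluster", "path": e["path"],
                             "detail": f"{e['size']} bytes shared by {sorted(names)}"})

    # 2. Machine-generated service names (the display name is often borrowed from real software).
    for e in entries:
        if e["kind"] == "service" and RANDOM_NAME_RE.match(e["name"]):
            findings.append({"rule": "random-name", "path": e["path"],
                             "detail": f"service {e['name']} ({e['display']})"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:12} {f.get('path', ''):45} {f['detail']}")
```

Everything the script flags is a candidate for a hash lookup or a multi-engine upload, not a verdict: legitimate packages occasionally ship same-size binaries, and the name rule is deliberately loose. On the excerpt it flags the two Run entries for wouqua.exe, both random-named services, and four posture items, while leaving the McAfee, ContentWatch and HP entries alone.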

  #15 (joined Aug 2006, location The Middle, age 80, 4,079 posts)
    Go here http://virusscan.jotti.org/
    I want you to upload some files from the computer and let this website do some scans on them. Report back the full report for each file.
    Here are the files; you can copy/paste them one at a time into the box at the top of the page:

    c:\windows\system32\twain32

    c:\windows\system32\wouqua.exe

  #16 (joined Jan 2007, age 67, 201 posts)
    Here is the report for wouqua.exe


    File: wouqua.exe
    Status: INFECTED/MALWARE
    MD5: 2d4f30fde1df2de924154112a2347a55
    Packers detected: -


    Scan taken on 06 Feb 2009 06:50:02 (GMT)
    A-Squared Found Backdoor.Win32.Oderoor!IK
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Backdoor.Oderoor.3.Gen
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    G DATA Found Backdoor.Oderoor.3.Gen
    Ikarus Found Backdoor.Win32.Oderoor.D
    Kaspersky Anti-Virus Found nothing
    NOD32 Found a variant of Win32/Meslice.A
    Norman Virus Control Found nothing
    Panda Antivirus Found Generic
    Sophos Antivirus Found Mal/EncPk-CK
    VirusBuster Found nothing
    VBA32 Found nothing


    This was at the bottom of the page. I don't know if it is related or not.

    Last file scanned at least one scanner reported something about: ldup.exe (MD5: 9e937819f9eaea48a242a8833dc402f3, size: 20480 bytes), detected by:

    Scanner Malware name
    A-Squared Trojan-Downloader.Win32.IstBar!IK
    AntiVir TR/Dldr.IstBar.ggy
    ArcaVir X
    Avast Win32:Trojan-gen {Other}
    AVG Antivirus Generic10.BFLF
    BitDefender Trojan.Downloader.DXT
    ClamAV X
    CPsecure X
    Dr.Web X
    F-Prot Antivirus W32/Downldr2.DSOS
    F-Secure Anti-Virus Trojan-Downloader.Win32.IstBar.ggy
    G DATA Win32:Trojan-gen
    Ikarus X
    Kaspersky Anti-Virus Trojan-Downloader.Win32.IstBar.ggy
    NOD32 probably unknown NewHeur_PE
    Norman Virus Control X
    Panda Antivirus X
    Sophos Antivirus Mal/Generic-A
    VirusBuster X
    VBA32 Trojan-Downloader.Win32.IstBar.vu





    I can't find a file in system32 folder called twain32. There is a folder called twain32, though. It has two files in it. I will scan those. Is there an easy way to get the log other than copying and pasting from the web site?
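
A multi-engine report like the one above is easier to act on once reduced to a detection count and a consensus family name. The parser below is an added example (not Jotti's code, and the line layout is only what this post shows): it reads both forms seen here, "<scanner> Found <verdict>" with "nothing" for a clean result and the table form with "X", counts detections, and pulls a family token out of each vendor name while treating class words such as Backdoor, Win32, Generic and heuristic labels as non-informative. The embedded text is a constructed excerpt copied from the wouqua.exe report; the scanner list and the generic-token set are assumptions of mine.

```python
"""Summarise a multi-engine scan report (added example, not Jotti's own code)."""
import re
from collections import Counter

# The 20 engines named in the report above; used for longest-prefix matching
# because several names contain spaces.
SCANNERS = ("A-Squared", "AntiVir", "ArcaVir", "Avast", "AVG Antivirus", "BitDefender",
            "ClamAV", "CPsecure", "Dr.Web", "F-Prot Antivirus", "F-Secure Anti-Virus",
            "G DATA", "Ikarus", "Kaspersky Anti-Virus", "NOD32", "Norman Virus Control",
            "Panda Antivirus", "Sophos Antivirus", "VirusBuster", "VBA32")
# Tokens that name a class, platform or heuristic rather than a family (assumed list).
GENERIC = {"win32", "w32", "backdoor", "trojan", "downloader", "dldr", "tr", "mal", "gen",
           "generic", "other", "variant", "probably", "unknown", "newheur", "heur"}

# Constructed excerpt copied from the wouqua.exe report in the post above.
SAMPLE_REPORT = """\
A-Squared Found Backdoor.Win32.Oderoor!IK
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.Oderoor.3.Gen
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found Backdoor.Oderoor.3.Gen
Ikarus Found Backdoor.Win32.Oderoor.D
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Meslice.A
Norman Virus Control Found nothing
Panda Antivirus Found Generic
Sophos Antivirus Found Mal/EncPk-CK
VirusBuster Found nothing
VBA32 Found nothing
"""


def parse_report(text):
    """Map scanner name -> verdict string, or None when the engine found nothing."""
    verdicts = {}
    for line in text.splitlines():
        line = line.strip()
        scanner = max((s for s in SCANNERS if line.startswith(s + " ")), key=len, default=None)
        if scanner is None:
            continue  # header, blank or unknown engine
        rest = line[len(scanner):].strip()
        if rest.startswith("Found "):
            rest = rest[len("Found "):]
        verdicts[scanner] = None if rest in ("nothing", "X") else rest
    return verdicts


def family(verdict):
    """Best-effort family name from a vendor verdict; None for generic or heuristic labels."""
    for tok in re.split(r"[^A-Za-z0-9]+", verdict):
        # Skip class words, short suffixes (IK, A, CK), all-caps variant codes and numbered heuristics.
        if (len(tok) >= 4 and tok.lower() not in GENERIC
                and not tok.isupper() and not any(c.isdigit() for c in tok)):
            return tok
    return None


def summarize(text):
    """Detection ratio and family consensus across engines."""
    verdicts = parse_report(text)
    hits = {s: v for s, v in verdicts.items() if v}
    families = Counter(f for f in map(family, hits.values()) if f)
    consensus = families.most_common(1)[0][0] if families else None
    return {"engines": len(verdicts), "detections": len(hits),
            "families": dict(families), "consensus": consensus}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

On the report above this yields 7 detections out of 20 engines, with Oderoor named by four of them and Meslice and EncPk by one each; a family that several independent engines agree on is worth more than the raw count, and a "Found nothing" from any single product says little on its own.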

  #17 (joined Jan 2007, age 67, 201 posts)
    There are two files in the folder c:\windows\system32\twain32: local.ds and user.ds. When I tried running a scan on user.ds it came back with the following message: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".


    local.ds came up with the following.
    File: local.ds
    Status: OK (Note: file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    MD5: 25cec3cc86210ae8e9deca77e449815b

    Did ComboFix run ok even with the antivirus scanner and software running?

  #18 (joined Aug 2006, location The Middle, age 80, 4,079 posts)
    · Make sure the combofix.exe you downloaded is on your Desktop, but do not run it!
    If it is not on your Desktop, the below will not work.
    · Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):

    KillAll::

    File::

    c:\windows\system32\wouqua.exe

    Registry::


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]nulej

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]nulej
    · Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    · At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    · You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    · Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    · Follow the prompts.
    · When it finishes, a log will be produced named c:\combofix.txt
    · Post that log here.

  #19 (joined Jan 2007, age 67, 201 posts)
    Here is the ComboFix log

    ComboFix 09-02-06.01 - User 2009-02-06 10:13:13.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.438 [GMT -8:00]
    Running from: c:\documents and settings\User\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\User\Desktop\CFscript.txt
    AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
    * Created a new restore point
    * Resident AV is active


    FILE ::
    c:\windows\system32\wouqua.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\wouqua.exe

    .
    ((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
    .

    2009-02-05 23:20 . 2009-02-05 23:20 268 --ah----- C:\sqmdata11.sqm
    2009-02-05 23:20 . 2009-02-05 23:20 244 --ah----- C:\sqmnoopt11.sqm
    2009-02-05 22:33 . 2009-02-05 22:33 268 --ah----- C:\sqmdata10.sqm
    2009-02-05 22:33 . 2009-02-05 22:33 244 --ah----- C:\sqmnoopt10.sqm
    2009-02-05 20:06 . 2009-02-05 20:06 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-02-05 20:06 . 2009-02-05 20:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-02-05 12:49 . 2009-02-05 12:49 268 --ah----- C:\sqmdata09.sqm
    2009-02-05 12:49 . 2009-02-05 12:49 244 --ah----- C:\sqmnoopt09.sqm
    2009-02-05 12:42 . 2009-02-05 12:42 268 --ah----- C:\sqmdata08.sqm
    2009-02-05 12:42 . 2009-02-05 12:42 244 --ah----- C:\sqmnoopt08.sqm
    2009-02-03 12:33 . 2009-02-03 14:07 <DIR> d-------- c:\program files\EsetOnlineScanner
    2009-02-03 11:58 . 2009-02-03 11:58 268 --ah----- C:\sqmdata07.sqm
    2009-02-03 11:58 . 2009-02-03 11:58 244 --ah----- C:\sqmnoopt07.sqm
    2009-02-03 11:42 . 2009-02-03 11:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-02-03 11:38 . 2009-02-03 11:38 268 --ah----- C:\sqmdata06.sqm
    2009-02-03 11:38 . 2009-02-03 11:38 244 --ah----- C:\sqmnoopt06.sqm
    2009-02-03 10:52 . 2009-02-03 10:52 268 --ah----- C:\sqmdata05.sqm
    2009-02-03 10:52 . 2009-02-03 10:52 244 --ah----- C:\sqmnoopt05.sqm
    2009-02-03 10:23 . 2009-02-03 10:23 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
    2009-02-01 17:27 . 2009-02-01 17:27 268 --ah----- C:\sqmdata04.sqm
    2009-02-01 17:27 . 2009-02-01 17:27 244 --ah----- C:\sqmnoopt04.sqm
    2009-01-29 13:25 . 2009-01-29 13:25 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-01-29 13:25 . 2009-01-29 13:25 <DIR> d-------- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
    2009-01-29 13:24 . 2009-01-29 13:24 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-01-29 11:56 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-29 11:55 . 2009-02-03 10:56 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-29 11:55 . 2009-01-29 11:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-29 11:55 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-29 11:47 . 2009-01-29 11:47 <DIR> d-------- c:\program files\CCleaner
    2009-01-28 22:28 . 2009-01-28 22:28 <DIR> d-------- c:\program files\Trend Micro
    2009-01-28 12:41 . 2009-02-03 10:57 <DIR> d--hs---- c:\windows\system32\twain32
    2009-01-15 12:20 . 2009-01-15 12:20 268 --ah----- C:\sqmdata03.sqm
    2009-01-15 12:20 . 2009-01-15 12:20 244 --ah----- C:\sqmnoopt03.sqm
    2009-01-13 16:50 . 2009-01-13 16:50 268 --ah----- C:\sqmdata02.sqm
    2009-01-13 16:50 . 2009-01-13 16:50 244 --ah----- C:\sqmnoopt02.sqm
    2009-01-13 11:11 . 2009-01-13 11:11 268 --ah----- C:\sqmdata01.sqm
    2009-01-13 11:11 . 2009-01-13 11:11 244 --ah----- C:\sqmnoopt01.sqm

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-02-04 19:25 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2008-12-08 03:29 --------- d-----w c:\program files\Google
    2000-04-13 20:10 73,184 ----a-w c:\program files\Common Files\Dao2535.tlb
    2000-04-13 20:09 582,144 ----a-w c:\program files\Common Files\Dao350.dll
    2008-11-14 17:17 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
    2008-11-14 17:17 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
    2008-11-14 17:17 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
    2008-11-14 17:17 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
    2008-11-14 17:17 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
    "MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-10-19 177456]
    "McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
    "ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-16 111952]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1040384]
    "AeXAgentLogon"="c:\program files\Altiris\Altiris Agent\AeXAgentActivate.exe" [2008-01-30 143360]
    "Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-03-06 136472]
    "TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageEchoWorkstation\TrueImageMonitor.exe" [2008-03-11 1274744]
    "AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageEchoWorkstation\TimounterMonitor.exe" [2008-03-06 884696]
    "cwcptray"="c:\program files\ContentWatch\Internet Protection\cwtray.exe" [2008-05-05 413968]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-18 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-18 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-18 137752]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "Logitech Hardware Abstraction Layer"="c:\program files\Common Files\Logitech\khalshared\KHALMNPR.EXE" [2006-07-19 94208]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-07-19 c:\windows\KHALMNPR.Exe]

    c:\documents and settings\User\Start Menu\Programs\Startup\
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 101784]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-02-06 561213]
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-08-27 671744]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Avaya IP Softphone Reset.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Avaya IP Softphone Reset.lnk
    backup=c:\windows\pss\Avaya IP Softphone Reset.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    c:\windows\system32\dumprep 0 -k [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
    --a------ 2008-07-03 01:23 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    --a------ 2007-08-24 06:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-07-09 12:30 289064 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 1200 Series]
    --a------ 2006-07-12 21:22 57344 c:\program files\Lexmark 1200 Series\lxczbmgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
    --a------ 2007-04-30 07:19 20480 c:\program files\Lexmark 2500 Series\lxddamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
    --a------ 2007-06-11 18:27 291760 c:\program files\Lexmark 2500 Series\lxddmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnamon]
    --a------ 2007-12-17 01:55 16040 c:\program files\Lexmark 2600 Series\lxdnamon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxdnmon.exe]
    --a------ 2007-12-17 01:55 660136 c:\program files\Lexmark 2600 Series\lxdnmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
    --a------ 2007-02-02 08:00 1116920 c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
    --a------ 2007-01-05 21:36 872448 c:\program files\Analog Devices\Core\smax4pnp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-07-09 11:38 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
    --a------ 2006-09-05 18:02 184320 c:\program files\InterVideo\DVD Check\DVDCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
    "c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
    "c:\\WINDOWS\\system32\\lxdncoms.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnamon.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\frun.exe"=
    "c:\\Program Files\\Lexmark 2600 Series\\lxdnmon.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdntime.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxdnjswx.exe"=
    "c:\\Program Files\\Common Files\\Acronis\\Agent\\agent.exe"=
    "c:\\WINDOWS\\system32\\lxddcoms.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=
    "c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=
    "c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
    R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [2008-03-06 517848]
    R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-10 1042192]
    R2 eu9ov7wo3oge9t1g;ASF Agent;c:\windows\system32\fodob.exe --> c:\windows\system32\fodob.exe [?]
    R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2008-08-27 3712]
    R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
    R2 lxdn_device;lxdn_device;c:\windows\system32\lxdncoms.exe -service --> c:\windows\system32\lxdncoms.exe -service [?]
    R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-07-24 41216]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
    S2 fujjg6bplgeiilyx;Ati External Event Utility;c:\windows\system32\kepuwali.exe [2008-11-27 195584]
    S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2008-07-09 99248]
    S2 lxdnCATSCustConnectService;lxdnCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdnserv.exe [2008-07-08 98984]
    S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2008-07-03 33024]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b88df4-47bf-11dd-91ed-001a73fe6500}]
    \Shell\AutoRun\command - G:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2008-07-08 c:\windows\Tasks\Defrag.job
    - c:\support\Maint\Defrag.bat [2005-05-27 11:29]

    2009-01-19 c:\windows\Tasks\DiskClean.job
    - c:\support\Maint\DiskClean.bat [2005-05-27 10:20]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-nulej - c:\windows\system32\wouqua.exe
    HKLM-RunServices-nulej - c:\windows\system32\wouqua.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://insightschools.angellearning.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    LSP: c:\windows\system32\cwalsp.dll
    DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
    FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\bjhroswq.default\
    FF - prefs.js: browser.startup.homepage - hxxp://insightschools.angellearning.com/frames.aspx
    FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-02-06 10:18:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1024)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(1080)
    c:\windows\system32\relog_ap.dll
    c:\windows\system32\cwalsp.dll
    c:\windows\system32\wxbase28u_vc_CW.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    c:\windows\system32\LEXBCES.EXE
    c:\windows\system32\LEXPPS.EXE
    c:\windows\system32\scardsvr.exe
    c:\program files\McAfee\Common Framework\Mctray.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
    c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
    c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
    c:\windows\system32\lxddcoms.exe
    c:\windows\system32\lxdncoms.exe
    c:\program files\McAfee\Common Framework\FrameworkService.exe
    c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
    c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
    c:\program files\McAfee\Common Framework\naPrdMgr.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-02-06 10:21:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-02-06 18:21:20
    ComboFix2.txt 2009-02-06 05:07:55

    Pre-Run: 50,157,387,776 bytes free
    Post-Run: 50,135,425,024 bytes free

    266 --- E O F --- 2008-07-01 23:05:43
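
    A ComboFix log like the one above is read line by line by the helper, and the parts that deserve a second look are the service entries with random-looking names (eu9ov7wo3oge9t1g, fujjg6bplgeiilyx) or an image ComboFix could not fingerprint ([?]), the Security Center values that silence the antivirus and update warnings, the disabled firewall, the globally open port 3389 and the MountPoints2 AutoRun command. As an added example that is not part of this thread and not ComboFix's own logic, the Python script below parses a constructed excerpt modelled on that log and returns those findings. The rules it applies (what counts as a random-looking name, which policy values to flag) are my assumptions; a [?] by itself is not proof of malware, as the Lexmark entry in the excerpt shows.

```python
"""Triage a ComboFix log: flag services and policy lines a malware-removal
helper would check first.  Added example; the heuristics are assumptions,
not ComboFix's own logic."""
import re

# Constructed excerpt modelled on the ComboFix log format posted in the thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R2 AcronisAgent;Acronis Remote Agent;c:\program files\Common Files\Acronis\Agent\agent.exe [2008-03-06 517848]
R2 CwAltaService20;ContentWatch;c:\program files\ContentWatch\Internet Protection\cwsvc.exe [2008-07-10 1042192]
R2 eu9ov7wo3oge9t1g;ASF Agent;c:\windows\system32\fodob.exe --> c:\windows\system32\fodob.exe [?]
R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]
S2 fujjg6bplgeiilyx;Ati External Event Utility;c:\windows\system32\kepuwali.exe [2008-11-27 195584]
S3 HP24X;HP PC Card Smart Card Reader;c:\windows\system32\drivers\HP24X.sys [2008-07-03 33024]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a2b88df4-47bf-11dd-91ed-001a73fe6500}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
"""

# "R2 name;description;image [date size]" or "... [?]" when ComboFix could not
# fingerprint the file.  The "-->" arrow marks an image path it could not verify.
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<rest>.*)$')
TRAILING_META_RE = re.compile(r'\s*\[([^\]]*)\]$')
# Heuristic (assumption): 12+ chars, all lowercase letters/digits, with digits
# sandwiched between letters, matches the generated names in the log and none
# of the vendor service names there.
RANDOM_NAME_RE = re.compile(r'[a-z0-9]{12,}')
INTERIOR_DIGIT_RE = re.compile(r'[a-z][0-9]+[a-z]')


def parse_service(line):
    """Return a dict for a service/driver line, or None for anything else."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group('rest')
    meta = None
    bm = TRAILING_META_RE.search(rest)
    if bm:
        meta = bm.group(1)
        rest = rest[:bm.start()]
    return {
        'start': m.group('start'),
        'name': m.group('name'),
        'desc': m.group('desc'),
        'image': rest.split('-->')[-1].strip(),
        'meta': meta,
        'unverified': '-->' in rest,
    }


def looks_random(name):
    """True for generated-looking service names such as eu9ov7wo3oge9t1g."""
    return (RANDOM_NAME_RE.fullmatch(name) is not None
            and INTERIOR_DIGIT_RE.search(name) is not None)


def triage(log_text):
    """Return (kind, item, image, reason) tuples for lines worth checking."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        svc = parse_service(line)
        if svc:
            reasons = []
            if looks_random(svc['name']):
                reasons.append('random-looking service name')
            if svc['meta'] == '?':
                reasons.append('image not fingerprinted ([?])')
            if reasons:
                findings.append(('service', svc['name'], svc['image'], '; '.join(reasons)))
            continue
        if re.match(r'"(AntiVirusDisableNotify|UpdatesDisableNotify)"=dword:0*1$', line):
            findings.append(('policy', line.split('"')[1], None, 'Security Center notification disabled'))
        elif re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(('policy', 'EnableFirewall', None, 'Windows Firewall disabled'))
        elif re.match(r'"\d+:(TCP|UDP)"=', line):
            findings.append(('policy', line.split('"')[1], None, 'port globally open in firewall'))
        elif re.match(r'\\Shell\\AutoRun\\command\s+-\s+', line):
            findings.append(('autorun', line.split(' - ', 1)[1], None, 'MountPoints2 AutoRun command'))
    return findings


if __name__ == '__main__':
    for kind, item, image, reason in triage(SAMPLE_LOG):
        print(f'{kind:8} {item:24} {reason}' + (f'  <{image}>' if image else ''))
```

    Run against the excerpt, the two generated-name services are flagged on both rules, while lxdd_device is flagged only because ComboFix printed [?] for it; that second kind of hit is what the helper resolves by hand (vendor, path, file hash) before deciding anything, which is why the script reports reasons rather than verdicts.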

  10. #20
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok, now do another HiJackThis and post the log.
    Almost there I believe.
    Judy
