backdoor.tidserv!inf virus

kgstew · July 16, 2010

Here is the DDS log and the ark.txt and attach.txt are in the zip folder

DDS (Ver_10-03-17.01) - NTFSx86

Run by HP_Owner at 18:37:34.79 on Wed 07/14/2010

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.472 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Ahead\InCD\InCDsrv.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\j2re1.4.2_09\bin\jusched.exe

C:\windows\system\hpsysdrv.exe

svchost.exe

C:\WINDOWS\system32\hphmon06.exe

C:\HP\KBD\KBD.EXE

C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\ALCWZRD.EXE

C:\WINDOWS\ALCMTR.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\HP\ToolBoxFX\bin\HPTLBXFX.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe

c:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe

C:\Program Files\Greetings Workshop\GWREMIND.EXE

C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe

C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Documents and Settings\HP_Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com

uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

mSearch Page =

mStart Page = hxxp://www.excite.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll

TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

mRun: [sunJavaUpdateSched] c:\program files\java\j2re1.4.2_09\bin\jusched.exe

mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [HPHUPD06] c:\program files\hp\{aac4fc36-8f89-4587-8dd3-ebc57c83374d}\hphupd06.exe

mRun: [HPHmon06] c:\windows\system32\hphmon06.exe

mRun: [KBD] c:\hp\kbd\KBD.EXE

mRun: [updateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [VTTimer] VTTimer.exe

mRun: [AlcxMonitor] ALCXMNTR.EXE

mRun: [PS2] c:\windows\system32\ps2.exe

mRun: [AGRSMMSG] AGRSMMSG.exe

mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [Alcmtr] ALCMTR.EXE

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [inCD] c:\program files\ahead\incd\InCD.exe

mRun: [share-to-Web Namespace Daemon] c:\program files\hp\hp share-to-web\hpgs2wnd.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [QuickCare2.2] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare2.2

mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /systrayIcon:on

mRun: [<NO NAME>]

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\epsonp~1.lnk - e:\titles\register\EPSONREG.EXE

StartupFolder: c:\docume~1\hp_owner\startm~1\programs\startup\greeti~1.lnk - c:\program files\greetings workshop\GWREMIND.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\309731\program\Updates from HP.exe

mPolicies-system: EnableLUA = 0 (0x0)

IE: Add to EverNote - c:\program files\evernote\evernote\enbar.dll/2000

IE: Add To HP Organize... - c:\progra~1\hewlet~1\hporga~1\bin/module.main/favorites\ie_add_to.html

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - {2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} - c:\program files\evernote\evernote\enbar.dll

IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll

DPF: {0BCADE60-1E93-11D8-ABDA-0004759647B3} - hxxp://www.bxwa.com/fastbid/fastbidx1.cab

DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll

DPF: {32322460-3E7D-11D7-ABD8-0001029A9BA6} - hxxp://www.bxwa.com/fastbid/fastbidx2.cab

DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {CAFEEFAC-0014-0002-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

TCP: NameServer = 93.188.162.229,93.188.166.209

TCP: {B52DE8D7-34D0-4847-8676-5D5E2CABDDBB} = 93.188.162.229,93.188.166.209

Notify: igfxcui - igfxsrvc.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

LSA: Notification Packages = scecli scecli scecli scecli scecli

Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_owner\applic~1\mozilla\firefox\profiles\7777ynnq.default\

FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=

FF - plugin: c:\documents and settings\hp_owner\application data\facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\hp_owner\local settings\application data\yahoo!\browserplus\2.8.1\plugins\npybrowserplus_2.8.1.dll

FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJava11.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJava12.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJava13.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJava14.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJava32.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPJPI142_09.dll

FF - plugin: c:\program files\java\j2re1.4.2_09\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false

FF - user.js: browser.sessionstore.resume_from_crash - false

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]

R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]

R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100705.002\naveng.sys [2010-7-5 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100705.002\navex15.sys [2010-7-5 1347504]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-29 135664]

S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]

=============== Created Last 30 ================

2010-07-15 00:30:36 0 ----a-w- c:\documents and settings\hp_owner\defogger_reenable

2010-07-15 00:14:03 0 ----a-w- c:\documents and settings\hp_owner\settings.dat

2010-07-14 10:49:55 45568 ----a-w- c:\windows\system32\ernel32.dll

2010-07-05 21:34:42 0 d-----w- c:\program files\Trend Micro

2010-07-05 21:15:12 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-07-05 21:15:11 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-07-05 19:35:01 0 d-----w- c:\program files\CCleaner

2010-07-05 02:56:30 54016 ----a-w- c:\windows\system32\drivers\ejidty.sys

2010-07-05 01:41:07 0 d-----w- c:\docume~1\hp_owner\applic~1\Malwarebytes

2010-07-05 01:40:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 01:40:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-07-04 21:51:39 45568 ----a-w- c:\docume~1\hp_owner\applic~1\09718943.exe

==================== Find3M ====================

2005-03-28 01:28:22 0 --sha-w- c:\windows\sminst\HPCD.sys

============= FINISH: 18:39:03.37 ===============

Here is the malewarebyts log. This was ran after the creating the other log files, we found that we were only able to run malwarebytes in safe mode. Malwarebytes was run several times in the past few days (in safe mode) but the system becomes reinfected or was never clean even though the log stated that the infected file was deleted successfully. Aargh!

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4277

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 6.0.2900.5512

7/15/2010 6:43:07 PM

mbam-log-2010-07-15 (18-43-07).txt

Scan type: Quick scan

Objects scanned: 142263

Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.229,93.188.166.209 -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{b52de8d7-34d0-4847-8676-5d5e2cabddbb}\NameServer (Trojan.DNSChanger) -> Data: 93.188.162.229,93.188.166.209 -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Windows Server\eskfwc.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\ernel32.dll (Trojan.Agent) -> Quarantined and deleted successfully.

ark.zip

kahdah · July 16, 2010

Hello kgstew

Welcome to Malwarebytes.

=====================

Download ComboFix from one of these locations:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

kgstew · July 16, 2010

Ran combofix and here is the log.

ComboFix 10-07-15.05 - HP_Owner 07/16/2010 16:10:52.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.562 [GMT -6:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\HP_Owner\Application Data\09718943.exe

c:\documents and settings\NetworkService\Local Settings\Application Data\Windows Server

c:\program files\Shared

c:\windows\system32\ernel32.dll

c:\windows\system32\spool\prtprocs\w32x86\317g31aA.dll

c:\windows\system32\spool\prtprocs\w32x86\317i3qGM.dll

c:\windows\system32\spool\prtprocs\w32x86\3mY93o7o.dll

c:\windows\system32\spool\prtprocs\w32x86\3mYW3uOC.dll

c:\windows\system32\spool\prtprocs\w32x86\55555.dll

c:\windows\system32\spool\prtprocs\w32x86\5mY55.dll

c:\windows\system32\spool\prtprocs\w32x86\5q55c.dll

c:\windows\system32\spool\prtprocs\w32x86\5qGMY.dll

c:\windows\system32\spool\prtprocs\w32x86\7931m9g.dll

c:\windows\system32\spool\prtprocs\w32x86\79c1sKU.dll

c:\windows\system32\spool\prtprocs\w32x86\7kUO7oC.dll

c:\windows\system32\spool\prtprocs\w32x86\931cEIQG9.dll

c:\windows\system32\spool\prtprocs\w32x86\9m17wS179.dll

c:\windows\system32\spool\prtprocs\w32x86\c793yW.dll

c:\windows\system32\spool\prtprocs\w32x86\cE3a7kU.dll

c:\windows\system32\spool\prtprocs\w32x86\e17kUOC9.dll

c:\windows\system32\spool\prtprocs\w32x86\eIQG1i.dll

c:\windows\system32\spool\prtprocs\w32x86\g31a9k1yW.dll

c:\windows\system32\spool\prtprocs\w32x86\iQG3iQ.dll

c:\windows\system32\spool\prtprocs\w32x86\K9yW793.dll

c:\windows\system32\spool\prtprocs\w32x86\MY9317.dll

c:\windows\system32\spool\prtprocs\w32x86\o931iQG.dll

c:\windows\system32\spool\prtprocs\w32x86\QGMY17.dll

c:\windows\system32\spool\prtprocs\w32x86\s793u7.dll

c:\windows\system32\spool\prtprocs\w32x86\SK1y93o7o.dll

c:\windows\system32\spool\prtprocs\w32x86\W93y79o.dll

D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected

Restored copy from - Kitty had a snack

.

((((((((((((((((((((((((( Files Created from 2010-06-16 to 2010-07-16 )))))))))))))))))))))))))))))))

.

2010-07-16 21:47 . 2010-07-16 21:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2010-07-16 21:46 . 2010-07-16 21:46 93440 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-16 01:38 . 2010-07-16 01:38 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-07-16 00:31 . 2010-07-16 00:31 -------- d-s---w- c:\documents and settings\Administrator\UserData

2010-07-16 00:28 . 2010-07-16 00:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder

2010-07-16 00:25 . 2010-07-16 00:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-15 00:14 . 2010-07-15 00:14 0 ----a-w- c:\documents and settings\HP_Owner\settings.dat

2010-07-04 22:23 . 2010-07-05 02:08 -------- d-----w- c:\documents and settings\HP_Owner\Local Settings\Application Data\fpjbwhruh

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-16 22:24 . 2005-06-29 01:35 -------- d-----w- c:\program files\Symantec AntiVirus

2010-07-16 22:22 . 2005-05-25 21:36 -------- d-----w- c:\program files\Greetings Workshop

2010-07-15 11:51 . 2004-10-22 01:46 -------- d--h--w- c:\program files\InstallShield Installation Information

2010-07-05 21:34 . 2010-07-05 21:34 -------- d-----w- c:\program files\Trend Micro

2010-07-05 21:15 . 2010-07-05 01:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-07-05 19:35 . 2010-07-05 19:35 -------- d-----w- c:\program files\CCleaner

2010-07-05 13:14 . 2009-08-20 02:03 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-07-05 13:14 . 2009-08-20 02:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-07-05 02:56 . 2010-07-05 02:56 54016 ----a-w- c:\windows\system32\drivers\ejidty.sys

2010-07-05 01:41 . 2010-07-05 01:41 -------- d-----w- c:\documents and settings\HP_Owner\Application Data\Malwarebytes

2010-07-05 01:40 . 2010-07-05 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-05-01 05:49 . 2010-05-01 05:49 862872 ------w- c:\documents and settings\HP_Owner\Application Data\Yahoo!\SearchProtection\fudogs_2.0.1.13_msgr_bts_setup.2010.04.01.01.exe

2010-04-29 21:39 . 2010-07-05 21:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 21:39 . 2010-07-05 21:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2005-03-28 01:28 . 2005-03-28 01:28 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_09\bin\jusched.exe" [2005-07-26 32881]

"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]

"HPHUPD06"="c:\program files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-08 49152]

"HPHmon06"="c:\windows\system32\hphmon06.exe" [2004-06-08 659456]

"KBD"="c:\hp\KBD\KBD.EXE" [2003-02-12 61440]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-15 233472]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-08 57344]

"PS2"="c:\windows\system32\ps2.exe" [2002-10-16 81920]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 88209]

"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 253952]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-05-21 180269]

"SoundMan"="SOUNDMAN.EXE" [2005-04-07 90112]

"AlcWzrd"="ALCWZRD.EXE" [2005-04-07 2805248]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]

"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2004-10-06 161096]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-09-13 1450096]

"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-04-17 196608]

"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]

"ToolBoxFX"="c:\program files\HP\ToolBoxFX\bin\HPTLBXFX.exe" [2005-11-21 45056]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2005-3-27 209016]

QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-3-27 724992]

Updates from HP.lnk - c:\program files\Updates from HP\309731\Program\Updates from HP.exe [2004-10-21 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Intuit\\QuickBooks Pro\\QBW32.EXE"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\spoolsv.exe"=

R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/29/2010 6:40 AM 135664]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 5:56 PM 173392]

.

Contents of the 'Scheduled Tasks' folder

2010-06-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:39]

2010-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-29 12:39]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

mStart Page = hxxp://www.excite.com/

mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop

uInternet Settings,ProxyOverride = <local>

uInternet Settings,ProxyServer = http=127.0.0.1:5577

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com

IE: Add to EverNote - c:\program files\EverNote\EverNote\enbar.dll/2000

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html

DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-VTTimer - VTTimer.exe

AddRemove-Red Alert 2 - k:\red alert\Uninstll.EXE

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-07-16 16:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3844)

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll

c:\program files\Windows Media Player\wmpband.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\AGRSMMSG.exe

c:\windows\SOUNDMAN.EXE

c:\windows\ALCWZRD.EXE

c:\progra~1\SYMANT~1\vptray.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Symantec AntiVirus\Rtvscan.exe

c:\program files\HP\HP Share-to-Web\hpgs2wnf.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe

c:\program files\Greetings Workshop\GWREMIND.EXE

c:\program files\Canon\CAL\CALMAIN.exe

c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2010-07-16 16:30:10 - machine was rebooted

ComboFix-quarantined-files.txt 2010-07-16 22:30

Pre-Run: 139,667,464,192 bytes free

Post-Run: 139,714,768,896 bytes free

- - End Of File - - F68307D88A2D67F7D475CB8BF5B5AFE0

kahdah · July 16, 2010

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

DDS::
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577

Folder::
c:\documents and settings\HP_Owner\Local Settings\Application Data\fpjbwhruh

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

Combofix.txt

===========

Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.

Click on the update tab then click on Check for updates.
If an update is found, it will download and install the latest version.
Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.

=====

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

kgstew · July 17, 2010

Here is the Combo Fix report:

ComboFix 10-07-15.05 - HP_Owner 07/16/2010 19:17:56.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.472 [GMT -6:00]

Running from: c:\documents and settings\HP_Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\HP_Owner\Desktop\CFScript.txt

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\HP_Owner\LOCALS~1\Temp\IadHide5.dll

c:\documents and settings\HP_Owner\Local Settings\Application Data\fpjbwhruh

c:\documents and settings\HP_Owner\Local Settings\Temp\IadHide5.dll

.

((((((((((((((((((((((((( Files Created from 2010-06-17 to 2010-07-17 )))))))))))))))))))))))))))))))

.

2010-07-16 21:47 . 2010-07-16 21:47 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec

2010-07-16 21:46 . 2010-07-16 21:46 93440 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-07-16 01:38 . 2010-07-16 01:38 -------- d-s---w- c:\documents and settings\NetworkService\UserData

2010-07-16 00:31 . 2010-07-16 00:31 -------- d-s---w- c:\documents and settings\Administrator\UserData

2010-07-16 00:28 . 2010-07-16 00:28 -------- d-----w- c:\documents and settings\Administrator\Application Data\Share-to-Web Upload Folder

2010-07-16 00:25 . 2010-07-16 00:25 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-07-15 00:14 . 2010-07-15 00:14 0 ----a-w- c:\documents and settings\HP_Owner\settings.dat

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-07-17 01:35 . 2005-05-25 21:36 -------- d-----w- c:\program files\Greetings Workshop

2010-07-17 01:35 . 2005-06-29 01:35 -------- d-----w- c:\program files\Symantec AntiVirus