WiredWX Christian Hobby Weather Tools
backdoor.tidserv!inf and Trojan Horse - need help
Symantec full scan is showing backdoor.tidserv!inf (file name TDSS135e.tmp) and Trojan Horse (file name snapsnet.tmp). Please find the HijackThis and Fixwareout reports below.

----------hijackthis log -------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:11 PM, on 12/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\DigitalPersona\Bin\DpHost.exe
C:\WINDOWS\system32\IFXSPMGT.exe
C:\WINDOWS\system32\IFXTCS.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ProtectTools\Embedded Security Software\PSDrt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\Program Files\Intel\AMT\atchk.exe
C:\WINDOWS\SMINST\Scheduler.exe
C:\PAYCLOCK\PCSCMGR.EXE
C:\PAYCLOCK\TouchStation\TSMGR.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [atchk] "C:\Program Files\Intel\AMT\atchk.exe"
O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
O4 - HKLM\..\Run: [CognizanceTS] rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe
O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\SMINST\Scheduler.exe
O4 - HKLM\..\Run: [PayClockServer] C:\PAYCLOCK\PCSCMGR.EXE
O4 - HKLM\..\Run: [PayClockTerminalService] C:\PAYCLOCK\PC50\PCTSCMGR.EX_
O4 - HKLM\..\Run: [TouchStation] C:\PAYCLOCK\TouchStation\TSMGR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: FTP Utility.lnk = C:\Program Files\KONICA MINOLTA\FTP Utility\KMFtp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01A7790-4640-4A52-AAF9-A5B269D9CEE1}: NameServer = 10.51.54.1
O20 - AppInit_DLLs: vjjaqt.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Intel(R) AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: User Authentication Manager (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\WINDOWS\system32\IFXSPMGT.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\WINDOWS\system32\IFXTCS.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Program Files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7666 bytes

----------------Fixwareout report -----------

Username "Administrator" - 12/03/2008 19:47:36 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"RTHDCPL"="RTHDCPL.EXE"
"PTHOSTTR"="C:\\Program Files\\Hewlett-Packard\\HP ProtectTools Security Manager\\PTHOSTTR.EXE /Start"
"atchk"="\"C:\\Program Files\\Intel\\AMT\\atchk.exe\""
"SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
"CognizanceTS"="rundll32.exe C:\\PROGRA~1\\HPQ\\IAM\\Bin\\AsTsVcc.dll,RegisterModule"
"Recguard"="C:\\WINDOWS\\Sminst\\Recguard.exe"
"Reminder"="C:\\WINDOWS\\Creator\\Remind_XP.exe"
"Scheduler"="C:\\WINDOWS\\SMINST\\Scheduler.exe"
"PayClockServer"="C:\\PAYCLOCK\\PCSCMGR.EXE"
"PayClockTerminalService"="C:\\PAYCLOCK\\PC50\\PCTSCMGR.EX_"
"TouchStation"="C:\\PAYCLOCK\\TouchStation\\TSMGR.EXE"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Re: backdoor.tidserv!inf and Trojan Horse - need help
Hello.
Fixwareout won't do anything; that fixes DNS hijackers, and you don't have a DNS hijacker.


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
    O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\vjjaqt.dll


  • Press "Fix Checked"
  • Close Hijack This.


Delete this file in bold:
C:\WINDOWS\system32\vjjaqt.dll



  • Download combofix from here, use the top links - combofix.exe
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.


  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will see this next prompt, which asks if you want to continue the malware scan; select yes


  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
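The reply above picks three lines out of the HijackThis log by eye: two unnamed O2 BHO hooks whose DLL is already gone, and an O20 AppInit_DLLs entry. The following Python script is an added example, not part of this thread and not HijackThis or ComboFix code; it applies the same three checks mechanically to HijackThis-format entry lines, and adds the O17 check that the reply alludes to when it says there is no DNS hijacker (a NameServer entry pointing at a public address). The heuristics and the names `parse_entries`, `triage` and `Finding` are this example's own; the sample lines are copied from the log posted above.

```python
"""Triage HijackThis-style log lines for the entry types acted on in this thread.

Added example (not HijackThis code). Heuristics, assumed for illustration:
  * O2  - BHO with "(no name)" whose DLL is "(file missing)": an orphaned hook
  * O17 - NameServer pointing at a public IP: possible DNS hijack
  * O20 - AppInit_DLLs non-empty: Windows loads that DLL into every process
          that maps user32.dll, a classic injection point
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: entry lines in the format HijackThis prints, taken from
# the log posted above (plus the legitimate Java BHO line for contrast).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {A63E645F-13BD-45ED-B15F-6E8C1BD57279} - C:\WINDOWS\system32\cbXNGyYo.dll (file missing)
O2 - BHO: (no name) - {F71A5BB8-9560-4941-8D92-4745475B7570} - C:\WINDOWS\system32\ddcBQjHy.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{A01A7790-4640-4A52-AAF9-A5B269D9CEE1}: NameServer = 10.51.54.1
O20 - AppInit_DLLs: vjjaqt.dll
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
"""

# Every HijackThis entry starts with a section code such as R0, O2, O23.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    code: str    # HijackThis section code the line belongs to
    reason: str  # why the line was flagged
    line: str    # the original log line


def parse_entries(log_text):
    """Return (code, body, raw_line) for each entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("code"), m.group("body"), raw))
    return entries


def triage(log_text):
    """Apply the three heuristics above and return a list of Finding objects."""
    findings = []
    for code, body, line in parse_entries(log_text):
        if code == "O2" and body.startswith("BHO:"):
            # Layout: "BHO: <name> - {CLSID} - <dll path>[ (file missing)]"
            name = body[len("BHO:"):].split(" - ")[0].strip()
            if name == "(no name)" and body.endswith("(file missing)"):
                findings.append(Finding(code, "unnamed BHO whose DLL no longer exists", line))
        elif code == "O17":
            # Layout: "<registry key>: NameServer = <ip>[,<ip>...]"
            m = re.search(r"NameServer = (.+)$", body)
            if m:
                for ip in re.split(r"[ ,]+", m.group(1).strip()):
                    try:
                        addr = ipaddress.ip_address(ip)
                    except ValueError:
                        continue
                    # Private/LAN resolvers (10/8, 192.168/16, ...) are expected;
                    # a public resolver on a LAN client deserves a look.
                    if addr.is_global:
                        findings.append(Finding(code, f"DNS server {ip} is a public address", line))
        elif code == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding(code, f"AppInit_DLLs injects {value} into user32 processes", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

Run against the sample, the script reports exactly the two O2 lines and the O20 line that the reply told the poster to fix, and stays silent on the O17 line because 10.51.54.1 is a private LAN address. The checks are deliberately narrow: a named BHO with a present DLL, like the Java helper, is not flagged, so the output is a starting list for a human to verify, not a verdict.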

backdoor.tidserv!inf and Trojan Horse - need help
ComboFix 08-12-04.04 - Administrator 2008-12-04 21:59:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT -6:00]
Running from: c:\hijack\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\IUpd721
c:\documents and settings\Administrator\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\cyfair2\Application Data\gadcom
c:\documents and settings\cyfair2\Application Data\IUpd721
c:\documents and settings\cyfair2\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\cyfair2\Application Data\NI.GSCNS
c:\documents and settings\cyfair2\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\cyfair2\Application Data\NI.GSCNS\settings.ini
c:\documents and settings\cyfair2\Application Data\SpeedRunner
c:\documents and settings\cyfair2\Application Data\SpeedRunner\config.cfg
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\cyfair2\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\cyfair2\Start Menu\Programs\Startup\DW_Start.lnk
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
c:\windows\system32\beyjmpmr.ini
c:\windows\system32\dlpxunyg.dll
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\gpitwgfl.ini
c:\windows\system32\kkneag.dll
c:\windows\system32\x64
c:\windows\system32\xfxlbkvs.ini
c:\windows\system32\yHjQBcdd.ini
c:\windows\system32\yHjQBcdd.ini2
c:\windows\wiaserviv.log
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-03 20:14 . 2008-12-03 20:14 d-------- c:\program files\Trend Micro
2008-12-03 19:47 . 2008-12-03 20:15 d-------- C:\fixwareout
2008-12-03 13:00 . 2008-12-03 13:00 0 --a------ c:\windows\vpc32.INI
2008-12-03 12:55 . 2008-12-03 12:55 d-------- c:\program files\Symantec
2008-12-03 12:55 . 2006-09-18 17:55 109,744 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-12-03 12:55 . 2006-09-18 17:55 48,816 --a------ c:\windows\system32\S32EVNT1.DLL
2008-12-03 12:54 . 2008-12-04 22:09 d-------- c:\program files\Symantec AntiVirus
2008-12-03 12:54 . 2008-12-03 12:55 d-------- c:\program files\Common Files\Symantec Shared
2008-12-03 12:54 . 2008-12-03 12:55 d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-12-03 12:43 . 2008-12-03 12:43 d-------- c:\windows\ERUNT
2008-12-03 12:42 . 2008-12-03 12:52 d-------- C:\SDFix
2008-12-03 09:19 . 2008-12-03 18:46 d-------- c:\program files\UnHackMe
2008-12-03 09:19 . 2008-12-03 09:19 (2) -rahs-ot- c:\windows\winstart.bat
2008-12-03 03:02 . 2008-12-04 21:04 d-------- C:\hijack
2008-12-02 12:29 . 2008-12-02 12:26 70,892,224 --a------ C:\counterspy.exe
2008-12-01 20:48 . 2008-12-01 20:48 d--h----- c:\windows\system32\GroupPolicy
2008-12-01 18:49 . 2008-12-01 18:49 9,662 --a------ c:\windows\system32\pinkip.ico
2008-12-01 10:12 . 2008-12-01 21:05 118,784 --a------ c:\windows\system32\chg.exe
2008-12-01 08:36 . 2008-12-01 21:30 2,259 --a------ c:\windows\system32\TDSSxbqe.dll
2008-12-01 08:31 . 2008-12-03 13:29 d-------- c:\windows\system32\VC
2008-12-01 08:31 . 2008-12-03 13:39 d-------- c:\windows\system32\uv9
2008-12-01 08:31 . 2008-12-03 13:27 d-------- c:\windows\system32\ki3
2008-12-01 08:31 . 2008-12-03 13:27 d-------- c:\windows\system32\hov
2008-12-01 08:31 . 2008-12-01 08:31 d-------- c:\windows\system32\bin
2008-12-01 08:31 . 2008-12-01 08:31 d-------- c:\temp\DIV55
2008-12-01 08:31 . 2008-12-03 12:51 d-------- C:\Temp
2008-12-01 08:31 . 2008-12-01 08:31 192,604 --a------ c:\windows\system32\g80.exe
2008-11-30 09:26 . 2008-12-03 13:08 d-------- c:\documents and settings\cyfair2\Application Data\Twain
2008-11-29 09:15 . 2008-11-29 09:15 318,464 --a------ c:\windows\system32\DDCBQJHY.DLL.del

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-01 16:37 18,456 ----a-w c:\documents and settings\cyfair2\Application Data\GDIPFONTCACHEV1.DAT
2008-06-11 22:26 61,224 ----a-w c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2006-06-08 131072]
"atchk"="c:\program files\Intel\AMT\atchk.exe" [2007-01-09 404288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"CognizanceTS"="c:\progra~1\HPQ\IAM\Bin\AsTsVcc.dll" [2003-12-22 17920]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-04-24 888832]
"PayClockServer"="c:\payclock\PCSCMGR.EXE" [2007-12-12 372736]
"TouchStation"="c:\payclock\TouchStation\TSMGR.EXE" [2008-01-24 303104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-04 c:\windows\RTHDCPL.exe]

c:\documents and settings\cyfair2\Start Menu\Programs\Startup\
netuse.bat [2007-09-23 113]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
FTP Utility.lnk - c:\program files\KONICA MINOLTA\FTP Utility\KMFtp.exe [2004-10-27 102400]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
2006-06-07 13:26 40448 c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IfxWlxEN]
2006-04-06 22:00 434176 c:\windows\system32\IfxWlxEN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli AsWlnPkg

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\WINDOWS\\system32\\mstsc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Medisoft\\Bin\\MAPA.EXE"=
"c:\\Program Files\\Medisoft\\Bin\\Ohp.exe"=
"c:\\PAYCLOCK\\MAPDB.exe"=
"c:\\PAYCLOCK\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\Bteng32m.exe"=
"c:\\PAYCLOCK\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\RBEdit.exe"=
"c:\\PAYCLOCK\\InstChecker.exe"=
"c:\\PAYCLOCK\\Pcihsv.exe"=
"c:\\PAYCLOCK\\Pcscmgr.exe"=
"c:\\PAYCLOCK\\dbmgr.exe"=
"c:\\PAYCLOCK\\RENYRUN.exe"=
"c:\\PAYCLOCK\\TERMMGR.exe"=
"c:\\PAYCLOCK\\Export32.exe"=
"c:\\PAYCLOCK\\LicMgr32.exe"=
"c:\\PAYCLOCK\\Reny.exe"=
"c:\\PAYCLOCK\\RepWrite.exe"=
"c:\\PAYCLOCK\\Register32.exe"=
"c:\\PAYCLOCK\\EZConfig.exe"=
"c:\\PAYCLOCK\\ExpressConfig.exe"=
"c:\\PAYCLOCK\\QB02Sync.exe"=
"c:\\PAYCLOCK\\QBExport.exe"=
"c:\\PAYCLOCK\\QB03Sync.exe"=
"c:\\PAYCLOCK\\QBSetup.exe"=
"c:\\PAYCLOCK\\QB03Wiz.exe"=
"c:\\PAYCLOCK\\QB03Exp.exe"=
"c:\\PAYCLOCK\\EmpReports.exe"=
"c:\\PAYCLOCK\\PC50\\MAPDB.exe"=
"c:\\PAYCLOCK\\PC50\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\PC50\\Bteng32m.exe"=
"c:\\PAYCLOCK\\PC50\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\PC50\\RBEdit.exe"=
"c:\\PAYCLOCK\\PC50\\Pcihsv.exe"=
"c:\\PAYCLOCK\\PC50\\PCTSCMGR.EXE"=
"c:\\PAYCLOCK\\PC50\\FingerConvert.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\MAPDB.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\MapDBWizard.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Bteng32m.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Bt32smgr.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\RBEdit.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\Pcihsv.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\EnrollWiz.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\TSMgr.exe"=
"c:\\PAYCLOCK\\TOUCHS~1\\FingerConvert.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2006-04-06 31104]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-03 99376]
R3 IFXTPM;IFXTPM;c:\windows\system32\DRIVERS\IFXTPM.SYS [2007-07-06 36608]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe -k netsvcs [2006-02-27 14336]
S3 dpK00701;U.are.U® Fingerprint Reader Upper Driver;c:\windows\system32\DRIVERS\dpK00701.sys [2008-06-06 46592]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys []
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys []
S3 SavRoam;SAVRoam;"c:\program files\Symantec AntiVirus\SavRoam.exe" [2006-09-27 116464]
S3 TOUCHDSP;TouchStation LCD/LED USB driver;c:\windows\system32\Drivers\TOUCHDSP.sys [2008-06-06 49152]
S3 TOUCHSTA;TOUCHSTA;c:\windows\system32\drivers\TouchSta.sys [2008-06-06 20736]
S3 usbdpfp;U.are.U® Fingerprint Reader Class Driver;c:\windows\system32\DRIVERS\usbdpfp.sys [2008-06-06 47104]
S3 VirtDisk;XSS Virtual Disk Driver;\??\c:\windows\sminst\VirtDisk.sys [2007-07-06 57344]
S4 PayClockServer;PayClock Database Service;c:\payclock\BTENG32M.EXE /SCN:PayClockServer [2008-06-06 208955]
S4 PayClockTerminalServer;PayClock Terminal Service;c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:PayClockTerminalServer [2008-06-06 208955]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance REG_MULTI_SZ ASChannel

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
.
Contents of the 'Scheduled Tasks' folder

2008-06-10 c:\windows\Tasks\shut.job
- c:\tools\shut.bat [2008-04-22 18:17]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PayClockTerminalService - c:\payclock\PC50\PCTSCMGR.EX_
MSConfigStartUp-51478563 - c:\windows\system32\rmpmjyeb.dll
MSConfigStartUp-SpeedRunner - c:\documents and settings\cyfair2\Application Data\SpeedRunner\SpeedRunner.exe
MSConfigStartUp-uodhbiiqudvkbp - c:\windows\system32\oewknkyiyev.dll
MSConfigStartUp-webHancer Agent - c:\program files\webHancer\Programs\whagent.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 22:10:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PayClockServer]
"ImagePath"="c:\payclock\BTENG32M.EXE /SCN:PayClockServer"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PayClockTerminalServer]
"ImagePath"="c:\payclock\TOUCHS~1\BTENG32M.EXE /SCN:PayClockTerminalServer"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)
c:\program files\HPQ\IAM\Bin\AsWlnPkg.dll
c:\windows\system32\IfxWlxEN.dll

- - - - - - - > 'lsass.exe'(1196)
c:\program files\HPQ\IAM\bin\AsWlnPkg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\DigitalPersona\Bin\DpHost.exe
c:\windows\system32\IFXSPMGT.exe
c:\windows\system32\IFXTCS.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\ProtectTools\Embedded Security Software\PSDsrvc.EXE
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\HPQ\IAM\Bin\asghost.exe
c:\program files\ProtectTools\Embedded Security Software\PSDrt.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-12-04 22:12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 04:12:52

Pre-Run: 58,960,220,160 bytes free
Post-Run: 59,480,363,008 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

248 --- E O F --- 2008-11-13 09:01:53

Re: backdoor.tidserv!inf and Trojan Horse - need help
Hello.
Just a few leftovers to get.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\chg.exe
c:\windows\system32\TDSSxbqe.dll
c:\windows\winstart.bat
c:\windows\system32\g80.exe
c:\documents and settings\cyfair2\Start Menu\Programs\Startup\netuse.bat

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:

This will open combofix.exe again; agree to its terms and allow it to run. It may want to reboot after it's done. Post the resulting log back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: backdoor.tidserv!inf and Trojan Horse - need help
Due to lack of feedback, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

............................................................................................

Please be a GeekPolice fan on Facebook!


Have we helped you? Help us! | Doctor by day, ninja by night.
