Here is the Malware file:
Malwarebytes' Anti-Malware 1.31
Database version: 1544
Windows 5.1.2600 Service Pack 3
12/25/2008 9:03:42 PM
mbam-log-2008-12-25 (21-03-42).txt
Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 359993
Time elapsed: 1 hour(s), 32 minute(s), 43 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.ARTWRIGHT\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\Program Files\videosoft\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxxjscbkoh.dll (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator.ARTWRIGHT\Start Menu\Programs\videosoft\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxhwriacsq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
Here is the Combofix file:
ComboFix 08-12-25.02 - HP_Administrator 2008-12-25 21:11:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3111 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator.ARTWRIGHT\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\inst.exe
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
J:\Autorun.inf
J:\resycled
j:\resycled\boot.com
.
((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.
2008-12-25 19:25 . 2008-12-25 21:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 19:25 . 2008-12-25 19:25 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Malwarebytes
2008-12-25 19:25 . 2008-12-25 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 19:25 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-25 19:25 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 11:54 . 2008-12-25 11:54 <DIR> d-------- c:\program files\CCleaner
2008-12-25 11:52 . 2008-12-25 11:52 <DIR> d-------- C:\!KillBox
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- c:\windows\ERUNT
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- C:\ERDNT
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- C:\!FixIEDef
2008-12-25 10:58 . 2008-12-25 10:58 <DIR> d-------- C:\VundoFix Backups
2008-12-25 00:12 . 2008-12-25 00:12 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\program files\AskBarDis
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Sammsoft
2008-12-24 23:37 . 2008-12-24 23:45 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-24 22:21 . 2008-12-24 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-24 22:21 . 2008-12-24 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 19:11 . 2008-12-24 19:11 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Amazon
2008-12-24 19:07 . 2008-12-24 19:07 <DIR> d-------- c:\program files\Amazon
2008-12-23 22:23 . 2008-12-23 22:38 <DIR> d-------- c:\program files\iriver
2008-12-23 22:23 . 2004-06-27 16:45 278,528 --a------ c:\windows\system32\iFPSP.dll
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\N10.SYS
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\ifpusb.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp900.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp800.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp700.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp500.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\ifp300.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp1000.sys
2008-12-04 14:28 . 2008-12-04 14:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-03 11:39 . 2008-12-03 11:39 <DIR> d--h----- c:\windows\system32\GroupPolicy
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 04:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 04:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 03:57 --------- d-----w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\WTablet
2008-12-25 03:56 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-12-24 03:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 22:28 --------- d-----w c:\program files\Norton Internet Security
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:12 --------- d-----w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\CoreFTP
2008-11-02 22:27 --------- d-----w c:\program files\Caricature Software
2008-11-02 20:54 --------- d-----w c:\program files\Topaz Labs
2008-10-27 17:21 --------- d-----w c:\program files\Google
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-12 16:24 47,360 ----a-w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\pcouffin.sys
2008-02-12 16:24 3,443,456 ----a-w c:\program files\1clickdvdcopysetupnt5.4.2.6.exe
2008-02-02 08:40 96,191,567 ----a-w c:\program files\upi12_esd_e.exe
2007-10-29 17:20 8,522,752 ----a-w c:\program files\RescuePROWIN-v33.msi
2007-04-02 08:31 8,190,626,890 ----a-w c:\program files\SH4 Zipped.zip
2007-03-17 06:00 35,979 ----a-w c:\program files\Photoshop CS3 Read Me.html
2006-12-04 16:57 35,232 ----a-w c:\windows\inf\WPN311\ME_INST.EXE
2006-12-04 16:57 26,112 ----a-w c:\windows\inf\WPN311\install.exe
2006-07-05 10:33 472,000 ----a-w c:\windows\inf\WPN311\WPN311.sys
2007-02-03 03:37 22 --sha-w c:\windows\SMINST\HPCD.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-17 05:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 11:00 90112 c:\windows\Updreg.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-20 19:06 1519616 c:\windows\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" []
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\DRIVERS\hpusbwdm.sys [2004-01-05 1080832]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2007-02-16 12288]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2007-02-14 14936]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-05-19 1373480]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7eea18-1305-11dd-91d0-001e2a39117a}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2007-03-22 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 04:42]
2008-12-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-RecordNow! - (no file)
HKLM-Run-PCDrProfiler - (no file)
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WPSched4 - c:\program files\WebPosition 4\WPSched4.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Mozilla\Firefox\Profiles\pgcm7mov.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-12-25 21:16:50
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxhwriacsq.sys"
.
Completion time: 2008-12-25 21:18:43
ComboFix-quarantined-files.txt 2008-12-26 02:17:32
Pre-Run: 241,512,513,536 bytes free
Post-Run: 242,918,682,624 bytes free
212 --- E O F --- 2008-12-18 08:00:42
I can't thank you enough, and there will be compensation.