I can't even update Windows... [Solved]


This topic is locked

#1
Art Wright
New Member, 5 posts
I have run Norton, Spybot, Spyware etc. and still I have redirect virus problems. Windows update won't run, and I can't access Yahoo mail. My attempts to access Malware sites lead me to Google searches for gay sex etc...

Here are my HJT results. Please help; I am a professional digital photographer and I have a wedding album to address...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:14 AM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.mail.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\system32\astsrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Desktop Manager 5.8.809.23506 (GoogleDesktopManager-092308-165331) - Unknown owner - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

--
End of file - 3989 bytes
:)
#2
greyknight17
Malware Expert (Visiting Consultant), 16,560 posts
Happy Holidays and welcome to GTG.

If you have problems getting any of the below programs, you might have to try downloading it from another working computer and copy it over to this infected station.

Download Malwarebytes' Anti-Malware at http://www.besttechi.../mbam-setup.exe or http://www.majorgeek...ware_d5756.html, then double-click on mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform Full Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart (see Extra Note below).
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report into your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


1. Download ComboFix at http://download.blee...Bs/ComboFix.exe and save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3
Art Wright
New Member (Topic Starter), 5 posts
Thank you so much! I am running Anti-Malware right now...

#4
Art Wright
New Member (Topic Starter), 5 posts
Here is the Malware file:

Malwarebytes' Anti-Malware 1.31
Database version: 1544
Windows 5.1.2600 Service Pack 3

12/25/2008 9:03:42 PM
mbam-log-2008-12-25 (21-03-42).txt

Scan type: Full Scan (C:\|D:\|J:\|)
Objects scanned: 359993
Time elapsed: 1 hour(s), 32 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{4897bba6-48d9-468c-8efa-846275d7701b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{4509d3cc-b642-4745-b030-645b79522c6d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7370f91f-6994-4595-9949-601fa2261c8d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator.ARTWRIGHT\Start Menu\Programs\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\videosoft\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\components\iamfamous.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msqpdxxjscbkoh.dll (Trojan.TDSS) -> Delete on reboot.
C:\Documents and Settings\HP_Administrator.ARTWRIGHT\Start Menu\Programs\videosoft\Uninstall.lnk (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\msqpdxhwriacsq.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Here is the Combofix file:

ComboFix 08-12-25.02 - HP_Administrator 2008-12-25 21:11:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.3111 [GMT -5:00]
Running from: c:\documents and settings\HP_Administrator.ARTWRIGHT\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\inst.exe
D:\Autorun.inf
D:\resycled
d:\resycled\boot.com
J:\Autorun.inf
J:\resycled
j:\resycled\boot.com

.
((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-25 19:25 . 2008-12-25 21:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-25 19:25 . 2008-12-25 19:25 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Malwarebytes
2008-12-25 19:25 . 2008-12-25 19:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 19:25 . 2008-12-03 19:59 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-25 19:25 . 2008-12-03 19:59 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 11:54 . 2008-12-25 11:54 <DIR> d-------- c:\program files\CCleaner
2008-12-25 11:52 . 2008-12-25 11:52 <DIR> d-------- C:\!KillBox
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- c:\windows\ERUNT
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- C:\ERDNT
2008-12-25 10:59 . 2008-12-25 10:59 <DIR> d-------- C:\!FixIEDef
2008-12-25 10:58 . 2008-12-25 10:58 <DIR> d-------- C:\VundoFix Backups
2008-12-25 00:12 . 2008-12-25 00:12 <DIR> d-------- c:\program files\Trend Micro
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\program files\AskBarDis
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\program files\Advanced Registry Optimizer
2008-12-25 00:07 . 2008-12-25 00:07 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Sammsoft
2008-12-24 23:37 . 2008-12-24 23:45 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-24 22:21 . 2008-12-24 22:24 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-24 22:21 . 2008-12-24 22:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-24 19:11 . 2008-12-24 19:11 <DIR> d-------- c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Amazon
2008-12-24 19:07 . 2008-12-24 19:07 <DIR> d-------- c:\program files\Amazon
2008-12-23 22:23 . 2008-12-23 22:38 <DIR> d-------- c:\program files\iriver
2008-12-23 22:23 . 2004-06-27 16:45 278,528 --a------ c:\windows\system32\iFPSP.dll
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\N10.SYS
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\ifpusb.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp900.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp800.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp700.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp500.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\ifp300.sys
2008-12-23 22:23 . 2004-03-29 17:28 14,531 --a------ c:\windows\system32\drivers\Ifp1000.sys
2008-12-04 14:28 . 2008-12-04 14:28 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-03 11:39 . 2008-12-03 11:39 <DIR> d--h----- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-25 17:19 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-25 04:47 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 04:44 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-25 03:57 --------- d-----w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\WTablet
2008-12-25 03:56 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet
2008-12-24 03:38 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-19 22:28 --------- d-----w c:\program files\Norton Internet Security
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-11 08:03 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 00:12 --------- d-----w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\CoreFTP
2008-11-02 22:27 --------- d-----w c:\program files\Caricature Software
2008-11-02 20:54 --------- d-----w c:\program files\Topaz Labs
2008-10-27 17:21 --------- d-----w c:\program files\Google
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 13:11 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-10-16 13:11 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 07:06 633,632 ------w c:\windows\system32\dllcache\iexplore.exe
2008-10-15 07:04 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\dllcache\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-02-12 16:24 47,360 ----a-w c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\pcouffin.sys
2008-02-12 16:24 3,443,456 ----a-w c:\program files\1clickdvdcopysetupnt5.4.2.6.exe
2008-02-02 08:40 96,191,567 ----a-w c:\program files\upi12_esd_e.exe
2007-10-29 17:20 8,522,752 ----a-w c:\program files\RescuePROWIN-v33.msi
2007-04-02 08:31 8,190,626,890 ----a-w c:\program files\SH4 Zipped.zip
2007-03-17 06:00 35,979 ----a-w c:\program files\Photoshop CS3 Read Me.html
2006-12-04 16:57 35,232 ----a-w c:\windows\inf\WPN311\ME_INST.EXE
2006-12-04 16:57 26,112 ----a-w c:\windows\inf\WPN311\install.exe
2006-07-05 10:33 472,000 ----a-w c:\windows\inf\WPN311\WPN311.sys
2007-02-03 03:37 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-20 7622656]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates From HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates From HP.lnk
backup=c:\windows\pss\Updates From HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-16 23:11 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-10-01 17:57 289576 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 04:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-10-17 05:41 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 11:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-20 19:06 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=3 (0x3)
"odserv"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 GoogleDesktopManager-092308-165331;Google Desktop Manager 5.8.809.23506;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" []
S3 hpusbwdm;HP DVD Movie Writer dc3000/dc4000;c:\windows\system32\DRIVERS\hpusbwdm.sys [2004-01-05 1080832]
S3 PDEXLOCK;Photodex Hardware Lock Driver;c:\windows\system32\Drivers\PDEXLOCK.sys [2007-02-16 12288]
S3 X-Rite;X-Rite USB Service;c:\windows\system32\DRIVERS\XrUsb.sys [2007-02-14 14936]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-05-19 1373480]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f7eea18-1305-11dd-91d0-001e2a39117a}]
\Shell\AutoRun\command - L:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-12-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2007-03-22 c:\windows\Tasks\Backup.job
- c:\windows\system32\ntbackup.exe [2008-04-14 04:42]

2008-12-22 c:\windows\Tasks\Norton AntiVirus - Scan my computer - HP_Administrator.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-RecordNow! - (no file)
HKLM-Run-PCDrProfiler - (no file)
MSConfigStartUp-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
MSConfigStartUp-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-WPSched4 - c:\program files\WebPosition 4\WPSched4.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Mozilla\Firefox\Profiles\pgcm7mov.default\
FF - prefs.js: browser.startup.homepage - hxxps://login.yahoo.com/config/login_verify2?&.src=ym
FF - component: c:\program files\Mozilla Firefox\components\iamfamous.dll
FF - plugin: c:\documents and settings\HP_Administrator.ARTWRIGHT\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 21:16:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\msqpdxserv.sys]
"imagepath"="\systemroot\system32\drivers\msqpdxhwriacsq.sys"
.
Completion time: 2008-12-25 21:18:43
ComboFix-quarantined-files.txt 2008-12-26 02:17:32

Pre-Run: 241,512,513,536 bytes free
Post-Run: 242,918,682,624 bytes free

212 --- E O F --- 2008-12-18 08:00:42

I can't thank you enough, and there will be compensation.

#5
Art Wright
New Member (Topic Starter), 5 posts
I think I made things worse by deleting some registry items; now I can't even access Yahoo Mail, my website email, or Mozilla email...

#6
greyknight17
Malware Expert (Visiting Consultant), 16,560 posts
What registry items did you delete? Did you use a registry cleaning program to do it? If so, see if you can restore those deleted entries.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

Driver::
msqpdxserv.sys
File::
c:\windows\system32\drivers\msqpdxhwriacsq.sys
Registry::
[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\msqpdxserv.sys]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
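The two logs pasted in post #4 and the reasoning behind the CFScript in post #6 (MBAM quarantined the driver file, but the ComboFix log still shows a service entry whose imagepath loads it) can be checked mechanically. The Python below is an added example for this thread, not code from the original posts or from the MBAM or ComboFix tools. Its log excerpts are constructed from lines visible in post #4, and the parsing rules it applies (the `path (family) -> action` layout of MBAM detection lines, the `[key]` / `"name"=value` layout of the ComboFix Reg Loading Points) are assumptions drawn from those lines.

```python
"""Triage helpers for the two log formats pasted in this thread.

Added example: not part of the original posts and not code from the MBAM or
ComboFix tools. The log excerpts are constructed from lines visible in post #4;
the parsing rules are assumptions based on the layout of those lines.
"""
import re

# Constructed excerpt modelled on the "Files Infected" section of the MBAM log.
MBAM_LOG = """\
Files Infected:
C:\\Program Files\\videosoft\\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\msqpdxxjscbkoh.dll (Trojan.TDSS) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\msqpdxhwriacsq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed excerpt modelled on the "Reg Loading Points" section of the ComboFix log.
COMBOFIX_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\\system\\ControlSet002\\Services\\msqpdxserv.sys]
"imagepath"="\\systemroot\\system32\\drivers\\msqpdxhwriacsq.sys"
"""

# One MBAM detection line reads: <path> (<family>) -> <action>.
MBAM_ITEM = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_items(text):
    """Return (path, family, action) for every detection line in an MBAM log."""
    items = []
    for line in text.splitlines():
        m = MBAM_ITEM.match(line.strip())
        if m:
            items.append((m["path"], m["family"], m["action"]))
    return items


def pending_reboot(items):
    """Paths MBAM could not delete while Windows was up: the component was still loaded."""
    return [path for path, _, action in items if action.lower() == "delete on reboot"]


def parse_reg_blocks(text):
    """Map each [key] header to the "name"=value pairs listed under it (names lower-cased)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            blocks[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            blocks[current][name.strip('"').lower()] = value.strip().strip('"')
    return blocks


def weakened_defences(blocks):
    """Settings that silence Security Center or turn the XP firewall off."""
    findings = []
    for key, values in blocks.items():
        low = key.lower()
        if "security center\\monitoring" in low and values.get("disablemonitoring", "").endswith("1"):
            findings.append(f"{key}: DisableMonitoring=1")
        if low.endswith("firewallpolicy\\standardprofile") and values.get("enablefirewall", "").startswith("0"):
            findings.append(f"{key}: EnableFirewall=0")
    return findings


def leftover_services(blocks, items):
    """Service keys whose imagepath still names a driver file MBAM already removed.

    This is the gap post #6 closes: the file was quarantined but the service entry
    that loads it stayed behind. Returns (registry key, service name, MBAM path).
    """
    by_name = {path.rsplit("\\", 1)[-1].lower(): path for path, _, _ in items}
    hits = []
    for key, values in blocks.items():
        filename = values.get("imagepath", "").rsplit("\\", 1)[-1].lower()
        if "\\services\\" in key.lower() and filename in by_name:
            hits.append((key, key.rsplit("\\", 1)[-1], by_name[filename]))
    return hits


def build_cfscript(hits):
    """Render leftover services in the Driver::/File::/Registry:: layout used in post #6."""
    lines = []
    for key, service, path in hits:
        lines += ["Driver::", service, "File::", path, "Registry::", f"[-{key}]"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_mbam_items(MBAM_LOG)
    regs = parse_reg_blocks(COMBOFIX_LOG)
    print("still loaded at scan time:", pending_reboot(found))
    print("weakened defences:", weakened_defences(regs))
    print(build_cfscript(leftover_services(regs, found)))
```

Run stand-alone, the script reports the TDSS DLL that MBAM could only mark "Delete on reboot" (it was still loaded, which is why the matching driver service survived), flags the two Reg Loading Points in the pasted log that leave Security Center silent and the XP firewall off, and renders the same Driver::/File::/Registry:: block greyknight17 wrote by hand. The two flagged settings are worth re-checking after any cleanup like this one, since nothing in the removal steps above turns them back on.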

#7
Art Wright
New Member (Topic Starter), 5 posts
I was lucky enough to have a nephew from my wife's family who is incredibly smart, and he came over with disks that he had from a computer-company friend and found the rest of the viruses and fixed the registry. Thank you, Greyknight, for your efforts. Let's just say that I hope it doesn't happen again!! Merry Christmas!

#8
greyknight17
Malware Expert (Visiting Consultant), 16,560 posts
No problem. Glad it worked out in the end.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#9
greyknight17
Malware Expert (Visiting Consultant), 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.