Greetings,

I am quite new at how to handle trojan/virus infections. Although I had a free AVG Antivirus installed on my computer, my system got infected just before the new year and I have had little luck with getting it back to normal. I got a Free Trial Panda Global Protection subscription but that did not do much good "against" something called a trj/downloader.mdw. I kept running line scans with Panda's Scan Tool, but Panda did not do anything to the Trojan for close to a week and a half. Panda helped quite a bit with Ad-Ware but I feel there is little Panda can do now, especially since their Tech Support has requested that I call them over the Paid Phone Support Line that they have available. And to be honest, I'd rather upgrade to Malwarebytes Anti-Malware Real Time protection than continue seeking the help of Panda for the time being.

Just a few days ago, I finally looked up a "jasutudo.dll" message that I get every so often and came across the Malwarebytes Forum. I registered and have followed the "I'm infected, what do I do now" protocol, and thus I have put this message together.

My current problem parallels that of another member named "mukhi." This is what mukhi wrote:

"any program i am trying to open (Windows XP Home), for example, notepad, i am getting this error message:

NOTEPAD.EXE - Bad Image

The application or DLL C:\WINDOWS\system32\yepogofa.dll is not a valid Windows image. Please check this against your installation diskette.

since yesterday my firefox is opening on its own leading to unwanted sites. IE is unaffected. i am trying to describe what is happening:

if i click to open firefox to go to say, google.com, after a few seconds another firefox window is popping up leading to unwanted site. then another, then another!!! even if i click to open IE to go to say, google.com, after a few seconds a firefox window is popping up leading to unwanted site. then another, then another!!!"

End of mukhi's description of his problem, pretty much very similar to the problem I have.

****Here is an outline of the steps I have taken, as well as, my CURRENT PROBLEM****

The Steps I have taken:

1. Per the "I'm infected, what do I do now" protocol, I launched Malwarebytes' Anti-Malware, ran a quick scan, and Malwarebytes took care of the following three trojans: trojan.vundo, trojan.vundo.H, and trojan.Agent.

2. The popping up of webpages that mukhi also described in his message, and which were also happening to me, stopped affecting my system after the initial scan of Malwarebytes nuked out the three trojans. In other words, I can surf the net with no more obnoxious pop-ups.

3. However, the very disturbing problem is that I keep getting a similar "Bad Image" message to that of mukhi. For instance, in the process of opening the most recent Malwarebytes log file I got the message

NOTEPAD.EXE - Bad Image

The application or DLL C:\WINDOWS\system32\bijonebe.dll is not a valid Windows image. Please check this against your installation diskette.

4. I went ahead and ran the TrendMicro HijackThis application, again, as instructed on the "I am infected...protocol", and obtained a HijackThis Log file, which I have included below, as number 6 of this outline.

5. As the last step, I am posting both my latest Malwarebytes log file, just below:

Malwarebytes' Anti-Malware 1.33

Database version: 1663

Windows 5.1.2600 Service Pack 3

1/17/2009 11:15:42 PM

mbam-log-2009-01-17 (23-15-42).txt

Scan type: Full Scan (C:\|)

Objects scanned: 99094

Time elapsed: 42 minute(s), 20 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

6. Moreover, I am also posting, below, the log file I got from the HijackThis app.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:16:30 PM, on 1/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csusm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: (no name) - {18142E76-36B3-4961-B951-C72F1661B750} - C:\WINDOWS\system32\byXNefda.dll (file missing)

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [funk] funk.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKUS\S-1-5-20\..\Run: [japikebuma] Rundll32.exe "C:\WINDOWS\system32\sujetafa.dll",s (User 'NETWORK SERVICE')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\bijonebe.dll, njlned.dll

O20 - Winlogon Notify: ssqRIYsT - ssqRIYsT.dll (file missing)

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

--

End of file - 10965 bytes

7. Kindly review the logs I have posted above and offer me some invaluable feedback to address my current "BAD IMAGE. EXE" Problem. I will not install any other programs or take any other action until I am instructed to do so by Malwarebytes Anti-Malware staff.

Best regards,

esperanzaDeus


Hi.

Open HijackThis and put a check next to these:

O2 - BHO: (no name) - {18142E76-36B3-4961-B951-C72F1661B750} - C:\WINDOWS\system32\byXNefda.dll (file missing)

O4 - HKLM\..\Run: [funk] funk.exe

O4 - HKUS\S-1-5-20\..\Run: [japikebuma] Rundll32.exe "C:\WINDOWS\system32\sujetafa.dll",s (User 'NETWORK SERVICE')

O20 - AppInit_DLLs: C:\WINDOWS\system32\bijonebe.dll, njlned.dll

O20 - Winlogon Notify: ssqRIYsT - ssqRIYsT.dll (file missing)

Click Fix Checked and close HJT.

----------------

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall
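The five entries the helper picks out above share a few traits that can be checked mechanically: an entry whose file is already gone, a Run value with no path at all, an autorun sitting under the NETWORK SERVICE hive, anything listed in AppInit_DLLs (which is mapped into every process that loads user32.dll, so a corrupt or deleted DLL there produces exactly the "Bad Image" message from the first post), and a Winlogon Notify package. The script below is an added example, not a tool from this thread or from HijackThis; it applies those heuristics to a constructed sample in the HijackThis v2.0.2 line format, built from the entries quoted in the thread. The rules are triage heuristics, not verdicts: a hit means "look at this line", and a clean line is not proof of anything.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 log format, modelled on the
# entries quoted in the thread (this is not the full log from the post).
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: (no name) - {18142E76-36B3-4961-B951-C72F1661B750} - C:\WINDOWS\system32\byXNefda.dll (file missing)
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [funk] funk.exe
O4 - HKUS\S-1-5-20\..\Run: [japikebuma] Rundll32.exe "C:\WINDOWS\system32\sujetafa.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\bijonebe.dll, njlned.dll
O20 - Winlogon Notify: ssqRIYsT - ssqRIYsT.dll (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O4 - <hive>\..\Run: [name] command" (also RunOnce). "Global Startup"
# lines have a different shape and are shortcuts, not registry values.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
USER_SUFFIX_RE = re.compile(r" \(User '[^']*'\)$")


@dataclass
class Finding:
    line: str
    reasons: list


def _run_entry_reasons(m: re.Match) -> list:
    reasons = []
    hive = m.group("hive")
    cmd = USER_SUFFIX_RE.sub("", m.group("cmd"))
    # A bare file name with no drive or directory relies on PATH search
    # order; legitimate installers almost always register a full path.
    if not re.search(r"[\\:]", cmd):
        reasons.append("Run value has no path (bare executable name)")
    # S-1-5-18/19/20 are LocalSystem, LocalService and NetworkService; an
    # autorun under a service account hive is not a normal user setting.
    if re.search(r"\\S-1-5-(18|19|20)\b", hive):
        reasons.append("Run value lives under a built-in service account hive")
    # rundll32 is a signed host that executes an export of the named DLL.
    if re.match(r'"?rundll32(\.exe)?"?\s', cmd, re.IGNORECASE):
        reasons.append("rundll32 loads a DLL at logon; inspect the DLL")
    return reasons


def triage_line(line: str) -> list:
    """Return the reasons one HijackThis line deserves review ([] if none)."""
    reasons = []
    if "(file missing)" in line:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if line.startswith("O20 - AppInit_DLLs:") and line.split(":", 1)[1].strip():
        # Every DLL listed here is loaded into each process that maps
        # user32.dll, which is why a broken one breaks Notepad and friends.
        reasons.append("non-empty AppInit_DLLs: DLL injected into every GUI process")
    if line.startswith("O20 - Winlogon Notify:"):
        reasons.append("Winlogon Notify package: DLL loaded by winlogon.exe at logon")
    m = RUN_RE.match(line)
    if m:
        reasons.extend(_run_entry_reasons(m))
    return reasons


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the flagged ones."""
    findings = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, the script flags exactly the five lines the helper listed and leaves the Google, Java, Adobe and Bonjour entries alone. To use it on a real log, paste the whole file into `triage_log`; the O4/O20 rules are the ones that matter for the "Bad Image" symptom, while the `(file missing)` rule mostly finds leftovers from a partial cleanup.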


Hello,

As instructed, I opened HJT. However, this time O4 - HKUS\S-1-5-20\..\Run: [japikebuma] Rundll32.exe "C:\WINDOWS\system32\sujetafa.dll",s (User 'NETWORK SERVICE') no longer came up on HJT. So, I only checked the other four remaining items and clicked "Fix Checked".

Now, I am just very CONFUSED because when I tried proceeding to Download ComboFix from links 1 and 2 from the three choices offered, the download could not complete. In both instances, as ComboFix was downloading, close to about 97% download, I get a message from Panda something like this, "Heuristic scan discovered a malicious file and has deleted". My interpretation of the event is that Panda, currently I have a Trial Panda Total Protection license, thinks ComboFix is a threat and it did not allow ComboFix to download. (FYI, MozillaFireFox's Download window has FAILED next to both instances of ComboFix attempts to download, also Panda's Event Log says "Suspicious Files Notified".)

May I please be informed if and how I need to make Panda allow me to download ComboFix. That is, will I need to adjust Panda's protection settings (i.e., turn off the firewall, and allow momentarily inbound connections from the Internet, Mozilla Firefox) so I can download ComboFix, Save it to my desktop and run the app.

I await your reply. In the meantime, below I have posted the most recent HJT log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:15:11 PM, on 1/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\IFACE.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PAVJOBS.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csusm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

--

End of file - 10506 bytes

Thanks a million for your continued feedback and help.

esperanzaDeus


Yes, you will need to turn off Panda shortly to download Combofix and run it. Once done, be sure to turn it back on as soon as possible. I assure you, there is nothing wrong with Combofix.

Hello Tigger,

Disabling Panda allowed me to download "ComboFix", install it and run it. Here is the log; it's a bit lengthy. (Note: May you please tell me what each section of the log means, just want to become more informed, :0). Also, one thing that worried me a bit when reading the log is the WARNING. Just by chance I came across another user's problems, yes I like to learn a bit more every now and then, and there was some talk about installing a "Recovery Console", is that something recommended for anyone, in the event of an infection. Lastly, how is it possible that I may have the "Recovery Console" installed just to be more prepared for another incident and be more assured not to be caught off guard in the event of a more challenging circumstance.)

ComboFix 09-01-18.01 - Tony 2009-01-18 17:07:21.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.143 [GMT -8:00]

Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe

AV: Panda Global Protection 2009 *On-access scanning disabled* (Updated)

FW: Panda Personal Firewall 2009 *disabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\Tony\Application Data\install.dat

c:\documents and settings\Tony\Local Settings\Temporary Internet Files\fbk.sts

c:\windows\IE4 Error Log.txt

c:\windows\system32\amunojez.ini

c:\windows\system32\awujasek.ini

c:\windows\system32\biaybxkv.ini

c:\windows\system32\bijonebe.dll

c:\windows\system32\cadmqqjd.dll

c:\windows\system32\efelagiv.ini

c:\windows\system32\fdpbjuyf.ini

c:\windows\system32\gilareku.dll

c:\windows\system32\gizivami.dll

c:\windows\system32\ifihiyin.ini

c:\windows\system32\iturifan.ini

c:\windows\system32\labufibi.dll

c:\windows\system32\ledohefi.dll

c:\windows\system32\nomepume.dll

c:\windows\system32\novojona.dll

c:\windows\system32\obvampdq.dll

c:\windows\system32\oftphsec.dll

c:\windows\system32\ppfekcmk.dll

c:\windows\system32\uvoperow.ini

c:\windows\system32\vojonoku.dll

c:\windows\system32\zidepego.dll

c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://77.74.48.105

.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))

.

2009-01-17 05:35 . 2009-01-17 05:35 399,360 --a------ c:\windows\system32\dllcache\rpcss.dll

2009-01-13 23:36 . 2009-01-13 23:36 <DIR> d-------- c:\program files\Trend Micro

2009-01-12 00:10 . 2009-01-17 22:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-12 00:10 . 2009-01-12 00:10 <DIR> d-------- c:\documents and settings\Tony\Application Data\Malwarebytes

2009-01-12 00:10 . 2009-01-12 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 00:10 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-12 00:10 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-07 10:03 . 2009-01-07 10:03 2,713 ---hs---- c:\windows\system32\tuforihu.dll

2009-01-06 22:02 . 2009-01-06 22:02 2,713 ---hs---- c:\windows\system32\majegafu.dll

2009-01-02 21:37 . 2009-01-02 21:37 2,713 ---hs---- c:\windows\system32\togupiji

2009-01-02 09:39 . 2009-01-02 09:39 2,713 ---hs---- c:\windows\system32\jelihepe.dll

2008-12-31 11:05 . 2008-12-31 11:05 2,713 ---hs---- c:\windows\system32\gatosisu.dll

2008-12-28 03:30 . 2008-12-28 18:22 <DIR> d-------- C:\SysFolder

2008-12-28 02:29 . 2009-01-18 15:15 13,880 --a------ c:\windows\system32\drivers\COMFiltr.sys

2008-12-28 00:31 . 2008-12-28 00:31 <DIR> d-------- c:\documents and settings\Administrator

2008-12-27 22:26 . 2009-01-18 16:12 8,627 --a------ c:\windows\system32\PAV_FOG.OPC

2008-12-27 22:07 . 2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys

2008-12-27 22:07 . 2008-12-27 22:07 261 --a------ c:\windows\system32\PavCPL.dat

2008-12-27 22:06 . 2009-01-18 15:15 242,408 --a------ c:\windows\system32\drivers\APPFCONT.DAT.bck

2008-12-27 22:06 . 2009-01-18 15:15 242,408 --a------ c:\windows\system32\drivers\APPFCONT.DAT

2008-12-27 22:06 . 2008-06-18 16:06 193,792 --a------ c:\windows\system32\drivers\idsflt.sys

2008-12-27 22:06 . 2008-06-18 16:06 52,992 --a------ c:\windows\system32\drivers\dsaflt.sys

2008-12-27 22:06 . 2008-06-18 16:06 46,720 --a------ c:\windows\system32\drivers\wnmflt.sys

2008-12-27 22:06 . 2009-01-18 17:14 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG.bck

2008-12-27 22:06 . 2009-01-18 17:14 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG

2008-12-27 22:05 . 2008-12-27 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Backup

2008-12-27 22:05 . 2008-07-11 14:58 158,848 --a------ c:\windows\system32\drivers\NETFLTDI.SYS

2008-12-27 22:05 . 2008-06-25 15:42 73,728 --a------ c:\windows\system32\drivers\APPFLT.SYS

2008-12-27 22:05 . 2008-03-28 11:25 22,072 --a------ c:\windows\system32\drivers\fnetmon.sys

2008-12-27 22:04 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl

2008-12-27 22:03 . 2003-10-22 18:23 446,464 --a------ c:\windows\system32\HHActiveX.dll

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\windows\system32\PAV

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\program files\Panda Security

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\documents and settings\Tony\Application Data\Panda Security

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security

2008-12-27 22:02 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll

2008-12-27 22:02 . 2008-06-26 11:25 197,888 --a------ c:\windows\system32\drivers\neti1634.sys

2008-12-27 22:02 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll

2008-12-27 22:02 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL

2008-12-27 22:02 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll

2008-12-27 22:02 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll

2008-12-27 22:02 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll

2008-12-27 21:59 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-27 21:57 . 2008-12-27 21:57 <DIR> d-------- c:\program files\Common Files\Panda Security

2008-12-27 21:57 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys

2008-12-27 21:57 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys

2008-12-27 21:38 . 2008-12-27 21:38 <DIR> d-------- C:\kav

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-19 00:23 --------- d-----w c:\documents and settings\Tony\Application Data\Skype

2009-01-19 00:06 --------- d-----w c:\documents and settings\Tony\Application Data\skypePM

2008-12-28 06:02 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-28 03:17 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-28 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-27 21:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-11-23 20:46 --------- d-----w c:\documents and settings\Tony\Application Data\U3

2008-10-03 06:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100220081003\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]

"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]

"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"APVXDWIN"="c:\program files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" [2008-12-03 869632]

"SCANINICIO"="c:\program files\Panda Security\Panda Global Protection 2009\Inicio.exe" [2008-07-07 50432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 180224]

KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2008-03-18 16:58 58672 c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Documents and Settings\\Tony\\Desktop\\setup.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\kav\\kav7\\setup.exe"=

"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2008-12-27 28544]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2008-12-27 73728]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2008-12-27 52992]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2008-12-27 22072]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2008-12-27 193792]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2008-12-27 22:05:15 158848]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-12-27 41144]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2008-12-27 46720]

R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\drivers\neti1634.sys [2008-12-27 197888]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

R4 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]

R4 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-12-27 179640]

R4 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Global Protection 2009\psksvc.exe [2008-12-27 28928]

S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2008-07-04 457856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\LaunchU3.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-28 c:\windows\Tasks\Basic clean-up.job

- c:\program files\Panda Security\Panda Global Protection 2009\PlaTasks.exe [2008-07-03 17:55]

2009-01-19 c:\windows\Tasks\seqjujpc.job

- c:\windows\system32\rundll32.exe [2008-04-13 16:12]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-UpgConfVer - (no file)

Notify-WgaLogon - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.csusm.edu/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\ltty772m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Creative Commons

FF - prefs.js: browser.startup.homepage - hxxp://www.csusm.edu/

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 17:14:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?7?2?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)

c:\windows\system32\avldr.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Panda Security\Panda Global Protection 2009\TPSrv.exe

c:\program files\Panda Security\Panda Global Protection 2009\WebProxy.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Panda Security\Panda Global Protection 2009\PsCtrlS.exe

c:\program files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

c:\program files\Common Files\Panda Security\PavShld\PavPrSrv.exe

c:\program files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

c:\program files\Panda Security\Panda Global Protection 2009\PAVSRV51.EXE

c:\program files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\Panda Security\Panda Global Protection 2009\FIREWALL\PSHost.exe

c:\windows\system32\wscntfy.exe

c:\program files\Panda Security\Panda Global Protection 2009\SrvLoad.exe

c:\program files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Skype\Plugin Manager\skypePM.exe

c:\program files\Java\jre1.6.0_07\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2009-01-18 17:23:06 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-19 01:22:48

Pre-Run: 48,920,723,456 bytes free

Post-Run: 48,824,188,928 bytes free

249 --- E O F --- 2008-12-18 19:21:12

B. Note: ***Here is the most recent HJT log:***

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:38, on 1/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\ApvxdWin.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\IFACE.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csusm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

--

End of file - 10537 bytes

Again, THANK YOU for your continued help.

esperanzaDeus


Don't worry about the recovery console for now.

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

c:\windows\system32\dllcache\rpcss.dll

c:\windows\system32\tuforihu.dll

c:\windows\system32\majegafu.dll

c:\windows\system32\togupiji

c:\windows\system32\jelihepe.dll

c:\windows\system32\gatosisu.dll

c:\windows\Tasks\seqjujpc.job

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.
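An added example (not part of this thread, and not ComboFix's or Malwarebytes' own code): a small Python triage script that reads the sections of a ComboFix log that mattered above (the "Files Created" listing, the "BITS: Possible infected sites" lines and the "Scheduled Tasks" folder), turns the pattern the helper acted on into explicit rules, and renders the `File::` block in the form the CFScript procedure above expects. The sample log is constructed from the line shapes in the log posted earlier, not the full log. The rules (an 8-letter lowercase stem on a hidden+system file directly in system32; a random-named .job whose command is rundll32.exe) are my heuristics derived from that log, not ComboFix's detection logic, and the `File::` directive is used only as the helper's instructions show it. The script puts the freshly created dllcache copy of rpcss.dll on a review list rather than a delete list, whereas the helper chose to include it; that is an analyst's judgment the heuristics do not try to reproduce.

```python
"""Triage a ComboFix log and draft the File:: section of a CFScript."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout ComboFix uses. The line shapes are copied
# from the log posted in this thread; this is not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\bijonebe.dll
----- BITS: Possible infected sites -----
hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.
2009-01-17 05:35 . 2009-01-17 05:35 399,360 --a------ c:\windows\system32\dllcache\rpcss.dll
2009-01-12 00:10 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-07 10:03 . 2009-01-07 10:03 2,713 ---hs---- c:\windows\system32\tuforihu.dll
2009-01-02 21:37 . 2009-01-02 21:37 2,713 ---hs---- c:\windows\system32\togupiji
2008-12-27 22:02 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll
.
Contents of the 'Scheduled Tasks' folder
2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2009-01-19 c:\windows\Tasks\seqjujpc.job
- c:\windows\system32\rundll32.exe [2008-04-13 16:12]
"""

# "Files Created" line: created . modified size attrs path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
TASK_RE = re.compile(r"^\d{4}-\d{2}-\d{2} (?P<job>\S.*\.job)$")
TASK_CMD_RE = re.compile(r"^- (?P<cmd>.+?) \[\d{4}-\d{2}-\d{2} \d{2}:\d{2}\]$")
# Heuristic (assumption): the dropped files above all have 8-letter stems.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")


@dataclass
class FileEntry:
    created: str
    size: Optional[int]  # None for <DIR>
    attrs: str
    path: str

    @property
    def hidden_system(self) -> bool:
        # ComboFix attribute string: 'h' = hidden, 's' = system
        return "h" in self.attrs and "s" in self.attrs


def parse_combofix(text: str) -> Dict[str, list]:
    """Pull file entries, BITS download sources and scheduled tasks out of a log."""
    files: List[FileEntry] = []
    bits: List[str] = []
    tasks: List[Tuple[str, str]] = []
    pending_job: Optional[str] = None
    in_bits = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("----- BITS:"):
            in_bits = True
            continue
        if in_bits:
            if line.startswith(("hxxp://", "http://")):
                bits.append(line)
                continue
            in_bits = False
        m = FILE_RE.match(line)
        if m:
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            files.append(FileEntry(m["created"], size, m["attrs"], m["path"]))
            continue
        m = TASK_RE.match(line)
        if m:
            pending_job = m["job"]
            continue
        m = TASK_CMD_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m["cmd"]))
            pending_job = None
    return {"files": files, "bits": bits, "tasks": tasks}


def triage(parsed: Dict[str, list]) -> Tuple[List[str], List[str]]:
    """Return (delete_candidates, review_items)."""
    delete: List[str] = []
    review: List[str] = []
    for f in parsed["files"]:
        if f.size is None:
            continue
        folder, _, name = f.path.rpartition("\\")
        stem = name.split(".")[0]
        in_system32 = folder.lower().endswith(r"\windows\system32")
        # Rule 1: hidden+system file with a random-looking 8-letter stem directly
        # in system32: the shape of every dropped DLL in the log above.
        if in_system32 and f.hidden_system and RANDOM_STEM.match(stem):
            delete.append(f.path)
        # Rule 2: a fresh copy of a core DLL in the WFP cache could be an update
        # or a replacement; leave that decision to a human.
        elif folder.lower().endswith(r"\windows\system32\dllcache"):
            review.append(f"{f.path} (created {f.created}, {f.size} bytes)")
    for job, cmd in parsed["tasks"]:
        job_stem = job.rpartition("\\")[2].split(".")[0]
        # Rule 3: a random-named .job whose only command is rundll32.exe
        # is a loader for a DLL, not a vendor updater.
        if cmd.lower().endswith("\\rundll32.exe") and RANDOM_STEM.match(job_stem):
            delete.append(job)
    # Rule 4: BITS download sources are not files; list them for blocking/lookup.
    review.extend(parsed["bits"])
    return delete, review


def build_cfscript(delete: List[str]) -> str:
    """Render the File:: block in the form the helper's instructions use."""
    return "File::\n" + "\n".join(delete) + "\n"


if __name__ == "__main__":
    parsed = parse_combofix(SAMPLE_LOG)
    delete, review = triage(parsed)
    print(build_cfscript(delete))
    for item in review:
        print("REVIEW:", item)
```

Run it as-is and it prints a three-line `File::` block (the two random-named system32 files and seqjujpc.job) plus two review items (the dllcache rpcss.dll and the BITS address). Files already listed under "Other Deletions" are ignored, since ComboFix has removed them; the real log's Find3M and registry sections are not parsed either.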


Hello again Tigger,

It was a long day at work and I have just turned on my computer to check my e-mails and continue looking into getting my laptop into top shape. I will try your next recommendation and will post the logs in a bit.

esperanzaDeus


Hello Tigger,

I ran the procedure that you instructed me to do, dragging the CFScript.txt file into ComboFix. As you stated, ComboFix was started and it produced a log file. However, once the log file popped up on the screen, my computer seemed to go 'blank', as none of the Desktop ICONS appeared on the screen, only the screensaver. I allowed about 5 minutes after the ComboFix log report appeared on the screen but nothing seemed to happen, and the computer DID NOT reboot on its own as it did yesterday, when I ran the first instance of ComboFix on my computer, per your instructions. Please note that I DID NOT TOUCH any of the keys or the mouse/touchpad. Because nothing seemed to be happening, I turned off the laptop by pressing down on the "POWER" button and unplugged it for about 2-3 minutes. Then I rebooted the computer manually.

Once the computer rebooted, and the Desktop icons had repopulated the computer screen, I did a bit of looking for the ComboFix log file using EXPLORE; the ComboFix log file is that which was produced per the CFScript.txt file. I posted that log below.

Now, here is a big question for you. May you please take a look at the ComboFix log file and tell me if everything went well? As I said above, the computer seemed to "freeze" and I am afraid that the ComboFix scan did not go well. On the other hand, the fact that the ComboFix log was produced may very possibly mean that tonight's ComboFix scan, per your codebox command entries, went well. Please let me know what you think.

*****Here is the ComboFix log*****

ComboFix 09-01-18.01 - Tony 2009-01-20 0:27:43.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.478.135 [GMT -8:00]

Running from: c:\documents and settings\Tony\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Tony\Desktop\CFScript.txt

AV: Panda Global Protection 2009 *On-access scanning disabled* (Updated)

FW: Panda Personal Firewall 2009 *disabled*

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

c:\windows\system32\dllcache\rpcss.dll

c:\windows\system32\gatosisu.dll

c:\windows\system32\jelihepe.dll

c:\windows\system32\majegafu.dll

c:\windows\system32\togupiji

c:\windows\system32\tuforihu.dll

c:\windows\Tasks\seqjujpc.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\dllcache\rpcss.dll

c:\windows\system32\gatosisu.dll

c:\windows\system32\jelihepe.dll

c:\windows\system32\majegafu.dll

c:\windows\system32\togupiji

c:\windows\system32\tuforihu.dll

c:\windows\Tasks\seqjujpc.job

.

((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))

.

2009-01-13 23:36 . 2009-01-13 23:36 <DIR> d-------- c:\program files\Trend Micro

2009-01-12 00:10 . 2009-01-17 22:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-12 00:10 . 2009-01-12 00:10 <DIR> d-------- c:\documents and settings\Tony\Application Data\Malwarebytes

2009-01-12 00:10 . 2009-01-12 00:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-01-12 00:10 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-12 00:10 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2008-12-28 03:30 . 2008-12-28 18:22 <DIR> d-------- C:\SysFolder

2008-12-28 02:29 . 2009-01-19 23:35 13,880 --a------ c:\windows\system32\drivers\COMFiltr.sys

2008-12-28 00:31 . 2008-12-28 00:31 <DIR> d-------- c:\documents and settings\Administrator

2008-12-27 22:26 . 2009-01-18 16:12 8,627 --a------ c:\windows\system32\PAV_FOG.OPC

2008-12-27 22:07 . 2008-04-28 17:35 84,024 --a------ c:\windows\system32\drivers\pavdrv51.sys

2008-12-27 22:07 . 2008-12-27 22:07 261 --a------ c:\windows\system32\PavCPL.dat

2008-12-27 22:06 . 2009-01-18 15:15 242,408 --a------ c:\windows\system32\drivers\APPFCONT.DAT.bck

2008-12-27 22:06 . 2009-01-18 15:15 242,408 --a------ c:\windows\system32\drivers\APPFCONT.DAT

2008-12-27 22:06 . 2008-06-18 16:06 193,792 --a------ c:\windows\system32\drivers\idsflt.sys

2008-12-27 22:06 . 2008-06-18 16:06 52,992 --a------ c:\windows\system32\drivers\dsaflt.sys

2008-12-27 22:06 . 2008-06-18 16:06 46,720 --a------ c:\windows\system32\drivers\wnmflt.sys

2008-12-27 22:06 . 2009-01-20 00:21 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG.bck

2008-12-27 22:06 . 2009-01-20 00:21 1,132 --a------ c:\windows\system32\drivers\APPFLTR.CFG

2008-12-27 22:05 . 2008-12-27 22:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Backup

2008-12-27 22:05 . 2008-07-11 14:58 158,848 --a------ c:\windows\system32\drivers\NETFLTDI.SYS

2008-12-27 22:05 . 2008-06-25 15:42 73,728 --a------ c:\windows\system32\drivers\APPFLT.SYS

2008-12-27 22:05 . 2008-03-28 11:25 22,072 --a------ c:\windows\system32\drivers\fnetmon.sys

2008-12-27 22:04 . 2007-03-15 19:38 54,832 --a------ c:\windows\system32\pavcpl.cpl

2008-12-27 22:03 . 2003-10-22 18:23 446,464 --a------ c:\windows\system32\HHActiveX.dll

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\windows\system32\PAV

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\program files\Panda Security

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\documents and settings\Tony\Application Data\Panda Security

2008-12-27 22:02 . 2008-12-27 22:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Panda Security

2008-12-27 22:02 . 2008-06-18 18:03 520,448 --a------ c:\windows\system32\PavSHook.dll

2008-12-27 22:02 . 2008-06-26 11:25 197,888 --a------ c:\windows\system32\drivers\neti1634.sys

2008-12-27 22:02 . 2008-06-24 14:48 193,280 --a------ c:\windows\system32\TpUtil.dll

2008-12-27 22:02 . 2007-02-08 11:53 107,568 --a------ c:\windows\system32\SYSTOOLS.DLL

2008-12-27 22:02 . 2008-06-18 18:03 87,296 --a------ c:\windows\system32\PavLspHook.dll

2008-12-27 22:02 . 2008-03-18 16:58 58,672 --a------ c:\windows\system32\avldr.dll

2008-12-27 22:02 . 2008-06-18 18:03 55,552 --a------ c:\windows\system32\pavipc.dll

2008-12-27 21:59 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys

2008-12-27 21:57 . 2008-12-27 21:57 <DIR> d-------- c:\program files\Common Files\Panda Security

2008-12-27 21:57 . 2008-02-07 12:03 179,640 --a------ c:\windows\system32\drivers\PavProc.sys

2008-12-27 21:57 . 2008-03-04 15:59 41,144 --a------ c:\windows\system32\drivers\ShlDrv51.sys

2008-12-27 21:38 . 2008-12-27 21:38 <DIR> d-------- C:\kav

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)

2008-12-27 18:10 . 2008-12-27 18:10 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-20 08:31 --------- d-----w c:\documents and settings\Tony\Application Data\Skype

2009-01-20 07:37 --------- d-----w c:\documents and settings\Tony\Application Data\skypePM

2008-12-28 06:02 --------- d--h--w c:\program files\InstallShield Installation Information

2008-12-28 03:17 --------- d-----w c:\program files\Spybot - Search & Destroy

2008-12-28 03:12 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2008-12-27 21:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8

2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys

2008-11-23 20:46 --------- d-----w c:\documents and settings\Tony\Application Data\U3

2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll

2008-10-03 06:28 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100220081003\index.dat

.

((((((((((((((((((((((((((((( snapshot@2009-01-18_17.20.50.62 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys

+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys

+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe

+ 2009-01-20 07:41:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_a84.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 68856]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-06-03 21718312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"HPHUPD05"="c:\program files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-05-22 49152]

"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]

"HPHmon05"="c:\windows\system32\hphmon05.exe" [2003-05-22 483328]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 98304]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 536576]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-06-17 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-06-17 118784]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-04-30 208958]

"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 286720]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-05-05 185896]

"PAC7302_Monitor"="c:\windows\PixArt\PAC7302\Monitor.exe" [2006-11-03 319488]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]

"APVXDWIN"="c:\program files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" [2008-12-03 869632]

"SCANINICIO"="c:\program files\Panda Security\Panda Global Protection 2009\Inicio.exe" [2008-07-07 50432]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 180224]

KODAK Software Updater.lnk - c:\program files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]

2008-03-18 16:58 58672 c:\windows\system32\avldr.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PskSvcRetail]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=

"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

"c:\\Documents and Settings\\Tony\\Desktop\\setup.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\kav\\kav7\\setup.exe"=

"c:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 pavboot;Panda boot driver;c:\windows\system32\drivers\pavboot.sys [2008-12-27 28544]

R1 APPFLT;App Filter Plugin;c:\windows\system32\drivers\APPFLT.SYS [2008-12-27 73728]

R1 DSAFLT;DSA Filter Plugin;c:\windows\system32\drivers\dsaflt.sys [2008-12-27 52992]

R1 FNETMON;NetMon Filter Plugin;c:\windows\system32\drivers\fnetmon.sys [2008-12-27 22072]

R1 IDSFLT;Ids Filter Plugin;c:\windows\system32\drivers\idsflt.sys [2008-12-27 193792]

R1 NETFLTDI;Panda Net Driver [TDI Layer];c:\windows\system32\drivers\NETFLTDI.SYS [2008-12-27 22:05:15 158848]

R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\ShlDrv51.sys [2008-12-27 41144]

R1 WNMFLT;Wifi Monitor Filter Plugin;c:\windows\system32\drivers\wnmflt.sys [2008-12-27 46720]

R3 NETIMFLT01060034;PANDA NDIS IM Filter Miniport v1.6.0.34;c:\windows\system32\drivers\neti1634.sys [2008-12-27 197888]

R3 PavTPK.sys;PavTPK.sys;\??\c:\windows\system32\PavTPK.sys --> c:\windows\system32\PavTPK.sys [?]

R4 Gwmsrv;Panda Goodware Cache Manager;c:\windows\system32\svchost -k Panda --> c:\windows\system32\svchost -k Panda [?]

R4 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2008-12-27 179640]

R4 PskSvcRetail;Panda PSK service;c:\program files\Panda Security\Panda Global Protection 2009\psksvc.exe [2008-12-27 28928]

S3 PAC7302;PAC7302 VGA USB Camera;c:\windows\system32\drivers\PAC7302.SYS [2008-07-04 457856]

--- Other Services/Drivers In Memory ---

*Deregistered* - ComFiltr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

panda REG_MULTI_SZ Gwmsrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\Shell\AutoRun\command - G:\LaunchU3.exe

.

Contents of the 'Scheduled Tasks' folder

2008-12-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2008-12-28 c:\windows\Tasks\Basic clean-up.job

- c:\program files\Panda Security\Panda Global Protection 2009\PlaTasks.exe [2008-07-03 17:55]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.csusm.edu/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Tony\Application Data\Mozilla\Firefox\Profiles\ltty772m.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Creative Commons

FF - prefs.js: browser.startup.homepage - hxxp://www.csusm.edu/

FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-20 00:31:16

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????2?7?2?8??????? ???B???????????????B? ??????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1192)

c:\windows\system32\avldr.dll

.

Completion time: 2009-01-20 0:34:30

ComboFix-quarantined-files.txt 2009-01-20 08:33:34

ComboFix2.txt 2009-01-19 01:23:09

Pre-Run: 48,752,283,648 bytes free

Post-Run: 48,747,999,232 bytes free

214 --- E O F --- 2009-01-19 08:18:21

*****Here is the HJT log file*****

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 01:03, on 1/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csusm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

--

End of file - 10433 bytes

Sorry it took me a bit to read your post, and to proceed with your instructions. As I said, it was a bit of a long day at work.

Thanks a million!!!

esperanzaDeus


Go start -> run and type in combofix /u to remove Combofix.

Everything looks good now. Do you still have any problems?

Hello Tigger,

I am just leaving work, around 7:00 p.m. PST. I will remove ComboFix when I get home in a couple of hours, and will give you an update on how things are running. Again, it may just take me a bit to reply to you b/c I have a few errands to run.

esperanzaDeus


Go start -> run and type in combofix /u to remove Combofix.

Everything looks good now. Do you still have any problems?

Hello Tigger,

As part of giving you an update on any further problems or on any "lingering malware", I went ahead and ran a SCAN of my computer using Panda Global Protection. I went ahead and ran the SCAN just after my computer booted up. There was an update, and I went ahead and updated the virus and threat definitions from Panda. So, I let the SCAN run while I had dinner.

OK. So, I checked on my computer to see how the Panda SCAN was doing, and lo and behold the SCAN found a virus, something called Trj/CI.A. Here is the information on that:

Panda Global Protection 2009 incident report

Filter selected:Virus detected, Suspicious file, Dangerous file, Script execution, Phone connection, Connection attempt, Port scan attack, Denial of service attack, Spoofing, Attacking IP address blocked, Enabled, Disabled, Update, Scan started, Scan complete, Date: All

INCIDENT NOTIFIED BY DATE-TIME RESULT ADDITIONAL INFORMATION

----------------

Virus detected: Trj/CI.A On-demand antivirus scan 1/20/2009 20:46 Deleted Path: C:\Documents and Settings\Tony\Desktop\ComboFix.exe

Once the Panda SCAN ended, I attempted to follow your instructions to remove ComboFix. However, when I checked the screen and tried Start > Run > combofix /u, the icon for ComboFix was gone and a message window came up saying "Windows cannot find 'combofix'...."

My guess is that Panda removed the ComboFix.exe file when it detected the Virus Trj/CI.A somehow attached to ComboFix.

Ok. I have some concerns. I am not sure if this applies to what happened to me, but I understand that in some cases when something gets deleted (please note that I am not saying "uninstalled"), some files that the application or file may have used and produced are left behind. So, my first concern is: what if Panda, in deleting the ComboFix.exe file, DID NOT uninstall all of the temporary files that ComboFix may have created and filed in my system, somehow leaving those files behind on my hard drive?

So, how can I "uninstall" any such ComboFix-related files that may have been left behind the moment Panda deleted the ComboFix.exe file? In other words, what do I do now?

FYI, using EXPLORER I ran into a FOLDER on the C drive that goes by the name of Qoobox. The folder appears to have stuff related to ComboFix. For example, in that folder there are two additional folders called BankEnv and Quarantine, a ComboFix-Quarantined-files.txt file, the CFScript I may have used last night from your post yesterday, and two files called Snapshot...

All in all, is the Qoobox folder something that I need to delete as well, now manually?

Overall, my computer is running better, with no more "Bad Image" message popping up at startup or when opening apps. My goal now is to please get your input on what I may do to check that the Trj/CI.A is completely gone and will not come back. Also, can you help me by rechecking new MBAM and HJT logs? I will post the logs when the MBAM scan is over in a bit. Lastly, do I need to redownload ComboFix from the links you gave me earlier and run a new ComboFix scan?

Again, your continued help and investment in my computer virus/trojan-related issues is very much appreciated.

Thanks,

esperanzaDeus


Hello Tigger,

Per my most recent message to you, here are the latest logs for MBAM and HJT:

1. MBAM log,

Malwarebytes' Anti-Malware 1.33

Database version: 1673

Windows 5.1.2600 Service Pack 3

1/20/2009 11:12:27 PM

mbam-log-2009-01-20 (23-12-27).txt

Scan type: Full Scan (C:\|)

Objects scanned: 99533

Time elapsed: 35 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

2. HJT log,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 23:21, on 1/20/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

C:\PROGRAM FILES\PANDA SECURITY\PANDA GLOBAL PROTECTION 2009\WebProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\AVENGINE.EXE

c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\ApvxdWin.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

C:\WINDOWS\system32\hphmon05.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\PixArt\PAC7302\Monitor.exe

C:\Program Files\QuickTime\QTTask.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\SRVLOAD.EXE

C:\Program Files\Panda Security\Panda Global Protection 2009\PavBckPT.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Panda Security\Panda Global Protection 2009\IFACE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.csusm.edu/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start

O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [PAC7302_Monitor] C:\WINDOWS\PixArt\PAC7302\Monitor.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Global Protection 2009\APVXDWIN.EXE" /s

O4 - HKLM\..\Run: [sCANINICIO] "C:\Program Files\Panda Security\Panda Global Protection 2009\Inicio.exe"

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsCtrls.exe

O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PavFnSvr.exe

O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe

O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\pavsrv51.exe

O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda global protection 2009\firewall\PSHOST.EXE

O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PsImSvc.exe

O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\PskSvc.exe

O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Global Protection 2009\TPSrv.exe

--

End of file - 10505 bytes

Again, THANK YOU in advance for your continued help.

esperanzaDeus


Good morning Tigger,

Asked to come in to work a bit later to catch up with you.

Per your recommendations, I went ahead and looked for the QooBox and Combofix files in the C drive. Somehow, I was only able to find the Qoobox file and deleted it. On the other hand, I searched for any "combofix" files (using Explore, Search and Run) but nothing came up. So I am a bit at odds, :0(. I trust Combofix is gone completely.

On a more comprehensive update: way, way last night, because of how long it took, I went ahead and "went back to the basics" of running scans with more than one antivirus application to confirm the "purity" of a system. So, I went to Kaspersky and ran the Kaspersky Online Scan on my computer. Kaspersky found nothing ;) .

Ok. Just this morning I opted to run the very first malware scan app that identified part of the problem I started with, this app being SysClean by Trend Micro Systems. I did not uninstall the version that detected the virus when I first picked them up before the end of the year, and although there are newer releases for SysClean, I am not sure how to uninstall it completely and download a newer release, and also I don't have much time right now, and I wanted to give you an update really badly.

So I ran the release of SysClean that I have in my C drive and something a bit odd came up while the scan was performing. I noticed that there were several lines where SysClean reported something of an <Error 94> when scanning some dat and some ddt? files. I think the pathnames referenced included something like "chat message, user..." under NT. However, the only "chatting" I have done is posting messages to this forum. All in all, Trend Micro did not find any viruses either, ;) .

Here is the SysClean log file for this morning's scan:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2009-01-22, 07:47:31, Auto-clean mode specified.

2009-01-22, 07:47:32, Initialized Rootkit Driver version 2.2.0.1004.

2009-01-22, 07:47:32, Running scanner "C:\SysFolder\TSC.BIN"...

2009-01-22, 07:48:13, Scanner "C:\SysFolder\TSC.BIN" has finished running.

2009-01-22, 07:48:13, TSC Log:


Hello Tigger,

I just finished running a whole computer scan of my laptop using Panda Global Protection and "Neither viruses nor other malicious malware have been detected", :) . So I guess my laptop is pure now.

Lastly, before you take the step of closing off this thread, would you please let me know if you recommend running a diagnostic tool such as HJT and/or ComboFix periodically and having someone help me decipher such logs so as to maximize my laptop's performance. As I stated earlier, I know the bare-bones basics of computers, and once my trial license for Panda's Total Global Protection expires I plan to update MBAM to real-time protection. Yet, I would like to know what other steps I may take to make sure that no unnecessary stuff gets filed away on my system.

So, please give me your input on an app, or a few apps, that may help me keep my computer clean and "free" of unnecessary "temp" files and stuff like cookies. What about stuff like CCleaner? Lately I also read of some "rootkit" check-up apps, such as RootkitRevealer hosted by Microsoft. What do you think? Please do respond to this question on CCleaner and RootkitRevealer.

All in all, I understand all of your guidance and patience have paid off bountifully to my benefit. THANK YOU indeed.

Chirho!!!

esperanzaDeus


Lastly, before you take the step of closing off this thread, would you please let me know if you recommend running a diagnostic tool such as HJT and/or ComboFix periodically and having someone help me decipher such logs so as to maximize my laptop's performance.

You should absolutely not use them without help from an expert, especially Combofix. Only if you have malware problems should you seek help here, else you should ask in the PC help forum.

So, please give me your input on a, or a few apps, that may help me keep my computer clean and "free" of unnecessary "temp" files and stuff like cookies.

I recommend CCleaner.

What about stuff like CCleaner? Lately I also read of some "rootkit" check-up apps, such as RootkitRevealer hosted by Microsoft.

I've not a clue about RootkitRevealer, never used it.


Hello again Tigger,

Your "here is to reality-check advice" about how and what stuff to use, :) , is most welcome. To be sure, as I keep on repeating, not knowing prompts me "to ask" questions, get feedback and "become more educated". For example, your sound advice of reaching out to the PC Help Forum is much welcome advice.

To be sure, I commit to starting a new thread in this forum (rather than going at it blindly alone) in the event I encounter new/additional malware problems.

Gracias (Thanx) Tigger!!!

esperanzaDeus
