jono428 Posted June 6, 2010 ID:262937 Share Posted June 6, 2010 Thank you for your help in advance... I have run Malwarebytes, Combofix, SDFix, SuperAntiSpyware, and I'm still having trouble with Task Manager not opening and google-analytics popup... Not sure what else to do.. Here is my hijack log please tell me anything else you might need to further help me.. Thank YouLogfile of Trend Micro HijackThis v2.0.2Scan saved at 1:07:18 PM, on 6/6/2010Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\AVG\AVG9\avgchsvx.exeC:\Program Files\AVG\AVG9\avgrsx.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\AVG\AVG9\avgcsrvx.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\AVG\AVG9\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\AVG\AVG9\avgnsx.exeC:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\dllhost.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\WINDOWS\eHome\ehmsas.exeC:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\I8kfanGUI\I8kfanGUI.exeC:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.acC:\Program Files\3M\PSNLite\PsnLite.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\AVG\AVG9\avgcmgr.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.localO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/WirelessO4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startupO4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -startO4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbyloginO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startupO4 - Global Startup: Post-it Link to post Share on other sites More sharing options...
Staff screen317 Posted June 6, 2010 Staff ID:263096 Share Posted June 6, 2010 Hi and welcome to Malwarebytes.Please update MBAM, run a Quick Scan, and post its log.Next, download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized. Link to post Share on other sites More sharing options...
jono428 Posted June 7, 2010 Author ID:263177 Share Posted June 7, 2010 I updated MBAM ran ran the Quick Scan.. After removing the infected files upon restart I get the message"Windows could not start because the following file is missing or corrupt: <Windows root>\system32\hal.dll Please re-install a copy of the above file. My computer has no disc. It is built into the computer. Link to post Share on other sites More sharing options...
jono428 Posted June 7, 2010 Author ID:263488 Share Posted June 7, 2010 I obtained a Recovery CD and repaired the boot configuration from the recovery console...Here is the MBAM log: Malwarebytes' Anti-Malware 1.46www.malwarebytes.orgDatabase version: 4174Windows 5.1.2600 Service Pack 3Internet Explorer 6.0.2900.55126/6/2010 10:35:57 PMmbam-log-2010-06-06 (22-35-57).txtScan type: Quick scanObjects scanned: 131555Time elapsed: 1 hour(s), 6 minute(s), 23 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 4Registry Values Infected: 1Registry Data Items Infected: 3Folders Infected: 1Files Infected: 4Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: c:\windows\system32\sdra64.exe -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: system32\sdra64.exe -> No action taken.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.Folders Infected:C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.Files Infected:C:\WINDOWS\system32\sdra64.exe (Trojan.Dropper) -> No action taken.C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.C:\Documents and Settings\Jonathan\Local Settings\Temp\services.exe (Password.Stealer) -> No action taken.Here is the DDS logDDS (Ver_10-03-17.01) - NTFSx86 Run by Jonathan at 11:25:15.43 on Mon 06/07/2010Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -4:00]AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}============== Running Processes ===============C:\WINDOWS\system32\Ati2evxx.exeC:\WINDOWS\system32\svchost -k DcomLaunchsvchost.exeC:\WINDOWS\System32\svchost.exe -k netsvcsC:\Program Files\Intel\Wireless\Bin\EvtEng.exeC:\Program Files\Intel\Wireless\Bin\S24EvMon.exeC:\Program Files\AVG\AVG9\avgchsvx.exeC:\Program Files\AVG\AVG9\avgrsx.exeC:\Program Files\Intel\Wireless\Bin\WLKeeper.exeC:\Program Files\AVG\AVG9\avgcsrvx.exeC:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exeC:\WINDOWS\system32\Ati2evxx.exesvchost.exeC:\WINDOWS\Explorer.EXEsvchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\ehome\ehtray.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Intel\Wireless\Bin\ifrmewrk.exeC:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\Common Files\InstallShield\UpdateService\issch.exeC:\Program Files\Common Files\Java\Java Update\jusched.exeC:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\I8kfanGUI\I8kfanGUI.exeC:\Program Files\3M\PSNLite\PsnLite.exeC:\PROGRA~1\3M\PSNLite\PSNGive.exesvchost.exeC:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exeC:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exeC:\Program Files\AVG\AVG9\avgwdsvc.exeC:\Program Files\Bonjour\mDNSResponder.exeC:\WINDOWS\eHome\ehRecvr.exeC:\WINDOWS\eHome\ehSched.exeC:\Program Files\AVG\AVG9\avgnsx.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exeC:\WINDOWS\system32\PSIService.exeC:\Program Files\Intel\Wireless\Bin\RegSrvc.exeC:\WINDOWS\system32\svchost.exe -k imgsvcC:\WINDOWS\system32\wuauclt.exeC:\WINDOWS\system32\dllhost.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\eHome\ehmsas.exeC:\WINDOWS\system32\wscntfy.exeC:\Documents and Settings\Jonathan\Desktop\dds.scr============== Pseudo HJT Report ===============uStart Page = hxxp://www.google.com/uInternet Settings,ProxyOverride = *.localBHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dllBHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dllBHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dllBHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dllBHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllTB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No FileTB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No FileuRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startupmRun: [ehTray] c:\windows\ehome\ehtray.exemRun: [Apoint] c:\program files\apoint\Apoint.exemRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/WirelessmRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exemRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"mRun: [dla] c:\windows\system32\dla\tfswctrl.exemRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startupmRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -startmRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbyloginmRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exemRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exeIE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exeIE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exeDPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cabDPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cabDPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cabDPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabHandler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dllNotify: AtiExtEvent - Ati2evxx.dllNotify: avgrsstarter - avgrsstx.dllNotify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll================= FIREFOX ===================FF - ProfilePath - c:\docume~1\jonathan\applic~1\mozilla\firefox\profiles\n0u9ep3x.default\FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dllFF - plugin: c:\documents and settings\jonathan\application data\move networks\plugins\npqmp071502000008.dllFF - plugin: c:\documents and settings\jonathan\application data\move networks\plugins\npqmp071503000010.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dllFF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dllFF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}---- FIREFOX POLICIES ----FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);============= SERVICES / DRIVERS ===============R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-8 216200]R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-8 29584]R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-8 242896]R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2009-7-11 14464]R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\jonathan\desktop\sasdifsv.sys --> c:\documents and settings\jonathan\desktop\SASDIFSV.SYS [?]S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\jonathan\desktop\saskutil.sys --> c:\documents and settings\jonathan\desktop\SASKUTIL.SYS [?]S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2009-6-12 1438080]=============== Created Last 30 ================2010-06-06 17:32:39 0 d-s---w- C:\ComboFix2010-06-06 15:43:56 0 d-sha-r- C:\cmdcons2010-06-06 15:39:55 98816 ----a-w- c:\windows\sed.exe2010-06-06 15:39:55 77312 ----a-w- c:\windows\MBR.exe2010-06-06 15:39:55 256512 ----a-w- c:\windows\PEV.exe2010-06-06 15:39:55 161792 ----a-w- c:\windows\SWREG.exe2010-06-06 12:55:33 0 d-----w- c:\docume~1\jonathan\applic~1\SUPERAntiSpyware.com2010-06-06 12:55:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com2010-06-05 23:07:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2010-06-05 23:07:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys2010-06-05 23:07:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware2010-06-05 22:42:56 411368 ----a-w- c:\windows\system32\deployJava1.dll2010-06-05 22:29:44 0 d-----w- c:\windows\system32\wbem\Repository2010-06-05 19:04:59 0 d-----w- c:\windows\ERUNT2010-06-05 18:56:52 664 ----a-w- c:\windows\system32\d3d9caps.dat==================== Find3M ====================2010-06-05 22:39:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys2010-03-24 03:40:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys2010-03-17 03:22:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll2010-01-01 18:49:54 88 --sh--r- c:\windows\system32\7E57C9B0D6.sys============= FINISH: 11:26:19.73 ===============Thank you for your help... Link to post Share on other sites More sharing options...
Staff screen317 Posted June 8, 2010 Staff ID:264230 Share Posted June 8, 2010 Hi,Can you access the log (under the Logs tab in MBAM) of the scan that caused the hal.dll error??I'm afraid I have bad news.Your logs reveal that you had a keylogging trojan.I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. See the following information below before doing anything.The keylogger itself has been deleted, and the following procedure will show you what data has been stolen.Navigate to C:\WINDOWS\system32\lowsecYou will see one or more files; append a .txt extension to them and open them in Notepad to reveal what has been stolen.From a known clean computer, change all of those passwords immediately. Link to post Share on other sites More sharing options...
jono428 Posted June 9, 2010 Author ID:264292 Share Posted June 9, 2010 Thank you for your help... I was impatient and decided to reformat my entire computer... I did not log onto any personal or password sites from the time that I was infected.. Could the passwords still be taken? Or since it is called a keylogging trojan i would have had to login for it to take the password.. Thanks again.. Link to post Share on other sites More sharing options...
Staff screen317 Posted June 10, 2010 Staff ID:265285 Share Posted June 10, 2010 They could potentially be taken, since I'm not precisely sure when the passwords were stolen. To be safe, I would recommend changing all passwords.Is there anything else I can help with? Link to post Share on other sites More sharing options...
jono428 Posted June 10, 2010 Author ID:265298 Share Posted June 10, 2010 If I was to check that WINDOWS folder on other computers that were infected would I be able to see what passwords were taken? Or does it change with every infection?? Link to post Share on other sites More sharing options...
Staff screen317 Posted June 10, 2010 Staff ID:265324 Share Posted June 10, 2010 Depends on what infection specifically; it may be worth checking. How many computers were compromised!? Link to post Share on other sites More sharing options...
Staff screen317 Posted June 17, 2010 Staff ID:268863 Share Posted June 17, 2010 Still with us jono428? Link to post Share on other sites More sharing options...
jono428 Posted June 17, 2010 Author ID:268983 Share Posted June 17, 2010 I apologize I didn't know you replied back then. I just reformatted all my computer and put newfirewalls and and antivirus protection. Thank you Link to post Share on other sites More sharing options...
Staff screen317 Posted June 17, 2010 Staff ID:269329 Share Posted June 17, 2010 Thanks for letting us know. Link to post Share on other sites More sharing options...
Staff screen317 Posted June 17, 2010 Staff ID:269330 Share Posted June 17, 2010 Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts