HiJack Log

[jono428]

Thank you for your help in advance... I have run Malwarebytes, Combofix, SDFix, SuperAntiSpyware, and I'm still having trouble with Task Manager not opening and google-analytics popup... Not sure what else to do.. Here is my hijack log please tell me anything else you might need to further help me.. Thank You

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:07:18 PM, on 6/6/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\AVG\AVG9\avgcmgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup

O4 - Global Startup: Post-it

[screen317]

Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

[jono428]

I updated MBAM ran ran the Quick Scan.. After removing the infected files upon restart I get the message

"Windows could not start because the following file is missing or corrupt: <Windows root>\system32\hal.dll Please re-install a copy of the above file.

My computer has no disc. It is built into the computer.

[jono428]

I obtained a Recovery CD and repaired the boot configuration from the recovery console...

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4174

Windows 5.1.2600 Service Pack 3

Internet Explorer 6.0.2900.5512

6/6/2010 10:35:57 PM

mbam-log-2010-06-06 (22-35-57).txt

Scan type: Quick scan

Objects scanned: 131555

Time elapsed: 1 hour(s), 6 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 1

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: c:\windows\system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Dropper) -> Data: system32\sdra64.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (userinit.exe) -> No action taken.

Folders Infected:

C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:

C:\WINDOWS\system32\sdra64.exe (Trojan.Dropper) -> No action taken.

C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.

C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.

C:\Documents and Settings\Jonathan\Local Settings\Temp\services.exe (Password.Stealer) -> No action taken.

Here is the DDS log

DDS (Ver_10-03-17.01) - NTFSx86

Run by Jonathan at 11:25:15.43 on Mon 06/07/2010

Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.522 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

svchost.exe

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\ehome\ehtray.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\I8kfanGUI\I8kfanGUI.exe

C:\Program Files\3M\PSNLite\PsnLite.exe

C:\PROGRA~1\3M\PSNLite\PSNGive.exe

svchost.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Jonathan\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [i8kfangui] c:\program files\i8kfangui\I8kfanGUI.exe /startup

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [Apoint] c:\program files\apoint\Apoint.exe

mRun: [intelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\post-i~1.lnk - c:\program files\3m\psnlite\PsnLite.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jonathan\applic~1\mozilla\firefox\profiles\n0u9ep3x.default\

FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\jonathan\application data\move networks\plugins\npqmp071502000008.dll

FF - plugin: c:\documents and settings\jonathan\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

FF - user.js: network.protocol-handler.warn-external.dnupdate - falsec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);

c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);

c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-8 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-8 29584]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-8 242896]

R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2009-7-11 14464]

R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-3-16 308064]

S1 SASDIFSV;SASDIFSV;\??\c:\documents and settings\jonathan\desktop\sasdifsv.sys --> c:\documents and settings\jonathan\desktop\SASDIFSV.SYS [?]

S1 SASKUTIL;SASKUTIL;\??\c:\documents and settings\jonathan\desktop\saskutil.sys --> c:\documents and settings\jonathan\desktop\SASKUTIL.SYS [?]

S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2009-6-12 1438080]

=============== Created Last 30 ================

2010-06-06 17:32:39 0 d-s---w- C:\ComboFix

2010-06-06 15:43:56 0 d-sha-r- C:\cmdcons

2010-06-06 15:39:55 98816 ----a-w- c:\windows\sed.exe

2010-06-06 15:39:55 77312 ----a-w- c:\windows\MBR.exe

2010-06-06 15:39:55 256512 ----a-w- c:\windows\PEV.exe

2010-06-06 15:39:55 161792 ----a-w- c:\windows\SWREG.exe

2010-06-06 12:55:33 0 d-----w- c:\docume~1\jonathan\applic~1\SUPERAntiSpyware.com

2010-06-06 12:55:33 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2010-06-05 23:07:31 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-05 23:07:29 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-05 23:07:28 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-05 22:42:56 411368 ----a-w- c:\windows\system32\deployJava1.dll

2010-06-05 22:29:44 0 d-----w- c:\windows\system32\wbem\Repository

2010-06-05 19:04:59 0 d-----w- c:\windows\ERUNT

2010-06-05 18:56:52 664 ----a-w- c:\windows\system32\d3d9caps.dat

==================== Find3M ====================

2010-06-05 22:39:46 242896 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-24 03:40:23 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2010-03-17 03:22:53 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-10 04:33:41 1509888 ------w- c:\windows\system32\dllcache\shdocvw.dll

2010-03-10 04:33:38 1025024 ------w- c:\windows\system32\dllcache\browseui.dll

2010-01-01 18:49:54 88 --sh--r- c:\windows\system32\7E57C9B0D6.sys

============= FINISH: 11:26:19.73 ===============

Thank you for your help...

[screen317]

Hi,

Can you access the log (under the Logs tab in MBAM) of the scan that caused the hal.dll error??

I'm afraid I have bad news.

Your logs reveal that you had a keylogging trojan.

I would counsel you to disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. See the following information below before doing anything.

The keylogger itself has been deleted, and the following procedure will show you what data has been stolen.

Navigate to C:\WINDOWS\system32\lowsec

You will see one or more files; append a .txt extension to them and open them in Notepad to reveal what has been stolen.

From a known clean computer, change all of those passwords immediately.

[jono428]

Thank you for your help... I was impatient and decided to reformat my entire computer... I did not log onto any personal or password sites from the time that I was infected.. Could the passwords still be taken? Or since it is called a keylogging trojan i would have had to login for it to take the password.. Thanks again..

[screen317]

They could potentially be taken, since I'm not precisely sure when the passwords were stolen. To be safe, I would recommend changing all passwords.

Is there anything else I can help with?

[jono428]

If I was to check that WINDOWS folder on other computers that were infected would I be able to see what passwords were taken? Or does it change with every infection??

[screen317]

Depends on what infection specifically; it may be worth checking. How many computers were compromised!?

[screen317]

Still with us jono428?

[jono428]

I apologize I didn't know you replied back then. I just reformatted all my computer and put new

firewalls and and antivirus protection. Thank you

[screen317]

Thanks for letting us know.

[screen317]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!