Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
5/5/2010 5:51:11 AM
mbam-log-2010-05-05 (05-51-11).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 166991
Time elapsed: 31 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 38
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaylprxerxnt (Trojan.DNSChanger) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.16,93.188.161.200 -> No action taken.
Folders Infected:
D:\WINDOWS\PRAGMAylprxerxnt (Trojan.DNSChanger) -> No action taken.
Files Infected:
D:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> No action taken.
D:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1221964676.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1615714698.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1873985010.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\238850592.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\3795849116.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\4273650700.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\PRAGMAf73d.tmp (Trojan.Agent) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\avp.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\cmd.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\csrss.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\debug.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\iexplarer.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\lsass.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\mdm.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\services.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\setup.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\smss.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\svchost.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\system.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\taskmgr.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\user.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win16.exe (Trojan.Clicker) -> No action taken.
D:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> No action taken.
D:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAc.dll (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAcfg.ini (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAd.sys (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.
D:\WINDOWS\system32\drivers\ftashq.sys (Rootkit.Agent) -> No action taken.
D:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
D:\WINDOWS\system32\spool\prtprocs\w32x86\b00002db8.dll (Rootkit.Dropper) -> No action taken.
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> No action taken.
I am now currently getting weird pop-ups. I think there was also a DNS changer in one of those, and it messed my connection up because I can connect to websites or programs; I use Ventrilo for gaming, or even World of Warcraft or Warcraft 3, and sometimes they will not connect but then will very shortly after. It's so annoying. I keep getting click sounds too, like I'm searching the web. Also, you know when those random pop-ups go where they say YOU HAVE WON? Well, it does that too, but nothing is even popping up lol. Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:20 PM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
C:\System Volume Information\Whistler\smss.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\System Volume Information\Whistler\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.movies-links.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - D:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6342352765
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9072450140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS4\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
--
End of file - 5493 bytes