I have some Malware that I need help with

Post by reaperofelement » May 8th, 2010, 8:00 pm

I have some malware that I need help with removing, cleaning my computer out. I usually sit here and play World of Warcraft and Warcraft 3 on my computer and use Ventrilo. I search the web sometimes for movies and songs, stuff like that, or just research stuff in life. Until recently, whatever had gotten into my computer from a website I went to is pretty much gone; there's still something here though. I keep having iexplore.exe pop up in my system in Task Manager. It started out with 1, then 2, now there are 3 running, and that's not counting the username one, which would be the one I have open to be typing this to the forum. So I get random pop-ups and random voices from ads that are pop-ups; it's kind of freaky and I can't figure out how to get rid of it, so I need help. I have come here once before and you guys did an awesome job helping me. Thank you for your time and consideration in helping me. Here is my main Malwarebytes log that grabbed like everything I had on my computer. The next will be my HijackThis log, which I ran right before I started this post.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/5/2010 5:51:44 AM
mbam-log-2010-05-05 (05-51-44).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 166991
Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaylprxerxnt (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.16,93.188.161.200 -> Quarantined and deleted successfully.

Folders Infected:
D:\WINDOWS\PRAGMAylprxerxnt (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
D:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1221964676.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1615714698.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1873985010.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\238850592.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\3795849116.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\4273650700.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\PRAGMAf73d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\avp.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\cmd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\csrss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\debug.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\iexplarer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\lsass.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\mdm.exe (Trojan.Clicker) -> Delete on reboot.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\services.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\setup.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\smss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\svchost.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\system.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\taskmgr.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\user.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win16.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\drivers\ftashq.sys (Rootkit.Agent) -> Delete on reboot.
D:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\spool\prtprocs\w32x86\b00002db8.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> Delete on reboot.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:17 PM, on 5/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
C:\System Volume Information\Whistler\smss.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\a-squared Free\a2service.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\System Volume Information\Whistler\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.movies-links.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - D:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [DivXUpdate] "D:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6342352765
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9072450140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS4\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

--
End of file - 5629 bytes

Re: I have some Malware that I need help with

Post by MWR 3 day Mod » May 12th, 2010, 2:02 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: I have some Malware that I need help with

Post by xixo_12 » May 13th, 2010, 9:11 am

Hello and welcome to Malware Removal Forums.
  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes, as this will hinder the malware removal process.
  • You may wish to print them off or copy the instructions into Notepad.
  • If you have any questions, please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please make sure you have done your reading on this topic: How to get help at this forum
Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

First,
Analyze file(s).
Please visit Jotti.
Click on Browse > copy the links below (one by one) and paste each into the File name box > click Open:
C:\System Volume Information\Whistler\smss.exe
C:\System Volume Information\Whistler\svchost.exe

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.
Example of web address: [image not included]

Next,
Uninstall List.
  • Run HijackThis.
  • Click on Open the Misc Tools section button.
  • Click on Misc Tools tab.
  • Under the System tools, click on Open Uninstall Manager button.
  • Find the Save list… button and save the list to the Desktop.
  • Copy the content and paste the uninstall list here.

Next,
Checklist.
Please post.
  • Web links = 2
  • Content of uninstall list.
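
xixo_12's first step singles out the two entries in the HijackThis "Running processes" list that run from C:\System Volume Information rather than the Windows system directory. As an added example (not part of this thread, and not code from HijackThis or Malwarebytes), the Python below runs that kind of triage over a few lines constructed from the logs above: core system binary names running outside \WINDOWS\system32, an R1 browser proxy pointing at loopback, and O17 DNS servers not on an operator-supplied allowlist. KNOWN_RESOLVERS is an assumed allowlist, and the last O17 line is constructed from the resolvers the Malwarebytes log reported under Trojan.DNSChanger.

```python
import ntpath
import re

# Core Windows binaries that should only run from \WINDOWS\system32 (drive letter ignored: this log has Windows on D:).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"}

# Assumed operator-supplied allowlist of DNS resolvers (the two addresses the thread's O17 lines point at).
KNOWN_RESOLVERS = frozenset({"208.67.222.222", "208.67.220.220"})

# Constructed sample: lines from the HijackThis log above, plus one O17 line constructed
# from the resolvers MBAM listed under Trojan.DNSChanger so the DNS check has something to flag.
SAMPLE_LOG = [
    "Running processes:",
    r"D:\WINDOWS\system32\winlogon.exe",
    r"C:\System Volume Information\Whistler\smss.exe",
    r"D:\WINDOWS\system32\svchost.exe",
    r"C:\System Volume Information\Whistler\svchost.exe",
    r"D:\Program Files\Internet Explorer\IEXPLORE.EXE",
    "",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220",
    r"O17 - HKLM\System\CS2\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 93.188.163.16,93.188.161.200",
]

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


def triage(lines, known_resolvers=KNOWN_RESOLVERS):
    """Return a list of (tag, detail) findings from HijackThis log lines."""
    findings = []
    in_processes = False
    for raw in lines:
        line = raw.strip()
        if not line:                       # a blank line ends the process list
            in_processes = False
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            name = ntpath.basename(line).lower()
            parent = ntpath.dirname(line).lower()
            if name in SYSTEM_BINARIES and not parent.endswith(r"\windows\system32"):
                findings.append(("process-path", line))   # system binary name, wrong directory
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, rest = m.groups()
        value = rest.split("=", 1)[1].strip() if "=" in rest else ""
        if code == "R1" and "ProxyServer" in rest:
            # Browser traffic routed through a process on this machine.
            if "127.0.0.1" in value or "localhost" in value.lower():
                findings.append(("loopback-proxy", value))
        elif code == "O17" and "NameServer" in rest:
            for server in value.split(","):
                if server.strip() not in known_resolvers:
                    findings.append(("unknown-dns", server.strip()))
    return findings
```

Running triage(SAMPLE_LOG) returns five findings: the two System Volume Information processes, the loopback proxy, and the two DNSChanger resolvers.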

Re: I have some Malware that I need help with

Post by Gary R » May 16th, 2010, 10:57 am

Due to lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.