Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4052
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702
5/5/2010 5:51:44 AM
mbam-log-2010-05-05 (05-51-44).txt
Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 166991
Time elapsed: 31 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 38
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> Delete on reboot.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaylprxerxnt (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.16,93.188.161.200 -> Quarantined and deleted successfully.
Folders Infected:
D:\WINDOWS\PRAGMAylprxerxnt (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
D:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1221964676.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1615714698.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1873985010.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\238850592.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\3795849116.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\4273650700.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\PRAGMAf73d.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\avp.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\cmd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\csrss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\debug.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\iexplarer.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\lsass.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\mdm.exe (Trojan.Clicker) -> Delete on reboot.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\services.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\setup.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\smss.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\svchost.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\system.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\taskmgr.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\user.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win16.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
D:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
D:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\drivers\ftashq.sys (Rootkit.Agent) -> Delete on reboot.
D:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\spool\prtprocs\w32x86\b00002db8.dll (Rootkit.Dropper) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:47:17 PM, on 5/8/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
C:\System Volume Information\Whistler\smss.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\Program Files\Google\Update\GoogleUpdate.exe
D:\Program Files\a-squared Free\a2service.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\System Volume Information\Whistler\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.movies-links.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - D:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [DivXUpdate] "D:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6342352765
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9072450140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS4\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
--
End of file - 5629 bytes