Need help got some problems fixed most of it so far


Post by reaperofelement » May 7th, 2010, 12:53 pm

Hi, my name is Chris. I was searching around one day while I had Warcraft 3 up waiting for this DotA game to start; then I tabbed back in and my computer had popped up this Anti Virus thing in an IE box, along with something else that ended up trying to D/L crap. I closed it immediately; then it made it so I couldn't run or open anything, it would say I cannot do that. So I ran Malwarebytes in Safe Mode. This is the log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

5/5/2010 5:51:11 AM
mbam-log-2010-05-05 (05-51-11).txt

Scan type: Full scan (C:\|D:\|E:\|)
Objects scanned: 166991
Time elapsed: 31 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{31f3cf6e-a71a-4daa-852b-39ac230940b4} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{4e980492-027b-47f1-a7ab-ab086dacbb9e} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{5ead8321-fcbb-4c3f-888c-ac373d366c3f} (Rogue.Ascentive) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{497dddb6-6eee-4561-9621-b77dc82c1f84} (Rogue.Ascentive) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_CURRENT_USER\Software\avsuite (Rogue.AntivirusSuite) -> No action taken.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaylprxerxnt (Trojan.DNSChanger) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\nofolderoptions (Hijack.FolderOptions) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hsf87efjhdsf87f3jfsdi7fhsujfd (Trojan.Clicker) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{a2ba40a0-74f1-52bd-f411-00b15a2c8953} (Trojan.Ertfor) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.16,93.188.161.200 -> No action taken.

Folders Infected:
D:\WINDOWS\PRAGMAylprxerxnt (Trojan.DNSChanger) -> No action taken.

Files Infected:
D:\Documents and Settings\All Users\Application Data\pragmamfeklnmal.dll (Rootkit.TDSS) -> No action taken.
D:\Documents and Settings\All Users\Favorites\_favdata.dat (Malware.Trace) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1221964676.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1615714698.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\1873985010.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\238850592.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\3795849116.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\4273650700.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\PRAGMAf73d.tmp (Trojan.Agent) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\avp.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\cmd.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\csrss.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\debug.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\iexplarer.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\lsass.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\mdm.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\pragmamainqt.dll (Rootkit.TDSS) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\services.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\setup.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\smss.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\svchost.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\system.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\taskmgr.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\user.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win.exe (Trojan.Clicker) -> No action taken.
D:\Documents and Settings\Chris Jablonski\Local Settings\temp\win16.exe (Trojan.Clicker) -> No action taken.
D:\Program Files\Internet Explorer\js.mui (Trojan.Downloader) -> No action taken.
D:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAc.dll (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAcfg.ini (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\PRAGMAylprxerxnt\PRAGMAd.sys (Trojan.DNSChanger) -> No action taken.
D:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.
D:\WINDOWS\system32\SysRestore.dll (Rogue.Ascentive) -> No action taken.
D:\WINDOWS\system32\drivers\ftashq.sys (Rootkit.Agent) -> No action taken.
D:\WINDOWS\system32\net.net (Trojan.Downloader) -> No action taken.
D:\WINDOWS\system32\spool\prtprocs\w32x86\b00002db8.dll (Rootkit.Dropper) -> No action taken.
D:\WINDOWS\system32\yzodc5.dll (Trojan.Ertfor) -> No action taken.



I am now currently getting weird pop-ups. I think there was also a DNS changer in one of those and it messed my connection up, because I can connect to websites or the programs I use (Ventrilo for gaming, or even World of Warcraft or Warcraft 3), but sometimes they will not connect, then will very shortly after. It's so annoying. I keep getting click sounds too, like I'm searching the web. Also, you know when those random pop-ups go where they say YOU HAVE WON? Well, it does that too, but nothing is even popping up, lol. Here is my HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:20 PM, on 5/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
C:\System Volume Information\Whistler\smss.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Windows Live\Messenger\msnmsgr.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Windows Live\Contacts\wlcomm.exe
D:\Program Files\Ventrilo\Ventrilo.exe
C:\System Volume Information\Whistler\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.movies-links.tv/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: (no name) - {CA3EB689-8F09-4026-AA10-B9534C691CE0} - (no file)
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - D:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - D:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O3 - Toolbar: (no name) - {0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - D:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (rootkit-scan)] "D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - D:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/pr01/re ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 6342352765
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9072450140
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS2\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS4\Services\Tcpip\..\{05A6128C-C0F4-4DEE-B3AC-485D775D3A7F}: NameServer = 208.67.222.222,208.67.220.220
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe

--
End of file - 5493 bytes

Re: Need help got some problems fixed most of it so far

Post by reaperofelement » May 7th, 2010, 11:30 pm

Now I'm getting a lot of pop-ups with the sound, so now it's a pop-up also.

Re: Need help got some problems fixed most of it so far

Post by NonSuch » May 8th, 2010, 2:55 am

For your own sake as well as ours, please familiarize yourself with the forum rules:

viewtopic.php?p=491389#p491389

Bumping your topic

Helpers at this forum look for topics with ZERO REPLIES, any topic that does not have zero replies will be passed by.

If you reply to your topic or try to "bump" it, it will no longer have zero replies and you will not receive the help you are looking for.

Because of this, if we see that you have replied to your own topic, or tried to bump it, your topic will be closed and you will be asked to start a new one.


Accordingly, this topic will be closed and you will need to start a new topic. Please include everything in one post. If there is something you have forgotten, wait until you have received a response and then you can post the additional information.

This topic is now closed.

