angel561
2010-06-08, 21:23
How do you finally get rid of these Malware and Adware problems?
I tried using SPYBOT. It detects the problem and destroys it, but when I scan again, there it is; it never got deleted. Files are hidden.
Thanks in advance. Please someone help.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 14:20:50
Windows 6.0.6002 Service Pack 2
Running: look.exe; Driver: C:\Windows\TEMP\kglyquod.sys
---- System - GMER 1.0.15 ----
Code 85379148 ZwEnumerateKey
Code 854DD388 ZwFlushInstructionCache
Code 85391CCD IofCallDriver
Code 859DF38E IofCompleteRequest
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module \systemroot\PRAGMAqewipylroe\PRAGMAd.sys (*** hidden *** ) 8B18A000-8B1AF000 (151552 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2652] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2808] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmabbr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2808] 0x02060000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3308] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmabbr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3308] 0x016B0000
---- Services - GMER 1.0.15 ----
Service C:\Windows\PRAGMAqewipylroe\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAqewipylroe <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@imagepath \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@PRAGMAd \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@PRAGMAc \systemroot\PRAGMAqewipylroe\PRAGMAc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@pragmabbr pragmabbr
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@imagepath \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@PRAGMAd \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@PRAGMAc \systemroot\PRAGMAqewipylroe\PRAGMAc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@pragmabbr pragmabbr
---- Files - GMER 1.0.15 ----
File C:\ProgramData\pragmamfeklnmal.dll 1185 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\searchCAPZP8RM.htm 170 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\blank[1].htm 0 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\acCAD6N8ZS.htm 1234 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\acCA20R40N.htm 1393 bytes
File C:\Users\Christina\AppData\Local\Temp\PRAGMAba9f.tmp 679936 bytes executable
File C:\Users\Christina\AppData\Local\Temp\pragmamainqt.dll 10359 bytes
File C:\Users\Christina\AppData\Local\Temp\pragmapdconf.ini 34 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@advertise[4].txt 143 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@overstock[1].txt 281 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@www.overstock[1].txt 220 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@tt11.overstock[1].txt 202 bytes
File C:\Users\User 2\AppData\Local\Temp\pragmamainqt.dll 10359 bytes
File C:\Users\User 2\AppData\Local\Temp\pragmapdconf.ini 34 bytes
File C:\WINDOWS\PRAGMAqewipylroe 0 bytes
File C:\WINDOWS\PRAGMAqewipylroe\pragmabbr.dll 73728 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAc.dll 34816 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAcfg.ini 258 bytes
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAd.sys 53248 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\pragmaserf.dll 73728 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAsrcr.dat 147 bytes
File C:\WINDOWS\Temp\TMP000000798C4E5227603F2B6D 524288 bytes
File C:\WINDOWS\Temp\PRAGMAa7e2.tmp 147 bytes
File C:\WINDOWS\Temp\pragmamainqt.dll 10359 bytes
File C:\WINDOWS\Temp\pragmapdconf.ini 34 bytes
-----------------------------------
DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 16:35:29.42 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.331 [GMT -4:00]
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\windows\system32\svchost.exe -k dcomlaunch
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe -k secsvcs
c:\windows\system32\svchost.exe -k localservicenetworkrestricted
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k gpsvcgroup
C:\Windows\system32\SLsvc.exe
c:\windows\system32\svchost.exe -k localservice
c:\windows\system32\svchost.exe -k networkservice
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe -k localservicenonetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\svchost.exe -k hpz12
c:\windows\system32\svchost.exe -k hpz12
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted
c:\windows\system32\svchost.exe -k imgsvc
c:\windows\system32\svchost.exe -k wersvcgroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Christina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-7 28552]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20091217.003\IDSvix86.sys [2009-12-18 286768]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-9 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-29 21504]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-7 1153368]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-6 1251720]
=============== Created Last 30 ================
2010-06-08 14:54:21 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-06-08 14:54:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 23:45:37 205 ----a-w- c:\windows\wininit.ini
2010-06-07 17:05:58 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 17:05:58 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 16:36:12 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-07 16:36:08 0 d-----w- c:\program files\Panda Security
2010-06-07 14:15:08 0 d-----w- C:\!KillBox
2010-06-05 23:26:04 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2010-06-05 23:26:04 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2010-06-05 23:26:04 10537 ----a-w- c:\windows\system32\drivers\COH_Mon.cat
2010-06-05 12:56:55 201515137 ----a-w- c:\windows\MEMORY.DMP
2010-05-28 12:47:34 0 d-----w- c:\users\christ~1\appdata\roaming\OpenOffice.org
2010-05-28 00:53:23 0 d-----w- c:\program files\JRE
2010-05-28 00:51:47 0 d-----w- c:\program files\OpenOffice.org 3
2010-05-28 00:49:44 0 d-----w- c:\programdata\Sun
2010-05-25 19:10:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 15:10:07 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM
2010-05-25 15:10:07 0 d-----w- c:\program files\EssentialPIM
2010-05-25 15:05:16 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM Pro
2010-05-25 14:45:05 0 d-----w- C:\Alfresco
2010-05-12 08:25:10 738816 ----a-w- c:\windows\system32\inetcomm.dll
==================== Find3M ====================
2010-05-28 14:44:25 5518 ----a-w- c:\users\christ~1\appdata\roaming\wklnhst.dat
2010-05-25 13:41:33 22632 ----a-w- c:\windows\fonts\medicine.ttf
2010-05-24 12:47:37 52816 ----a-w- c:\windows\fonts\Glassblocks.ttf
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-19 11:51:32 259128 ----a-w- c:\windows\fonts\MASTERPLAN__.otf
2009-11-18 08:24:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:24:09 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:24:08 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 08:24:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 15:46:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-04 16:19:43 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-25 13:59:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-10-25 13:59:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-10-25 13:59:04 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 16:37:52.91 ===============
OK, I fixed it with Malwarebytes. No more redirecting. No more rootkit detections. No malware, Trojans, Pragma, Paladin, or ADWARE detected.
THE ONLY PROBLEM I HAVE LEFT IS JAVA NOT WORKING AND EXPLORER TEXT LOOKS FUNNY AND OUTDATED, BUT IT'S EXPLORER 8. CAN YOU HELP!
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org (http://www.malwarebytes.org)
Database version: 4052
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904
6/9/2010 8:19:59 AM
mbam-log-2010-06-09 (08-19-59).txt
Scan type: Quick scan
Objects scanned: 127743
Time elapsed: 5 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaqewipylroe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RQEH3L6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RTM9S2S.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$R50V3P0\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RIZCPLJ\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\User 2\AppData\Local\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Christina\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org (http://www.malwarebytes.org)
Database version: 4052
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
6/9/2010 8:32:58 AM
mbam-log-2010-06-09 (08-32-58).txt
Scan type: Quick scan
Objects scanned: 128848
Time elapsed: 5 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
NEW DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 10:59:41.85 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.295 [GMT -4:00]
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\MediaCataloger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Christina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.java.com/en/download/installed.jsp?detect=jre&try=1
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
================= FIREFOX ===================
FF - ProfilePath - c:\users\christ~1\appdata\roaming\mozilla\firefox\profiles\qkujir98.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-7 28552]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20091217.003\IDSvix86.sys [2009-12-18 286768]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-9 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-29 21504]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-7 1153368]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-6 1251720]
S4 yehaf;yehaf;c:\windows\system32\drivers\lkke.sys [2010-6-9 54016]
=============== Created Last 30 ================
2010-06-09 12:08:37 54016 ----a-w- c:\windows\system32\drivers\lkke.sys
2010-06-09 11:54:02 0 d-----w- c:\users\christ~1\appdata\roaming\Malwarebytes
2010-06-09 11:53:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-09 11:53:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-09 11:53:51 0 d-----w- c:\programdata\Malwarebytes
2010-06-09 11:53:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 14:54:21 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-06-08 14:54:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 23:45:37 205 ----a-w- c:\windows\wininit.ini
2010-06-07 17:05:58 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 17:05:58 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 16:36:12 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-07 16:36:08 0 d-----w- c:\program files\Panda Security
2010-06-07 14:15:08 0 d-----w- C:\!KillBox
2010-06-05 23:26:04 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2010-06-05 23:26:04 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2010-06-05 23:26:04 10537 ----a-w- c:\windows\system32\drivers\COH_Mon.cat
2010-06-05 12:56:55 201515137 ----a-w- c:\windows\MEMORY.DMP
2010-05-28 12:47:34 0 d-----w- c:\users\christ~1\appdata\roaming\OpenOffice.org
2010-05-28 00:53:23 0 d-----w- c:\program files\JRE
2010-05-28 00:51:47 0 d-----w- c:\program files\OpenOffice.org 3
2010-05-28 00:49:44 0 d-----w- c:\programdata\Sun
2010-05-25 19:10:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 15:10:07 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM
2010-05-25 15:10:07 0 d-----w- c:\program files\EssentialPIM
2010-05-25 15:05:16 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM Pro
2010-05-25 14:45:05 0 d-----w- C:\Alfresco
2010-05-12 08:25:10 738816 ----a-w- c:\windows\system32\inetcomm.dll
==================== Find3M ====================
2010-05-28 14:44:25 5518 ----a-w- c:\users\christ~1\appdata\roaming\wklnhst.dat
2010-05-25 13:41:33 22632 ----a-w- c:\windows\fonts\medicine.ttf
2010-05-24 12:47:37 52816 ----a-w- c:\windows\fonts\Glassblocks.ttf
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-19 11:51:32 259128 ----a-w- c:\windows\fonts\MASTERPLAN__.otf
2009-11-18 08:24:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:24:09 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:24:08 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 08:24:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 15:46:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-04 16:19:43 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 11:01:08.35 ===============
I Tried using SPYBOT It detects the problem destroys it but when I scan again. There it is it never got deleted. Files are hiddden.
Thanks in advance. Please someone help.
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-08 14:20:50
Windows 6.0.6002 Service Pack 2
Running: look.exe; Driver: C:\Windows\TEMP\kglyquod.sys
---- System - GMER 1.0.15 ----
Code 85379148 ZwEnumerateKey
Code 854DD388 ZwFlushInstructionCache
Code 85391CCD IofCallDriver
Code 859DF38E IofCompleteRequest
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module \systemroot\PRAGMAqewipylroe\PRAGMAd.sys (*** hidden *** ) 8B18A000-8B1AF000 (151552 bytes)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2652] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2808] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmabbr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2808] 0x02060000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmaserf.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3308] 0x10000000
Library \\?\globalroot\systemroot\PRAGMAqewipylroe\pragmabbr.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3308] 0x016B0000
---- Services - GMER 1.0.15 ----
Service C:\Windows\PRAGMAqewipylroe\PRAGMAd.sys (*** hidden *** ) [SYSTEM] PRAGMAqewipylroe <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe@imagepath \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@PRAGMAd \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@PRAGMAc \systemroot\PRAGMAqewipylroe\PRAGMAc.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\CurrentControlSet\Services\PRAGMAqewipylroe\modules@pragmabbr pragmabbr
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe@imagepath \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@PRAGMAd \systemroot\PRAGMAqewipylroe\PRAGMAd.sys
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@PRAGMAc \systemroot\PRAGMAqewipylroe\PRAGMAc.dll
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@pragmaserf pragmaserf
Reg HKLM\SYSTEM\ControlSet003\Services\PRAGMAqewipylroe\modules@pragmabbr pragmabbr
---- Files - GMER 1.0.15 ----
File C:\ProgramData\pragmamfeklnmal.dll 1185 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\searchCAPZP8RM.htm 170 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\blank[1].htm 0 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\acCAD6N8ZS.htm 1234 bytes
File C:\Users\Christina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KCPPN6X0\acCA20R40N.htm 1393 bytes
File C:\Users\Christina\AppData\Local\Temp\PRAGMAba9f.tmp 679936 bytes executable
File C:\Users\Christina\AppData\Local\Temp\pragmamainqt.dll 10359 bytes
File C:\Users\Christina\AppData\Local\Temp\pragmapdconf.ini 34 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@advertise[4].txt 143 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@overstock[1].txt 281 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@www.overstock[1].txt 220 bytes
File C:\Users\Christina\AppData\Roaming\Microsoft\Windows\Cookies\christina@tt11.overstock[1].txt 202 bytes
File C:\Users\User 2\AppData\Local\Temp\pragmamainqt.dll 10359 bytes
File C:\Users\User 2\AppData\Local\Temp\pragmapdconf.ini 34 bytes
File C:\WINDOWS\PRAGMAqewipylroe 0 bytes
File C:\WINDOWS\PRAGMAqewipylroe\pragmabbr.dll 73728 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAc.dll 34816 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAcfg.ini 258 bytes
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAd.sys 53248 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\pragmaserf.dll 73728 bytes executable
File C:\WINDOWS\PRAGMAqewipylroe\PRAGMAsrcr.dat 147 bytes
File C:\WINDOWS\Temp\TMP000000798C4E5227603F2B6D 524288 bytes
File C:\WINDOWS\Temp\PRAGMAa7e2.tmp 147 bytes
File C:\WINDOWS\Temp\pragmamainqt.dll 10359 bytes
File C:\WINDOWS\Temp\pragmapdconf.ini 34 bytes
-----------------------------------
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 16:35:29.42 on Tue 06/08/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.331 [GMT -4:00]
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
c:\windows\system32\svchost.exe -k dcomlaunch
c:\windows\system32\svchost.exe -k rpcss
c:\windows\system32\svchost.exe -k secsvcs
c:\windows\system32\svchost.exe -k localservicenetworkrestricted
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted
c:\windows\system32\svchost.exe -k netsvcs
c:\windows\system32\svchost.exe -k gpsvcgroup
C:\Windows\system32\SLsvc.exe
c:\windows\system32\svchost.exe -k localservice
c:\windows\system32\svchost.exe -k networkservice
C:\Windows\System32\spoolsv.exe
c:\windows\system32\svchost.exe -k localservicenonetwork
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\svchost.exe -k hpz12
c:\windows\system32\svchost.exe -k hpz12
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted
c:\windows\system32\svchost.exe -k imgsvc
c:\windows\system32\svchost.exe -k wersvcgroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\wuauclt.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Christina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0\bin\npjpi150.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-7 28552]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20091217.003\IDSvix86.sys [2009-12-18 286768]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-9 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-29 21504]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-7 1153368]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-6 1251720]
=============== Created Last 30 ================
2010-06-08 14:54:21 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-06-08 14:54:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 23:45:37 205 ----a-w- c:\windows\wininit.ini
2010-06-07 17:05:58 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 17:05:58 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 16:36:12 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-07 16:36:08 0 d-----w- c:\program files\Panda Security
2010-06-07 14:15:08 0 d-----w- C:\!KillBox
2010-06-05 23:26:04 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2010-06-05 23:26:04 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2010-06-05 23:26:04 10537 ----a-w- c:\windows\system32\drivers\COH_Mon.cat
2010-06-05 12:56:55 201515137 ----a-w- c:\windows\MEMORY.DMP
2010-05-28 12:47:34 0 d-----w- c:\users\christ~1\appdata\roaming\OpenOffice.org
2010-05-28 00:53:23 0 d-----w- c:\program files\JRE
2010-05-28 00:51:47 0 d-----w- c:\program files\OpenOffice.org 3
2010-05-28 00:49:44 0 d-----w- c:\programdata\Sun
2010-05-25 19:10:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 15:10:07 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM
2010-05-25 15:10:07 0 d-----w- c:\program files\EssentialPIM
2010-05-25 15:05:16 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM Pro
2010-05-25 14:45:05 0 d-----w- C:\Alfresco
2010-05-12 08:25:10 738816 ----a-w- c:\windows\system32\inetcomm.dll
==================== Find3M ====================
2010-05-28 14:44:25 5518 ----a-w- c:\users\christ~1\appdata\roaming\wklnhst.dat
2010-05-25 13:41:33 22632 ----a-w- c:\windows\fonts\medicine.ttf
2010-05-24 12:47:37 52816 ----a-w- c:\windows\fonts\Glassblocks.ttf
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-19 11:51:32 259128 ----a-w- c:\windows\fonts\MASTERPLAN__.otf
2009-11-18 08:24:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:24:09 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:24:08 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 08:24:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 15:46:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-04 16:19:43 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-10-25 13:59:04 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-10-25 13:59:04 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-10-25 13:59:04 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat
============= FINISH: 16:37:52.91 ===============
OK I fixed it with malwarebytes. No more redirecting. No more rootkit detections. No malware,Trojans,Pragma,Paladin, or ADWARE Detected.
ONLY PROBLEM I HAVE LEFT IS JAVA NOT WORKING AND EXPLORER TEXT LOOKS FUNNY OUTDATED BUT ITS EXPLORER 8. CAN YOU HELP !
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org (http://www.malwarebytes.org)
Database version: 4052
Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18904
6/9/2010 8:19:59 AM
mbam-log-2010-06-09 (08-19-59).txt
Scan type: Quick scan
Objects scanned: 127743
Time elapsed: 5 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 5
Files Infected: 14
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pragmaqewipylroe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\pragma (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PRAGMA (Rootkit.TDSS) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Paladin Antivirus (Rogue.PaladinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\Program Files\ezLife\ezLife (Adware.EzLife) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe (Trojan.DNSChanger) -> Quarantined and deleted successfully.
Files Infected:
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RQEH3L6.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RTM9S2S.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$R50V3P0\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\$Recycle.Bin\S-1-5-21-2010871483-1569493574-4283205744-1000\$RIZCPLJ\crack.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\pragmabbr.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAc.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAcfg.ini (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAd.sys (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\pragmaserf.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\PRAGMAqewipylroe\PRAGMAsrcr.dat (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\ProgramData\pragmamfeklnmal.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\User 2\AppData\Local\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\pragmamainqt.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Users\Christina\Favorites\_favdata.dat (Malware.Trace) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org (http://www.malwarebytes.org)
Database version: 4052
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904
6/9/2010 8:32:58 AM
mbam-log-2010-06-09 (08-32-58).txt
Scan type: Quick scan
Objects scanned: 128848
Time elapsed: 5 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
NEW DDS
DDS (Ver_10-03-17.01) - NTFSx86
Run by Christina at 10:59:41.85 on Wed 06/09/2010
Internet Explorer: 8.0.6001.18904
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.894.295 [GMT -4:00]
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
FW: Norton Internet Security *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP Connections\6811507\Program\HP Connections.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\Corel Paint Shop Pro Photo.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\MediaCataloger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Christina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.java.com/en/download/installed.jsp?detect=jre&try=1
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=71&bd=Pavilion&pf=desktop
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.0\NppBho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.0\UIBHO.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Corel Photo Downloader] "c:\program files\common files\corel\corel photodownloader\Corel Photo Downloader.exe" -startup
mRun: [Corel File Shell Monitor] c:\program files\corel\corel paint shop pro photo x2\CorelIOMonitor.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes Anti-Malware (rootkit-scan)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpconn~1.lnk - c:\program files\hp connections\6811507\program\HP Connections.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {26522409-8BBF-4C5B-A4D3-CF4B1D6F255B} - hxxp://www.umediaserver.net/bin/UMediaControl5.cab
DPF: {38AB0814-B09B-4378-9940-14A19638C3C2} - hxxp://www.auctiva.com/Aurigma/ImageUploader57.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
================= FIREFOX ===================
FF - ProfilePath - c:\users\christ~1\appdata\roaming\mozilla\firefox\profiles\qkujir98.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2010-6-7 28552]
R1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\symantec\defini~1\symcdata\idsdefs\20091217.003\IDSvix86.sys [2009-12-18 286768]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\symndisv.sys [2009-8-3 38448]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-12-9 102448]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2009-10-29 21504]
S4 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-6-7 1153368]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-2-6 1251720]
S4 yehaf;yehaf;c:\windows\system32\drivers\lkke.sys [2010-6-9 54016]
=============== Created Last 30 ================
2010-06-09 12:08:37 54016 ----a-w- c:\windows\system32\drivers\lkke.sys
2010-06-09 11:54:02 0 d-----w- c:\users\christ~1\appdata\roaming\Malwarebytes
2010-06-09 11:53:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-09 11:53:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-09 11:53:51 0 d-----w- c:\programdata\Malwarebytes
2010-06-09 11:53:51 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-08 14:54:21 0 d-sh--w- c:\windows\system32\%APPDATA%
2010-06-08 14:54:08 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-07 23:45:37 205 ----a-w- c:\windows\wininit.ini
2010-06-07 17:05:58 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-06-07 17:05:58 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-06-07 16:36:12 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-06-07 16:36:08 0 d-----w- c:\program files\Panda Security
2010-06-07 14:15:08 0 d-----w- C:\!KillBox
2010-06-05 23:26:04 706 ----a-w- c:\windows\system32\drivers\COH_Mon.inf
2010-06-05 23:26:04 23888 ----a-w- c:\windows\system32\drivers\COH_Mon.sys
2010-06-05 23:26:04 10537 ----a-w- c:\windows\system32\drivers\COH_Mon.cat
2010-06-05 12:56:55 201515137 ----a-w- c:\windows\MEMORY.DMP
2010-05-28 12:47:34 0 d-----w- c:\users\christ~1\appdata\roaming\OpenOffice.org
2010-05-28 00:53:23 0 d-----w- c:\program files\JRE
2010-05-28 00:51:47 0 d-----w- c:\program files\OpenOffice.org 3
2010-05-28 00:49:44 0 d-----w- c:\programdata\Sun
2010-05-25 19:10:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-05-25 15:10:07 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM
2010-05-25 15:10:07 0 d-----w- c:\program files\EssentialPIM
2010-05-25 15:05:16 0 d-----w- c:\users\christ~1\appdata\roaming\EssentialPIM Pro
2010-05-25 14:45:05 0 d-----w- C:\Alfresco
2010-05-12 08:25:10 738816 ----a-w- c:\windows\system32\inetcomm.dll
==================== Find3M ====================
2010-05-28 14:44:25 5518 ----a-w- c:\users\christ~1\appdata\roaming\wklnhst.dat
2010-05-25 13:41:33 22632 ----a-w- c:\windows\fonts\medicine.ttf
2010-05-24 12:47:37 52816 ----a-w- c:\windows\fonts\Glassblocks.ttf
2010-05-12 15:21:16 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-03-19 11:51:32 259128 ----a-w- c:\windows\fonts\MASTERPLAN__.otf
2009-11-18 08:24:09 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 08:24:09 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 08:24:08 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 08:24:08 143360 ----a-w- c:\windows\inf\infstrng.dat
2009-11-03 15:46:16 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-11-04 16:19:43 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
============= FINISH: 11:01:08.35 ===============