Computer Forums

 
Old 06-18-2008, 11:30 PM   #1 (permalink)
MaXiMuS_N00BuS's Avatar
 
Junior Techie

Join Date: Feb 2008

Posts: 78


Default 45 pop-ups in 3 hours!!! (W/ HJT Log) [P]

I am using Firefox (don't like IE) and I left my computer for a while, with Firefox still open, and I come back, and there are 45 pop-ups all over the place. The funny thing is, they are all pop-ups from IE... But I'm using Firefox. What could be the cause of that? AVG says I have 0 Infections and 0 Threats. I also have Adblock Plus on Firefox, but of course it's not helping. I don't ever get pop-ups when browsers are closed (obviously) except about 5 minutes after I close the browser, I get about 2 pop-ups. Anyway, I can clearly see I need help. Oh ya, I'm running Vista Ultimate.

EDIT: Here's the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:24:46 PM, on 6/18/2008
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows svchost] C:\WINDOWS\system32\drivers\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\svchost.exe -b C:\WINDOWS\SYSTEM32\DRIVERS\etc\conf.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PCMM2007RT] "C:\Program Files\PC MightyMax 2007\pcmm2007.exe" /S
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/noc...tup1.0.1.0.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
MaXiMuS_N00BuS is offline  
Old 06-19-2008, 01:35 PM   #2 (permalink)
MaXiMuS_N00BuS's Avatar
 
Junior Techie

Join Date: Feb 2008

Posts: 78


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

please?
MaXiMuS_N00BuS is offline  
Old 06-19-2008, 03:07 PM   #3 (permalink)
MaXiMuS_N00BuS's Avatar
 
Junior Techie

Join Date: Feb 2008

Posts: 78


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Most of the pop-ups were from wholesomerewards.com, smacchat.com, and some even had my I.P. in the address bar. The thing is, they come like every 5 minutes, perfect timing (almost). Also, when the pop-ups come, I can be idle on a website like Google's homepage (that won't give you pop-ups) for, like the title says, 3 hours, and pop-ups come anyway. I want it to stop. Oh and before I forget, all of the running processes that were supposed to be in the HJT log weren't there.

EDIT: Forgot... I even get pop-ups leading me to different sites that say things like "your search for 'whatever' returned 0 results" (when I didn't even do a search query in ANY website). And, if I search something in Google, for instance, "visual studio tutorials", a pop-up says "your search for 'blah blah blah' returned so and so results". Was that easy to understand?

Last edited by MaXiMuS_N00BuS; 06-19-2008 at 03:13 PM.
MaXiMuS_N00BuS is offline  
Old 06-19-2008, 03:41 PM   #4 (permalink)
Saxon's Avatar
 

Join Date: Feb 2007

Posts: 6,362


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Hi, tech-pro, osiris or Mak will read over your log soon.

Edit: This is for the security team only, MaXiMuS_N00BuS, and only do what they say, as they are experts in this field. I am just learning, but these are the ones that stand out to me; don't do anything without them saying so.

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - REMOVED LINK
O2 - BHO: (no name) - {1C3C4699-B285-475F-BE47-0B26088CE876} - (no file)

^ Must be fixed! ^
Unnecessary (deactivated) entry that can be fixed. iesplg.dll - Adware downloader, related to the notorious PS_Guard/SpywareQuake/WinAntivirus, ://sunbeltblog.blogspot.com/2006/03/seen-in-wild-spyware-quake_25.html foistware - a member of the Trojan-Downloader.Zlob.Media-Codec, REMOVED LINK
Found that one via google.
__________________
I am not here for long I am deploying soon so please don't expect anything long winded.


Last edited by Saxon; 06-19-2008 at 06:13 PM. Reason: Removed a link.
Saxon is offline  
Old 06-19-2008, 10:42 PM   #5 (permalink)
Mak213's Avatar
 

Join Date: Sep 2004

Location: C:\Windows\System32

Posts: 25,709


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Hello MaXiMuS_N00BuS,

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read ComboFix's Disclaimer.

Logs needed in Next Post:

ComboFix

Regards,
Mak213
__________________
R.I.P. Danny L. Trotter
14 Nov 1945 - 4 Sept 2009

Last edited by Mak213; 06-19-2008 at 10:44 PM.
Mak213 is online now  
Old 06-20-2008, 09:42 AM   #6 (permalink)
MaXiMuS_N00BuS's Avatar
 
Junior Techie

Join Date: Feb 2008

Posts: 78


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

ComboFix gives this error:

"The system cannot find message text for message number 0x8 in the message file for system.

Please Wait.
ComboFix is preparing to run.
The system cannot find message text for message number 0x8 in the message file for system."

^^-- Is that bad? Can I click yes on the disclaimer window that popped up after it gave the error?

Last edited by MaXiMuS_N00BuS; 06-20-2008 at 10:06 AM.
MaXiMuS_N00BuS is offline  
Old 06-20-2008, 11:10 AM   #7 (permalink)
MaXiMuS_N00BuS's Avatar
 
Junior Techie

Join Date: Feb 2008

Posts: 78


Default Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Here's the ComboFix Log:


ComboFix 08-06-19.2 - Michele 2008-06-20 9:12:29.1 - NTFSx86
Running from: C:\Users\Michele\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Users\Michele\FAVORI~1\Online Security Test.url
C:\Windows\system32\drivers\core.cache.dsk
C:\Windows\system32\drivers\core.sys
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CORE
-------\Legacy_FMTR
-------\Service_core


((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 20:43 --------- d-----w C:\Program Files\Process Explorer
2008-06-17 11:23 --------- d-----w C:\Program Files\Bonjour
2008-06-17 11:22 --------- d-----w C:\Program Files\QuickTime
2008-06-16 05:04 --------- d---a-w C:\ProgramData\TEMP
2008-06-16 05:04 --------- d-----w C:\Program Files\bfgclient
2008-06-12 00:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-05-21 13:42 --------- d-----w C:\ProgramData\Astar Games
2008-05-17 17:46 --------- d-----w C:\Program Files\SecondLife
2008-05-17 11:24 --------- d-----w C:\ProgramData\WLInstaller
2008-05-13 20:37 --------- d-----w C:\Program Files\HyCam2
2008-05-13 20:36 --------- d-----w C:\Program Files\The Weather Channel FW
2008-05-13 20:34 --------- d-----w C:\ProgramData\AOL
2008-05-11 22:11 --------- d-----w C:\Program Files\PC MightyMax 2007
2008-05-11 20:26 --------- d-----w C:\ProgramData\NVIDIA
2008-04-23 11:44 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-20 17:58 --------- d-----w C:\Program Files\Trend Micro
2008-04-20 17:13 --------- d-----w C:\Program Files\Apple Software Update
2007-10-23 23:00 85,584 ----a-w C:\Users\Michele\bigfishgames_p6137707_s1_l1.exe
2006-11-02 12:49 174 --sha-w C:\Program Files\desktop.ini
2006-04-03 18:04 577 ----a-w C:\Program Files\sfmsi.dat
2006-04-03 18:04 435 ----a-w C:\Program Files\sfxctrl.ach
2006-04-03 18:02 731,596 ----a-w C:\Program Files\atracplu.cab
2006-01-24 22:10 35,328 ------w C:\Program Files\dsetup.dll
2005-10-25 18:03 1,822,520 ----a-w C:\Program Files\InstMsi-x86w.exe
2005-10-25 18:03 1,708,856 ----a-w C:\Program Files\InstMsi-x86a.exe
2005-10-25 18:02 509,984 ----a-w C:\Program Files\50comupd.exe
2005-10-25 18:02 471,840 ----a-w C:\Program Files\hhupd.exe
2008-01-26 01:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2008-01-26 01:59 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2008-01-26 01:59 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1C3C4699-B285-475F-BE47-0B26088CE876}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 07:34 125440]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-01 18:11 4670968]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 07:33 201728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-14 15:50 4399104 C:\Windows\RtHDVCpl.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-16 09:15 579584]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"Windows svchost"="C:\WINDOWS\system32\drivers\etc\LSASS.exe C:\WINDOWS\SYSTEM32\DRIVERS\etc\svchost.exe" [ ]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-11 18:06 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-11 18:06 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-11 18:06 81920]
"PCMM2007RT"="C:\Program Files\PC MightyMax 2007\pcmm2007.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-24 10:42 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2008-01-24 10:42 9216 C:\Windows\System32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.JDCT"= jl_jdct.drv
"SENTINEL"= snti386.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{5BBF3A4C-3408-476A-8F0F-BEF149D61006}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A25AC25A-EEF5-474F-B691-1084448750FA}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{4E1D61ED-B9DD-41FE-9C60-84FA15AAD0D0}"= UDP:E:\FrostWire\FrostWire.exe:LimeWire
"{286685EC-2912-41EB-B925-A7D9B833D0D9}"= TCP:E:\FrostWire\FrostWire.exe:LimeWire
"{8F21EAA8-D866-4698-B61B-769C1D14CE84}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{9BD5D9EC-6073-4004-807C-4DA1301820DC}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{B5247C10-AA9C-46EE-AA21-230B91C5D481}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9FC874AB-BE91-4B8F-9026-A1BCE0B0D053}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{47E54D14-101F-4F44-B292-92637C536E6A}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{687722B2-0B26-47F7-8893-70236B536301}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{A8DFC478-76A5-4688-BE54-38741C9ECD5C}"= UDP:C:\Users\Michele\Desktop\FrostWire\FrostWire.exe:LimeWire
"{59851474-2D95-43B6-8EE9-71D201114215}"= TCP:C:\Users\Michele\Desktop\FrostWire\FrostWire.exe:LimeWire
"{810687B1-7B79-4BC8-9503-C6BCE2FBA21F}"= UDP:4000:Bittorrent
"{74196F4C-F970-49CD-AB4C-E81C9911383C}"= UDP:4001:Bittorrent
"{E90826F6-8E65-40E5-81AF-64A2ABA8058F}"= UDP:4002:Bittorrent
"{CA18CF64-F33F-4F38-B342-AE2DEFC28C90}"= UDP:4003:Bittorrent
"{E7B4C76D-3B94-4F11-8439-590E9071C3B1}"= UDP:4004:Bittorrent
"{7CD9F93B-BAF4-4BF3-ABCF-0080977D23F2}"= UDP:4005:Bittorrent
"{E4E69D7D-23D5-4C57-B1AE-E7092014247A}"= UDP:50021:Bittorrent
"TCP Query User{34893D79-0ADE-4F65-840D-EF3ED29945D9}C:\\program files\\small rockets\\mad - global thermonuclear warfare\\mad.exe"= UDP:C:\program files\small rockets\mad - global thermonuclear warfare\mad.exe:M.A.D.
"UDP Query User{AAC54FEB-472A-4213-9F0A-2EB31467607D}C:\\program files\\small rockets\\mad - global thermonuclear warfare\\mad.exe"= TCP:C:\program files\small rockets\mad - global thermonuclear warfare\mad.exe:M.A.D.
"TCP Query User{EAE5D9F3-F87A-4BE0-914C-799B7530ABAF}C:\\windows\\system32\\drivers\\services.exe"= UDP:C:\windows\system32\drivers\services.exe:services
"UDP Query User{70480DB9-FAF7-4CEC-A804-05E32B90A909}C:\\windows\\system32\\drivers\\services.exe"= TCP:C:\windows\system32\drivers\services.exe:services
"TCP Query User{18B42877-567D-48B2-9673-2B189A963EBF}C:\\program files\\bittyrant\\azureus.exe"= UDP:C:\program files\bittyrant\azureus.exe:Azureus
"UDP Query User{8C92A8A8-022D-40B8-8275-6E065048C7EF}C:\\program files\\bittyrant\\azureus.exe"= TCP:C:\program files\bittyrant\azureus.exe:Azureus
"TCP Query User{57D46F7F-B598-435F-AD10-6DEBF1FC58A3}C:\\windows\\system32\\ftp.exe"= UDP:C:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{68763583-1FC9-40E5-A1C7-9AD1207B9778}C:\\windows\\system32\\ftp.exe"= TCP:C:\windows\system32\ftp.exe:File Transfer Program
"TCP Query User{77356155-8439-4BFF-BD0C-149D3CD3901C}C:\\program files\\counter-strike source\\hl2.exe"= UDP:C:\program files\counter-strike source\hl2.exe:hl2
"UDP Query User{D89ADA91-3B77-42F2-8AD7-DD847F18FBF6}C:\\program files\\counter-strike source\\hl2.exe"= TCP:C:\program files\counter-strike source\hl2.exe:hl2
"TCP Query User{2FCD2674-B0C0-4C4E-8225-5F3EF7A88F3E}C:\\program files\\skype\\phone\\skype.exe"= UDP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{E8C42E51-9310-424E-9300-1DA65D428075}C:\\program files\\skype\\phone\\skype.exe"= TCP:C:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"{2B98AB20-0BF1-4698-A695-2E4699BEC9F0}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{43943A78-2577-4F1F-A909-5ACF3CCA2F69}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{F5D6B295-D255-4554-9684-34E2C075E604}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{871C0F14-2632-44D8-A584-73A34D4C8B1A}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{213453AD-E4CA-44F4-A6D9-8AB148173C9F}"= UDP:C:\Users\Michele\Desktop\FrostWire\FrostWire.exe:LimeWire
"{15EF3132-EEF0-444F-89B9-2CB9AF9EC13B}"= TCP:C:\Users\Michele\Desktop\FrostWire\FrostWire.exe:LimeWire
"{4F19D593-76F0-4501-B5A9-DF25A3E0C53B}"= UDP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{CD24EF7A-932B-4ECD-85B4-8F1D3D7C14BC}"= TCP:C:\Program Files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{E699ACCA-EF71-41D9-84B2-D3E707183B53}"= Disabled:UDP:443:ooVoo TCP port 443
"{2424BF7B-9A43-4C80-AC1A-D81D8244DBCB}"= Disabled:TCP:443:ooVoo UDP port 443
"{931C6F44-AFCF-4BDC-BC21-D2A8EF379454}"= Disabled:UDP:37674:ooVoo TCP port 37674
"{91A6D619-50AB-449D-9772-ECB3290F5D44}"= Disabled:TCP:37674:ooVoo UDP port 37674
"{B701C275-4579-44D3-AA1A-20A456477292}"= Disabled:TCP:37675:ooVoo UDP port 37675
"{65CC883C-2589-4C38-8268-1F9260E581A4}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{2C3BDC47-379C-4A25-9265-C306C5E289B4}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{E512B4EF-1CF8-481E-BB69-19BBD7EC3595}"= UDP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{7CFC282A-1C06-4F21-A5E0-3EFFA66F4604}"= TCP:C:\Program Files\FrostWire\FrostWire.exe:LimeWire
"{D466E740-15AA-4724-91F0-C61E1C18BE06}"= Disabled:UDP:3724:Blizzard Downloader
"{B9558B40-2FE9-4E96-97D0-5DECA9C0EA39}"= Disabled:UDP:6112:Blizzard Downloader
"TCP Query User{6C92FB7D-2B03-4FF6-A079-53C4E7E2E19F}C:\\program files\\secondlife\\slvoice.exe"= UDP:C:\program files\secondlife\slvoice.exe:SLVoice
"UDP Query User{EA30FCD4-EECA-4F49-9CF2-4B4A8461ADA7}C:\\program files\\secondlife\\slvoice.exe"= TCP:C:\program files\secondlife\slvoice.exe:SLVoice
"TCP Query User{BA20A79D-54A0-4AF4-BF70-DA0FEE24499B}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{D3346B0E-14D1-42E0-96DB-C81EA0AA8984}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{6A69454E-0358-4DFC-8E13-7E5A7CC43BB2}C:\\program files\\secondlifewindlight\\slvoice.exe"= UDP:C:\program files\secondlifewindlight\slvoice.exe:SLVoice
"UDP Query User{C96E547E-1A7C-4A5A-A5EF-4DCE1AB10B4E}C:\\program files\\secondlifewindlight\\slvoice.exe"= TCP:C:\program files\secondlifewindlight\slvoice.exe:SLVoice
"TCP Query User{B3BA1577-D1F2-424B-B225-BA252BEE8075}C:\\program files\\dc++\\dcplusplus.exe"= UDP:C:\program files\dc++\dcplusplus.exeC++
"UDP Query User{1B6C45F4-E909-4CE1-B8EC-1A73D20C168D}C:\\program files\\dc++\\dcplusplus.exe"= TCP:C:\program files\dc++\dcplusplus.exeC++
"{212F94BD-6399-44CA-A85C-15E5929DA246}"= UDP:2869:LocalSubnet:LocalSubnet:WORKGROUP port
"{E224C35D-4744-4B3D-98BB-F65465F0EFFE}"= TCP:1900:LocalSubnet:LocalSubnet:WORKGROUP port
"{4D2E2C05-43E2-47D0-8478-DD5E8FD95DBD}"= UDP:C:\Program Files\Axence\NetTools\3.1\nVision.exe:nVision
"{76765CF0-D33B-465C-A3C1-A2950A250749}"= TCP:C:\Program Files\Axence\NetTools\3.1\nVision.exe:nVision
"{95ED0C09-0AD8-47A9-A6C6-5C8561B1B7D5}"= UDP:C:\Program Files\Axence\NetTools\3.1\nVision.exe:nVision
"{256BEC83-B0C7-4DE4-9206-C5CB86C275F5}"= TCP:C:\Program Files\Axence\NetTools\3.1\nVision.exe:nVision
"{9946E481-BD3B-44C8-94E3-711614B3126D}"= UDP:4434:nVision Agent Data Server
"{7FAF259A-242A-407A-A483-005C70CFFC4C}"= UDP:4434:nVision Agent Data Server
"TCP Query User{E154C283-4EB4-43C2-9575-51472BD47ED8}C:\\program files\\axence\\nettools\\3.1\\nettools.exe"= UDP:C:\program files\axence\nettools\3.1\nettools.exe:Axence NetTools 3.1
"UDP Query User{3F316880-2F97-4F74-B99C-8CD94EEB5238}C:\\program files\\axence\\nettools\\3.1\\nettools.exe"= TCP:C:\program files\axence\nettools\3.1\nettools.exe:Axence NetTools 3.1
"TCP Query User{923651A1-3CDC-425A-81CE-7EE17C60AFDD}C:\\program files\\secondlifewindlight\\secondlifewindlight.exe"= UDP:C:\program files\secondlifewindlight\secondlifewindlight.exe:Second Life
"UDP Query User{74244860-8173-4327-96AF-EC099866B04A}C:\\program files\\secondlifewindlight\\secondlifewindlight.exe"= TCP:C:\program files\secondlifewindlight\secondlifewindlight.exe:Second Life
"TCP Query User{10C36F74-0A08-4523-9491-83F4CAE60792}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= UDP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"UDP Query User{BD1B2ED3-055F-4009-AB48-C1A38748D0E4}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= TCP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"TCP Query User{DDA5A9E7-A7AD-4B5E-AE6F-0D5C4CE7DB2F}C:\\program files\\free download manager\\fdm.exe"= UDP:C:\program files\free download manager\fdm.exe:Free Download Manager
"UDP Query User{5207637E-FC31-4DD5-A788-FB73C2039D2C}C:\\program files\\free download manager\\fdm.exe"= TCP:C:\program files\free download manager\fdm.exe:Free Download Manager
"TCP Query User{150481B0-8D98-46A1-864F-CFF6B808F73E}C:\\program files\\myspace\\im\\myspaceim.exe"= Disabled:UDP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"UDP Query User{F03545A1-710E-4ECD-8927-FF2009051107}C:\\program files\\myspace\\im\\myspaceim.exe"= Disabled:TCP:C:\program files\myspace\im\myspaceim.exe:MySpace Instant Messenger
"{C2209F47-2205-4982-85CE-045EB1995EA8}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{9D2C9C93-856C-4433-AEA3-24A8898C2E98}C:\\program files\\secondlifereleasecandidate\\slvoice.exe"= UDP:C:\program files\secondlifereleasecandidate\slvoice.exe:SLVoice
"UDP Query User{ED134ABB-E427-424A-ACB2-141A69E42D37}C:\\program files\\secondlifereleasecandidate\\slvoice.exe"= TCP:C:\program files\secondlifereleasecandidate\slvoice.exe:SLVoice
"TCP Query User{06D73235-F397-4D12-82A0-BED56DC05815}C:\\program files\\secondlifereleasecandidate\\secondlifereleasecandidate.exe"= UDP:C:\program files\secondlifereleasecandidate\secondlifereleasecandidate.exe:Second Life
"UDP Query User{A8165BE5-27A6-43E8-B7FA-2623DCEFD5DA}C:\\program files\\secondlifereleasecandidate\\secondlifereleasecandidate.exe"= TCP:C:\program files\secondlifereleasecandidate\secondlifereleasecandidate.exe:Second Life
"TCP Query User{D4126A17-2E3E-4007-A687-22985B5C2A11}C:\\program files\\secondlife\\secondlife.exe"= UDP:C:\program files\secondlife\secondlife.exe:Second Life
"UDP Query User{A13E5436-F8B6-4A72-847F-16C06F96302D}C:\\program files\\secondlife\\secondlife.exe"= TCP:C:\program files\secondlife\secondlife.exe:Second Life
"TCP Query User{DB5B9154-4762-4E3F-AEAE-7F19C1700D0E}C:\\program files\\bittyrant\\azureus.exe"= Disabled:UDP:C:\program files\bittyrant\azureus.exe:Azureus
"UDP Query User{698FB69A-317E-48CF-A582-06A22E6B4E1D}C:\\program files\\bittyrant\\azureus.exe"= Disabled:TCP:C:\program files\bittyrant\azureus.exe:Azureus
"TCP Query User{728768C5-EF2F-4FDB-8DAD-309635918C83}C:\\program files\\azureus\\azureus.exe"= Disabled:UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{7A272EF4-978E-42E2-9394-E168D8F52BFF}C:\\program files\\azureus\\azureus.exe"= Disabled:TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{A3A98F32-AE34-4A5E-9935-86F22CB5CDEA}C:\\program files\\net tools\\nettools4.exe"= Disabled:UDP:C:\program files\net tools\nettools4.exe:Net Tools by M.A.B.
"UDP Query User{9755135A-4B73-48FA-8BA3-F87FFB25FE84}C:\\program files\\net tools\\nettools4.exe"= Disabled:TCP:C:\program files\net tools\nettools4.exe:Net Tools by M.A.B.
"TCP Query User{4948B71F-92E9-4D51-AE90-E6839C695E82}C:\\windows\\system32\\drivers\\services.exe"= UDP:C:\windows\system32\drivers\services.exe:services
"UDP Query User{19992B03-28CD-4754-A308-4541F2CD4775}C:\\windows\\system32\\drivers\\services.exe"= TCP:C:\windows\system32\drivers\services.exe:services
"{61C5CB31-BACE-420D-A6A4-D62381A1CF10}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{D43FAC65-873D-47FA-A18B-9AF65477AC8C}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7723103F-A9E8-4C2B-8936-9442343CD7AC}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{C36ADB6A-017B-4F74-B49D-8EE821BB7A06}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{481B30CC-9DB9-424F-9B5B-4F4E67AB9985}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{6D933C3E-7E9F-4253-88E1-DF66C4D43E6B}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|S vc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\StandardProfile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
"DefaultOutboundAction"= 0 (0x0)
"DefaultInboundAction"= 1 (0x1)

R3 AvgWFP;AVG7 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfp.sys [2008-03-13 09:14]
R3 CLEDX;Team H2O CLEDX service;C:\Windows\system32\DRIVERS\cledx.sys [2005-05-09 20:08]
S3 NPF;NetGroup Packet Filter Driver;C:\Windows\system32\drivers\npf.sys [2007-01-25 12:31]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 17:47:55 C:\Windows\Tasks\At1.job"
"2008-06-19 23:44:08 C:\Windows\Tasks\User_Feed_Synchronization-{BFB375D6-306D-4754-AFC7-9EFAF334C5AA}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
Old 06-20-2008, 11:11 AM   #8 (permalink)
MaXiMuS_N00BuS

Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

***CONTINUED***

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 09:32:29
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\conime.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-06-20 9:58:19 - machine was rebooted [Michele]
ComboFix-quarantined-files.txt 2008-06-20 14:57:12

The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.

237 --- E O F --- 2008-06-19 12:43:52
Old 06-20-2008, 01:52 PM   #9 (permalink)
Mak213

Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Hello MaXiMuS_N00BuS,

Step1 | Kaspersky Webscanner

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step2 | MBAM

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Logs needed in next post:

ComboFix
MBAM

Regards,
Mak
Old 06-20-2008, 02:50 PM   #10 (permalink)
MaXiMuS_N00BuS

Re: 45 pop-ups in 3 hours!!! (W/ HJT Log)

Kaspersky online scan error:

"Starting Java applet has failed! Please go online to use this program"