Odd Processes running on my computer...


SonicX8000

I personally don't know how these got there, and currently I am running Malwarebytes and AVG to see if that will remove it.

The Odd processes are...
d.exe
f.exe
msa.exe
msb.exe

Whenever d.exe runs, my computer goes very slow, and its CPU usage goes to about 170k+, maybe higher. (Most I've seen was 210K.) I have seen a Registry Key for this, and I disabled it via msconfig, but that doesn't help, as the thing keeps coming back after I kill it.

There's also msa.exe and msb.exe; however, I found those 2 files and removed them, but I don't think that fixes anything...

f.exe sometimes appears, but it only appears if I kill d.exe's process, and I think it does the same thing.

Any suggestions of what else I could do to get rid of these problems?

(Note : I don't know if this belongs here or in any forum.)
 
This does sound like Malware...
Are you sure your Anti-Virus and Anti-Malware are up to date and active? If they are, Google them as Mystic said.
 
Ok, I managed to get rid of d.exe, along with f.exe, g.exe, a.exe, b.exe, c.exe, which were found in the Temp Folder, and msa.exe and msb.exe.

However there's a Registry Key for d.exe that doesn't want to be removed. (Even though it's disabled.)

[screenshot: rh93yu.png]

The ones with the Red Marks are the ones I want to remove off this list, even though they are disabled, but I don't want something to turn them back on...

I tried Regedit, but that didn't show me the Correct Keys for it.

Also... it appears ComboFix is offline at the moment...
 
bleepingcomputer is not down for me; the malware must be blocking access to the site. Use this local mirror of the file:
hxxp://logan.srb2.org/randomnameheretostopmalwarefromblockingit.exe
 
I Googled all those process names. They're all viruses, and they're all pretty dangerous to have on your machine. A slow computer might soon be the least of your worries, because some of those processes can automatically download harmful software or wreck your firewall.

Anyway, what you need is some good antivirus software. It can remove those threats and prevent future problems too. I recommend McAfee, and, while you're at it, you might also want to get Spybot.
 
Whenever I visit the one link above the bottom link, it gives me this.

*ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page.
DO NOT attempt to download ComboFix from sites other than BleepingComputer.com and Forospyware.com!
Other sites hosting ComboFix are not authorized mirrors and are hosting outdated copies of ComboFix that contain a bug that may render some machines unbootable. Using unauthorized mirrors of ComboFix puts your computer at risk of not booting again. Please wait for the official version to be fixed and released again.
We will also announce when ComboFix is available on our Twitter and Facebook pages.*

The other link under the one I clicked on allows me to download it, but then... it gave me the same message whenever I click on the EXE File for it.

I also tried downloading to a school computer, and it gave me the same as the message above me.

I don't think any Malware blocked it, as it would have given me a connection problem or something, and most of those odd EXE Files were removed and deleted. (I restarted the computer a few times, and checked to ensure that they didn't appear again; also none of its processes ran upon startup.)

However, I will try the Secondary Link that LoganA put, after I get home from school.
 
I just noticed Aim6 is installed on your computer.
Aim7 is out... just an FYI...

Try downloading CCleaner. It has a built in Registry fixer that you can use.
 
Just from a glance, until ComboFix is back up, you're in trouble. The files in the temp folder mean that they're being generated at startup. ComboFix is specifically an anti-rootkit program, which is why many tech-savvy users recommend its use as a last resort.

A few years ago, there was an instance where I ran ComboFix for the first time at the recommendation of a server admin and had to factory restore my drive because it deleted important bootup information.
 
Yea, that's why in the newer versions, it downloads and installs the recovery console from microsoft.com before doing its thing.
 
Autosaver, thanks for the suggestion. I have downloaded CCleaner, and I was able to remove those issues in the screenshot that I posted, including d.

I had a lot of broken/invalid/unused Registry Keys (about 800+), which are now taken care of.

Never used Aim, only my sisters did, but they are hardly ever home, so... I got rid of it.

Hopefully I won't be seeing these issues again.
 
Yes, bumping this Topic.

LoganA, if you still need the log of Combofix, I'll post it here, as soon as it's done making a log file.

*EDIT* Here's the Combofix Log.

Code:
ComboFix 09-12-29.05 - John Stanley Garcia 12/30/2009   4:40.1.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.128 [GMT -6:00]
Running from: c:\documents and settings\John Stanley Garcia\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 091230-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\JOHNST~1\APPLIC~1\Desktopicon
c:\documents and settings\Guest\Application Data\alot
c:\documents and settings\Leah  M Garcia\Application Data\alot
C:\LOG.TXT
c:\program files\Common
c:\program files\iMeshBar
c:\program files\iMeshBar\bar\History\search
c:\program files\IncrediFind
c:\program files\IncrediFind\BHO\date.txt
c:\windows\system32\2llpk0ja.dat
c:\windows\system32\im64.dll
c:\windows\system32\P2P Networking
c:\windows\system32\Status1.dll

c:\windows\system32\grpconv.exe was missing 
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF
-------\Service_NPF


(((((((((((((((((((((((((   Files Created from 2009-11-28 to 2009-12-30  )))))))))))))))))))))))))))))))
.

2009-12-30 10:14 . 2009-12-30 10:14    --------    d-----w-    c:\documents and settings\All Users\Application Data\TEMP
2009-12-30 10:12 . 2009-12-30 10:12    --------    d-----w-    c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-30 10:12 . 2009-12-30 10:12    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\Simply Super Software
2009-12-30 06:20 . 2009-12-30 06:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-12-30 06:19 . 2009-12-30 06:19    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\SUPERAntiSpyware.com
2009-12-17 13:58 . 2009-12-17 13:58    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\PC Tools
2009-12-14 04:02 . 2009-12-14 04:02    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\Registry Mechanic

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-30 10:13 . 2009-12-30 10:12    --------    d-----w-    c:\program files\Trojan Remover
2009-12-30 08:35 . 2007-03-18 02:53    --------    d-----w-    c:\program files\mIRC
2009-12-30 06:19 . 2009-12-30 06:19    --------    d-----w-    c:\program files\SUPERAntiSpyware
2009-12-30 06:18 . 2007-09-14 23:19    --------    d-----w-    c:\program files\Common Files\Wise Installation Wizard
2009-12-19 03:08 . 2009-11-06 04:59    235620    ----a-w-    c:\documents and settings\John Stanley Garcia\Local Settings\Application Data\prvlcl.dat
2009-12-18 02:28 . 2005-06-12 14:31    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\AOL
2009-12-17 22:15 . 2009-12-17 22:15    --------    d-----w-    c:\program files\Alwil Software
2009-12-17 22:11 . 2009-11-26 09:55    --------    d-----w-    c:\program files\Unlocker
2009-12-17 14:02 . 2009-12-17 13:58    --------    d-----w-    c:\program files\Common Files\PC Tools
2009-12-16 22:01 . 2005-08-24 05:10    --------    d-----w-    c:\program files\Microsoft AntiSpyware
2009-12-16 21:08 . 2009-09-08 14:49    --------    d-----w-    c:\documents and settings\Leah  M Garcia\Application Data\vlc
2009-12-16 01:28 . 2008-07-01 21:13    39    ----a-w-    c:\documents and settings\John Stanley Garcia\jagex_runescape_preferences.dat
2009-12-16 01:25 . 2009-09-02 13:15    69    ----a-w-    c:\documents and settings\John Stanley Garcia\jagex_runescape_preferences2.dat
2009-12-15 21:32 . 2009-12-15 21:32    --------    d-----w-    c:\program files\CCleaner
2009-12-14 21:48 . 2009-12-14 21:48    --------    d-----w-    c:\program files\Easy Video Splitter
2009-12-14 11:30 . 2008-07-11 02:57    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2009-12-14 11:30 . 2009-12-14 11:30    4844296    ----a-w-    c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-14 02:23 . 2009-12-14 02:23    --------    d-----w-    c:\program files\Enigma Software Group
2009-12-13 19:03 . 2008-08-17 06:24    --------    d-----w-    c:\program files\Solveig Multimedia
2009-12-13 19:03 . 2009-12-13 18:59    --------    d-----w-    c:\program files\Common Files\Elecard
2009-12-13 13:02 . 2005-06-09 17:33    --------    d-----w-    c:\program files\QuickTime
2009-12-13 12:56 . 2009-05-08 02:35    --------    d-----w-    c:\program files\Common Files\Apple
2009-12-10 16:33 . 2009-12-16 17:21    911168    ----a-w-    c:\documents and settings\Leah  M Garcia\Application Data\Mozilla\Firefox\Profiles\8517onda.default\extensions\{C2DCA7EB-22D2-4FD2-86A9-F99FCC8122BB}\mywebtattoo.exe
2009-12-09 11:11 . 2008-09-27 23:38    --------    d-----w-    c:\documents and settings\All Users\Application Data\Microsoft Help
2009-12-03 22:14 . 2009-10-11 03:25    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-03 22:13 . 2009-10-11 03:25    19160    ----a-w-    c:\windows\system32\drivers\mbam.sys
2009-12-02 03:16 . 2009-10-24 19:51    --------    d-----w-    c:\program files\Perfect Uninstaller
2009-12-02 02:36 . 2007-05-08 07:29    --------    d-----w-    c:\program files\Google
2009-11-24 23:54 . 2009-12-17 22:15    1280480    ----a-w-    c:\windows\system32\aswBoot.exe
2009-11-24 23:51 . 2009-12-17 22:16    93424    ----a-w-    c:\windows\system32\drivers\aswmon.sys
2009-11-24 23:50 . 2009-12-17 22:16    94160    ----a-w-    c:\windows\system32\drivers\aswmon2.sys
2009-11-24 23:50 . 2009-12-17 22:16    114768    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2009-11-24 23:50 . 2009-12-17 22:16    20560    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2009-11-24 23:49 . 2009-12-17 22:16    48560    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2009-11-24 23:48 . 2009-12-17 22:16    23120    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2009-11-24 23:47 . 2009-12-17 22:16    27408    ----a-w-    c:\windows\system32\drivers\aavmker4.sys
2009-11-24 23:47 . 2009-12-17 22:16    97480    ----a-w-    c:\windows\system32\AvastSS.scr
2009-11-21 23:50 . 2007-05-11 06:01    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\uTorrent
2009-11-19 14:31 . 2009-11-19 14:31    --------    d-----w-    c:\documents and settings\Leah  M Garcia\Application Data\Malwarebytes
2009-11-19 08:01 . 2009-11-08 00:09    --------    d-----w-    c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-11-11 15:31 . 2009-11-08 00:10    360584    ----a-w-    c:\windows\system32\drivers\avgtdix.sys
2009-11-09 17:20 . 2009-12-17 13:59    207792    ----a-w-    c:\windows\system32\drivers\PCTCore.sys
2009-11-08 06:02 . 2008-06-25 03:50    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\Hamachi
2009-11-08 00:10 . 2009-11-08 00:10    12464    ----a-w-    c:\windows\system32\avgrsstx.dll
2009-11-08 00:10 . 2009-11-08 00:10    333192    ----a-w-    c:\windows\system32\drivers\avgldx86.sys
2009-11-08 00:10 . 2009-11-08 00:10    28424    ----a-w-    c:\windows\system32\drivers\avgmfx86.sys
2009-11-08 00:09 . 2009-10-26 23:58    --------    d-----w-    c:\documents and settings\All Users\Application Data\avg9
2009-11-07 18:45 . 2009-11-07 18:45    --------    d-----w-    c:\docume~1\JOHNST~1\APPLIC~1\AVG9
2009-11-07 05:14 . 2009-11-07 05:13    1677    ----a-w-    c:\windows\system32\unins000.dat
2009-11-07 05:14 . 2009-11-07 05:13    695578    ----a-w-    c:\windows\system32\unins000.exe
2009-11-07 04:58 . 2008-12-09 04:36    --------    d-----w-    c:\program files\NCH Software
2009-11-05 03:30 . 2009-10-10 00:38    --------    d-----w-    c:\program files\Java
2009-10-30 17:11 . 2009-12-17 14:00    233136    ----a-w-    c:\windows\system32\drivers\pctgntdi.sys
2009-10-29 07:45 . 2004-08-04 10:00    916480    ----a-w-    c:\windows\system32\wininet.dll
2009-10-25 05:14 . 2007-07-08 06:29    127280    -c--a-w-    c:\documents and settings\John Stanley Garcia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-21 05:38 . 2004-08-04 10:00    75776    ----a-w-    c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2004-08-04 10:00    25088    ----a-w-    c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 10:00    265728    ----a-w-    c:\windows\system32\drivers\http.sys
2009-10-16 18:12 . 2009-11-19 08:01    1119488    ----a-w-    c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-10-13 10:30 . 2004-08-04 10:00    270336    ----a-w-    c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2004-08-04 10:00    149504    ----a-w-    c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2004-08-04 10:00    79872    ----a-w-    c:\windows\system32\raschap.dll
2009-10-11 10:17 . 2009-03-27 17:42    411368    ----a-w-    c:\windows\system32\deploytk.dll
2009-10-06 22:31 . 2009-12-17 13:59    87784    ----a-w-    c:\windows\system32\drivers\PCTAppEvent.sys
2005-03-02 04:19 . 2004-11-08 22:30    848    -csha-w-    c:\windows\SYSTEM32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2009-04-23 691656]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-12-16 2002160]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-18 1070984]

c:\documents and settings\Leah  M Garcia\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2007-8-16 147456]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\Hotsync.exe [2004-6-9 471040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21    548352    ----a-w-    c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-11-08 00:10    12464    ----a-w-    c:\windows\SYSTEM32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^John Stanley Garcia^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\John Stanley Garcia\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12    1695232    ----a-w-    c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"YahooAUService"=2 (0x2)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate"=2 (0x2)
"AresChatServer"=3 (0x3)
"AOL TopSpeedMonitor"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\John Stanley Garcia\\Desktop\\Skulltag\\IdeSE.exe"=
"c:\\Documents and Settings\\John Stanley Garcia\\Desktop\\Skulltag\\skulltag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Doomsday\\bin\\Doomsday.exe"=
"c:\\WINDOWS\\SYSTEM32\\DPLAYSVR.EXE"=
"c:\\Documents and Settings\\John Stanley Garcia\\Desktop\\GTA2\\gta2.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\John Stanley Garcia\\Desktop\\Sonic Robo Blast 2 V2.0\\srb2win.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5394:UDP"= 5394:UDP:KEGA

R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [12/17/2009 7:59 AM 207792]
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [8/4/2007 7:59 PM 721904]
R1 aswSP;avast! Self Protection;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [12/17/2009 4:16 PM 114768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [11/7/2009 6:10 PM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\SYSTEM32\DRIVERS\avgtdix.sys [11/7/2009 6:10 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [12/16/2009 4:26 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/16/2009 4:26 PM 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [12/17/2009 4:16 PM 20560]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/16/2009 4:27 PM 7408]
S2 avg9wd;AVG Free WatchDog;"c:\program files\AVG\AVG9\avgwdsvc.exe" --> c:\program files\AVG\AVG9\avgwdsvc.exe [?]
S3 jbridgep;jbridgep;\??\c:\windows\TEMP\jbridgep.sys --> c:\windows\TEMP\jbridgep.sys [?]
S3 MR97310_VGA_DUAL_CAMERA;MR97310 VGA Dual Mode Camera;c:\windows\SYSTEM32\DRIVERS\MR97310v.sys [10/28/2004 11:37 AM 116686]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\SYSTEM32\DRIVERS\rt2500usb.sys [7/7/2007 11:15 PM 104320]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/1/2009 8:35 PM 135664]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32    128512    ----a-w-    c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 02:35]

2009-12-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-02 02:35]
.
.
------- Supplementary Scan -------
.
uStart Page = 
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&fr=yie7c
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/hamsterball/raptisoftgameloader.cab
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://ecampus.wintu.edu/secure/PhxStudent15.CAB
FF - ProfilePath - c:\docume~1\JOHNST~1\APPLIC~1\Mozilla\Firefox\Profiles\d0z01g96.default\
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-30 04:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys spot.sys hal.dll >>UNKNOWN [0x8378B938]<< 
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf86d2f28
\Driver\ACPI -> ACPI.sys @ 0xf848ccb8
\Driver\atapi -> atapi.sys @ 0xf8447b40
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf82dfbb0
 PacketIndicateHandler -> NDIS.sys @ 0xf82eca21
 SendHandler -> NDIS.sys @ 0xf82ca87b
user & kernel MBR OK 

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4190103899-3829903150-2597335994-1009\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS]
@DACL=(02 0000)
@=""
"infopath.exe"=dword:00000000
"msn6.exe"=dword:00000000
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"*"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL]
@DACL=(02 0000)
@=""
"SAPLOGON.exe"=dword:00000000
"SAPfewgsrv.exe"=dword:00000000
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"*"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"clview.exe"=dword:00000001
"SAPGUI.exe"=dword:00000000
"SAPGuiIT.exe"=dword:00000000
"SAPLgPad.exe"=dword:00000000
"Scale_for_R3.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_SQM_UPLOAD_FOR_APP]
@DACL=(02 0000)
"ieuser.exe"=dword:00000001
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK]
@DACL=(02 0000)
"YahooMusicEngine.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_SCRIPT_PASTE_URLACTION_IF_PROMPT]
@DACL=(02 0000)
"devenv.exe"=dword:00000001
"dexplore.exe"=dword:00000001
"helppane.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS]
@DACL=(02 0000)
"msfeedssync.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_XML_PROLOG]
@DACL=(02 0000)
"msiexec.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IMAGING_USE_ART]
@DACL=(02 0000)
@=""
"waol.exe"=dword:00000001
"cs.exe"=dword:00000001
"wm.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INTERNET_SHELL_FOLDERS]
@DACL=(02 0000)
"iexplore.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DISPPARAMS]
@DACL=(02 0000)
"helppane.exe"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LEGACY_DLCONTROL_BEHAVIORS]
@DACL=(02 0000)
"wlmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
@DACL=(02 0000)
"wmplayer.exe"=dword:00000001
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"waol.exe"=dword:00000001
"Groove.exe"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER]
@DACL=(02 0000)
"explorer.exe"=dword:00000004

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER]
@DACL=(02 0000)
"explorer.exe"=dword:00000002

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME]
@DACL=(02 0000)
"mshta.exe"=dword:00000001
"outlook.exe"=dword:00000001
"sidebar.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTECT_DECOMPRESSION_FILTER_FROM_ABORT_KB942367]
@DACL=(02 0000)
@=""
"*"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000000
"explorer.exe"=dword:00000000
"WMPlayer.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RELEASE_CALLBACK_ON_STOP_BINDING]
@DACL=(02 0000)
"communicator.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001
"msimn.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SUBDOWNLOAD_LOCKDOWN]
@DACL=(02 0000)
"msimn.exe"=dword:00000001
"outlook.exe"=dword:00000001
"winmail.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_WINDOWEDSELECTCONTROL]
@DACL=(02 0000)
"excel.exe"=dword:00000001
"infopath.exe"=dword:00000001
"powerpnt.exe"=dword:00000001
"winword.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL]
@DACL=(02 0000)
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD]
@DACL=(02 0000)
"msn.exe"=dword:00000001
"msn6.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XSSFILTER]
@DACL=(02 0000)
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION]
@DACL=(02 0000)
@=""
"iexplore.exe"=dword:00000001
"explorer.exe"=dword:00000001
"msimn.exe"=dword:00000001
"WMPlayer.exe"=dword:00000001
"GROOVE.EXE"=dword:00000001
"OUTLOOK.EXE"=dword:00000001
"clview.exe"=dword:00000001
"PresentationHost.exe"=dword:00000001
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Avi2Dvd\Programs\Filters\Haali media splitter\mmfinfo.dll
c:\program files\Avi2Dvd\Programs\Filters\Haali media splitter\mkunicode.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-12-30  05:12:01 - machine was rebooted
ComboFix-quarantined-files.txt  2009-12-30 11:11

Pre-Run: 54,605,885,440 bytes free
Post-Run: 54,546,419,712 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=6 Default=6 Failed=5 LastKnownGood=7 Sets=1,2,3,4,5,6,7
- - End Of File - - 41829EEA96466E39EB580D509992A9DC
Sorry it's this big; personally, I want to know if I need to do anything else to ensure that everything here is cleaned out.

*EDIT AGAIN*
It appears I no longer get redirects to odd sites through Firefox, but I am 100% sure it will still keep giving me redirects sooner or later... >_>

Internet Explorer doesn't seem to have redirecting problems either.

Also, I should mention that after ComboFix was making its log, I noticed a red shield with an X mark on it in my icons tab (the lower right corner of my screen). It was reminding me that I had my Windows Firewall off. Now let me say this: this is the first time I've seen it remind me of that. (After ComboFix saved the log, I enabled my firewall, and then the red X shield thingy went away.)

Did I FINALLY get rid of this annoying issue? Or is this just a hoax...?

Now that that's out of the way, I sleep.
-----
*Edit again!*
Upon restarting the computer, I no longer get redirects in either Firefox or Internet Explorer! Thanks to ComboFix. (Thanks, LoganA.)
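The question above ("do I need to do anything else to ensure that everything here is cleaned out") is the kind of check that is easier to do over the log itself than by eye. The Python below is an added example, not part of this thread and not anything ComboFix ships: it parses the two sections of a ComboFix-style log that list loaded DLLs and running processes, then flags entries matching the indicators the thread itself named (single-letter executables such as a.exe through g.exe, msa.exe/msb.exe, and anything running from a Temp folder). The embedded sample log is constructed in the posted format; the two Temp-folder entries in it are invented for illustration and do not appear in the real log.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Parses the 'DLLs Loaded Under Running Processes' and 'Other Running
Processes' sections and flags entries that match the indicators named in
the thread: single-letter .exe names, msa.exe/msb.exe, and anything
loaded from a \\temp\\ directory.
"""
import re

# Constructed sample in the posted log's layout.  The two
# 'locals~1\temp' entries are invented; the rest mirrors the real log.
SAMPLE_LOG = r"""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(664)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3060)
c:\windows\system32\WININET.dll
c:\program files\Unlocker\UnlockerHook.dll
c:\docume~1\owner\locals~1\temp\msa.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\rundll32.exe
c:\docume~1\owner\locals~1\temp\d.exe
.
**************************************************************************
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")          # '----- Title -----'
PROC_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)$")      # "- - - > 'name'(pid)"
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)            # drive-letter path

# Indicators from the thread: a.exe..g.exe, msa.exe, msb.exe, Temp folder.
SUSPECT_NAME_RE = re.compile(r"^(?:[a-z]|msa|msb)\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def parse_log(text):
    """Return {'dlls': {(proc, pid): [paths]}, 'processes': [paths]}."""
    dlls, procs = {}, []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # ComboFix uses '.' as a spacer
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current = m.group(1), None
            continue
        if line.startswith("****"):          # end-of-report banner
            section = None
            continue
        if section == "DLLs Loaded Under Running Processes":
            m = PROC_RE.match(line)
            if m:
                current = (m.group(1), int(m.group(2)))
                dlls[current] = []
            elif current is not None and PATH_RE.match(line):
                dlls[current].append(line)
        elif section == "Other Running Processes" and PATH_RE.match(line):
            procs.append(line)
    return {"dlls": dlls, "processes": procs}


def flag_path(path):
    """Return the indicator names a path matches (empty list if clean)."""
    name = path.rsplit("\\", 1)[-1]
    reasons = []
    if SUSPECT_NAME_RE.match(name):
        reasons.append("name-matches-thread-indicator")
    if TEMP_DIR_RE.search(path):
        reasons.append("runs-from-temp")
    return reasons


def triage(text):
    """Return [(context, path, reasons)] for every flagged log entry."""
    parsed = parse_log(text)
    hits = []
    for (proc, pid), paths in parsed["dlls"].items():
        for p in paths:
            reasons = flag_path(p)
            if reasons:
                hits.append((f"{proc}({pid})", p, reasons))
    for p in parsed["processes"]:
        reasons = flag_path(p)
        if reasons:
            hits.append(("process", p, reasons))
    return hits


if __name__ == "__main__":
    for ctx, path, reasons in triage(SAMPLE_LOG):
        print(f"{ctx}: {path}  <- {', '.join(reasons)}")
```

Run against the real log pasted above, this flags nothing in the DLL and process sections, which is consistent with the OP's report that the redirects stopped. What the log cannot tell you is what the two rundll32.exe instances under "Other Running Processes" are hosting, since ComboFix prints only the image path; that is worth checking with a tool that shows command lines (Process Explorer, for example) before calling the machine clean.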
 