infected with fsharproj Trojan & Google keeps redirecting in FF and IE, but not Chrome


This topic is locked. 14 replies to this topic.

#1 kaseyfs

  • Members
  • 9 posts

Posted 27 September 2011 - 12:09 PM

2 days ago I noticed that Google searches were being redirected to other sites when I searched in IE or FF. I don't have the problem searching with Google in Chrome. I ran Malwarebytes and discovered 6 trojans, including the fsharproj trojan. 5 of the trojans were removed, but the fsharproj trojan keeps returning. Malwarebytes will identify it and remove it each time I run a scan, but the trojan keeps coming back. The specific path is always the same: HKEY_CLASSES_ROOT\.fsharproj (Trojan.BHO). My computer seems to be running a bit slower as well. Thank you so much for any help you can offer!

DDS Log:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Kasey at 11:44:22 on 2011-09-27
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2939.1412 [GMT -4:00]
.
AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
C:\Windows\system32\TODDSrv.exe
C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\CA\SharedComponents\TMEngine\UmxEngine.exe
C:\Windows\system32\WebUpdateSvc4.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\CA\CA Internet Security Suite\ccEvtMgr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Browny02\Brother\BrStMonW.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CA\CA Internet Security Suite\casc.exe
C:\Program Files\Toshiba\TOSCDSPD\TOSCDSPD.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\AccuWeather.com Stratus\AccuWeather.com Stratus.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Browny02\BrYNSvc.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\RoadRunner\SafeStorage\Online-Backup.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\explorer.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://mail.sbbcollege.edu/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.sbbcollege.edu%2fowa%2f
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local;<local>
uURLSearchHooks: H - No File
BHO: {01a9a0ab-83ed-4c6c-8e60-f5da51992999} - c:\users\kasey\appdata\local\TCPIPPTR.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: CA Anti-Phishing Toolbar Helper: {45011cf5-e4a9-4f13-9093-f30a784eb9b2} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: CA Anti-Phishing Toolbar: {0123b506-0ad9-43aa-b0cf-916c122ad4c5} - c:\program files\ca\ca internet security suite\ca anti-phishing\toolbar\caIEToolbar.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\TOSCDSPD.exe
uRun: [Messenger (Yahoo!)] "c:\progra~1\yahoo!\messen~1\YahooMessenger.exe" -quiet
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [Google Update] "c:\users\kasey\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\programdata\scansoft\paperport\11\config\ereg\Ereg.ini"
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [BrStsMon00] c:\program files\browny02\brother\BrStMonW.exe /AUTORUN
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TaskTray]
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRunOnce: [{1017A80C-6F09-4548-A84D-EDD6AC9525F0}] c:\windows\system32\cmd.exe /c rmdir /q /s "c:\program files\Lexmark Toolbar"
mRunOnce: [{10812DE7-2E57-4740-B226-6B3BE34AF9D7}] c:\windows\system32\cmd.exe /c rmdir /q /s "c:\program files\Lexmark Tools for Office"
StartupFolder: c:\users\kasey\appdata\roaming\micros~1\windows\startm~1\programs\startup\accuwe~1.lnk - c:\program files\accuweather.com stratus\AccuWeather.com Stratus.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\roadru~1.lnk - c:\windows\installer\{8c92f717-6af8-445c-a5ee-0570c864365e}\_4E67E20696D9AD37E90475.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: HideFastUserSwitching = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
TCP: Interfaces\{33A008A6-E696-464A-8C85-F41BB59A2309} : DhcpNameServer = 209.18.47.61 209.18.47.62
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: UmxSbxExw.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\kasey\appdata\roaming\mozilla\firefox\profiles\8gvls9h4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60531.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\kasey\appdata\local\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\users\kasey\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\kasey\appdata\roaming\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\users\kasey\appdata\roaming\move networks\plugins\npqmp071701000002.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
============= SERVICES / DRIVERS ===============
.
R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2011-5-10 164944]
R0 KmxFw;KmxFw;c:\windows\system32\drivers\KmxFw.sys [2011-4-24 107088]
R1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\drivers\jswpslwf.sys [2009-4-26 20384]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2011-3-23 83536]
R1 KmxFile;KmxFile;c:\windows\system32\drivers\KmxFile.sys [2011-3-23 63056]
R1 KmxFilter;HIPS Core Filter Driver;c:\windows\system32\drivers\KmxFilter.sys [2011-5-2 66128]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\caamsvc.exe [2011-9-26 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2011-9-26 222544]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2011-9-26 206160]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2008-4-17 40960]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 KmxCF;KmxCF;c:\windows\system32\drivers\KmxCF.sys [2011-5-12 152656]
R2 KmxSbx;KmxSbx;c:\windows\system32\drivers\KmxSbx.sys [2011-2-24 82000]
R2 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2008-9-30 46392]
R2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\toshiba\smartlogservice\TosIPCSrv.exe [2007-12-3 126976]
R2 UmxEngine;TM Engine;c:\program files\ca\sharedcomponents\tmengine\UmxEngine.exe [2011-4-4 662096]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-5-18 229856]
R3 BrYNSvc;BrYNSvc;c:\program files\browny02\BrYNSvc.exe [2011-5-23 245760]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2008-9-30 7168]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2011-5-12 331344]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\drivers\ATTchDrv.sys [2007-6-21 88064]
S3 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr.sys [2011-1-26 39272]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2011-5-13 1492840]
S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\jumpstart\jswpsapi.exe --> c:\program files\jumpstart\jswpsapi.exe [?]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-7-8 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [2010-7-8 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [2010-7-8 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [2010-7-8 176384]
S3 ovt530;Dual Mode USB Camera OV530;c:\windows\system32\drivers\ov530v.sys [2007-9-12 172544]
S3 SVRPEDRV;SVRPEDRV;c:\windows\system32\sysprep\PEDRV.SYS [2008-9-30 9216]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2011-09-27 15:32:08 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-09-27 14:00:28 -------- d-----w- c:\users\kasey\appdata\roaming\RoadRunner
2011-09-27 14:00:18 -------- d-----w- c:\program files\RoadRunner
2011-09-27 01:05:29 1422672 ----a-w- c:\windows\system32\cfgmig32.dll
2011-09-27 01:05:17 95568 ----a-w- c:\windows\system32\Vetredir.dll
2011-09-27 01:05:17 206160 ----a-w- c:\windows\system32\Isafprod.dll
2011-09-27 01:05:17 128336 ----a-w- c:\windows\system32\Isafeif.dll
2011-09-27 01:05:00 -------- d-----w- c:\program files\common files\Scanner
2011-09-27 01:04:40 2760720 ----a-w- c:\windows\system32\svcprs32.exe
2011-09-27 01:04:39 98320 ----a-w- c:\windows\system32\winsfinst.exe
2011-09-27 01:04:39 4108304 ----a-w- c:\windows\system32\win32cpr.dll
2011-09-27 01:04:39 1744912 ----a-w- c:\windows\system32\winsflt.dll
2011-09-27 01:04:38 3207184 ----a-w- c:\windows\system32\mdmcls32.exe
2011-09-27 01:04:34 2990096 ----a-w- c:\windows\system32\winsflte.dll
2011-09-27 01:04:27 7440 ----a-w- c:\windows\system32\sporder.dll
2011-09-27 01:04:27 -------- d-----w- c:\windows\rnapxs
2011-09-27 01:04:17 -------- d-----w- c:\program files\ISSThirdParty
2011-09-27 01:01:25 -------- d-----w- c:\program files\CA
2011-09-27 00:58:12 -------- d-----w- c:\programdata\CA
2011-09-26 23:09:39 -------- d-----w- c:\program files\ESET
2011-09-26 16:41:42 -------- d-----w- c:\users\kasey\appdata\local\{E18B385A-A5B3-40CF-BD17-0CA986D12CC5}
2011-09-26 16:41:21 -------- d-----w- c:\users\kasey\appdata\local\{B525EE4D-CC6E-421E-B5B6-0B43A242AED5}
2011-09-26 15:45:35 262656 ----a-w- c:\users\kasey\appdata\local\TCPIPPTR.dll
2011-09-26 15:13:58 0 ---ha-w- c:\windows\system32\sowknkkuax.tmp
2011-09-24 17:58:33 265728 ----a-w- c:\users\kasey\appdata\local\NetworkWin32.dll
2011-09-22 15:56:24 -------- d-----w- c:\users\kasey\appdata\local\{73895C39-8E21-4456-8917-18651892AEAA}
2011-09-22 15:56:13 -------- d-----w- c:\users\kasey\appdata\local\{09B0F5F1-8D92-490C-8C31-AED75B2E77BB}
2011-09-21 14:50:56 -------- d-----w- c:\users\kasey\appdata\local\{7604E5C8-838D-4EF8-A712-70C92042A71D}
2011-09-21 14:50:32 -------- d-----w- c:\users\kasey\appdata\local\{69A96329-A81E-463B-8051-A2FDF2986E87}
2011-09-20 17:33:04 -------- d-----w- c:\users\kasey\appdata\local\{6E2D4121-67BE-407F-9FEC-A8EE7AF86393}
2011-09-20 17:32:43 -------- d-----w- c:\users\kasey\appdata\local\{EF1BB260-EE8C-4E3C-9D04-4186DBCA457B}
2011-09-19 16:12:31 -------- d-----w- c:\users\kasey\appdata\local\{BACB6ED5-284F-44EE-B97A-CC1C5EE992B4}
2011-09-19 16:12:07 -------- d-----w- c:\users\kasey\appdata\local\{358D4DC1-1EB5-42CD-B5CD-DDFE1FF145BC}
2011-09-15 14:08:00 -------- d-----w- c:\users\kasey\appdata\local\{9815981F-09E9-40FC-B55F-9036B292700A}
2011-09-15 14:07:38 -------- d-----w- c:\users\kasey\appdata\local\{611AB914-8539-468C-990D-898E0E05EC88}
2011-09-15 01:32:36 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2011-09-14 11:45:40 -------- d-----w- c:\users\kasey\appdata\local\{FA66B173-72CE-425B-B0ED-4B99D0DE5738}
2011-09-13 15:40:54 -------- d-----w- c:\users\kasey\appdata\local\{59D84B45-7EFB-4081-B409-BF4E69BF07E6}
2011-09-13 15:40:43 -------- d-----w- c:\users\kasey\appdata\local\{4AFBD398-EE95-4D71-923A-85C66CAC1953}
2011-09-12 17:51:55 -------- d-----w- c:\users\kasey\appdata\local\{FAFB841D-797B-4AC4-9A15-D177FF15F532}
2011-09-12 17:51:34 -------- d-----w- c:\users\kasey\appdata\local\{0C723544-E2BE-4FE6-B489-618A931B8F75}
2011-09-09 16:10:40 -------- d-----w- c:\users\kasey\appdata\local\{C8B286B2-1F32-4BA5-90FF-2D6F59953DAE}
2011-09-09 16:10:19 -------- d-----w- c:\users\kasey\appdata\local\{34DE0F1C-9F58-42AA-9F6D-DC911B928254}
2011-09-09 15:56:34 7152464 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e2dda702-542e-42af-b7cd-a427194a5231}\mpengine.dll
2011-09-08 15:36:28 -------- d-----w- c:\users\kasey\appdata\local\{77B30186-992E-497D-89EC-FC254679326E}
2011-09-08 15:36:07 -------- d-----w- c:\users\kasey\appdata\local\{83075DCC-1A22-4352-B675-44F29C9F71A7}
2011-09-08 01:39:54 -------- d-----w- c:\users\kasey\appdata\local\{4DB8418B-CE2D-40E2-85EF-90BE7A0D7738}
2011-09-07 13:35:26 -------- d-----w- c:\users\kasey\appdata\local\{F8C734A8-446A-4AFA-839C-678AF18CF7BD}
2011-09-07 13:35:13 -------- d-----w- c:\users\kasey\appdata\local\{EA2781AE-3845-4BE9-ABA7-BC11C090C397}
2011-09-06 15:36:39 -------- d-----w- c:\users\kasey\appdata\local\{CE02EC88-F3A5-493B-B330-C1969D3FEE8E}
2011-09-06 15:36:18 -------- d-----w- c:\users\kasey\appdata\local\{64C05463-6F0D-4EF6-B034-D6F5BED59845}
2011-09-03 19:04:49 -------- d-----w- c:\programdata\TomTom
2011-09-03 19:01:47 -------- d-----w- c:\users\kasey\appdata\roaming\TomTom
2011-09-03 19:01:47 -------- d-----w- c:\users\kasey\appdata\local\TomTom
2011-09-02 20:03:11 -------- d-----w- c:\users\kasey\appdata\local\{C8FB4AAB-8171-4129-B634-AC615921A3D6}
2011-09-02 20:02:48 -------- d-----w- c:\users\kasey\appdata\local\{F1B54D4C-D629-448B-9B1B-64082C0CA347}
2011-09-01 18:08:03 -------- d-----w- c:\users\kasey\appdata\local\{B5648670-F001-4F95-9219-B6BE5F410932}
2011-09-01 18:07:41 -------- d-----w- c:\users\kasey\appdata\local\{3AEEB30F-9F47-4447-9A4D-F9490E364BEE}
2011-08-31 16:29:10 -------- d-----w- c:\users\kasey\appdata\local\{CEF4B682-3EF2-4F9C-B57A-A2B9A12E55AA}
2011-08-31 16:28:48 -------- d-----w- c:\users\kasey\appdata\local\{3E1E7F4E-ECBD-4A2F-8EE5-CBDEF1D0AB27}
2011-08-30 16:07:55 -------- d-----w- c:\users\kasey\appdata\local\{3AEA7294-6EF4-4550-BF9D-AA5C7D3A46E7}
2011-08-30 16:07:20 -------- d-----w- c:\users\kasey\appdata\local\{8E76C099-544B-4587-9802-CF07D0551B51}
2011-08-29 15:43:11 -------- d-----w- c:\users\kasey\appdata\local\{A340F5FA-FCEF-450A-B508-4EDA9F703269}
2011-08-29 15:42:49 -------- d-----w- c:\users\kasey\appdata\local\{A70930E9-5E87-4B57-A5DD-E881D33F59E6}
.
==================== Find3M ====================
.
2011-09-26 17:48:08 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-22 02:54:43 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48:26 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44:36 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25:35 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31:47 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
.
============= FINISH: 11:46:14.70 ===============
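As an added example (not from the post and not part of the DDS tool), here is a small Python triage of the DDS "Pseudo HJT Report" lines that surfaces the kinds of entry a helper reads first: an unnamed BHO loading a DLL from under the user profile (the TCPIPPTR.dll line above), orphaned "No File" CLSIDs, Run values with no command, and a populated AppInit_DLLs. The sample lines are constructed from the log above; the heuristics are review prompts rather than verdicts, since legitimate per-user software such as Google Update trips the same path check.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample (a handful of lines in the layout DDS prints), including the
# unnamed BHO from %LocalAppData% that this thread is about.
SAMPLE_LOG = r"""
BHO: {01a9a0ab-83ed-4c6c-8e60-f5da51992999} - c:\users\kasey\appdata\local\TCPIPPTR.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - No File
uRun: [Google Update] "c:\users\kasey\appdata\local\google\update\GoogleUpdate.exe" /c
mRun: [TaskTray]
AppInit_DLLs: UmxSbxExw.dll
LSP: c:\windows\system32\VetRedir.dll
"""

# BHO/TB/EB lines: optional friendly name, CLSID in braces, then a DLL path or "No File".
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB): (?:(?P<name>.+?): )?\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$"
)
# Run/RunOnce lines: [value name] followed by the command, which may be missing entirely.
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\](?: (?P<cmd>.*))?$")
# Locations a standard user can write to; a browser extension living there deserves a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


@dataclass
class Finding:
    line: str
    reasons: List[str]


def suspicious_path(path: str) -> bool:
    """True when the path points into a directory a non-admin user can write to."""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with one or more reasons, or None if the line looks unremarkable."""
    reasons: List[str] = []
    m = COM_RE.match(line)
    if m:
        if m["target"].strip() == "No File":
            reasons.append("orphan CLSID: registered extension whose DLL is gone")
        else:
            if not m["name"]:
                reasons.append("no friendly name for a loaded browser extension")
            if suspicious_path(m["target"]):
                reasons.append("extension DLL loads from a user-writable location")
        return Finding(line, reasons) if reasons else None
    m = RUN_RE.match(line)
    if m:
        if not m["cmd"]:
            reasons.append("Run value with no command (empty or orphaned entry)")
        elif suspicious_path(m["cmd"]):
            reasons.append("autostart runs from a user-writable location")
        return Finding(line, reasons) if reasons else None
    if line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs is set: DLL injected into every user32 process, verify vendor")
    return Finding(line, reasons) if reasons else None


def triage(report: str) -> List[Finding]:
    """Run triage_line over every non-empty line of a Pseudo HJT Report section."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        found = triage_line(line)
        if found:
            findings.append(found)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```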


#2 kaseyfs

  • Topic Starter
  • Members
  • 9 posts

Posted 27 September 2011 - 12:44 PM

I forgot to mention that I had been running Norton Antivirus and it expired about 2 weeks ago. After I ran Malwarebytes and it was not successful at removing the fsharproj trojan, I downloaded the CA Internet Security suite through Roadrunner and ran a scan that picked up quite a few more problems that it then fixed. But to install CA, it uninstalled Malwarebytes. Please let me know if I should reinstall Malwarebytes. Thanks!

#3 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 October 2011 - 09:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs and let me know what problem persists.

#4 kaseyfs

  • Topic Starter
  • Members
  • 9 posts

Posted 03 October 2011 - 08:06 AM

Thank you for your reply. I tried snoozing my CA Security program, but it kept restarting itself when I tried to run the ComboFix. I ended up uninstalling it just to get ComboFix to run. But then another problem arose. When I tried running ComboFix again, a warning box popped up stating that ComboFix has detected the following real time scanners to be active: antivirus: Norton 360 and antispyware: Norton 360.

It told me to disable these scanners before continuing. I uninstalled Norton 360 when it expired about 3 weeks ago. After getting the ComboFix warning, I looked in my program folders and couldn't find Norton 360. I did a search for Norton 360 and it didn't turn up in the search. Finally, I went to the add/install feature in my control panel and Norton 360 isn't there. If it is indeed still running on my computer, I can't find it to disable it.

Any suggestions? Thanks!

#5 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 October 2011 - 08:31 AM

Norton does not give up that easily.

Try the removal tool for your 360 program.

Download and run the Norton Removal Tool FOR YOUR CURRENT PROGRAM.
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2001092114452606&nsf=nav.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=

#6 kaseyfs

  • Topic Starter
  • Members
  • 9 posts

Posted 03 October 2011 - 08:52 AM

Thank you. I ran the removal tool for Norton 360 and it completed successfully. I restarted my computer, tried to run ComboFix, and got the exact same warning message that it still detects Norton 360 is running.

#7 nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2011 - 08:16 AM

Ignore the notice and continue to run ComboFix.

Post the log if you can.

#8 kaseyfs

  • Topic Starter
  • Members
  • 9 posts

Posted 04 October 2011 - 09:11 AM

Okay, I ignored the notice and ran ComboFix. Here is the log:

ComboFix 11-10-04.03 - Kasey 10/04/2011 9:27.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2939.1817 [GMT -4:00]
Running from: c:\users\Kasey\Desktop\ComboFix.exe
AV: Norton 360 *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
FW: Norton 360 *Enabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
SP: Norton 360 *Enabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Tarma Installer
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\_Setup.dll
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.dat
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.exe
c:\programdata\Tarma Installer\{889DF117-14D1-44EE-9F31-C5FB5D47F68B}\Setup.ico
c:\users\Kasey\AppData\Local\Apple\AppleUpdate\Appleupdt32.dll
c:\users\Kasey\AppData\Local\NetworkWin32.dll
c:\users\Kasey\AppData\Local\TCPIPPTR.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\srcr.dat
.
.
((((((((((((((((((((((((( Files Created from 2011-09-04 to 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 13:33 . 2011-10-04 13:33 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-27 15:32 . 2011-09-27 15:32 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-09-27 14:00 . 2011-09-27 14:00 -------- d-----w- c:\users\Kasey\AppData\Roaming\RoadRunner
2011-09-27 14:00 . 2011-09-27 14:00 -------- d-----w- c:\program files\RoadRunner
2011-09-27 01:05 . 2011-05-30 08:01 206160 ----a-w- c:\windows\system32\Isafprod.dll
2011-09-27 01:05 . 2011-05-30 08:01 95568 ----a-w- c:\windows\system32\Vetredir.dll
2011-09-27 01:05 . 2011-05-30 08:01 128336 ----a-w- c:\windows\system32\Isafeif.dll
2011-09-27 01:05 . 2011-09-27 01:05 -------- d-----w- c:\program files\Common Files\Scanner
2011-09-27 01:04 . 2011-10-03 12:45 -------- d-----w- c:\windows\rnapxs
2011-09-26 23:09 . 2011-09-26 23:09 -------- d-----w- c:\program files\ESET
2011-09-26 15:13 . 2011-09-26 15:13 0 ---ha-w- c:\windows\system32\sowknkkuax.tmp
2011-09-15 01:32 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-09-09 15:56 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2DDA702-542E-42AF-B7CD-A427194A5231}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 17:48 . 2011-05-17 18:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-16 16:01 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-22 02:54 . 2011-08-11 16:08 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-11 16:08 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-11 16:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25 . 2011-08-24 12:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31 . 2011-08-10 21:37 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-07 00:48 . 2011-03-25 10:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"NDSTray.exe"="NDSTray.exe" [BU]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Kasey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AccuWeather.lnk - c:\program files\AccuWeather.com Stratus\AccuWeather.com Stratus.exe [2010-2-28 95232]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Road Runner Safe Storage.lnk - c:\windows\Installer\{8C92F717-6AF8-445C-A5EE-0570C864365E}\_4E67E20696D9AD37E90475.exe [2011-9-27 3774]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^Kasey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 21:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4229604500-3487303875-4101604920-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchDrv.sys [2007-06-21 88064]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2010-07-08 20480]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [2010-07-08 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [2010-07-08 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [2010-07-08 176384]
R3 ovt530;Dual Mode USB Camera OV530;c:\windows\system32\Drivers\ov530v.sys [2007-09-12 172544]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-05-06 583360]
S2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-05-18 229856]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2010-01-25 245760]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-05-24 21:24]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229604500-3487303875-4101604920-1000Core.job
- c:\users\Kasey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-26 13:05]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229604500-3487303875-4101604920-1000UA.job
- c:\users\Kasey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-26 13:05]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.sbbcollege.edu/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.sbbcollege.edu%2fowa%2f
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Kasey\AppData\Roaming\Mozilla\Firefox\Profiles\8gvls9h4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{8bdea9d6-6f62-45eb-8ee9-8a81af0d2f94} - (no file)
HKCU-Run-TomTomHOME.exe - c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
HKLM-Run-TaskTray - (no file)
Notify-PFW - (no file)
MSConfigStartUp-Logitech Vid - c:\program files\Logitech\Logitech Vid\vid.exe
MSConfigStartUp-lxduamon - c:\program files\Lexmark 5600-6600 Series\lxduamon.exe
MSConfigStartUp-lxdumon - c:\program files\Lexmark 5600-6600 Series\lxdumon.exe
AddRemove-{889DF117-14D1-44EE-9F31-C5FB5D47F68B} - c:\progra~2\TARMAI~1\{889DF~1\Setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 09:33
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-04 09:36:23
ComboFix-quarantined-files.txt 2011-10-04 13:36
.
Pre-Run: 79,618,244,608 bytes free
Post-Run: 81,438,064,640 bytes free
.
- - End Of File - - 97054808AFA524EA797B191E11D394F2



I then ran the Security Check. Here is a copy of the log:

Results of screen317's Security Check version 0.99.20
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
ESET Online Scanner v3
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 26
Java™ 6 Update 6
Out of date Java installed!
Adobe Flash Player 10.3.183.10
Mozilla Firefox (6.0.2) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

RoadRunner SafeStorage Online-Backup.exe
``````````End of Log````````````


Thank you for your assistance. After running the scans, I tested Google searches in IE and FF and was NOT redirected! Yay!

#9 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2011 - 10:12 AM

Open notepad and copy/paste the text in the quote box below into it:

SecCenter::
{88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
{B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
{33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
Norton 360


Save this as CFScript on your desktop.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java SE Runtime Environment 6 Update 27.
  • In the box labeled "Java Platform, Standard Edition", click the "Download JRE" button to the right.
  • In the Window that opens, select Windows (or Windows x64), and check the "agree" box and click "Continue".
  • Click on the link to download Windows Offline Installation and save to your Desktop.
  • Then from your Desktop double-click on jre-6u27-windows-i586.exe that you have downloaded to install the newest version.

    For the x64-bit version, download this one: jre-6u27-windows-x64.exe. Make sure you download the correct version.

    - Note: If you are running Vista or Windows 7, you may need to right-click on the installation file and select Run as Administrator.

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 26
Java™ 6 Update 6

===

Reinstall your CA Security program.

Post the ComboFix log and let me know if the problem persists.
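
As an added example (not from nasdaq's post, ComboFix or CA), the following PowerShell script audits what the SecCenter:: section above clears by hand: it lists the products registered with Windows Security Center, flags registrations whose signed product executable no longer exists on disk (the orphans a GUID-based SecCenter:: entry targets), and reports the two conditions the Security Check log flagged, the Security Center service (wscsvc) not running and UAC (EnableLUA) disabled. It assumes an elevated PowerShell prompt on Vista or later; the productState bit decoding in the comments is the commonly used interpretation and is not documented by the thread.

```powershell
# Added example, not part of the original thread.
# Uses Get-WmiObject instead of Get-CimInstance so it also runs on the
# PowerShell 2.0 that ships for the Vista machine discussed above.
# Run from an elevated PowerShell prompt.

$ns = 'root\SecurityCenter2'   # Vista and later; XP used root\SecurityCenter

function Get-SecurityCenterProducts {
    # Each class holds one instance per registered AV / firewall / antispyware product.
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct', 'AntiSpywareProduct') {
        $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
        foreach ($p in $items) {
            $exe = $p.pathToSignedProductExe
            if ([string]::IsNullOrEmpty($exe)) {
                $stale = $true
            } elseif ($exe -match '^[A-Za-z][A-Za-z0-9+.-]*://') {
                # URI-style registrations (e.g. Windows Defender) are not file paths;
                # do not treat them as orphans.
                $stale = $false
            } else {
                # A registration whose product executable is gone is the kind of
                # orphan an AV uninstall leaves behind.
                $stale = -not (Test-Path -LiteralPath $exe)
            }
            $state = [int]$p.productState
            New-Object PSObject -Property @{
                Class        = $class
                DisplayName  = $p.displayName
                InstanceGuid = $p.instanceGuid
                ProductExe   = $exe
                ProductState = ('0x{0:X6}' -f $state)
                # Commonly used decoding (assumption): bit 0x1000 = product enabled,
                # bit 0x10 = definitions out of date.
                Enabled      = (($state -band 0x1000) -ne 0)
                OutOfDate    = (($state -band 0x10)   -ne 0)
                Stale        = $stale
            }
        }
    }
}

function Get-SecurityCenterServiceState {
    # The Security Check log reported "Windows Security Center service is not running!"
    $svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
}

function Get-UacState {
    # The ComboFix log showed "EnableLUA"= 0 under the policies\system key.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($v -eq 1) { 'Enabled' } elseif ($v -eq 0) { 'Disabled' } else { 'Unknown' }
}

$products = @(Get-SecurityCenterProducts)
$products |
    Format-Table Class, DisplayName, InstanceGuid, ProductState, Enabled, OutOfDate, Stale -AutoSize

"Security Center service (wscsvc): {0}" -f (Get-SecurityCenterServiceState)
"UAC (EnableLUA):                  {0}" -f (Get-UacState)

$orphans = @($products | Where-Object { $_.Stale })
if ($orphans.Count -gt 0) {
    ""
    "Stale registrations (product executable missing); these are the GUIDs a"
    "CFScript SecCenter:: section would list for removal:"
    $orphans | ForEach-Object { "  {0}  {1}" -f $_.InstanceGuid, $_.DisplayName }
}
```

If the wscsvc service is stopped, the WMI queries return nothing at all, so start the service first if the product table comes back empty on a machine that clearly has an AV installed.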

#10 kaseyfs

kaseyfs
  • Topic Starter

  • Members
  • 9 posts

Posted 04 October 2011 - 10:49 AM

I copied & pasted the script into notepad, saved it, dragged it to ComboFix, and ran it again. I saved the log. However, now I can't get online at all through IE, FF, or Chrome. I get an error message "Illegal operation attempted on a registry key that has been marked for deletion". I had to send this reply through my cell phone. Please help!!!

#11 kaseyfs

kaseyfs
  • Topic Starter

  • Members
  • 9 posts

Posted 04 October 2011 - 10:54 AM

Now that I've checked further, I can't open ANYTHING. No files, no programs, nothing. I get the same error message with everything I click on.

#12 kaseyfs

kaseyfs
  • Topic Starter

  • Members
  • 9 posts

Posted 04 October 2011 - 11:50 AM

I restarted my computer and now I am able to click on files, folders, and apps, and I can now get online again. Whew.

Here is a log of the ComboFix after running your CF Script:


ComboFix 11-10-04.04 - Kasey 10/04/2011 11:20:59.2.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.2939.1713 [GMT -4:00]
Running from: c:\users\Kasey\Desktop\ComboFix.exe
Command switches used :: c:\users\Kasey\Desktop\CFScript.txt
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-09-04 to 2011-10-04 )))))))))))))))))))))))))))))))
.
.
2011-10-04 15:25 . 2011-10-04 15:25 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-09-27 15:32 . 2011-09-27 15:32 -------- d-----w- c:\windows\system32\CatRoot_bak
2011-09-27 14:00 . 2011-09-27 14:00 -------- d-----w- c:\users\Kasey\AppData\Roaming\RoadRunner
2011-09-27 14:00 . 2011-09-27 14:00 -------- d-----w- c:\program files\RoadRunner
2011-09-27 01:05 . 2011-05-30 08:01 206160 ----a-w- c:\windows\system32\Isafprod.dll
2011-09-27 01:05 . 2011-05-30 08:01 95568 ----a-w- c:\windows\system32\Vetredir.dll
2011-09-27 01:05 . 2011-05-30 08:01 128336 ----a-w- c:\windows\system32\Isafeif.dll
2011-09-27 01:05 . 2011-09-27 01:05 -------- d-----w- c:\program files\Common Files\Scanner
2011-09-27 01:04 . 2011-10-03 12:45 -------- d-----w- c:\windows\rnapxs
2011-09-26 23:09 . 2011-09-26 23:09 -------- d-----w- c:\program files\ESET
2011-09-26 15:13 . 2011-09-26 15:13 0 ---ha-w- c:\windows\system32\sowknkkuax.tmp
2011-09-15 01:32 . 2011-08-10 12:14 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-09-09 15:56 . 2011-08-12 02:44 7152464 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E2DDA702-542E-42AF-B7CD-A427194A5231}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-26 17:48 . 2011-05-17 18:12 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-08-16 16:01 . 2010-06-24 16:33 18328 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2011-07-22 02:54 . 2011-08-11 16:08 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-07-22 02:48 . 2011-08-11 16:08 1126912 ----a-w- c:\windows\system32\wininet.dll
2011-07-22 02:44 . 2011-08-11 16:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-07-11 13:25 . 2011-08-24 12:26 2048 ----a-w- c:\windows\system32\tzres.dll
2011-07-06 15:31 . 2011-08-10 21:37 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-09-07 00:48 . 2011-03-25 10:39 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe" [2008-04-24 430080]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-02-06 431456]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-02 505720]
"RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
"NDSTray.exe"="NDSTray.exe" [BU]
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-06-01 1468296]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-16 178712]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2008-07-10 29984]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2008-07-10 46368]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-08-31 328992]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"BrStsMon00"="c:\program files\Browny02\Brother\BrStMonW.exe" [2010-02-09 2621440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
.
c:\users\Kasey\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
AccuWeather.lnk - c:\program files\AccuWeather.com Stratus\AccuWeather.com Stratus.exe [2010-2-28 95232]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Road Runner Safe Storage.lnk - c:\windows\Installer\{8C92F717-6AF8-445C-A5EE-0570C864365E}\_4E67E20696D9AD37E90475.exe [2011-9-27 3774]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)
.
[HKLM\~\startupfolder\C:^Users^Kasey^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2008-10-15 02:38 623992 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-06-07 21:51 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-05-13 21:57 26192168 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-4229604500-3487303875-4101604920-1000]
"EnableNotificationsRef"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 FLMckUsb;AuthenTec TruePrint USB Driver for AES 3400, 3500, and 4000 Fingerprint Sensors;c:\windows\system32\DRIVERS\ATTchDrv.sys [2007-06-21 88064]
R3 IO_Memory;IO_Memory;c:\windows\SYSTEM32\SYSPREP\Drivers\ioport.sys [x]
R3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\Jumpstart\jswpsapi.exe [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2010-07-08 20480]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [2010-07-08 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [2010-07-08 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [2010-07-08 176384]
R3 ovt530;Dual Mode USB Camera OV530;c:\windows\system32\Drivers\ov530v.sys [2007-09-12 172544]
R3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDrv.sys [2008-01-18 9216]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 jswpslwf;JumpStart Wireless Filter Driver;c:\windows\system32\DRIVERS\jswpslwf.sys [2008-04-28 20384]
S2 ConfigFree Service;ConfigFree Service;c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe [2008-04-17 40960]
S2 TMachInfo;TMachInfo;c:\program files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe [2008-08-04 46392]
S2 TOSHIBA SMART Log Service;TOSHIBA SMART Log Service;c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe [2007-12-04 126976]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2010-05-06 583360]
S2 WebUpdate4;Web Update Wizard Service V4;c:\windows\system32\WebUpdateSvc4.exe [2007-05-18 229856]
S3 BrYNSvc;BrYNSvc;c:\program files\Browny02\BrYNSvc.exe [2010-01-25 245760]
S3 FwLnk;FwLnk Driver;c:\windows\system32\DRIVERS\FwLnk.sys [2006-11-20 7168]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-10-04 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2011-05-24 21:24]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229604500-3487303875-4101604920-1000Core.job
- c:\users\Kasey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-26 13:05]
.
2011-10-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4229604500-3487303875-4101604920-1000UA.job
- c:\users\Kasey\AppData\Local\Google\Update\GoogleUpdate.exe [2011-04-26 13:05]
.
.
------- Supplementary Scan -------
.
uStart Page = https://mail.sbbcollege.edu/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fmail.sbbcollege.edu%2fowa%2f
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSHB&bmod=TSHB
uInternet Settings,ProxyOverride = *.local;<local>
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 209.18.47.61 209.18.47.62
FF - ProfilePath - c:\users\Kasey\AppData\Roaming\Mozilla\Firefox\Profiles\8gvls9h4.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - user.js: yahoo.homepage.dontask - true);user_pref(yahoo.ytff.general.dontshowhpoffer, true
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-04 11:26
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TOSCDSPD = c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe?/i??????g?R,$??h?????????????????
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-10-04 11:28:10
ComboFix-quarantined-files.txt 2011-10-04 15:28
ComboFix2.txt 2011-10-04 13:36
.
Pre-Run: 81,467,846,656 bytes free
Post-Run: 81,426,432,000 bytes free
.
- - End Of File - - DF4EFA49B3E544BABA4E38007F3C54C6


I also downloaded and installed Java SE Runtime Environment 6 Update 27 and uninstalled Java 6 Update 6 using Add/Remove programs in the control panel. Java 6 Update 26 did not appear in the list of programs for me to uninstall. (I noticed on the Java website that Java 7 is now available. Should I install that latest version?)

I am having problems reinstalling my CA Security suite because it says it is missing a token ID.

Thank you for your continued help.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2011 - 01:12 PM

(I noticed on the Java website that Java 7 is now available. Should I install that latest version?)

No! It's for developers.


I am having problems reinstalling my CA Security suite because it says it is missing a token ID.

Can this help?

http://cainternetsecurity.net/KB/KD.aspx?KDId=1138
P.S. Download the fresh CA application from the same location you did the last time, unless it was an unknown site and the file could be corrupted.

When all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used to clean this computer.

Surf Safely, and Think Prevention!
===

#14 kaseyfs

kaseyfs
  • Topic Starter

  • Members
  • 9 posts

Posted 05 October 2011 - 03:10 PM

Thank you so much for your help! I was able to re-download the CA Security suite from my ISP and install it. I ran a full scan and it picked up 4 high-risk malware apps. I deleted those and all seems to be running fine now. No more redirects. I appreciate your time and assistance!

#15 nasdaq

nasdaq

  • Malware Response Team
  • 38,770 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 October 2011 - 01:11 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
