Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Google Redirect

  • This topic is locked This topic is locked
7 replies to this topic

#1 greenpineapple


  • Members
  • 4 posts
  • Local time:04:12 PM

Posted 15 February 2012 - 01:28 PM


I'm running windows 7 (64 bit) home premium. I started having google redirect problems on firefox. I switched to chrome and started having the same problems.

I use F-Secure. It didn't pick anything up.

I checked the host file, and per some online instructions - it looked normal. I checked to make sure my DNS settings were correct (they were).

I ran combofix. It didn't make any difference, so I loaded a system backup. (Redirect still there after loading backup - even though I hadn't had this problem at time of backup.)

I read somewhere that disabling java would stop it. It did, but of course I couldn't use like 90% of the internet. So I updated java. Didn't make a difference.

I ran regsofts registry repair. (I realized this probably wouldn't do anything, but I was desperate.)

And lastly, I installed hijackthis and ran it, but didn't change anything. That's what brought me here.

(Also- on a side note that may or may not be related: I am unable to update windows. I ran the windows tool that's supposed to fix updater problems and it didn't make a difference. I also turned off f-secure while doing it, and still no difference.)

I'll appreciate any help. Thanks in advance!

GMER program is not letting me select all of the needed options. See image: http://i43.tinypic.com/2up4eqg.jpg

DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31
Run by lesliedawn at 10:42:59 on 2012-02-15
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3037.1065 [GMT -8:00]
AV: F-Secure PC Protection Plus 9.01 *Enabled/Updated* {15414183-282E-D62C-CA37-EF24860A2F17}
SP: F-Secure PC Protection Plus 9.01 *Enabled/Updated* {AE20A067-0E14-D9A2-F087-D456FD8D65AA}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: F-Secure PC Protection Plus 9.01 *Enabled* {2D7AC0A6-6241-D774-E168-461178D9686C}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\ASUS\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\fsgk32st.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSMA32.EXE
C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\FSGK32.EXE
C:\Windows\system32\svchost.exe -k imgsvc
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSHDLL32.EXE
C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSHDLL64.EXE
C:\Program Files (x86)\ASUS\ASUS CopyProtect\aspg.exe
C:\Program Files (x86)\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files (x86)\ASUS\Wireless Console 3\wcourier.exe
C:\Program Files (x86)\ASUS\ControlDeck\ControlDeckStartUp.exe
C:\Program Files (x86)\ASUS\ASUS Live Update\ALU.exe
c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\ASUS\Splendid\ACMON.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\HControl.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\Atouch64.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\FWES\Program\fsdfwd.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\ORSP Client\fsorsp.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\fssm32.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\ASUS\ATK Hotkey\ATKOSD.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\KBFiltr.exe
C:\Program Files (x86)\ASUS\ATK Hotkey\WDC.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSM32.EXE
C:\Program Files\SRS Labs\SRS Premium Sound Control Panel\SRSPremiumPanel_64.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Spam Control\fsscoepl_x64.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\fsav32.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Program Files (x86)\ASUS\ASUS Data Security Manager\ADSMSrv.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
============== Pseudo HJT Report ===============
mWinlogon: Userinit=userinit.exe
BHO: ALOT Toolbar Helper: {14ceeaff-96dd-4101-ae37-d5ecdc23c3f6} - C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Browsing Protection Class: {c6867eb7-8350-4856-877f-93cf8ae3dc9c} - C:\Program Files (x86)\F-Secure PC Protection Plus\NRS\iescript\baselitmus.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - C:\Program Files (x86)\alot\bin\alot.dll
TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - C:\Program Files (x86)\F-Secure PC Protection Plus\NRS\iescript\baselitmus.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
mRun: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a
mRun: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [F-Secure Manager] "C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSM32.EXE" /splash
mRun: [F-Secure TNB] "C:\Program Files (x86)\F-Secure PC Protection Plus\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\LESLIE~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\MRI_DI~1\BESTBU~1.LNK - C:\Program Files (x86)\Best Buy Software Installer\Best Buy Software Installer.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\FANCYS~1.LNK - C:\Windows\Installer\{2B81872B-A054-48DA-BE3B-FA5C164C303A}\_C4A2FC3E3722966204FDD8.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\SRSPRE~1.LNK - C:\Windows\Installer\{E5CF6B9C-3ABE-43C9-9413-AD5FFC98F049}\NewShortcut5_21C7B668029A47458B27645FE6E4A715.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - C:\Windows\system32\GPhotos.scr/200
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
LSP: C:\Program Files (x86)\F-Secure PC Protection Plus\FSPS\program\FSLSP.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer =
TCP: Interfaces\{02FEF28C-7316-46F9-8131-5EF761D1DE74} : DhcpNameServer =
TCP: Interfaces\{1C483BF4-C157-4190-B1BD-CD82F8F233A8} : DhcpNameServer =
TCP: Interfaces\{3C65C595-8402-41EE-A1B0-49DD23453084} : DhcpNameServer =
TCP: Interfaces\{3C65C595-8402-41EE-A1B0-49DD23453084}\05567616375737020596A7A716 : DhcpNameServer =
TCP: Interfaces\{3C65C595-8402-41EE-A1B0-49DD23453084}\354727963647C69702F4277616E696360223 : DhcpNameServer =
TCP: Interfaces\{3C65C595-8402-41EE-A1B0-49DD23453084}\455616D67427160756140756 : DhcpNameServer =
TCP: Interfaces\{482CD9C0-3645-401C-B6DF-BEFC60323406} : DhcpNameServer =
mASetup: {44BBA844-CC51-11CF-AAFA-00AA00B6015C} - rundll32.exe advpack.dll,LaunchINFSection C:\Windows\INF\CChat25.inf,PerUserAdd.NT
BHO-X64: ALOT Toolbar Helper: {14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6} - C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll
BHO-X64: ALOT Toolbar Helper - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Browsing Protection Class: {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files (x86)\F-Secure PC Protection Plus\NRS\iescript\baselitmus.dll
BHO-X64: LitmusBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: ALOT Toolbar: {5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} - C:\Program Files (x86)\alot\bin\alot.dll
TB-X64: Browsing Protection Toolbar: {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files (x86)\F-Secure PC Protection Plus\NRS\iescript\baselitmus.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [AT&T Communication Manager] "C:\Program Files (x86)\AT&T\Communication Manager\ATTCM.exe" -a
mRun-x64: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [F-Secure Manager] "C:\Program Files (x86)\F-Secure PC Protection Plus\Common\FSM32.EXE" /splash
mRun-x64: [F-Secure TNB] "C:\Program Files (x86)\F-Secure PC Protection Plus\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
================= FIREFOX ===================
FF - ProfilePath - C:\Users\lesliedawn\AppData\Roaming\Mozilla\Firefox\Profiles\8oeq32p2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Microsoft\Office Live\npOLW.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
============= SERVICES / DRIVERS ===============
R0 lullaby;lullaby;C:\Windows\system32\DRIVERS\lullaby.sys --> C:\Windows\system32\DRIVERS\lullaby.sys [?]
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 F-Secure HIPS;F-Secure HIPS Driver;C:\Program Files (x86)\F-Secure PC Protection Plus\HIPS\drivers\fshs.sys [2012-2-8 57920]
R1 FSES;F-Secure Email Scanning Driver;C:\Windows\system32\drivers\fses.sys --> C:\Windows\system32\drivers\fses.sys [?]
R1 FSFW;F-Secure Firewall Driver;C:\Windows\system32\drivers\fsdfw.sys --> C:\Windows\system32\drivers\fsdfw.sys [?]
R1 fsvista;F-Secure Vista Support Driver;C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\minifilter\fsvista.sys [2012-2-8 14904]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AFBAgent;AFBAgent;"C:\Windows\system32\FBAgent.exe" --> C:\Windows\system32\FBAgent.exe [?]
R2 ASMMAP64;ASMMAP64;C:\Program Files\ATKGFNEX\ASMMAP64.sys [2010-4-16 14904]
R2 F-Secure Gatekeeper Handler Starter;FSGKHS;C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\fsgk32st.exe [2012-2-8 215648]
R3 ETD;ELAN PS/2 Port Input Device;C:\Windows\system32\DRIVERS\ETD.sys --> C:\Windows\system32\DRIVERS\ETD.sys [?]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\minifilter\fsgk.sys [2012-2-8 198808]
R3 FSORSPClient;F-Secure ORSP Client;C:\Program Files (x86)\F-Secure PC Protection Plus\ORSP Client\fsorsp.exe [2012-2-8 61088]
R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;C:\Windows\system32\drivers\viahduaa.sys --> C:\Windows\system32\drivers\viahduaa.sys [?]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;C:\Windows\system32\DRIVERS\vwifimp.sys --> C:\Windows\system32\DRIVERS\vwifimp.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
S3 AmUStor;AM USB Stroage Driver;C:\Windows\system32\drivers\AmUStor.SYS --> C:\Windows\system32\drivers\AmUStor.SYS [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;C:\Program Files (x86)\AT&T\Communication Manager\RcAppSvc.exe [2010-1-25 121416]
S3 BVRPMPR5a64;BVRPMPR5a64 NDIS Protocol Driver;\??\C:\Windows\system32\drivers\BVRPMPR5a64.SYS --> C:\Windows\system32\drivers\BVRPMPR5a64.SYS [?]
S3 CAATT;AT&T Con App Svc;C:\Program Files (x86)\AT&T\Communication Manager\ConAppsSvc.exe [2010-1-25 125512]
S3 cdc_ecm;LGE WirelessSA USB NDIS REVD Device Driver;C:\Windows\system32\DRIVERS\cdc_ecm.sys --> C:\Windows\system32\DRIVERS\cdc_ecm.sys [?]
S3 fssfltr;fssfltr;C:\Windows\system32\DRIVERS\fssfltr.sys --> C:\Windows\system32\DRIVERS\fssfltr.sys [?]
S3 fsssvc;Windows Live Family Safety;C:\Program Files (x86)\Windows Live\Family Safety\fsssvc.exe [2008-12-8 533344]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2010-12-26 136176]
S3 lgcpo;LGE Configuration Policy Owner Service Install;C:\Windows\system32\DRIVERS\lgcpo.sys --> C:\Windows\system32\DRIVERS\lgcpo.sys [?]
S3 PCTINDIS5X64;PCTINDIS5X64 NDIS Protocol Driver;\??\C:\Windows\system32\PCTINDIS5X64.SYS --> C:\Windows\system32\PCTINDIS5X64.SYS [?]
S3 SiSGbeLH;SiS191/SiS190 Ethernet Device NDIS 6.0 Driver;C:\Windows\system32\DRIVERS\SiSG664.sys --> C:\Windows\system32\DRIVERS\SiSG664.sys [?]
S3 UsbSADDiag;LGE WirelessSA USB Serial01 REVD Device;C:\Windows\system32\DRIVERS\lgusbd64diag.sys --> C:\Windows\system32\DRIVERS\lgusbd64diag.sys [?]
S3 USBSADModem;LGE WirelessSA USB REVD Modem;C:\Windows\system32\DRIVERS\lgusbd64modem.sys --> C:\Windows\system32\DRIVERS\lgusbd64modem.sys [?]
S3 UsbSADObex;LGE WirelessSA USB Serial02 REVD Device;C:\Windows\system32\DRIVERS\lgusbd64obex.sys --> C:\Windows\system32\DRIVERS\lgusbd64obex.sys [?]
S3 USBSANDIS;LGE WirelessSA USB NDIS Device Enumerator REVD Service;C:\Windows\system32\DRIVERS\dc_enum.sys --> C:\Windows\system32\DRIVERS\dc_enum.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\win2k\fsfilter.sys [2012-2-8 39776]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files (x86)\F-Secure PC Protection Plus\Anti-Virus\win2k\fsrec.sys [2012-2-8 25184]
=============== Created Last 30 ================
2012-02-15 17:45:19 388096 ----a-r- C:\Users\lesliedawn\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-02-15 17:45:19 -------- d-----w- C:\Program Files (x86)\Trend Micro
2012-02-15 08:34:41 8602168 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{54B15A1F-19F4-4CB4-9D30-E91752D7C93C}\mpengine.dll
2012-02-15 06:37:27 -------- d-----w- C:\ComboFix
2012-02-08 23:28:29 42672 ----a-w- C:\Windows\SysWow64\drivers\fsbts.sys
2012-02-08 23:27:30 45624 ----a-w- C:\Windows\System32\drivers\fses.sys
2012-02-08 23:27:28 94280 ----a-w- C:\Windows\System32\drivers\fsdfw.sys
2012-02-08 23:26:10 -------- d-----w- C:\Program Files (x86)\F-Secure PC Protection Plus
2012-02-08 23:25:08 -------- d-----w- C:\ProgramData\fssg
2012-02-08 23:23:51 -------- d-----w- C:\ProgramData\f-secure
2012-02-08 17:03:10 -------- d-----w- C:\Windows\System32\SPReview
2012-02-08 13:23:30 -------- d-----w- C:\Windows\CheckSur
==================== Find3M ====================
2012-02-15 16:40:33 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-01-29 13:10:42 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-12 00:19:16 4448256 ----a-w- C:\Windows\SysWow64\GPhotos.scr
2011-11-24 05:00:47 3141632 ----a-w- C:\Windows\System32\win32k.sys
2011-11-19 15:07:41 77312 ----a-w- C:\Windows\System32\packager.dll
2011-11-19 14:06:13 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2009-04-08 17:31:56 106496 ----a-w- C:\Program Files (x86)\Common Files\CPInstallAction.dll
2008-08-12 04:45:20 155648 ----a-w- C:\Program Files (x86)\Common Files\MSIactionall.dll
============= FINISH: 10:52:03.63 ===============

Edited by greenpineapple, 15 February 2012 - 01:54 PM.

BC AdBot (Login to Remove)


#2 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:12 AM

Posted 15 February 2012 - 03:44 PM

Good evening. :)

As this issue can be caused by a number of nasties and/or variations it's a good idea to gather extra information before we start attacking things. Do you have access to a flashdrive of at least 128 Mb that you can wipe clean to use to house a couple of tools?

So long, and thanks for all the fish.



#3 greenpineapple

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:12 PM

Posted 15 February 2012 - 08:09 PM

Yes, I do!

#4 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:12 AM

Posted 16 February 2012 - 04:11 PM

Good evening. :)

Grand. Please read through all the instructions BEFORE you begin and ask any questions that you may have first. Be aware that an active infection may interfere with the first part of this procedure. If it doesn't go according to instructions, you may have to use a different PC to write the software to the flash drive.

  • Download both this file and this file and save them to your Desktop.
  • Insert your USB flash drive into your PC.
  • Click Start > My Computer, right click your flash drive's icon and select Format > Quick format - this will wipe the contents of the flash drive, so make sure there is nothing of value on there!
  • Double click unetbootin-xpud-windows-version number.exe that you just downloaded and OK any Security Warning that Windows may offer.
  • Select the Diskimage radio button and then click the browse button (the one with three dots on) located on the right side of the textbox field.
  • Browse to, and select, the xpud-0.9.2.iso file you downloaded above by double clicking it.
  • Verify the correct drive letter is selected for your USB device at the bottom and then click OK.
  • The program will install a little bootable OS onto your flash drive.
  • Once the files have been written to the drive you will be prompted to reboot - this isn't necessary, so just click Exit.
  • Next download http://noahdfear.net/downloads/driver.sh to your USB - directly or drag it there when it's downloaded.
  • Finally, for this part at least, download the following file: dumpit and save it to the flashdrive you've just played with.

The next part is somewhat tricky as it differs on different machines. If you are lucky, then the following will work - if it doesn't, let me know and we'll go for a different angle.
  • If it isn't already there, insert the flash drive into the sick PC and then reboot it.
  • You need to select the OS that is on the stick rather than let Windows take charge, so press F12 and choose to boot from the USB drive before Windows starts loading.
  • Follow the prompts and eventually a Welcome to xPUD screen will appear.
  • Click the File icon on the left.
  • Open the mnt folder by clicking it, just as you do in Windows.
  • You are going to identify the folder that represents to your flash drive.
  • sda1, sda2 etc... will usually be your hard drive(s); sdb1 is likely to be your flash drive.
  • Double click on the flash drive folder, locate the dumpit file you downloaded previously and double click it.
  • A black Terminal window should open and the text therein should contain the legend: Press Enter to exit: - please do so.
  • Make sure that you can still see the contents of the flashdrive folder and do the following:
  • Click Tool at the top.
  • Choose Open Terminal - this will open the Linux equivalent of a Command Window in all it's fashionable black livery.
  • Type bash driver.sh and then <ENTER>
  • You now get to sit and watch some text scroll down the Terminal window until it reports Done - which doesn't need any explanation, hopefully!
  • A report will be located on your flash drive called report.txt (an uninspired choice of name I know!), which is the purpose of this little adventure.
  • Click the Home icon on the left and Power off the machine
  • Remove the USB drive and insert back in your working computer and locate the folder mbr.zip that it should now contain.
  • Please attach this folder in your next reply, you will need to put it in a compressed/zipped folder, or let me know if you had any problems.

So long, and thanks for all the fish.



#5 greenpineapple

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:12 PM

Posted 16 February 2012 - 05:18 PM

Alright, I got up to the point of downloading the dumpit file and when I click that link I'm directed to a a page full of gibberish. Is it just me or is that link not working?

Again, thank you, thank you a thousand times thank you.

#6 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:12 AM

Posted 16 February 2012 - 07:28 PM

You were perhaps using IE, which doesn't play nicely with this sort of download - i've attached a copy that you can use instead.

So long, and thanks for all the fish.



#7 greenpineapple

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:12 PM

Posted 16 February 2012 - 10:46 PM

It was chrome. They must also do something weird. I'll let you know by tomorrow how this works out. :)

#8 Noviciate


  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:12:12 AM

Posted 24 February 2012 - 05:03 PM

Helpers are limited in the number of logs they can take by the time they have available and having threads sit idle means that somebody else who could be being helped has to wait.
Given that there has been no response for at least five days, and I have no way of knowing when there will be one, this thread is now closed.

So long, and thanks for all the fish.



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users