Google redirection after windows 7 home security infection!

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

Page 1 of 1

You cannot start a new topic
This topic is locked

Google redirection after windows 7 home security infection! How to freakin remove it!

#1 m.alkhalel

New Member

Group: Members
Posts: 2
Joined: 16-June 11

Posted 16 June 2011 - 05:49 PM

Hello all,
I've heard alot about this forum and wanted to give it a try and post my problem.

I've never intstalled any anti-virus or malware removal be4 (usually i remove them my own), until 2 days ago, i opened a web page and i got infected with the bloody Windows 7 Home Security, it took me more than an hour to "fully" remove it. ( no ati-virus/malware used so far)
after i was done .exe's started to work normally and the pop ups didnt reappear again.... so far so good.

i started up firefox and worked online without any problem for sometime. i closed it and opened it again and BOOM every time i google something it redirect me to another search engine called "gomeo"...
i closed firefox and removed the malware (gomeo) files. started firefox again and it seemed it works perfect...
in the next day i started up my laptop and it took TOO much time to start up (+40s) (usualy it takes less than 18s) and when i started firefox and used google, it redirected me again but this to another search engine and some times it redirected me to random web sites and thats when i installed Malwarebytes' Anti-Malware and did a full system scan and it found more than 30 infections and deleted them and the problem seemed to be solved...
BUT after sometime the problem reappeared again so i figured out that maybe theres some kind of a program installing these things so i installed NORTON 360 and did a FULL system scan it found many unwanted cookies and 2 trojans(crack softwares), i restarted windows and tried firefox again but the freaking malwares still there nothing changed it just dis- and re-appear... x(
I tried my already installed IE and google chrome and they r sick as well.
THIS IS DRIVING ME CRAZY......I NEED UR HELP!

EDIT: The problem with with redirecting is GONE now, all i had to do is delete some entries from the hosts file ( entries with random IP and google/yahoo/ping as a host ). But still the start up is much slower than be4...
_______________________________________________________________________________________________________________________________________

DDS (Ver_2011-06-12.02) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_23
Run by mo at 0:10:24 on 2011-06-17
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2815.1865 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\UnsignedThemesSvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\spoolsv.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\ccSvcHst.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\SmartCam\SmartCam.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uSearch Bar = Preserve
uInternet Settings,ProxyOverride = local
mSearchAssistant = hxxp://start.facemoods.com/?a=mtz&s={searchTerms}&f=4
mWinlogon: Userinit=userinit.exe,
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\IPSBHO.DLL
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: NuSphere ToolBar: {0f62d223-9206-4ea3-9ea8-d0f3c7c82aca} - C:\Program Files (x86)\NuSphere\PhpED\NuSphereIEBar.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\coIEPlg.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [<NO NAME>]
uRun: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-explorer: HideSCAHealth = 1 (0x1)
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E6BB2089-163F-466B-812A-748096614DFD} - hxxp://cainternetsecurity.net/scanner/cascanner.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{4AB6203D-8998-43BB-A14A-891A4EF466EB} : DhcpNameServer = 86.51.35.18 86.51.34.18
TCP: Interfaces\{52CBDD50-E886-41B4-BED3-E4D037925AA7} : NameServer = 141.30.29.1
TCP: Interfaces\{5D5F07C3-9DB6-40BE-8F88-B39FA66877D0} : NameServer = 94.252.191.130 94.252.191.131
TCP: Interfaces\{794F036E-4526-48D9-8010-5BC6A4F9DC22} : NameServer = 94.252.191.130 94.252.191.131
TCP: Interfaces\{AF82C09D-B172-4D96-97DA-B2B4E3CA291C} : NameServer = 141.30.29.1
TCP: Interfaces\{BB6F3B09-99F6-4B59-A563-7FA1CA618ED3} : DhcpNameServer = 192.168.2.1
TCP: Interfaces\{CF5C4B1E-FFDC-4905-A61F-BD6D1715FE1A} : NameServer = 94.252.191.130 94.252.191.131
TCP: Interfaces\{E07D4B43-9F78-448B-803F-263ABEA240EE} : NameServer = 94.252.191.130 94.252.191.131
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
BHO-X64: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO-X64: 0x1 - No File
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: NuSphere ToolBar: {0F62D223-9206-4EA3-9EA8-D0F3C7C82ACA} - C:\Program Files (x86)\NuSphere\PhpED\NuSphereIEBar.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton 360\Engine\4.0.0.127\coIEPlg.dll
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Hosts: 67.205.118.185 www.google.com
Hosts: 67.205.118.186 search.yahoo.com
Hosts: 67.205.118.186 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\mo\AppData\Roaming\Mozilla\Firefox\Profiles\k9aagomz.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=17770
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.questscan.com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.51204.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npclntax_ClickPotatoLiteSA.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Users\mo\AppData\Local\Google\Update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: C:\Users\mo\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll
FF - plugin: C:\Users\mo\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Users\mo\AppData\Roaming\Move Networks\plugins\npqmp071700000016.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
.
R0 BtHidBus;Bluetooth HID Bus Service;C:\Windows\system32\Drivers\BtHidBus.sys --> C:\Windows\system32\Drivers\BtHidBus.sys [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\BASHDefs\20110519.002\BHDrvx64.sys [2011-5-19 1143416]
R1 ccHP;Symantec Hash Provider;C:\Windows\system32\drivers\N360x64\0402000.00C\ccHPx64.sys --> C:\Windows\system32\drivers\N360x64\0402000.00C\ccHPx64.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_4.0.0.127\Definitions\IPSDefs\20110615.001\IDSviA64.sys [2011-6-16 488056]
R3 azvusb;Virtual USB Hub;C:\Windows\system32\DRIVERS\azvusb.sys --> C:\Windows\system32\DRIVERS\azvusb.sys [?]
R3 BTCOMBUS;Bluetooth Serial Port Bus Service;C:\Windows\system32\Drivers\btcombus.sys --> C:\Windows\system32\Drivers\btcombus.sys [?]
R3 btnetBUs;Bluetooth PAN Bus Service;C:\Windows\system32\Drivers\btnetBus.sys --> C:\Windows\system32\Drivers\btnetBus.sys [?]
S3 BTCOM;Bluetooth Serial port driver;C:\Windows\system32\DRIVERS\btcomport.sys --> C:\Windows\system32\DRIVERS\btcomport.sys [?]
S3 dgderdrv;dgderdrv;C:\Windows\system32\drivers\dgderdrv.sys --> C:\Windows\system32\drivers\dgderdrv.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;C:\Windows\system32\DRIVERS\ewusbnet.sys --> C:\Windows\system32\DRIVERS\ewusbnet.sys [?]
S3 hwusbdev;Huawei DataCard USB PNP Device;C:\Windows\system32\DRIVERS\ewusbdev.sys --> C:\Windows\system32\DRIVERS\ewusbdev.sys [?]
.
=============== Created Last 30 ================
.
2011-06-16 21:38:46 -------- d-----w- C:\Windows\SysWow64\Adobe
2011-06-16 18:06:15 451120 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\symtdiv.sys
2011-06-16 18:06:15 433200 ----a-r- C:\Windows\System32\drivers\N360x64\0402000.00C\symds64.sys
2011-06-16 18:06:15 221232 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\symefa64.sys
2011-06-16 18:06:14 615040 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\cchpx64.sys
2011-06-16 18:06:14 505392 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\srtsp64.sys
2011-06-16 18:06:14 32304 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\srtspx64.sys
2011-06-16 18:06:14 150064 ----a-w- C:\Windows\System32\drivers\N360x64\0402000.00C\ironx64.sys
2011-06-16 18:05:39 -------- d-----w- C:\Windows\System32\drivers\N360x64\0402000.00C
2011-06-16 17:51:42 34152 ----a-r- C:\Windows\System32\drivers\GEARAspiWDM.sys
2011-06-16 17:51:42 126312 ----a-r- C:\Windows\System32\GEARAspi64.dll
2011-06-16 17:51:42 107368 ----a-r- C:\Windows\SysWow64\GEARAspi.dll
2011-06-16 17:51:38 173104 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2011-06-16 17:51:29 -------- d-----w- C:\Program Files\Symantec
2011-06-16 17:51:29 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2011-06-16 17:50:52 504880 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\srtsp64.sys
2011-06-16 17:50:52 451120 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\symtdiv.sys
2011-06-16 17:50:52 433200 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\SymDS64.sys
2011-06-16 17:50:52 32304 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\srtspx64.sys
2011-06-16 17:50:52 221232 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\SymEFA64.sys
2011-06-16 17:50:52 148528 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\Ironx64.sys
2011-06-16 17:50:51 615040 ----a-r- C:\Windows\System32\drivers\N360x64\0400000.07F\cchpx64.sys
2011-06-16 17:50:21 -------- d-----w- C:\Windows\System32\drivers\N360x64\0400000.07F
2011-06-16 17:50:21 -------- d-----w- C:\Windows\System32\drivers\N360x64
2011-06-16 17:50:17 -------- d-----w- C:\Program Files (x86)\Norton 360
2011-06-16 17:50:03 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2011-06-16 07:36:36 12872 ----a-w- C:\Windows\System32\bootdelete.exe
2011-06-16 07:29:08 -------- d-----w- C:\Users\mo\AppData\Local\{E7B217C7-65AC-40C2-ABC9-3C4D6FC18694}
2011-06-16 07:24:53 20040 ----a-w- C:\Windows\System32\drivers\hitmanpro35.sys
2011-06-16 07:24:50 -------- d-----w- C:\Program Files\Hitman Pro 3.5
2011-06-16 07:24:28 -------- d-----w- C:\ProgramData\Hitman Pro
2011-06-15 21:04:01 -------- d-----w- C:\Users\mo\AppData\Local\{024E5B3C-C87A-4855-9A3B-63E007C3935E}
2011-06-15 20:54:14 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-06-15 20:54:14 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-06-14 21:34:20 -------- d-----w- C:\Users\mo\AppData\Local\{DDE2A191-EA24-43B7-B9E7-2863712C5786}
2011-06-14 19:22:25 -------- d-----w- C:\Users\mo\AppData\Roaming\Tific
2011-06-14 19:21:59 -------- d-----w- C:\Users\mo\AppData\Local\Symantec
2011-06-14 19:10:30 -------- d-----w- C:\Users\mo\AppData\Roaming\Malwarebytes
2011-06-14 19:10:00 38224 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-06-14 19:09:59 -------- d-----w- C:\ProgramData\Malwarebytes
2011-06-14 19:09:55 24152 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-06-14 19:09:55 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-06-14 17:53:52 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2011-06-14 17:49:13 -------- d-----w- C:\ProgramData\Norton
2011-06-14 17:36:53 -------- d-----w- C:\ProgramData\NortonInstaller
2011-06-14 17:30:04 16384 --sha-w- C:\Users\mo\AppData\Local\cleanddm.dll
2011-06-13 10:34:26 -------- d-----w- C:\Users\mo\AppData\Local\{43C2F6CB-5D0F-4545-8DBF-8FFF2B727E42}
2011-06-11 13:08:34 -------- d-----w- C:\Program Files (x86)\GnuWin32
2011-06-11 11:22:20 -------- d-----w- C:\Users\mo\AppData\Local\{00147343-76DB-4D09-8B99-6A4CBDA9F5FA}
2011-06-07 14:49:39 1816 ----a-w- C:\Windows\System32\ASOROSet.bin
2011-06-07 14:46:00 -------- d-----w- C:\Program Files (x86)\WinPcap
2011-06-07 14:42:33 -------- d-----w- C:\Users\mo\AppData\Roaming\Thinstall
2011-06-07 14:42:33 -------- d-----w- C:\Users\mo\AppData\Local\Thinstall
2011-06-07 14:37:56 431936 ----a-w- C:\Windows\SysWow64\msvcp100.dll
2011-06-07 14:27:49 17128 ----a-w- C:\Windows\System32\roboot64.exe
2011-06-06 19:19:44 -------- d-----w- C:\Program Files (x86)\NetRatingsNetSight
2011-06-06 10:55:30 183696 ----a-w- C:\Program Files (x86)\Mozilla Firefox\plugins\nppdf32.dll
2011-06-06 10:55:30 183696 ----a-w- C:\Program Files (x86)\Internet Explorer\Plugins\nppdf32.dll
2011-06-05 20:17:58 -------- d-----w- C:\Users\mo\AppData\Local\{6578A933-295D-44C5-B076-6599C96C5CBA}
2011-06-04 21:02:44 -------- d-----w- C:\Users\mo\AppData\Roaming\IMVU
2011-06-02 05:40:40 389120 ----a-w- C:\Windows\SysWow64\actskn43.ocx
2011-06-02 05:40:40 -------- d-----w- C:\Program Files (x86)\netcut
2011-06-02 05:40:30 -------- d-----w- C:\Users\mo\AppData\Local\_Rar$EX00.752
2011-06-01 16:47:47 -------- d-----w- C:\Users\mo\AppData\Local\{425B54BF-5A9B-4D2A-8903-AA73E0F2AA99}
2011-05-30 13:17:49 -------- d-----w- C:\Users\mo\AppData\Local\{2DF0434A-4DD8-4E1E-8DC4-EB19D32F2020}
2011-05-29 22:26:37 -------- d-----w- C:\Windows\System32\SPReview
2011-05-29 22:24:43 -------- d-----w- C:\Windows\System32\EventProviders
2011-05-29 22:20:59 3205120 ----a-w- C:\Windows\System32\mmcndmgr.dll
2011-05-29 22:19:59 341504 ----a-w- C:\Windows\SysWow64\msdrm.dll
2011-05-29 22:18:56 625664 ----a-w- C:\Windows\System32\usercpl.dll
2011-05-29 22:17:59 60928 ----a-w- C:\Program Files\Windows Defender\MsMpCom.dll
2011-05-29 22:14:33 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-05-29 22:14:33 524288 ----a-w- C:\Windows\System32\wmicmiplugin.dll
2011-05-29 22:14:33 1225216 ----a-w- C:\Windows\System32\wbem\wbemcore.dll
2011-05-29 22:14:26 933376 ----a-w- C:\Windows\System32\SmiEngine.dll
2011-05-29 22:14:21 199168 ----a-w- C:\Windows\System32\PkgMgr.exe
2011-05-29 22:13:42 422912 ----a-w- C:\Windows\System32\drvstore.dll
2011-05-29 22:13:41 399872 ----a-w- C:\Windows\System32\dpx.dll
2011-05-29 18:19:56 -------- d-----w- C:\Users\mo\AppData\Roaming\go
2011-05-29 18:19:55 -------- d-----w- C:\ProgramData\Easybits GO
2011-05-29 15:17:08 -------- d-----w- C:\Users\mo\AppData\Roaming\TS3Client
2011-05-29 15:16:46 -------- d-----w- C:\Program Files (x86)\TeamSpeak 3 Client
2011-05-25 10:50:17 27520 ----a-w- C:\Windows\System32\drivers\Diskdump.sys
2011-05-19 19:41:30 -------- d-----w- C:\Users\mo\AppData\Roaming\Adobe Mini Bridge CS5
2011-05-18 15:53:14 -------- d-----w- C:\Users\mo\AppData\Local\{9CB03D9D-B17E-49F4-A83D-D52694836DED}
.
==================== Find3M ====================
.
2011-05-29 22:40:31 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-05-29 22:40:30 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-05-28 03:06:58 3135488 ----a-w- C:\Windows\System32\win32k.sys
2011-05-16 10:34:01 404640 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2011-04-29 03:06:10 467456 ----a-w- C:\Windows\System32\drivers\srv.sys
2011-04-29 03:05:49 410112 ----a-w- C:\Windows\System32\drivers\srv2.sys
2011-04-29 03:05:37 168448 ----a-w- C:\Windows\System32\drivers\srvnet.sys
2011-04-27 02:40:40 158208 ----a-w- C:\Windows\System32\drivers\mrxsmb.sys
2011-04-27 02:39:40 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-04-27 02:39:37 128000 ----a-w- C:\Windows\System32\drivers\mrxsmb20.sys
2011-04-25 05:33:51 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-04-25 02:34:03 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-04-23 01:29:25 2303488 ----a-w- C:\Windows\System32\jscript9.dll
2011-04-23 01:19:19 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-04-22 23:35:56 1797632 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-04-22 23:25:54 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-04-09 07:02:55 5562240 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-04-09 06:58:56 142336 ----a-w- C:\Windows\System32\poqexec.exe
2011-04-09 06:02:25 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-04-09 06:02:25 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-04-09 05:56:38 123904 ----a-w- C:\Windows\SysWow64\poqexec.exe
2011-03-25 03:29:26 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-03-25 03:29:14 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-03-25 03:29:14 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-03-25 03:29:04 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-03-25 03:29:04 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2011-03-25 03:29:03 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-03-25 03:28:59 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2006-05-03 09:06:54 163328 --sha-r- C:\Windows\SysWOW64\flvDX.dll
2007-02-21 10:47:16 31232 --sha-r- C:\Windows\SysWOW64\msfDX.dll
2008-03-16 12:30:52 216064 --sha-r- C:\Windows\SysWOW64\nbDX.dll
.
============= FINISH: 0:11:58,73 ===============

Attached File(s)

df.txt (31bytes)
Number of downloads: 0

This post has been edited by m.alkhalel: 17 June 2011 - 10:23 AM

#2 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 24 June 2011 - 11:56 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs which, when paired with the never-ending shortage of helpers, resulted in the delayed responding to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Running OTL

We need to create a FULL OTL Report

Please download OTL from here:
- Main Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList"
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.

Have I helped you? If you'd like to assist in the fight against malware, click here

The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.

#3 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 24 June 2011 - 11:56 AM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you.

Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated fairly regularly.
Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do, is to make sure sure that your anti-virus definitions are up-to-date!
Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
Because of this, you must reply within three days failure to reply will result in the topic being closed!
Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Running OTL

We need to create a FULL OTL Report

Please download OTL from here:
- Main Mirror
- Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Change the "Extra Registry" option to "SafeList"
Push the button.
Two reports will open, copy and paste them in a reply here:
- OTL.txt <-- Will be opened
- Extras.txt <-- Will be minimized

NEXT:

Please provide an update on how things are running in your next reply.

#4 m.alkhalel

New Member

Group: Members
Posts: 2
Joined: 16-June 11

Posted 24 June 2011 - 12:28 PM

as i said under "edit" the problem is solved by editing the file hosts...
and now after removing some reg. files the slow booting is RESOLVED as well!
anyways many thanks for the response

#5 SweetTech

Agent ST

Group: Malware Response Team
Posts: 12,662
Joined: 15-March 09
Gender:Male
Location:Antarctica

Posted 24 June 2011 - 12:32 PM

Thanks for letting me know.

Please take care!

Kindest Regards,
SweetTech.

____________________________________________________

Since it appears that the issues you were experiencing with your computer have been resolved, I am going to close this thread. If you should need the thread re-opened please send me a Private Message (PM) with a request to re-open the thread, as well as the link to the thread in question, and I'd be happy to re-open the thread.