Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Windows IE is started and redirected to sameshitasiteverwas

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 14th, 2009, 2:25 am

Hi there,

Since a couple of days windows IE is started (just about every 5 minutes). In the address box windows IE is trying to open the following page: hxxp://sameshitasiteverwas.com/traf/tds/default.cgi I then get a 404 error.
Furthermore I notice that each time I (re)start my PC the Windows Security Center is not able to start. Each time when I click the "diagnostics" I can see that the windows firewall is inactive.

Below please find my HJT log file.

Thanks a lot in advance for your help in this matter.

All the best.

- George -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:37, on 14-4-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Philippen\Desktop\Bankafschriften\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geenstijl.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: HP Clipboek - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Slim selecteren - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.92.190.132/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: C:\Windows\System32\Faultrep32.dll,C:\Windows\System32\dispci32.dll,C:\Windows\System32\bitsigd32.dll,C:\Windows\System32\COMMDLG32.dll
O20 - Winlogon Notify: fc6c362b565 - C:\Windows\System32\Faultrep32.dll
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 12296 bytes
Last edited by NonSuch on April 14th, 2009, 3:47 pm, edited 1 time in total.
Reason: Edited to disable live link.
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am
Advertisement
Register to Remove

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby MWR 3 day Mod » April 26th, 2009, 11:45 am

Hi, gphilipp.

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 27th, 2009, 2:28 pm

Hello and welcome to Malware Removal.

My name is peku006 and I will be helping you to remove any infection(s) that you may have.
I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

Please observe these rules while we work:

  • I f you don't know or understand something please don't hesitate to ask
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

1 - Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

IMPORTANT: combofix.exe MUST be on your Desktop for us to proceed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
  • Double click on ComboFix.exe and follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

NOTE: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Image
  • Click on Yes, to continue scanning for malware.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more that 20 minutes including the reboot if malware is detected.

2 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

3 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 28th, 2009, 5:47 am

Hi peku006,

First of all thank you very much for yur support so far. This is very much appreciated.

As requested below please find the HJT log file and the ComboFix log file.

The original problem seems to be fixed as IE is no longer started but I have a new issue. When (re)booting my system windows tries to install Windows Messenger Live. However the installation fails with: Cannot open key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Drivers32.

I'm not sure whether I should log a new ticket for this or whether this issue can be included in this one.

Anyway thans again and below please find the required log files.

All the best.

- George -

HJT:
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:06, on 28-4-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\mspaint.exe
C:\Users\Philippen\Desktop\Bankafschriften\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geenstijl.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: HP Clipboek - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Slim selecteren - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.92.190.132/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - AppInit_DLLs: C:\Windows\System32\Faultrep32.dll C:\Windows\System32\dispci32.dll C:\Windows\System32\bitsigd32.dll C:\Windows\System32\COMMDLG32.dll,C:\Windows\System32\COMMDLG32.dll,C:\Windows\System32\Faultrep32.dll
O20 - Winlogon Notify: fc6c362b565 - C:\Windows\System32\Faultrep32.dll
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 11207 bytes

ComboFix:
========
ComboFix 09-04-27.02 - Philippen 27-04-2009 21:13.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.31.1043.18.2039.781 [GMT 2:00]
Gestart vanuit: c:\users\Philippen\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Nieuw herstelpunt werd aangemaakt
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Gast\AppData\Roaming\020000002d5c3c67565C.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67565O.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67565P.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67565S.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67573C.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67573O.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67573P.manifest
c:\users\Gast\AppData\Roaming\020000002d5c3c67573S.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67565C.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67565O.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67565P.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67565S.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67573C.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67573O.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67573P.manifest
c:\users\Philippen\AppData\Roaming\020000002d5c3c67573S.manifest
c:\users\Philippen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.dll
c:\users\Philippen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.lnk
c:\users\Philippen\protect.dll
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67565C.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67565O.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67565P.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67565S.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67573C.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67573O.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67573P.manifest
c:\users\Prinses Maud\AppData\Roaming\020000002d5c3c67573S.manifest
c:\windows\system32\AutoRun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Boonty Games


(((((((((((((((((((( Bestanden Gemaakt van 2009-05-27 to 2009-4-27 ))))))))))))))))))))))))))))))
.

2009-04-12 11:16 . 2009-04-12 11:16 -------- d-----w c:\users\Gast\AppData\Local\Google
2009-04-12 11:16 . 2009-04-12 11:16 -------- d-----w c:\users\Gast\AppData\Local\Winamp Toolbar
2009-04-12 11:15 . 2009-04-12 11:15 94344 ----a-w c:\users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-12 11:15 . 2009-04-12 11:15 -------- d-----r c:\users\Gast\Searches
2009-04-10 15:25 . 2009-04-10 15:25 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-10 15:25 . 2008-11-12 14:44 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-10 15:25 . 2008-11-12 14:44 17152 ----a-w c:\windows\system32\authuitu.dll
2009-04-10 15:24 . 2009-04-10 15:24 362240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\users\Philippen\AppData\Roaming\TuneUp Software
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\programdata\TuneUp Software
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\users\All Users\TuneUp Software
2009-04-10 15:23 . 2009-04-10 15:23 -------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-10 15:23 . 2009-04-10 15:23 -------- d-sh--w c:\users\All Users\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-08 18:19 . 2009-04-08 18:19 139264 ----a-w c:\windows\system32\COMMDLG32.dll
2009-04-08 18:19 . 2009-04-08 18:19 615 ----a-w c:\windows\system32\byuaMlTo8qXWD.vbs
2009-04-07 20:05 . 2009-04-07 20:05 139264 ----a-w c:\windows\system32\bitsigd32.dll
2009-04-04 16:21 . 2009-04-04 16:23 -------- d-----w C:\effe
2009-04-04 16:20 . 2009-04-04 16:20 139264 ----a-w c:\windows\system32\dispci32.dll
2009-04-03 21:54 . 2009-04-03 21:54 139264 ----a-w c:\windows\system32\Faultrep32.dll
2009-04-03 17:35 . 2009-04-03 17:35 -------- d-----w c:\program files\NetSpy Protector
2009-04-03 17:00 . 2009-04-05 17:50 -------- d-----w c:\users\Philippen\AppData\Roaming\LimeWire

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 10:13 . 2007-10-31 00:09 59362 ----a-w c:\windows\system32\perfc013.dat
2009-04-27 10:13 . 2007-10-31 00:09 210056 ----a-w c:\windows\system32\perfh013.dat
2009-04-19 16:04 . 2008-04-06 09:37 -------- d-----w c:\program files\Norton Security Scan
2009-04-17 17:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-03 17:34 . 2008-02-05 18:47 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-01 18:28 . 2009-03-24 06:33 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 18:06 . 2007-10-30 16:21 -------- d-----w c:\program files\Java
2009-03-20 20:00 . 2009-03-20 20:00 -------- d-----w c:\program files\iTunes
2009-03-20 20:00 . 2009-03-20 20:00 -------- d-----w c:\program files\iPod
2009-03-20 20:00 . 2008-09-13 10:24 -------- d-----w c:\program files\Common Files\Apple
2009-03-20 19:57 . 2008-02-16 13:43 -------- d-----w c:\program files\QuickTime
2009-03-20 19:54 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-03-20 19:54 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-03-20 19:54 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-03-17 03:38 . 2009-04-17 06:30 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 06:30 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 06:30 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-15 20:10 . 2009-03-15 20:09 -------- d-----w c:\program files\Winamp
2009-03-15 20:10 . 2009-03-15 20:10 -------- d-----w c:\program files\Winamp Toolbar
2009-03-15 20:09 . 2007-10-30 16:11 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-13 12:55 . 2009-03-13 12:55 -------- d-----w c:\program files\Zylom Games
2009-03-12 19:31 . 2009-03-12 19:31 -------- d-----w c:\program files\AskBarDis
2009-03-12 19:31 . 2009-03-12 19:30 -------- d-----w c:\program files\Vuze
2009-03-09 19:29 . 2009-03-09 19:29 -------- d-----w c:\program files\Common Files\Ambrasoft
2009-03-09 19:29 . 2009-03-09 19:29 -------- d-----w c:\program files\AmbraSoft
2009-03-09 04:19 . 2008-12-04 19:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 15:56 . 2008-05-19 16:56 -------- d-----w c:\program files\Safari
2009-03-03 04:46 . 2009-04-17 06:30 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 06:30 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 06:30 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 06:30 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 06:30 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 06:30 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 06:30 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 06:30 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 06:30 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 06:30 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 06:30 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 06:30 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 06:30 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-28 22:36 . 2008-12-04 19:26 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-27 15:27 . 2008-10-17 14:16 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-13 08:49 . 2009-04-17 06:30 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-17 06:30 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 07:05 2033152 ----a-w c:\windows\system32\win32k.sys
2008-12-12 22:31 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-10-31 00:32 . 2007-10-31 00:11 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-09 17:40 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-26 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-29 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-29 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-29 138008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-2-8 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fc6c362b565]
2009-04-03 21:54 139264 ----a-w c:\windows\System32\Faultrep32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\Faultrep32.dll c:\windows\System32\dispci32.dll c:\windows\System32\bitsigd32.dll c:\windows\System32\COMMDLG32.dll,c:\windows\System32\COMMDLG32.dll,c:\windows\System32\Faultrep32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-27 212280]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-12-09 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-09 234888]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-04-10 603904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-05-22 106808]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]


--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhoud van de 'Gedeelde Taken' map

2009-04-27 c:\windows\Tasks\1-klik Onderhoud.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-03 15:48]

2008-04-01 c:\windows\Tasks\HPCeeScheduleForPrinses Maud.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-10-30 15:55]

2009-04-20 c:\windows\Tasks\Norton Internet Security - Volledige systeemscan - Philippen.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 18:09]

2009-04-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 02:08]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.geenstijl.nl/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game04.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\users\Philippen\AppData\Roaming\Mozilla\Firefox\Profiles\tq5cxaec.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geenstijl.nl/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\Philippen\AppData\Roaming\Mozilla\Firefox\Profiles\tq5cxaec.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 21:22
Windows 6.0.6001 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
------------------------ Andere Aktieve Processen ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\System32\PnkBstrA.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\conime.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\msiexec.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Symantec\LiveUpdate\LuComServer_3_2.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Voltooingstijd: 2009-04-27 21:24 - machine werd herstart
ComboFix-quarantined-files.txt 2009-04-27 19:24

Pre-Run: 184.422.596.608 bytes beschikbaar
Post-Run: 184.411.303.936 bytes beschikbaar

269 --- E O F --- 2009-04-24 07:54
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 28th, 2009, 8:41 am

Hi George

1 - Run CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\COMMDLG32.dll
c:\windows\system32\byuaMlTo8qXWD.vbs
c:\windows\system32\bitsigd32.dll
c:\windows\system32\dispci32.dll
c:\windows\system32\Faultrep32.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fc6c362b565]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe

Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2 - Download and Run SystemLook

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code: Select all
    :reg
    HKLM\software\microsoft\windows nt\currentversion\drivers32
     

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at on your Desktop entitled SystemLook.txt

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the ComboFix log(C:\ComboFix.txt)
2. the SystemLook.txt
3. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 28th, 2009, 9:35 am

Hi peku006,

Again thanks for your very quick reply.

The issue of (re) installing Windows Live Messenger seems to be resolved. Below please find the required log files.

Again thank you very much for your support and all the best.

- George -

HJT:
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:16, on 28-4-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\Philippen\Desktop\Bankafschriften\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geenstijl.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: HP Clipboek - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Slim selecteren - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.92.190.132/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O20 - Winlogon Notify: fc6c362b565 - C:\Windows\
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 10892 bytes


ComboFix:
=======
ComboFix 09-04-27.02 - Philippen 28-04-2009 15:10.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.31.1043.18.2039.1262 [GMT 2:00]
Gestart vanuit: c:\users\Philippen\Desktop\ComboFix.exe
gebruikte Opdracht switches :: c:\users\Philippen\Desktop\CFScript.txt
AV: Norton Internet Security *On-access scanning disabled* (Outdated)
FW: Norton Internet Security *disabled*
* Nieuw herstelpunt werd aangemaakt

FILE ::
c:\windows\system32\bitsigd32.dll
c:\windows\system32\byuaMlTo8qXWD.vbs
c:\windows\system32\COMMDLG32.dll
c:\windows\system32\dispci32.dll
c:\windows\system32\Faultrep32.dll
.

(((((((((((((((((((((((((((((((((( Andere Verwijderingen )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bitsigd32.dll
c:\windows\system32\byuaMlTo8qXWD.vbs
c:\windows\system32\COMMDLG32.dll
c:\windows\system32\dispci32.dll
c:\windows\system32\Faultrep32.dll

.
(((((((((((((((((((( Bestanden Gemaakt van 2009-05-28 to 2009-4-28 ))))))))))))))))))))))))))))))
.

2009-04-12 11:16 . 2009-04-12 11:16 -------- d-----w c:\users\Gast\AppData\Local\Google
2009-04-12 11:16 . 2009-04-12 11:16 -------- d-----w c:\users\Gast\AppData\Local\Winamp Toolbar
2009-04-12 11:15 . 2009-04-12 11:15 94344 ----a-w c:\users\Gast\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-12 11:15 . 2009-04-12 11:15 -------- d-----r c:\users\Gast\Searches
2009-04-10 15:25 . 2009-04-10 15:25 603904 ----a-w c:\windows\system32\TUProgSt.exe
2009-04-10 15:25 . 2008-11-12 14:44 27904 ----a-w c:\windows\system32\uxtuneup.dll
2009-04-10 15:25 . 2008-11-12 14:44 17152 ----a-w c:\windows\system32\authuitu.dll
2009-04-10 15:24 . 2009-04-10 15:24 362240 ----a-w c:\windows\system32\TuneUpDefragService.exe
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\users\Philippen\AppData\Roaming\TuneUp Software
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\program files\TuneUp Utilities 2009
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\programdata\TuneUp Software
2009-04-10 15:24 . 2009-04-10 15:24 -------- d-----w c:\users\All Users\TuneUp Software
2009-04-10 15:23 . 2009-04-10 15:23 -------- d-sh--w c:\programdata\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-10 15:23 . 2009-04-10 15:23 -------- d-sh--w c:\users\All Users\{55A29068-F2CE-456C-9148-C869879E2357}
2009-04-04 16:21 . 2009-04-04 16:23 -------- d-----w C:\effe
2009-04-03 17:35 . 2009-04-03 17:35 -------- d-----w c:\program files\NetSpy Protector
2009-04-03 17:00 . 2009-04-05 17:50 -------- d-----w c:\users\Philippen\AppData\Roaming\LimeWire

.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 09:36 . 2007-10-31 00:09 59362 ----a-w c:\windows\system32\perfc013.dat
2009-04-28 09:36 . 2007-10-31 00:09 210056 ----a-w c:\windows\system32\perfh013.dat
2009-04-19 16:04 . 2008-04-06 09:37 -------- d-----w c:\program files\Norton Security Scan
2009-04-17 17:15 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-03 17:34 . 2008-02-05 18:47 -------- d-----w c:\program files\K-Lite Codec Pack
2009-04-01 18:28 . 2009-03-24 06:33 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-25 18:06 . 2007-10-30 16:21 -------- d-----w c:\program files\Java
2009-03-20 20:00 . 2009-03-20 20:00 -------- d-----w c:\program files\iTunes
2009-03-20 20:00 . 2009-03-20 20:00 -------- d-----w c:\program files\iPod
2009-03-20 20:00 . 2008-09-13 10:24 -------- d-----w c:\program files\Common Files\Apple
2009-03-20 19:57 . 2008-02-16 13:43 -------- d-----w c:\program files\QuickTime
2009-03-20 19:54 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-03-20 19:54 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-03-20 19:54 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-03-17 03:38 . 2009-04-17 06:30 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-17 06:30 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-17 06:30 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-15 20:10 . 2009-03-15 20:09 -------- d-----w c:\program files\Winamp
2009-03-15 20:10 . 2009-03-15 20:10 -------- d-----w c:\program files\Winamp Toolbar
2009-03-15 20:09 . 2007-10-30 16:11 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-13 12:55 . 2009-03-13 12:55 -------- d-----w c:\program files\Zylom Games
2009-03-12 19:31 . 2009-03-12 19:31 -------- d-----w c:\program files\AskBarDis
2009-03-12 19:31 . 2009-03-12 19:30 -------- d-----w c:\program files\Vuze
2009-03-09 19:29 . 2009-03-09 19:29 -------- d-----w c:\program files\Common Files\Ambrasoft
2009-03-09 19:29 . 2009-03-09 19:29 -------- d-----w c:\program files\AmbraSoft
2009-03-09 04:19 . 2008-12-04 19:56 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 15:56 . 2008-05-19 16:56 -------- d-----w c:\program files\Safari
2009-03-03 04:46 . 2009-04-17 06:30 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-17 06:30 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-17 06:30 827392 ----a-w c:\windows\system32\wininet.dll
2009-03-03 04:39 . 2009-04-17 06:30 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-17 06:30 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-17 06:30 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-17 06:30 78336 ----a-w c:\windows\system32\ieencode.dll
2009-03-03 04:37 . 2009-04-17 06:30 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-17 06:30 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 04:37 . 2009-04-17 06:30 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-17 06:30 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-17 06:30 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-03 02:28 . 2009-04-17 06:30 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-02-28 22:36 . 2008-12-04 19:26 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-02-27 15:27 . 2008-10-17 14:16 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-13 08:49 . 2009-04-17 06:30 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-17 06:30 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 07:05 2033152 ----a-w c:\windows\system32\win32k.sys
2008-12-12 22:31 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2007-10-31 00:32 . 2007-10-31 00:11 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-27_19.21.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 15:59 . 2009-04-28 09:33 55028 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:05 . 2009-04-27 19:20 57636 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-04-28 09:33 57636 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-21 18:55 . 2009-04-28 09:03 11960 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2467585895-1174177222-1004756497-1001_UserData.bin
- 2008-02-02 14:05 . 2009-04-27 19:19 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-02-02 14:05 . 2009-04-28 09:31 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-02-02 14:05 . 2009-04-27 19:19 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-02-02 14:05 . 2009-04-28 09:31 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-04-28 09:31 . 2009-04-28 09:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-04-27 19:18 . 2009-04-27 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-28 09:31 . 2009-04-28 09:31 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-27 19:18 . 2009-04-27 19:18 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-02-02 16:59 . 2009-04-27 21:04 321236 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2006-11-02 10:33 . 2009-04-28 09:36 591476 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-27 10:13 591476 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-27 10:13 105356 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-04-28 09:36 105356 c:\windows\System32\perfc009.dat
+ 2008-02-02 14:05 . 2009-04-28 09:31 688128 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-12-09 17:40 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-26 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-29 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-29 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-29 138008]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2006-11-03 319488]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-02-25 37888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2008-2-8 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe"
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019

R3 PAC207;SoC PC-Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2006-12-05 507136]
S1 IDSvix86;Symantec Intrusion Prevention Driver;c:\progra~2\Symantec\DEFINI~1\SymcData\idsdefs\20070108.003\IDSvix86.sys [2006-12-27 212280]
S2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [2008-12-09 464264]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [2008-12-09 234888]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-04-10 603904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-05-22 106808]
S3 SYMNDISV;SYMNDISV;c:\windows\System32\Drivers\SYMNDISV.SYS [2007-01-09 38200]


--- Andere Services/Drivers In Geheugen ---

*NewlyCreated* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Inhoud van de 'Gedeelde Taken' map

2009-04-28 c:\windows\Tasks\1-klik Onderhoud.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-03 15:48]

2008-04-01 c:\windows\Tasks\HPCeeScheduleForPrinses Maud.job
- c:\program files\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2007-10-30 15:55]

2009-04-20 c:\windows\Tasks\Norton Internet Security - Volledige systeemscan - Philippen.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-01-13 18:09]

2009-04-24 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2008-01-09 02:08]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.geenstijl.nl/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
uInternet Settings,ProxyOverride = *.local
IE: &Winamp Search - c:\programdata\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game04.zylom.com/activex/zylomgamesplayer.cab
FF - ProfilePath - c:\users\Philippen\AppData\Roaming\Mozilla\Firefox\Profiles\tq5cxaec.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.geenstijl.nl/
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - component: c:\users\Philippen\AppData\Roaming\Mozilla\Firefox\Profiles\tq5cxaec.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\programdata\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 15:14
Windows 6.0.6001 Service Pack 1 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************
.
Voltooingstijd: 2009-04-28 15:15
ComboFix-quarantined-files.txt 2009-04-28 13:15
ComboFix2.txt 2009-04-27 19:24

Pre-Run: 183.239.540.736 bytes beschikbaar
Post-Run: 183.212.625.920 bytes beschikbaar

236 --- E O F --- 2009-04-28 09:06

SystemLook.txt:
============
SystemLook v1.0 by jpshortstuff (24.04.09)
Log created at 15:19 on 28/04/2009 by Philippen (Administrator - Elevation successful)

========== reg ==========

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"="wdmaud.drv"
"midi"="wdmaud.drv"
"midimapper"="midimap.dll"
"mixer"="wdmaud.drv"
"msacm.at3"="atrac3.acm"
"msacm.divxa32"="divxa32.acm"
"msacm.imaadpcm"="imaadp32.acm"
"msacm.l3acm"="l3codeca.acm"
"msacm.l3codec"="l3codecp.acm"
"msacm.lhacm"="lhacm.acm"
"msacm.msadpcm"="msadp32.acm"
"msacm.msaudio1"="msaud32.acm"
"msacm.msg711"="msg711.acm"
"msacm.msgsm610"="msgsm32.acm"
"msacm.siren"="sirenacm.dll"
"MSVideo8"="VfWWDM32.dll"
"vidc.cvid"="iccvid.dll"
"vidc.DIV3"="DivXc32.dll"
"vidc.DIV4"="DivXc32f.dll"
"vidc.DIVX"="DivX.dll"
"VIDC.FPS1"="frapsvid.dll"
"VIDC.IV41"="IR41_32.AX"
"VIDC.IYUV"="iyuv_32.dll"
"vidc.mrle"="msrle32.dll"
"vidc.msvc"="msvidc32.dll"
"vidc.tscc"="tsccvid.dll"
"VIDC.UYVY"="msyuv.dll"
"VIDC.wmv3"="wmv9vcm.dll"
"VIDC.XFR1"="xfcodec.dll"
"vidc.XVID"="xvid.dll"
"VIDC.YUY2"="msyuv.dll"
"VIDC.YVU9"="tsbyuv.dll"
"VIDC.YVYU"="msyuv.dll"
"wave"="wdmaud.drv"
"wavemapper"="msacm32.drv"


-=End Of File=-
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 28th, 2009, 9:56 am

Hi George

1 - Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

      O20 - Winlogon Notify: fc6c362b565 - C:\Windows\
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

2 - Download and Run Malwarebytes' Anti-Malware
  1. Please download Malwarebytes' Anti-Malware and save it to a convenient location.
  2. Double click on mbam-setup.exe to install it.
  3. Before clicking the Finish button, make sure that these 2 boxes are checked (ticked):
      Update Malwarebytes' Anti-Malware
      Launch Malwarebytes' Anti-Malware
  4. Malwarebytes' Anti-Malware will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update Mirror, select one of the websites and click on Check for Updates.
  5. Select the Scanner tab. Click on Perform full scan, then click on Scan.
  6. Leave the default options as it is and click on Start Scan.
  7. When done, you will be prompted. Click OK, then click on Show Results.
  8. Checked (ticked) all items except items in the System Volume Information folder and click on Remove Selected.

    Image
  9. After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom most log is the latest.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with


1. the Malwarebytes' Anti-Malware Log
2. a fresh HijackThis log
description of any problems you are having with your PC

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 28th, 2009, 1:21 pm

Hi peku006,

You could be a wizzard :bounce:

My PC is starting far much faster and internet is like it used to be (fast) If ever there will be a nomination for worl best "helpdesk support person" you will be on place no. one.

Below please find my latest log files.

Thanks again and all the best.

- George -

HJT:
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:17:35, on 28-4-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Philippen\Desktop\Bankafschriften\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geenstijl.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: HP Clipboek - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Slim selecteren - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.92.190.132/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 10888 bytes

Mbam:
=====
Malwarebytes' Anti-Malware 1.36
Database versie: 2053
Windows 6.0.6001 Service Pack 1

28-4-2009 18:50:23
mbam-log-2009-04-28 (18-50-23).txt

Scan type: Volledige Scan (C:\|D:\|)
Objecten gescand: 272572
Verstreken tijd: 1 hour(s), 44 minute(s), 7 second(s)

Geheugenprocessen geïnfecteerd: 0
Geheugenmodulen geïnfecteerd: 0
Registersleutels geïnfecteerd: 0
Registerwaarden geïnfecteerd: 0
Registerdata bestanden geïnfecteerd: 0
Mappen geïnfecteerd: 0
Bestanden geïnfecteerd: 6

Geheugenprocessen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Geheugenmodulen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registersleutels geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerwaarden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Registerdata bestanden geïnfecteerd:
(Geen kwaadaardige items gevonden)

Mappen geïnfecteerd:
(Geen kwaadaardige items gevonden)

Bestanden geïnfecteerd:
C:\effe\setup.exe (Worm.P2P) -> Quarantined and deleted successfully.
C:\effe\keygen_from_iFLUENCE\keygen.exe (Worm.P2P) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\bitsigd32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\COMMDLG32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\dispci32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Windows\System32\Faultrep32.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 28th, 2009, 1:45 pm

Hi George

too much "rhetoric"......I blush :)

logs look better
we will run one online scan to be sure that there is nothing left.

1 - Clean temp files

    Download and Run ATF Cleaner
    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.Double-click ATF Cleaner.exe to open it.

    Under Main choose:
      Windows Temp
      Current User Temp
      All Users Temp
      Temporary Internet Files
      Prefetch
      Java Cache

      *The other boxes are optional*
      Then click the Empty Selected button.
    if you use Firefox:
      Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
    if you use Opera:
      Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program

2 - Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

3 - Run Hijackthis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad

4 - Status Check
Please reply with

1. the Kaspersky online scanner report
2. a fresh HijackThis log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 29th, 2009, 8:02 am

Hi Peku006,

Thank you for testing my persistence. First it took me 3 hrs to download the Karspersky program after which it took me over three hours to scan my PC. :shock:

Anyway before examining my log files please accept my sincere thanks. I truly admire the work you and your collegeaus are doing and (of course) I will attribute (my WHOLE AMOUNT of my WEEKLY POCKET MONEY)

I'm a 100 times as glad that there are people like you :D as I'm angry on people who DELIBERETALY destroy your computer :cry:

Anyway below please find the required logfiles.

All the best.

- George -

HJT:
===
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54:17, on 29-4-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\PixArt\Pac207\Monitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Users\Philippen\Desktop\Bankafschriften\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.geenstijl.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Adobe PDF Reader Help bij koppelingen - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Winamp Search - C:\ProgramData\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: HP Clipboek - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Slim selecteren - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://82.92.190.132/activex/AxisCamControl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZI ... b56649.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game04.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab57176.cab
O23 - Service: Mobiel Apple apparaat (Apple Mobile Device) - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: Bonjour-service (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-service (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe

--
End of file - 10939 bytes


Kaspersky:
========
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, April 29, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 00:49:07
Records in database: 2088190
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 175921
Threat name: 9
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 03:36:46


File name / Threat name / Threats count
C:\Program Files\Circle Developement\Uninstall.exe Infected: Trojan-Dropper.Win32.Agent.lxl 1
C:\ProgramData\Bait cake roam slow\BIB WIPE.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\ProgramData\bash amen surf\ipwluinp.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\ProgramData\bash amen surf\Real base.exe Infected: Trojan.Win32.Swizzor.a 1
C:\ProgramData\bash amen surf\vnrtncnz.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\ProgramData\bash amen surf\Wait Send Wma Safe.exe Infected: Trojan.Win32.Swizzor.a 1
C:\Qoobox\Quarantine\C\Users\Philippen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ChkDisk.dll.vir Infected: Trojan-Spy.Win32.Agent.amjj 1
C:\Qoobox\Quarantine\C\Users\Philippen\protect.dll.vir Infected: Trojan-Spy.Win32.Agent.amjj 1
C:\Users\All Users\Bait cake roam slow\BIB WIPE.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\Users\All Users\bash amen surf\ipwluinp.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\Users\All Users\bash amen surf\Real base.exe Infected: Trojan.Win32.Swizzor.a 1
C:\Users\All Users\bash amen surf\vnrtncnz.exe Infected: Trojan.Win32.Obfuscated.gen 1
C:\Users\All Users\bash amen surf\Wait Send Wma Safe.exe Infected: Trojan.Win32.Swizzor.a 1
C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll Infected: Trojan-Spy.Win32.Agent.amjj 1
C:\Users\Philippen\Incomplete\Preview-T-5745425-money negativ.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Users\Philippen\Music\iTunes\Incomplete\Preview-T-4045425-herbert gronemeyer mensch (320k stereo).mp3 Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Users\Philippen\Music\iTunes\Incomplete\T-3431239-shemale - greatest hits.mp3 Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Users\Philippen\Music\iTunes\iTunes Music\blindfolded babe from colombia posing in thong [old women].avi Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Users\Philippen\Music\iTunes\iTunes Music\der weg herbert gronemeyer (hot new track).au Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom incl keymaker by ROR.zip Infected: P2P-Worm.Win32.Nugg.an 3
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom setup + keygen by iNFLUENCE.zip Infected: P2P-Worm.Win32.Nugg.an 2
C:\Users\Philippen\Music\iTunes\iTunes Music\governor of poker setup [keygen by iNFLUENCE].zip Infected: P2P-Worm.Win32.Nugg.an 2
C:\Users\Philippen\Music\iTunes\iTunes Music\shaved mature brunette toys with double dildo [facila compilation].mpg Infected: Trojan-Downloader.WMA.GetCodec.ab 1
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale + keygen by team Black_X.zip Infected: P2P-Worm.Win32.Nugg.an 2
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale plus crack by ORiON.zip Infected: P2P-Worm.Win32.Nugg.an 2
C:\Users\Philippen\Shared\money negativ.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1

The selected area was scanned.
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 29th, 2009, 8:53 am

Hi George
Thank you for your fine words......... :toothy7:
it is a "pleasure" to help users who have problems with malware (I simply love it)

Download and Run OTMoveIt3

Download OTMoveIt3 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt3.exe.
  • Copy the lines in the codebox below.
Code: Select all
:files
C:\Program Files\Circle Developement\Uninstall.exe 
C:\ProgramData\Bait cake roam slow\BIB WIPE.exe 
C:\ProgramData\bash amen surf\ipwluinp.exe
C:\ProgramData\bash amen surf\Real base.exe 
C:\ProgramData\bash amen surf\vnrtncnz.exe 
C:\ProgramData\bash amen surf\Wait Send Wma Safe.exe 
C:\Users\All Users\Bait cake roam slow\BIB WIPE.exe 
C:\Users\All Users\bash amen surf\ipwluinp.exe 
C:\Users\All Users\bash amen surf\Real base.exe 
C:\Users\All Users\bash amen surf\vnrtncnz.exe 
C:\Users\All Users\bash amen surf\Wait Send Wma Safe.exe 
C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll 
C:\Users\Philippen\Incomplete\Preview-T-5745425-money negativ.mp3 
C:\Users\Philippen\Music\iTunes\Incomplete\Preview-T-4045425-herbert gronemeyer mensch (320k stereo).mp3 
C:\Users\Philippen\Music\iTunes\Incomplete\T-3431239-shemale - greatest hits.mp3 
C:\Users\Philippen\Music\iTunes\iTunes Music\blindfolded babe from colombia posing in thong [old women].avi 
C:\Users\Philippen\Music\iTunes\iTunes Music\der weg herbert gronemeyer (hot new track).au 
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom incl keymaker by ROR.zip 
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom setup + keygen by iNFLUENCE.zip 
C:\Users\Philippen\Music\iTunes\iTunes Music\governor of poker setup [keygen by iNFLUENCE].zip
C:\Users\Philippen\Music\iTunes\iTunes Music\shaved mature brunette toys with double dildo [facila compilation].mpg 
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale + keygen by team Black_X.zip 
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale plus crack by ORiON.zip 
C:\Users\Philippen\Shared\money negativ.mp3 

  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

Please reply with

the OTMoveIt3.log

Thanks peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 29th, 2009, 1:52 pm

Hi Peku006,

This time things went a little bit faster ;)

Below please find the logfile before and after re-boot.

All the best.

- George -

Before:
=====
========== FILES ==========
File move failed. C:\Program Files\Circle Developement\Uninstall.exe scheduled to be moved on reboot.
File move failed. C:\ProgramData\Bait cake roam slow\BIB WIPE.exe scheduled to be moved on reboot.
File move failed. C:\ProgramData\bash amen surf\ipwluinp.exe scheduled to be moved on reboot.
File move failed. C:\ProgramData\bash amen surf\Real base.exe scheduled to be moved on reboot.
File move failed. C:\ProgramData\bash amen surf\vnrtncnz.exe scheduled to be moved on reboot.
File move failed. C:\ProgramData\bash amen surf\Wait Send Wma Safe.exe scheduled to be moved on reboot.
File move failed. C:\Users\All Users\Bait cake roam slow\BIB WIPE.exe scheduled to be moved on reboot.
File move failed. C:\Users\All Users\bash amen surf\ipwluinp.exe scheduled to be moved on reboot.
File move failed. C:\Users\All Users\bash amen surf\Real base.exe scheduled to be moved on reboot.
File move failed. C:\Users\All Users\bash amen surf\vnrtncnz.exe scheduled to be moved on reboot.
File move failed. C:\Users\All Users\bash amen surf\Wait Send Wma Safe.exe scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll
C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll NOT unregistered.
C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll moved successfully.
C:\Users\Philippen\Incomplete\Preview-T-5745425-money negativ.mp3 moved successfully.
C:\Users\Philippen\Music\iTunes\Incomplete\Preview-T-4045425-herbert gronemeyer mensch (320k stereo).mp3 moved successfully.
C:\Users\Philippen\Music\iTunes\Incomplete\T-3431239-shemale - greatest hits.mp3 moved successfully.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\blindfolded babe from colombia posing in thong [old women].avi not found.
C:\Users\Philippen\Music\iTunes\iTunes Music\der weg herbert gronemeyer (hot new track).au moved successfully.
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom incl keymaker by ROR.zip moved successfully.
C:\Users\Philippen\Music\iTunes\iTunes Music\femdom setup + keygen by iNFLUENCE.zip moved successfully.
C:\Users\Philippen\Music\iTunes\iTunes Music\governor of poker setup [keygen by iNFLUENCE].zip moved successfully.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\shaved mature brunette toys with double dildo [facila compilation].mpg not found.
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale + keygen by team Black_X.zip moved successfully.
C:\Users\Philippen\Music\iTunes\iTunes Music\shemale plus crack by ORiON.zip moved successfully.
C:\Users\Philippen\Shared\money negativ.mp3 moved successfully.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_193615

After:
====
========== FILES ==========
C:\Program Files\Circle Developement\Uninstall.exe moved successfully.
C:\ProgramData\Bait cake roam slow\BIB WIPE.exe moved successfully.
C:\ProgramData\bash amen surf\ipwluinp.exe moved successfully.
C:\ProgramData\bash amen surf\Real base.exe moved successfully.
C:\ProgramData\bash amen surf\vnrtncnz.exe moved successfully.
C:\ProgramData\bash amen surf\Wait Send Wma Safe.exe moved successfully.
File/Folder C:\Users\All Users\Bait cake roam slow\BIB WIPE.exe not found.
File/Folder C:\Users\All Users\bash amen surf\ipwluinp.exe not found.
File/Folder C:\Users\All Users\bash amen surf\Real base.exe not found.
File/Folder C:\Users\All Users\bash amen surf\vnrtncnz.exe not found.
File/Folder C:\Users\All Users\bash amen surf\Wait Send Wma Safe.exe not found.
File/Folder C:\Users\Philippen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Philippen\protect.dll not found.
File/Folder C:\Users\Philippen\Incomplete\Preview-T-5745425-money negativ.mp3 not found.
File/Folder C:\Users\Philippen\Music\iTunes\Incomplete\Preview-T-4045425-herbert gronemeyer mensch (320k stereo).mp3 not found.
File/Folder C:\Users\Philippen\Music\iTunes\Incomplete\T-3431239-shemale - greatest hits.mp3 not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\blindfolded babe from colombia posing in thong [old women].avi not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\der weg herbert gronemeyer (hot new track).au not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\femdom incl keymaker by ROR.zip not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\femdom setup + keygen by iNFLUENCE.zip not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\governor of poker setup [keygen by iNFLUENCE].zip not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\shaved mature brunette toys with double dildo [facila compilation].mpg not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\shemale + keygen by team Black_X.zip not found.
File/Folder C:\Users\Philippen\Music\iTunes\iTunes Music\shemale plus crack by ORiON.zip not found.
File/Folder C:\Users\Philippen\Shared\money negativ.mp3 not found.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_194514
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 29th, 2009, 2:28 pm

Hi George

Congratulations, your log looks clean! :)

To remove all of the tools we used and the files and folders they created do the following:

  • Double-click OTMoveIt3.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore-Vista
  • Click the Vista/Start icon.
  • Right Click >> Computer
  • Click Properties.
  • Click the System Protection tab.
  • Uncheck All drives
  • Click "Turn Off System Restore" at the prompt then click "Apply".
  • Restart your computer.
Turn ON System Restore-Vista
  • Click the Vista/Start icon
  • Right Click >> Computer
  • Click Properties.
  • Click the System Protection tab.
  • Checkmark All drives that were selected previously then click "Apply".
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.
(Vista users must ensure that any programs are Vista compatible BEFORE installing)

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
Find here the tutorial on how to use Spybot properly here

Install SpyWare Blaster
Download it from here
Find here the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
Here you can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy surfing and stay clean! :thumbup:
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby gphilipp » April 29th, 2009, 5:44 pm

Puke006,

What can I say. :P

I'm so glad how you helped me out in this matter.

When I told my father about this his he told me he would double the amount to be donated. So 20$ (sorry I only get 10$ pocket money :shock: ) has been donated 5 minutes ago.

Thanks again for your very cooperative, quick and professional support. :bounce:

Although not appropriate by the lyrics (http://www.youtube.com/watch?v=5u5LZ-DN3iA)

All the best.

- George -
gphilipp
Regular Member
 
Posts: 18
Joined: April 14th, 2009, 1:48 am

Re: Windows IE is started and redirected to sameshitasiteverwas

Unread postby peku006 » April 30th, 2009, 4:01 am

George you are :angel13:

many thanks to you for your kind words, and it was very nicely done that you "donated all your pocket money".
both are very important to us........


best regards
peku006
User avatar
peku006
MRU Emeritus
MRU Emeritus
 
Posts: 3357
Joined: May 14th, 2007, 2:18 pm
Location: Norway
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 21 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware