Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Im being hijacked/using windows xp


  • Please log in to reply
1 reply to this topic

#1 randt

randt

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:10 PM

Posted 07 July 2010 - 06:09 PM

Please let me apologize if my description is not very exact. I will do my best to be succint and not offer information that you do not need.thanks in advance for any help.
I am running windows xp. i am using malwarebytes and zone alarm for security. im using ie explorer for my browser.
I think my browser is being hijacked becasue frequently a malwarebytes dialogue pops up indicating that it has blacked access to a dagngerous site. Often but not always at the same time a new broVser window will pop up and run without connecting then time out.
Also, it seems like there is something running in the background as my as my cpu usage spikes often.

Thanks kindly for any help even its its only to school me on proper protochols for bleeping computer I may be violating.

my dds.txt log follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 17:34:10.46 on Tue 07/06/2010
Internet Explorer: 8.0.6001.18702
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcStd7_0_0 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PMA_ENT] c:\program files\antimalware pro\AntiMalwarePro.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [UDC Integration]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ADOBEA~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\ocr\PfuSsOrgOcr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/DOCUME~1/Tom/LOCALS~1/Temp/IXP000.TMP/setup.cab
DPF: {63BE9F48-B516-11D1-87CD-00A02476EC4D} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/Mailing%20Labels/LabelSelector.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=13ab015b1806d65c7449e832ecdcc116&url=http%3A%2F%2Fd.66.155.171.162.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=580942478_66.155.171.162_60301&=&req=1268613573183OneCC.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {79D1DBE2-A317-4D67-891D-9849D17F0531} - hxxp://www.parcelquest.com/download/MapEdge.cab
DPF: {845A8B24-D89F-11D1-9DA4-0080C885B976} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/Galaxy%20Printing/Galaxy.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231458850876&h=10398499ae9312f95f4147fe45ef4d8c/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-27 16:58:06 0 d-----w- c:\program files\common files\HP
2010-06-27 16:28:25 1602 ------w- c:\windows\hppmdl03.dat
2010-06-27 16:28:25 130852 ----a-w- c:\windows\hppins03.dat
2010-06-26 23:50:40 74 ----a-w- c:\windows\hpntwksetup.ini
2010-06-26 21:14:55 0 d-----w- C:\hp_CLJ2605_Full_Solution
2010-06-26 17:35:23 188416 ----a-w- c:\windows\system32\hpmews01.dll
2010-06-26 17:35:08 0 ----a-w- c:\windows\HPMProp.INI
2010-06-26 17:33:15 79872 ----a-w- c:\windows\system32\hppccompio.dll
2010-06-26 17:33:15 223232 ----a-w- c:\windows\system32\hpmtp104.dll
2010-06-26 17:33:15 18944 ----a-w- c:\windows\system32\hppmopjl.dll
2010-06-26 17:33:15 179200 ----a-w- c:\windows\system32\hpmpw081.dll
2010-06-26 17:33:14 49252 ----a-w- c:\windows\system32\hpmnque.dll
2010-06-26 17:33:14 49250 ----a-w- c:\windows\system32\hpmnndps.dll
2010-06-26 17:33:14 326656 ----a-w- c:\windows\system32\hpmml104.dll
2010-06-26 17:33:14 275968 ----a-w- c:\windows\system32\hpmja104.dll
2010-06-26 17:33:14 243200 ----a-w- c:\windows\system32\hpmpm081.dll
2010-06-26 17:33:13 179200 ----a-w- c:\windows\system32\hpcpn104.dll
2010-06-26 17:30:40 0 d-----w- C:\HP Universal Print Driver v5.1 PCL6 32-bit Driver
2010-06-26 17:12:33 0 d-----w- c:\windows\system32\NtmsData
2010-06-18 19:31:07 1064 ---ha-r- c:\documents and settings\tom\XrxWm.ini
2010-06-18 19:31:06 483 ---ha-r- c:\documents and settings\tom\xw45cpdy.dyc
2010-06-07 13:58:52 3648 ----a-w- c:\windows\hpbvnstp.hi1
2010-06-07 13:58:52 1100 ----a-w- c:\windows\hpbvnstp.bu1
2010-06-07 13:57:50 327680 ----a-w- c:\windows\system32\hppepr02.dll

==================== Find3M ====================

2010-07-06 12:46:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-02 00:44:40 102912 ----a-w- c:\windows\system32\hpmco104.dll
2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-09 14:24:05 2516356 ----a-w- C:\wordpress-2.9.2.zip
2010-04-04 21:22:11 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-04 21:22:12 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-04 21:22:11 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:38:25.32 ===============


My DDS.txt Log Follows:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Tom at 17:34:10.46 on Tue 07/06/2010
Internet Explorer: 8.0.6001.18702
AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Toolbar Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcStd7_0_0 -reboot 1
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PMA_ENT] c:\program files\antimalware pro\AntiMalwarePro.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [PfuSsSct.exe] c:\program files\pfu\scansnap\PfuSsSct.exe /Station
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [UDC Integration]
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ToolBoxFX] "c:\program files\hp\toolboxfx\bin\HPTLBXFX.exe" /enum:on /alerts:on /notifications:on /systrayIcon:on /fl:on /fr:on /appData:on
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ADOBEA~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\conver~1.lnk - c:\program files\pfu\scansnap\organizer\ocr\PfuSsOrgOcr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\windows\installer\{d8e363a7-88b7-446d-b2c0-e26ce4dc8e54}\_294823.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\scansn~1.lnk - c:\program files\pfu\scansnap\driver\PfuSsMon.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: doccentral.com
Trusted Zone: fnismls.com
Trusted Zone: getmedianow.com
Trusted Zone: rdesk.com
Trusted Zone: rexplorer.net
Trusted Zone: showingtime.com
Trusted Zone: sitexdata.com
Trusted Zone: spellchecker.net
Trusted Zone: transactionpoint.com
Trusted Zone: trpoint.com
Trusted Zone: virtualearth.net
Trusted Zone: xmlsweb.com
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {0854D220-A90A-466D-BC02-6683183802B7} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/FNISPrintControl.cab
DPF: {33415AC7-AFFA-4D55-B41C-C64C0D07DFCA} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/DOCUME~1/Tom/LOCALS~1/Temp/IXP000.TMP/setup.cab
DPF: {63BE9F48-B516-11D1-87CD-00A02476EC4D} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/Mailing%20Labels/LabelSelector.cab
DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxps://as00.estara.com/UI/proxyhttps.php?a=downloads.estara.com./&hash=13ab015b1806d65c7449e832ecdcc116&url=http%3A%2F%2Fd.66.155.171.162.downloads.estara.com.%2Fas%2FOneCCDM.php&template=489683&sessionid=580942478_66.155.171.162_60301&=&req=1268613573183OneCC.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {79D1DBE2-A317-4D67-891D-9849D17F0531} - hxxp://www.parcelquest.com/download/MapEdge.cab
DPF: {845A8B24-D89F-11D1-9DA4-0080C885B976} - hxxp://lakecounty.p3.fnismls.com/Paragon/Codebase/Galaxy%20Printing/Galaxy.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://dl8-cdn-01.sun.com/s/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?e=1231458850876&h=10398499ae9312f95f4147fe45ef4d8c/&filename=jinstall-6u11-windows-i586-jc.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-06-27 16:58:06 0 d-----w- c:\program files\common files\HP
2010-06-27 16:28:25 1602 ------w- c:\windows\hppmdl03.dat
2010-06-27 16:28:25 130852 ----a-w- c:\windows\hppins03.dat
2010-06-26 23:50:40 74 ----a-w- c:\windows\hpntwksetup.ini
2010-06-26 21:14:55 0 d-----w- C:\hp_CLJ2605_Full_Solution
2010-06-26 17:35:23 188416 ----a-w- c:\windows\system32\hpmews01.dll
2010-06-26 17:35:08 0 ----a-w- c:\windows\HPMProp.INI
2010-06-26 17:33:15 79872 ----a-w- c:\windows\system32\hppccompio.dll
2010-06-26 17:33:15 223232 ----a-w- c:\windows\system32\hpmtp104.dll
2010-06-26 17:33:15 18944 ----a-w- c:\windows\system32\hppmopjl.dll
2010-06-26 17:33:15 179200 ----a-w- c:\windows\system32\hpmpw081.dll
2010-06-26 17:33:14 49252 ----a-w- c:\windows\system32\hpmnque.dll
2010-06-26 17:33:14 49250 ----a-w- c:\windows\system32\hpmnndps.dll
2010-06-26 17:33:14 326656 ----a-w- c:\windows\system32\hpmml104.dll
2010-06-26 17:33:14 275968 ----a-w- c:\windows\system32\hpmja104.dll
2010-06-26 17:33:14 243200 ----a-w- c:\windows\system32\hpmpm081.dll
2010-06-26 17:33:13 179200 ----a-w- c:\windows\system32\hpcpn104.dll
2010-06-26 17:30:40 0 d-----w- C:\HP Universal Print Driver v5.1 PCL6 32-bit Driver
2010-06-26 17:12:33 0 d-----w- c:\windows\system32\NtmsData
2010-06-18 19:31:07 1064 ---ha-r- c:\documents and settings\tom\XrxWm.ini
2010-06-18 19:31:06 483 ---ha-r- c:\documents and settings\tom\xw45cpdy.dyc
2010-06-07 13:58:52 3648 ----a-w- c:\windows\hpbvnstp.hi1
2010-06-07 13:58:52 1100 ----a-w- c:\windows\hpbvnstp.bu1
2010-06-07 13:57:50 327680 ----a-w- c:\windows\system32\hppepr02.dll

==================== Find3M ====================

2010-07-06 12:46:18 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-02 00:44:40 102912 ----a-w- c:\windows\system32\hpmco104.dll
2010-04-16 15:33:36 3003680 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-04-09 14:24:05 2516356 ----a-w- C:\wordpress-2.9.2.zip
2010-04-04 21:22:11 16384 --sha-w- c:\windows\temp\cookies\index.dat
2010-04-04 21:22:12 32768 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2010-04-04 21:22:11 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:38:25.32 ===============

Attached Files



BC AdBot (Login to Remove)

 


#2 Maurice Naggar

Maurice Naggar

    Eradicator de malware


  • Malware Response Team
  • 1,088 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:07:10 PM

Posted 11 July 2010 - 10:27 AM

Hello randt and welcome to BC forums,

You will want to print out or copy these instructions to Notepad for offline reference!

Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

Step 1
1. Open Internet Explorer.
2. Click "Tools," and then click "Internet Options."
3. Click "Connections," and then click "LAN Settings."
4. Make sure the check boxes for "Automatically detect settings" and "Use automatic configuration script" are not selected.
5. Apply changes & OK

Step 2
Go to Start button > Select RUN > type in
CODE
CMD
and press Enter-key

Copy and Paste or type the exact (entire) contents of Code box
CODE
ipconfig /flushdns
and press Enter-key
Close Command prompt window

Step 3
Set Windows to show all files and all folders.
On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

Step 4
1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

Step 5
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall
  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy all the lines in Code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [CREATERESTOREPOINT]
    [EMPTYFLASH]
    [Reboot]

  • Return to OTL. Right click in the "Custom Scans/Fixes" window (under the aqua-blue bar) and choose Paste.
  • Close any browser(s) windows that may be open.
  • Using your mouse, click on the red-lettered button Run Fix.
  • Once you see a message box "Fix complete! Click OK to open the fix log."
    Click the OK button
  • The log will open in Notepad (your default text editor).
  • Save the log. Post a copy of that log in your next reply.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTL\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Step 6
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs
Do NOT turn off the firewall

Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista, right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • If the tool does not run from any of the links provided, please let me know.
  • If your antivirus program gives a prompt message, respond positive to allow RKILL to run.
  • If a malware-rogue gives a message regarding RKILL, proceed forward to running RKILL

Step 7
Download this file & extract TDSSKiller.exe onto your Desktop

Then create this batch file to be placed next to TDSSKiller:

----

Start NOTEPAD and copy/paste the text in the quotebox below into it:


CODE
@ECHO OFF
START /WAIT TDSSKILLER.exe -l Logit.txt -v
START Logit.txt
del %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run.

Please post back with the result.
Reply with copy of the OTL MovedFiles log
and Logit.txt

Do NOT use the attachment option to put your reports. Always Copy & Paste in-line with body of reply.
If needed, use separate replies.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users