Please help!

Question

samsplace86 0 Newbie Poster

18 Years Ago

Hey everyone, my name is Sam. I am in depserate need of people who know their stuff!
Please if you can help I would appreciate it. I own a hp nx6110 laptop which is running frustratingly slowly.
Here is my hijack report thingy, but I've no idea how to read it.
Logfile of HijackThis v1.99.1
Scan saved at 23:02:04, on 27/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142894343968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Any help i'd be SO thankful!
Thanks
Sam

windows-virus

3 Contributors
14 Replies
122 Views
6 Days Discussion Span
Latest Post 18 Years Ago Latest Post by samsplace86

All 14 Replies

tayspen 28 <Insert title here>

18 Years Ago

This line,

C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

Shows that HJt was run from an "Unsafe" location (Temporary Folder). It needs to be in its own folder. To do this follow these instructions.

Right click HERE (Or if your not using Internet Explorer, just click and save.) And Click "Save Target As...", When the dialog box comes up, select "Save", Then browse to your desktop, and press save. Exit out of internet explorer, double click on the folder. Then right Click on HiJackThis.exe And select "Cut". Then Right click on your Desktop And select New>Folder name that folder HJT. In that folder right click and click "Paste". Scan again.

Post a new log

tayspen 28 <Insert title here>

18 Years Ago

Well, it is still in a temp directory. Thats ok though, we are still going to proceed.

Ok, Run HJT again and put a check next to the following items.

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolba...arch.jhtml?p=ZN

O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab

Then if you dont want those items in your trusted zone, check off all the 015 items. Do that only if you dont reconize them.

Click fix checked

----------------------------------------------------

Go to Start>Control Panel>Add/Remove programs.

Remove anything having to do with:

mywebsearch

---------------------------------------------------

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds.

Post a new HJT log, and the ewido log

D3m3nt3d 1 Posting Whiz in Training

18 Years Ago

You are going to want to uninstall MessengerPlus 3! thru Add/Remove Programs.

Usually this comes with a Lop Infection.

Download ISeeYou
http://forum.networktechs.com/attachment.php?attachmentid=22563&d=1141266457
-Save to Desktop
-Reboot to Safe Mode
-Double Click ISeeYou.bat
-In 20-30 seconds a log will generate
-Save it for me and attach when you return

tayspen 28 <Insert title here>

18 Years Ago

Ok, I gotta remember about the Messenger3 Plus! seems to be in alot of these logs recently ;).

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

samsplace86 0 Newbie Poster · Answer 1 · 2006-03-29T05:01:33+00:00

Hey, did as was suggested. So here's the new scan. Thanks :)

Logfile of HijackThis v1.99.1
Scan saved at 00:00:57, on 29/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Sam\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/support/plugins/ebraryRdr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142894343968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

samsplace86 0 Newbie Poster · Answer 2 · 2006-03-30T20:36:58+00:00

samsplace86 0 Newbie Poster

18 Years Ago

Thank you SO SO SO very much!

D3m3nt3d 1 Posting Whiz in Training · Answer 3 · 2006-03-30T20:40:50+00:00

You're certainly welcome, would you mind running the ISeeYou and attaching the log for me?

tayspen 28 <Insert title here> Team Colleague · Answer 4 · 2006-03-30T20:42:40+00:00

That link has been bad for a while (the one to ISeeYou ). Maybe he downloaded it before it went bad, but i doubt it.

D3m3nt3d 1 Posting Whiz in Training · Answer 5 · 2006-03-30T23:29:11+00:00

Well I'll be!

Thanks for the heads up, PhilliePhan changes it a bit from time to time.

Anyway here is the link
http://forum.networktechs.com/attachment.php?attachmentid=22664&d=1143686508

samsplace86 0 Newbie Poster · Answer 6 · 2006-03-30T23:59:25+00:00

ok 1st things first, i've got a new hijack log, a ewido report and an iseeyou thingy too:

Logfile of HijackThis v1.99.1
Scan saved at 18:57:10, on 30/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142894343968
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           18:15:50, 30/03/2006
+ Report-Checksum:      BAEC0E73


+ Scan result:


No infected objects found.



::Report End


and iseeyou


****PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE  NOT  BADDIES!
****PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION.



Microsoft Windows XP [Version 5.1.2600]
30/03/2006
18:46



--------------------------------------------------------------------------
Items Found in ZoneMap\Domains:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com]
@=""


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\related]
"http"=dword:00000004



--------------------------------------------------------------------------
STARTUP ITEMS DISABLED VIA MSCONFIG:
--------------------------------------------------------------------------



--------------------------------------------------------------------------
LOG for Microsoft® Windows® Malicious Software Removal Tool:
--------------------------------------------------------------------------


---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.12, January 2006
Started On Sat Jan 14 22:53:32 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 14 22:54:51 2006



---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.13, February 2006
Started On Fri Feb 17 13:06:50 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 17 13:07:27 2006



---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.14, March 2006
Started On Wed Mar 15 03:02:01 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 15 03:03:07 2006



--------------------------------------------------------------------------
Select RunOnce Registry Key Items:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]



----------------------------------------------



--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--------------------------------------------------------------------------
ENUMERATING SCHEDULED TASKS:
--------------------------------------------------------------------------


Volume in drive C has no label.
Volume Serial Number is 23EF-25C6


Directory of C:\WINDOWS\tasks


08/03/2006  22:38    <DIR>          .
08/03/2006  22:38    <DIR>          ..
30/03/2006  18:00               248 B221D81C973A4A54.job
04/08/2004  09:00                65 desktop.ini
30/03/2006  18:41                 6 SA.DAT
3 File(s)            319 bytes


Total Files Listed:
3 File(s)            319 bytes
2 Dir(s)  21,308,317,696 bytes free
A   H      C:\WINDOWS\tasks\B221D81C973A4A54.job
A   HR     C:\WINDOWS\tasks\desktop.ini
A   H      C:\WINDOWS\tasks\SA.DAT


--------------------------------------------------------------------------
CHECKING SELECT POLICIES KEYS:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091



----------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001



----------------------------------------------



--------------------------------------------------------------------------
ENUMERATING RECENT DOWNLOADED PROGRAM FILES:
--------------------------------------------------------------------------


C:\WINDOWS\DOWNLOADED PROGRAM FILES


30/03/2006  11:21    <DIR>          ..
30/03/2006  11:21    <DIR>          .
29/01/2006  01:04            59,556 Doremi.ttf
23/01/2006  18:19                65 desktop.ini
08/12/2005  13:46             1,271 erma.inf
02/12/2005  12:55             5,101 swflash.inf
14/10/2005  13:49               587 MSNPupld.inf
14/10/2005  12:02           372,736 MsnPUpld.dll
26/05/2005  05:19               293 muweb.inf


--------------------------------------------------------------------------
CHECKING RECENTLY ADDED DRIVERS:
--------------------------------------------------------------------------


C:\WINDOWS\system32\drivers


28/03/2006  19:21    <DIR>          ..
28/03/2006  19:21    <DIR>          .
08/03/2006  14:06    <DIR>          etc
22/01/2006  23:54             1,754 103C_HP_NTBK_HP Compaq nx6110 (PY496ET#ABU)_YN_0U_QCNU5491Y2M_E367837006_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXH2_L409_M248_J40_7Intel_8Celeron M_91.4_#051004_N14E4170C_(PY496ET#ABU)_XMOBILE.MRK
13/01/2006  03:28           359,808 tcpip.sys
12/01/2006  22:11           163,644 secdrv.sys
08/03/2006  14:06    <DIR>          ..
08/03/2006  14:06    <DIR>          .
05/10/2005  01:28            20,576 pxhelp20.sys
05/10/2005  01:06    <DIR>          disdn
20/06/2005  12:33           190,400 SynTP.sys
10/06/2005  05:09           139,528 rdpwd.sys
10/05/2005  01:17           332,544 srv.sys
02/05/2005  17:13         3,222,784 w29n51.sys
25/04/2005  11:56           889,628 ialmnt5.sys
14/04/2005  11:22            88,352 drvmcdb.sys
14/04/2005  11:15            55,448 btwusb.sys
10/03/2005  12:08           371,712 BCMWL5.SYS
24/02/2005  12:29           162,176 PFC027.sys
02/02/2005  02:21            14,408 GEARAspiWDM.sys
28/01/2005  14:44            18,944 wpdusb.sys
19/01/2005  05:26           451,584 mrxsmb.sys
05/10/2005  01:06    <DIR>          ..
05/10/2005  01:06    <DIR>          .


--------------------------------------------------------------------------
CHECKING SYSTEM.INI:
--------------------------------------------------------------------------


; for 16-bit app support


[drivers]
wave=mmdrv.dll
timer=timer.drv


[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


--------------------------------------------------------------------------
CHECKING WIN.INI:
--------------------------------------------------------------------------


; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[Software by Design]
Disk CleanUp for Windows 95/NT=v4.8


--------------------------------------------------------------------------
MISCELLANEOUS DETECTIONS:
--------------------------------------------------------------------------


*** i386p.* Stealthing Agent NOT Found by this tool! ***


*** erssdd.* (ErrorSafe) Stealthing Agent NOT Found by this tool! ***


*** DP.* (VUNDO?) Stealthing Agent NOT Found by this tool! ***


*** msctl32.dll SpamBot NOT Found by this tool! ***


*** ibm000*.* KeyLogger NOT Found by this tool! ***


--------------------------------------------------------------------------
CHECKING FOR SDBOT-TYPE WORMS:
--------------------------------------------------------------------------


**** LOOKING FOR W32/Sdbot-AMA Worm ****
*** W32/Sdbot-AMA Worm NOT Found by this tool! ***


--------------------------------------------------------------------------
CHECKING FOR VISIBLE ROOTKIT-TYPE REGISTRY KEYS:
--------------------------------------------------------------------------


**** LOOKING FOR AVPE Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** avpe Keys NOT Found by this tool! ***


**** LOOKING FOR MEMLOW Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** memlow Keys  NOT Found by this tool! ***


**** LOOKING FOR VDMT Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** vdmt Keys  NOT Found by this tool! ***


**** LOOKING FOR DP1112 Vundo Rootkit Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** DP1112 Keys  NOT Found by this tool! ***


**** LOOKING FOR SYSBUS32 Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** sysbus32 Keys  NOT Found by this tool! ***


**** LOOKING FOR I386P Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** i386p Keys  NOT Found by this tool! ***


**** LOOKING FOR ERSSDD (ErrorSafe) Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** erssdd Keys  NOT Found by this tool! ***


**** LOOKING FOR GencTurK RootKit Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** GencTurK Keys  NOT Found by this tool! ***



#####################################################################################################

-- All DONE! :)

~ PhilliePhan ~

fabulous - who will work wonders? :) thank you guys, I appreciate this.

D3m3nt3d 1 Posting Whiz in Training · Answer 7 · 2006-03-31T03:41:37+00:00

This right here is a Lop Infection

C:\WINDOWS\tasks\B221D81C973A4A54.job

Download Pocket Killbox
http://bleepingcomputer.com/files/spyware/KillBox.zip
-Unzip to its own folder

Open Killbox and check Delete on Reboot
-Copy and Paste the following into the box

C:\WINDOWS\tasks\B221D81C973A4A54.job

It will prompt you to reboot, please do so.

Afterwords attach one more ISeeYou log - your HijackThis log looks fine.

samsplace86 0 Newbie Poster · Answer 8 · 2006-03-31T07:20:52+00:00

last one - hurrah!

****PLEASE NOTE THAT MOST (if not ALL) OF THE ITEMS BELOW ARE  NOT  BADDIES!
****PLEASE CONSULT A KNOWLEDGEABLE PERSON BEFORE TAKING ANY ACTION.



Microsoft Windows XP [Version 5.1.2600]
31/03/2006
02:19



--------------------------------------------------------------------------
Items Found in ZoneMap\Domains:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
@=""


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect]
"https"=dword:00000002


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com]
@=""


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\related]
"http"=dword:00000004



--------------------------------------------------------------------------
STARTUP ITEMS DISABLED VIA MSCONFIG:
--------------------------------------------------------------------------



--------------------------------------------------------------------------
LOG for Microsoft® Windows® Malicious Software Removal Tool:
--------------------------------------------------------------------------


---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.12, January 2006
Started On Sat Jan 14 22:53:32 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 14 22:54:51 2006



---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.13, February 2006
Started On Fri Feb 17 13:06:50 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Feb 17 13:07:27 2006



---------------------------------------------------------------------------------------


Microsoft Windows Malicious Software Removal Tool v1.14, March 2006
Started On Wed Mar 15 03:02:01 2006


Results Summary:
----------------
No infection found.


Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Mar 15 03:03:07 2006



--------------------------------------------------------------------------
Select RunOnce Registry Key Items:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]



----------------------------------------------



--------------------------------------------------------------------------
Shared Task Scheduler Registry Items:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



--------------------------------------------------------------------------
ENUMERATING SCHEDULED TASKS:
--------------------------------------------------------------------------


Volume in drive C has no label.
Volume Serial Number is 23EF-25C6


Directory of C:\WINDOWS\tasks


31/03/2006  00:32    <DIR>          .
31/03/2006  00:32    <DIR>          ..
04/08/2004  09:00                65 desktop.ini
31/03/2006  00:33                 6 SA.DAT
2 File(s)             71 bytes


Total Files Listed:
2 File(s)             71 bytes
2 Dir(s)  21,472,952,320 bytes free
A   HR     C:\WINDOWS\tasks\desktop.ini
A   H      C:\WINDOWS\tasks\SA.DAT


--------------------------------------------------------------------------
CHECKING SELECT POLICIES KEYS:
--------------------------------------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091



----------------------------------------------


Windows Registry Editor Version 5.00


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001



----------------------------------------------



--------------------------------------------------------------------------
ENUMERATING RECENT DOWNLOADED PROGRAM FILES:
--------------------------------------------------------------------------


C:\WINDOWS\DOWNLOADED PROGRAM FILES


30/03/2006  11:21    <DIR>          ..
30/03/2006  11:21    <DIR>          .
29/01/2006  01:04            59,556 Doremi.ttf
23/01/2006  18:19                65 desktop.ini
08/12/2005  13:46             1,271 erma.inf
02/12/2005  12:55             5,101 swflash.inf
14/10/2005  13:49               587 MSNPupld.inf
14/10/2005  12:02           372,736 MsnPUpld.dll
26/05/2005  05:19               293 muweb.inf


--------------------------------------------------------------------------
CHECKING RECENTLY ADDED DRIVERS:
--------------------------------------------------------------------------


C:\WINDOWS\system32\drivers


28/03/2006  19:21    <DIR>          ..
28/03/2006  19:21    <DIR>          .
08/03/2006  14:06    <DIR>          etc
22/01/2006  23:54             1,754 103C_HP_NTBK_HP Compaq nx6110 (PY496ET#ABU)_YN_0U_QCNU5491Y2M_E367837006_46_I3088_SHP_VKBC Version 39.1E_B68DTD Ver. F.0C_T051121_WXH2_L409_M248_J40_7Intel_8Celeron M_91.4_#051004_N14E4170C_(PY496ET#ABU)_XMOBILE.MRK
13/01/2006  03:28           359,808 tcpip.sys
12/01/2006  22:11           163,644 secdrv.sys
08/03/2006  14:06    <DIR>          ..
08/03/2006  14:06    <DIR>          .
05/10/2005  01:28            20,576 pxhelp20.sys
05/10/2005  01:06    <DIR>          disdn
20/06/2005  12:33           190,400 SynTP.sys
10/06/2005  05:09           139,528 rdpwd.sys
10/05/2005  01:17           332,544 srv.sys
02/05/2005  17:13         3,222,784 w29n51.sys
25/04/2005  11:56           889,628 ialmnt5.sys
14/04/2005  11:22            88,352 drvmcdb.sys
14/04/2005  11:15            55,448 btwusb.sys
10/03/2005  12:08           371,712 BCMWL5.SYS
24/02/2005  12:29           162,176 PFC027.sys
02/02/2005  02:21            14,408 GEARAspiWDM.sys
28/01/2005  14:44            18,944 wpdusb.sys
19/01/2005  05:26           451,584 mrxsmb.sys
05/10/2005  01:06    <DIR>          ..
05/10/2005  01:06    <DIR>          .


--------------------------------------------------------------------------
CHECKING SYSTEM.INI:
--------------------------------------------------------------------------


; for 16-bit app support


[drivers]
wave=mmdrv.dll
timer=timer.drv


[mci]
[driver32]
[386enh]
woafont=dosapp.FON
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON


--------------------------------------------------------------------------
CHECKING WIN.INI:
--------------------------------------------------------------------------


; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
CMCDLLNAME32=mapi32.dll
CMCDLLNAME=mapi.dll
CMC=1
MAPIX=1
MAPIXVER=1.0.0.1
OLEMessaging=1
[MCI Extensions.BAK]
aif=MPEGVideo
aifc=MPEGVideo
aiff=MPEGVideo
asf=MPEGVideo
asx=MPEGVideo
au=MPEGVideo
m1v=MPEGVideo
m3u=MPEGVideo
mp2=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpa=MPEGVideo
mpe=MPEGVideo
mpeg=MPEGVideo
mpg=MPEGVideo
mpv2=MPEGVideo
snd=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wmx=MPEGVideo
wpl=MPEGVideo
wvx=MPEGVideo
[Software by Design]
Disk CleanUp for Windows 95/NT=v4.8


--------------------------------------------------------------------------
MISCELLANEOUS DETECTIONS:
--------------------------------------------------------------------------


*** i386p.* Stealthing Agent NOT Found by this tool! ***


*** erssdd.* (ErrorSafe) Stealthing Agent NOT Found by this tool! ***


*** DP.* (VUNDO?) Stealthing Agent NOT Found by this tool! ***


*** msctl32.dll SpamBot NOT Found by this tool! ***


*** ibm000*.* KeyLogger NOT Found by this tool! ***


--------------------------------------------------------------------------
CHECKING FOR SDBOT-TYPE WORMS:
--------------------------------------------------------------------------


**** LOOKING FOR W32/Sdbot-AMA Worm ****
*** W32/Sdbot-AMA Worm NOT Found by this tool! ***


--------------------------------------------------------------------------
CHECKING FOR VISIBLE ROOTKIT-TYPE REGISTRY KEYS:
--------------------------------------------------------------------------


**** LOOKING FOR AVPE Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** avpe Keys NOT Found by this tool! ***


**** LOOKING FOR MEMLOW Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** memlow Keys  NOT Found by this tool! ***


**** LOOKING FOR VDMT Haxdoor Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** vdmt Keys  NOT Found by this tool! ***


**** LOOKING FOR DP1112 Vundo Rootkit Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** DP1112 Keys  NOT Found by this tool! ***


**** LOOKING FOR SYSBUS32 Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** sysbus32 Keys  NOT Found by this tool! ***


**** LOOKING FOR I386P Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** i386p Keys  NOT Found by this tool! ***


**** LOOKING FOR ERSSDD (ErrorSafe) Rootkit Driver Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** erssdd Keys  NOT Found by this tool! ***


**** LOOKING FOR GencTurK RootKit Reg Keys ****


---------- HKLMSYSKEYS.TXT
*** GencTurK Keys  NOT Found by this tool! ***



#####################################################################################################

-- All DONE! :)

~ PhilliePhan ~

D3m3nt3d 1 Posting Whiz in Training · Answer 9 · 2006-03-31T07:58:05+00:00

Alright - Last thing to do.

Check Add/Remove Programs and verify mirarsearch is not listed.

NEXT
Copy the contents to notepad
-Save the file as fix.reg
-Double click the file and answer YES to merge into the registry

REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\redirect]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com\click]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\mirarsearch.com]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com\click]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getmirar.com]

After that you should flush your System Restore points and you're good to go. :)

Disable
1. Right click My Computer
2. Choose Properties>System Restore tab
3. Check Turn off System Restore or Turn off System Restore on all Drives
4. Click Apply and reboot

Enable
1. Right click My Computer
2. Choose Properties>System Restore tab
3. Uncheck Turn off System Restore or Turn off System Restore on all Drives
4. Click Apply and reboot

samsplace86 0 Newbie Poster · Answer 10 · 2006-04-03T21:12:42+00:00

That's alot faster! Fantastic!
Thank you everyone!! :cheesy:

Please help!

Recommended Answers Collapse Answers

All 14 Replies

Recommended Answers