Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Brave Sentry nightmare rundll w238c0f8.dll error help


  • This topic is locked This topic is locked

#1
androids

androids

    Member

  • Member
  • PipPip
  • 14 posts
Logfile of HijackThis v1.99.1
Scan saved at 6:14:22 PM, on 10/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\mmputt.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\tcpip.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\services.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[2].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R3 - URLSearchHook: (no name) - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hasbkyo.exe
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [iog4dbc8] RUNDLL32.EXE w238c0f8.dll,n 0064dbc20000000a238c0f8
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [{84-4E-E8-85-ZN}] C:\windows\system32\osdsregk.exe ELT001
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [zscwqosA] C:\WINDOWS\zscwqosA.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [fnykar] C:\WINDOWS\System32\fvusat.exe reg_run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [WinMedia] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\19E3584.exe
O4 - HKCU\..\Run: [bjgmb] C:\WINDOWS\System32\fvusat.exe reg_run
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Update ThinkPad Software - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160698891503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160698870963
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nu...ATES/winwcd.cab
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)
O21 - SSODL: MaNwFWoEZk - {5CB84E86-F612-E42C-B851-75EC77F22A15} - C:\WINDOWS\System32\wc.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\xivar.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :whistling:

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • 0

#3
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
hi Sam thank you so much for responding here is my combofix log
I am a bit of a novice so please have patience deb






Thinkpad - 06-10-27 23:58:21.14 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Thinkpad"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{FBEC9C9F-40B2-4A89-BF0C-13B99CFB0569}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FBEC9C9F-40B2-4A89-BF0C-13B99CFB0569}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{FBEC9C9F-40B2-4A89-BF0C-13B99CFB0569}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{FBEC9C9F-40B2-4A89-BF0C-13B99CFB0569}\InprocServer32]
@="C:\\WINDOWS\\system32\\wqvcore.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{BC25BE1C-4850-45A0-9716-3084DA3113C5}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BC25BE1C-4850-45A0-9716-3084DA3113C5}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{BC25BE1C-4850-45A0-9716-3084DA3113C5}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{BC25BE1C-4850-45A0-9716-3084DA3113C5}\InprocServer32]
@="C:\\WINDOWS\\system32\\dnskperf.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-10-25 11:31 288 eqbaq.dll.qoo
06-10-24 14:38 53 vllllw.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar_e37.exe
C:\nwnmff_e36.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\maxd641.exe
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\winupdate
C:\Program Files\Common Files\{5CB84E85-0256-1033-0329-050410060001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-27 to 2006-10-27 ))))))))))))))))))))))))))))))))))


2006-10-27 23:42 217,346 --a------ C:\WINDOWS\srvmqaxela.exe
2006-10-27 15:30 217,346 --a------ C:\WINDOWS\srvlrhwfka.exe
2006-10-26 17:43 217,346 --a------ C:\WINDOWS\srvjzlsllb.exe
2006-10-26 17:41 217,346 --a------ C:\WINDOWS\srvoxhufed.exe
2006-10-26 17:36 217,346 --a------ C:\WINDOWS\srvrozzwhx.exe
2006-10-26 17:31 303,104 --a------ C:\WINDOWS\system32\WinNB57.dll
2006-10-26 17:31 217,346 --a------ C:\WINDOWS\srvmxueatm.exe
2006-10-26 15:58 49,428 --a------ C:\WINDOWS\system32\iawqplwf.dll
2006-10-26 14:09 217,346 --a------ C:\WINDOWS\srvrsoxbhq.exe
2006-10-26 10:37 217,346 --a------ C:\WINDOWS\srvqnbhuel.exe
2006-10-26 09:38 217,346 --a------ C:\WINDOWS\srvzaufcwt.exe
2006-10-25 20:51 816,288 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-25 20:51 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-25 20:51 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-25 20:51 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-25 20:51 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-10-25 20:51 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-25 20:51 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-25 17:26 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-25 15:58 122,900 --a------ C:\WINDOWS\system32\ybmxnegg.dll
2006-10-25 15:57 217,346 --a------ C:\WINDOWS\srvmwgpzud.exe
2006-10-25 15:56 53,248 --a------ C:\WINDOWS\ab_02.exe
2006-10-25 11:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-25 11:06 217,346 --a------ C:\WINDOWS\srvpgrzceu.exe
2006-10-25 07:37 217,346 --a------ C:\WINDOWS\srvotvqxoh.exe
2006-10-25 07:36 16,384 --a------ C:\mc44a37.exe
2006-10-24 20:00 160,768 --a------ C:\WINDOWS\system32\xivar.dll
2006-10-24 19:51 217,346 --a------ C:\WINDOWS\srvnkmbpqk.exe
2006-10-24 19:50 217,346 --a------ C:\WINDOWS\srvgpqoubd.exe
2006-10-24 14:40 49,664 --a------ C:\WINDOWS\system32\instcat.dll
2006-10-24 14:40 40,960 --a------ C:\WINDOWS\mmputt.exe
2006-10-24 14:40 277,505 --a------ C:\WINDOWS\system32\durvil1.exe
2006-10-24 14:40 160,256 --a------ C:\WINDOWS\system32\udso.dll
2006-10-24 14:40 151,040 --a------ C:\WINDOWS\system32\durvil1.dll
2006-10-24 14:39 215,308 --a------ C:\WINDOWS\Setup99.exe
2006-10-24 14:38 969 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-24 14:38 913,576 --a------ C:\WINDOWS\system32\WinNB66.dll
2006-10-24 14:38 26,624 --a------ C:\WINDOWS\system32\rpcc.dll
2006-10-24 14:38 217,346 --a------ C:\WINDOWS\srvturfzxm.exe
2006-10-24 14:37 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-24 14:37 217,346 --a------ C:\WINDOWS\Setup90.exe
2006-10-24 14:37 217,276 --a------ C:\WINDOWS\srvpcpeojg.exe
2006-10-24 14:37 17,920 --a------ C:\WINDOWS\system32\tcpip.exe
2006-10-24 14:37 1,259 --a------ C:\WINDOWS\system32\iog4dbc8.sys
2006-10-17 10:52 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2006-10-14 18:39 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-10-13 20:24 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-12 20:51 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-12 20:51 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-12 20:51 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-12 20:49 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-10-12 20:49 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-10-12 20:49 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-10-12 20:49 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-12 20:49 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-10-12 20:49 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-10-12 20:49 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-10-12 20:49 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-10-12 20:49 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-10-12 20:49 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-10-12 20:49 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-10-12 20:49 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-10-12 20:49 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-10-12 20:49 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-10-12 20:49 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-10-12 20:49 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-10-12 20:49 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-10-12 20:44 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2006-10-12 20:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-12 20:24 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-10-12 20:24 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-10-12 20:24 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-12 20:24 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-12 20:21 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-12 20:21 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-12 20:21 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-12 20:21 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-10-12 20:21 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-12 20:21 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-10-06 18:11 65,536 --a------ C:\WINDOWS\system32\Winwcd.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-10-28 00:04 5540 --ahs---- C:\Documents and Settings\Thinkpad\Application Data\F873E073A50F40A2B71BA6964213C7D4.sta
2006-10-28 00:04 17414 --ahs---- C:\Documents and Settings\Thinkpad\Application Data\F873E073A50F40A2B71BA6964213C7D4.rul
2006-10-27 23:58 -------- d-------- C:\Program Files\Common Files
2006-10-27 23:53 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 23:41 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 12:59 -------- d-------- C:\Program Files\Common Files\Real
2006-10-27 12:57 -------- d-------- C:\Program Files\GameFiesta
2006-10-27 12:10 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\AVG7
2006-10-27 02:19 -------- d-------- C:\Program Files\Real
2006-10-26 23:58 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-10-26 22:50 -------- d-------- C:\Program Files\BFG
2006-10-26 17:52 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 17:52 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 07:27 -------- d-------- C:\Program Files\TryMedia
2006-10-26 06:24 -------- d-------- C:\Program Files\Windows Defender
2006-10-26 06:24 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-26 06:22 -------- d---s---- C:\Documents and Settings\Thinkpad\Application Data\Microsoft
2006-10-25 20:51 -------- d-------- C:\Program Files\Grisoft
2006-10-25 20:38 -------- d-------- C:\Program Files\Messenger
2006-10-25 20:38 -------- d-------- C:\Program Files\Internet Explorer
2006-10-25 17:26 -------- d-------- C:\Program Files\Windows Media Player
2006-10-25 17:23 -------- d-------- C:\Program Files\Movie Maker
2006-10-25 17:20 -------- d-------- C:\Program Files\NetMeeting
2006-10-25 17:19 -------- d-------- C:\Program Files\Windows NT
2006-10-25 14:13 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-25 12:12 -------- d-------- C:\Program Files\PCFriendly
2006-10-25 12:09 -------- d-------- C:\Program Files\Ares
2006-10-25 11:13 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\MSN6
2006-10-24 20:28 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Mozilla
2006-10-24 20:07 -------- d-------- C:\Program Files\XoftSpySE
2006-10-24 14:46 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-24 14:37 -------- d-------- C:\Program Files\em
2006-10-22 09:16 -------- d-------- C:\Program Files\ReflexiveArcade
2006-10-18 17:21 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-18 17:20 -------- d-------- C:\Program Files\Adobe
2006-10-18 17:20 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\InterTrust
2006-10-18 17:20 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Adobe
2006-10-18 17:14 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Sun
2006-10-17 11:05 -------- d-------- C:\Program Files\iTunes
2006-10-17 11:05 -------- d-------- C:\Program Files\iPod
2006-10-17 11:03 -------- d-------- C:\Program Files\QuickTime
2006-10-17 11:02 -------- d-------- C:\Program Files\Apple Software Update
2006-10-17 10:54 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Apple Computer
2006-10-14 17:56 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Goodsol
2006-10-14 17:55 -------- d-------- C:\Program Files\Spider Wizard
2006-10-13 20:04 -------- d-------- C:\Program Files\LimeWire
2006-10-13 19:57 -------- d-------- C:\Program Files\Java
2006-10-13 19:55 -------- d-------- C:\Program Files\Common Files\Java
2006-10-11 18:04 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Lavasoft
2006-10-11 18:03 -------- d-------- C:\Program Files\Lavasoft
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"tgcmd"=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_SMB"=""
"tgcmd"=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"StorageGuard"="\"c:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
@=""
"Alogserv"="C:\\Program Files\\McAfee\\McAfee VirusScan\\alogserv.exe"
"McAfee.InstantUpdate.Monitor"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Instant Updater\\RuLaunch.exe\" /startmonitor"
"McAfee Guardian"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe\" /SU"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"iog4dbc8"="RUNDLL32.EXE w238c0f8.dll,n 0064dbc20000000a238c0f8"
"mmcrat06"="C:\\WINDOWS\\mmputt.exe"
"{84-4E-E8-85-ZN}"="C:\\windows\\system32\\osdsregk.exe ELT001"
"loaddr"="C:\\DOCUME~1\\Thinkpad\\LOCALS~1\\Temp\\fred.exe"
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"
"zscwqosA"="C:\\WINDOWS\\zscwqosA.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ToolbarInstall"="C:\\DOCUME~1\\Thinkpad\\LOCALS~1\\Temp\\MirarSetup_876085.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\pokof.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\mehecyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"="DCOM Server 2234"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"DCOM Server 2236"="{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"
"MaNwFWoEZk"="{5CB84E86-F612-E42C-B851-75EC77F22A15}"
"DCOM Server 2234"="{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wavecr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 06-10-28 0:06:10.98
C:\ComboFix.txt ... 06-10-28 00:06
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
No worries. :whistling: We'll plug away at it until we have you fixed up.
You've got a badly infected computer, so this will probably take a few steps though.

Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it to the desktop and start GMER.exe
Click the Rootkit tab and click the Scan button.

Warning! Please do not select the "Show all" checkbox during the scan.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results here in your next reply.
  • 0

#5
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-29 08:30:51
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.11 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess <-- ROOTKIT !!!
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess <-- ROOTKIT !!!

SYSENTER ? BAF7AE91

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ADD85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ADD85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ADD85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ADD85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F8ADD85A] avgtdi.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAE9144C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAE9144C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAE9144C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAE9144C] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [BAE9144C] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [BAE9164C] tfsnifs.sys

---- Modules - GMER 1.0.11 ----

Module (noname) (*** hidden *** ) BAF76000

---- Threads - GMER 1.0.11 ----

Thread 4:1212 BAF78F6C

---- Services - GMER 1.0.11 ----

Service C:\WINDOWS\System32:lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!

---- Registry - GMER 1.0.11 ----

Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\ControlSet004\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] \??\C:\WINDOWS\System32:lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 0x55 0xCE 0xAB 0x0F ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\[email protected] 1

---- Files - GMER 1.0.11 ----

ADS C:\WINDOWS\system32:lzx32.sys <-- ROOTKIT !!!

---- EOF - GMER 1.0.11 ----
  • 0

#6
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi sorry I could not type anything other than the log. Took me hours to do this, very difficult to use this computer sa it is constanly crashing. Hope i did the log right... :whistling: :blink:
  • 0

#7
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
You did great! That's the info I needed to see. :whistling:
This next step should help a lot.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to unload:
pe386

Files to delete:

C:\WINDOWS\System32\lzx32.sys
 C:\mc44a37.exe
 C:\WINDOWS\ab_02.exe
 C:\WINDOWS\hancerdoem.exe
 C:\WINDOWS\mmputt.exe
 C:\WINDOWS\Setup90.exe
 C:\WINDOWS\Setup99.exe
 C:\WINDOWS\srvgpqoubd.exe
 C:\WINDOWS\srvjzlsllb.exe
 C:\WINDOWS\srvlrhwfka.exe
 C:\WINDOWS\srvmwgpzud.exe
 C:\WINDOWS\srvmxueatm.exe
 C:\WINDOWS\srvnkmbpqk.exe
 C:\WINDOWS\srvotvqxoh.exe
 C:\WINDOWS\srvoxhufed.exe
 C:\WINDOWS\srvpcpeojg.exe
 C:\WINDOWS\srvpgrzceu.exe
 C:\WINDOWS\srvqnbhuel.exe
 C:\WINDOWS\srvrozzwhx.exe
 C:\WINDOWS\srvrsoxbhq.exe
 C:\WINDOWS\srvturfzxm.exe
 C:\WINDOWS\srvzaufcwt.exe
 C:\WINDOWS\system32\durvil1.dll
 C:\WINDOWS\system32\durvil1.exe
 C:\WINDOWS\system32\iawqplwf.dll
 C:\WINDOWS\system32\instcat.dll
 C:\WINDOWS\system32\rpcc.dll
 C:\WINDOWS\system32\udso.dll
 C:\WINDOWS\system32\WinNB57.dll
 C:\WINDOWS\system32\WinNB66.dll
 C:\WINDOWS\system32\winpfg32.sys
 C:\WINDOWS\system32\wmpns.dll
 C:\WINDOWS\system32\xivar.dll
 C:\WINDOWS\system32\ybmxnegg.dll
C:\WINDOWS\srvmqaxela.exe





Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
  • 0

#8
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here are those logs.....thanks again

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\yoc^adpy

*******************

Script file located at: \??\C:\WINDOWS\pqyjshrw.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.


File C:\WINDOWS\System32\lzx32.sys not found!
Deletion of file C:\WINDOWS\System32\lzx32.sys failed!

Could not process line:
C:\WINDOWS\System32\lzx32.sys
Status: 0xc0000034

File C:\mc44a37.exe deleted successfully.
File C:\WINDOWS\ab_02.exe deleted successfully.
File C:\WINDOWS\hancerdoem.exe deleted successfully.
File C:\WINDOWS\mmputt.exe deleted successfully.
File C:\WINDOWS\Setup90.exe deleted successfully.
File C:\WINDOWS\Setup99.exe deleted successfully.
File C:\WINDOWS\srvgpqoubd.exe deleted successfully.
File C:\WINDOWS\srvjzlsllb.exe deleted successfully.
File C:\WINDOWS\srvlrhwfka.exe deleted successfully.
File C:\WINDOWS\srvmwgpzud.exe deleted successfully.
File C:\WINDOWS\srvmxueatm.exe deleted successfully.
File C:\WINDOWS\srvnkmbpqk.exe deleted successfully.
File C:\WINDOWS\srvotvqxoh.exe deleted successfully.
File C:\WINDOWS\srvoxhufed.exe deleted successfully.
File C:\WINDOWS\srvpcpeojg.exe deleted successfully.
File C:\WINDOWS\srvpgrzceu.exe deleted successfully.
File C:\WINDOWS\srvqnbhuel.exe deleted successfully.
File C:\WINDOWS\srvrozzwhx.exe deleted successfully.
File C:\WINDOWS\srvrsoxbhq.exe deleted successfully.
File C:\WINDOWS\srvturfzxm.exe deleted successfully.
File C:\WINDOWS\srvzaufcwt.exe deleted successfully.
File C:\WINDOWS\system32\durvil1.dll deleted successfully.
File C:\WINDOWS\system32\durvil1.exe deleted successfully.
File C:\WINDOWS\system32\iawqplwf.dll deleted successfully.
File C:\WINDOWS\system32\instcat.dll deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\system32\udso.dll deleted successfully.
File C:\WINDOWS\system32\WinNB57.dll deleted successfully.
File C:\WINDOWS\system32\WinNB66.dll deleted successfully.
File C:\WINDOWS\system32\winpfg32.sys deleted successfully.
File C:\WINDOWS\system32\wmpns.dll deleted successfully.
File C:\WINDOWS\system32\xivar.dll deleted successfully.
File C:\WINDOWS\system32\ybmxnegg.dll deleted successfully.
File C:\WINDOWS\srvmqaxela.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 5:49:39 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\tcpip.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Webscanx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\kernels8.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ThinkPad\UltraNav Wizard\UNavTray.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Thinkpad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [iog4dbc8] RUNDLL32.EXE w238c0f8.dll,n 0064dbc20000000a238c0f8
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [{84-4E-E8-85-ZN}] C:\windows\system32\osdsregk.exe ELT001
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [zscwqosA] C:\WINDOWS\zscwqosA.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Update ThinkPad Software - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160698891503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160698870963
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nu...ATES/winwcd.cab
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\mkhrq.dll
O21 - SSODL: MaNwFWoEZk - {5CB84E86-F612-E42C-B851-75EC77F22A15} - C:\WINDOWS\System32\wc.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\xivar.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0

#9
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
That's a big step in the right direction.

Run Hijackthis again, click scan, and Put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [iog4dbc8] RUNDLL32.EXE w238c0f8.dll,n 0064dbc20000000a238c0f8
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [{84-4E-E8-85-ZN}] C:\windows\system32\osdsregk.exe ELT001
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKLM\..\Run: [zscwqosA] C:\WINDOWS\zscwqosA.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels8.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\kernels8.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {E4C29FDC-F547-4219-ACFD-571F2A7A564A} (WebCamTest Class) - http://awbeta.net-nu...ATES/winwcd.cab
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - C:\WINDOWS\system32\mkhrq.dll
O21 - SSODL: MaNwFWoEZk - {5CB84E86-F612-E42C-B851-75EC77F22A15} - C:\WINDOWS\System32\wc.dll (file missing)
O21 - SSODL: DCOM Server 2234 - {2C1CD3D7-86AC-4068-93BC-A02304BB2234} - C:\WINDOWS\System32\xivar.dll (file missing)



===============


I see you are running two antivirus programs - AVG and Mcafee. This will cause problems. Please uninstall one of these two programs.


===============


Reboot your computer.
Please post a new hijackthis log and a new log from Combofix.
  • 0

#10
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hi here are those two logs..... :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:24 PM, on 10/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\tcpip.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Thinkpad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Update ThinkPad Software - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160698891503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160698870963
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

Thinkpad - 06-10-29 19:48:53.32 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Thinkpad\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-29 to 2006-10-29 ))))))))))))))))))))))))))))))))))


2006-10-29 07:59 7,105 --a------ C:\WINDOWS\system32\dlh9jkdq7.exe
2006-10-29 07:59 6,593 --a------ C:\WINDOWS\system32\dlh9jkdq6.exe
2006-10-29 07:59 18,369 --a------ C:\WINDOWS\system32\dlh9jkdq2.exe
2006-10-29 07:50 15 --a------ C:\WINDOWS\system32\dlh9jkdq8.exe
2006-10-28 10:24 160,768 --a------ C:\WINDOWS\system32\mkhrq.dll
2006-10-27 23:10 217,346 --a------ C:\WINDOWS\srvfdbgoww.exe
2006-10-25 19:51 816,288 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-10-25 19:51 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-10-25 19:51 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-10-25 19:51 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-10-25 19:51 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-10-25 19:51 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-10-25 19:51 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-25 10:12 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-24 13:37 17,920 --a------ C:\WINDOWS\system32\tcpip.exe
2006-10-24 13:37 1,259 --a------ C:\WINDOWS\system32\iog4dbc8.sys
2006-10-17 09:52 38,229 --------- C:\WINDOWS\system32\drivers\StMp3Rec.sys
2006-10-14 17:39 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2006-10-13 19:24 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2006-10-12 19:51 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2006-10-12 19:51 39,936 --a------ C:\WINDOWS\system32\mf3216.dll
2006-10-12 19:51 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-10-12 19:49 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2006-10-12 19:49 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-10-12 19:49 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2006-10-12 19:49 46,352 --a------ C:\WINDOWS\setdebug.exe
2006-10-12 19:49 404,752 --a------ C:\WINDOWS\system32\javart.dll
2006-10-12 19:49 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-10-12 19:49 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-10-12 19:49 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-10-12 19:49 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2006-10-12 19:49 172,304 --a------ C:\WINDOWS\system32\jview.exe
2006-10-12 19:49 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2006-10-12 19:49 171,280 --a------ C:\WINDOWS\system32\jit.dll
2006-10-12 19:49 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2006-10-12 19:49 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-10-12 19:49 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2006-10-12 19:49 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-10-12 19:49 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-10-12 19:44 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2006-10-12 19:27 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-12 19:24 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2006-10-12 19:24 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2006-10-12 19:24 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2006-10-12 19:24 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-10-12 19:21 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-10-12 19:21 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-10-12 19:21 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-10-12 19:21 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-10-12 19:21 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-10-12 19:21 127,256 --a------ C:\WINDOWS\system32\wucltui.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-29 19:43 7371 --ahs---- C:\Documents and Settings\Thinkpad\Application Data\F873E073A50F40A2B71BA6964213C7D4.sta
2006-10-29 19:43 17414 --ahs---- C:\Documents and Settings\Thinkpad\Application Data\F873E073A50F40A2B71BA6964213C7D4.rul
2006-10-29 19:41 -------- d-------- C:\Program Files\Common Files
2006-10-29 19:37 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-29 08:00 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\AVG7
2006-10-28 19:34 -------- d-------- C:\Program Files\Spider Wizard
2006-10-27 22:41 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 11:59 -------- d-------- C:\Program Files\Common Files\Real
2006-10-27 11:57 -------- d-------- C:\Program Files\GameFiesta
2006-10-27 01:19 -------- d-------- C:\Program Files\Real
2006-10-26 22:58 774144 --a------ C:\Program Files\RngInterstitial.dll
2006-10-26 21:50 -------- d-------- C:\Program Files\BFG
2006-10-26 16:52 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 16:52 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 06:27 -------- d-------- C:\Program Files\TryMedia
2006-10-26 05:24 -------- d-------- C:\Program Files\Windows Defender
2006-10-26 05:24 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-26 05:22 -------- d---s---- C:\Documents and Settings\Thinkpad\Application Data\Microsoft
2006-10-25 19:51 -------- d-------- C:\Program Files\Grisoft
2006-10-25 19:38 -------- d-------- C:\Program Files\Messenger
2006-10-25 19:38 -------- d-------- C:\Program Files\Internet Explorer
2006-10-25 16:26 -------- d-------- C:\Program Files\Windows Media Player
2006-10-25 16:23 -------- d-------- C:\Program Files\Movie Maker
2006-10-25 16:20 -------- d-------- C:\Program Files\NetMeeting
2006-10-25 16:19 -------- d-------- C:\Program Files\Windows NT
2006-10-25 13:13 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-10-25 11:12 -------- d-------- C:\Program Files\PCFriendly
2006-10-25 11:09 -------- d-------- C:\Program Files\Ares
2006-10-25 10:13 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\MSN6
2006-10-24 19:28 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Mozilla
2006-10-24 19:07 -------- d-------- C:\Program Files\XoftSpySE
2006-10-24 13:46 -------- d--h----- C:\Program Files\WindowsUpdate
2006-10-24 13:37 -------- d-------- C:\Program Files\em
2006-10-22 08:16 -------- d-------- C:\Program Files\ReflexiveArcade
2006-10-18 16:21 -------- d-------- C:\Program Files\Common Files\Adobe
2006-10-18 16:20 -------- d-------- C:\Program Files\Adobe
2006-10-18 16:20 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\InterTrust
2006-10-18 16:20 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Adobe
2006-10-18 16:14 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Sun
2006-10-17 10:05 -------- d-------- C:\Program Files\iTunes
2006-10-17 10:05 -------- d-------- C:\Program Files\iPod
2006-10-17 10:03 -------- d-------- C:\Program Files\QuickTime
2006-10-17 10:02 -------- d-------- C:\Program Files\Apple Software Update
2006-10-17 09:54 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Apple Computer
2006-10-14 16:56 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Goodsol
2006-10-13 19:04 -------- d-------- C:\Program Files\LimeWire
2006-10-13 18:57 -------- d-------- C:\Program Files\Java
2006-10-13 18:55 -------- d-------- C:\Program Files\Common Files\Java
2006-10-11 17:04 -------- d-------- C:\Documents and Settings\Thinkpad\Application Data\Lavasoft
2006-10-11 17:03 -------- d-------- C:\Program Files\Lavasoft
2006-09-15 16:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 00:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 10:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-16 06:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"tgcmd"=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"S3TRAY2"="S3Tray2.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"BluetoothAuthenticationAgent"="rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent"
"TPHOTKEY"="C:\\PROGRA~1\\ThinkPad\\PkgMgr\\HOTKEY\\TPHKMGR.exe"
"BMMGAG"="RunDll32 C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\pwrmonit.dll,StartPwrMonitor"
"BMMLREF"="C:\\Program Files\\ThinkPad\\Utilities\\BMMLREF.EXE"
"TPKMAPMN"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapMn.exe"
"TP4EX"="tp4ex.exe"
"EZEJMNAP"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\EzEjMnAp.Exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"UC_SMB"=""
"tgcmd"=""
"ibmmessages"="C:\\Program Files\\IBM\\Messages By IBM\\ibmmessages.exe"
"StorageGuard"="\"c:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"QCTRAY"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCTRAY.EXE"
"QCWLICON"="C:\\Program Files\\ThinkPad\\ConnectUtilities\\QCWLICON.EXE"
"AGRSMMSG"="AGRSMMSG.exe"
"TPKMAPHELPER"="C:\\Program Files\\ThinkPad\\Utilities\\TpKmapAp.exe -helper"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"PRONoMgrWired"="C:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PRONoMgr.exe"
"McAfee.InstantUpdate.Monitor"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Instant Updater\\RuLaunch.exe\" /startmonitor"
"McAfee Guardian"="\"C:\\Program Files\\McAfee\\McAfee Shared Components\\Guardian\\CMGrdian.exe\" /SU"
"WorksFUD"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"Microsoft Works Portfolio"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"loaddr"="C:\\DOCUME~1\\Thinkpad\\LOCALS~1\\Temp\\fred.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\pokof.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\mehecyw.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,52,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"="DCOM Server 2236"
"{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"="DCOM Server 2234"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\instcat
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\QConGina
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wavecr
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BMMTask.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 06-10-29 19:50:20.66
C:\ComboFix.txt ... 06-10-29 19:50
C:\ComboFix2.txt ... 06-10-29 19:36
C:\ComboFix3.txt ... 06-10-27 23:07
  • 0

Advertisements


#11
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We're getting there.


Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{2C1CD3D7-86AC-4068-93BC-A02304BB2236}"=-
"{2C1CD3D7-86AC-4068-93BC-A02304BB2234}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg]
Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


=============


Run this script through Avenger just like you did before.

Files to delete:

C:\Program Files\MSN Gaming Zone\pokof.html
C:\WINDOWS\system32\dlh9jkdq7.exe
C:\WINDOWS\system32\dlh9jkdq6.exe
C:\WINDOWS\system32\dlh9jkdq2.exe
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\mkhrq.dll
C:\WINDOWS\srvfdbgoww.exe
C:\WINDOWS\uni_e6h.exe


=============



Please open up AVG Anti-Spyware
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

You may want to print out these instructions as the rest of this fix will take place in safe mode.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
  • Clean out your Temporary Internet files.
    • Internet Explorer
      [list]
    • Close Internet Explorer and close any instances of Windows Explorer.
    • Click Start -> Control Panel and then double-click Internet Options.
    • On the General tab, click Delete Files under Temporary Internet Files.
    • In the Delete Files dialog box, tick the Delete all offline content check box , and then click OK.
    • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
    • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
    • Click OK.

  • Firefox (In case you also have Firefox installed)
    • Open Firefox and go to Tools -> Options.
    • Click Privacy in the menu on the left side of the Options window.
    • Click the Clear button located to the right of each option (History, Cookies, Cache).
    • Click OK to close the Options window.
      Alternatively, you can clear all information stored while browsing by clicking Clear All.
      A confirmation dialog box will be shown before clearing the information.
IMPORTANT: Close all windows and do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning proccess:
  • Lauch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware scan report along with a new Hijackthis log.

  • 0

#12
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\fvsdwcsj

*******************

Script file located at: \??\C:\Documents and Settings\mreadsvu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\Program Files\MSN Gaming Zone\pokof.html not found!
Deletion of file C:\Program Files\MSN Gaming Zone\pokof.html failed!

Could not process line:
C:\Program Files\MSN Gaming Zone\pokof.html
Status: 0xc0000034

File C:\WINDOWS\system32\dlh9jkdq7.exe deleted successfully.
File C:\WINDOWS\system32\dlh9jkdq6.exe deleted successfully.
File C:\WINDOWS\system32\dlh9jkdq2.exe deleted successfully.
File C:\WINDOWS\system32\dlh9jkdq8.exe deleted successfully.
File C:\WINDOWS\system32\mkhrq.dll deleted successfully.
File C:\WINDOWS\srvfdbgoww.exe deleted successfully.
File C:\WINDOWS\uni_e6h.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
  • 0

#13
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Were you able to run AVG Antispyware?
  • Click Start -> Control Panel -> Display
  • Go to the Desktop tab and click on the Customize Desktop button.
  • Go to the Web tab
  • Select anything except "My Current Homepage" and then click the Delete button.

  • 0

#14
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Sorry for the delay I was out of town for a few days...here is the spyware







---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:14:07 AM 10/31/2006

+ Scan result:



C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP211\A0024559.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP211\A0024625.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP212\A0024632.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP212\A0024640.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP219\A0030749.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP219\A0030759.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP229\A0038894.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\WINDOWS\elitesix.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP213\A0024643.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP220\A0030915.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP229\A0038893.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP230\A0039976.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\avenger\backup-Mon 10.30.2006-19.14.14.24.zip/avenger/WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\avenger\backup-Mon 10.30.2006-19.14.14.24.zip/avenger/mc44a37.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP233\A0040254.exe -> Downloader.Tibs.ir : Cleaned with backup (quarantined).
C:\Documents and Settings\Thinkpad\Desktop\Other Stuff\TagASaurus.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP211\A0024626.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP212\A0024642.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP219\A0030744.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP219\A0030748.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP219\A0030914.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP231\A0040153.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\tcpip.exe -> Hijacker.Small.ja : Cleaned with backup (quarantined).
C:\avenger\backup-Mon 10.30.2006-19.14.14.24.zip/avenger/mmputt.exe -> Hijacker.VB.qd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP230\A0039949.dll -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP230\A0039950.exe -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\avenger\backup-Mon 10.30.2006-19.14.14.24.zip/avenger/durvil1.dll -> Trojan.Kolweb.b : Cleaned with backup (quarantined).
C:\avenger\backup-Mon 10.30.2006-19.14.14.24.zip/avenger/durvil1.exe -> Trojan.Kolweb.b : Cleaned with backup (quarantined).


::Report end
  • 0

#15
androids

androids

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Here is my hijack log





Logfile of HijackThis v1.99.1
Scan saved at 7:18:55 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Thinkpad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\System32\ybmxnegg.dll (file missing)
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin2.dll
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\iawqplwf.dll (file missing)
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QCTRAY] C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [PRONoMgrWired] C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [loaddr] C:\DOCUME~1\Thinkpad\LOCALS~1\Temp\fred.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Update ThinkPad Software - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\ThinkPad\PkgMgr\\PkgMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1160698891503
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1160698870963
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.c...rt/IbmEgath.cab
O20 - Winlogon Notify: instcat - instcat.dll (file missing)
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)
O20 - Winlogon Notify: tphotkey - C:\WINDOWS\SYSTEM32\tphklock.dll
O20 - Winlogon Notify: wavecr - C:\WINDOWS\AppPatch\wavecr.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: QCONSVC - IBM Corp. - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\System32\tcpip.exe (file missing)
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP