help i have trojan horse collected.5.L [RESOLVED]


This topic is locked

#61 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
OK. Later. :tazz:


#62 duglartis (Topic Starter, Member, 159 posts)
Hi, I am back, but the computer is back to its old tricks. Every 30 seconds AVG pops up with a virus warning; some I can heal, some I can't. It looks like the same one each time. Also, RegProt is stopping two keys that keep popping up: one was istsvc.exe and the next one is powerscan.exe. I have not allowed either of these entries. This virus sure is a hard one to beat.

#63 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Post a new HijackThis log.

Regards,

#64 duglartis (Topic Starter, Member, 159 posts)
Here it is. Thanks for your help.

Logfile of HijackThis v1.99.1
Scan saved at 7:58:44 p.m., on 18/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\xpjava.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)
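The log above is read the way a helper reads it: the F2 line (Winlogon Userinit) is the one that matters, then anything in O4/O15/O16/O23 that points outside the normal system locations. The following Python script is an added example for this thread, not a tool from the page or from the HijackThis project; its flagging rules are the editor's own heuristics (assumptions), and the sample lines are copied from the log posted above.

```python
"""Triage of a HijackThis 1.99 log: pull out the entry types a helper reads first.

Added example for this thread, not a tool from the page. The flagging rules
are the author's heuristics (assumptions), not a malware database.
"""
import re

# Entry lines copied from the log posted above (R0/F2/O4/O15/O16/O23),
# with the header kept so the parser has something to skip.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r'^"?[a-z]:\\')


def parse_entries(text):
    """Return (entry_type, body) for every HijackThis entry line; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(text):
    """Return findings as (severity, entry_type, reason, body), in log order."""
    findings = []
    for etype, body in parse_entries(text):
        low = body.lower()
        if etype == "F2" and "userinit=" in low:
            # Winlogon runs every comma-separated program in Userinit at logon;
            # anything beyond userinit.exe itself is a persistence hook.
            programs = [p.strip() for p in low.split("userinit=", 1)[1].split(",") if p.strip()]
            extra = [p for p in programs if not p.endswith("userinit.exe")]
            if extra:
                findings.append(("high", etype, "extra Userinit program: " + ", ".join(extra), body))
        elif etype == "O4":
            target = low.split("] ", 1)[1] if "] " in low else low
            if "documents and settings" in target or "\\temp\\" in target:
                findings.append(("medium", etype, "autorun launched from a user-profile path", body))
            elif not ABS_PATH_RE.match(target) and not target.startswith("rundll32"):
                findings.append(("low", etype, "autorun without an absolute path", body))
        elif etype == "O15":
            # Trusted Zone sites get relaxed ActiveX/scripting settings in IE.
            findings.append(("medium", etype, "site added to the IE Trusted Zone", body))
        elif etype == "O16" and "microsoft" not in low and "windowsupd" not in low:
            findings.append(("low", etype, "ActiveX control downloaded from a third party", body))
        elif etype == "O23" and "(file missing)" in low:
            findings.append(("low", etype, "service points at a missing file", body))
    return findings


def severity_counts(findings):
    """Collapse findings into {severity: count} for a quick read."""
    counts = {}
    for severity, _, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, etype, reason, body in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {etype}: {reason}\n          {body}")
    print(severity_counts(triage(SAMPLE_LOG)))
```

On the sample above it reports one high finding (xpjava.exe appended to Userinit), two medium (RegProt running from a user profile path, the contentmatch.net Trusted Zone entry) and two low (nwiz.exe without a path, the Prime95 service with a missing file). RegProt is the user's own tool, which is the usual reminder that a triage list is a reading order, not a verdict.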

#65 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Copy the information in the quote box into Notepad. Save it to your desktop as type "All Files" and name it remove.reg.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"


Then boot to safe mode.

Double-click the remove.reg file you created and grant it permission to add the registry entries.

Close all windows and fix the following with HijackThis if it is still listed:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe


Open Killbox

Click on Tools > Delete Temp Files

Then check the following boxes:

Unregister .dll before deleting (unless it is greyed out)
Delete on Reboot

Then copy & paste them ONE at a time into the Killbox topmost box.

C:\WINDOWS\System32\xpjava.exe

After pasting them into the topmost textbox, click the red X, and for the confirmation message that will appear, click Yes.

A second message will ask "Reboot now?" Click Yes.

Note: Killbox will let you know if the file does not exist.

After the reboot, scan and post another log.

Regards,

#66 duglartis (Topic Starter, Member, 159 posts)
Hi again. I have followed the instructions; here is the new log.
Thanks for your help.
AVG is still popping up with a virus warning.

Logfile of HijackThis v1.99.1
Scan saved at 5:23:41 p.m., on 19/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\documents and settings\dug and tania\my documents\downloads\regprot.exe
C:\WINDOWS\System32\rundll32.exe
C:\Documents and Settings\Dug And Tania\My Documents\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netaccess.co.nz/
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegProt] c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Linked ima&ges - C:\Program Files\IEimage\IEimage.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: http://www.giftedonl...edusearch.co.nz
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098860877234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Prime95 Service - Unknown owner - C:\Program Files\Prime95\prime95.exe (file missing)

#67 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
That didn't work. :tazz:

Are you allowing the change to be made?
The startup entry is there but the file looks gone.

Close all windows and fix the following with HijackThis:
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
  • Download WinPFind
  • Right-click the zip folder and select "Extract All"
  • Extract it somewhere you will remember, like the Desktop
  • Don't do anything with it yet!
Reboot into Safe Mode

Double-click WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire system, so please be patient!
  • Once the scan is complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Regards,

Edited by Metallica, 19 July 2005 - 12:50 PM.

#68 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Never mind. I edited the previous post.

#69 duglartis (Topic Starter, Member, 159 posts)
Hello. Yes, I did allow changes last time. When I used Killbox I typed in the file name, as I could not find it under the browse option. Here is the log as requested.
Thanks for the help.
Cheers

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
UPX! 1/07/2005 20:08:38 5548 C:\pfind.txt
FSG! 1/07/2005 20:08:38 5548 C:\pfind.txt
aspack 1/07/2005 20:08:38 5548 C:\pfind.txt
PTech 1/07/2005 20:08:38 5548 C:\pfind.txt
UPX! 2/06/2004 08:00:34 50176 C:\VCLEANER.EXE

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 6/07/2005 21:15:40 267968512 C:\WINDOWS\MEMORY.DMP
PEC2 6/07/2005 21:15:40 267968512 C:\WINDOWS\MEMORY.DMP

Checking %System% folder...
PEC2 19/07/1995 22:00:00 1371436 C:\WINDOWS\system32\VBAR2132.DLL
PEC2 31/03/2003 12:00:00 41397 C:\WINDOWS\system32\dfrg.msc
Umonitor 31/03/2003 12:00:00 631808 C:\WINDOWS\system32\rasdlg.dll
winsync 31/03/2003 12:00:00 1309184 C:\WINDOWS\system32\wbdbase.deu
UPX! 29/10/2002 13:56:18 128000 C:\WINDOWS\system32\fmod.dll
aspack 20/02/2005 20:46:22 197120 C:\WINDOWS\system32\K2_SS_ver1.scr
UPX! 19/06/2005 16:02:30 38787 C:\WINDOWS\system32\snapple.exe

Checking %System%\Drivers folder and sub-folders...
UPX! 17/07/2005 17:07:58 667744 C:\WINDOWS\system32\drivers\avg7core.sys
FSG! 17/07/2005 17:07:58 667744 C:\WINDOWS\system32\drivers\avg7core.sys
aspack 17/07/2005 17:07:58 667744 C:\WINDOWS\system32\drivers\avg7core.sys

Checking the Windows folder for system and hidden files within the last 60 days...
19/07/2005 21:26:32 54156 QTFont.qfn
3/07/2005 09:58:14 749 WindowsShell.Manifest
3/07/2005 09:59:30 860160 ntuser.dat
3/07/2005 09:58:14 749 cdplayer.exe.manifest
3/07/2005 09:58:18 488 WindowsLogon.manifest
3/07/2005 09:58:14 749 ncpa.cpl.manifest
3/07/2005 09:58:14 749 nwc.cpl.manifest
3/07/2005 09:58:14 749 sapi.cpl.manifest
3/07/2005 09:58:14 749 wuaucpl.cpl.manifest
3/07/2005 09:58:18 488 logonui.exe.manifest
20/07/2005 17:30:22 815104 system.LOG
20/07/2005 17:30:22 86016 software.LOG
20/07/2005 17:30:22 20480 default.LOG
3/07/2005 09:59:34 1024 userdiff.LOG
3/07/2005 09:51:20 1024 TempKey.LOG
20/07/2005 17:31:32 1024 SAM.LOG
20/07/2005 17:31:16 12288 SECURITY.LOG
3/07/2005 09:59:34 1024 userdifr.LOG
5/06/2005 20:27:06 67 desktop.ini
20/07/2005 19:58:46 67 desktop.ini
20/07/2005 19:58:46 67 desktop.ini
20/07/2005 19:58:46 67 desktop.ini
20/07/2005 19:58:46 67 desktop.ini
31/05/2005 19:35:44 8628 hpfuih07.GID
3/07/2005 10:45:32 13698 filelist.xml
3/07/2005 09:58:52 67 desktop.ini
24/06/2005 21:08:48 331776 drmstore.hds
24/06/2005 21:08:48 30652 migration.log
3/07/2005 09:58:20 65 desktop.ini
3/07/2005 09:58:18 65 desktop.ini
20/07/2005 17:30:18 6 SA.DAT
14/06/2005 12:47:56 0 oem13.inf
14/06/2005 12:47:56 0 oem13.PNF
3/07/2005 17:46:52 0 oem15.inf
3/07/2005 17:46:52 0 oem15.PNF
18/07/2005 20:03:40 0 oem16.inf
18/07/2005 20:03:40 0 oem16.PNF

»»»»»»»»»»»»»»»»»»»»»»»» Checking Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
19/10/2004 20:01:14 1493 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
16/11/2004 22:42:20 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameG.txt

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
17/09/2004 16:33:28 1441 C:\Documents and Settings\Dug And Tania\Application Data\DW.LOG
31/05/2005 19:33:02 91864 C:\Documents and Settings\Dug And Tania\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension
{1E2CDF40-419B-11D2-A5A1-002018648BA7} =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG Free\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
AdaptecDirectCD C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
NeroCheck C:\WINDOWS\System32\\NeroCheck.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
KernelFaultCheck %systemroot%\system32\dumprep 0 -k
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
RegProt c:\documents and settings\dug and tania\my documents\downloads\regprot.exe /start
nwiz nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NVIEW rundll32.exe nview.dll,nViewLoadHook

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
= C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\{0DF44EAA-FF21-4412-828E-260A8728E7F1}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
CDRAutoRun
LinkResolveIgnoreLinkInfo 1
NoStartBanner 1
NoWindowsUpdate 0
NoActiveDesktop 1
NoActiveDesktopChanges 1
NoCustomizeWebView 1
NoFavoritesMenu 1
NoInternetIcon 1
NoSetActiveDesktop 1
NoSettingsWizards 1
NoWebMenu 1
EditLevel 0
NoRun 0
NoClose 0
NoSaveSettings 0
NoFileMenu 0
SpecifyDefaultButtons 0
Btn_Search 0
NoBandCustomize 0
NoToolbarCustomize 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\UPnPMonitor
{e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\System32\upnpui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.15 - Log file written to "WinPFind.Txt" in the WinPFind folder.
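The "Files found" section of the WinPFind log above lists a file whenever one of a handful of packer strings (UPX!, FSG!, aspack, PEC2) occurs anywhere in its bytes. That is why a 260 MB MEMORY.DMP, an old scan log (pfind.txt, which almost certainly contains those very strings as text) and the AVG driver (which carries unpacker signatures) all appear next to the two files that actually deserve attention. The following Python scanner is an added example, not WinPFind's own code: it applies the same marker search and, for PE files, also reads the section table, because section names such as UPX0/UPX1 are a stronger hint than a four-byte string. The marker list is assumed from WinPFind's output, and the sample files are constructed in the script.

```python
"""Packer-marker scan in the style of the WinPFind "Files found" section above.

Added example, not WinPFind's code. WinPFind lists a file when a known packer
string occurs anywhere in it; PE section names are a stronger hint, so this
scanner reports both and lets the reader tell them apart.
"""
import struct

# Marker strings as they appear in the WinPFind listing (assumed from its
# output; UPX really does write "UPX!" into files it packs).
MARKERS = [b"UPX!", b"FSG!", b"aspack", b"PEC2"]
# Section names well-known packers leave behind (UPX0/UPX1 are UPX defaults).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata", b".petite", b".nsp0", b".nsp1"}


def pe_section_names(data):
    """Return the section names of a PE image, or [] if data is not PE-shaped."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    size_of_optional = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_of_optional      # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def scan_bytes(data):
    """Report packer markers and packer-style section names for one file."""
    sections = pe_section_names(data)
    return {
        "markers": [m.decode() for m in MARKERS if m in data],
        "is_pe": bool(sections),
        "packer_sections": [s.decode("ascii", "replace") for s in sections if s in PACKER_SECTIONS],
    }


def classify(report):
    """Turn a scan_bytes() report into the verdict a helper would write next to it."""
    if report["packer_sections"]:
        return "packed PE: inspect"
    if report["markers"] and not report["is_pe"]:
        return "marker in non-PE data: likely noise (dump, log, signature DB)"
    if report["markers"]:
        return "marker in PE without packer sections: check the vendor"
    return "no packer indicators"


def build_fake_pe(section_names, payload=b""):
    """Construct a minimal PE-shaped blob (headers only, not executable) for tests."""
    dos_stub = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_stub + coff + table + payload


# Constructed samples standing in for files from the listing above.
PACKED_SAMPLE = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], payload=b"\0" * 16 + b"UPX!" + b"\0" * 16)
CLEAN_SAMPLE = build_fake_pe([b".text", b".data"], payload=b"plain code")
DUMP_SAMPLE = b"\0" * 64 + b"UPX!" + b"\0" * 64 + b"PEC2" + b"\0" * 64      # like MEMORY.DMP

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE), ("dump", DUMP_SAMPLE)):
        rep = scan_bytes(blob)
        print(f"{label:7}: {rep} -> {classify(rep)}")
```

Run against real files, the "marker in non-PE data" verdict is what MEMORY.DMP, pfind.txt and the .LOG hives would get, while snapple.exe in the listing above would need the real section table before anyone could say more than "UPX!".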

#70 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
You have some files I'd like to have a look at, before we decide what to do with them.
Can you surf to:
http://www.thespykil...x.php?topic=5.0
Follow the instructions there to upload:
C:\WINDOWS\system32\fmod.dll (could this be from fmod.org ?)
C:\WINDOWS\system32\snapple.exe (probably W32/Forbot-EG )

I'll let you know.

Regards,


#71 duglartis (Topic Starter, Member, 159 posts)
Hello. Posted as requested; here is the link: http://www.thespykil...php?topic=503.0
I also got this email which I don't understand, but you may be able to help.
Thanks

Hello
I saw your issue as regards the rootkit trojan (collected). I am the "owner" of such a thing!
I want to get rid of it!
As Metallica told you (does it have an email?) you have to build a legacy.reg file as:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SVKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
1) Do you know what for? What is this reg file doing?
2) Under [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP]
there is something like:
[-
Is it a mistake?
3) As far as I know this file needs to be made not with carriage returns but as just one row! I didn't obtain such a one! Do you have one for me (in case it is important)?
Unfortunately there is no removal tool for this, although this site can be an approach:
http://support.micro...kb;en-us;897079
Thanks for your patience
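Two .reg files appear in this thread: remove.reg in post #65, which resets the Winlogon Userinit value (the entry HijackThis shows as F2), and the legacy.reg quoted in the e-mail above, which removes the msdirectx and SVKP driver services together with their LEGACY_* device entries. The questions in that e-mail come down to REGEDIT4 syntax, which is line-oriented: `[KEY]` opens or creates a key, `[-KEY]` deletes the key and everything under it (so a line starting with `[-` is the intended form, not a typo), `"name"=-` deletes a value, and `\\` inside a quoted string is one backslash. The Python interpreter below is an added example, not code from the thread or from Microsoft; it applies both files to an in-memory dict standing in for the registry, so it runs anywhere and shows what each line does. The starting registry contents are constructed (the SVKP image path in particular is assumed).

```python
"""Interpreter for the REGEDIT4 (.reg) syntax used in remove.reg (post #65)
and the legacy.reg from the e-mail quoted above.

Added example; not code from the thread. It applies a .reg file to an
in-memory dict standing in for the registry. Only the subset the two files
use is implemented: [KEY], [-KEY], "name"="string", "name"=- and \\ escapes.
"""
import re

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """REGEDIT4 escapes a backslash or a double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def apply_reg(registry, text):
    """Apply .reg text to registry ({key_path: {value_name: data}}); return an action log."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 file: header line missing")
    log, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank lines and comments are ignored
        key = KEY_RE.match(line)
        if key:
            path = key.group("path")
            if key.group("delete"):
                # [-KEY] removes the key and every subkey beneath it.
                doomed = [k for k in registry if k == path or k.startswith(path + "\\")]
                for k in doomed:
                    del registry[k]
                log.append(f"delete key {path}: {len(doomed)} key(s) removed")
                current = None
            else:
                registry.setdefault(path, {})
                log.append(f"open key {path}")
                current = path
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, data = _unescape(value.group("name")), value.group("data")
            if data == "-":
                existed = registry[current].pop(name, None) is not None
                log.append(f"delete value {name} (existed={existed})")
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                registry[current][name] = _unescape(data[1:-1])
                log.append(f"set value {name}")
            else:
                raise ValueError(f"unsupported value syntax: {line}")
            continue
        raise ValueError(f"unrecognised line: {line}")
    return log


WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# remove.reg exactly as posted in #65.
REMOVE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"=-
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"""

# legacy.reg as quoted in the e-mail in #71 (CurrentControlSet half shown; the
# ControlSet001 lines work the same way).
LEGACY_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SVKP]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"""


def infected_registry():
    """Constructed stand-in for the infected machine's keys (not a real export)."""
    ccs = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
    return {
        WINLOGON: {"Userinit": r"C:\WINDOWS\system32\userinit.exe,xpjava.exe", "Shell": "Explorer.exe"},
        ccs + r"\Services\msdirectx": {"ImagePath": r"System32\msdirectx.sys"},
        ccs + r"\Services\msdirectx\Enum": {"0": r"Root\LEGACY_MSDIRECTX\0000"},
        ccs + r"\Services\SVKP": {"ImagePath": r"System32\SVKP.sys"},   # assumed path
        ccs + r"\Enum\Root\LEGACY_MSDIRECTX\0000": {"Service": "msdirectx"},
        ccs + r"\Enum\Root\LEGACY_SVKP\0000": {"Service": "SVKP"},
    }


if __name__ == "__main__":
    reg = infected_registry()
    for entry in apply_reg(reg, REMOVE_REG) + apply_reg(reg, LEGACY_REG):
        print(entry)
    print("Userinit is now:", reg[WINLOGON]["Userinit"])
    print("remaining keys:", sorted(reg))
```

The delete-then-set pair in remove.reg is deliberate: deleting first clears whatever type the malware left, and the trailing comma in the new value is part of the stock XP Userinit string. Note that a registry guard such as RegProt, which the thread shows running, will prompt on exactly these writes, which is one reason the first attempt in #66 could appear not to take.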

#72 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Ignore people asking for help by PM or mail.
(That's what I do as well)

snapple.exe was the one causing the misery:
AVG recognizes it as Downloader.Istbar.7.N
Delete that file please.

fmod.dll is harmless and comes from: http://www.fmod.org/

Regards,

#73 duglartis (Topic Starter, Member, 159 posts)
Hi there,
Thanks for the advice. I have shredded the file with Spybot.
What do I do next?
Thanks for your help.

#74 Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Run a full system scan with AVG and let me know if and what it finds.
Specifically if there is anything that it can't remove.

Regards,

#75 duglartis (Topic Starter, Member, 159 posts)
Still have lots of pop-ups. Here is the log file from the AVG scan.
Partition table (MBR) ok Quick checked
Boot sector of disk C: Change Changed
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell Scanned
System registry exefile\shell\open\command Scanned
System registry scrfile\shell\open\command Scanned
System registry scrfile\shell\config\command Scanned
System registry batfile\shell\open\command Scanned
System registry cmdfile\shell\open\command Scanned
System registry comfile\shell\open\command Scanned
System registry piffile\shell\open\command Scanned
System registry giffile\shell\open\command Scanned
System registry htmlfile\shell\open\command Scanned
System registry htafile\shell\open\command Scanned
System registry jpegfile\shell\open\command Scanned
System registry txtfile\shell\open\command Scanned
System registry regfile\shell\open\command Scanned
System registry cplfile\shell\cplopen\command Scanned
System registry Word.Document.8\shell\open\command Scanned
System registry WordPad.Document.1\shell\open\command Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ok Quick checked
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe ok Quick checked
C:\Program Files\Internet Explorer\IEXPLORE.EXE ok Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE ok Quick checked
C:\Program Files\QuickTime\qttask.exe ok Quick checked
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe ok Quick checked
C:\WINDOWS\System32\1.bat ok Quick checked
C:\WINDOWS\System32\ActiveScan\as.dll ok Quick checked
C:\WINDOWS\System32\ActiveScan\ascontrol.dll ok Quick checked
C:\WINDOWS\System32\ActiveScan\pavpz.dll ok Quick checked
C:\WINDOWS\System32\\NeroCheck.exe ok Quick checked
C:\WINDOWS\System32\mshta.exe ok Quick checked
C:\WINDOWS\System32\nview.dll ok Quick checked
C:\WINDOWS\System32\nwiz.exe ok Quick checked
C:\WINDOWS\System32\regsvr32.exe ok Quick checked
C:\WINDOWS\System32\rundll32.exe ok Quick checked
C:\WINDOWS\System32\shell32.dll ok Quick checked
C:\WINDOWS\System32\shimgvw.dll ok Quick checked
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe ok Quick checked
C:\WINDOWS\regedit.exe ok Quick checked
c:\documents and settings\dug and tania\my documents\downloads\regprot.exe ok Quick checked
C:\IO.SYS ok Quick checked
C:\MSDOS.SYS ok Quick checked
C:\WINDOWS\System32\kernel32.dll ok Quick checked
C:\WINDOWS\System32\wsock32.dll ok Quick checked
C:\WINDOWS\System32\user32.dll ok Quick checked
C:\WINDOWS\System32\shell32.dll ok Quick checked
C:\WINDOWS\System32\ntoskrnl.exe ok Quick checked
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP1\A0000074.exe:\1.exe Trojan horse Downloader.Istbar.7.N Infected, Embedded object
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP1\A0000074.exe Trojan horse Downloader.Istbar.7.N Infected, Archive
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP13\A0007831.exe:\1.exe Trojan horse Downloader.Istbar.7.N Infected, Embedded object
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP13\A0007831.exe Trojan horse Downloader.Istbar.7.N Infected, Archive
C:\WINDOWS\SYSTEM32\msdirectx.sys Deleted
C:\WINDOWS\SYSTEM32\mssvces.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP3\A0000301.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP4\A0000308.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP4\A0000310.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP4\A0000326.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP10\A0005539.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP10\A0005548.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP10\A0005602.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005605.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005607.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005612.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005614.dll Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005624.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005633.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005638.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0005654.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0006655.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0006696.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0006739.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0006742.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP11\A0006744.EXE Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP12\A0006752.sys Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP12\A0006800.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP13\A0006821.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP13\A0006822.exe Deleted
C:\System Volume Information\_restore{FB2C172A-0CD0-4F4D-A7F9-E95E2025EFD2}\RP13\A0006823.exe Deleted