Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spy-Agent.n Trojan

Started by tomc1228 , Mar 19 2006 01:48 AM

  • Please log in to reply

#1
tomc1228
Posted 19 March 2006 - 01:48 AM

tomc1228

    Member

  • Member
  • PipPip
  • 16 posts
Windows XP, Version 2002, SP 1, Pentium 4, Dell Dimension 8250.

I'm getting a message from McAfee Virus Scan that "C:\Windows\System32\winlogon.exe is infected by the Spy-Agent.n Trojan and cannot be cleared." When I tried to run SFC to find and replace the infected file, I keep getting the same message: "Windows File Protection: Files that are required for Windows to run properly must be copied to the DLL cache. Insert your Windows XP Professional Service Pack 1 CD now." When I insert the CD, the same message keeps coming up, even after I keep hitting the retry button. Another message says, "Files required for Windows to run properly have been replaced by unrecognized versions."

I have McAfee Anti-Virus and Firewall installed and updated. I've tried Ewido Security Suite, Clean Up, AntiPuper, Trend Micro House Call, NoAdware, Adware SE, Webroot Spy Sweeper v4.5.9, AOL Spyware Protection, Trojan Hunter, and XoftSpy, but nothing clears it. A few other forms of malware were found and cleared.

I have no idea how to go about replacing the winlogon.exe file. I don't see any signs of a variation of it in Win/Sys32 (winlogin.exe, w?nlogon.exe, etc). A search for winlogon.exe brought up three application files: winlogon.exe in Windows/System32, winlogon.exe in Windows/Software Distribution/Download 16b2c96aOc4 and winlogon.exe in Windows/Software Distribution/Download 6ca7b3a8efd.

I appreciate any help you can provide. A HijackThis logfile is attached.

Logfile of HijackThis v1.99.1
Scan saved at 2:11:17 AM, on 3/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Common Files\AOL\1102019139\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\program files\common files\aol\1102019139\ee\services\antiSpywareApp\ver2_0_25_1\AOLSP Scheduler.exe
c:\program files\common files\aol\1102019139\ee\aolsoftware.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Tom Costello\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Omnipage] C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [OK] c:\documents and settings\tom costello\local settings\temp\OK.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102019139\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: cpeupdate.lnk = E:\Media\Xtras\ShareIns\cpeupdate.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor.lnk = C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Microsoft AntiSpyware helper - {FD5F0ACF-34A9-4821-8634-1EBAB86AD719} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD5F0ACF-34A9-4821-8634-1EBAB86AD719} - C:\WINDOWS\System32\wldr.dll (file missing)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com...f70a0/enter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

Advertisements

#2
tomc1228
Posted 21 March 2006 - 03:14 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I guess nobody wants to touch this one. I'm disappointed. I could use the help. I've tried almost everything I can think of, but this trojan won't quit. I was finally able to run an SFC scan last night and a disk scan, but they didn't help. Has anybody had success removing this one (Spy-Agent.n)? I may try a system restore or, as a last resort, reload Windows XP. In the meantime, somebody is monitoring keystrokes (passwords, etc).

tomc1228
  • 0

#3
loophole
Posted 21 March 2006 - 03:51 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi tomc1228 :tazz:

Well lets give it a go shall we...

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [OK] c:\documents and settings\tom costello\local settings\temp\OK.exe
O9 - Extra button: Microsoft AntiSpyware helper - {FD5F0ACF-34A9-4821-8634-1EBAB86AD719} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {FD5F0ACF-34A9-4821-8634-1EBAB86AD719} - C:\WINDOWS\System32\wldr.dll (file missing)
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} - http://www.20x2p.com...f70a0/enter.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab


Now close all windows other than HiJackThis, then click Fix Checked

Please download ATF Cleaner by Atribune.Save it to the desktop
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
.
  • 0

#4
tomc1228
Posted 21 March 2006 - 07:58 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Loophole:

Thank you for helping me out!

I followed your directions and fixed those files that were still on the posted Hijack This Log from a few days ago (I removed a few yesterday). I ran a new log (below). I then ran the ATF Cleaner and Kaspersky scan (results below).

Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:39:28 PM, on 3/21/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Documents and Settings\Tom Costello\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\FTW\Html\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\FTW\Html\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0b\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\Common Files\aolshare\Coach\Player\plugin\ToolBar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternati.../00/alttiff.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgall..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalci....1.11_en_dl.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Kaspersky Scan:

Tuesday, March 21, 2006 8:33:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/03/2006
Kaspersky Anti-Virus database records: 183297


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 119939
Number of viruses found 3
Number of infected objects 27
Number of suspicious objects 4
Duration of the scan process 01:23:38

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/127703.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS6.zip/127703.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS6.zip ZIP: suspicious - 1 skipped

G:\Misc Photos\Audio Converter.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\Audio Converter.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\Audio Converter.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\Audio Converter.exe Inno: infected - 8 skipped

G:\Misc Photos\ossac.exe/data0002/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0002/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0002/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0002/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0002/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0002 Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossac.exe/data0003/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\ossac.exe/data0003 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\ossac.exe Inno: infected - 8 skipped

G:\Misc Photos\ossacp.exe/data0002/data0139 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\ossacp.exe/data0002 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped

G:\Misc Photos\ossacp.exe/data0003/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe/data0003/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe/data0003/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe/data0003/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe/data0003/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe/data0003 Infected: not-a-virus:AdWare.Win32.NavExcel skipped

G:\Misc Photos\ossacp.exe Inno: infected - 8 skipped

Scan process completed.

I'm not sure what the 'Misc Photos' are. Two possibilities: I'm a photographer and I'm always downloading digital photos from several cameras into My Documents. The past few weeks, I've been copying a lot of on-line photos from the NCAA Tournament onto my hard drive, all into the same folder. Not a great idea, but I never had a problem.


Tomc1228
  • 0

#5
loophole
Posted 21 March 2006 - 09:01 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi Tom

Not much there

Go ahead and delete these two files

G:\Misc Photos\Audio Converter.exe
G:\Misc Photos\ossac.exe

Dont delete them out of your recycle bin yet

Are you still getting the winlogon infected warning from Mcafee? If so do the following

Download WindPFind

Extract WinPFind.zip to your c:\ folder.

please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter

Then open c:\WinPFind and double-click on WinPFind.exe.
When the program is open, click on the Start Scan button to start scanning your computer. Be patient as this scan may take a while.
When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and and post the contents of c:\WinPFind\WinPFind.txt as a reply to this topic.
  • 0

#6
tomc1228
Posted 21 March 2006 - 09:58 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Loophole:

I deleted the two files. I'm waiting for WinPFind to finish the scan. Yes, I'm still getting a McAfee pop-up window telling me the winlogon.exe file is infected with Spy-Agent.n. The pop-up is driving me crazy!

Tom
  • 0

#7
loophole
Posted 21 March 2006 - 10:31 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Ok post when you can

I don't believe i've seen the winlogon file infected before

Lets get a second opinion

Please go here: Jotti

Click the "browse" button and locate this file:

C:\windows\system32\winlogon.exe

Click "Open", then click the "Submit" button. Copy the results and paste them here with the winpfind log.

Thanks
  • 0

#8
tomc1228
Posted 21 March 2006 - 10:44 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
The WinPFind scan is still running (I think). There's a hanging hourglass. Windows Task Mgr shows something is going on, but should it take this long?

Here's what I got from Jotti's scan:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
  • 0

#9
loophole
Posted 22 March 2006 - 10:20 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi :tazz:

WinPfind must be hanging, It should only take a few minutes

Reboot to safemode and do the following

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Save the report
  • Reboot into normal windows
  • Copy and past the StartupList from the notepad into your next post
Thanks

Edited by loophole, 22 March 2006 - 10:21 AM.

  • 0

#10
tomc1228
Posted 22 March 2006 - 02:07 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I ran the WinPFind scan again, and the Startup List from Hijack This. One follows the other:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PECompact2 12/23/2005 7:49:52 PM 11817800 C:\GoogleEarthPlus.exe
PECompact2 12/21/2005 2:26:58 PM 11817800 C:\GoogleEarthSetup.exe

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 9/3/2002 11:30:40 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 11/11/2003 3:00:22 PM 236544 C:\WINDOWS\SYSTEM32\DivXdec.ax
Umonitor 6/2/1999 12:01:12 AM 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll
PTech 7/12/2005 4:50:44 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor 9/3/2002 11:54:44 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 9/3/2002 12:10:48 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
3/22/2006 1:14:38 AM S 2048 C:\WINDOWS\bootstat.dat
3/21/2006 4:33:46 PM H 54156 C:\WINDOWS\QTFont.qfn
3/8/2006 2:59:38 PM S 9341 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB914798.cat
3/22/2006 2:45:34 PM H 1024 C:\WINDOWS\system32\config\default.LOG
3/22/2006 1:14:44 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
3/22/2006 1:14:52 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
3/22/2006 2:50:00 PM H 1024 C:\WINDOWS\system32\config\software.LOG
3/22/2006 2:44:36 PM H 1024 C:\WINDOWS\system32\config\system.LOG
2/13/2006 3:02:38 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\961e970d-2287-4283-8f86-83ba67b1983c
2/13/2006 3:02:38 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
3/22/2006 1:14:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 9/3/2002 11:26:48 AM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 9/3/2002 11:27:24 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
FotoNation inc. 11/30/1999 9:14:30 AM 26624 C:\WINDOWS\SYSTEM32\camcpl.cpl
5/24/2002 10:45:48 AM 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Creative Technology Ltd. 3/30/2001 1:00:00 AM 230912 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Creative Technology Ltd. 2/21/2002 1:00:00 AM 212992 C:\WINDOWS\SYSTEM32\CTDevCtrl.cpl
Microsoft Corporation 9/3/2002 11:30:36 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
OLYMPUS OPTICAL CO.,LTD. 6/19/2002 12:37:46 PM 45056 C:\WINDOWS\SYSTEM32\DSSFSSET.cpl
Microsoft Corporation 9/3/2002 11:34:00 AM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 9/3/2002 11:35:14 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 9/3/2002 11:35:24 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
InstallShield Software Corporation8/9/2004 6:04:02 AM 73728 C:\WINDOWS\SYSTEM32\ISUSPM.cpl
Microsoft Corporation 9/3/2002 11:37:12 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
AvantGo, Inc. 12/6/2004 1:07:08 PM 69632 C:\WINDOWS\SYSTEM32\mbllnk.cpl
Microsoft Corporation 9/3/2002 11:42:08 AM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 9/3/2002 11:50:26 AM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
3/9/2006 3:29:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 9/3/2002 11:50:44 AM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 9/3/2002 11:52:44 AM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
RealNetworks, Inc. 1/17/2005 3:51:24 PM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 9/3/2002 12:05:50 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 9/3/2002 12:06:48 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 3:16:30 PM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 9/3/2002 11:26:48 AM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 9/3/2002 11:27:24 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 9/3/2002 11:30:36 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 9/3/2002 11:34:00 AM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 9/3/2002 11:35:14 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 9/3/2002 11:35:24 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/17/2001 10:37:02 PM 48128 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 9/3/2002 11:37:12 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 9/3/2002 11:40:02 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 9/3/2002 11:42:08 AM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 9/3/2002 11:47:04 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 9/3/2002 11:50:26 AM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 9/3/2002 11:50:44 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 9/3/2002 11:52:44 AM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 9/3/2002 11:57:12 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 9/3/2002 12:05:50 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 9/3/2002 12:06:38 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 9/3/2002 12:06:48 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
10/23/2004 2:44:42 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/22/2004 7:35:32 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
3/12/2006 10:11:22 PM 1371 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
10/23/2004 2:44:42 PM HS 84 C:\Documents and Settings\Tom Costello\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
10/22/2004 7:35:32 PM HS 62 C:\Documents and Settings\Tom Costello\Application Data\desktop.ini
11/17/2004 9:04:18 PM 0 C:\Documents and Settings\Tom Costello\Application Data\dm.ini
3/21/2006 9:42:00 PM 152488 C:\Documents and Settings\Tom Costello\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\System32\tds3shl.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\{CFC7205E-2792-4378-9591-3879CC6C9022}
= c:\progra~1\mcafee.com\vso\mcvsshl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido anti-malware\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TDS-3
{E8ADA3E1-CE9B-44A0-A165-997304EF4E18} = C:\WINDOWS\System32\tds3shl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{BA52B914-B692-46c4-B683-905236F6F655} = McAfee VirusScan : c:\progra~1\mcafee.com\vso\mcvsshl.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F}
ButtonText = Create Mobile Favorite :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F}
MenuText = Create Mobile Favorite... : C:\Program Files\Microsoft ActiveSync\inetrepl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4982D40A-C53B-4615-B15B-B5B5E98D167C}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MCAgentExe c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VSOCheckTask "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online C:\Program Files\McAfee.com\VSO\mcvsshld.exe
MSO
MPFExe C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
OASClnt C:\Program Files\McAfee.com\VSO\oasclnt.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SpySweeper "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
_AntiSpyware C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AOL Fast Start "C:\Program Files\America Online 9.0b\AOL.EXE" -b

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^cpeupdate.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cpeupdate.lnk
backup C:\WINDOWS\pss\cpeupdate.lnkCommon Startup
location Common Startup
command E:\Media\Xtras\ShareIns\cpeupdate.exe
item cpeupdate
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cpeupdate.lnk
backup C:\WINDOWS\pss\cpeupdate.lnkCommon Startup
location Common Startup
command E:\Media\Xtras\ShareIns\cpeupdate.exe
item cpeupdate

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 2.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Olympus\DEVICE~1\DevDtct2.exe
item Device Detector 2
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Device Detector 2.lnk
backup C:\WINDOWS\pss\Device Detector 2.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Olympus\DEVICE~1\DevDtct2.exe
item Device Detector 2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office10\OSA.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup C:\WINDOWS\pss\Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\ArcSoft\MEDIAC~1\MCCMON~1.EXE -r
item Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Monitor.lnk
backup C:\WINDOWS\pss\Monitor.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\ArcSoft\MEDIAC~1\MCCMON~1.EXE -r
item Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WinZip\WZQKPICK.EXE
item WinZip Quick Pick
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\WinZip\WZQKPICK.EXE
item WinZip Quick Pick

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOL Fast Start
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOL
hkey HKCU
command "C:\Program Files\America Online 9.0b\AOL.EXE" -b
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOL
hkey HKCU
command "C:\Program Files\America Online 9.0b\AOL.EXE" -b
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLCC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ACCAgnt
hkey HKCU
command "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ACCAgnt
hkey HKCU
command "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AOLDialer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLDial
hkey HKLM
command C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\H/PC Connection Agent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WCESCOMM
hkey HKCU
command "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WCESCOMM
hkey HKCU
command "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HostManager
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSoftware
hkey HKLM
command C:\Program Files\Common Files\AOL\1102019139\ee\AOLSoftware.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item AOLSoftware
hkey HKLM
command C:\Program Files\Common Files\AOL\1102019139\ee\AOLSoftware.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HP Lamp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hplamp
hkey HKLM
command "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hplamp
hkey HKLM
command "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\HPDJ Taskbar Utility
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb05
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item hpztsb05
hkey HKLM
command C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISUSPM Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISUSPM
hkey HKLM
command C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISUSPM
hkey HKLM
command C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISUSScheduler
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item issch
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item issch
hkey HKLM
command "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
command "C:\Program Files\iTunes\iTunesHelper.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Money Express
hkey HKCU
command "C:\Program Files\Microsoft Money\System\Money Express.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Money Express
hkey HKCU
command "C:\Program Files\Microsoft Money\System\Money Express.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MoneyStartUp10.0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Activation
hkey HKLM
command "C:\Program Files\Microsoft Money\System\Activation.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Omnipage
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item opware32
hkey HKLM
command C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item opware32
hkey HKLM
command C:\Program Files\ScanSoft\OmniPageSE\opware32.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pure Networks Port Magic
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
command "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PortAOL
hkey HKLM
command "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RegSvr32
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RemoteControl
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PDVDServ
hkey HKLM
command "C:\Program Files\CyberLink\PowerDVD SE\PDVDServ.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\rfagent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rfagent
hkey HKLM
command "C:\Program Files\RFA\rfagent.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item rfagent
hkey HKLM
command "C:\Program Files\RFA\rfagent.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RoxioDragToDisc
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DrgToDsc
hkey HKLM
command "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DrgToDsc
hkey HKLM
command "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpySweeper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SpySweeper
hkey HKLM
command "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SpySweeper
hkey HKLM
command "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun _
NoCDBurning 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 3/22/2006 2:52:27 PM



Startup List from Hijack This:

StartupList report, 3/22/2006, 3:01:59 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Tom Costello\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\America Online 9.0b\waol.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\America Online 9.0b\shellmon.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Tom Costello\My Documents\WinPFind\winpfind.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Tom Costello\Desktop\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Tom Costello\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
*No files*

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

MCAgentExe = c:\PROGRA~1\mcafee.com\agent\mcagent.exe
MCUpdateExe = c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
VSOCheckTask = "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
VirusScan Online = C:\Program Files\McAfee.com\VSO\mcvsshld.exe
MSO =
MPFExe = C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
OASClnt = C:\Program Files\McAfee.com\VSO\oasclnt.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
SpySweeper = "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
_AntiSpyware = C:\Program Files\McAfee\McAfee AntiSpyware\MssCli.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

AOL Fast Start = "C:\Program Files\America Online 9.0b\AOL.EXE" -b

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\HemeraThumbnail.Archive\shell\open\command

*Registry key not found*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = c:\WINDOWS\system32\dllcache\notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{969B3B70-8765-11D5-9809-0050BACBF861}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\Program Files\CyberLink\MP3PowerEncoder\Cyber.inf,PerUserStub

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.ur
  • 0

Advertisements

#11
tomc1228
Posted 22 March 2006 - 06:57 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Loophole:

When I dropped the infected file into a winzipped folder, Jotti's scanned it. It couldn't scan the file alone, but it knew there was a possibility of a malware infection. It also couldn't scan when I disabled the McAfee firewall. Here's the report. Note the photo.exe reference at the bottom.

Tom

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File to upload & scan:



Service
Service load: 0% 100%

File: winlogon.zip
Status: INFECTED/MALWARE
MD5 5736d0b54d2c8118de775766232ff055
Packers detected: -
Scanner results
AntiVir Found Trojan/Agent.HA
ArcaVir Found W32.Inject.LogonSMDB
Avast Found Win32:Trojano-2423
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.4177
F-Prot Antivirus Found W32/Agent.AFV
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan.Win32.Agent.gq
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Last file scanned at least one scanner reported something about: photo.exe, detected by:
Scanner Malware name
AntiVir Backdoor-Server/Outbreak.030 backdoor
ArcaVir X
Avast Win32:Outbreak
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web X
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
UNA X
VirusBuster X
VBA32 X
  • 0

#12
loophole
Posted 27 March 2006 - 12:58 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Lets try this Tom

Download and Save Blacklight to your desktop:

Double-click blbeta.exe then accept the agreement, leave [X]scan through Windows Explorer checked, click > scan then > next

You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe"
  • 0

#13
tomc1228
Posted 27 March 2006 - 10:01 AM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Not sure if I did this right. I downloaded Blacklight, but never saw a place to check "scan through Windows Explorer." Here's the log. There weren't any hidden files found.

03/27/06 10:57:19 [Info]: BlackLight Engine 1.0.33 initialized
03/27/06 10:57:19 [Info]: OS: 5.1 build 2600 (Service Pack 1)
03/27/06 10:57:19 [Note]: 7019 4
03/27/06 10:57:19 [Note]: 7005 0
03/27/06 10:57:21 [Note]: 7006 0
03/27/06 10:57:21 [Note]: 7011 1452
03/27/06 10:57:22 [Note]: FSRAW library version 1.7.1015
03/27/06 10:58:02 [Note]: 7007 0


Tom
  • 0

#14
loophole
Posted 27 March 2006 - 06:19 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hi tom

Open Hijack this and then click on the open misc tools section
  • Click the Process manager tab
  • Put a check in the show dll box at the top tight
  • Find the process C:\windows\system32\winlogon
  • Left click it once to highlight it
  • Click the clipboard icon to copy the items to your clipboard
  • Paste the results into this thread

Edited by loophole, 27 March 2006 - 06:20 PM.

  • 0

#15
tomc1228
Posted 27 March 2006 - 06:32 PM

tomc1228

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Process list saved on 7:31:55 PM, on 3/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
632 C:\WINDOWS\System32\smss.exe 5.1.2600.1106 Microsoft Corporation
712 C:\WINDOWS\system32\winlogon.exe
756 C:\WINDOWS\system32\services.exe 5.1.2600.0 Microsoft Corporation
768 C:\WINDOWS\system32\lsass.exe 5.1.2600.1106 Microsoft Corporation
944 C:\WINDOWS\system32\svchost.exe 5.1.2600.0 Microsoft Corporation
1024 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
1452 C:\WINDOWS\Explorer.EXE 6.0.2800.1106 Microsoft Corporation
1516 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.1699 Microsoft Corporation
1640 C:\PROGRA~1\mcafee.com\agent\mcagent.exe 6.0.0.16 McAfee, Inc
1664 C:\Program Files\McAfee.com\VSO\mcvsshld.exe 10.0.0.22 McAfee, Inc.
1680 C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe 7.1.0.113 McAfee Security
1692 C:\Program Files\McAfee.com\VSO\oasclnt.exe 10.0.0.24 McAfee, Inc.
1700 C:\Program Files\QuickTime\qttask.exe 7.0.4.80 Apple Computer, Inc.
1716 C:\progra~1\mcafee\MCAFEE~1\masalert.exe 1.5.0.110 McAfee, Inc.
1724 C:\Program Files\iTunes\iTunesHelper.exe 6.0.4.2 Apple Computer, Inc.
1744 C:\WINDOWS\BCMSMMSG.exe 3.5.25.0 Broadcom Corporation
1792 c:\progra~1\mcafee.com\vso\mcvsescn.exe 10.0.0.20 McAfee, Inc.
1848 C:\WINDOWS\System32\RUNDLL32.EXE 5.1.2600.0 Microsoft Corporation
248 C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe 3.0.0.1 America Online
260 C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe 2.0.0.0 America Online, Inc
272 C:\WINDOWS\System32\CTsvcCDA.exe 1.0.1.0 Creative Technology Ltd
296 C:\Program Files\Olympus\DeviceDetector\DM1Service.exe 1.1.0.0 OLYMPUS OPTICAL CO.,LTD
352 C:\Program Files\ewido anti-malware\ewidoctrl.exe 3.0.0.1 ewido networks
448 C:\Program Files\ewido anti-malware\ewidoguard.exe 3.0.0.1 ewido networks
476 c:\progra~1\mcafee\mcafee antispyware\massrv.exe 1.5.0.110 McAfee, Inc.
496 c:\program files\mcafee.com\agent\mcdetect.exe 6.0.0.19 McAfee, Inc
540 c:\PROGRA~1\mcafee.com\vso\mcshield.exe 11.0.0.151 McAfee Inc.
612 c:\PROGRA~1\mcafee.com\agent\mctskshd.exe 6.0.0.13 McAfee, Inc
1108 C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe 7.1.0.113 McAfee Corporation
1128 C:\WINDOWS\System32\nvsvc32.exe 6.14.10.8421 NVIDIA Corporation
1276 C:\WINDOWS\System32\svchost.exe 5.1.2600.0 Microsoft Corporation
2196 C:\WINDOWS\wanmpsvc.exe 9.0.0.0 America Online, Inc.
2444 C:\Program Files\iPod\bin\iPodService.exe 6.0.4.2 Apple Computer, Inc.
2648 C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe 7.1.0.113 McAfee Security
3108 C:\Program Files\America Online 9.0b\waol.exe 9.2.0.0 America Online, Inc.
2028 C:\Program Files\America Online 9.0b\shellmon.exe 9.2.0.0 America Online, Inc.
2936 C:\Documents and Settings\Tom Costello\Desktop\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.


DLLs loaded by process C:\WINDOWS\system32\winlogon.exe:

[full path to filename] [file version] [company name]
C:\WINDOWS\System32\ntdll.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\kernel32.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 Microsoft Corporation
C:\WINDOWS\system32\GDI32.dll 5.1.2600.1789 Microsoft Corporation
C:\WINDOWS\system32\USER32.dll 5.1.2600.1634 Microsoft Corporation
C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\NDdeApi.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 Microsoft Corporation
C:\WINDOWS\system32\Secur32.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\WINSTA.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\PROFMAP.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\NETAPI32.dll 5.1.2600.1343 Microsoft Corporation
C:\WINDOWS\system32\REGAPI.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\WS2_32.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\AUTHZ.dll 5.1.2600.1634 Microsoft Corporation
C:\WINDOWS\system32\PSAPI.DLL 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\SETUPAPI.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 Microsoft Corporation
C:\WINDOWS\system32\SHELL32.dll 6.0.2800.1751 Microsoft Corporation
C:\WINDOWS\system32\SHLWAPI.dll 6.0.2800.1740 Microsoft Corporation
C:\WINDOWS\system32\COMCTL32.dll 5.82.2800.1106 Microsoft Corporation
C:\WINDOWS\System32\ODBC32.dll 3.520.9030.0 Microsoft Corporation
C:\WINDOWS\system32\comdlg32.dll 6.0.2800.1106 Microsoft Corporation
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1740_x-ww_7cb8ab44\comctl32.dll 6.0.2800.1740 Microsoft Corporation
C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Corporation
C:\WINDOWS\System32\SHSVCS.dll 6.0.2800.1605 Microsoft Corporation
C:\WINDOWS\system32\sfc.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\sfc_os.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 Microsoft Corporation
C:\WINDOWS\system32\ole32.dll 5.1.2600.1720 Microsoft Corporation
C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\WINSCARD.DLL 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\sxs.dll 5.1.2600.1579 Microsoft Corporation
C:\WINDOWS\System32\uxtheme.dll 6.0.2800.1106 Microsoft Corporation
C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\serwvdrv.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\umdmxfrm.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\system32\cscdll.dll 5.1.2600.1599 Microsoft Corporation
C:\WINDOWS\system32\WlNotify.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\MPR.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 Microsoft Corporation
C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\system32\msv1_0.dll 5.1.2600.1106 Microsoft Corporation
C:\WINDOWS\System32\wdmaud.drv 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\msacm32.drv 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\MSACM32.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\midimap.dll 5.1.2600.0 Microsoft Corporation
C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42 Microsoft Corporation
C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft Corporation
C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.62 Microsoft Corporation
C:\WINDOWS\system32\Apphelp.dll 5.1.2600.1106 Microsoft Corporation
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP