
Trojan, HJT log included

Discussion in 'Malware and Virus Removal Archive' started by Meryem13, 2006/02/17.

  1. 2006/02/17
    Meryem13

    Meryem13 Inactive Thread Starter

    Hello,

    I haven't really touched a Windows PC in about 2 years since switching to a Mac, so please forgive my relative ignorance/forgetfulness. But I remember getting GREAT help from here when I had a trojan on my previous Windows PC.

    I am currently trying to fix my sister-in-law's computer and need a little help. She has a Dell Inspiron running Win XP Professional without SP2. She complained about her computer being very slow on startup and not being able to access a certain page due to IE not allowing a popup window.

    To my dismay, she hasn't done any of her updates or anything! I did the win update, ran a defrag, and cleaned up all the spyware using ad-aware (v6.2.0.236), spybot S&D (v1.4.0.3) and spyware blaster (v3.5.0.1). There was a LOT of gunk in her system!

    I also found out she doesn't have an anti-virus app since her Norton subscription ran out nearly 2 years ago! I downloaded a free app from www.free-av.com and ran it. It found several bugs that it was able to fix but it has also come across a VERY stubborn one that won't budge! The program is C:\:MSCRPLGN.DLL and it's trojan horse TR/Spy.Agent.BS.1
    None of the antivirus program's options are working on it, and to open ANYTHING takes at least 15 clicks because the app keeps popping up telling us the trojan's been found.

    I googled the name of the trojan to see if I could find any info, and there was a bit of info on stuff to fix in regedit, but when I went in there, those things weren't there to delete, though that probably wouldn't have been the best option anyway.

    We're wondering whether we should just reformat it...?

    Also, here is the HJT log for her computer:


    Logfile of HijackThis v1.99.1
    Scan saved at 1:02:14 AM, on 2/18/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Customizer XP\RAM_2K.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihlas.net.tr/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...hmPXoJGMtsOvU+t/TNekRZPrvPUbgvQkHrY403rPtkio=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=...btgFkkCJ36pfCnwskDf83M2L1RCShYOi5yidIktfrk6E=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ihlas.de:8080
    R3 - URLSearchHook: (no name) - - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
    O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



    Thank you all very much, and please ask for any remiss info. :)



    EDIT: Here's the av app report, it shows that it found 2 other trojans, which it did and was able to fix, but it doesn't even show it as having seen this 3rd one, even though it keeps popping up asking us what to do with it. It is still not responding to commands to delete/wipe/ignore/access deny.



    Report file date: Saturday, February 18, 2006 01:14


    Jobname: 'Local Hard Disks'

    Scanning for 316424 virus strains and unwanted programs.

    Licensed to: AntiVir PersonalEdition Classic
    Serialnumber: 0000149996-WURGE-0001
    Platform: Windows XP
    Windowsversion: (Service Pack 1) [5.1.2600]
    Username: Didem Isik
    Computername: DIDEM-NB

    Versioninformations:
    AVSCAN.EXE : 7.0.0.21 528424 31.01.2006 09:54:48
    AVSCAN.DLL : 7.0.0.21 42536 31.01.2006 09:54:48
    LUKE.DLL : 7.0.0.21 114728 31.01.2006 09:54:48
    LUKERES.DLL : 7.0.0.21 27688 31.01.2006 09:54:48
    ANTIVIR0.VDF : 6.32.0.60 4323840 06.12.2005 09:47:34
    ANTIVIR1.VDF : 6.33.0.207 1160192 08.02.2006 07:09:40
    ANTIVIR2.VDF : 6.33.0.234 97280 17.02.2006 22:56:45
    ANTIVIR3.VDF : 6.33.1.4 52224 17.02.2006 22:56:45
    AVEWIN32.DLL : 6.33.0.36 1163776 17.02.2006 22:56:46
    AVPREF.DLL : 6.34.0.0 38440 18.01.2006 11:06:02
    AVREP.DLL : 6.33.1.0 2392104 17.02.2006 22:56:46
    AVPACK32.DLL : 6.33.0.6 331816 09.01.2006 08:03:38
    AVREG.DLL : 6.31.0.90 27688 28.07.2005 09:06:36
    NETNT.DLL : 6.32.0.0 6696 27.09.2005 06:56:50
    NETNW.DLL : 6.32.0.0 9768 27.09.2005 06:56:50


    Start of the scan: Saturday, February 18, 2006 01:14


    Start scanning boot sectors:

    Boot sector 'C:'
    [NOTE] No virus was found!

    Starting to scan the registry.

    The registry was scanned ( 22 files ).


    Starting the file scan:

    C:\hiberfil.sys
    [WARNING] The file could not be opened!
    C:\pagefile.sys
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\NTUSER.DAT
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\NTUSER.DAT.LOG
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Local Settings\Temp\Perflib_Perfdata_4f8.dat
    [WARNING] The file could not be opened!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Local Settings\Temp\ICD7.tmp\qames.exe
    [DETECTION] Is the Trojan horse TR/Dialer.LT.8
    [INFO] The file was deleted!
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Local Settings\Temp\ICD8.tmp\qames.exe
    [DETECTION] Is the Trojan horse TR/Dialer.LT.8
    [INFO] The file was moved to '44635988.qua'!
    C:\Documents and Settings\LocalService\NTUSER.DAT
    [WARNING] The file could not be opened!
    C:\Documents and Settings\LocalService\ntuser.dat.LOG
    [WARNING] The file could not be opened!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    [WARNING] The file could not be opened!
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    [WARNING] The file could not be opened!
    C:\Documents and Settings\NetworkService\NTUSER.DAT
    [WARNING] The file could not be opened!
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG
    [WARNING] The file could not be opened!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
    [WARNING] The file could not be opened!
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
    [WARNING] The file could not be opened!
    C:\WINDOWS\SoftwareDistribution\EventCache\{0D539F85-E7D2-40D4-9678-39A408FE7973}.bin
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\default
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\default.LOG
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\SAM
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\SAM.LOG
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\SECURITY
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\SECURITY.LOG
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\software
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\software.LOG
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\system
    [WARNING] The file could not be opened!
    C:\WINDOWS\system32\config\system.LOG
    [WARNING] The file could not be opened!


    End of the scan: Saturday, February 18, 2006 01:38
    Used time: 23:39 min

    The scan has been done completely.

    2157 Scanning directories
    146755 Files were scanned
    2 viruses and/or unwanted programs was found
    1 files were deleted
    0 files were repaired
    1 files were moved to quarantine
    0 files were renamed
    1082 Archives were scanned
    52 Warnings
    0 Notes
     
    Last edited: 2006/02/17
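    The HJT log above is the kind of thing a helper reads line by line: R0/R1 entries for the start page, search assistant and proxy, an R3 search hook with no file behind it, O2 browser helper objects and O4 autostart entries. As an added example (not from this thread and not HijackThis code), here is a small Python triage script that applies those checks to the posted lines. The sample log copies lines from the post verbatim; TRUSTED_HOSTS and TRUSTED_DIRS are assumed allowlists chosen for illustration, not an authority on what is safe.

```python
"""HijackThis (HJT) log triage. Constructed example for this thread, not
HijackThis code or any poster's. SAMPLE_LOG copies lines from the posted
log; TRUSTED_HOSTS and TRUSTED_DIRS are assumed allowlists."""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample: verbatim lines from the posted HJT log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihlas.net.tr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ihlas.de:8080
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
"""

# Assumed allowlists (illustration only; real triage uses a vetted list).
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}
TRUSTED_DIRS = (r"c:\windows",
                r"c:\program files\antivir personaledition classic",
                r"c:\program files\spybot - search & destroy")

Finding = namedtuple("Finding", "code reason line")  # code: HJT section or "Platform"

_ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def _launched_path(command):
    """Program path from a Run command line: a quoted path, or an unquoted
    path that may contain spaces (taken up to the first '.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def _in_trusted_dir(path):
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)

def _triage_r(code, data, line):
    """R0/R1/R3: start and search pages, proxy server, URL search hooks."""
    key, _, value = data.partition(" = ")
    setting = key.rsplit(",", 1)[-1]
    if setting == "ProxyServer":
        return Finding(code, f"proxy configured ({value}); confirm it is intentional", line)
    if value.lower().startswith("http"):
        host = urlparse(value).hostname or ""
        if host not in TRUSTED_HOSTS:
            return Finding(code, f"{setting} points to unlisted host {host}", line)
    if "(no file)" in data:
        return Finding(code, "orphaned hook: registered component has no file on disk", line)
    return None

def _triage_bho(code, data, line):
    """O2: Browser Helper Objects, loaded into every Internet Explorer process."""
    m = _BHO.match(data)
    if m and m["name"] == "(no name)":
        return Finding(code, f"unnamed BHO {m['clsid']} at {m['path']}; identify its file", line)
    if m and not _in_trusted_dir(m["path"]):
        return Finding(code, f"BHO outside trusted directories: {m['path']}", line)
    return None

def _triage_run(code, data, line):
    """O4: autostart entries under the Run keys."""
    m = _RUN.match(data)
    path = _launched_path(m["cmd"]) if m else None
    if path and "\\" not in path:
        return Finding(code, f"[{m['name']}] runs bare name {path} via PATH; inspect its arguments", line)
    if path and not _in_trusted_dir(path):
        return Finding(code, f"[{m['name']}] autostarts {path} from outside trusted directories", line)
    return None

_HANDLERS = {"R0": _triage_r, "R1": _triage_r, "R3": _triage_r,
             "O2": _triage_bho, "O4": _triage_run}

def triage(log):
    """Return the HJT entries an analyst should review, in log order."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Platform:"):
            sp = re.search(r"Windows XP(?: SP(\d))?", line)
            if sp and int(sp.group(1) or 0) < 2:
                findings.append(Finding("Platform", "Windows XP below SP2: patch the OS first", line))
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        code, data = m.groups()
        finding = _HANDLERS.get(code, lambda *a: None)(code, data, line)
        if finding:
            findings.append(finding)
    return findings
```

    Run on the sample, `triage()` returns eight findings: the SP1 platform line, the two browser pages pointing at hosts outside the allowlist, the proxy setting, the orphaned R3 hook, the unnamed BHO, and the two O4 entries (the RUNDLL32 one because a bare program name is resolved through PATH, the SpySpotter one because it lives outside the trusted directories). Two caveats worth keeping in mind: a "review" finding is not a verdict, and 8.3 short names such as C:\PROGRA~1\SPYBOT~1 defeat a string-prefix allowlist, which is why Spybot's own SDHelper.dll lands on the list; expand short names before comparing paths.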
  2. 2006/02/18
    noahdfear

    noahdfear Inactive

    Hi Meryem13,

    Couple of things I'd like you to do.

    1. Download WinPFind.zip and save to Local Disk C:

    Extract WinPFind.zip to its own folder in the Local Disk C: directory.
    Reboot your computer into Safe Mode. Logon to your user account, then open C:\WinPFind and double-click on WinPFind.exe.
    When the program is open, click on the 'Start Scan' button to start scanning your computer. Be patient as this scan may take a while.
    When it is done, it will show a log and tell you the scan is completed. Reboot your computer back to normal mode and post the contents of C:\WinPFind\WinPFind.txt

    2. Download "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in MSCRPLGN.DLL, then wait for it to complete the search and click OK at the prompt. When WordPad opens, copy that back here please.

    Note: The search log is not automatically saved, and will be gone when you close it if not saved first.
     

  4. 2006/02/19
    Meryem13

    Meryem13 Inactive Thread Starter

    Thank you for the help. You want to know how long it's been since I used windows? I had to google how to enter safe mode! :p *sigh*

    The Registry Search Tool didn't find anything (Search complete in 18 seconds, no instances of "mscrplgn.dll" found) so no log was shown.
    Here's the WinPFind Log:

    ªªªªªªªªªªªªªªªªª Windows OS and Versions ªªªªªªªªªªªªªªªªªªªªªªªªªªªªªªª
    Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
    Internet Explorer Version: 6.0.2800.1106

    ªªªªªªªªªªªªªªªªª Checking Selected Standard Folders ªªªªªªªªªªªªªªªªªªªª

    Checking %SystemDrive% folder...

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...
    PECompact2 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
    qoologic 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
    SAHAgent 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
    UPX! 2/15/2006 7:01:18 PM 176709 C:\WINDOWS\tsc.exe
    PECompact2 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\VPTNFILE.213
    qoologic 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\VPTNFILE.213
    SAHAgent 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\VPTNFILE.213
    UPX! 2/15/2006 7:01:18 PM 1077328 C:\WINDOWS\vsapi32.dll
    aspack 2/15/2006 7:01:18 PM 1077328 C:\WINDOWS\vsapi32.dll

    Checking %System% folder...
    PEC2 8/23/2001 2:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    PTech 7/12/2005 6:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
    PECompact2 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
    aspack 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
    Umonitor 8/29/2002 5:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/23/2001 2:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

    Checking %System%\Drivers folder and sub-folders...

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
    127.0.0.1 download.abetterinternet.com # ***Inserted By STOPzilla***


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    2/19/2006 4:24:58 PM S 2048 C:\WINDOWS\bootstat.dat
    2/19/2006 4:23:46 PM S 64 C:\WINDOWS\CSC\00000001
    2/17/2006 10:57:28 PM S 64 C:\WINDOWS\CSC\00000002
    2/3/2006 11:23:08 PM S 64 C:\WINDOWS\CSC\csc1.tmp
    1/12/2006 2:10:02 AM H 10820 C:\WINDOWS\Help\nocontnt.GID
    2/17/2006 9:15:56 PM H 0 C:\WINDOWS\inf\oem12.inf
    1/5/2006 3:30:02 AM H 0 C:\WINDOWS\LastGood\INF\oem11.inf
    1/5/2006 3:30:02 AM H 0 C:\WINDOWS\LastGood\INF\oem11.PNF
    2/17/2006 8:41:08 PM H 0 C:\WINDOWS\LastGood\INF\oem12.inf
    2/17/2006 8:41:08 PM H 0 C:\WINDOWS\LastGood\INF\oem12.PNF
    2/17/2006 9:16:04 PM H 0 C:\WINDOWS\LastGood\INF\oem13.inf
    2/17/2006 9:16:04 PM H 0 C:\WINDOWS\LastGood\INF\oem13.PNF
    2/17/2006 9:13:32 PM H 0 C:\WINDOWS\LastGood\INF\q823353.inf
    2/17/2006 9:13:32 PM H 0 C:\WINDOWS\LastGood\INF\q823353.PNF
    2/17/2006 9:15:58 PM H 0 C:\WINDOWS\LastGood\INF\q832483_271_winxpx.inf
    2/17/2006 9:15:58 PM H 0 C:\WINDOWS\LastGood\INF\q832483_271_winxpx.PNF
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_10.cab
    2/17/2006 9:17:08 PM RHS 25566 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_11.cab
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_12.cab
    2/17/2006 9:17:08 PM RHS 25530 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_13.cab
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_14.cab
    2/17/2006 9:17:08 PM RHS 26317 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_15.cab
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_16.cab
    2/17/2006 9:17:08 PM RHS 26387 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_17.cab
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_18.cab
    2/17/2006 9:17:08 PM RHS 26657 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_19.cab
    2/17/2006 9:17:08 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_20.cab
    2/17/2006 9:17:08 PM RHS 26652 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_21.cab
    2/17/2006 9:17:10 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_22.cab
    2/17/2006 9:17:10 PM RHS 26255 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_23.cab
    2/17/2006 9:17:10 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_24.cab
    2/17/2006 9:17:10 PM RHS 26108 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_25.cab
    2/17/2006 9:17:10 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_26.cab
    2/17/2006 9:17:10 PM RHS 26449 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_27.cab
    2/17/2006 9:17:10 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_28.cab
    2/17/2006 9:17:10 PM RHS 25853 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_29.cab
    2/17/2006 9:17:10 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_30.cab
    2/17/2006 9:17:12 PM RHS 26290 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_31.cab
    2/17/2006 9:17:12 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_32.cab
    2/17/2006 9:17:12 PM RHS 26383 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_33.cab
    2/17/2006 9:17:12 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_34.cab
    2/17/2006 9:17:12 PM RHS 26291 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_35.cab
    2/17/2006 9:17:12 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_36.cab
    2/17/2006 9:17:12 PM RHS 25896 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_37.cab
    2/17/2006 9:17:12 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_38.cab
    2/17/2006 9:17:12 PM RHS 26494 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_39.cab
    2/17/2006 9:17:12 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_40.cab
    2/17/2006 9:17:12 PM RHS 26229 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_41.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_42.cab
    2/17/2006 9:17:14 PM RHS 26467 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_43.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_44.cab
    2/17/2006 9:17:14 PM RHS 26283 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_45.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_46.cab
    2/17/2006 9:17:14 PM RHS 26320 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_47.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_48.cab
    2/17/2006 9:17:14 PM RHS 26284 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_49.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_50.cab
    2/17/2006 9:17:14 PM RHS 26290 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_51.cab
    2/17/2006 9:17:14 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_52.cab
    2/17/2006 9:17:14 PM RHS 26126 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_53.cab
    2/17/2006 9:17:16 PM RHS 10470 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_54.cab
    2/17/2006 9:17:04 PM RHS 26173 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_8.cab
    2/17/2006 9:17:06 PM RHS 25959 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_9.cab
    1/3/2006 1:17:06 PM S 8792 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911564.cat
    1/4/2006 7:39:38 AM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB911927.cat
    1/3/2006 1:09:36 AM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
    1/13/2006 9:28:32 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB913446.cat
    2/19/2006 4:24:48 PM H 8192 C:\WINDOWS\system32\config\default.LOG
    2/19/2006 4:25:24 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
    2/19/2006 4:25:02 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
    2/19/2006 4:26:08 PM H 77824 C:\WINDOWS\system32\config\software.LOG
    2/19/2006 4:25:04 PM H 765952 C:\WINDOWS\system32\config\system.LOG
    2/17/2006 7:57:16 PM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
    1/27/2006 11:23:18 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\87c37bf2-bcff-4d9d-a51b-130a0fb189e7
    1/27/2006 11:23:18 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
    2/19/2006 4:23:46 PM H 6 C:\WINDOWS\Tasks\SA.DAT

    Checking for CPL files...
    Microsoft Corporation 8/23/2001 2:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
    Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    NVIDIA Corporation 6/24/2003 5:32:00 PM 143360 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
    GemTek Corporation 10/12/2001 12:04:52 AM 322592 C:\WINDOWS\SYSTEM32\PRISMCFG.cpl
    Apple Computer, Inc. 12/15/1995 2:10:00 AM R 342016 C:\WINDOWS\SYSTEM32\QTW32.CPL
    Microsoft Corporation 8/29/2002 5:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/29/2002 5:41:28 AM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
    NVIDIA Corporation 6/28/2002 2:08:00 PM 106496 C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\nvtuicpl.cpl

    ªªªªªªªªªªªªªªªªª Checking Selected Startup Folders ªªªªªªªªªªªªªªªªªªªªª

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    3/9/2003 5:58:14 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    3/9/2003 9:48:50 PM 1735 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    2/8/2006 11:54:30 PM 305 C:\Documents and Settings\All Users\Application Data\addr_file.html
    3/9/2003 7:42:50 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    3/9/2003 5:58:14 PM HS 84 C:\Documents and Settings\Didem Isik.DIDEM-NB\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    3/9/2003 7:42:50 PM HS 62 C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\desktop.ini
    9/19/2004 12:54:56 AM 19864 C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\GDIPFONTCACHEV1.DAT

    ªªªªªªªªªªªªªªªªª Checking Selected Registry Keys ªªªªªªªªªªªªªªªªªªªªªªª

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
    {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Shell Extension for Malware scanning
    {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = C:\Program Files\AntiVir PersonalEdition Classic\shlext.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
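    The WinPFind output above tags each file in the checked folders with the heuristic strings that matched it (packer signatures such as UPX!, aspack and PECompact2, plus vendor-specific strings like qoologic or SAHAgent) and lists overrides found in the hosts file. As an added example, not from this thread and not WinPFind's own code, here is a Python summariser that groups hits by file, lists the files that tripped more than one string, groups paths that share size and timestamp (probable copies of one file, as LPT$VPN.213 and VPTNFILE.213 do here), and extracts the hosts entries. The sample copies lines from the posted log; the grouping rules and the threshold are assumptions for illustration.

```python
"""WinPFind log summary. Constructed example for this thread, not WinPFind's
code or any poster's. SAMPLE_WINPFIND copies lines from the posted log;
the grouping rules below are assumptions chosen for illustration."""
import re
from collections import defaultdict, namedtuple

# Constructed sample: verbatim lines from the posted WinPFind log.
SAMPLE_WINPFIND = r"""
Checking %WinDir% folder...
PECompact2 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
qoologic 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
SAHAgent 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\LPT$VPN.213
UPX! 2/15/2006 7:01:18 PM 176709 C:\WINDOWS\tsc.exe
PECompact2 2/15/2006 7:01:18 PM 17671229 C:\WINDOWS\VPTNFILE.213
UPX! 2/15/2006 7:01:18 PM 1077328 C:\WINDOWS\vsapi32.dll
aspack 2/15/2006 7:01:18 PM 1077328 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/23/2001 2:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PECompact2 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 2/7/2006 9:28:40 PM 4513120 C:\WINDOWS\SYSTEM32\MRT.exe

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
127.0.0.1 download.abetterinternet.com # ***Inserted By STOPzilla***
"""

# One heuristic-string hit line: <string> <date> <time> <size> <path>.
Hit = namedtuple("Hit", "section tag mtime size path")
HostsEntry = namedtuple("HostsEntry", "ip host comment")
Report = namedtuple("Report", "hits hosts")

_HIT = re.compile(r"^(?P<tag>\S+) (?P<date>\d{1,2}/\d{1,2}/\d{4}) "
                  r"(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<size>\d+) (?P<path>[A-Za-z]:\\.+)$")
_HOSTS = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)(?:\s*#\s*(?P<comment>.*))?$")

def parse(log):
    """Collect heuristic-string hits per folder section plus hosts overrides.
    Other sections (hidden-file listings, CPL files, registry dumps) are skipped."""
    section, in_hosts, hits, hosts = None, False, [], []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Checking ") and line.endswith("..."):
            section, in_hosts = line[len("Checking "):-3].strip(), False
            continue
        if line.startswith("Items found in ") and line.lower().endswith("hosts"):
            in_hosts = True
            continue
        m = _HOSTS.match(line) if in_hosts else _HIT.match(line)
        if m and in_hosts:
            hosts.append(HostsEntry(m["ip"], m["host"], (m["comment"] or "").strip()))
        elif m:
            hits.append(Hit(section, m["tag"], f"{m['date']} {m['time']}", int(m["size"]), m["path"]))
    return Report(hits, hosts)

def tags_by_file(report):
    """Which heuristic strings fired on each file, in log order."""
    by_path = defaultdict(list)
    for h in report.hits:
        by_path[h.path].append(h.tag)
    return dict(by_path)

def multi_signature_files(report, threshold=2):
    """Files that tripped at least `threshold` distinct strings; a packer plus a
    vendor-specific string on one file is the first place to look."""
    return sorted(p for p, tags in tags_by_file(report).items() if len(set(tags)) >= threshold)

def same_content_candidates(report):
    """Distinct paths sharing size and timestamp: probable copies of one file."""
    groups = defaultdict(set)
    for h in report.hits:
        groups[(h.size, h.mtime)].add(h.path)
    return sorted(sorted(paths) for paths in groups.values() if len(paths) > 1)
```

    On the sample this lists LPT$VPN.213, vsapi32.dll and MRT.exe as multi-hit files, pairs LPT$VPN.213 with VPTNFILE.213 (same 17671229 bytes, same timestamp) and returns the single hosts override. A packer string by itself is not a verdict: MRT.exe and dfrg.msc are ordinary Windows files that match packer signatures too. The output is a reading order for the analyst, who then confirms each file by publisher signature or by checking its hash against a known-file database, and decides whether a hosts entry that blackholes a download site was put there by a security tool, as the comment on this one claims, or by something else.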
     
  5. 2006/02/19
    Meryem13

    Meryem13 Inactive Thread Starter

    sorry it didn't all fit into one post... continued:


    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
    = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = %SystemRoot%\System32\shdocvw.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    MenuText = Sun Java Console : C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
    ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
    {EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Toolbar :

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    RAM Idle C:\Program Files\Customizer XP\RAM_2K.exe
    SpySpotter System Defender C:\Program Files\SpySpotter3\Defender.exe -startup
    nwiz nwiz.exe /installquiet
    avgnt "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    CTFMON.EXE C:\WINDOWS\System32\ctfmon.exe
    SpybotSD TeaTimer C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
    system.ini 0
    win.ini 0
    bootini 0
    services 0
    startup 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145
    NoInstrumentation 0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    NoDispAppearancePage 0
    NoDispBackgroundPage 0
    NoDispScrSavPage 0
    NoDispSettingsPage 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    Shell = Explorer.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 2/19/2006 4:32:49 PM
     
  6. 2006/02/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please do a reg search for the following two items and post both results.

    6DFD7C5C-2451-11d3-A299-00C04F8EF6AF
    0DF44EAA-FF21-4412-828E-260A8728E7F1


    Please download the Killbox by Option^Explicit.

    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the filepath below and paste it into Killbox:

      C:\MSCRPLGN.DLL
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    See if your AV is still detecting the rogue file and let me know.
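
An added example, not part of this post or of the RegSrch.vbs script whose output appears later in the thread: the same kind of registry search done in PowerShell (2.0 or later, so it also runs on an XP machine that has PowerShell installed). `Find-RegistryString` walks HKLM\SOFTWARE and HKCU\Software and reports every key name, value name or value data containing the GUID; because the Toolbar\WebBrowser values in the later results store the GUID as REG_BINARY in `[guid]::ToByteArray()` byte order, it also matches that byte form. `Get-ClsidServer` is a helper name chosen for this example; it resolves the CLSID to the DLL it loads and reports the DLL's Authenticode status, which is the check that lets you call a hit "good" rather than merely "present".

```powershell
# Added example (not from the thread): registry search for a GUID, plus a check of
# what a CLSID actually loads. Works in Windows PowerShell 2.0 and later.

function Find-RegistryString {
    param(
        [Parameter(Mandatory=$true)][string]$Needle,
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKCU:\Software')
    )
    $needleText = $Needle.ToLowerInvariant()
    # A GUID stored as REG_BINARY (as in the Toolbar\WebBrowser values) uses the
    # byte order [guid]::ToByteArray() produces, so search for that form too.
    $needleHex = $null
    try { $needleHex = -join (([guid]$Needle).ToByteArray() | ForEach-Object { $_.ToString('x2') }) } catch { }

    foreach ($root in $Roots) {
        $keys = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # $key.Name is the full HKEY_... path, as regedit and RegSrch.vbs print it
            if ($key.Name.ToLowerInvariant().Contains($needleText)) {
                New-Object PSObject -Property @{ Key = $key.Name; ValueName = ''; Data = ''; MatchedIn = 'KeyName' }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = $key.GetValue($valueName)
                $hit = $valueName.ToLowerInvariant().Contains($needleText)
                if ($data -is [byte[]]) {
                    $text = -join ($data | ForEach-Object { $_.ToString('x2') })
                    if ($needleHex -and $text.Contains($needleHex)) { $hit = $true }
                } else {
                    $text = [string]$data
                    if ($text.ToLowerInvariant().Contains($needleText)) { $hit = $true }
                }
                if ($hit) {
                    New-Object PSObject -Property @{ Key = $key.Name; ValueName = $valueName; Data = $text; MatchedIn = 'Value' }
                }
            }
        }
    }
}

# Helper name chosen for this example: resolve a CLSID to its in-process server DLL
# and check the DLL's Authenticode signature. The shell CLSIDs asked about here
# should resolve to signed Windows DLLs; a hijacked CLSID points somewhere else.
function Get-ClsidServer {
    param([Parameter(Mandatory=$true)][string]$Clsid)
    $guid = '{' + ([guid]$Clsid).ToString().ToUpperInvariant() + '}'
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $server = Join-Path $hive ($guid + '\InprocServer32')
        if (-not (Test-Path -LiteralPath $server)) { continue }
        $raw = (Get-ItemProperty -LiteralPath $server).'(default)'
        if (-not $raw) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
        $status = if (Test-Path -LiteralPath $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        New-Object PSObject -Property @{ Clsid = $guid; Hive = $hive; Server = $dll; Signature = $status }
    }
}

# Usage on the two GUIDs asked about above: one row per registry hit, then one row
# per server DLL found for the CLSID (none if the CLSID has no InprocServer32).
foreach ($g in '6DFD7C5C-2451-11d3-A299-00C04F8EF6AF', '0DF44EAA-FF21-4412-828E-260A8728E7F1') {
    Find-RegistryString -Needle $g | Format-Table Key, ValueName, Data, MatchedIn -AutoSize
    Get-ClsidServer -Clsid $g | Format-Table Clsid, Server, Signature -AutoSize
}
```

A full walk of HKLM\SOFTWARE takes a few minutes and throws access errors on protected keys, which the `-ErrorAction SilentlyContinue` absorbs; a shell-folder CLSID that has no InprocServer32 simply produces no server row, and that absence is itself worth noting when a CLSID you do not recognise appears in a policy key.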
     
  7. 2006/02/19
    Meryem13

    Meryem13 Inactive Thread Starter

    Joined:
    2004/06/15
    Messages:
    7
    Likes Received:
    0
    Reg Search for 6DFD7C5C-2451-11d3-A299-00C04F8EF6AF:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "6dfd7c5c-2451-11d3-a299-00c04f8ef6af" 2/19/2006 9:34:13 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\DefaultIcon]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\Open\Command]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\Shell\RunAs\Command]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}\ShellFolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
    "{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} "=dword:40000021





    Reg Search for 0DF44EAA-FF21-4412-828E-260A8728E7F1:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "0df44eaa-ff21-4412-828e-260a8728e7f1" 2/19/2006 9:37:34 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\DefaultIcon]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\Shell\Open\Command]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DF44EAA-FF21-4412-828E-260A8728E7F1}\ShellFolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{0DF44EAA-FF21-4412-828E-260A8728E7F1}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1} "=dword:00000020

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{0DF44EAA-FF21-4412-828E-260A8728E7F1} "= "Taskbar and Start Menu "



    I ran Killbox and it gave me a "PendingFileRenameOperations Registry has been removed by External Process" prompt!!!! :eek:
     
  8. 2006/02/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Is the file C:\MSCRPLGN.DLL visible? If so, please download and install Move-on-Boot. It will add a right click option for files, to delete on the next reboot. Use it to tag that file and reboot.

    Results of those reg searches are good. Please do the next two as well.

    2318C2B1-4965-11D4-9B18-009027A5CD4F
    42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6
     
  9. 2006/02/19
    Meryem13

    Meryem13 Inactive Thread Starter

    Joined:
    2004/06/15
    Messages:
    7
    Likes Received:
    0
    No, I haven't been able to locate C:\MSCRPLGN.DLL on the computer, even with hidden files shown. Also, it doesn't say "c:\mscr... ", it says "c:\:mscr... ", don't know if that's a clue of some sort.

    RegSearch result for 2318C2B1-4965-11D4-9B18-009027A5CD4F:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "2318c2b1-4965-11d4-9b18-009027a5cd4f" 2/19/2006 10:56:05 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\S-1-5-21-1123561945-1383384898-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{2318C2B1-4965-11D4-9B18-009027A5CD4F} "=hex:b1,c2,18,23,65,49,d4,11,9b,18,00,\



    RegSearch result for 42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "42cdd1bf-3ffb-4238-8ad1-7859df00b1d6" 2/19/2006 10:57:51 PM

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "=hex:bf,d1,cd,42,fb,3f,38,42,8a,d1,78,\

    [HKEY_USERS\S-1-5-21-1123561945-1383384898-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "=hex:bf,d1,cd,42,fb,3f,38,42,8a,d1,78,\

    [HKEY_USERS\S-1-5-21-1123561945-1383384898-854245398-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "=hex:bf,d1,cd,42,fb,3f,38,42,8a,d1,78,\

    [HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} "=hex:bf,d1,cd,42,fb,3f,38,42,8a,d1,78,\
     
  10. 2006/02/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm satisfied with those reg search results as well.

    SpySpotter is on the rogue applications list and I recommend it be uninstalled via Add/Remove Programs.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Right click the desktop and create a new folder named HJT. Drag HijackThis.exe to the folder and run it from there. Scan again and place a check next to the following items if present, close all other windows and click Fix Checked.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...kHrY403rPtkio=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.com/dp/search?x=w...yi dIktfrk6E=
    R3 - URLSearchHook: (no name) - - (no file)
    O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup

    Close HJT.

    Try using Killbox again using C:\:Mscrplgn.dll
    If it does not work, use the following method

    Please boot into safe mode, logon to your user account, click Start>run and type cmd then hit enter. Type the following commands (note spaces) and hit enter after each.

    attrib -r -h C:\:Mscrplgn.dll
    del /q C:\:Mscrplgn.dll
    attrib -r -h C:\:Comxt.exe
    del /q C:\:Comxt.exe


    Close the command window.

    The following needs to be done regardless of whether killbox was successful or command line was used (while in safe mode)

    Click Start>run and type the following commands, hitting enter after each.

    sc stop comxt
    sc delete comxt


    Open C:\Program Files and delete the folder SpySpotter3
    Open C:\windows\temp, select all from Edit on the toolbar then delete.
    Open C:\windows\prefetch (hidden folder), click the file layout.ini once to select (or just point at it to select if files are set to open with 1 click), click Edit>invert selection, then delete.
    Open My Computer and right click on Local Disk C: then select properties. Click Disk Cleanup, then when the selection window comes up, check all boxes and click OK. Be patient as sometimes this process can take a long time.

    Reboot back into normal mode and let me know how things are working. Is the infected file still found by the AV?

    Please go HERE to run Panda's ActiveScan
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on My Computer to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the ActiveScan report along with a fresh HJT log.
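
An added example, not part of noahdfear's instructions: the `C:\:Mscrplgn.dll` spelling the AV reports (with the extra colon Meryem13 noticed) is the syntax Windows uses for an NTFS alternate data stream, here a stream named `Mscrplgn.dll` attached to the root directory of C:. A named stream never appears in Explorer, even with hidden files shown, and file-search tools that walk directory entries cannot find it, which is consistent with what Killbox reported. The script below lists the named streams on a path through the `FindFirstStreamW` API and deletes a chosen one through `DeleteFileW`, which accepts the `path:stream` form. `Get-NtfsStream` and `Remove-NtfsStream` are names chosen for this example; it runs on Windows PowerShell 2.0 and later, so it also applies to an XP machine with PowerShell installed (the Sysinternals Streams utility does the same job there without scripting).

```powershell
# Added example (not from the thread): list and delete NTFS alternate data streams.
# "C:\:Mscrplgn.dll" names a stream called Mscrplgn.dll attached to the root
# directory of C:, invisible to Explorer and to a plain DIR listing.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtfsStreams {
    // WIN32_FIND_STREAM_DATA: LARGE_INTEGER size + WCHAR name[MAX_PATH + 36]
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct WIN32_FIND_STREAM_DATA {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string cStreamName;
    }
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr FindFirstStreamW(string fileName, int infoLevel, out WIN32_FIND_STREAM_DATA data, int flags);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool FindNextStreamW(IntPtr handle, out WIN32_FIND_STREAM_DATA data);
    [DllImport("kernel32.dll")]
    public static extern bool FindClose(IntPtr handle);
    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern bool DeleteFileW(string fileName);
}
"@

function Get-NtfsStream {
    param([Parameter(Mandatory=$true)][string]$Path)
    $data = New-Object -TypeName 'NtfsStreams+WIN32_FIND_STREAM_DATA'
    $h = [NtfsStreams]::FindFirstStreamW($Path, 0, [ref]$data, 0)   # 0 = FindStreamInfoStandard
    if ($h.ToInt64() -eq -1) { return }   # INVALID_HANDLE_VALUE: no streams, not NTFS, or path missing
    try {
        do {
            # Names come back as ":name:$DATA"; "::$DATA" is the ordinary content stream
            # of a file. A directory has no "::$DATA", so anything on C:\ is a named stream.
            if ($data.cStreamName -ne '::$DATA') {
                $name = $data.cStreamName -replace '^:', '' -replace ':\$DATA$', ''
                New-Object PSObject -Property @{ Path = $Path; Stream = $name; Length = $data.StreamSize }
            }
        } while ([NtfsStreams]::FindNextStreamW($h, [ref]$data))
    } finally {
        [void][NtfsStreams]::FindClose($h)
    }
}

function Remove-NtfsStream {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Stream
    )
    # Refuse the unnamed stream: deleting "path::$DATA" would empty the file itself.
    if ($Stream -eq '' -or $Stream -match '^:?:\$DATA$') { throw 'Refusing to delete the primary data stream.' }
    # "C:\" + ":" + "Mscrplgn.dll" gives "C:\:Mscrplgn.dll"; DeleteFileW removes only that stream.
    $target = $Path + ':' + $Stream
    if (-not [NtfsStreams]::DeleteFileW($target)) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "DeleteFileW failed for $target (Win32 error $err)"
    }
    $target
}

# Usage for the case in this thread: list every named stream on the root of C:,
# then remove the two named in the instructions above if they are present.
# Zone.Identifier (the Mark-of-the-Web stream on downloads) is expected and benign.
$streams = Get-NtfsStream -Path 'C:\'
$streams | Format-Table Path, Stream, Length -AutoSize
foreach ($s in $streams) {
    if ($s.Stream -eq 'Mscrplgn.dll' -or $s.Stream -eq 'Comxt.exe') {
        "Removed " + (Remove-NtfsStream -Path 'C:\' -Stream $s.Stream)
    }
}
```

A stream that a running service or process has mapped cannot be deleted until that process is stopped, so the `sc stop comxt` step belongs before the removal rather than after it; and if you want to keep a copy for analysis first, read it as a file (`C:\:Mscrplgn.dll` opens like any other path in a hex editor or with `copy`) before deleting. To sweep a whole volume rather than just the root, feed `Get-ChildItem -Recurse -Force` paths into `Get-NtfsStream` and filter out `Zone.Identifier`.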
     
  11. 2006/04/16
    Meryem13

    Meryem13 Inactive Thread Starter

    Joined:
    2004/06/15
    Messages:
    7
    Likes Received:
    0
    So sorry I never got back to you on this! Life decided to catch up with me and I completely lost track of everything.

    I did not see SpySpotter in the Add/Remove Programs List.

    I was able to fix those 4 things using HJT.

    I tried to search for the file again using KillBox, but it said it was unable to find it.

    I went into safe mode and tried to use the commands you gave me, but for each one it said that it couldn't find the files.

    I didn't see a folder named SpySpotter in Program Files.

    This all made me think that perhaps the AV program I'm using isn't as good as it used to be, so I deleted it and downloaded a new one called Avast! (www.avast.com) I learned about from a friend who I trust in these matters.

    I cleaned out the Temp and Prefetch folders like you said and ran the Disk Clean Up. I rebooted in normal mode. I installed Avast and ran a scan, it found no infected files. This makes me think that there was a glitch in the free-av program I was using before. I also re-ran the spyware finders.

    I had to disable the new AV program in order to download Panda's Active Scan, it said it was a virus. *sigh* I hate these compatibility issues.

    Still, here's a fresh HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:29:31 PM, on 4/16/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Customizer XP\RAM_2K.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\Didem Isik.DIDEM-NB\Desktop\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ihlas.net.tr/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ihlas.de:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [RAM Idle] C:\Program Files\Customizer XP\RAM_2K.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    And the Panda Scan:

    Incident Status Location

    Adware:adware/gator Not disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
    Adware:adware/cws Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Favorites\Fun & Games
    Potentially unwanted tool:application/mywebsearch Not disinfected HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
    Adware:adware/dyfuca Not disinfected Windows Registry
    Dialer:dialer.ok Not disinfected HKEY_CLASSES_ROOT\Interface\{66BD1BD0-3655-42E4-8CE9-16D3613B0B25}
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@adopt.hbmediapro[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@com[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@toplist[1].txt
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\Mozilla\Firefox\Profiles\frf7oq7v.default\cookies.txt[.adopt.hbmediapro.com/]
    Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\Mozilla\Firefox\Profiles\frf7oq7v.default\cookies.txt[.bravenet.com/]
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\Mozilla\Firefox\Profiles\frf7oq7v.default\cookies.txt[.com.com/]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Application Data\Mozilla\Firefox\Profiles\frf7oq7v.default\cookies.txt[]
    Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@adopt.hbmediapro[2].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@com[2].txt
    Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Didem Isik.DIDEM-NB\Cookies\didem isik@toplist[1].txt
     
