
Vundo Trojan In Registry Key. Can't Open Registry Nor Any File


  • This topic is locked
12 replies to this topic

#1 alexpatel

alexpatel

  • Members
  • 17 posts

Posted 15 April 2007 - 01:34 PM

I have the Vundo trojan in my registry. I tried Vundofix.exe, fixvundo.exe and many other programs. Vundofix.exe removed Vundo from regular files but was unable to remove it from the registry.

Also, I can't open any file on the desktop or under Start > Programs. All of my icons changed and are missing their supporting program. If I click on any file on the desktop or under Start > Programs, a window pops up saying the following:

"Windows cannot open this file:
File: filename with LNK extension (all of my programs have the .lnk extension)
To open this file, Windows needs to know what program created it. Windows can go online to look it up automatically or you can manually select from a list of programs on your computer"

I tried Spybot, Ad-Aware, Trend Micro (HouseCall), etc. The problem is that it is hard to remove viruses, trojans, etc. from the registry. Programs in Control Panel don't work, so I can't even open Add or Remove Programs. I tried System Restore from the Safe Mode command prompt, but that doesn't work either. Please help me.

Here is the logfile from HijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 2:11:17 PM, on 4/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\mdbfuwyy.dll (file missing)
O2 - BHO: (no name) - {93B08C4C-9360-4884-A661-F45C467E290A} - C:\WINDOWS\System32\tuvsp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.cricinfo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/171859a8b37f6f...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172086831463
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rqromjj - rqromjj.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)
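A helper reads a HijackThis log like the one above by hand, but the pattern it shows is mechanical: O2 and O20 entries whose DLL is marked "(file missing)" are registry load points that survived after VundoFix deleted the files. The script below is an added example for this thread, not a BleepingComputer or HijackThis tool. It parses the O2/O20/O23 lines and flags orphaned and suspicious load points. The sample lines are copied from the log above; the KNOWN_GOOD set is an assumption standing in for entries a helper has already vetted.

```python
"""Flag orphaned and suspicious load points in a HijackThis 1.99.1 log.

Added example for this thread; not a BleepingComputer or HijackThis tool.
SAMPLE_LOG lines are copied from the log posted above. KNOWN_GOOD is an
assumption standing in for entries a helper has already verified.
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\mdbfuwyy.dll (file missing)
O2 - BHO: (no name) - {93B08C4C-9360-4884-A661-F45C467E290A} - C:\WINDOWS\System32\tuvsp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rqromjj - rqromjj.dll (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
"""

# "<code> - <body> (file missing)": section code, body, optional marker.
ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*?)(?P<missing> \(file missing\))?$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)

# Assumption: lower-case basenames the helper has already vetted.
KNOWN_GOOD = {"sdhelper.dll", "saswinlo.dll"}


@dataclass
class Finding:
    code: str      # HijackThis section (O2, O20, O23)
    target: str    # lower-case basename of the file the load point names
    severity: str  # high / medium / low
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].strip().lower()


def triage(log_text: str) -> list[Finding]:
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        code, body, missing = m["code"], m["body"], bool(m["missing"])
        if code == "O2":
            # "BHO: <label> - {CLSID} - <path>"; maxsplit keeps " - " inside paths intact.
            label, _clsid, path = (body.split(" - ", 2) + ["", ""])[:3]
            name = _basename(path)
            if name in KNOWN_GOOD:
                continue
            if missing:
                findings.append(Finding(code, name, "high",
                    "BHO CLSID still registered but its DLL is gone; the key is "
                    "what gets re-populated if the file comes back"))
            elif "(no name)" in label and SYSTEM32.search(path):
                findings.append(Finding(code, name, "medium",
                    "unnamed BHO loading from System32; legitimate BHOs normally "
                    "register a name and live under Program Files"))
        elif code == "O20":
            # "Winlogon Notify: <package> - <dll>"
            _pkg, dll = (body.split(" - ", 1) + [""])[:2]
            name = _basename(dll)
            if name in KNOWN_GOOD:
                continue
            if missing:
                findings.append(Finding(code, name, "high",
                    "Winlogon Notify package points at a deleted DLL; winlogon.exe "
                    "loads it again the moment the file is restored"))
            elif "\\" not in dll:
                findings.append(Finding(code, name, "medium",
                    "Winlogon Notify DLL given as a bare filename, resolved from the "
                    "system search path rather than a fixed location"))
        elif code == "O23":
            # "Service: <display> (<name>) - <owner> - <path>"
            _svc, owner, path = (body.split(" - ", 2) + ["", ""])[:3]
            if missing and owner == "Unknown owner":
                findings.append(Finding(code, _basename(path), "low",
                    "service registered for a file that no longer exists; usually "
                    "an uninstall leftover, but confirm before ignoring it"))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f.severity):
        print(f"{f.severity:6} {f.code:4} {f.target:14} {f.reason}")
```

Everything flagged "high" here is a registry key whose file is already gone, which is the state the first post describes: the DLLs were deleted but the BHO and Winlogon Notify keys remain. Treat the O20 entry as the priority when cleaning up: a Winlogon Notify package is loaded by winlogon.exe at logon, before any user-mode scanner is running.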


#2 sjpritch25

sjpritch25

  • Security Colleague
  • 903 posts
  • Gender:Male
  • Location:West Coast of Florida, USA

Posted 16 April 2007 - 08:47 PM

Welcome to BC :thumbsup:

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Files Created Within group click 30 days
    • In the Files Modified Within group select 30 days
    • In the File String Search group select Non-Microsoft
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and copy/paste the information back here. I will review it when it comes in.
Microsoft MVP Consumer Security--2007-2010
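WinPFind3U writes one line per item in the form "name -> path -> vendor [Ver = ... | Size = ... | Created Date = ... | Attr = ...]", which is the report the reply above asks for and the one posted in the next reply. The script below is an added example for this thread, not part of the thread or of OldTimer's tool. It parses that format and flags the three things in that report that a practitioner would want a second look at: modules in System32 with no vendor, no version and a random lower-case name; hidden+system .ini files of over 1 MB in System32; and a hidden+system folder under %SystemRoot% whose name is valid base64 (in the posted report, aGV0dWR5 decodes to "hetudy", the logged-in user). The sample lines are copied from that report; the 5-8 letter name pattern and the 1 MB threshold are assumptions chosen from what it shows.

```python
"""Triage a WinPFind3U report for the artifacts seen in this thread.

Added example for this thread; not a BleepingComputer or OldTimer tool.
SAMPLE_REPORT lines are copied from the report posted in this thread.
The name heuristic (5-8 random lower-case letters) and the 1 MB .ini
threshold are assumptions chosen from what that report shows.
"""
import base64
import binascii
import re
from dataclasses import dataclass

SAMPLE_REPORT = r"""
Current User Name: hetudy
[Files/Folders - Created Within 30 days]
CMMGR32.EXE -> %System32%\CMMGR32.EXE -> [Ver = | Size = 0 bytes | Created Date = 4/2/2007 7:35:36 PM | Attr = ]
eoqsfle.dll -> %System32%\eoqsfle.dll -> [Ver = | Size = 63488 bytes | Created Date = 4/1/2007 8:30:57 AM | Attr = ]
fhkjihwb.ini -> %System32%\fhkjihwb.ini -> [Ver = | Size = 1633745 bytes | Created Date = 4/6/2007 8:32:39 PM | Attr = HS]
GPhotos.scr -> %System32%\GPhotos.scr -> Google Inc. [Ver = 2.0.0.1067 | Size = 2784264 bytes | Created Date = 3/23/2007 1:29:18 PM | Attr = ]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 4/15/2007 8:16:57 AM | Attr = ]
ngzxeu.dll -> %System32%\ngzxeu.dll -> [Ver = | Size = 64000 bytes | Created Date = 4/1/2007 7:05:11 PM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 4/15/2007 8:09:21 AM | Attr = ]
VundoFixSVC.exe -> %System32%\VundoFixSVC.exe -> Atribune.org [Ver = 1.00.0002 | Size = 24576 bytes | Created Date = 4/14/2007 6:57:10 PM | Attr = ]
yuwztyh.dll -> %System32%\yuwztyh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 7:05:10 PM | Attr = ]
zbaiynh.dll -> %System32%\zbaiynh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 8:30:57 AM | Attr = ]
[Files/Folders - Modified Within 30 days]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 4/1/2007 9:50:02 AM | Attr = HS]
aGV0dWR5 -> %SystemRoot%\aGV0dWR5 -> [Folder | Modified Date = 4/1/2007 7:25:24 PM | Attr = HS]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 4/17/2007 8:41:22 AM | Attr = ]
"""

LINE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>.*?)\s*\[(?P<fields>.*)\]$")
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.(dll|exe)$")   # assumption: random-letter names
USER_LINE = re.compile(r"^Current User Name:\s*(\S+)", re.MULTILINE)
BIG_INI = 1_000_000  # assumption: bytes; real .ini files are a few KB


@dataclass
class Hit:
    path: str
    severity: str
    reason: str


def parse_entry(line: str):
    """Split one 'name -> path -> vendor [k = v | ...]' line; None if it is not one."""
    m = LINE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for part in m["fields"].split(" | "):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k.strip()] = v.strip()
        else:
            flags.add(part.strip())          # bare words such as "Folder"
    return {"name": m["name"], "path": m["path"], "vendor": m["vendor"].strip(),
            "fields": fields, "is_folder": "Folder" in flags}


def size_bytes(fields) -> int:
    first = fields.get("Size", "").split()
    return int(first[0]) if first and first[0].isdigit() else -1


def decode_b64_name(name: str):
    """Return the printable-ASCII plaintext if name is valid base64, else None."""
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except binascii.Error:
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def scan(report: str) -> list[Hit]:
    m = USER_LINE.search(report)
    user = m.group(1).lower() if m else None
    hits = []
    for line in report.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        attr = e["fields"].get("Attr", "")
        hidden_system = "H" in attr and "S" in attr
        lname = e["name"].lower()
        if e["is_folder"]:
            decoded = decode_b64_name(e["name"])
            if hidden_system and decoded:
                sev = "high" if user and decoded.lower() == user else "medium"
                hits.append(Hit(e["path"], sev,
                    f"hidden+system folder whose name is base64 for {decoded!r}"
                    + (" (the logged-in user)" if sev == "high" else "")))
            continue
        if not e["path"].lower().startswith("%system32%\\"):
            continue
        unsigned = not e["vendor"] and not e["fields"].get("Ver")
        if unsigned and RANDOM_NAME.match(lname):
            hits.append(Hit(e["path"], "high",
                "module with no vendor, no version and a random lower-case name"))
        elif lname.endswith(".ini") and hidden_system and size_bytes(e["fields"]) > BIG_INI:
            hits.append(Hit(e["path"], "medium",
                "hidden+system data file over 1 MB with no owner; not a normal .ini"))
        elif lname.endswith((".exe", ".dll", ".sys")) and size_bytes(e["fields"]) == 0:
            hits.append(Hit(e["path"], "low", "zero-byte executable; damaged or a placeholder"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_REPORT):
        print(f"{h.severity:6} {h.path:32} {h.reason}")
```

Feed it the whole report (`scan(open("WinPFind.txt").read())`) rather than a section, so the "Current User Name" header is available for the base64 comparison. An empty vendor column only means the file carries no version resource, not that it is unsigned or malicious; libeay32_0.9.6l.dll in the sample is left alone because of its name, not because it has been verified, so the output is a triage list for a helper to check, not a delete list.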

#3 alexpatel

alexpatel
  • Topic Starter

  • Members
  • 17 posts

Posted 17 April 2007 - 10:03 PM

Thank you for all your help. Please find below the report generated after running winpfind3u.exe. Also, I want to tell you that every time I click on any icon on the desktop it tells me I don't have an associated program. To open it I have to right-click on the icon and then click on Run As, and then a window pops up asking which account I want to use to open the program, and I select the current user, hetudy (hetudy is my computer name). I had to do the same thing before extracting the winpfind3u zip file. In the Control Panel folder I can't open any icon. If I right-click on an icon it doesn't even give the option Run As, so I can't open anything at all in Control Panel.

I have also removed the Vundo trojan from the registry manually. I downloaded XoftSpy SE and scanned with it. XoftSpy detected Vundo in the registry but didn't remove it. To remove it I needed to buy their premium software, which I didn't buy. But XoftSpy told me where in the registry the Vundo trojan was, so I went to Task Manager, clicked on File, held Ctrl and clicked on New, and went into the registry, and went to the location where the Vundo trojan was. After removing it I scanned with XoftSpy again and it didn't detect it, so I guess I was successful in removing it.


WinPFind3 logfile created on: 4/17/2007 10:33:34 PM
WinPFind3U by OldTimer - Version 1.0.34 Folder = C:\Documents and Settings\hetudy\My Documents\WinPFind3u\
Microsoft Windows XP (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2600.0000)

319.48 Mb Total Physical Memory | 139.21 Mb Available Physical Memory | 43.57% Memory free
773.64 Mb Paging File | 590.92 Mb Available in Paging File | 76.38% Paging File free
Paging file location(s): C:\pagefile.sys 480 960;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 19.01 Gb Total Space | 8.86 Gb Free Space | 46.64% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: HETUDY-JCA2EP9U
Current User Name: hetudy
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
aluschedulersvc.exe -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
ccsetmgr.exe -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 103.0.1.26 | Size = 164984 bytes | Modified Date = 9/21/2004 4:17:24 AM | Attr = ]
firefox.exe -> %ProgramFiles%\Mozilla Firefox\firefox.exe -> Mozilla Corporation [Ver = 1.8.1.3: 2007030919 | Size = 7633008 bytes | Modified Date = 4/2/2007 12:05:36 PM | Attr = ]
googleupdaterservice.exe -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.767.25472.beta | Size = 136952 bytes | Modified Date = 4/1/2007 4:23:52 PM | Attr = ]
navapsvc.exe -> %ProgramFiles%\Norton AntiVirus\navapsvc.exe -> Symantec Corporation [Ver = 11.0.1.3 | Size = 176768 bytes | Modified Date = 9/21/2004 4:17:14 AM | Attr = ]
npfmntor.exe -> %ProgramFiles%\Norton AntiVirus\IWP\NPFMntor.exe -> Symantec Corporation [Ver = 11.0.1.3 | Size = 46208 bytes | Modified Date = 9/21/2004 4:17:20 AM | Attr = ]
pctspk.exe -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 6:36:54 PM | Attr = ]
stng260 stinger mcfee.exe -> %UserDocuments%\stng260 stinger Mcfee.exe -> [Ver = | Size = 1144839 bytes | Modified Date = 4/14/2007 11:44:56 PM | Attr = ]
winpfind3u.exe -> %UserDocuments%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 4/10/2007 10:00:18 PM | Attr = ]
winpfind3u.exe -> %UserDocuments%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.34.0 | Size = 318976 bytes | Modified Date = 4/10/2007 10:00:18 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(Automatic LiveUpdate Scheduler) Automatic LiveUpdate Scheduler [Win32_Own | Auto | Running] -> %ProgramFiles%\Symantec\LiveUpdate\ALUSchedulerSvc.exe -> Symantec Corporation [Ver = 3.0.0.171 | Size = 100032 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
(Belkin 54g Wireless USB Network Adapter Service) Belkin 54g Wireless USB Network Adapter [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Belkin\Belkin Wireless Network Utility\WLService.exe -> File not found
(ccSetMgr) Symantec Settings Manager [Win32_Own | Auto | Running] -> %CommonProgramFiles%\Symantec Shared\ccSetMgr.exe -> Symantec Corporation [Ver = 103.0.1.26 | Size = 164984 bytes | Modified Date = 9/21/2004 4:17:24 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.0.503.0 | Size = 204800 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]
(GoogleDesktopManager) GoogleDesktopManager [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopManager.exe -> Google [Ver = 5.0.702.7034 | Size = 69120 bytes | Modified Date = 4/1/2007 4:25:24 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.767.25472.beta | Size = 136952 bytes | Modified Date = 4/1/2007 4:23:52 PM | Attr = ]
(LiveUpdate) LiveUpdate [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Symantec\LiveUpdate\LuComServer_3_0.EXE -> Symantec Corporation [Ver = 3.0.0.171 | Size = 2119360 bytes | Modified Date = 7/25/2006 6:03:44 PM | Attr = ]
(navapsvc) Norton AntiVirus Auto-Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\navapsvc.exe -> Symantec Corporation [Ver = 11.0.1.3 | Size = 176768 bytes | Modified Date = 9/21/2004 4:17:14 AM | Attr = ]
(NPFMntor) Norton AntiVirus Firewall Monitor Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton AntiVirus\IWP\NPFMntor.exe -> Symantec Corporation [Ver = 11.0.1.3 | Size = 46208 bytes | Modified Date = 9/21/2004 4:17:20 AM | Attr = ]
(NProtectService) Norton Unerase Protection [Win32_Own | Auto | Stopped] -> %ProgramFiles%\Norton AntiVirus\AdvTools\NPROTECT.EXE -> File not found
(Pctspk) PCTEL Speaker Phone [Win32_Own | Auto | Running] -> %System32%\pctspk.exe -> PCtel, Inc. [Ver = 4.00 | Size = 86016 bytes | Modified Date = 8/17/2001 6:36:54 PM | Attr = ]
(SAVScan) SAVScan [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Norton AntiVirus\SAVScan.exe -> Symantec Corporation [Ver = 9.4.0.53 | Size = 197864 bytes | Modified Date = 9/21/2004 4:17:16 AM | Attr = ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBServ.exe -> Symantec Corporation [Ver = 11.0.1.3 | Size = 66688 bytes | Modified Date = 8/18/2004 7:45:02 AM | Attr = ]
(SNDSrvc) Symantec Network Drivers Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Symantec Shared\SNDSrvc.exe -> Symantec Corporation [Ver = 5.4.0.110 | Size = 206048 bytes | Modified Date = 9/21/2004 4:17:40 AM | Attr = ]
(SPBBCSvc) Symantec SPBBCSvc [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\SPBBC\SPBBCSvc.exe -> Symantec Corporation [Ver = 1,0,1,47 | Size = 173160 bytes | Modified Date = 9/21/2004 4:17:40 AM | Attr = ]
(Symantec Core LC) Symantec Core LC [Win32_Own | Disabled | Stopped] -> %CommonProgramFiles%\Symantec Shared\CCPD-LC\symlcsvc.exe -> Symantec Corporation [Ver = 1, 8, 54, 419 | Size = 817304 bytes | Modified Date = 8/11/2006 9:58:20 PM | Attr = ]
(SymWSC) SymWMI Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Security Center\SymWSC.exe -> File not found

[Registry - Non-Microsoft Only]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< AppInit_DLLs [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
{021E2CF4-D34F-4C9C-8338-51BBB4E690F3} [HKLM] -> Reg Data - Key not found [] -> File not found
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} [HKLM] -> %ProgramFiles%\SUPERAntiSpyware\SASSEH.DLL [] -> SuperAdBlocker.com [Ver = 1, 0, 0, 1008 | Size = 77824 bytes | Modified Date = 12/20/2006 12:55:48 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
!SASWinLogon -> %ProgramFiles%\SUPERAntiSpyware\SASWINLO.dll -> SUPERAntiSpyware.com [Ver = 1, 0, 0, 1030 | Size = 282624 bytes | Modified Date = 2/27/2007 11:39:26 AM | Attr = ]
rqromjj -> rqromjj.dll -> File not found
< HOSTS File > (734 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts
127.0.0.1 localhost -> ->
< Internet Explorer Settings > ->
HKLM: Search Page -> http://www.google.com ->
HKLM: Start Page -> http://www.hotmail.com ->
HKCU: Search Page -> http://www.google.com ->
HKCU: Start Page -> http://www.hotmail.com ->
HKCU: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn7\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 11:28:40 AM | Attr = ]
HKCU: ProxyEnable -> 0 ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Reg Data - Value does not exist] -> Safer Networking Limited [Ver = 1, 4, 0, 0 | Size = 853672 bytes | Modified Date = 5/31/2005 1:04:00 AM | Attr = ]
{67C55A8D-E808-4caa-9EA7-F77102DE0BB6} [HKLM] -> %System32%\mdbfuwyy.dll [Reg Data - Value does not exist] -> File not found
{93B08C4C-9360-4884-A661-F45C467E290A} [HKLM] -> %System32%\tuvsp.dll [Reg Data - Value does not exist] -> File not found
< Internet Explorer Bars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer Bars [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.1.3 | Size = 210048 bytes | Modified Date = 9/21/2004 4:17:16 AM | Attr = ]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn7\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 11:28:40 AM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
ShellBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
ShellBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.1.3 | Size = 210048 bytes | Modified Date = 9/21/2004 4:17:16 AM | Attr = ]
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> %ProgramFiles%\Google\googletoolbar4.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 11.0.1.3 | Size = 210048 bytes | Modified Date = 9/21/2004 4:17:16 AM | Attr = ]
WebBrowser\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKLM] -> %ProgramFiles%\Yahoo!\Companion\Installs\cpn7\yt.dll [Yahoo! Toolbar] -> Yahoo! Inc. [Ver = 2006, 10, 26, 1 | Size = 440384 bytes | Modified Date = 10/26/2006 11:28:40 AM | Attr = ]
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} -> Reg Data - Value does not exist [ButtonText: Yahoo! Services] -> File not found
< Internet Explorer Menu Extensions [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\
&Yahoo! Search -> %ProgramFiles%\Yahoo!\Common\YCSRCH.HTM -> [Ver = | Size = 605 bytes | Modified Date = 6/3/2005 6:07:38 PM | Attr = ]
Add to Google Photos Screensa&ver -> -> File not found
Yahoo! &Dictionary -> %ProgramFiles%\Yahoo!\Common\YCDICT.HTM -> [Ver = | Size = 616 bytes | Modified Date = 6/3/2005 6:07:16 PM | Attr = ]
Yahoo! &Maps -> %ProgramFiles%\Yahoo!\Common\ycmap.htm -> [Ver = | Size = 690 bytes | Modified Date = 6/3/2005 6:07:44 PM | Attr = ]
Yahoo! &SMS -> %ProgramFiles%\Yahoo!\Common\YCsms.htm -> [Ver = | Size = 1006 bytes | Modified Date = 8/1/2005 5:43:00 PM | Attr = ]
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
{61B32111-2369-2316-F371-09CCED5CEC35} -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
{17FEE3EC-D361-468D-BE98-57CF9BEC930A} -> () ->
{2506BF76-C283-48A9-999F-F657364D90FF} -> (Belkin 54Mbps Wireless USB Network Adapter) ->
{CBE7BD49-E470-4214-A4DD-E1D4904C25F3} -> (Belkin 54Mbps Wireless USB Network Adapter) ->
{DE700452-B71C-4A1F-A668-50406F7A76F0} -> (SiS 900-Based PCI Fast Ethernet Adapter) ->
< Winsock2 Catalogs [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\
Protocol_Catalog9\Catalog_Entries\000000000001 -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopNetwork1.dll -> [Ver = | Size = 8704 bytes | Modified Date = 5/6/2006 2:28:22 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000002 -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopNetwork1.dll -> [Ver = | Size = 8704 bytes | Modified Date = 5/6/2006 2:28:22 PM | Attr = ]
Protocol_Catalog9\Catalog_Entries\000000000031 -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopNetwork1.dll -> [Ver = | Size = 8704 bytes | Modified Date = 5/6/2006 2:28:22 PM | Attr = ]
< Default Protocols [HKLM] - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Default Protocols [HKCU] - Select to Repair > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults
shell -> shell protocol not assigned ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
vnd.ms.radio -> %System32%\msdxm.ocx -> [Ver = | Size = 843804 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
{01113300-3E00-11D2-8470-0060089874ED} -> Support.com Configuration Class - CodeBase = https://www.cricinfo.com/diskless/bin/tgctlcm.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwa...director/sw.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -> YInstStarter Class - CodeBase = http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab ->
{56336BCB-3D8A-11D6-A00B-0050DA18DE71} -> - CodeBase = http://software-dl.real.com/171859a8b37f6f...ip/RdxIE601.cab ->
{6414512B-B978-451D-A0D8-FCFDF33E833C} -> WUWebControl Class - CodeBase = http://update.microsoft.com/windowsupdate/...b?1172086831463 ->
{6F750200-1362-4815-A476-88533DE61D0C} -> Ofoto Upload Manager Class - CodeBase = http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab ->
{B38870E4-7ECB-40DA-8C6A-595F0A5519FF} -> MsnMessengerSetupDownloadControl Class - CodeBase = http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab ->
{D54160C3-DB7B-4534-9B65-190EE4A9C7F7} -> SproutLauncherCtrl Class - CodeBase = http://download.games.yahoo.com/games/web_...outLauncher.cab ->
{D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} -> TikGames Online Control - CodeBase = http://download.games.yahoo.com/games/web_...inematycoon.cab ->


[Files/Folders - Created Within 30 days]
boot.ini.SAB -> %SystemDrive%\boot.ini.SAB -> [Ver = | Size = 194 bytes | Created Date = 4/6/2007 4:54:15 PM | Attr = H ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 335073280 bytes | Created Date = 1/1/1601 5:00:00 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Created Date = 4/14/2007 6:40:57 PM | Attr = ]
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [Ver = | Size = 25 bytes | Created Date = 3/29/2007 3:49:37 PM | Attr = ]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Created Date = 4/15/2007 8:09:23 AM | Attr = ]
zllsputility.exe -> %SystemRoot%\zllsputility.exe -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 75512 bytes | Created Date = 4/15/2007 8:17:35 AM | Attr = ]
Norton Security Scan.job -> %SystemRoot%\tasks\Norton Security Scan.job -> [Ver = | Size = 410 bytes | Created Date = 4/1/2007 3:26:28 PM | Attr = ]
XoftSpySE 2.job -> %SystemRoot%\tasks\XoftSpySE 2.job -> [Ver = | Size = 434 bytes | Created Date = 4/14/2007 6:23:40 PM | Attr = ]
XoftSpySE.job -> %SystemRoot%\tasks\XoftSpySE.job -> [Ver = | Size = 364 bytes | Created Date = 4/14/2007 6:23:38 PM | Attr = ]
CMMGR32.EXE -> %System32%\CMMGR32.EXE -> [Ver = | Size = 0 bytes | Created Date = 4/2/2007 7:35:36 PM | Attr = ]
eoqsfle.dll -> %System32%\eoqsfle.dll -> [Ver = | Size = 63488 bytes | Created Date = 4/1/2007 8:30:57 AM | Attr = ]
fhkjihwb.ini -> %System32%\fhkjihwb.ini -> [Ver = | Size = 1633745 bytes | Created Date = 4/6/2007 8:32:39 PM | Attr = HS]
GPhotos.scr -> %System32%\GPhotos.scr -> Google Inc. [Ver = 2.0.0.1067 | Size = 2784264 bytes | Created Date = 3/23/2007 1:29:18 PM | Attr = ]
isknomfd.ini -> %System32%\isknomfd.ini -> [Ver = | Size = 1691389 bytes | Created Date = 4/1/2007 8:41:53 AM | Attr = HS]
jlwlphca.ini -> %System32%\jlwlphca.ini -> [Ver = | Size = 1690768 bytes | Created Date = 4/1/2007 3:03:23 PM | Attr = HS]
libeay32_0.9.6l.dll -> %System32%\libeay32_0.9.6l.dll -> [Ver = | Size = 796312 bytes | Created Date = 4/15/2007 8:16:57 AM | Attr = ]
ngzxeu.dll -> %System32%\ngzxeu.dll -> [Ver = | Size = 64000 bytes | Created Date = 4/1/2007 7:05:11 PM | Attr = ]
runtime -> %System32%\runtime -> [Folder | Created Date = 4/1/2007 3:27:28 PM | Attr = ]
SuperAdBlocker.com -> %System32%\SuperAdBlocker.com -> [Folder | Created Date = 4/13/2007 7:01:10 PM | Attr = ]
vmbcltwe.ini -> %System32%\vmbcltwe.ini -> [Ver = | Size = 1632045 bytes | Created Date = 4/2/2007 3:04:26 PM | Attr = HS]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49617 bytes | Created Date = 4/15/2007 8:11:53 AM | Attr = ]
vsdata.dll -> %System32%\vsdata.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 4/15/2007 8:09:21 AM | Attr = ]
vsdatant.sys -> %System32%\vsdatant.sys -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 394192 bytes | Created Date = 4/15/2007 8:11:53 AM | Attr = ]
vsinit.dll -> %System32%\vsinit.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 157424 bytes | Created Date = 4/15/2007 8:09:20 AM | Attr = ]
vsmonapi.dll -> %System32%\vsmonapi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 104176 bytes | Created Date = 4/15/2007 8:11:55 AM | Attr = ]
vspubapi.dll -> %System32%\vspubapi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 276208 bytes | Created Date = 4/15/2007 8:11:55 AM | Attr = ]
vsregexp.dll -> %System32%\vsregexp.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 71408 bytes | Created Date = 4/15/2007 8:16:57 AM | Attr = ]
vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 472816 bytes | Created Date = 4/15/2007 8:09:19 AM | Attr = ]
vswmi.dll -> %System32%\vswmi.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 46832 bytes | Created Date = 4/15/2007 8:11:57 AM | Attr = ]
vsxml.dll -> %System32%\vsxml.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 100080 bytes | Created Date = 4/15/2007 8:11:56 AM | Attr = ]
VundoFixSVC.exe -> %System32%\VundoFixSVC.exe -> Atribune.org [Ver = 1.00.0002 | Size = 24576 bytes | Created Date = 4/14/2007 6:57:10 PM | Attr = ]
yuwztyh.dll -> %System32%\yuwztyh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 7:05:10 PM | Attr = ]
zbaiynh.dll -> %System32%\zbaiynh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 8:30:57 AM | Attr = ]
zlcomm.dll -> %System32%\zlcomm.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 83696 bytes | Created Date = 4/15/2007 8:16:52 AM | Attr = ]
zlcommdb.dll -> %System32%\zlcommdb.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 71408 bytes | Created Date = 4/15/2007 8:16:52 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Created Date = 4/15/2007 8:18:25 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 4/15/2007 8:11:55 AM | Attr = ]
zpeng24.dll -> %System32%\zpeng24.dll -> Python Software Foundation [Ver = 2.4.2 | Size = 1087216 bytes | Created Date = 4/15/2007 8:11:56 AM | Attr = ]
cdr4_xp.sys -> %System32%\drivers\cdr4_xp.sys -> Sonic Solutions [Ver = 8.0.0.212 | Size = 2432 bytes | Created Date = 4/1/2007 3:30:34 PM | Attr = ]
cdralw2k.sys -> %System32%\drivers\cdralw2k.sys -> Sonic Solutions [Ver = 8.0.0.212 | Size = 2560 bytes | Created Date = 4/1/2007 3:30:34 PM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 10784 bytes | Created Date = 4/15/2007 8:30:12 AM | Attr = HS]
fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 1220 bytes | Created Date = 4/15/2007 8:30:12 AM | Attr = HS]
fidbox2.dat -> %System32%\drivers\fidbox2.dat -> [Ver = | Size = 800 bytes | Created Date = 4/15/2007 8:30:12 AM | Attr = HS]
fidbox2.idx -> %System32%\drivers\fidbox2.idx -> [Ver = | Size = 1148 bytes | Created Date = 4/15/2007 8:30:12 AM | Attr = HS]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 4/6/2007 9:23:42 PM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 335073280 bytes | Modified Date = 4/17/2007 8:40:44 AM | Attr = HS]
hjt -> %SystemDrive%\hjt -> [Folder | Modified Date = 4/15/2007 5:32:44 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 4/15/2007 9:11:56 AM | Attr = ]
RECYCLER -> %SystemDrive%\RECYCLER -> [Folder | Modified Date = 4/1/2007 9:50:02 AM | Attr = HS]
VundoFix Backups -> %SystemDrive%\VundoFix Backups -> [Folder | Modified Date = 4/14/2007 11:34:00 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 4/15/2007 12:09:04 PM | Attr = ]
$MSI31Uninstall_KB893803v2$ -> %SystemRoot%\$MSI31Uninstall_KB893803v2$ -> [Folder | Modified Date = 4/1/2007 5:00:20 PM | Attr = H ]
aGV0dWR5 -> %SystemRoot%\aGV0dWR5 -> [Folder | Modified Date = 4/1/2007 7:25:24 PM | Attr = HS]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 4/17/2007 8:40:58 AM | Attr = S]
cdplayer.ini -> %SystemRoot%\cdplayer.ini -> [Ver = | Size = 25 bytes | Modified Date = 3/29/2007 4:49:38 PM | Attr = ]
Debug -> %SystemRoot%\Debug -> [Folder | Modified Date = 4/17/2007 8:41:22 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 4/1/2007 5:05:16 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 4/6/2007 5:50:40 PM | Attr = HS]
Internet Logs -> %SystemRoot%\Internet Logs -> [Folder | Modified Date = 4/17/2007 10:19:40 PM | Attr = ]
mozver.dat -> %SystemRoot%\mozver.dat -> [Ver = | Size = 3480 bytes | Modified Date = 4/13/2007 8:01:12 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 4/17/2007 10:32:12 PM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 4/6/2007 9:24:28 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 4/15/2007 10:27:24 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 4/14/2007 7:23:42 PM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 4/15/2007 10:05:44 PM | Attr = ]
Web -> %SystemRoot%\Web -> [Folder | Modified Date = 4/14/2007 9:59:22 PM | Attr = R ]
WebCamC.ini -> %SystemRoot%\WebCamC.ini -> [Ver = | Size = 603 bytes | Modified Date = 3/30/2007 6:37:08 PM | Attr = ]
WinSxS -> %SystemRoot%\WinSxS -> [Folder | Modified Date = 4/1/2007 5:33:02 PM | Attr = ]
Ad-Watch SE Professional.job -> %SystemRoot%\tasks\Ad-Watch SE Professional.job -> [Ver = | Size = 302 bytes | Modified Date = 4/15/2007 6:19:02 PM | Attr = ]
Norton Security Scan.job -> %SystemRoot%\tasks\Norton Security Scan.job -> [Ver = | Size = 410 bytes | Modified Date = 4/13/2007 3:20:24 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 4/17/2007 8:41:10 AM | Attr = H ]
XoftSpySE 2.job -> %SystemRoot%\tasks\XoftSpySE 2.job -> [Ver = | Size = 434 bytes | Modified Date = 4/17/2007 5:00:04 PM | Attr = ]
XoftSpySE.job -> %SystemRoot%\tasks\XoftSpySE.job -> [Ver = | Size = 364 bytes | Modified Date = 4/14/2007 7:23:42 PM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 4/15/2007 12:09:18 PM | Attr = ]
CMMGR32.EXE -> %System32%\CMMGR32.EXE -> [Ver = | Size = 0 bytes | Modified Date = 4/2/2007 8:35:38 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 4/6/2007 9:25:24 PM | Attr = ]
d3d8caps.dat -> %System32%\d3d8caps.dat -> [Ver = | Size = 1632 bytes | Modified Date = 3/21/2007 10:07:06 PM | Attr = ]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 4/1/2007 5:03:22 PM | Attr = RHS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 4/15/2007 10:27:56 PM | Attr = ]
eoqsfle.dll -> %System32%\eoqsfle.dll -> [Ver = | Size = 63488 bytes | Modified Date = 4/1/2007 9:30:58 AM | Attr = ]
fhkjihwb.ini -> %System32%\fhkjihwb.ini -> [Ver = | Size = 1633745 bytes | Modified Date = 4/6/2007 10:30:44 PM | Attr = HS]
GPhotos.scr -> %System32%\GPhotos.scr -> Google Inc. [Ver = 2.0.0.1067 | Size = 2784264 bytes | Modified Date = 3/23/2007 2:29:18 PM | Attr = ]
isknomfd.ini -> %System32%\isknomfd.ini -> [Ver = | Size = 1691389 bytes | Modified Date = 4/1/2007 9:44:22 AM | Attr = HS]
jlwlphca.ini -> %System32%\jlwlphca.ini -> [Ver = | Size = 1690768 bytes | Modified Date = 4/1/2007 4:05:24 PM | Attr = HS]
M?crosoft.NET -> %System32%\M?crosoft.NET -> [Folder | Modified Date = 4/2/2007 4:44:06 PM | Attr = ]
ngzxeu.dll -> %System32%\ngzxeu.dll -> [Ver = | Size = 64000 bytes | Modified Date = 4/1/2007 8:05:12 PM | Attr = ]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 39992 bytes | Modified Date = 4/1/2007 9:30:40 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 311604 bytes | Modified Date = 4/1/2007 9:30:40 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 356120 bytes | Modified Date = 4/1/2007 9:30:40 AM | Attr = ]
runtime -> %System32%\runtime -> [Folder | Modified Date = 4/1/2007 4:27:30 PM | Attr = ]
SuperAdBlocker.com -> %System32%\SuperAdBlocker.com -> [Folder | Modified Date = 4/15/2007 10:27:34 PM | Attr = ]
vmbcltwe.ini -> %System32%\vmbcltwe.ini -> [Ver = | Size = 1632045 bytes | Modified Date = 4/2/2007 4:08:10 PM | Attr = HS]
vsconfig.xml -> %System32%\vsconfig.xml -> [Ver = | Size = 49617 bytes | Modified Date = 4/15/2007 12:37:14 PM | Attr = ]
VundoFixSVC.exe -> %System32%\VundoFixSVC.exe -> Atribune.org [Ver = 1.00.0002 | Size = 24576 bytes | Modified Date = 4/14/2007 7:57:12 PM | Attr = ]
wbem -> %System32%\wbem -> [Folder | Modified Date = 4/6/2007 9:24:36 PM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2184 bytes | Modified Date = 4/17/2007 8:41:10 AM | Attr = ]
yuwztyh.dll -> %System32%\yuwztyh.dll -> [Ver = | Size = 86528 bytes | Modified Date = 4/1/2007 8:05:12 PM | Attr = ]
zbaiynh.dll -> %System32%\zbaiynh.dll -> [Ver = | Size = 86528 bytes | Modified Date = 4/1/2007 9:30:58 AM | Attr = ]
zllictbl.dat -> %System32%\zllictbl.dat -> [Ver = | Size = 4212 bytes | Modified Date = 4/15/2007 9:21:58 AM | Attr = H ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Modified Date = 4/15/2007 10:29:26 PM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 10784 bytes | Modified Date = 4/15/2007 9:41:20 AM | Attr = HS]
fidbox.idx -> %System32%\drivers\fidbox.idx -> [Ver = | Size = 1220 bytes | Modified Date = 4/15/2007 9:41:20 AM | Attr = HS]
fidbox2.dat -> %System32%\drivers\fidbox2.dat -> [Ver = | Size = 800 bytes | Modified Date = 4/15/2007 9:41:20 AM | Attr = HS]
fidbox2.idx -> %System32%\drivers\fidbox2.idx -> [Ver = | Size = 1148 bytes | Modified Date = 4/15/2007 9:41:20 AM | Attr = HS]

[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\fmod.dll -> Firelight Technologies Pty, Ltd [Ver = 3.74 | Size = 161280 bytes | Modified Date = 6/24/2005 5:04:36 PM | Attr = ]
Thawte Consulting , -> %System32%\rmoc3260.dll -> RealNetworks, Inc. [Ver = 6.0.9.2568 | Size = 185952 bytes | Modified Date = 11/16/2006 9:23:04 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/23/2001 8:00:00 AM | Attr = ]

< End of report >
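
As an added illustration (not code from the thread or from WinPFind3u), a triage script that applies the heuristics a helper uses when reading a listing like the one above: vendor-less, version-less PE files sitting directly in System32, pairs of them with identical sizes (the randomly named pair the helper singles out later, zbaiynh.dll and yuwztyh.dll, are 86528 bytes each), oversized hidden+system .ini files, and names containing a character the report could not print. The sample lines are copied from the report above; the size threshold and the reason wording are my own assumptions.

```python
"""Triage heuristics for a WinPFind3u-style file listing (added example, not the tool's code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample lines copied from the report posted in this thread (a constructed subset).
SAMPLE_REPORT = r"""vsutil.dll -> %System32%\vsutil.dll -> Zone Labs, LLC [Ver = 7.0.337.000 | Size = 472816 bytes | Created Date = 4/15/2007 8:09:19 AM | Attr = ]
VundoFixSVC.exe -> %System32%\VundoFixSVC.exe -> Atribune.org [Ver = 1.00.0002 | Size = 24576 bytes | Created Date = 4/14/2007 6:57:10 PM | Attr = ]
yuwztyh.dll -> %System32%\yuwztyh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 7:05:10 PM | Attr = ]
zbaiynh.dll -> %System32%\zbaiynh.dll -> [Ver = | Size = 86528 bytes | Created Date = 4/1/2007 8:30:57 AM | Attr = ]
ZoneLabs -> %System32%\ZoneLabs -> [Folder | Created Date = 4/15/2007 8:11:55 AM | Attr = ]
fidbox.dat -> %System32%\drivers\fidbox.dat -> [Ver = | Size = 10784 bytes | Created Date = 4/15/2007 8:30:12 AM | Attr = HS]
eoqsfle.dll -> %System32%\eoqsfle.dll -> [Ver = | Size = 63488 bytes | Modified Date = 4/1/2007 9:30:58 AM | Attr = ]
fhkjihwb.ini -> %System32%\fhkjihwb.ini -> [Ver = | Size = 1633745 bytes | Modified Date = 4/6/2007 10:30:44 PM | Attr = HS]
GPhotos.scr -> %System32%\GPhotos.scr -> Google Inc. [Ver = 2.0.0.1067 | Size = 2784264 bytes | Modified Date = 3/23/2007 2:29:18 PM | Attr = ]
M?crosoft.NET -> %System32%\M?crosoft.NET -> [Folder | Modified Date = 4/2/2007 4:44:06 PM | Attr = ]
"""

# Line shape: name -> path -> vendor [Key = value | Key = value ...]
LINE_RE = re.compile(r"^(?P<name>.+?) -> (?P<path>.+?) -> (?P<vendor>[^\[]*)\[(?P<meta>[^\]]*)\]\s*$")
PE_EXTS = {"dll", "exe", "sys", "scr"}
SYSTEM32 = "%System32%\\"


@dataclass
class Entry:
    name: str
    path: str
    vendor: str
    version: str
    size: Optional[int]
    attrs: str
    is_folder: bool


def parse_line(line: str) -> Optional[Entry]:
    """Parse one listing line; returns None for section headers and blank lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    meta: Dict[str, str] = {}
    for part in m.group("meta").split(" | "):
        key, _, val = part.partition("=")  # "Ver =" with empty data still yields key "Ver"
        meta[key.strip()] = val.strip()
    size = meta.get("Size")  # e.g. "86528 bytes"
    return Entry(
        name=m.group("name"), path=m.group("path"), vendor=m.group("vendor").strip(),
        version=meta.get("Ver", ""), size=int(size.split()[0]) if size else None,
        attrs=meta.get("Attr", ""), is_folder="Folder" in meta,
    )


def triage(report: str) -> Dict[str, List[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings: Dict[str, List[str]] = defaultdict(list)
    unattributed: Dict[int, List[str]] = defaultdict(list)  # size -> names of vendor-less PE files
    for line in report.splitlines():
        e = parse_line(line)
        # Only direct children of System32, the location the randomly named files above use.
        if e is None or not e.path.startswith(SYSTEM32) or "\\" in e.path[len(SYSTEM32):]:
            continue
        if "?" in e.name:
            # "?" is not legal in an NTFS name, so the tool met a character it could not print:
            # a non-ASCII lookalike of a system folder name.
            findings[e.name].append("name contains an unprintable character; lookalike of a system name")
        if e.is_folder:
            continue
        ext = e.name.rsplit(".", 1)[-1].lower() if "." in e.name else ""
        if ext in PE_EXTS and not e.vendor and not e.version:
            findings[e.name].append("PE file in System32 with no vendor and no version resource")
            if e.size is not None:
                unattributed[e.size].append(e.name)
        if ext == "ini" and "H" in e.attrs and "S" in e.attrs and (e.size or 0) > 1_000_000:
            findings[e.name].append(f"hidden+system .ini of {e.size} bytes in System32")
    # Randomly named copies of one payload share an exact size; report them as a group.
    for size, names in unattributed.items():
        if len(names) > 1:
            for n in names:
                findings[n].append(f"same size ({size} bytes) as " + ", ".join(x for x in names if x != n))
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REPORT).items():
        print(name, "->", "; ".join(reasons))
```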

#4 alexpatel

Posted 17 April 2007 - 10:14 PM

This is my new HijackThis logfile. I thought I should give you an up-to-date logfile since I edited my registry yesterday before you replied to my earlier logfile. Sorry.

I ran HijackThis after I ran winpfind3u.exe, so this logfile was created after I scanned the computer with winpfind3u.exe.

Logfile of HijackThis v1.99.1
Scan saved at 11:05:36 PM, on 4/17/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\hetudy\My Documents\stng260 stinger Mcfee.exe
C:\Documents and Settings\hetudy\My Documents\WinPFind3u\WinPFind3U.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\mdbfuwyy.dll (file missing)
O2 - BHO: (no name) - {93B08C4C-9360-4884-A661-F45C467E290A} - C:\WINDOWS\System32\tuvsp.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\System32\GPhotos.scr/200
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://www.cricinfo.com/diskless/bin/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/171859a8b37f6f...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1172086831463
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnM...pDownloader.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_...outLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/games/web_...inematycoon.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rqromjj - rqromjj.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin 54g Wireless USB Network Adapter (Belkin 54g Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (file missing)

#5 sjpritch25

Posted 18 April 2007 - 03:23 PM

Well, SuperAnti-Spyware killed it. Why do you have all startup programs disabled?????

Run HijackThis, and press "Do a System Scan Only".
1. When the scan is complete place a check mark next to the following entries:

O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\mdbfuwyy.dll (file missing)
O2 - BHO: (no name) - {93B08C4C-9360-4884-A661-F45C467E290A} - C:\WINDOWS\System32\tuvsp.dll (file missing)
O20 - Winlogon Notify: rqromjj - rqromjj.dll (file missing)

2. After checking these items CLOSE ALL open windows EXCEPT HijackThis and click "Fix Checked." Then, reboot your computer...


===========================

You have files I would like you to get analyzed. Please go to VirusTotal. At the very top of the website you will see a Browse button. Use that to search for these files:
C:\WINDOWS\system32\zbaiynh.dll
C:\WINDOWS\system32\yuwztyh.dll
Then click on Send. This could take between 30 seconds and a couple of minutes. When you get the results, open Notepad, highlight the results, copy them to Notepad and save them as "Scan.txt" and "Scan2.txt". Save the text files "Scan.txt" and "Scan2.txt" to your desktop. Please include the files in your next post.


Note: You may need to unhide hidden files and folders.
Configure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
Microsoft MVP Consumer Security--2007-2010

#6 alexpatel

Posted 19 April 2007 - 08:53 PM

Hello & thank you for all your help.
First of all, I really don't know why all my startup programs and desktop programs are disabled. I didn't disable them. How do I enable them? I have to right-click on an icon and select Run As to open any program. AND I can't open any program under my Control Panel; it says I don't have an associated file or program that created it, etc. Also, after I deleted the recommended entries with HijackThis and restarted, I got this notice before it loaded the desktop: "Windows can't open this file: File: rundll32.exe. To open it, Windows needs to know what program created it," etc. Also, I am attaching the scan.txt and scan2.txt files.

Again, I really appreciate all the help you are offering. Thank you very much.

Attached File: scan.txt

Attached File: scan2.txt

#7 sjpritch25

Posted 20 April 2007 - 11:44 AM

Please go to Start > Run > in the space provided, type msconfig and press the Enter key. Click on the Startup tab > at the bottom, click on Enable All > click on Apply > then OK. Please post a fresh HijackThis log. Thanks.

Download OTMoveIt by OldTimer and save to your Desktop.
  • Double-click on OTMoveIt.exe to launch the program.
  • Please copy the file(s)/folder(s) paths listed below - highlight everything in red and press CTRL+C or right-click and choose Copy.
    • C:\WINDOWS\system32\zbaiynh.dll
      C:\WINDOWS\system32\yuwztyh.dll
  • Then in OTMoveIt, right-click in the open text box labeled "Paste List of Files/Folders to be Moved" and choose Paste.
  • Click the red MoveIt! button.
  • The list will be processed and the results for each line will be displayed in the right-hand pane.
  • Highlight everything in the Results window, press CTRL+C or right-click, choose Copy, right-click again and Paste it in your next reply.
  • Close the program when done.
  • Important! If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes.


#8 alexpatel

Posted 20 April 2007 - 07:34 PM

Hi, It didn't work.

I pasted the link and clicked on MoveIt and it says: "cannot create file C:\_OTMOVEIT\movefiles\04202007_201340.log"

On the right hand side it says


File/Folder C:\WINDOWS\system32\zbaiynh.dll not found.
File/Folder C:\WINDOWS\system32\yuwztyh.dll not found.

Created on 04/20/2007 20:13:40



Also, as you said, I went to Start > Run, typed msconfig and ran it, but it didn't work, so I went into Search to find the physical location of msconfig.exe, went to where msconfig was located, right-clicked on msconfig.exe, clicked Run As and then selected current user: hetudy (computer name), and it took me to the System Configuration Utility, where I enabled all programs, but still it didn't help. I did reboot the computer.


Something has happened to my computer such that I can't open any program or file under the Start menu, or any program/file on the desktop, by double-clicking on its icon. In order to open any program/file, I have to highlight the icon, right-click on it and then select Run As (not Open), and then it opens a window saying "Which user account do you want to use to run this program?" I get two options: 1) Current user (hetudy); underneath option 1 there is a checked box that says "Protect my computer and data from unauthorized program activity. This option can prevent computer viruses," etc. Option 2) The following user, with username and password underneath.

Also, I can't open any programs in the Control Panel folder except Network Connections. I want to open "Add or Remove Programs" to see what's installed on my computer; if there is anything there that was not supposed to be, I can uninstall it.
Can you please help! I really appreciate all your help.

#9 sjpritch25

Posted 20 April 2007 - 07:47 PM

  • Download the file UnHookExec.inf and save it to your Windows desktop.

    Note: The tool has a .inf file extension.
  • Locate the download file on the Windows desktop
  • Right-click the UnHookExec.inf file and click install. (This is a small file. It does not display any notice or boxes when you run it.)
======================================

Let's run WinPFind3u again
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • Under Additional Scans (please uncheck non microsoft only)
    • Desktop Components
    • Disabled MS Config Items
    • File Associations
    • Policy Settings
    • Security Settings
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.

Note: Due to the length of the log, please attach it. Thanks.

#10 alexpatel

Posted 20 April 2007 - 08:40 PM

Ok, I right-clicked on the unhookexec.inf file and clicked on Install, but it failed. It says

ERROR
Installation Failed.


Further, on WinPFind3U, do you want me to check-mark the following, right?
  • Desktop Components
  • Disabled MS Config Items
  • File Associations
  • Policy Settings
  • Security Settings

All of the above I have to select (mark checked). I did uncheck "non microsoft only" under Additional Scans. I have attached the file because of its length. Attached File: WinPFind3.Txt

#11 alexpatel

Posted 20 April 2007 - 08:47 PM

Hello, I can open all of my programs now by double-clicking on them. I don't have to right-click and then click on Run As, etc. I downloaded this program called regcure.exe from tuneupadvisor.com. This program scans and repairs shared DLLs, application paths, uninstall entries, program shortcuts, startup items, empty registry keys, file/path references, COM/ActiveX entries, file associations, etc.
You probably want to check into it and I am sure it can cure many users' problems..... I really appreciate all your help. Thank you.

Edited by alexpatel, 20 April 2007 - 09:03 PM.


#12 sjpritch25

Posted 20 April 2007 - 09:20 PM

Hi, alexpatel :thumbsup:

Please close all open programs because this could affect the fix. Thanks.

Start WinPFind3U. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Additional Scans - All]
< Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\svchost.exe -> C:\Program Files\Common Files\svchost.exe
< Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0
[Files/Folders - Created Within 30 days]
NY -> fhkjihwb.ini -> %System32%\fhkjihwb.ini
NY -> isknomfd.ini -> %System32%\isknomfd.ini
NY -> jlwlphca.ini -> %System32%\jlwlphca.ini
NY -> vmbcltwe.ini -> %System32%\vmbcltwe.ini

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan and a HijackThis log, separately (the HijackThis log can be pasted in the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

========================================

Be sure you have your Flash drive plugged in.

Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a Batch file, get autoruns.bat, Written by Mosaic1. Once extracted, open the folder and double click on the get autoruns.bat to run the fix.
  • The fix will make a report and if any autoruns are found, move them to a backup folder.
  • If any autoruns are found on the root of your drives, it will kill explorer so that the registry entries in the MountPoints key are fixed.
  • A document, Part 1.txt, will be created. It will show the pre-cleaning state.
  • Run get autoruns.bat again immediately.
  • It will produce a file named autos.txt and this one will show the state after the cleaning.
  • Please post the contents of Part1.txt and then autos.txt along with a fresh HijackThis log.
** It is important that you follow these directions exactly. Don't skip the second run or the reporting sequence, as we will become confused.

Attached Files


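
An added check (not the thread's or WinPFind3u's code) that audits a registry snapshot for the locations the fix above touches: the DisableTaskMgr and DisableRegistryTools lockdown values under policies\System, and the policies\Explorer\Run autostart key with its svchost.exe entry pointing into Common Files. It generalizes the svchost.exe case to other binaries that Windows ships only under System32. The snapshot is constructed from the entries in the fix; the System32 prefix assumes C:\WINDOWS as shown in the HijackThis log.

```python
"""Audit of the policy and autostart registry locations named in the fix above (added example)."""
from typing import Dict, List, Tuple

POLICY_SYSTEM = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System"
POLICY_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run"
LOCKDOWN_VALUES = ("DisableTaskMgr", "DisableRegistryTools")
# Binaries Windows ships only under %SystemRoot%\System32; a copy elsewhere is borrowing the name.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM32_PREFIX = "c:\\windows\\system32\\"  # assumption: system root is C:\WINDOWS as in the log

# Constructed snapshot {key: {value name: data}} mirroring the entries in the fix above.
# Value data is a plain path, as WinPFind3u printed it.
SNAPSHOT: Dict[str, Dict[str, object]] = {
    POLICY_SYSTEM: {"DisableTaskMgr": 0, "DisableRegistryTools": 0},
    POLICY_RUN: {"svchost.exe": r"C:\Program Files\Common Files\svchost.exe"},
}


def audit(snapshot: Dict[str, Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (registry location, reason) pairs for entries to remove or investigate."""
    findings: List[Tuple[str, str]] = []
    system_values = snapshot.get(POLICY_SYSTEM, {})
    for name in LOCKDOWN_VALUES:
        if name in system_values:
            # Even a value of 0 is notable: a standalone machine with no domain policy never gets it.
            state = "set, blocking the tool" if system_values[name] else "present but 0"
            findings.append((f"{POLICY_SYSTEM}\\{name}",
                             f"Group Policy lockdown value {state}; with no domain policy it should not exist"))
    for value, data in snapshot.get(POLICY_RUN, {}).items():
        command = str(data).strip('"')
        reasons = ["autostart through the policies\\Explorer\\Run key, a policy location separate from the usual Run keys"]
        exe = command.rsplit("\\", 1)[-1].lower()
        if exe in SYSTEM32_ONLY and not command.lower().startswith(SYSTEM32_PREFIX):
            reasons.append(f"{exe} outside System32 ({command}) is a copy borrowing a system binary name")
        findings.append((f"{POLICY_RUN}\\{value}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for location, reason in audit(SNAPSHOT):
        print(location)
        print("    ", reason)
```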

#13 alexpatel

Posted 20 April 2007 - 09:30 PM

[Registry - Additional Scans - All]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\\svchost.exe deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableTaskMgr deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
[Files/Folders - Created Within 30 days]
C:\WINDOWS\SYSTEM32\fhkjihwb.ini moved successfully.
C:\WINDOWS\SYSTEM32\isknomfd.ini moved successfully.
C:\WINDOWS\SYSTEM32\jlwlphca.ini moved successfully.
C:\WINDOWS\SYSTEM32\vmbcltwe.ini moved successfully.
< End of log >
Created on 04/20/2007 22:24:41



Following is Hijack this log
Attached File: hijackthis.log
