TechSpot

HijackThis log, Windows 2000

By DoThePieFace
Oct 30, 2007
  1. Hey, I'm new to these forums but I've had heaps of problems on my laptop lately and would greatly appreciate some assistance. I've run Spybot and Ad-Aware, which keep coming up with various spyware and what-not which just keep reappearing.

    My computer runs on Windows 2000 Professional, version 5.0.2195 Service Pack 4. I've downloaded the latest HijackThis and would love if anybody could look at the log file which is attached.

    Thank-you.
     
  2. Rik

    Rik Banned Posts: 3,814

    Hi DoThePieFace and welcome to TechSpot.

    Your pc is riddled with malware, please follow the instructions below very carefully and provide all the requested logs.


    You need to have a read of this - If your system is infected. Read this before deciding whether to CLEAN or REFORMAT.

    Then if you should wish to proceed with cleaning your system you need to go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, Combofix and AVG Antispyware logs as ATTACHMENTS into this thread, only after doing the above.
    We also need to know the result of Panda Antirootkit.


    This thread is for the use of DoThePieFace only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Hey Rik, thanks for responding so quickly. I attempted to follow the steps directed in the thread you directed me towards and got up to step 2 before the computer died on me entirely. Now, whenever I try to start it up it comes up with a blue screen, where my logon page is meant to be, that says "beginning physical memory dump" or something similar which I can't read before it restarts itself and does the process all over again.

    Would I be wrong in assuming that all hope is lost and a reformat is my only option? I don't have any of the Windows 2000 discs as they didn't come with the laptop when I bought it, and don't know how to go about it.
     
  4. Rik

    Rik Banned Posts: 3,814

    Have you tried booting into safe mode by pressing F8 before Windows begins to load and selecting safe mode from the options? If your BSOD is software related then safe mode should work. If it's hardware related then it may not.
    Let me know how you get on.

     
  5. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Yes it will boot in safe mode without any problem.
     
  6. Rik

    Rik Banned Posts: 3,814

    Do what you can from the instructions in safe mode then.
     
  7. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Okay, so I managed to complete nearly all of it by transferring the downloaded files from the family computer to my laptop. I wasn't able to do the online scan, and whenever I try to start Internet Explorer it says that it can't locate 'iexplore.exe', I think. I wasn't able to run Combofix as it said the file 'C:\WINNT\regedit.exe'. Also, for some reason the latest Spybot wouldn't work, but I still had Spybot 1.4 installed and updated.

    The Panda Anti-Rootkit found nothing, but the new HJT log and AVG Anti-spyware report are attached. Thanks.
     
  8. Rik

    Rik Banned Posts: 3,814

    Just as a precaution, I would like you to do the following.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.
     
  9. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Alright, here's the awf file.
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    You're not running any antivirus or firewall software. This is a huge security risk and has no doubt contributed to your malware problems.

    Your system is a real mess and I don't know if we can clean it successfully, but we'll try.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if there).

    SecCenter
    Xriayfnf
    Adsense Helper Object
    wbkbcpcv

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    FFI

    Close the services window.


    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    mgrs.exe
    win53.tmp.exe
    scprot4.exe

    xpupdate.exe
    exm.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Xriayfnf\mnuuqnmv.dll

    O2 - BHO: Adsense Helper Object - {18FA53D3-B7A8-4309-8045-D43D6AA2DCE9} - C:\Program Files\Adsense Helper Object\aho.v5.dll (file missing)

    O2 - BHO: (no name) - {4401E4EE-B094-4BE9-8966-C88F19D2044F} - C:\WINNT\system32\khfgd.dll

    O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINNT\system32\wwwdnvbd.dll

    O4 - HKLM\..\Run: [smgr] mgrs.exe

    O4 - HKLM\..\Run: [avp] C:\WINNT\TEMP\win53.tmp.exe

    O4 - HKLM\..\Run: [3cd9458b] rundll32.exe "C:\WINNT\system32\lnfogtbl.dll",b

    O4 - HKLM\..\Run: [bgxoxwzo] rundll32.exe "C:\Program Files\wbkbcpcv\axifursx.dll",Init

    O4 - HKLM\..\Run: [wrkfkdux] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wrkfkdux.dll"

    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Len\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)

    O20 - AppInit_DLLs: C:\WINNT\system32\__c004F829.dat

    O20 - Winlogon Notify: winhhm32 - C:\WINNT\SYSTEM32\winhhm32.dll

    O23 - Service: FFI - Unknown owner - C:\WINNT\system32\svchost.exe:exm.exe

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or folders (if there).

    C:\WINNT\system32\svchost.exe:exm.exe
    C:\WINNT\SYSTEM32\winhhm32.dll
    C:\WINNT\system32\__c004F829.dat

    C:\Windows\xpupdate.exe
    C:\Documents and Settings\All Users\Application Data\wrkfkdux.dll
    C:\Program Files\wbkbcpcv

    C:\WINNT\system32\lnfogtbl.dll
    C:\WINNT\TEMP\win53.tmp.exe
    C:\WINNT\system32\wwwdnvbd.dll

    C:\WINNT\system32\khfgd.dll
    C:\Program Files\Adsense Helper Object
    C:\Program Files\Xriayfnf

    C:\WINNT\mgrs.exe
    C:\Program Files\SecCenter

    Reboot into normal mode (if you can) and rehide your protected OS files.

    Go HERE and follow the instructions again. Make sure you install an antivirus and firewall programme as per the instructions.

    Post fresh HJT and Combofix logs.

    Regards Howard :wave: :wave:
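As an added example, not code from this thread or from HijackThis itself: a small Python triage pass over HJT log entries of the kinds Howard listed in the post above. The sample lines are copied from that post (plus one made-up benign control line, SOUNDMAN.EXE, so a low-scoring entry is exercised); the flags and weights are my own heuristics, not HijackThis output. It singles out the things an analyst should notice here: the `svchost.exe:exm.exe` service path is an NTFS alternate data stream, `C:\Windows\` is not the system directory on a Windows 2000 box (`C:\WINNT` is), Run entries that go through `rundll32`/`regsvr32` have no process of their own to end in Task Manager, and AppInit_DLLs, Winlogon Notify and BHO DLLs are loaded by the shell or winlogon.exe and so stay "in use" even in safe mode. The `system_root` parameter is an assumption that defaults to the Windows 2000 layout.

```python
import re

# Constructed sample log for this example: the HijackThis entries
# howard_hopkinso listed for fixing in the post above, plus one made-up
# benign control line (SOUNDMAN.EXE) so a low-scoring entry is exercised.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0DFCFB5E-3974-3338-8F09-0B2552E546A8} - C:\Program Files\Xriayfnf\mnuuqnmv.dll
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [avp] C:\WINNT\TEMP\win53.tmp.exe
O4 - HKLM\..\Run: [3cd9458b] rundll32.exe "C:\WINNT\system32\lnfogtbl.dll",b
O4 - HKLM\..\Run: [wrkfkdux] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\wrkfkdux.dll"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - AppInit_DLLs: C:\WINNT\system32\__c004F829.dat
O20 - Winlogon Notify: winhhm32 - C:\WINNT\SYSTEM32\winhhm32.dll
O23 - Service: FFI - Unknown owner - C:\WINNT\system32\svchost.exe:exm.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Quoted path (may hold spaces) or bare path; the bare form keeps ':' so an
# NTFS alternate data stream such as svchost.exe:exm.exe is not cut off.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s,"]+)')
# Drive colon, then a second colon inside the name part: file:stream
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^:\\]+$")
RUN_RE = re.compile(r"\[(.*?)\] (.*)$")


def parse_entry(line):
    """Split one HJT 'Onn - kind: details' line into a dict, or None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    kind, _, rest = body.partition(": ")
    entry = {"section": section, "kind": kind, "raw": line.strip(),
             "name": "", "owner": "", "command": rest}
    if section == "O4":                      # HKLM\..\Run: [name] command
        r = RUN_RE.match(rest)
        if r:
            entry["name"], entry["command"] = r.groups()
    else:                                    # name - (owner|clsid) - path
        fields = rest.split(" - ")
        if len(fields) > 1:
            entry["name"], entry["command"] = fields[0], fields[-1]
        if section == "O23" and len(fields) == 3:
            entry["owner"] = fields[1]
    return entry


def flags_for(entry, system_root=r"C:\WINNT"):
    """Return (flag, weight) pairs; weight-0 flags are explanatory only."""
    cmd, kind = entry["command"], entry["kind"]
    paths = [q or b for q, b in PATH_RE.findall(cmd)]
    tokens = cmd.lower().split()
    found = []
    for p in paths:
        if ADS_RE.match(p):
            found.append(("ads_path", 4))        # not shown by dir or Explorer
        if "\\temp\\" in p.lower():
            found.append(("temp_dir", 2))        # nothing legit autostarts here
        if p.lower().startswith("c:\\windows\\") and system_root.lower() != "c:\\windows":
            found.append(("fake_system_dir", 2)) # not the real %SystemRoot%
    if kind.endswith("Run"):
        loader = tokens[0].split(".")[0] if tokens else ""
        if loader in ("rundll32", "regsvr32"):
            found.append(("run_via_loader", 2))  # DLL with no process of its own
            if loader == "regsvr32" and "/u" in tokens:
                found.append(("regsvr32_unregister", 1))
        if not paths and "\\" not in cmd:
            found.append(("bare_filename", 1))   # resolved by PATH search
    if kind == "AppInit_DLLs":
        found.append(("appinit_dlls", 3))        # mapped into every user32 process
    if kind == "Winlogon Notify":
        found.append(("winlogon_notify", 2))     # loaded by winlogon.exe
    if kind == "Service" and entry["owner"].lower() == "unknown owner":
        found.append(("unknown_service_owner", 1))
    if entry["name"] == "(no name)":
        found.append(("unnamed_bho", 1))
    if kind in ("BHO", "AppInit_DLLs", "Winlogon Notify"):
        # These DLLs sit inside explorer.exe, every GUI process or winlogon.exe,
        # so the file is "in use" even in safe mode: remove the registry
        # reference first, reboot, then delete the file.
        found.append(("in_use_even_in_safe_mode", 0))
        if any(not p.lower().endswith(".dll") for p in paths):
            found.append(("dll_with_odd_extension", 1))
    return found


def triage(log_text, system_root=r"C:\WINNT"):
    """Parse every HJT entry in log_text and attach flags, score, severity."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        flags = flags_for(entry, system_root)
        entry["flags"] = [f for f, _ in flags]
        entry["score"] = sum(w for _, w in flags)
        entry["severity"] = ("high" if entry["score"] >= 3
                             else "review" if entry["score"] else "low")
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in sorted(triage(SAMPLE_LOG), key=lambda e: -e["score"]):
        print(f'{e["severity"]:6} {e["score"]:2}  {e["raw"]}')
        print("           " + ", ".join(e["flags"]))
```

The weights are deliberately coarse: the point is that a service running from an alternate data stream or a DLL in AppInit_DLLs is a stronger signal than an unfamiliar filename, and that the three DLL-injection locations explain the "in use" failures without any guesswork. It is a reading aid for the log, not a replacement for the fix/delete steps above.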
     
  11. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Okay, I did as much of that as I could in safe mode. I wasn't able to find a few of the files and then the ones that I did find couldn't be deleted because they were in use and I don't know how to stop that. The ones that were in use were:

    C:\WINNT\SYSTEM32\winhhm32.dll
    C:\WINNT\system32\__c004F829.dat
    C:\WINNT\system32\khfgd.dll

    The rest I wasn’t able to find apart from SecCenter which was deleted. It still won’t boot in normal mode, it just comes up with a blue screen that says “beginning physical memory dump” and something else that isn’t there long enough to read and shuts itself down again. Any idea what that is? Thanks for all your effort so far.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ok, please post 5 or 6 of your latest minidumps as attachments. You should find them in the C:\Windows\Minidump folder.

    Regards Howard :)
     
  13. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    I don't seem to have a Windows or minidump file. I used the search function to try and find 'minidump' but it didn't come up with anything and the only windows files I found were in the username files and didn't have anything in them.
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Of course, you're using Windows 2000, doh!

    The minidumps should be located at C:\winnt\minidumps.

    Go and read this thread HERE for instructions.

    Regards Howard :)
     
  15. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Okay after a bit of googling I managed to find out that my system properties can send me to where the minidump files are. There are four objects and I have attached them.
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You would need to follow the instructions in the link I gave you, as I can't analyse Windows 2000 minidumps: I'm running XP and Microsoft don't provide the correct symbols.

    Look particularly at Cpc2004's post #5.

    Regards Howard :)
     
  17. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    The program I needed to download for any of that to work won't install in safe mode, and seeing as I can't start the computer in normal mode I can't install it. I'm at a loss for what to do. Is there any other option than a complete reformat?
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    At this point, I think a reformat is the only sensible option. I know you don't have a Windows 2000 CD, so you'll need to either purchase or borrow one, or take your laptop to a repair shop and have them reinstall it for you.

    Regards Howard :)
     
  19. DoThePieFace

    DoThePieFace TS Rookie Topic Starter

    Well thanks Rik and Howard for all your help. Reformat it is. Then I think it's time to get a firewall and some virus protection so it doesn't happen again. I appreciate all the help so thanks again.
     
  20. Rik

    Rik Banned Posts: 3,814

    Good luck with that and let us know how you get on and if you have any problems.
     
Topic Status:
Not open for further replies.