
Help with Hemenozu, Vodesome, Jojilite, Fofuhiza, Kipelebi DLLs


This topic is locked
6 replies to this topic

#1 Infected Win2000er (Members, 3 posts)

Posted 25 April 2009 - 11:54 AM

Hello bleepingcomputer forum helpers,

I am a Win2000 user and I may have been recently affected by a host of hijacking malware, adware, etc. I have enclosed in text with this message my DDS logfile and Trend Micro HijackThis logfile. I also uploaded the DDS Attach.txt file. I am currently experiencing a really slow computer (although that may be its age and older Pentium III processor). I am also seeing a number of pop-up windows from sites related to the site I intend to surf on. For instance, when I went to the FoodNetwork website on my Mozilla Firefox browser or Internet Explorer, a pop-up came up for diet and nutrition. Also when I am on these anti-virus sites and this forum, I receive pop-ups regarding registry cleaning and a host of anti-virus protection products. I also notice a rundll32.exe window appears when I try to shut down or log off. It is that type of window that shows up and warns that a program is running and you have the option to press "End Now" or let the progress bar go to completion. The computer also freezes when shutting down or logging off. If I keep pressing Ctrl+Alt+Del I can force it to "wake up" and shut down, or I press and hold the power-on button.

I truly hope that my family's private information has not been compromised. Do we need to be seriously worried at this point? Do we start closing our bank accounts? Thank you for your time in reading this post. We truly appreciate any assistance that you, the more knowledgeable, can provide.


Kind regards,

A frustrated infectee


LOG FILES:


DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 12:17:38.80 on Sat 04/25/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_12
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.5 [GMT -4:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
S:\Program Files\crashreporter.exe
S:\Program Files\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\user\Desktop\dds.scr
C:\WINNT\system32\rundll32.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {8f4400b0-53a5-4166-b871-36acf7fe6ad1} - c:\winnt\system32\pobojohe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CPM8b7130c4] Rundll32.exe "c:\winnt\system32\fofuhiza.dll",a
mRun: [savoyuzonu] Rundll32.exe "c:\winnt\system32\zuwokuwu.dll",s
mRun: [88420358] rundll32.exe "c:\winnt\system32\hemenozu.dll",b
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\user\startm~1\programs\startup\openof~1.lnk - m:\openoffice\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUfox000
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5595/mcfscan.cab
AppInit_DLLs: c:\winnt\system32\fofuhiza.dll,c:\winnt\system32\kipelebi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fofuhiza.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\winnt\system32\fofuhiza.dll
LSA: Notification Packages = scecli c:\winnt\system32\kipelebi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ulbzc33f.default\
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ulbzc33f.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\ulbzc33f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 3cpciadi;3Com Windows Modem Driver PCI ADI;c:\winnt\system32\drivers\3cpciadi.sys [2006-4-12 801072]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]

=============== Created Last 30 ================

2009-04-25 12:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_2a0.dat
2009-04-25 11:40 <DIR> --d----- c:\program files\Trend Micro
2009-04-25 11:16 88,064 a---h--- c:\winnt\system32\BIT1.tmp
2009-04-25 11:15 16,384 a------t c:\winnt\system32\Perflib_Perfdata_200.dat
2009-04-25 00:46 <DIR> --d----- c:\documents and settings\user\.housecall6.6
2009-04-24 21:07 16,384 a------t c:\winnt\system32\Perflib_Perfdata_234.dat
2009-04-24 20:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-24 20:47 <DIR> --d----- c:\program files\common files\iS3
2009-04-24 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-24 19:15 1,407,024 ---sh--- c:\winnt\system32\uzonemeh.ini
2009-04-02 13:25 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1f4.dat

==================== Find3M ====================

2009-04-25 12:17 81,408 a--sh--- c:\winnt\system32\mowukiwe.dll
2009-04-25 12:17 47,616 a--sh--- c:\winnt\system32\mufezuwi.exe
2009-04-25 11:16 50,688 a--sh--- c:\winnt\system32\yavayusa.dll
2009-04-24 19:15 81,920 a--sh--- c:\winnt\system32\hemenozu.dll
2009-04-24 19:15 88,576 a--sh--- c:\winnt\system32\fofuhiza.dll
2009-04-24 19:15 47,104 a--sh--- c:\winnt\system32\taruyola.exe
2009-04-24 19:15 9,216 a--sh--- c:\winnt\system32\wilawibe.exe
2009-04-18 12:16 1,636 a------- c:\winnt\system32\d3d9caps.dat
2009-02-12 14:13 410,984 a------- c:\winnt\system32\deploytk.dll
2007-07-30 13:32 439,296 ac------ c:\documents and settings\user\GoToAssist_phone__317_en.exe
2006-04-12 20:50 21,952 -c--h--- c:\program files\folder.htt
2006-04-12 20:50 271 ----h--- c:\program files\desktop.ini
1999-12-07 08:00 32,528 ac------ c:\winnt\inf\wbfirdma.sys

============= FINISH: 12:19:28.68 ===============


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:47 AM, on 4/25/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\iexplore.exe
S:\Program Files\crashreporter.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {8f4400b0-53a5-4166-b871-36acf7fe6ad1} - C:\WINNT\system32\pobojohe.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [88420358] rundll32.exe "C:\WINNT\system32\hemenozu.dll",b
O4 - HKLM\..\Run: [CPM8b7130c4] Rundll32.exe "c:\winnt\system32\fofuhiza.dll",a
O4 - HKLM\..\Run: [savoyuzonu] Rundll32.exe "C:\WINNT\system32\zuwokuwu.dll",s
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = M:\OpenOffice\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZUfox000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...595/mcfscan.cab
O20 - AppInit_DLLs: c:\winnt\system32\fofuhiza.dll,C:\WINNT\system32\kipelebi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fofuhiza.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fofuhiza.dll
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4382 bytes


Edited by Infected Win2000er, 25 April 2009 - 05:44 PM.
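The two logs in this post show the load points the helpers below end up cleaning: Run keys that have rundll32 load a random-looking system32 DLL, an AppInit_DLLs value, SSODL and SharedTaskScheduler entries, an extra LSA notification package, hosts-file redirects to an external IP, an unnamed BHO, and System+Hidden files under system32. The script below is an added example (not part of this thread, and not code from HijackThis or DDS) that applies those checks mechanically to pasted log text and reports what disappeared between two logs. The sample log text is constructed from excerpts of the logs posted in this thread; the "8 lowercase letters" file-name rule and the "scecli is the only stock LSA package" baseline are heuristics and assumptions, not signatures.

```python
# Added triage helper for HijackThis/DDS startup listings (example code,
# not from the thread or the tools). Heuristics are marked as such.
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str]  # (rule name, offending log line)

LSA_BASELINE = {"scecli"}  # assumption: the only stock Win2000/XP package
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Heuristic: Vundo-era droppers used 8 random lowercase letters for names.
RANDOM_NAME = re.compile(r"\\([a-z]{8})\.(dll|exe)\b", re.IGNORECASE)
HOSTS_LINE = re.compile(r"Hosts:\s*(\S+)\s+(\S+)", re.IGNORECASE)
# DDS 'Created Last 30' / 'Find3M' rows: date time size attrs path
DDS_FILE_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$"
)


def classify(line: str) -> Optional[str]:
    """Name the rule a single log line trips, or None if it looks benign."""
    low = line.lower()
    # Autostart (mRun/uRun/O4 Run) that has rundll32 load a random-looking DLL.
    if "run:" in low and "rundll32" in low and RANDOM_NAME.search(line):
        return "run_rundll32_random_dll"
    # AppInit_DLLs is empty on a stock box; anything here is injected into
    # every process that loads user32.dll.
    if "appinit_dlls:" in low and low.split("appinit_dlls:", 1)[1].strip():
        return "appinit_dlls"
    # Shell load points that explorer.exe runs at logon.
    if low.startswith(("ssodl:", "sts:", "o21 - ssodl", "o22 - sharedtaskscheduler")):
        return "explorer_load_point"
    # DLLs lsass.exe loads at boot and calls on every password change.
    if "notification packages" in low and "=" in line:
        for pkg in line.split("=", 1)[1].split():
            stem = pkg.rsplit("\\", 1)[-1].lower().replace(".dll", "")
            if stem not in LSA_BASELINE:
                return "lsa_notification_package"
    # Hosts entries pointing a name anywhere other than loopback.
    m = HOSTS_LINE.search(line)
    if m and m.group(1) not in LOOPBACK:
        return "hosts_redirect"
    # Browser Helper Objects with no registered name.
    if "bho:" in low and ("(no name)" in low or re.search(r"bho:\s*\{", low)):
        return "unnamed_bho"
    # Files under system32 carrying both System and Hidden attributes.
    m = DDS_FILE_ROW.match(line)
    if m and {"s", "h"} <= set(m.group(1)) and "system32" in m.group(2).lower():
        return "hidden_system_file"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line of a pasted log."""
    out: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        rule = classify(line) if line else None
        if rule:
            out.append((rule, line))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(rule for rule, _ in findings))


def cleared(before: str, after: str) -> List[Finding]:
    """Findings from the first log that no longer appear in the second."""
    remaining = {(r, l.lower()) for r, l in triage(after)}
    return [(r, l) for r, l in triage(before) if (r, l.lower()) not in remaining]


# Constructed sample: excerpts of the infected DDS/HJT logs from the thread.
INFECTED_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {8f4400b0-53a5-4166-b871-36acf7fe6ad1} - c:\winnt\system32\pobojohe.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [CPM8b7130c4] Rundll32.exe "c:\winnt\system32\fofuhiza.dll",a
mRun: [savoyuzonu] Rundll32.exe "c:\winnt\system32\zuwokuwu.dll",s
mRun: [88420358] rundll32.exe "c:\winnt\system32\hemenozu.dll",b
AppInit_DLLs: c:\winnt\system32\fofuhiza.dll,c:\winnt\system32\kipelebi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\fofuhiza.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\winnt\system32\fofuhiza.dll
LSA: Notification Packages = scecli c:\winnt\system32\kipelebi.dll
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
2009-04-24 19:15 1,407,024 ---sh--- c:\winnt\system32\uzonemeh.ini
2009-04-24 19:15 81,920 a--sh--- c:\winnt\system32\hemenozu.dll
2009-04-25 11:16 88,064 a---h--- c:\winnt\system32\BIT1.tmp
2009-04-25 11:40 <DIR> --d----- c:\program files\Trend Micro
"""

# Constructed sample: excerpts of the post-cleanup log from the same thread.
CLEAN_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
2009-04-26 12:23 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-04-28 16:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_278.dat
"""

if __name__ == "__main__":
    for rule, line in triage(INFECTED_LOG):
        print(f"{rule:26} {line}")
    print("cleared after cleanup:", len(cleared(INFECTED_LOG, CLEAN_LOG)))
```

Run as-is, it lists twelve findings from the infected excerpt and none from the cleaned one; the Perflib_Perfdata files the poster later asks about carry neither the System nor the Hidden attribute and are not flagged. The script only reads pasted text, so it is safe to run on any machine, and each rule is deliberately loud rather than precise: an entry it reports is something to look at, not proof of infection.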


#2 fenzodahl512 (Members, 6,738 posts)

Posted 28 April 2009 - 02:12 AM

Hello, my name is fenzodahl512 and welcome to Bleeping Computer.. Please do the following....



Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
If you see a "random" name, just leave it.. If you see "GMER", please rename GMER to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Infected Win2000er (Topic Starter)

Posted 28 April 2009 - 03:39 PM

Fenzo,

Thank you for so graciously responding to my computer dilemma. I believe an update is in order. First, I downloaded Malwarebytes AM a couple of days ago and performed a full system scan, the result of which was 40+ counts of Vundo Trojan.H. I allowed MBAM to remove everything, change/delete registry keys, whatever it suggested to "fix" the problem. I also used CCleaner to resolve any registry issues. Moreover, I used an online scanner (Kaspersky 7) to scan my system and it came up with no infected files. Contained below are updated DDS and HijackThis logs. The only thing that looks funny to me are the two c:\winnt\system32\Perflib_Perfdata_#.dat files. Please consider this new information in determining what course of action should be executed.

Kind regards,
IW2Ker


DDS (Ver_09-03-16.01) - NTFSx86
Run by user at 16:28:43.95 on Tue 04/28/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_12
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.128.13 [GMT -4:00]


============== Running Processes ===============

C:\WINNT\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
S:\Program Files\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\user\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: SFCDisable=4 (0x4)
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: &Search
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {31564D57-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmvax.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\ulbzc33f.default\
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\ulbzc33f.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\ulbzc33f.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 3cpciadi;3Com Windows Modem Driver PCI ADI;c:\winnt\system32\drivers\3cpciadi.sys [2006-4-12 801072]
R3 USB_RNDIS_2K;Westell WireSpeed Dual Connect Modem;c:\winnt\system32\drivers\usb8023k.sys [2007-7-30 11136]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]

=============== Created Last 30 ================

2009-04-28 16:28 16,384 a------t c:\winnt\system32\Perflib_Perfdata_278.dat
2009-04-28 16:17 16,384 a------t c:\winnt\system32\Perflib_Perfdata_1f8.dat
2009-04-26 12:24 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-04-26 12:23 15,504 a------- c:\winnt\system32\drivers\mbam.sys
2009-04-26 12:23 38,496 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-04-26 12:23 <DIR> --d----- c:\program files\MAB
2009-04-26 12:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-25 17:26 <DIR> --d----- c:\program files\CCleaner
2009-04-25 11:40 <DIR> --d----- c:\program files\Trend Micro

==================== Find3M ====================

2009-04-18 12:16 1,636 a------- c:\winnt\system32\d3d9caps.dat
2009-02-12 14:13 410,984 a------- c:\winnt\system32\deploytk.dll
2007-07-30 13:32 439,296 ac------ c:\documents and settings\user\GoToAssist_phone__317_en.exe
2006-04-12 20:50 21,952 -c--h--- c:\program files\folder.htt
2006-04-12 20:50 271 ----h--- c:\program files\desktop.ini
1999-12-07 08:00 32,528 ac------ c:\winnt\inf\wbfirdma.sys

============= FINISH: 16:29:15.13 ===============



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:24:33 PM, on 4/28/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
S:\Program Files\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 2909 bytes

#4 fenzodahl512

Posted 29 April 2009 - 12:48 AM

Latest logs look very good to me.. Tell me, how's the computer now?..

I haven't seen any antivirus in your logs.. Antivirus is extremely crucial as without it you will get re-infected again! Do you have any? If you don't, please install ONLY ONE of these free and excellent antivirus below:



#5 Infected Win2000er (Topic Starter)

Posted 29 April 2009 - 05:11 PM

Fenzo,

So the system32\Perflib_Perfdata_278.dat and system32\Perflib_Perfdata_1f8.dat are nothing to be worried about? My computer is still running slow, but that is only because the processor (Pentium III) is ancient by today's standards. However, I am able to shut it down and log off on command, now that the stupid rundll32.exe process is GONE! I don't have much space on my C drive (maybe 500 MB or .5 GB), so that is why I never installed a virus protection program. I am probably going to wipe everything out and do a complete reinstall of Windows XP Pro that I was fortunate to get my hands on. I think this is the best thing to do because Win2000 is old and also I don't know what I allowed Malwarebytes and CCleaner to do to the registry. I would love to hear your advice on the matter. Also I have a 300-400MB avi video file on my S drive that I really do want to keep. It is the 100th episode of my now off-the-air favorite show. Is it safe to keep this, and also, since I don't have an external hard drive, but I do have a zip drive, is it possible to compress the file to less than 100 MB or so?

Best regards,

IW2K

#6 fenzodahl512

Posted 29 April 2009 - 05:26 PM

So the system32\Perflib_Perfdata_278.dat and system32\Perflib_Perfdata_1f8.dat are nothing to be worried about?


Nope, nothing to worry..

I am probably going to wipe everything out and do a complete reinstall of Windows XP Pro that I was fortunate to get my hands on. I think this is the best thing to do because Win2000 is old and also I don't know what I allowed Malbytes and CCleaner to do to the registry.


It's your choice whether to reformat or not, but migrating from Windows 2000 to XP Pro is a very good idea.

Also I have a 300-400MB avi video file on my S drive that I really do want to keep. It is the 100th episode of my now off the air favorite show. Is it safe to keep this, and also since I don't have an external hard drive, but I do have a zip drive, is it possible to compress the file to less than 100 MB or so?


It's safe to keep the file.. But I don't think you can compress the 400 MB AVI file into 100 MB.. Not possible unless you decode it back (which will be an extreme hassle)..

If you want my opinion, since you use a Pentium III, perhaps it's better for you to stick with Windows 2000, as Windows XP Pro can be a bit heavy on an old machine..



#7 fenzodahl512

Posted 03 May 2009 - 05:54 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





