1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Weird WIN2k Random Restart

Discussion in 'Virus & Other Malware Removal' started by zedsama, Jul 27, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    Hello all!
    I'm having a small problem with my Windows 2000 Proffessional work computer. It seems to randomly restart about 4-6 times a day. Here is my HJT log, I don't see anything out of the ordinary.

    Logfile of HijackThis v1.99.1
    Scan saved at 7:49:54 AM, on 7/27/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Temp\HijackThis.exe

    O2 - BHO: CIEPl Object - {DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - C:\WINNT\system32\syspcap.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll
    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll
    O20 - Winlogon Notify: syspcap - C:\WINNT\SYSTEM32\syspcap.dll
    O20 - Winlogon Notify: vmpwqlnt - C:\WINNT\SYSTEM32\vmpwqlnt.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    · Double-click VundoFix.exe to run it.
    · Click the Scan for Vundo button.
    · Once it's done scanning, click the Remove Vundo button.
    · You will receive a prompt asking if you want to remove the files, click YES
    · Once you click yes, your desktop will go blank as it starts removing Vundo.
    · When completed, it will prompt that it will shutdown your computer, click OK.
    · Turn your computer back on.
    · Please post the contents of C:\vundofix.txt and a new HiJackThis log.
    ===================
    Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
    · Install ewido.
    · Run the application
    · Click on scanner
    · Click Complete System Scan and the scan will begin.
    · When the scan is finished, Set all items to delete
    · Apply all actions
    · look at the bottom of the screen and click the Save report button.
    · Save the report to your C: Drive
    This will take some time to run!
    RE-Boot
    Post that log and a new HiJack log
     
  3. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    Allright, I downloaded VundoFix.exe and ran the program. It said it didn't detect any Vundo and then I ran Ewido and applied all actions as delete.

    Here is the report before I applied the actions:
    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:43:44 AM 7/29/2006

    + Scan result:



    C:\WINNT\system32\bwighxym.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\efghapih.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\eivlhmra.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\gtniblpm.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\jimcyfff.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\kixvnmwl.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\qwjkjdoh.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\rijtjbdx.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\thfoiyra.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\woheivje.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\wqetiayt.dll -> Adware.BHO : No action taken.
    C:\WINNT\system32\syspcap.dll -> Adware.Virtumonde : No action taken.
    C:\WINNT\system32\gyijigyt.exe -> Downloader.Murlo.dy : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Adviva : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tradedoubler : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : No action taken.
    [196] C:\WINNT\system32\syspcap.dll -> Trojan.Virtumod : No action taken.
    [992] C:\WINNT\system32\syspcap.dll -> Trojan.Virtumod : No action taken.


    ::Report end


    I then applied all actions and saved an additional report, this is what it said:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 11:44:07 AM 7/29/2006

    + Scan result:



    C:\WINNT\system32\bwighxym.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\efghapih.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\eivlhmra.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\gtniblpm.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\jimcyfff.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\kixvnmwl.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\qwjkjdoh.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\rijtjbdx.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\thfoiyra.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\woheivje.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\wqetiayt.dll -> Adware.BHO : Cleaned with backup (quarantined).
    C:\WINNT\system32\syspcap.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\WINNT\system32\gyijigyt.exe -> Downloader.Murlo.dy : Cleaned with backup (quarantined).
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Adserver : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Advertising : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Adviva : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Bridgetrack : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Burstbeacon : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Com : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Esomniture : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Euroclick : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Falkag : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Hitbox : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Questionmarket : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Ru4 : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Serving-sys : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Specificclick : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tacoda : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Trafficmp : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\DFuson\Cookies\[email protected][2].txt -> TrackingCookie.Zedo : Cleaned.
    [196] C:\WINNT\system32\syspcap.dll -> Trojan.Virtumod : Cleaned with backup (quarantined).
    [992] C:\WINNT\system32\syspcap.dll -> Trojan.Virtumod : Cleaned with backup (quarantined).


    ::Report end

    I'm still getting a goofy random restart problem and I'm not sure what else to do. Any more direction would be appreciated. Here is my most current HJT log (taken right after doing the Ewido full system scan)


    Logfile of HijackThis v1.99.1
    Scan saved at 11:50:09 AM, on 7/29/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Temp\HijackThis.exe

    O2 - BHO: CIEPl Object - {DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - C:\WINNT\system32\syspcap.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll
    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll
    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll
    O20 - Winlogon Notify: syspcap - C:\WINNT\SYSTEM32\syspcap.dll
    O20 - Winlogon Notify: vmpwqlnt - C:\WINNT\SYSTEM32\vmpwqlnt.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Add remove programs – remove all occurrences of Viewpoint

    Fix these with HJT – mark them, close IE, click fix checked

    O2 - BHO: CIEPl Object - {DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - C:\WINNT\system32\syspcap.dll

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll

    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll

    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll

    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll

    O20 - Winlogon Notify: syspcap - C:\WINNT\SYSTEM32\syspcap.dll

    O20 - Winlogon Notify: vmpwqlnt - C:\WINNT\SYSTEM32\vmpwqlnt.dll

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\system32\syspcap.dll
    C:\Program Files\Viewpoint
    C:\WINNT\SYSTEM32\chmmtjam.dll
    C:\WINNT\SYSTEM32\ipquolia.dll
    C:\WINNT\SYSTEM32\jtntdvbi.dll
    C:\WINNT\SYSTEM32\saurodkx.dll
    C:\WINNT\SYSTEM32\syspcap.dll
    C:\WINNT\SYSTEM32\vmpwqlnt.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  5. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    Ok, I did everything as you said, in the order you said. Here is my most recent HJT log file (made just after I did everything as you requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:22:59 PM, on 8/1/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Temp\HijackThis.exe

    O2 - BHO: CIEPl Object - {DAD9C3A5-FB4E-45CD-93EB-2059F4EEF4D1} - C:\WINNT\system32\syspcap.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll
    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll
    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll
    O20 - Winlogon Notify: syspcap - C:\WINNT\SYSTEM32\syspcap.dll
    O20 - Winlogon Notify: vmpwqlnt - vmpwqlnt.dll (file missing)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

    It seems syspcap.dll is still there among other things. I don't know if it is still malfunctioning, I will let you know if it is still randomly restarting.
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Please download http://www.atribune.org/ccount/click.php?id=4 to your desktop.
    Double-click VundoFix.exe to run it.
    Put a check next to Run VundoFix as a task.
    You will receive a message saying vundofix will close and re-open in a minute or less. Click OK.
    When VundoFix re-opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt and a new HijackThis log.
    ===========================

    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HJT – mark them, close IE, click fix checked

    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll

    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll

    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll

    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll

    O20 - Winlogon Notify: vmpwqlnt - vmpwqlnt.dll (file missing)

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\chmmtjam.dll
    C:\WINNT\SYSTEM32\ipquolia.dll
    C:\WINNT\SYSTEM32\jtntdvbi.dll
    C:\WINNT\SYSTEM32\saurodkx.dll


    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  7. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    So I've been trying to get this fixed. I have tried running vundofix and here is what I come up with. When I run it normally (not as a task) the program runs fine, but it doesn't detect any vundo (which, according to Ewido, there is one on my system). When I check "run as a task" it shows a message saying it will now close VundoFix and reopen in a minute or less, I click "OK" and nothing happens. There is no additional task opened and I've left the computer alone for as much as a half-hour with no result. I'm not sure if the program isn't design to work with Win2K or what the problem is. Also, I noticed today, windows will generate an error from time to time that restarts my computer. The error says "winlog.exe has generated too many errors, the computer will have to restart" or something to that effect. It only happens every once in a while. The rest of the time the computer restarts without a warning. Some direction would be greatly appreciated. Thanks!
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    DL vundofix to C:\ instead of the desk top and try it
     
  9. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    I downloaded VundoFix to C:\ and ran it as a task. It worked great, but it still didn't detect anything. Where should I go from here? This random restart is very irritating and it is affecting my work as you can imagine.
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Go to the link below and download the trial version of SpySweeper:

    SpySweeper http://www.webroot.com/consumer/products/spysweeper/index.html?acode=af1&rc=4129&ac=tsg

    * Click the Free Trial link under "SpySweeper" to download the program.
    * Install it. Once the program is installed, it will open.
    * It will prompt you to update to the latest definitions, click Yes.
    * Once the definitions are installed, click Options on the left side.
    * Click the Sweep Options tab.
    * Under What to Sweep please put a check next to the following:
    o Sweep Memory
    o Sweep Registry
    o Sweep Cookies
    o Sweep All User Accounts
    o Enable Direct Disk Sweeping
    o Sweep Contents of Compressed Files
    o Sweep for Rootkits

    o Please UNCHECK Do not Sweep System Restore Folder.

    * Click Sweep Now on the left side.
    * Click the Start button.
    * When it's done scanning, click the Next button.
    * Make sure everything has a check next to it, then click the Next button.
    * It will remove all of the items found.
    * Click Session Log in the upper right corner, copy everything in that window.
    * Click the Summary tab and click Finish.
    * Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  11. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    That might have done the trick. Here is my new HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:14:52 AM, on 8/8/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Temp\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll
    O20 - Winlogon Notify: ggstlnwl - C:\WINNT\SYSTEM32\ggstlnwl.dll
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll
    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll
    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll
    O20 - Winlogon Notify: vmpwqlnt - vmpwqlnt.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


    Here is the session log file for Spy Sweeper:

    7:12 AM: Removal process completed. Elapsed time 00:00:14
    7:12 AM: Quarantining All Traces: zedo cookie
    7:12 AM: Quarantining All Traces: adserver cookie
    7:12 AM: Quarantining All Traces: tripod cookie
    7:12 AM: Quarantining All Traces: tribalfusion cookie
    7:12 AM: Quarantining All Traces: trafficmp cookie
    7:12 AM: Quarantining All Traces: statcounter cookie
    7:12 AM: Quarantining All Traces: serving-sys cookie
    7:12 AM: Quarantining All Traces: realmedia cookie
    7:12 AM: Quarantining All Traces: one-time-offer cookie
    7:12 AM: Quarantining All Traces: nextag cookie
    7:12 AM: Quarantining All Traces: mediaplex cookie
    7:12 AM: Quarantining All Traces: maxserving cookie
    7:12 AM: Quarantining All Traces: webtrends cookie
    7:12 AM: Quarantining All Traces: domainsponsor cookie
    7:12 AM: Quarantining All Traces: howstuffworks cookie
    7:12 AM: Quarantining All Traces: humanclick cookie
    7:12 AM: Quarantining All Traces: fastclick cookie
    7:12 AM: Quarantining All Traces: ru4 cookie
    7:12 AM: Quarantining All Traces: go.com cookie
    7:12 AM: Quarantining All Traces: casalemedia cookie
    7:12 AM: Quarantining All Traces: belnk cookie
    7:12 AM: Quarantining All Traces: bannerspace cookie
    7:12 AM: Quarantining All Traces: atwola cookie
    7:12 AM: Quarantining All Traces: atlas dmt cookie
    7:12 AM: Quarantining All Traces: ask cookie
    7:12 AM: Quarantining All Traces: apmebf cookie
    7:12 AM: Quarantining All Traces: tacoda cookie
    7:12 AM: Quarantining All Traces: advertising cookie
    7:12 AM: Quarantining All Traces: adreactor cookie
    7:12 AM: Quarantining All Traces: cd freaks cookie
    7:12 AM: Quarantining All Traces: adrevolver cookie
    7:12 AM: Quarantining All Traces: adknowledge cookie
    7:12 AM: Quarantining All Traces: adecn cookie
    7:12 AM: Quarantining All Traces: yieldmanager cookie
    7:12 AM: Quarantining All Traces: about cookie
    7:12 AM: Quarantining All Traces: websponsors cookie
    7:12 AM: Quarantining All Traces: 2o7.net cookie
    7:12 AM: Quarantining All Traces: smart-browser
    7:12 AM: Quarantining All Traces: virtumonde
    7:12 AM: Removal process initiated
    7:09 AM: Traces Found: 59
    7:09 AM: Full Sweep has completed. Elapsed time 00:15:22
    7:09 AM: File Sweep Complete, Elapsed Time: 00:13:34
    7:09 AM: C:\Documents and Settings\DFuson\Recent\Readme.txt.lnk (5 subtraces) (ID = 2147486978)
    7:09 AM: Warning: Failed to access drive D:
    6:56 AM: C:\Program Files\SB (5 subtraces) (ID = 2147486978)
    6:56 AM: Found Adware: smart-browser
    6:55 AM: Starting File Sweep
    6:55 AM: Warning: Failed to access drive A:
    6:55 AM: Cookie Sweep Complete, Elapsed Time: 00:00:04
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3762)
    6:55 AM: Found Spy Cookie: zedo cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2142)
    6:55 AM: Found Spy Cookie: adserver cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3591)
    6:55 AM: Found Spy Cookie: tripod cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3589)
    6:55 AM: Found Spy Cookie: tribalfusion cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3581)
    6:55 AM: Found Spy Cookie: trafficmp cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 6444)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3447)
    6:55 AM: Found Spy Cookie: statcounter cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3343)
    6:55 AM: Found Spy Cookie: serving-sys cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3235)
    6:55 AM: Found Spy Cookie: realmedia cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3095)
    6:55 AM: Found Spy Cookie: one-time-offer cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 5014)
    6:55 AM: Found Spy Cookie: nextag cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 1958)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 6442)
    6:55 AM: Found Spy Cookie: mediaplex cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2966)
    6:55 AM: Found Spy Cookie: maxserving cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 3669)
    6:55 AM: Found Spy Cookie: webtrends cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2535)
    6:55 AM: Found Spy Cookie: domainsponsor cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2805)
    6:55 AM: Found Spy Cookie: howstuffworks cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2810)
    6:55 AM: Found Spy Cookie: humanclick cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2728)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2651)
    6:55 AM: Found Spy Cookie: fastclick cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2038)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3269)
    6:55 AM: Found Spy Cookie: ru4 cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2729)
    6:55 AM: Found Spy Cookie: go.com cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2371)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2370)
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2354)
    6:55 AM: Found Spy Cookie: casalemedia cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2292)
    6:55 AM: Found Spy Cookie: belnk cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2284)
    6:55 AM: Found Spy Cookie: bannerspace cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2255)
    6:55 AM: Found Spy Cookie: atwola cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2253)
    6:55 AM: Found Spy Cookie: atlas dmt cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2245)
    6:55 AM: Found Spy Cookie: ask cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2229)
    6:55 AM: Found Spy Cookie: apmebf cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 6445)
    6:55 AM: Found Spy Cookie: tacoda cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2175)
    6:55 AM: Found Spy Cookie: advertising cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2087)
    6:55 AM: Found Spy Cookie: adreactor cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2371)
    6:55 AM: Found Spy Cookie: cd freaks cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][3].txt (ID = 2088)
    6:55 AM: Found Spy Cookie: adrevolver cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2072)
    6:55 AM: Found Spy Cookie: adknowledge cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][1].txt (ID = 2063)
    6:55 AM: Found Spy Cookie: adecn cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3751)
    6:55 AM: Found Spy Cookie: yieldmanager cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 2037)
    6:55 AM: Found Spy Cookie: about cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 3665)
    6:55 AM: Found Spy Cookie: websponsors cookie
    6:55 AM: c:\documents and settings\dfuson\cookies\[email protected][2].txt (ID = 1957)
    6:55 AM: Found Spy Cookie: 2o7.net cookie
    6:55 AM: Starting Cookie Sweep
    6:55 AM: Registry Sweep Complete, Elapsed Time:00:00:24
    6:55 AM: HKLM\software\classes\iepl.iepl.1\ (ID = 1064409)
    6:55 AM: HKLM\software\classes\iepl.iepl\ (ID = 1064403)
    6:55 AM: HKCR\iepl.iepl.1\ (ID = 1064376)
    6:55 AM: HKCR\iepl.iepl\ (ID = 1064370)
    6:55 AM: Found Adware: virtumonde
    6:55 AM: Starting Registry Sweep
    6:55 AM: Memory Sweep Complete, Elapsed Time: 00:01:07
    6:54 AM: Starting Memory Sweep
    6:54 AM: Sweep initiated using definitions version 734
    6:54 AM: Spy Sweeper 5.0.5.1286 started
    6:54 AM: | Start of Session, Tuesday, August 08, 2006 |
    ********
    6:54 AM: | End of Session, Tuesday, August 08, 2006 |
    Keylogger Shield: On
    BHO Shield: On
    IE Security Shield: On
    Alternate Data Stream (ADS) Execution Shield: On
    Startup Shield: On
    Common Ad Sites Shield: Off
    Hosts File Shield: On
    Spy Communication Shield: On
    ActiveX Shield: On
    Windows Messenger Service Shield: On
    IE Favorites Shield: On
    Spy Installation Shield: On
    Memory Shield: On
    IE Hijack Shield: On
    IE Tracking Cookies Shield: Off
    6:53 AM: Shield States
    6:53 AM: Spyware Definitions: 734
    6:53 AM: Spy Sweeper 5.0.5.1286 started
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HJT – mark them, close IE, click fix checked

    O20 - Winlogon Notify: chmmtjam - C:\WINNT\SYSTEM32\chmmtjam.dll

    O20 - Winlogon Notify: ggstlnwl - C:\WINNT\SYSTEM32\ggstlnwl.dll

    O20 - Winlogon Notify: ipquolia - C:\WINNT\SYSTEM32\ipquolia.dll

    O20 - Winlogon Notify: jtntdvbi - C:\WINNT\SYSTEM32\jtntdvbi.dll

    O20 - Winlogon Notify: saurodkx - C:\WINNT\SYSTEM32\saurodkx.dll

    O20 - Winlogon Notify: vmpwqlnt - vmpwqlnt.dll (file missing)

    DownLoad http://www.downloads.subratam.org/KillBox.zip

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINNT\SYSTEM32\chmmtjam.dll
    C:\WINNT\SYSTEM32\ggstlnwl.dll
    C:\WINNT\SYSTEM32\ipquolia.dll
    C:\WINNT\SYSTEM32\jtntdvbi.dll
    C:\WINNT\SYSTEM32\saurodkx.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  13. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    Here is my most recent HJT log. I put two entries in bold for O20, because they didn't look right, are these ok to have on the system?

    Logfile of HijackThis v1.99.1
    Scan saved at 1:46:05 PM, on 8/10/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\hkcmd.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Temp\HijackThis.exe

    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] "mobsync.exe" /logon
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by123fd.bay123.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll

    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Those are totally legit entries

    You have no active AntiVirus!

    Get the free AVG 7 install it, check for updates and run a full scan

    AVG 7 - http://free.grisoft.com/freeweb.php/doc/2/
    =============
    How are things now
     
  15. zedsama

    zedsama Thread Starter

    Joined:
    Jun 21, 2006
    Messages:
    13
    Everything appears to be working properly. I'll keep you posted. Thanks again for all of your time and help!
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Weird WIN2k Random
  1. spoonthumb
    Replies:
    9
    Views:
    512
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/486869

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice