Windows BBS The Place for Microsoft Windows Support! Windows, Support, Help Site

Old 30th January 2005   #1
Adam Wal (Inactive; Join Date: Jan 2005; Posts: 33; Computer Experience: beginner)

Microsoft Visual C++ error

When my computer boots up and gets into Windows, this error appears.
It only has one option (OK) and if I click it the icons disappear and I can't do anything.
I can work around the error though.

*Other errors
My computer also has many .dll errors such as KERNEL32 and SHELL errors, to name a few.

Any help would be appreciated.

Logfile of HijackThis v1.99.0
Scan saved at 5:21:31 PM, on 1/30/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ADDSC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\EXPOLER.EXE
C:\WINDOWS\SYSTEM\SPOOL.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSMC.EXE
C:\WINDOWS\TEMP\32F4.TMP.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
C:\TEMP\SALM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLIKEEP.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\OEJLJMW.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\PACKAGER.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\ANTISPYWARE\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=155351
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=155351
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=155351
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BCE91F60-1199-9788-372A-9B4D8255E7E3} - C:\WINDOWS\SYSTEM\NTEJ.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [winexpoler] C:\WINDOWS\SYSTEM\expoler.exe
O4 - HKLM\..\Run: [winhostx] C:\WINDOWS\SYSTEM\spool.exe %srun%
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SYSMC.EXE] C:\WINDOWS\SYSMC.EXE
O4 - HKLM\..\Run: [32F4.TMP] C:\WINDOWS\TEMP\32F4.TMP.exe 0 28129
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Admilli Service] C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [32F4.TMP.EXE] C:\WINDOWS\TEMP\32F4.TMP.EXE 0 28129
O4 - HKLM\..\Run: [oejljmw] c:\windows\system\oejljmw.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ADDSC.EXE] C:\WINDOWS\ADDSC.EXE
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:MP3download:t
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MP3download - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\SYSTEM\MP3download (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...0006_adult.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/pdfzzy.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab


Last edited by Adam Wal; 30th January 2005 at 18:40. Reason: extra errors
Old 31st January 2005   #2
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,524)

Welcome to WindowsBBS, Adam

You've got quite a mess there. Download, install and immediately update both Spybot and Ad-aware (links in my signature). Run Spybot and remove all that it finds and prechecks. Run Ad-aware in full scan mode and delete all it finds. Reboot and post a new HijackThis log.

Old 31st January 2005   #3
Adam Wal (Inactive; Join Date: Jan 2005; Posts: 33; Computer Experience: beginner)

Thank you noahdfear for your help, though when I run Spybot, the following message appears when it is 1/4 of the way through:

Error during check!: Common hijacker (Datei C:\WINDOWS\hosts kann nicht geöffnet werden. The process cannot access the file because it is being used by another process) ()

Ad-aware also freezes very early on.

Any advice, anyone?

P.S. I made a new HijackThis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:04:03 PM, on 1/31/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ADDSC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\EXPOLER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSMC.EXE
C:\WINDOWS\TEMP\32F4.TMP.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-GB\MSNAPPAU.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
C:\TEMP\SALM.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\SED\SED.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLIKEEP.EXE
C:\WINDOWS\SYSTEM\WSXSVC\WSXSVC.EXE
C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
C:\PROGRAM FILES\BULLSEYE NETWORK\BIN\BARGAINS.EXE
C:\WINDOWS\SYSTEM\OEJLJMW.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\CALC.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\ADAM'S\MISC\COMP REPAIR STUFF\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET\TISCALI_UK\TB.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_p...ount_id=155351
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_p...ount_id=155351
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=155351
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BCE91F60-1199-9788-372A-9B4D8255E7E3} - C:\WINDOWS\SYSTEM\NTEJ.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [winexpoler] C:\WINDOWS\SYSTEM\expoler.exe
O4 - HKLM\..\Run: [winhostx] C:\WINDOWS\SYSTEM\spool.exe %srun%
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [SYSMC.EXE] C:\WINDOWS\SYSMC.EXE
O4 - HKLM\..\Run: [32F4.TMP] C:\WINDOWS\TEMP\32F4.TMP.exe 0 28129
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [Admilli Service] C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [oejljmw] c:\windows\system\oejljmw.exe
O4 - HKLM\..\Run: [32F4.TMP.EXE] C:\WINDOWS\TEMP\32F4.TMP.EXE 0 28129
O4 - HKLM\..\Run: [elaf] c:\windows\elaf.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ADDSC.EXE] C:\WINDOWS\ADDSC.EXE
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:MP3download:t
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: MP3download - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\SYSTEM\MP3download (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.124.130 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CD...bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwa...0006_adult.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/pdfzzy.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab


Last edited by Adam Wal; 31st January 2005 at 21:04. Reason: extra stuff
Old 1st February 2005   #4
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,524)

You should print this out and/or save it to text where you can access it in safe mode.

Download Symantec Trojan.Vundo Removal Tool 1.2.4. Save FixVundo.exe to a convenient location, such as your desktop.

Download LSPFix.zip and unzip the files to their own folder.

Download Domains.zip and unzip the files to their own folder.


Download AboutBuster from one of the following locations.

http://tools.zerosrealm.com/AboutBuster.zip

http://www.downloads.subratam.org/AboutBuster.zip

First unzip all files from the zip folder to a folder on your desktop. Open and double click AboutBuster.exe, click ok, then update. A new screen should popup. On that screen click Check for Updates. If it says it found an update click Download Updates. If it doesn't, it will automatically tell you and exit. Close for now.


Check for updates to Ad-aware.

Download CWShredder 2.0 from here. Save it to the desktop. Double click to install.

Turn off System Restore

Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_...count_id=155351
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_...count_id=155351
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=155351
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BCE91F60-1199-9788-372A-9B4D8255E7E3} - C:\WINDOWS\SYSTEM\NTEJ.DLL
O3 - Toolbar: (no name) - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - (no file)
O4 - HKLM\..\Run: [winexpoler] C:\WINDOWS\SYSTEM\expoler.exe
O4 - HKLM\..\Run: [winhostx] C:\WINDOWS\SYSTEM\spool.exe %srun%
O4 - HKLM\..\Run: [SYSMC.EXE] C:\WINDOWS\SYSMC.EXE
O4 - HKLM\..\Run: [32F4.TMP] C:\WINDOWS\TEMP\32F4.TMP.exe 0 28129
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [autoclk] autoclk.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [oejljmw] c:\windows\system\oejljmw.exe
O4 - HKLM\..\Run: [32F4.TMP.EXE] C:\WINDOWS\TEMP\32F4.TMP.EXE 0 28129
O4 - HKLM\..\Run: [elaf] c:\windows\elaf.exe
O4 - HKLM\..\RunServices: [ADDSC.EXE] C:\WINDOWS\ADDSC.EXE
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:MP3download:t
O9 - Extra button: MP3download - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - C:\WINDOWS\SYSTEM\MP3download (file missing)
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C.../bridge-c46.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw.../0006_adult.cab
O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} (Matrix Class) - http://acceso.masminutos.com/laaplicacion.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/pdfzzy.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.zestyfind.com/app/DS4/DS4.cab


Go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

You will need to show hidden files and folders.

Double-click FixVundo.exe to start the Vundo removal tool. Click "Start" to begin the removal process.

Open CWShredder and click fix.

Open AboutBuster, click start then OK. Exit when finished.

Open Ad-aware and run in full scan mode. Delete all it finds.

Search the drive for the files autoclk.exe and adiras.exe, delete when found.
Open C:\WINDOWS and delete the files SYSMC.EXE, elaf.exe, ADDSC.EXE and MSA64CHK.DLL, and the folder Matrix if present.
Open C:\WINDOWS\system and delete the files expoler.exe, spool.exe and oejljmw.exe, and the folders wsxsvc and VMSS if present.
Open C:\Program Files and delete the folders Internet Optimizer, SED and BullsEye Network if present.
Open C:\Temp, select all and delete.
Open C:\Windows\Temp, select all and delete.
Open C:\Documents and Settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
Open the control panel, then internet options and delete the temporary internet files, checking the box for offline content. Click the 'Publishers' button on the 'Content' tab. Remove any entries in the 'Trusted Publishers' list that refer to 'Matrix Technology Network SA', 'Futurpago SA', 'Desarrollos Huella Digital, S.L.' or 'MSN Technologies, S.L.'. (Normally, it is a good idea to keep this list completely empty.)
Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes and click OK.

Open the LSPFix folder and double click LSPFix.exe. If aklsp.dll is in the list, add it to the remove column, check the box I know what I'm doing and click finish.

Open the Domains folder and double click RemoveDomains.reg, then click OK to merge. Double click the ResetDomains.reg and merge.

Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

Back in Windows, scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

Run another HijackThis scan and post the log (with version 1.99).

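As an added example (not code from this thread, from HijackThis or from the helper), here is a small Python triage script that reads HijackThis 1.99 log lines like the ones posted above and flags the entry classes noahdfear marked for fixing: res:// search pages, the missing URLSearchHook, a BHO with no real name, Run entries launching from a TEMP directory, unknown Winsock LSP files, Trusted Zone additions and DPF downloads through the ms-its: handler. The heuristics and finding labels are my own; the sample lines are copied from the first log in this thread and embedded as constructed input.

```python
"""Triage of HijackThis 1.99 log entries.

Added example for this thread; not HijackThis code and not something the forum
posted.  The rules encode the entry classes the helper marked for fixing above.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: lines copied from the first log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\hiarh.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BCE91F60-1199-9788-372A-9B4D8255E7E3} - C:\WINDOWS\SYSTEM\NTEJ.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [32F4.TMP] C:\WINDOWS\TEMP\32F4.TMP.exe 0 28129
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\aklsp.dll
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://Cne.MHT!http://www.t058.com//inst//x.chm::/open.exe
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")           # "O4 - <body>"
O2_RE = re.compile(r"^BHO:\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$")
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)  # ...\TEMP\... or ...\temp\...
GENERIC_BHO_NAMES = {"(no name)", "Class"}                  # BHOs with no real display name


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry was flagged
    entry: str     # the original log line


def triage(log_text: str) -> list[Finding]:
    """Return the log lines that match one of the hijack heuristics."""
    findings: list[Finding] = []
    seen_lsp: set[str] = set()   # HijackThis repeats one O10 line per LSP chain slot
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section in ("R0", "R1") and "= res://" in body:
            # Search/start page served from a local DLL resource instead of a web URL
            reason = "IE search/start page points at a res:// DLL resource"
        elif section == "R3" and "URLSearchHook is missing" in body:
            reason = "default URLSearchHook has been removed"
        elif section == "O2":
            bm = O2_RE.match(body)
            if bm and bm.group(1) in GENERIC_BHO_NAMES:
                reason = "BHO with no descriptive name"
        elif section == "O4" and TEMP_DIR_RE.search(body):
            reason = "autorun entry launches from a TEMP directory"
        elif section == "O10" and body.startswith("Unknown file in Winsock LSP"):
            path = body.split(":", 1)[1].strip().lower()
            if path not in seen_lsp:          # report each LSP file once
                seen_lsp.add(path)
                reason = "unknown Winsock LSP file (needs LSPFix, not a plain delete)"
        elif section == "O15":
            reason = "Trusted Zone / trusted IP range addition"
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1].lower()
            if url.startswith("ms-its:") or ".chm::" in url:
                reason = "DPF download through the ms-its:/CHM protocol handler"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


def summarize(findings: list[Finding]) -> Counter:
    """Count findings per HijackThis section code."""
    return Counter(f.section for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
    print(dict(summarize(results)))
```

Flagged entries are candidates for review, not an automatic fix list: the O10 line in particular must go through LSPFix as the helper describes, since deleting an LSP file outright breaks Winsock.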
Old 1st February 2005   #5
Adam Wal (Inactive; Join Date: Jan 2005; Posts: 33; Computer Experience: beginner)

Here is the RAV report

Statistics

Scanned files: 12750
Scanned directories: 1109
Scanned archives: 484
Size of the scanned files: 2289731702
Packed files: 807
Known viruses found: 78
Virus bodies: 9
Suspicious files: 1

Disinfected files: 0
Deleted files: 0
Renamed files: 0
Copied files: 0
I/O errors: 0
Warnings: 0
Corrupted files: 0
New files: 100306
Mail files: 189




Found viruses
File: c:\WINDOWS\hiarh.dll
Virus: TrojanDownloader:Win32/WinShow.AK Status: Suspicious

File: c:\WINDOWS\addsc.exe
Virus: TrojanDownloader:Win32/Agent.X Status: Infected

File: c:\WINDOWS\dtiloi.dat
Virus: TrojanProxy:Win32/Ranky.BG Status: Infected

File: c:\WINDOWS\taskmon.exe.$$$
Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

File: c:\WINDOWS\scanregw.exe
Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

File: c:\WINDOWS\sysmc.exe
Virus: TrojanProxy:Win32/Ranky.BG Status: Infected

File: c:\WINDOWS\FSCWBQ.EXE
Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

File: c:\WINDOWS\QYJTW.EXE.$$$
Virus: TrojanDownloader:Win32/Agent.Z Status: Infected

File: c:\WINDOWS\SYSTEM\nonzipsr.noz->(Base64)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\SYSTEM\clsobern.isc->(Base64)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\SYSTEM\zippedsr.piz->(Base64)->message_text.txt .pif
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\SYSTEM\clonzips.ssc->(Base64)->message_text.txt .pif
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\SYSTEM\ATPartners.dll
Virus: TrojanDownloader:Win32/Rameh.C Status: Infected

File: c:\WINDOWS\SYSTEM\akupd.dll
Virus: TrojanDownloader:Win32/Agent.BR Status: Infected

File: c:\WINDOWS\SYSTEM\akrules.dll
Virus: TrojanDownloader:Win32/Agent.BT Status: Infected

File: c:\WINDOWS\SYSTEM\aklsp.dll
Virus: TrojanDownloader:Win32/Agent.BR Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.51: (new_account@comcast.net [Your Password])->(part0001:comcast_972.DOC.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.50: (Error_Mail@genius2000.com [Mail_Delivery_failure ])->(part0001:genius2000_1248.DOC.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.49: (new_account@juno.com [Your Password ])->(part0001:juno.4056.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.47: (Auto-Mailer@juno.com [Re: Faulty_mail delivery <2375>])->(part0001:mail5139.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.46: (info@hotmail.com [FwD: Your mail password])->(part0001:hotmail.xls.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.45: (re-mail_system@yahoo.com [mail delivery system])->(part0001:yahoo.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.42: (user_info@nissan-nmuk.co.uk [FwD: Your mail password])->(part0001:nissan-nmuk.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.41: (webmaster@comcast.net [Faulty_mail delivery <1381>])->(part0001:comcast.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.40: (Naomi@biosculpturelondon.co.uk [Oh God it's])->(part0001h_nono.4558.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.39: (user_info@teesdaleenterprise.co.uk [Re: Confirmation ])->(part0001:teesdaleenterprise.TXT.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.38: (new_account@bbc.co.uk [Your mail password ])->(part0001:bbc.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.37: (torquemada_gi@hotmail.com [FwD: Details])->(part0001:thats_hard_9961.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.36: (info@aol.com [Confirmation])->(part0001:aol.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.35: (abergmann@biosculpture.com.au [Oh God it's])->(part0001:thats_hard_3669.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.33: (new_account@hotmail.com [Registration confirmation])->(part0001:hotmail.953.TXT.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.32: (hostmaster@yahoo.com [FwD: Confirmation])->(part0001:yahoo.7644.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.30: (MB4neesBro@hotmail.com [Oh God it's])->(part0001:im_shocked_6220.DOC.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.29: (info@teesdaleenterprise.co.uk [Your Password ])->(part0001:teesdaleenterprise.6940.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.26: (hostmaster@innocent.com [Re: Your Password ])->(part0001:innocent.4658.eml.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.25: (new_account@biosculpture.com.au [Your Password ])->(part0001:biosculpture_7778.txt.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.24: (Auto-Mailer@aol.com [invalid mail ])->(part0001:aol.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.23: (info@teesdaleenterprise.co.uk [Your Password])->(part0001:teesdaleenterprise.6270.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.22: (BioSculptureIRL@aol.com [Oh God it's])->(part0001:im_shocked_535.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.17: (new_account@hotmail.com [Confirmation])->(part0001:hotmail.6878.eml.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.15: (hostmaster@juno.com [Registration confirmation])->(part0001:juno_2014.word.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.12: (Auto-Mailer@teesdaleenterprise.co.uk [FwD: mail delivery system ])->(part0001:mail.7960.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.11: (Error_Mail@aol.com [Faulty_mail delivery ])->(part0001:mail.5692.word.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.10: (Auto-Mailer@hotmail.com [FwD: Mail Error <1192>])->(part0001:mail_7314.EML.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.9: (user_info@gto.net.om [Re: Registration confirmation])->(part0001:gto_6274.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.8: (user_info@aol.com [Re: Registration confirmation ])->(part0001:aol_422.doc.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.7: (re-mail_system@hotmail.com [Re: Mail_Delivery_failure])->(part0001:mail_6173.eml.zip)->message_text.txt ...
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.6: (re-mail_system@hotmail.com [FwD: invalid mail ])->(part0001:re_mail_1062.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.5: (Error_Mail@yahoo.com [mail delivery system])->(part0001:auto__mail.yahoo_6155.eml.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.2: (Auto-Mailer@eudoramail.com [invalid mail])->(part0001:mail.4518.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.1: (hostmaster@biosculpturelondon.co.uk [FwD: Your mail password ])->(part0001:biosculpturelondon9186.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Application Data\Identities\{922C60A0-4E12-11D9-B9BB-D1588122244D}\Microsoft\Outlook Express\Inbox.dbx->Message.0: (Error_Mail@hotmail.com [illegal signs in your mail ])->(part0001:mail_8612.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\WINDOWS\Temporary Internet Files\Content.IE5\F4C78B09\CAC747MH.HTM
Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

File: c:\My Documents\hijackthis.log
Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

File: c:\My Documents\ADAM'S\MISC\COMP REPAIR STUFF\backups\backup-20050201-163943-898
Virus: Exploit:HTML/MhtRedir.gen* Status: Infected

File: c:\My Documents\ADAM'S\MISC\COMP REPAIR STUFF\backups\backup-20050201-163943-265.dll
Virus: TrojanDownloader:Win32/IstBar.GD.dll Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.35: (abergmann@biosculpture.com.au [Oh God it's])->(part0001:thats_hard_3669.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.33: (new_account@hotmail.com [Registration confirmation])->(part0001:hotmail.953.TXT.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.32: (hostmaster@yahoo.com [FwD: Confirmation])->(part0001:yahoo.7644.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.30: (MB4neesBro@hotmail.com [Oh God it's])->(part0001:im_shocked_6220.DOC.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.29: (info@teesdaleenterprise.co.uk [Your Password ])->(part0001:teesdaleenterprise.6940.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.26: (hostmaster@innocent.com [Re: Your Password ])->(part0001:innocent.4658.eml.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.25: (Error_Mail@hotmail.com [illegal signs in your mail ])->(part0001:mail_8612.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.24: (new_account@biosculpture.com.au [Your Password ])->(part0001:biosculpture_7778.txt.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.23: (Auto-Mailer@aol.com [invalid mail ])->(part0001:aol.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.22: (info@teesdaleenterprise.co.uk [Your Password])->(part0001:teesdaleenterprise.6270.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.21: (BioSculptureIRL@aol.com [Oh God it's])->(part0001:im_shocked_535.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.16: (new_account@hotmail.com [Confirmation])->(part0001:hotmail.6878.eml.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.14: (hostmaster@juno.com [Registration confirmation])->(part0001:juno_2014.word.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.11: (Auto-Mailer@teesdaleenterprise.co.uk [FwD: mail delivery system ])->(part0001:mail.7960.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.10: (Error_Mail@aol.com [Faulty_mail delivery ])->(part0001:mail.5692.word.scr)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.9: (Auto-Mailer@hotmail.com [FwD: Mail Error <1192>])->(part0001:mail_7314.EML.zip)->message_text.txt .pif
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.8: (user_info@gto.net.om [Re: Registration confirmation])->(part0001:gto_6274.com)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.7: (user_info@aol.com [Re: Registration confirmation ])->(part0001:aol_422.doc.zip)->message_text.txt .pif
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.6: (re-mail_system@hotmail.com [Re: Mail_Delivery_failure])->(part0001:mail_6173.eml.zip)->message_text.txt .pif
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.5: (re-mail_system@hotmail.com [FwD: invalid mail ])->(part0001:re_mail_1062.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.4: (Error_Mail@yahoo.com [mail delivery system])->(part0001:auto__mail.yahoo_6155.eml.bat)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.1: (Auto-Mailer@eudoramail.com [invalid mail])->(part0001:mail.4518.pif)
Virus: Win32/Sober.I@mm Status: Infected

File: c:\My Documents\JOHN'S\Outlook Express(COPY)\Inbox.dbx->Message.0: (hostmaster@biosculpturelondon.co.uk [FwD: Your mail password ])->(part0001:biosculpturelondon9186.com)
Virus: Win32/Sober.I@mm Status: Infected

and the HijackThis report:

Logfile of HijackThis v1.99.0
Scan saved at 5:32:35 PM, on 2/1/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\ADDSC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMGR.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TEMP\32F4.TMP.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\LEXMARK X1100 SERIES\LXBKBMON.EXE
C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLIKEEP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\SAGEM\SAGEM F@ST 800-840\DSLMON.EXE
C:\PROGRAM FILES\INTERMUTE\SPYSUBTRACT\SPYSUB.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\INTERNET\ICC\ICC2000.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET\TISCALI_UK\TB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\MY DOCUMENTS\ADAM'S\MISC\COMP REPAIR STUFF\HIJACKTHIS.EXE

R3 - Default URLSearchHook is missing
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-GB\MSNTB.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_16_0.DLL (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [LexStart] lexstart.exe
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [Admilli Service] C:\PROGRAM FILES\ADMILLI SERVICE\ADMILLISERV.EXE
O4 - HKLM\..\Run: [SESync] "C:\PROGRAM FILES\SED\SED.EXE"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\SYSTEM\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\SYSTEM\VMSS\VMSS.EXE
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [oejljmw] c:\windows\system\oejljmw.exe
O4 - HKLM\..\Run: [32F4.TMP.EXE] C:\WINDOWS\TEMP\32F4.TMP.EXE 0 28129
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [ADDSC.EXE] C:\WINDOWS\ADDSC.EXE
O4 - HKCU\..\Run: [MP3download] rundll32.exe C:\WINDOWS\SYSTEM\MSA64CHK.DLL,DllMostrar Matrix_HTML:MP3download:t

Old 1st February 2005   #6
Adam Wal (Inactive; Join Date: Jan 2005; Posts: 33; Computer Experience: beginner)

O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st_current.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab


Any more clues?

Old 2nd February 2005   #7
noahdfear (Staff; Join Date: Apr 2003; Location: New Bremen, Ohio U.S.A.; Posts: 12,524)

Start with deleting all of those infected emails and saved copies in your My Documents folder. It's late, so I'll post instructions for removing the other infected files and further cleanup tomorrow evening. Try running Spybot and Ad-aware again, in safe mode if they still don't run or won't fix what they find while in Windows, and let us know how that goes. A new HJT log after running them would be helpful too.