Author Topic: To delete or not to delete?  (Read 17520 times)


pjfb

  • Guest
Re: To delete or not to delete?
« Reply #15 on: March 06, 2005, 12:21:24 PM »
Right, boys n girls, here goes.
Results of my HijackThis scan attached.
I'm not a techie, but the following look dodgy to me:

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [qxyp] C:\WINDOWS\qxyp.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx

All assistance very gratefully received.
pjfb :D


Logfile of HijackThis v1.99.1
Scan saved at 10:05:57, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\WINHLP32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O7 "EPUSB1:" /M "Stylus C86"
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [qxyp] C:\WINDOWS\qxyp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Freeserve - {E4F0BBE0-DD93-11D4-BD0F-92BD21DFA03D} - http://www.freeserve.net/ (file missing) (HKCU)
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {380D8192-23CB-11D3-B94F-00105A566F76} (first-e E-Mail Reader) - https://secure1.first-e.com/jsp/display/tnbinst.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab


lee16

  • Guest
Re: To delete or not to delete?
« Reply #16 on: March 06, 2005, 12:41:35 PM »
Hi


--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
r1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
o4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
o4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
o4 - HKLM\..\Run: [saap] c:\windows\saap.exe
o4 - HKLM\..\Run: [qxyp] C:\WINDOWS\qxyp.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra 'tools' menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: freeserve - {e4f0bbe0-dd93-11d4-bd0f-92bd21dfa03d} - http://www.freeserve.net/ (file missing) (hkcu)
o16 - dpf: {380d8192-23cb-11d3-b94f-00105a566f76} (first-e e-mail reader) - https://secure1.first-e.com/jsp/display/tnbinst.cab
o16 - dpf: {79849612-a98f-45b8-95e9-4d13c7b6b35c} - http://static.topconverting.com/activex/loader2.ocx
o16 - dpf: {ce28d5d2-60cf-4c7d-9fe8-0f47a3308078} (activedatainfo class) - https://www-secure.symantec.com/techsupp/asa/symadata.cab
o16 - dpf: {1f2f4c9e-6f09-47bc-970d-3c54734667fe} (lssupctl class) - https://www-secure.symantec.com/techsupp/asa/lssupctl.cab


--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe


Then delete these files:

C:\windows\p385.hta
C:\SEXO120gb\SEXO120GB[1].EXE -t
c:\windows\saap.exe
C:\WINDOWS\qxyp.exe

Then delete all your temp files from your Temp folder; if you want, you can have it done with a nice free program called CCleaner (http://www.ccleaner.com/ccdownload2.php)

BTW, I take it you are with Wanadoo.co.uk?


Then reboot your computer, redo and repost your HijackThis log so we can confirm your system is clean.

--lee

pjfb

  • Guest
Re: To delete or not to delete?
« Reply #17 on: March 06, 2005, 01:28:41 PM »
Lee,
Have done as you said and here is the new scan log.
Two issues:
1. O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
is still in the scan log, despite having "fixed" it.  So what next?
2. I couldn't find the four files that you recommend I delete, neither looking in Windows Explorer, nor when I ran a Find over the whole C: drive.  Again, what next?

And yes I am with Wanadoo.  Also with ntlworld.
Thanks again for your help.
pjfb


Logfile of HijackThis v1.99.1
Scan saved at 12:23:10, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O7 "EPUSB1:" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

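The "redo and repost your log" step above, as an added example that is not HijackThis code and not anything lee16 or pjfb posted: a Python script that parses HijackThis scan lines, pulls the command line behind each O4 autostart entry, and diffs a log taken before the fix against one taken after the reboot, so a ticked entry that survives (SEXO120gb here) is reported as persisted. The two sample logs are constructed subsets of the logs posted in this thread.

```python
"""Diff two HijackThis logs to confirm that entries ticked for 'Fix checked'
are really gone after the reboot and rescan. Added example for this thread,
not part of HijackThis or of any post; the sample logs are constructed
subsets of the ones posted above, with SEXO120gb left in on purpose."""
import re

# A scan line: section code (R0, O4, O16, ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 bodies come in two shapes: a registry Run key or a Startup folder shortcut.
O4_RUN_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O4_STARTUP_RE = re.compile(r"^(?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")

def parse_hjt_log(text):
    """Return {section: set(body)}; header and 'Running processes' lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.setdefault(m.group("section"), set()).add(m.group("body"))
    return entries

def autostart_commands(entries):
    """Map each O4 entry name to (where it is registered, command line).
    The command line is what runs at boot, so it is the path to look for on
    disk when a post says 'delete these files'."""
    out = {}
    for body in entries.get("O4", ()):
        m = O4_STARTUP_RE.match(body) or O4_RUN_RE.match(body)
        if m:
            out[m.group("name")] = (m.group("key"), m.group("cmd"))
    return out

def _flatten(entries):
    return {"%s - %s" % (sec, body) for sec, bodies in entries.items() for body in bodies}

def diff_logs(before_text, after_text, fixed=()):
    """Compare a log taken before the fix with one taken after the reboot.
    fixed: the full lines ticked in HijackThis; 'persisted' lists ticked
    lines still present in the second scan, i.e. the fix did not hold."""
    before = _flatten(parse_hjt_log(before_text))
    after = _flatten(parse_hjt_log(after_text))
    fixed = set(fixed)
    return {
        "removed": sorted(before - after),
        "added": sorted(after - before),
        "persisted": sorted(fixed & after),
    }

# Constructed sample logs (subsets of the logs posted in the thread).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 10:05:57, on 06/03/05

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM\..\Run: [saap] c:\windows\saap.exe
O4 - HKLM\..\Run: [qxyp] C:\WINDOWS\qxyp.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:23:10, on 06/03/05

Running processes:
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
"""

# The lines lee16 told pjfb to tick in HijackThis.
FIXED = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O4 - HKLM\..\Run: [WinUpdate] C:\windows\p385.hta",
    r"O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t",
    r"O4 - HKLM\..\Run: [saap] c:\windows\saap.exe",
    r"O4 - HKLM\..\Run: [qxyp] C:\WINDOWS\qxyp.exe",
    r"O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx",
]

def report():
    """Run the comparison on the sample logs and return the result dict."""
    return diff_logs(BEFORE_LOG, AFTER_LOG, FIXED)

if __name__ == "__main__":
    for kind, lines in report().items():
        print(kind + ":")
        for line in lines:
            print("  " + line)
```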

lee16

  • Guest
Re: To delete or not to delete?
« Reply #18 on: March 06, 2005, 01:52:24 PM »
Hi pjfb,

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------

o4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t


--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe


Then delete the folder:

C:\SEXO120gb (if it goes to the recycle bin, delete it from there as well)


Quote
I couldn't find the four files that you recommend I delete, neither looking in Windows Explorer, nor when I ran a Find over the whole C: drive.  Again, what next?

Open My Documents > Tools > Folder Options > View > Show hidden files and folders, then look for the files again; if they're still not there, that should mean they're no longer there.

You may want to go through the steps/programs here as well: http://members.home.nl/edeijl/ache/cleaning.htm

The ones I suggest the most are Ad-Aware, Spybot, Avast and CWShredder, but there are some other nice suggestions/programs as well.

Then reboot your computer, redo and repost your HijackThis log.

--lee


« Last Edit: March 06, 2005, 02:04:25 PM by lee16 »

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48609
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: To delete or not to delete?
« Reply #19 on: March 06, 2005, 02:08:15 PM »
pjfb
Quote
PS I've read Vlk's comments re ZA, Niko, but have got version 4.5 of avast!, so no conflict there, but a good reason not to download the upgraded version until they've fixed it.  Thanks for the tip, quand-meme.
Vlk's comment didn't say anything about not using the latest version of avast!
It simply said that if you use avast! and ZA you should change some of the settings in ZA.
I suggest that you update avast! and then change your settings in ZA.
I use both the latest version of avast! and ZA and have no conflicts between these 2 programs.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

pjfb

  • Guest
Re: To delete or not to delete?
« Reply #20 on: March 06, 2005, 02:12:24 PM »
Hi Lee

Quote
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

What do I do to stop these programs loading at boottime then?

My settings are already set to show all files, but I forgot to reboot after the last scan, so I'll reboot the PC and rerun the scan to see if C:\SEXO120gb has gone.

pjfb

lee16

  • Guest
Re: To delete or not to delete?
« Reply #21 on: March 06, 2005, 02:18:06 PM »
Quote
What do I do to stop these programs loading at boottime then?

Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed though.

--lee

pjfb

  • Guest
Re: To delete or not to delete?
« Reply #22 on: March 06, 2005, 02:54:35 PM »
Lee,
Results of latest scan after rebooting are attached.
Unfortunately C:\SEXO120gb is still there.
Any more ideas on getting rid of it?
pjfb

Logfile of HijackThis v1.99.1
Scan saved at 13:27:46, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM\..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM\..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 "EPSON Stylus C86 Series" /O7 "EPUSB1:" /M "Stylus C86"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/


Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48609
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: To delete or not to delete?
« Reply #23 on: March 06, 2005, 03:11:30 PM »
Here are the results of the HJT Logfile Analyzer:

--------------------------------------------------------------------------------
ANALYZER INFORMATION
--------------------------------------------------------------------------------
Log created on   : 06-03-2005 07:03:15
Analyzer version : 11
bad.dat  version : 33
good.dat version : 35
rec.dat  version : 26
dasb.dat version :  7
sus.dat  version : 14
fire.dat version :  3

--------------------------------------------------------------------------------
CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :
--------------------------------------------------------------------------------
You are using the latest version of Internet Explorer.
Software firewall detected.

--------------------------------------------------------------------------------
GENERAL INFORMATION :
--------------------------------------------------------------------------------
All items in the original HijackThis log file which
are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

For email support on this application : hjtbeta@yahoo.com

Use www.google.com to find out more on items
not listed here or if you have doubts.

In addition to this application, you can also analyze the
original HijackThis log online at: http://hijackthis.de

--------------------------------------------------------------------------------
THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :
--------------------------------------------------------------------------------
r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\windows\currentversion\internet settings

--------------------------------------------------------------------------------
HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :
--------------------------------------------------------------------------------
Nothing found.

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
--------------------------------------------------------------------------------
o4 - hklm\..\run: [loadqm] loadqm.exe

--------------------------------------------------------------------------------
WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :
--------------------------------------------------------------------------------
Nothing found.

--------------------------------------------------------------------------------
THE FOLLOWING ITEMS ARE SAFE TO KEEP :
--------------------------------------------------------------------------------
\windows\system\kernel32.dll
\windows\system\msgsrv32.exe
\windows\system\mprexe.exe
\windows\system\mmtask.tsk
\windows\system\mstask.exe
\windows\system\zonelabs\vsmon.exe
\program files\alwil software\avast4\ashserv.exe
\windows\explorer.exe
\windows\system\rpcss.exe
\windows\taskmon.exe
\mouse\system\em_exec.exe
\windows\system\systray.exe
\windows\loadqm.exe
\program files\zone labs\zonealarm\zlclient.exe
\program files\alwil software\avast4\ashmaisv.exe
\windows\system\spool32.exe
\program files\finepixviewer\quickdcf.exe
r1 - hkcu\software\microsoft\internet explorer\main
r0 - hkcu\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
default_page_url = http://www.wanadoo.co.uk/
r1 - hkcu\software\microsoft\internet explorer\main
window title = microsoft internet explorer provided by freeserve
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
o2 - bho: acroiehlprobj class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system\msdxm.ocx
o4 - hklm\..\run: [scanregistry] c:\windows\scanregw.exe /autorun
o4 - hklm\..\run: [taskmonitor] c:\windows\taskmon.exe
o4 - hklm\..\run: [em_exec] c:\mouse\system\em_exec.exe
o4 - hklm\..\run: [systemtray] systray.exe
o4 - hklm\..\run: [loadpowerprofile] rundll32.exe powrprof.dll
loadcurrentpwrscheme
o4 - hklm\..\run: [regshave] c:\program files\regshave\regshave.exe /autorun
o4 - hklm\..\run: [zone labs client] "c:\program files\zone labs\zonealarm\zlclient.exe"
o4 - hklm\..\run: [ashmaisv] c:\progra~1\alwils~1\avast4\ashmaisv.exe
o4 - hklm\..\runservices: [loadpowerprofile] rundll32.exe powrprof.dll
loadcurrentpwrscheme
o4 - hklm\..\runservices: [schedulingagent] mstask.exe
o4 - hklm\..\runservices: [truevector] c:\windows\system\zonelabs\vsmon.exe -service
o4 - hklm\..\runservices: [avast!] c:\program files\alwil software\avast4\ashserv.exe
o12 - plugin for .exe: c:\program files\netscape\communicator\program\plugins\npaudio.dll
o12 - plugin for .spop: c:\progra~1\intern~1\plugins\npdocbox.dll
o14 - iereset.inf: start_page_url=http://www.wanadoo.co.uk/

Also please note that the following item is not listed in the safe items:
O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
and I would therefore also correct this item.

Hope that helps.

lee16

  • Guest
Re: To delete or not to delete?
« Reply #24 on: March 06, 2005, 03:18:05 PM »
Are you just deleting it to the recycle bin, or fully deleting the folder?

What scanners have you run? Were they up to date?

If you kill all processes apart from Systray and Explorer (Alt + Ctrl + Del), then delete the folder and remove the key using HijackThis, does it work?



@bob

The problem is "O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t" and the corresponding folder keeps coming back; we realise it's bad malware  ;)


--lee


pjfb

  • Guest
Re: To delete or not to delete?
« Reply #25 on: March 06, 2005, 03:35:11 PM »
Lee

Quote
Are you just deleting it to the recycle bin, or fully deleting the folder?

What scanners have you run? Were they up to date?

I haven't been able to delete it because I can't find it! >:(
I ran a Find for it on the C: drive, using the standard Windows Find functionality in the Start menu.  Is there some other sort of scanner I can download to hunt the little bleeder down? ???

Also,
Quote
Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed though.

Do you mean I should tick these entries in HijackThis and click the Fix button?  But won't that delete them entirely? :-\

pjfb

lee16

  • Guest
Re: To delete or not to delete?
« Reply #26 on: March 06, 2005, 04:09:18 PM »
Quote
I haven't been able to delete it because I can't find it! Angry
I ran a Find for it on the C: drive, using the standard Windows Find functionality in the Start menu.  Is there some other sort of scanner I can download to hunt the little bleeder down?

Hmm, very strange. When you go to Start > Run, there should be an advanced option below; there should be an option there to search for hidden files and folders, and subfolders. Make sure they're checked and search again.
If that still doesn't find anything, go to My Computer > C:, then look for "SEXO120gb". If it's not there, then it's probably gone by now, so just remove "O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t" and reboot; it should then be gone.

Quote
Also,
Quote
Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed though.

Do you mean I should tick these entries in HijackThis and click the Fix button?


Yes

Quote
But won't that delete them entirely?

No, only the startup Reg key.  The program itself will remain and will be fully usable.

--lee

pjfb

  • Guest
Re: To delete or not to delete?
« Reply #27 on: March 06, 2005, 05:09:06 PM »
Quote
Hmm, very strange. When you go to Start > Run, there should be an advanced option below; there should be an option there to search for hidden files and folders, and subfolders. Make sure they're checked and search again.
If that still doesn't find anything, go to My Computer > C:, then look for "SEXO120gb". If it's not there, then it's probably gone by now, so just remove "O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t" and reboot; it should then be gone.
Done all that, but no joy.
Also, hadn't noticed before, but when I tick it in HijackThis, press the Fix Checked button and then do another Scan, it's still there.  In other words the Fix isn't fixing it.  Tough little so-and-so, eh?

However, I thought of another line of attack: instead of entering sexo120gb in the "Named" box of the Find program, I entered it in the "Containing" text box and searched the C: drive again.  This time it found it in various places, which are presumably the ones where the virus (or whatever it is) is lurking.  I don't know how to post the complete results of the Search here, but the main file locations seem to be (all in C:\WINDOWS):
1. A DAT file called System
2. A DAT file called User
3. A file called ShellconCache
4. A LOG file called f-mydoom.log (I caught the Mydoom virus some months ago and had to download a fix for it)
5. A Registration Entries file called regLocal attached to a SpyBot backup

Can I use this info to get at it in any way?

pjfb

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48609
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: To delete or not to delete?
« Reply #28 on: March 06, 2005, 05:33:42 PM »
Have you rebooted after letting HijackThis do a fix, and then done another scan?
Registry fixes need a reboot to take effect.


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: To delete or not to delete?
« Reply #29 on: March 06, 2005, 05:34:45 PM »
Quote
Can I use this info to get at it in any way?
No you can't. Unless you are a programmer.
1 & 2 belong to the registry.
3 is the icon cache file (I assume you made a typo since it is named ShellIconCache)
4 that log could have been created by the fix. (You shouldn't have needed a fix because you would have never been infected if you had kept your system up-to-date)
5 is a file from spybot S&D

Click on the link in my signature and follow the instructions in the malware removal section. That will make sure that your system is clean. For help with HijackThis, same link, but then of course the HijackThis section.