To delete or not to delete?

Just downloaded and run avast! for the first time and it found 9 viruses, all of which are now safely stored in the virus chest :).
However, having been through the Help contents, I can’t find how I decide whether to delete them or not. I am afraid that if I delete them, I may delete a crucial file by mistake :'(.
If they are safely stored in the virus chest, aren’t they harmless because they can’t be accessed? :-
Or should I delete them anyway because they might escape?!
Please give me some advice.
Many thanks
pjfb

Hi pjfb,

We need a little more info to be of any help:

What OS are you using?
What is the filename and location of the files?
What are the infection names?

–lee

Generally, if you move something to the chest, and your computer still works fine, then you can rest assured that you haven’t removed an important file.

If they are safely stored in the virus chest, aren't they harmless because they can't be accessed?

Yes, they can do no harm if they are in the chest

Or should I delete them anyway because they might escape?!

The only way they will escape is if you let them

They’re safe there. No worry.
Answer Lee’s questions and we could help you more.
Welcome to forums 8)

Thanks guys.
Additional info re infected files (filename, original location, virus) as follows:

  1. bqxdihrdtzx.exe, c:\bqxdihrdtzx.exe, Win32:Trojan-gen.{UPX!}
  2. dload.exe, c:\WINDOWS\dload.exe, Win32:Trojano 027 [trj]
  3. exdl.exe, c:\WINDOWS\SYSTEM\exdl.exe, Win32:Exdl[Adw]
  4. exdl0.exe, c:\WINDOWS\SYSTEM\exdl0.exe, Win32:Exdl[Adw]
  5. exdl1.exe, c:\WINDOWS\SYSTEM\exdl1.exe, Win32:Exdl[Adw]
  6. loader2.ocx, c:\WINDOWS\Downloaded Program Files\loader2.ocx, Win32:Trojano 874 [trj]
  7. MQEXDLM.SRG, c:\WINDOWS\SYSTEM\MQEXDLM.SRG, Win32:Exdl[Adw]
  8. optimize.exe, c:\WINDOWS\optimize.exe, Win32:Trojan-gen.{Other}
  9. saaphook.dll, c:\WINDOWS\saaphook.dll, Win32:Trojan-gen.{Other}

Any further advice and some principles to follow very gratefully received.
pjfb

Except for the file 6, I think they’re safe to delete.
Is your system working well without them?
How long ago were they sent to the Chest?

Like I said before, they’re safe in the Chest. Leave them there at least 15 days. Test your system. After that you can delete them.
About file 6, maybe you can Google its name to see what you get :wink:

Thanks again, Technical.
I only downloaded and used avast! for the first time this morning, so as you suggest, I will leave them in the chest for a couple of weeks and see how the system runs (no problems so far).
pjfb

Ok, you’re new here. Some of us don’t ;D
Feel free to ask your questions and try to help the others on the forum 8)

6 is part of the ADW_SPEYLOD.B :wink:

There could be more on that system (reg keys). I suggest running HijackThis to make sure everything is gone.

pjfb
You still haven’t told us what operating system you use but,
with regard to item #6, if it’s Windows ME or better, you’ll also need to disable System Restore.
You can look at the following thread for more information.
http://www.trendmicro.com/vinfo/grayware/graywareDetails.asp?SNAME=ADW_SPEYLOD.A

Hi Bob.
I’m using Windows 98.
I’ve also now downloaded a firewall (basic version of ZoneAlarm) and Spybot, and am therefore hoping that I’ll be better defended in the future against the gremlins.
I’ve recently started playing the casinos online which is where I suspect a lot of the viruses came from.
Thanks for your advice
pjfb

pjfb
Since you’ve been cruising the internet without a firewall, I’d definitely follow
Eddy’s advice and get, install and run HijackThis and his excellent HJT FileAnalyzer.
More help on his website and you’ll also find some help on its use in the HelpfulShortcuts
link in my signature.

Hi Pjfb,

I've also now downloaded a firewall (basic version of ZoneAlarm)

Please read VLK notice in “Avast! home/Pro” for ZA users :wink:

As recommended, I’ve downloaded and run HijackThis and got a log file.
Since you’ve all been so helpful so far, can I post the log file to this board for your comments, or should I go elsewhere for advice on what to do with the HijackThis results?
pjfb

ps I’ve read VLK’s comments re ZA, Niko, but have got version 4.5 of avast!, so no conflict there, but a good reason not to download the upgraded version until they’ve fixed it. Thanks for the tip, quand-meme.

Since you've all been so helpful so far, can I post the log file to this board for your comments, or should I go elsewhere for advice on what to do with the HijackThis results?

Of course you can post it here, we always help with hijackthis logs here :wink:

–lee

Right, boys n girls, here goes.
Results of my HijackThis scan attached.
I’m not a techie, but the following look dodgy to me:

O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM..\Run: [saap] c:\windows\saap.exe
O4 - HKLM..\Run: [qxyp] C:\WINDOWS\qxyp.exe
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx

All assistance very gratefully received.
pjfb :smiley:

Logfile of HijackThis v1.99.1
Scan saved at 10:05:57, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\WINHLP32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM..\Run: [Gearbox] “C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 “EPSON Stylus C86 Series” /O7 “EPUSB1:” /M “Stylus C86”
O4 - HKLM..\Run: [saap] c:\windows\saap.exe
O4 - HKLM..\Run: [qxyp] C:\WINDOWS\qxyp.exe
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Freeserve - {E4F0BBE0-DD93-11D4-BD0F-92BD21DFA03D} - http://www.freeserve.net/ (file missing) (HKCU)
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {380D8192-23CB-11D3-B94F-00105A566F76} (first-e E-Mail Reader) - https://secure1.first-e.com/jsp/display/tnbinst.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab

Hi


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
r1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
o4 - HKLM..\Run: [WinUpdate] C:\windows\p385.hta
o4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
o4 - HKLM..\Run: [saap] c:\windows\saap.exe
o4 - HKLM..\Run: [qxyp] C:\WINDOWS\qxyp.exe
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o9 - extra button: freeserve - {e4f0bbe0-dd93-11d4-bd0f-92bd21dfa03d} - http://www.freeserve.net/ (file missing) (hkcu)
o16 - dpf: {380d8192-23cb-11d3-b94f-00105a566f76} (first-e e-mail reader) - https://secure1.first-e.com/jsp/display/tnbinst.cab
o16 - dpf: {79849612-a98f-45b8-95e9-4d13c7b6b35c} - http://static.topconverting.com/activex/loader2.ocx
o16 - dpf: {ce28d5d2-60cf-4c7d-9fe8-0f47a3308078} (activedatainfo class) - https://www-secure.symantec.com/techsupp/asa/symadata.cab
o16 - dpf: {1f2f4c9e-6f09-47bc-970d-3c54734667fe} (lssupctl class) - https://www-secure.symantec.com/techsupp/asa/lssupctl.cab


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

Then delete these files:

C:\windows\p385.hta
C:\SEXO120gb\SEXO120GB[1].EXE -t
c:\windows\saap.exe
C:\WINDOWS\qxyp.exe

Then delete all your temp files from your Temp folder, if you want you can have it done with a nice free program called ccleaner (http://www.ccleaner.com/ccdownload2.php)

BTW, I take it you are with Wanadoo.co.uk?

Then Reboot your computer, redo and repost your hijackthis log so we can confirm your system is clean.

–lee

Lee,
Have done as you said and here is the new scan log.
Two issues:

  1. O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
    is still in the scan log, despite having “fixed” it. So what next?
  2. I couldn’t find the four files that you recommend I delete, neither looking in Windows Explorer, nor when I ran a Find over the whole C: drive. Again, what next?

And yes I am with Wanadoo. Also with ntlworld.
Thanks again for your help.
pjfb

Logfile of HijackThis v1.99.1
Scan saved at 12:23:10, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBDASH.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM..\Run: [Gearbox] “C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 “EPSON Stylus C86 Series” /O7 “EPUSB1:” /M “Stylus C86”
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
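
A "fix" in HijackThis is only confirmed by the rescan, and the before/after comparison done by eye above can be scripted. This is an added example, not part of the original thread: the function names are hypothetical, and the sample logs are excerpts of the entries posted above.

```python
import re

# Entry lines look like "O4 - HKLM..\Run: [saap] c:\windows\saap.exe":
# a section code (R0, O4, O16, ...), then " - ", then the detail text.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$", re.IGNORECASE)

def parse_entries(log_text):
    """Map a case-insensitive key to the original line for each log entry."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:  # header and running-process lines do not match and are skipped
            entries[(m.group(1).upper(), m.group(2).casefold())] = line
    return entries

def compare_scans(before, after, flagged):
    """Return (removed, persisted, new) entry lines between two scans."""
    b, a = parse_entries(before), parse_entries(after)
    keys = set(parse_entries(flagged))
    removed = sorted(b[k] for k in keys if k in b and k not in a)
    persisted = sorted(a[k] for k in keys if k in a)
    new = sorted(a[k] for k in a if k not in b)  # anything that appeared since
    return removed, persisted, new

# Excerpts of the two scans posted in this thread (06/03/05, 10:05 and 12:23).
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\TASKMON.EXE
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [WinUpdate] C:\windows\p385.hta
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM..\Run: [saap] c:\windows\saap.exe
O4 - HKLM..\Run: [qxyp] C:\WINDOWS\qxyp.exe
"""
AFTER = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\TASKMON.EXE
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
"""
# The O4 entries flagged in the reply to the first scan (lower-case "o4" as posted).
FLAGGED = r"""
o4 - HKLM..\Run: [WinUpdate] C:\windows\p385.hta
o4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
o4 - HKLM..\Run: [saap] c:\windows\saap.exe
o4 - HKLM..\Run: [qxyp] C:\WINDOWS\qxyp.exe
"""

if __name__ == "__main__":
    removed, persisted, new = compare_scans(BEFORE, AFTER, FLAGGED)
    for label, lines in (("REMOVED", removed), ("PERSISTED", persisted), ("NEW", new)):
        for line in lines:
            print(f"{label:<10}{line}")
```

A flagged entry that shows up under PERSISTED after a reboot points at something still running or re-writing the Run key, so the file behind it needs attention before the registry entry is fixed again.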

Hi pjfb,


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

o4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

Then delete the folder:

C:\SEXO120gb (if it goes to the recycle bin, delete it from there as well)

I couldn't find the four files that you recommend I delete, neither looking in Windows Explorer, nor when I ran a Find over the whole C: drive. Again, what next?

Open My Documents > Tools > Folder Options > View > Show hidden files and folders, then look for the files again. If they’re still not there, that should mean they’re no longer there.

You may want to go through the steps/programs here as well: http://members.home.nl/edeijl/ache/cleaning.htm

The ones I suggest the most are Ad-Aware, Spybot, Avast, CWshredder, but there are some other nice suggestions/programs as well.

Then reboot your computer, redo and repost your hijackthis log.

–lee

pjfb

ps I've read VLK's comments re ZA, Niko, but have got version 4.5 of avast!, so no conflict there, but a good reason not to download the upgraded version until they've fixed it. Thanks for the tip, quand-meme.
Vlk's comment didn't say anything about not using the latest version of avast! It simply said that if you use avast! and ZA you should change some of the settings in ZA. I suggest that you update avast! and then change your settings in ZA. I use both the latest version of avast! and ZA and have no conflicts between these 2 programs.