To delete or not to delete?

Hi Lee

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :
o4 - hklm\..\run: [loadqm] loadqm.exe
o4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

What do I do to stop these programs loading at boottime then?

My settings are already to show all files, but I forgot to reboot after the last scan so I’ll reboot PC and rerun scan to see if C:\SEXO120gb has gone.

pjfb

What do I do to stop these programs loading at boottime then?

Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed, though.

–lee

Lee,
Results of latest scan after rebooting are attached.
Unfortunately C:\SEXO120gb is still there.
Any more ideas on getting rid of it?
pjfb

Logfile of HijackThis v1.99.1
Scan saved at 13:27:46, on 06/03/05
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\MEDIASCAPE\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\Mediascape\OnScreen Display\OSD.exe
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I0R2.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\GBTASK.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/cd_redirects/search.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/gearbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\PROGRAM FILES\EPSON\EPSON WEB-TO-PAGE\EPSON WEB-TO-PAGE.DLL
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [EM_EXEC] c:\mouse\system\em_exec.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Multimedia Keyboard] C:\Mediascape\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [OnScreen Display] C:\Mediascape\OnScreen Display\OSD.exe
O4 - HKLM..\Run: [Gearbox] “C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe”
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
O4 - HKLM..\Run: [EPSON Stylus C86 Series] C:\WINDOWS\SYSTEM\E_S4I0R2.EXE /P23 “EPSON Stylus C86 Series” /O7 “EPUSB1:” /M “Stylus C86”
O4 - HKLM..\Run: [Zone Labs Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .exe: C:\Program Files\Netscape\Communicator\Program\PLUGINS\NPAUDIO.DLL
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/

Here are the results of the HJT Logfile Analyzer:


ANALYZER INFORMATION

Log created on : 06-03-2005 07:03:15
Analyzer version : 11
bad.dat version : 33
good.dat version : 35
rec.dat version : 26
dasb.dat version : 7
sus.dat version : 14
fire.dat version : 3


CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

You are using the latest version of Internet Explorer.
Software firewall detected.


GENERAL INFORMATION :

All items in the original HijackThis log file which
are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

For email support on this application : hjtbeta@yahoo.com

Use www.google.com to find out more on items
not listed here or if you have doubts.

In addition to this application, you can also analyze the
original HijackThis log online at: http://hijackthis.de


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\windows\currentversion\internet settings


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [loadqm] loadqm.exe


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

Nothing found.


THE FOLLOWING ITEMS ARE SAFE TO KEEP :

\windows\system\kernel32.dll
\windows\system\msgsrv32.exe
\windows\system\mprexe.exe
\windows\system\mmtask.tsk
\windows\system\mstask.exe
\windows\system\zonelabs\vsmon.exe
\program files\alwil software\avast4\ashserv.exe
\windows\explorer.exe
\windows\system\rpcss.exe
\windows\taskmon.exe
\mouse\system\em_exec.exe
\windows\system\systray.exe
\windows\loadqm.exe
\program files\zone labs\zonealarm\zlclient.exe
\program files\alwil software\avast4\ashmaisv.exe
\windows\system\spool32.exe
\program files\finepixviewer\quickdcf.exe
r1 - hkcu\software\microsoft\internet explorer\main
r0 - hkcu\software\microsoft\internet explorer\main
r1 - hklm\software\microsoft\internet explorer\main
default_page_url = http://www.wanadoo.co.uk/
r1 - hkcu\software\microsoft\internet explorer\main
window title = microsoft internet explorer provided by freeserve
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
o2 - bho: acroiehlprobj class - {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\acroiehelper.ocx
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\sdhelper.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system\msdxm.ocx
o4 - hklm..\run: [scanregistry] c:\windows\scanregw.exe /autorun
o4 - hklm..\run: [taskmonitor] c:\windows\taskmon.exe
o4 - hklm..\run: [em_exec] c:\mouse\system\em_exec.exe
o4 - hklm..\run: [systemtray] systray.exe
o4 - hklm..\run: [loadpowerprofile] rundll32.exe powrprof.dll
loadcurrentpwrscheme
o4 - hklm..\run: [regshave] c:\program files\regshave\regshave.exe /autorun
o4 - hklm..\run: [zone labs client] “c:\program files\zone labs\zonealarm\zlclient.exe”
o4 - hklm..\run: [ashmaisv] c:\progra~1\alwils~1\avast4\ashmaisv.exe
o4 - hklm..\runservices: [loadpowerprofile] rundll32.exe powrprof.dll
loadcurrentpwrscheme
o4 - hklm..\runservices: [schedulingagent] mstask.exe
o4 - hklm..\runservices: [truevector] c:\windows\system\zonelabs\vsmon.exe -service
o4 - hklm..\runservices: [avast!] c:\program files\alwil software\avast4\ashserv.exe
o12 - plugin for .exe: c:\program files\netscape\communicator\program\plugins\npaudio.dll
o12 - plugin for .spop: c:\progra~1\intern~1\plugins\npdocbox.dll
o14 - iereset.inf: start_page_url=http://www.wanadoo.co.uk/

Also please note that the following item is not listed in the safe items:
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
and I would therefore also correct this item.

Hope that helps.
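A small triage script in the spirit of the analyzer output above, added here as an example (it is not the analyzer's or HijackThis's own code): it whitelists O4 Run entries by name, using the names from the analyzer's "safe to keep" and "not needed at boot" lists, and for everything else reports whether the autostart's target appears in the log's "Running processes" list. The sample log is a constructed excerpt of the log posted above.

```python
import re

# Constructed excerpt of the HijackThis log posted above, not the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GEARBOX CONNECTION KIT\BIN\CONFSVR.EXE

O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [LoadQM] loadqm.exe
O4 - HKLM..\Run: [Gearbox] "C:\Program Files\Gearbox Connection Kit\bin\confsvr.exe"
O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t
"""

# Autostart names the analyzer above lists as safe, and as safe but not needed at boot.
SAFE = {"scanregistry", "taskmonitor", "em_exec", "systemtray", "loadpowerprofile",
        "regshave", "zone labs client", "ashmaisv"}
NOT_NEEDED = {"loadqm"}

O4_RE = re.compile(r"^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def basename(path):
    """Lower-cased file name of a Windows path or bare file name."""
    return path.rsplit("\\", 1)[-1].lower()

def target_exe(cmd):
    """First token of a Run-key command line, honouring a double-quoted path."""
    cmd = cmd.strip()
    return cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]

def parse_log(text):
    """Return (running process names, [(entry name, command) for O4 Run lines])."""
    running, entries = set(), []
    for line in text.splitlines():
        if re.match(r"^[A-Za-z]:\\", line):            # a "Running processes" line
            running.add(basename(line))
        elif (m := O4_RE.match(line)):
            entries.append((m["name"], m["cmd"]))
    return running, entries

def verdict(name, exe, running):
    """Whitelist first; otherwise report whether the autostart target is running."""
    key = name.lower()
    if key in SAFE:
        return "safe"
    if key in NOT_NEEDED:
        return "not needed at boot"
    return "unknown, running" if exe in running else "unknown, not running"

def triage(text):
    """Map each O4 Run entry name to its verdict, as the analyzer output above does."""
    running, entries = parse_log(text)
    return {n: verdict(n, basename(target_exe(c)), running) for n, c in entries}
```

An entry that is neither whitelisted nor backed by a running process, like the SEXO120gb one here, is exactly the kind of item the analyzer leaves for manual verification.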

Are you just deleting it to the recycle bin, or fully deleting the folder?

What scanners have you run? Were they up to date?

If you kill all processes apart from System tray and Explorer (Alt + Ctrl + Del), then delete the folder and remove the key using HijackThis, does it work?

@bob

The problem is “O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t” and the corresponding folder keeps coming back; we realise it's a bad malware :wink:

–lee

Lee

Are you just deleting it to the recycle bin, or fully deleting the folder?

What scanners have you run? Were they up to date?

I haven’t been able to delete it because I can’t find it! >:(
I ran a Find for it on the C: drive, using the standard Windows Find functionality in the Start menu. Is there some other sort of scanner I can download to hunt the little bleeder down? ???

Also,

Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed, though.

Do you mean I should tick these entries in HijackThis and click the Fix button? But won’t that delete them entirely? :-\

pjfb

I haven't been able to delete it because I can't find it! I ran a Find for it on the C: drive, using the standard Windows Find functionality in the Start menu. Is there some other sort of scanner I can download to hunt the little bleeder down?

Hmm, very strange. When you go to Start > Run, there should be an advanced option below; there should be an option there to search for hidden files and folders, and subfolders. Make sure they're checked and search again.
If that still doesn't find anything, go to My Computer > C, then look for “SEXO120gb”. If it's not there, then it's probably gone by now, so just remove “O4 - HKLM..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t” and reboot; it should then be gone.

Also,

Just remove the entries using HijackThis; basically they're programs that are not vital to the system, so this stops them starting up at boot time, which saves time. They can be run manually from Windows if ever needed, though.

Do you mean I should tick these entries in HijackThis and click the Fix button?

Yes

But won't that delete them entirely?

No, only the start up Reg key. The program itself will remain and will be fully usable.

–lee

Hmm, very strange. When you go to Start > Run, there should be an advanced option below; there should be an option there to search for hidden files and folders, and subfolders. Make sure they're checked and search again. If that still doesn't find anything, go to My Computer > C, then look for "SEXO120gb". If it's not there, then it's probably gone by now, so just remove "O4 - HKLM\..\Run: [SEXO120gb] C:\SEXO120gb\SEXO120GB[1].EXE -t" and reboot; it should then be gone.
Done all that, but no joy. Also, hadn't noticed before, but when I tick it in HijackThis, press the Fix Checked button and then do another Scan, it's still there. In other words the Fix isn't fixing it. Tough little so-and-so, eh?

However, I thought of another line of attack: instead of entering sexo120gb in the “Named” box of the Find program, I entered it in the “Containing” text box and searched the C: drive again. This time it found it in various places, which are presumably the ones where the virus (or whatever it is) is lurking. I don’t know how to post the complete results of the Search here, but the main file locations seem to be (all in C:\WINDOWS):

  1. A DAT file called System
  2. A DAT file called User
  3. A file called ShellconCache
  4. A LOG file called f-mydoom.log (I caught the Mydoom virus some months ago and had to download a fix for it)
  5. A Registration Entries file called regLocal attached to a SpyBot backup

Can I use this info to get at it in any way?

pjfb

Have you rebooted after letting HijackThis do a fix, and then done another scan?
Registry fixes need a reboot to take effect.

Can I use this info to get at it in any way?
No, you can't, unless you are a programmer. 1 & 2 belong to the registry. 3 is the icon cache file (I assume you made a typo, since it is named ShellIconCache). 4: that log could have been created by the fix. (You shouldn't have needed a fix, because you would never have been infected if you had kept your system up to date.) 5 is a file from Spybot S&D.

Click on the link in my signature and follow the instructions in the malware removal section. That will make sure that your system is clean. For help with HijackThis, same link, but then of course the HijackThis section.

Have you rebooted after letting HijackThis do a fix, and then done another scan? Registry fixes need a reboot to take effect.
Yes, but the problem is still there when I do another scan.

Will try the Malware removal section in Eddy’s link.

Thanks again, All, for your time and help.
Much appreciated.
pjfb

  1. A DAT file called System
  2. A DAT file called User
  3. A file called ShellconCache
  4. A LOG file called f-mydoom.log (I caught the Mydoom virus some months ago and had to download a fix for it)
  5. A Registration Entries file called regLocal attached to a SpyBot backup

Can I use this info to get at it in any way?

I'm not sure they're related. Have you done a thorough scan with Avast set to scan inside archives? I take it you have scanned with Ad-Aware and Spybot as well.

Also try this: open MS-DOS (Start > Programs > Accessories (I think)) and then type DEL C:\SEXO120gb

–lee