About blank gone! but no wallpaper/background [RESOLVED]


This topic is locked

#46 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

hmm ok give me a minute on that one.

Will you go into this folder:

C:\PQSC\CPS00010D\NEW

Is there a lot of stuff in it? Look to see if wp.exe is there (please use Windows Explorer, not "search")

#47 munchkinman (Member, Topic Starter, 29 posts)

OK, yes, there is quite a lot of stuff in there. And yes, wp.exe is there.

#48 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Please delete wp.exe and wp.bmp out of that folder.

Also, look to see if these are there:

sites.ini
popuper.exe
wldr.dll
helper.exe
intmon.exe
shnlog.exe
intmonp.exe
msole32.exe
ole32vbs.exe

If they are, delete them, but be very careful with the spelling as there may be legit files with similar spelling. Let me know if you find any of the ones above!

#49 munchkinman (Member, Topic Starter, 29 posts)

Right, I cannot see any of the files you listed in there. As for wp.exe and wp.bmp, it will not let me delete them and says: CANNOT DELETE wp: Access is denied. The source file may be in use.

#50 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Are PQSC and CPS00010D the exact names of the folders? No spaces or anything?

We'll have to use killbox to get them, but the folder names have to be exact.

#51 munchkinman (Member, Topic Starter, 29 posts)

Yes, I am pretty sure they are exact.

#52 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Please post a new HijackThis log. I think what we're going to do is make sure your system is clean, then clear the backups PowerQuest has made, because there is no telling what else it backed up. It won't do any good to have these backups, because if you have to use them for some reason your system will be infected again.

I've not used PowerQuest; do you know how to have it empty the backups it made?

#53 munchkinman (Member, Topic Starter, 29 posts)

Here is my HT log. Sorry, not too sure how to empty the backups.


Logfile of HijackThis v1.99.1
Scan saved at 21:37:05, on 03/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\Csinsm32.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.hsbc.co.uk
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab

#54 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Do you know what this is:

O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab

If you know what that is, then your log looks great! One more thing I want you to do for me (I'll try to see if I can figure out how to empty the backups)

Please delete your temporary files. Double-click My Computer.
You will see an icon representing your hard drive (most likely C: drive). Right-click on the hard drive icon and click Properties at the
bottom of the fly-out window. On the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files
Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Then run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here.
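The O4 (autorun), O15 (Trusted Zone) and O16 (DPF, i.e. ActiveX download) lines that the helper reads by eye in the log above can be pulled out and ranked programmatically. The Python below is an added example, not HijackThis code or anything posted in this thread: the sample log lines, host names and CLSIDs are constructed, and KNOWN_DPF_HOSTS is a placeholder allow-list an analyst would fill in per case.

```python
"""Added example: structured triage of HijackThis (v1.99-style) log lines.

This is not HijackThis code. It parses the O4 (autorun), O15 (Trusted Zone)
and O16 (DPF / ActiveX download) lines that a helper reads by eye, and lists
the entries an analyst would want to check first.
"""
import re
from urllib.parse import urlparse

# Hosts from which ActiveX (O16 DPF) downloads are expected on this machine.
# Constructed placeholder for the example; a real allow-list is built per case.
KNOWN_DPF_HOSTS = {"activex.known-vendor.example"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<where>[^:]+): (?:\[(?P<name>[^\]]+)\] )?(?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|dll|ocx|com|scr|bat|vbs))(?=\s|$)", re.IGNORECASE)


def executable_of(cmd: str) -> str:
    """Pull the program path out of an O4 command line."""
    if " = " in cmd:                       # 'Startup: foo.lnk = C:\path\prog.exe' form
        cmd = cmd.split(" = ", 1)[1]
    if cmd.startswith('"'):                # quoted path, possibly followed by arguments
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)                  # unquoted path that may contain spaces
    return m.group(1) if m else cmd.split()[0]


def parse_hjt(text: str) -> dict:
    """Collect autorun, DPF and Trusted Zone entries from a log."""
    autoruns, dpf, trusted = [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O4":
            o4 = O4_RE.match(body)
            if o4:
                autoruns.append({"where": o4.group("where"), "name": o4.group("name") or "",
                                 "cmd": o4.group("cmd"), "exe": executable_of(o4.group("cmd"))})
        elif code == "O16":
            o16 = O16_RE.match(body)
            if o16:
                url = o16.group("url")
                dpf.append({"clsid": o16.group("clsid"), "name": o16.group("name"),
                            "url": url, "host": urlparse(url).hostname or ""})
        elif code == "O15":
            trusted.append(body.split(": ", 1)[-1])
    return {"autoruns": autoruns, "dpf": dpf, "trusted_zone": trusted}


def triage(parsed: dict) -> list:
    """Return (item, reason) pairs worth a second look; ordinary entries are not listed."""
    flagged = []
    for a in parsed["autoruns"]:
        exe = a["exe"]
        if "\\" not in exe:
            flagged.append((exe, "bare filename: resolved through the search path, not a fixed location"))
        elif "\\temp\\" in exe.lower():
            flagged.append((exe, "autorun from a temporary directory"))
    for d in parsed["dpf"]:
        if d["host"] not in KNOWN_DPF_HOSTS:
            flagged.append((d["url"], f"ActiveX download from unrecognised host {d['host']}"))
    for site in parsed["trusted_zone"]:
        flagged.append((site, "Trusted Zone site gets relaxed browser settings; confirm it was added on purpose"))
    return flagged


# Constructed sample in the log's format (not the thread's log): hosts, CLSIDs
# and the C:\temp autorun are made up for the example.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [salm] C:\temp\salm.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\Csinsm32.exe
O15 - Trusted Zone: http://intranet.example
O16 - DPF: {00000000-0000-0000-0000-00000000000A} (Checkers Class) - http://activex.known-vendor.example/chkr.cab
O16 - DPF: {00000000-0000-0000-0000-00000000000B} (Install Class) - http://updates.unknown-host.example/pinstall.cab
"""

if __name__ == "__main__":
    for item, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{item}\n    -> {reason}")
```

The flags are review prompts, not verdicts: a bare filename in a Run key is normal for many Windows components, but it is resolved through a search order rather than a fixed path, which is why it deserves a glance; an O16 host outside the allow-list is exactly the question asked about pinstall.cab above.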

#55 munchkinman (Member, Topic Starter, 29 posts)

Hello, here is the scan you asked for, and I think that
http://updates.lifes...ll/pinstall.cab has something to do with PICASA 2, so no problem.

Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd
Adware:Adware/nCase No disinfected C:\Temp\FLEOK
Adware:Adware/SearchAid No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\inf\localNRD.inf
Adware:Adware/WUpd No disinfected C:\Program Files\preview adservice
Adware:Adware/WinComm No disinfected C:\Program Files\Win Comm
Adware:Adware/Transponder No disinfected Windows Registry
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sys????.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\VX1X.NLS
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\VX1.NLS
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\VX0.NLS
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[bargains.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[adv.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[adx.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[exdl.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[mqexdlm.srg]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[exul.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[javexulm.vxd]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[msexreg.exe]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd[exclean.exe]
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\INF\PYNIX.INF
Spyware:Spyware/LocalNRD No disinfected C:\WINDOWS\INF\LOCALNRD.INF
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\INF\CERES.INF
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Adware:Adware/Adsmart No disinfected C:\WINDOWS\SYSMON.EXE
Adware:Adware/IPInsight No disinfected C:\WINDOWS\FARMMEXT.ini
Adware:Adware/Adsmart No disinfected C:\WINDOWS\syszp32.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sysgn32.exe
Adware:Adware/Adsmart No disinfected C:\WINDOWS\sysjq32.exe
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F39B.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB51.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000115\FILES\001\00D777.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB58.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000115\FILES\001\00D79C.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00D7A0.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB4F.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\000115\FILES\001\00EB19.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\000115\FILES\001\00EB1F.DAT
Adware:Adware/Startpage.VQ No disinfected C:\PQSC\CPS\000115\FILES\001\00D776.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB60.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000115\FILES\001\00D79D.DAT
Adware:Adware/WinTools No disinfected C:\PQSC\CPS\000115\FILES\001\00D751.DAT
Spyware:Spyware/LocalNRD No disinfected C:\PQSC\CPS\000115\FILES\001\00D739.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\000115\FILES\001\00EB1A.DAT
Adware:Adware/SearchAid No disinfected C:\PQSC\CPS\000115\FILES\001\00D773.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB6D.DAT
Adware:Adware/CWS.Aboutblank No disinfected C:\PQSC\CPS\000115\FILES\001\00EB45.DAT
Adware:Adware/Twain-Tech No disinfected C:\PQSC\CPS\000115\FILES\001\00D73C.DAT
Adware:Adware/WUpd No disinfected C:\PQSC\CPS\000115\FILES\001\012A5B.DAT
Adware:Adware/WUpd No disinfected C:\PQSC\CPS\000115\FILES\001\012A5C.DAT
Adware:Adware/SearchAid No disinfected C:\PQSC\CPS\000115\FILES\001\012A67.DAT
Adware:Adware/Transponder No disinfected C:\PQSC\CPS\000115\FILES\001\00D74A.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00D79A.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB44.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB5B.DAT
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB6F.DAT
Adware:Adware/Startpage.VQ No disinfected C:\PQSC\CPS\000115\FILES\001\00D77E.DAT
Adware:Adware/BlazeFind No disinfected C:\PQSC\CPS\000115\FILES\001\00D754.DAT
Adware:Adware/WinComm No disinfected C:\PQSC\CPS\000115\FILES\001\012A68.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000115\FILES\001\00D676.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000115\FILES\001\00D7C1.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F39C.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F39D.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F39E.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F3A7.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F3A9.DAT
Spyware:Spyware/Bridge No disinfected C:\PQSC\CPS\000115\FILES\001\00F5D6.DAT
Adware:Adware/PurityScan No disinfected C:\PQSC\CPS\000119\FILES\001\01AD70.DAT
Virus:Trj/Downloader.BHX No disinfected C:\PQSC\CPS\00010C\FILES\001\070625.DAT
Adware:Adware/Twain-Tech No disinfected C:\PQSC\CPS\00010C\FILES\001\0700F9.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\00010F\FILES\001\0024EB.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\00010F\FILES\001\0024D1.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\00010F\FILES\001\0024F2.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\00010F\FILES\001\0024EA.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\00010F\FILES\001\0024D5.DAT
Adware:Adware/Startpage.VQ No disinfected C:\PQSC\CPS\00010F\FILES\001\0024F1.DAT
Adware:Adware/MediaTickets No disinfected C:\PQSC\CPS\00010F\FILES\001\002C8E.DAT[eied_s7_c_77.exe]
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\00010E\FILES\001\000164.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\00010E\FILES\001\0001B2.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\00010E\FILES\001\0001A9.DAT
Adware:Adware/Startpage.VQ No disinfected C:\PQSC\CPS\00010E\FILES\001\0001B0.DAT
Adware:Adware/PurityScan No disinfected C:\PQSC\CPS\00010E\FILES\001\000FA6.DAT
Adware:Adware/IPInsight No disinfected C:\PQSC\CPS\00010E\FILES\001\0020A3.DAT
Adware:Adware/IPInsight No disinfected C:\PQSC\CPS\00010E\FILES\001\000190.DAT
Adware:Adware/WinTools No disinfected C:\PQSC\CPS\00010E\FILES\001\000184.DAT
Spyware:Spyware/BargainBuddy No disinfected C:\PQSC\CPS\00010E\FILES\001\000F88.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\00010E\FILES\001\000F81.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\00010E\FILES\001\000F82.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\00010E\FILES\001\000F8B.DAT
Spyware:Spyware/BargainBuddy No disinfected C:\PQSC\CPS\00010E\FILES\001\000F86.DAT
Spyware:Spyware/BargainBuddy No disinfected C:\PQSC\CPS\00010E\FILES\001\000194.DAT
Adware:Adware/ExactSearch No disinfected C:\PQSC\CPS\00010E\FILES\001\000F83.DAT
Spyware:Spyware/BargainBuddy No disinfected C:\PQSC\CPS\00010E\FILES\001\000F84.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\00460F.DAT
Adware:Adware/Startpage.VQ No disinfected C:\PQSC\CPS\000110\FILES\001\004614.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\004616.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\004633.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\004610.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\00460A.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000110\FILES\001\004637.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000110\FILES\001\004636.DAT
Adware:Adware/Startpage.AS No disinfected C:\PQSC\CPS\000110\FILES\001\0045B6.DAT
Adware:Adware/SearchExe No disinfected C:\PQSC\CPS\000110\FILES\001\004603.DAT
Adware:Adware/PurityScan No disinfected C:\PQSC\CPS\000113\FILES\001\00BAE2.DAT
Adware:Adware/nCase No disinfected C:\temp\salm.exe
Adware:Adware/nCase No disinfected C:\temp\salmau.dat
Adware:Adware/nCase No disinfected C:\temp\salm.log
Adware:Adware/nCase No disinfected C:\temp\salm_kyf.dat
Adware:Adware/nCase No disinfected C:\temp\salm_gdf.dat
Adware:Adware/nCase No disinfected C:\temp\salm_kyf_update.dat
Adware:Adware/nCase No disinfected C:\temp\salmhook.dll
Adware:Adware/PurityScan No disinfected C:\hijackthis[1]\backups\backup-20050518-182518-730.inf
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab
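Most of the hits in the scan above are not on the live system at all but inside C:\PQSC\CPS, the PowerQuest rollback store, which is the point the next reply makes: those files are not running, but restoring a checkpoint would bring them back. The Python below is an added example, not ActiveScan code or anything from this thread; it parses result lines of the shape shown above and sorts them by where they live. The sample input is a handful of lines copied from the scan output.

```python
"""Added example: sort scanner findings by where they live, not just what they are.

Not ActiveScan code. Each result line above has the shape
    <Category>:<Family> No disinfected <Location>
The cleanup question is "where": a hit inside the rollback store is not
running, but restoring that checkpoint would put it back; a hit in a live
system directory is the one to remove now.
"""
import re
from collections import Counter

BACKUP_ROOT = r"C:\PQSC\CPS"   # PowerQuest rollback store, as it appears in the scan above

RESULT_RE = re.compile(r"^(?P<kind>\w+):(?P<family>\S+?)\s*No disinfected\s+(?P<where>.+)$")


def zone_of(location: str) -> str:
    low = location.lower()
    if low == "windows registry":
        return "registry"
    if low.startswith(BACKUP_ROOT.lower() + "\\"):
        return "backup-store"            # checked first: backup archives also use [member] notation
    if low.endswith("]"):
        return "archive-member"          # scanner notation for a file inside a container
    if "\\temp\\" in low or "\\downloaded program files\\" in low:
        return "transient"               # temp dir or the browser's ActiveX cache
    return "live-system"


def parse_results(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            where = m.group("where").strip()
            rows.append({"kind": m.group("kind"), "family": m.group("family"),
                         "location": where, "zone": zone_of(where)})
    return rows


def summarize(rows: list) -> dict:
    """Counts per zone and family, plus de-duplicated paths for the two zones that matter."""
    return {
        "by_zone": dict(Counter(r["zone"] for r in rows)),
        "by_family": dict(Counter(r["family"] for r in rows)),
        "backup_paths": sorted({r["location"] for r in rows if r["zone"] == "backup-store"}),
        "live_paths": sorted({r["location"] for r in rows if r["zone"] in ("live-system", "transient")}),
    }


# A handful of lines taken from the scan output above (the header line is ignored).
SAMPLE_RESULTS = r"""
Incident Status Location
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd
Adware:Adware/SearchAid No disinfected Windows Registry
Adware:Adware/BlueScreenWarningNo disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
Virus:Trj/Downloader.BSU No disinfected C:\PQSC\CPS\000115\FILES\001\00EB51.DAT
Adware:Adware/MediaTickets No disinfected C:\PQSC\CPS\00010F\FILES\001\002C8E.DAT[eied_s7_c_77.exe]
Adware:Adware/nCase No disinfected C:\temp\salm.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM\netut80ex.vxd
"""

if __name__ == "__main__":
    report = summarize(parse_results(SAMPLE_RESULTS))
    print("by zone:", report["by_zone"])
    print("still in the rollback store:", *report["backup_paths"], sep="\n  ")
```

The regex tolerates the missing space in the BlueScreenWarning line, and the same file reported twice (netut80ex.vxd) collapses to one live path, so the de-duplicated live_paths list is the one to hand to a removal tool.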

#56 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

PowerQuest did back up a bunch of nasty stuff! I don't know anything about the program, so it was suggested to me by another staff member that you should open PowerQuest or DataKeeper and browse through all of the options to find out how to delete the backups (if there is a way - should be!). There is also a help section in the program where you may be able to find the answer!

Please delete these folders, in bold:

C:\Temp\FLEOK
C:\Program Files\preview adservice
C:\Program Files\Win Comm

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINDOWS\farmmext.ini
C:\WINDOWS\inf\localNRD.inf
C:\WINDOWS\SYSTEM\VX1X.NLS
C:\WINDOWS\SYSTEM\VX1.NLS
C:\WINDOWS\SYSTEM\VX0.NLS
C:\WINDOWS\SYSTEM\mac80ex.idf
C:\WINDOWS\SYSTEM\mac80ex.idf[msbe.dll]
C:\WINDOWS\SYSTEM\mac80ex.idf[bargains.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adv.exe]
C:\WINDOWS\SYSTEM\mac80ex.idf[adx.exe]
C:\WINDOWS\SYSTEM\netut80ex.vxd
C:\WINDOWS\SYSTEM\netut80ex.vxd[exdl.exe]
C:\WINDOWS\SYSTEM\netut80ex.vxd[mqexdlm.srg]
C:\WINDOWS\SYSTEM\netut80ex.vxd[exul.exe]
C:\WINDOWS\SYSTEM\netut80ex.vxd[javexulm.vxd]
C:\WINDOWS\SYSTEM\netut80ex.vxd[msexreg.exe]
C:\WINDOWS\SYSTEM\netut80ex.vxd[exclean.exe]
C:\WINDOWS\SYSTEM\exclean.exe
C:\WINDOWS\SYSTEMmsbe.dll
C:\WINDOWS\SYSTEMbargains.exe
C:\WINDOWS\SYSTEMadv.exe
C:\WINDOWS\SYSTEMadx.exe
C:\WINDOWS\SYSTEMexdl.exe
C:\WINDOWS\SYSTEMmqexdlm.srg
C:\WINDOWS\SYSTEMexul.exe
C:\WINDOWS\SYSTEMjavexulm.vxd
C:\WINDOWS\SYSTEM\wldr.dll
C:\WINDOWS\INF\PYNIX.INF
C:\WINDOWS\INF\LOCALNRD.INF
C:\WINDOWS\INF\CERES.INF
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\WINDOWS\SYSMON.EXE
C:\WINDOWS\FARMMEXT.ini
C:\WINDOWS\syszp32.exe
C:\WINDOWS\sysgn32.exe
C:\WINDOWS\sysjq32.exe
C:\temp\salm.exe
C:\temp\salmau.dat
C:\temp\salm.log
C:\temp\salm_kyf.dat
C:\temp\salm_gdf.dat
C:\temp\salm_kyf_update.dat
C:\temp\salmhook.dll
C:\eied_s7.cab


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post one more HiJackThis log.

Edited by bananafanafo, 04 June 2005 - 02:42 AM.


#57 munchkinman (Member, Topic Starter, 29 posts)

Here is my new HJT log. I am still looking for the backup option to delete. The only thing I found so far is how to delete the scheduled checkpoint. Don't know if this helps; I will post back again soon if I find anything else. :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 12:12:29, on 04/06/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\PQSC\PROGRAM\SCTRAY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HIJACKTHIS[1]\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Fast4
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [SecondChance] C:\PQSC\PROGRAM\SCTRAY.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinject.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\Csinsm32.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.fast4.net/
O15 - Trusted Zone: http://www.hotmail.com
O15 - Trusted Zone: http://www.hsbc.co.uk
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btin...bcontrol023.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifes...ll/pinstall.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab

#58 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

It looks good! Any other problems?

#59 munchkinman (Member, Topic Starter, 29 posts)

No, everything seems to be fine. THANK YOU VERY MUCH.
I could not find anything about how to delete the backup files in PowerQuest; the only thing I found out is how to delete the scheduled checkpoints. Don't know if this helps! :tazz: Again, thanks for your time, patience and expertise.

#60 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

You're welcome! I'm glad CoachWife6 and I were able to help you out!

You might try asking in the software forum if they know how to delete backups made by PowerQuest. I would advise not using those backups, that's for sure!

Congratulations your log is clean! Great job on the clean up :tazz:

I recommend checking the http://www.microsoft.com website periodically for critical updates to install.

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
Other necessary Programs:
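The HOSTS file trick described in the MVPS item above cuts both ways: the file is consulted before DNS, so mapping an ad host to 127.0.0.1 sends the connection to the local machine and nowhere else, but the same mechanism pointing a real site at a foreign address is a hijack. The Python below is an added example, not the MVPS file or its installer: it merges a blocklist into a hosts file without duplicating entries that are already sinkholed, then audits the result for hijack-shaped lines. The hosts content and the blocklist names are constructed. On the Windows 9x/ME machine in this thread the file lives at C:\WINDOWS\HOSTS; on NT-family systems it is %SystemRoot%\System32\drivers\etc\hosts.

```python
"""Added example: merge a blocklist into a HOSTS file and audit the result.

Not the MVPS file or its installer. Mapping a name to 127.0.0.1 or 0.0.0.0
sinkholes it; mapping a name to any routable address is the shape of a
hijack, so the audit reports every such line for review.
"""
import ipaddress

SINKHOLES = {"127.0.0.1", "0.0.0.0"}


def parse_hosts(text: str) -> list:
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], name.lower()) for name in fields[1:])
    return pairs


def merge_blocklist(current: str, blocked: list, sink: str = "127.0.0.1") -> str:
    """Append a sink entry for each blocked name not already mapped to a sinkhole."""
    mapped = {name for addr, name in parse_hosts(current) if addr in SINKHOLES}
    new_lines = [f"{sink} {name}" for name in blocked if name.lower() not in mapped]
    return current.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n"


def audit_hosts(text: str, blocked: list) -> list:
    """Flag hijack-shaped entries: any name pointed at something other than a sinkhole."""
    findings = []
    blocked_set = {b.lower() for b in blocked}
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, name, "address is not an IP literal"))
            continue
        if addr in SINKHOLES or ip.is_loopback:
            continue
        if name in blocked_set:
            findings.append((addr, name, "blocked name redirected instead of sinkholed"))
        else:
            findings.append((addr, name, "name overridden to a routable address; verify it is intended"))
    return findings


# Constructed sample: the default localhost line, one proper sinkhole entry, a
# real site pointed at a routable address (hijack shape), an unparsable
# address, and a blocked name redirected rather than sinkholed.
CURRENT_HOSTS = """\
# Hosts file (constructed sample)
127.0.0.1 localhost
127.0.0.1 ads.example-adnetwork.test
203.0.113.45 www.search-engine.test   # a real site pointed elsewhere
not-an-ip tracker.example-adnetwork.test
198.51.100.7 banner.example-adnetwork.test
"""
BLOCKLIST = ["ads.example-adnetwork.test", "tracker.example-adnetwork.test",
             "banner.example-adnetwork.test"]

if __name__ == "__main__":
    merged = merge_blocklist(CURRENT_HOSTS, BLOCKLIST)
    print(merged)
    for addr, name, why in audit_hosts(merged, BLOCKLIST):
        print(f"{addr:>16} {name}: {why}")
```

Merging only appends; it never rewrites an existing line, which is deliberate: the audit is what surfaces a pre-existing redirect for a blocked name, and an analyst should see that line rather than have it silently papered over by a new sinkhole entry further down.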