I didn't find any of the following:
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\LogFiles
C:\Program Files\Security IGuard
But I did manage to remove the BG.BMP and the other files you listed with Killbox:
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\system32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\system32\perfcii.ini
C:\Windows\System32\helper.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe
I did not find any of these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINNT\xmllib.dll (file missing)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c420.cab
in my log file for HijackThis (don't know if it's bad or good).
Then I ran "the hoster" and the "DelDomains.inf" and the "CleanUp!" and last the active scanner "ActiveScan", and I did find a lot of [bleep] on my computer.
So now I'm posting a log file from HijackThis, and can you tell me if anything is as it should be?
Logfile of HijackThis v1.99.1
Scan saved at 12:37:35, on 17-06-05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\IEPA32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LINKSTS.EXE
C:\PROGRAMMER\AHEAD\INCD\INCD.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAMMER\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAMMER\FæLLES FILER\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ATLXV32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAMMER\MICROSOFT ACTIVESYNC\WCESCOMM.EXE
C:\FISC\FLASH\FLSHSTAT.EXE
C:\PROGRAMMER\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAMMER\LOGITECH\WINGMAN SOFTWARE\LWEMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SKRIVEBORD\HIJACKTHIS\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\fnpav.dll/sp.html#34429
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAMMER\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmer\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAWR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmer\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmer\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Skan registreringsdatabase] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WinFast_Gamma] rundll32.exe wfcpl.dll,DllLoadGammaRampSettings
O4 - HKLM\..\Run: [Linksts] Linksts.exe
O4 - HKLM\..\Run: [ADQuickAccess] D:\AFTERDRK\ADTRAY.EXE
O4 - HKLM\..\Run: [InCD] C:\Programmer\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AELaunch] AELaunch.exe
O4 - HKLM\..\Run: [Brasil] C:\WINDOWS\Brasil.pif
O4 - HKLM\..\Run: [Alevir] C:\WINDOWS\Alevir.exe
O4 - HKLM\..\Run: [cronos] C:\WINDOWS\marco!.scr
O4 - HKLM\..\Run: [MSVXD] C:\WINDOWS\MSVXD.EXE 1632
O4 - HKLM\..\Run: [instit] C:\WINDOWS\instit.bat
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Programmer\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Programmer\Fælles filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Programmer\Fælles filer\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [webscan] C:\PROGRAMMER\ACCELERATION SOFTWARE\ANTI-VIRUS\STOPSIGNAV.EXE -k
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\PROGRAMMER\INTERNET EXPLORER\IEXPLORE.EXE
O4 - HKLM\..\Run: [ATLXV32.EXE] C:\WINDOWS\SYSTEM\ATLXV32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Programmer\Fælles filer\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Programmer\Fælles filer\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Programmer\Fælles filer\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [IEPA32.EXE] C:\WINDOWS\SYSTEM\IEPA32.EXE /s
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Start WingMan Profiler] "C:\Programmer\Logitech\WingMan Software\lwtest.exe" /detect /quiet /launch "C:\Programmer\Logitech\WingMan Software\lwemon.exe /noui"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRAMMER\MICROSOFT ACTIVESYNC\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WindowsFY] C:\BSW.EXE
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Startup: Microsoft Office.lnk = C:\Programmer\Microsoft Office\Office10\OSA.EXE
O4 - Startup: FlashPath Status.lnk = C:\FISC\FLASH\FLSHSTAT.exe
O4 - Startup: Logitech Desktop Messenger Agent.lnk = C:\Programmer\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAMMER\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRAMMER\MICROSOFT ACTIVESYNC\INETREPL.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL
O9 - Extra button: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {62BE4FA0-D782-11D9-AF50-00119581EA54} - C:\WINDOWS\SYSTEM\WLDR.DLL (HKCU)
O12 - Plugin for .inp: C:\PROGRA~1\INTERN~1\PLUGINS\npincplg.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
Don't know if it's necessary but I'll post it anyway: here comes the ActiveScan log
Incident Status Location
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\IEPA32.EXE
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\SE.DLL
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\ATLXV32.EXE
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\JAVAWR.DLL
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\SE.DLL
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\ATLXV32.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\IEPA32.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Foretrukne\Search the web.url
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll
Adware:Adware/Startpage.JY No disinfected Windows Registry
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/IGuard No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/BlueScreenWarning No disinfected Windows Registry
Virus:Trj/Downloader.CFJ Disinfected Operating system
Virus:Trj/Downloader.CVB Disinfected C:\WINDOWS\SYSTEM\nhaa.dll
Adware:Adware/BlueScreenWarning No disinfected C:\WINDOWS\SYSTEM\wldr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\SYSTEM\fnpav.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\iepa32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM\atlxv32.exe
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\What is hydrocodone.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\WINDOWS\Foretrukne\Sites about\Online instant loan.url
Adware:Adware/SearchAid No disinfected C:\WINDOWS\Foretrukne\Search the web.url
Adware:Adware/SearchExe No disinfected C:\WINDOWS\TEMP\se.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\javawr.dll
Adware:Adware/Startpage.VQ No disinfected C:\WINDOWS\ermegs.log
Virus:Trj/Downloader.DAK Disinfected C:\TEMP\ss_stopsign.exe
I hope you can help. Thx, Hoopstar...
P.S. I have removed the links in "C:\WINDOWS\Foretrukne\Sites about"; I just saw that after the scan.