instability after pexmor removal

Computing.Net > Forums > Security and Virus > instability after pexmor removal

Computer Problems? Computing.Net has over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to start participating now! Also, be sure to check out the New User Guide.

instability after pexmor removal

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 06:20:29 Pacific
OS: Win 98 SE
CPU/Ram: 512MB

Comment:

I am working on a client's PC, and after removing a trojan horse named 5.AO (I can find no relevant information on this trojan) and the W32.pexmor@MM virus in safe mode, I restored his corrupt system files. The system remains stable until Quatro Pro 9 is opened. The computer then has to be rebooted, (BSOD's).
I am a beginning PC tech where viruses are concerned, so please be a little more explanation oriented for my sake, please!
I really enjoy my work, and the sluething involved, but I get stumped often. Any help you could offer me would be sincerely and greatly appreciated!

Sponsored Link

Ads by Google

Response Number 1

Name: jabuck
Date: November 23, 2005 at 06:38:03 Pacific

Reply:

Ecoustic, Sounds like a damaged file in Quatto 9,does client have the install disk.
You can post a HT log if you want to maybe something will show up there.You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of it's on, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.
Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.
Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

Response Number 2

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 08:08:22 Pacific

Reply:

Thank you for your response. I do know that the Hijackthis program is very powerful, and I have only scanned the computer with it.
Here is the text file from the scan:
(and thanks again)
Logfile of HijackThis v1.99.1
Scan saved at 10:52:25 AM, on 11/23/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HPOOPM07.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.exe
C:\WINDOWS\SYSTEM\HPOIPM07.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.exe
C:\PROGRAM FILES\WINZIP\WINZIP32.exe
C:\TEMP\HIJACKTHIS.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\tngiejnc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CINTERNET%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\tngiejnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\SYSTEM\QLINK32.DLL

Response Number 3

Name: jabuck
Date: November 23, 2005 at 09:44:11 Pacific

Reply:

Run Ht again,close all windows and browsers except HT, check th box to the left of these item then pres "fix checked".
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) -
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\WINDOWS\SYSTEM\QLINK32.DLL
Next reboot into
Safe Mode

Set the computer up to show hidden files by going to start>settings>control panel>folder options>view tab>scroll down to and tick the circle beside "show hidden files and folders">apply>ok.
and navigate to and delete this file if found:
C:\WINDOWS\SYSTEM\QLINK32.DLL
Reboot into normal mode and post a new HT log.

Response Number 4

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 09:45:53 Pacific

Reply:

Thank you so very much! Will post as soon as finished!
Eric

Response Number 5

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 10:24:49 Pacific

Reply:

Ok Jabuck, here it is. I cannot thank you enough. Any further information would be gratefully accepted as well.
God bless you, I am doing this job for a man whom I love like a father, as a favor.
Is there a site that I could study, to learn what to look for and delete as far a using HiJackThis, in relation to virus, spyware, trojan and browser high jack files? I love to learn and get better at my trade.
P.S. (How can I get rid of the AOL attached to the IE browser for him, so he can use a normal IE program? Delete the AOL key with HT?
Thanks again!
Here is the file:
Logfile of HijackThis v1.99.1
Scan saved at 12:56:46 PM, on 11/23/2005
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\SYSTEM\HPOOPM07.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPODEV07.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOEVM07.exe
C:\WINDOWS\SYSTEM\HPOIPM07.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOSTS07.exe
C:\PROGRAM FILES\HEWLETT-PACKARD\HP OFFICEJET V SERIES\BIN\HPOFXM07.exe
C:\TEMP\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\tngiejnc.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CINTERNET%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\tngiejnc.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\SYSTEM\hpoopm07.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.exe -service
O4 - Startup: HPAiODevice.lnk = C:\Program Files\Hewlett-Packard\hp officejet v series\bin\hpodev07.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} -
O16 - DPF: Yahoo! Chat -
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -

mirar toolbar removal aol spyzapper removal mirar toolbar removal	internet not working after virus removal computer slow after virus removal no internet after virus removal
See More

Response Number 6

Name: jabuck
Date: November 23, 2005 at 10:59:25 Pacific

Reply:

Yes, delete the key. Run HT again, close all browsers and windows except HT, mark this item, press "fix checked":R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
Will Quattro run now?

Response Number 7

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 11:17:21 Pacific

Reply:

Ok, I did delete that key, and it is now showing that it's gone when I run HT, but when I load IE, it still shows the AOL logo in the upper right corner. How can I get rid of that?
Quatro will run, and I haven't had fatal error, yet.... Yet being the keyword there. There were many programs giving me fatal system errors, and so far nothing like that has happened since the scan. Could it have been that simple?
You are an angel, and I thank you for your generosity!
Eric

Response Number 8

Name: jabuck
Date: November 23, 2005 at 11:33:19 Pacific

Reply:

Do you have the taskbar on the top of the screen or is it actually on the IE toolbar.

Response Number 9

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 11:56:49 Pacific

Reply:

It's actually in the IE tooltar Jabuck.

Response Number 10

Name: Knight Rider (by Ecoustic)
Date: November 23, 2005 at 12:22:46 Pacific

Reply:

Also, I am still getting "Internet Explorer has performed an illegal operation and will be shut down" whenever I visit most sites, but especially when I visit an Anti-Virus site like Symantec or Grisoft.
I have tried to download AVG free to this machine several times, but I ALWAYS get an installation error. (I have used AVG free on many computers for over six years with no problem and have NEVER been infected with a virus on my own machines)
What do you think could be the reason for this? I have to be able to get this machine online and stable for him soon. He is a Past Master of the Masonic Lodge, and many of his critical files are stored on this machine.
I bow in the long shadow of your excellence, and thank you once again for any and ALL of your help!
Eric

Response Number 11

Name: jabuck
Date: November 23, 2005 at 15:35:05 Pacific

Reply:

Go to add/remove program and if you have a stand alone entry for aol toolbar remove it.
Download hoster from this site http://www.funkytoad.com/hoster.htm to repair your host file. Just install it and click "repair original host".
Then go to add/remove programs and repair the internet explorer. Scroll down to microsoft internet explorer 6.0 and tools>click add/remove>tick the circle beside "repair internet explorer">ok>ok. It should reboot if not restart the computer and try the sites.

Sponsored Link

Ads by Google

Message from Sygate Firew...

W32 virus?

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Sponsored links

Ads by Google

Results for: instability after pexmor removal

OS Unstable After Virus Removal

Summary

www.computing.net/answers/security/os-unstable-after-virus-removal/21962.html

Errors after virus removal(s)

Summary

www.computing.net/answers/security/errors-after-virus-removals/1857.html

difficulty after virus removal-agob

Summary

www.computing.net/answers/security/difficulty-after-virus-removalagob/10054.html

From the Geek Dictionary
unobtainium - Unobtainium is a extremely rare and costly material that is usually physica...

Ask a Question!

Weekly Poll
Do you believe in Video Game Addiction?

Poll Finishes In 5 Days.
Discuss in The Lounge
Poll History

Recent Posts
sound driver

keyboar problem

Got No Speakers

Sharecentral 5 ruins keyboards ?

need to undo, always use this program to open

All Awaiting Reply

Tom's News
Queues in Manhattan Form as DROID Launches

Report: $99 iPhone 3GS in Time For the Holidays

Game Boy, Ball Gets Into Toy Hall of Fame

iPhone Developer Stealing Private Info

Nintendo: There is No Wii HD

More Tom's Guide News

Data Recovery

Manufacturer List | About Us | Advertising Info | Contact Us
The information on Computing.Net is the opinions of its users. Such opinions may not be accurate and they are to be used at your own risk. Computing.Net cannot verify the validity of the statements made on this site. Computing.Net and Computing.Net LLC hereby disclaim all responsibility and liability for the content of Computing.Net and its accuracy.
PLEASE READ THE FULL DISCLAIMER AND LEGAL TERMS BY CLICKING HERE