Hi. I have been having issues with my system. Yahoo is my start page, and sometimes when I sign on, the links are highlighted, like I have already read the news article, but I have not. I have downloaded and run a bunch of software to try and decipher this problem, such as Spybot, SpySweeper, AVG, Avast, Ad-Aware, TrojanRemover, and StopSign/Eanthology. I have even done an online trojan scan and a HouseCall. There was one trojan (mytins) in best.exe which was removed by AVG, but the ONLY program which has found a possible Backdoor.Trojan is DoctorWeb, which states:
C:\WINDOWS\csrss.exe may be infected, because it matches the pattern of BACKDOOR.Trojan.
Also, I have two .tmp files under windows/temp which some of the above programs were unable to scan, and I am unable to delete because the system is using them, apparently. Questions: What should I do about this? The trial version of Dr. Web will not remove the possible Backdoor.Trojan and I do not feel like paying $30 for it to tell me that it cannot remove the file. I am hesitant to delete the file because it is under Windows and I do not want my system

Download 'Hijack This!'. Unzip, double-click HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.
HijackThis!

StAnger.
Dr Web finds this?
Dr.Web has strong heuristics and this could be a false positive.
Stop Sign/eanthology: If it was me, I would get rid of that program.
There has been debate in various support forums about this program. To sort this out, I would follow Tom41's advice and let him guide you on removal of any malware found.
HTH,
JB.

Well, I went to RAV to do an online scan and also updated my TrojanHunter files, and that found something also, but Dr. Web was the only one that found the file I listed in my previous post.
By the way, what does a UPX-packed file in my Windows system folder mean?? That's what TrojanHunter found; not sure if it will clean it, it is still scanning.
I haven't run HijackThis yet but I am about to, once the scans finish. What program should I use to keep trojans from getting onto my system? Or are there any precautions that I should follow? Thanks for the advice, gang.
By the way, when I posted this it gave me a DIFFERENT IP address than when I posted my previous message. What's that about??

I have scan results from TrojanHunter. Apparently this best.exe trojan is back; now, however, it is under the Windows folder. I have to run AVG again to see if it finds it, because TrojanHunter considers it a POSSIBLE trojan downloader and will not clean it. Here are the results:
File scan
Found possible trojan file: C:\WINDOWS\SYSTEM\vatqnsfq.exe (Suspicious: UPX-packed file in Windows System folder)
Found possible trojan file: C:\WINDOWS\best.exe (Possible trojan downloader)
Warning: Unable to unpack UPX-packed file C:\Program Files\Trojan Remover\unp.exe
2 possible trojan files found
When I ran the RAV scan, it found something in my Recycle folder, but when I went to look, I cannot find the folder name that it said the suspicious file was in. Also, when I try to use the FIND function, it won't let me scan my Recycle folder. I am going to run HijackThis and post the results for Tom41. Thanks again!
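The question a couple of posts up asks what a UPX-packed file in the Windows system folder means. UPX is a runtime packer: the original program is stored compressed inside the file and is decompressed in memory when it starts. A signature scanner that cannot unpack it sees only the compressed blob, which is why TrojanHunter reports "Suspicious" rather than "infected", and why legitimate software shipped packed with UPX trips the same warning. The Python script below is an added example, not code from this thread or from TrojanHunter, that reads a PE file's section table and reports the indicators a scanner uses to call a file UPX-packed: section names beginning with UPX, a first section that has a virtual size but no bytes on disk (the unpack destination), and the "UPX!" marker string. The images it checks are constructed inside the script (build_minimal_pe is a test helper that emits a header-only image, not a real executable), so it runs offline; feed pe_sections() or upx_indicators() the bytes of a real file to check one like vatqnsfq.exe. A packer whose section names were renamed defeats the first check, which is the point: packing is a reason to look closer, not a verdict.

```python
import struct
from typing import List, Tuple

# Field layouts from the PE/COFF file format (little-endian).
COFF_HEADER_FMT = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PtrToRawData, ..., Characteristics
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def pe_sections(data: bytes) -> List[Tuple[str, int, int]]:
    """Walk the MZ -> PE -> section table chain and return (name, VirtualSize, SizeOfRawData)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_HEADER_FMT) + opt_size
    if table_off + nsections * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table_off + i * SECTION_HEADER_SIZE)
        sections.append((f[0].rstrip(b"\0").decode("ascii", "replace"), f[1], f[3]))
    return sections


def upx_indicators(data: bytes) -> List[str]:
    """Return the UPX tell-tales a scanner keys on (an empty list means none were seen)."""
    sections = pe_sections(data)
    reasons = []
    upx_names = [name for name, _, _ in sections if name.startswith("UPX")]
    if upx_names:
        reasons.append("section names " + ", ".join(upx_names))
    # UPX's first section is the in-memory unpack destination: it has a
    # VirtualSize but no bytes on disk, whatever it has been named.
    if sections:
        name, vsize, rawsize = sections[0]
        if rawsize == 0 and vsize > 0:
            reasons.append(f"first section {name!r} has no raw data but {vsize:#x} bytes of virtual size")
    if b"UPX!" in data:
        reasons.append("'UPX!' marker string present")
    return reasons


def build_minimal_pe(sections: List[Tuple[str, int, int]], trailer: bytes = b"") -> bytes:
    """Constructed test data: a header-only PE image with the given section table (not runnable code)."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, 0x10B)  # PE32 magic
    table = b"".join(
        struct.pack(SECTION_HEADER_FMT, name.encode("ascii"), vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
        for name, vsize, rawsize in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + trailer


if __name__ == "__main__":
    packed = build_minimal_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x7800), (".rsrc", 0x1000, 0x400)], b"UPX!")
    plain = build_minimal_pe([(".text", 0x1000, 0x1000), (".data", 0x200, 0x200)])
    for label, image in (("packed", packed), ("plain", plain)):
        print(label, upx_indicators(image) or "no UPX indicators")
```

The section-name check is what most tools of this era reported on; the raw-size check survives a renamed section table and is the one worth keeping when the names look innocent.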

Can you email me zipped copies of C:\WINDOWS\best.exe and C:\WINDOWS\SYSTEM\vatqnsfq.exe to analyze?
Click my name for the email address.

I got the HijackThis log; here it is. I hope it makes some sense to you :) By the way, it says I am on 98SE, but I am on Win98. Weird, huh. I will email you those files you requested. Thanks in advance for your help.
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\WINDOWS\SYSTEM\RNAAPP.exe
C:\WINDOWS\SYSTEM\TAPISRV.exe
C:\WINDOWS\TASKMON.exe
C:\WINDOWS\SYSTEM\SYSTRAY.exe
C:\WINDOWS\GWHOTKEY.exe
C:\WINDOWS\SYSTEM\ATI2EVXX.exe
C:\WINDOWS\SYSTEM\ATIPTAXX.exe
C:\WINDOWS\SYSTEM\ATI2CWXX.exe
C:\WINDOWS\LOADQM.exe
C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.exe
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.exe
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.exe
C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.exe
C:\PROGRAM FILES\ANTI-TROJAN-55\ATWATCH.exe
C:\PROGRAM FILES\TROJANHUNTER 3.7\THGUARD.exe
C:\PROGRAM FILES\MESSENGER\MSMSGS.exe
C:\WINDOWS\SYSTEM\TYPGBCLI.exe
C:\WINDOWS\SYSTEM\WMIEXE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\PROGRAM FILES\INTERNET DOWNLOAD MANAGER\IDMAN.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: (no name) - {02478D28-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_5.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Cyber-Defender for Internet Explorer - {68E69D9D-63C9-4C32-A53B-CBE1D5A5903E} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_5.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.exe
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [GRA] C:\Program Files\GATEWAY\gra\GRA.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Propel Accelerator] C:\PROGRAM FILES\EARTHLINK ACCELERATOR\PROPELAC.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.exe -k
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [Anti-Trojan-Watch] C:\PROGRAM FILES\ANTI-TROJAN-55\ATWatch.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.7\THGUARD.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashserv.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRAM FILES\MESSENGER\MSMSGS.exe" /background
O4 - HKCU\..\Run: [Anti-Keylogger check] C:\PROGRAM FILES\ANTI-KEYLOGGER\ANTIKEY.exe /checkautorun
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Cyber-Defender (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3171d560df9467644f19/netzip/RdxIE601.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37868.7239930556
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

I think it is related to my anti-keylogger program that I have on the system (a lot of good that is doing!) from when I thought someone was physically using my system. That file seems to be renaming itself. It is something else now, but it has the logo from the program. Thanks for asking though!

I'm having the same problems described above.
Tom41, if I ran HijackThis on my computer, could you check out the log file if I mailed it to you?

I recently had the W32.Spybot.Worm and I spent 4 WHOLE days trying to remove it. I finally got to the point where I am somewhat confident that it is gone, but tonight when I tried to install BlackICE I kept getting interrupted with messages about "possible trojans". I did a web search and found this page and downloaded HijackThis. Below are my results. Also, just to let you know, I installed realtimespy on my own computer, so I already know about svchost.exe being there, but can you tell me if you see anything below that looks fishy??? Please?!
By the way, I already ran a full scan with McAfee AntiVirus, Spybot Search & Destroy, The Cleaner, Ad-Aware, etc., etc., etc.
Logfile of HijackThis v1.97.3
Scan saved at 1:28:08 AM, on 11/4/2003
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.exe
C:\WINDOWS\SYSTEM\SPOOL32.exe
C:\WINDOWS\SYSTEM\MPREXE.exe
C:\WINDOWS\SYSTEM\MSTASK.exe
C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.exe
C:\PROGRAM FILES\ISS\BLACKICE\RAPAPP.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.exe
C:\WINDOWS\EXPLORER.exe
C:\WINDOWS\SYSTEM\RPCSS.exe
C:\PROGRAM FILES\ISS\BLACKICE\BLACKICE.exe
C:\WINDOWS\SYSTEM\DDHELP.exe
C:\WINDOWS\SYSTEM\STIMON.exe
C:\WINDOWS\SYSTEM\PSTORES.exe
C:\WINDOWS\PROFILES\MOMMY001\DESKTOP\HIJACKTHIS.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = %START_PAGE_URL%
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = terrorsquad2004@yahoo.com:98765
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\1tw8jcxq.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_01.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\1tw8jcxq.slt\prefs.js)
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\YCOMP5_1_5_0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSCSHELLEXTENSION.DLL
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [LoadBlackD] "C:\PROGRAM FILES\ISS\BLACKICE\BLACKD.exe"
O4 - HKLM\..\RunServices: [RapApp] C:\PROGRAM FILES\ISS\BLACKICE\RAPAPP.exe
O4 - Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - User Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
O9 - Extra button: SmartWhois (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: MSN (HKCU)
O9 - Extra button: Searchalot (HKCU)
O9 - Extra button: Downloads (HKCU)
O14 - IERESET.INF: START_PAGE_URL=
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2119776A-F1AD-4FCD-9548-F1E1C615350C} - http://www.stop-sign.com/pub/download/stop-sign_scn.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
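Both HijackThis logs in this thread (the Windows 98 SE one and the Windows ME one above) have to be read by hand, and the lines worth a second look are the ones that change where the browser sends traffic: the R1 ProxyServer value, O1 hosts-file entries, and O16 ActiveX controls (DPF) fetched from a bare IP address instead of a vendor's domain. The Python script below is an added example, not part of this thread or of HijackThis, that applies those three checks to a few sample lines constructed from the two logs. It does not decide what is malicious. A proxy of localhost:8080 parses as a valid host:port and passes, since a locally installed accelerator can legitimately set one; the value ending in :98765 fails because 98765 is outside the TCP port range (1 to 65535) and the host part is not a hostname. Hosts entries and controls from bare IPs are reported so the owner can match them against software they knowingly installed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample in HijackThis 1.9x line format, modelled on entries
# posted in this thread (a handful of lines, not a complete log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = terrorsquad2004@yahoo.com:98765
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/3171d560df9467644f19/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

_ENTRY = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")  # no '@', spaces or path characters
_BLOCKING_IPS = {"127.0.0.1", "0.0.0.0"}     # hosts entries that block rather than redirect


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "R1", "O1", "O16"
    reason: str
    line: str


def check_proxy(value: str) -> Optional[str]:
    """Return why a ProxyServer value is implausible, or None if it parses as host:port.

    Accepts both the bare "host:port" form and the per-protocol
    "http=host:port;https=host:port" form that Internet Explorer writes.
    """
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        target = entry.split("=", 1)[1] if "=" in entry else entry
        host, sep, port = target.rpartition(":")
        if not sep:
            return f"proxy entry {entry!r} has no port"
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            return f"proxy port {port!r} is not a valid TCP port"
        if not _HOSTNAME.match(host):
            return f"proxy host {host!r} is not a hostname or IP address"
    return None


def triage(log_text: str) -> List[Finding]:
    """Scan HijackThis lines and return the entries that redirect browser traffic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue  # header, process list or blank line
        code, body = m.group("code"), m.group("body")
        if code == "R1" and ",ProxyServer = " in body:
            reason = check_proxy(body.split(",ProxyServer = ", 1)[1])
            if reason:
                findings.append(Finding(code, reason, line))
        elif code == "O1" and body.startswith("Hosts: "):
            parts = body[len("Hosts: "):].split()
            if len(parts) >= 2 and parts[0] not in _BLOCKING_IPS:
                findings.append(Finding(code, f"hosts file redirects {parts[1]} to {parts[0]}", line))
        elif code == "O16":
            url = body.rsplit(" - ", 1)[-1]
            host = urlparse(url).hostname or ""
            if _IPV4.match(host):
                findings.append(Finding(code, f"ActiveX control sourced from bare IP {host}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it against a saved log with `triage(open("hijackthis.log").read())`; O4 autostart entries are deliberately left alone here, since whether an unfamiliar executable in C:\WINDOWS\SYSTEM is legitimate cannot be decided from its name, which is exactly what the earlier posts in this thread are wrestling with.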
