
View Full Version : h2h@achayans.com (W98)



fishychips
06-11-2002, 10:32 PM
Somehow I have managed to get the worm WORM_YAHA.B onto my computer and it has restricted my Norton antivirus. Can anyone help get rid of this worm???

TonyKlein
06-12-2002, 05:46 AM
This should give you some pointers as to how to get rid of it: Trend Micro HouseCall (http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=WORM_YAHA.B&VSect=T)

However,

fishychips
06-12-2002, 04:14 PM
Thanks Tony..... Well, I've managed to find it and everything. I've deleted the infected files, all but one. It's C:\RECYCLED\mcqgsr.exe; when I go to delete it, it says that it is in use and can't. I don't know what file that is or how not to use it so I can delete it. Any suggestions? Thanks

TonyKlein
06-12-2002, 04:51 PM
Try this:

Reboot in MS-DOS, and type the following lines to delete your recycle bin, clicking 'enter' after each line:

cd\
attrib -s -h recycled.
del recycled
exit or win (to return to Windows).

A brand new Recycle bin will be recreated on reboot, and your problem should be over.

Good luck, Tony

fishychips
06-13-2002, 06:00 AM
Tony, well, I have managed to delete the worm, but apparently one of the files I deleted that was infected is needed in order for any of my "applications" to open. It says, "windows cannot find file dikpwr.exe". So now all I can do is use Internet Explorer. That's it. I can't even open Winword. This thing is beginning to irritate me. Sorry for all the trouble.

fishychips
06-13-2002, 06:02 AM
I scanned my computer again and it's still there. I tried your suggestion with the DOS prompt, but it says file not found and I chose yes to delete.

TonyKlein
06-13-2002, 05:30 PM
Download Exefix.com from this site: http://home.earthlink.net/~rmbox/Reticulated/Only_IE.html

Run the file: It restores the Windows file associations for exe files, allowing you to execute them normally again.

Next, you need to remove the reference to this file from startup.

Do this:

Download StartLog.com from the same site you downloaded exefix from.

Double-click it, and it will generate a text file on your desktop that will list all the applications that start in the many places when you start Windows.

We don't need to see StubPath.txt, just Startup.Log

Just go to 'Edit/select all', then copy, and paste it into your reply.

This will enable us to get rid of your error at startup.

fishychips
06-13-2002, 08:04 PM
StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"RemoteCenter"="C:\\Program Files\\Creative\\SBLive\\RemoteCenter\\Rc\\RcMan.EXE"
"Creative Launcher"="C:\\PROGRAM FILES\\CREATIVE\\SBLIVE\\LAUNCHER\\CTLAUNCHER.EXE"
"AudioHQ"="C:\\Program Files\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"NewsUpd"="C:\\Program Files\\Creative\\News\\NewsUpd.EXE /q"
"CTAVTray"="C:\\PROGRAM FILES\\CREATIVE\\SBLIVE\\PROGRAM\\CTAvTray.EXE"
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~2\\ONETOU~2.EXE"
"StillImageMonitor"="C:\\WINDOWS\\SYSTEM\\STIMON.EXE"
"zBrowser Launcher"="C:\\PROGRA~1\\LOGITECH\\ITOUCH\\iTouch.exe"
"EM_EXEC"="C:\\PROGRA~1\\LOGITECH\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"LoadQM"="loadqm.exe"
"CloneCDTray"="C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\SYSTEM\\hpztsb01.exe"
"InstantAccess"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\INSTAN~1.EXE /h"
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"
"ASUS Probe"="C:\\Program Files\\ASUS\\Probe\\AsusProb.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"Norton Auto-Protect"="C:\\PROGRA~1\\NORTON~1\\NAVAPW32.EXE /LOADQUIET"
"CMESys"="\"C:\\PROGRAM FILES\\COMMON FILES\\CMEII\\CMESYS.EXE\""
"TkBellExe"="C:\\Program Files\\Common Files\\Real\\Update_OB\\evntsvc.exe -osboot"
"SVAPlayer"="C:\\Program Files\\SVA Player\\SVAPLAYER.EXE"
"Plug and Play Devices"="PnPDev.exe"
"PrecisionTime"="C:\\PROGRA~1\\PrecisionTime\\PrecisionTime.exe"
"Date Manager"="\"C:\\PROGRA~1\\Date Manager\\DateManager.exe\""
"ABC"="C:\\JOHN\\AIM95\\Keylogger.exe"
"BhrQxAwp"="C:\\WINDOWS\\SYSTEM\\TIKL.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="C:\\PROGRAM FILES\\VISIONEER\\PAPERPORT\\PPWebCap.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Attune Download"="C:\\PROGRA~1\\AVEO\\ATTUNE\\UPDATER1\\ATTUNEL.EXE"
"HXIUL.EXE"="C:\\Program Files\\Alset\\HelpExpress\\HXIUL.EXE"
"Weather"="C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHER.EXE 1"


==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\BIN\\REGIST~1.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"
"Plug and Play Devices"="PnPDev.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

rem - By Windows 98 Network - C:\WINDOWS\net start
SET BLASTER=A220 I5 D1 H5 P330 T6
SET CTSYN=C:\WINDOWS
C:\PROGRA~1\CREATIVE\SBLIVE\DOSDRV\SBEINIT.COM

PATH C:\BITWARE\


==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\reminder-ScanSoft Product Registration.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Office.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\GStartup.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-=========================-
HKU (.Default) Run - Registry
-=========================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="C:\\PROGRAM FILES\\VISIONEER\\PAPERPORT\\PPWebCap.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"Attune Download"="C:\\PROGRA~1\\AVEO\\ATTUNE\\UPDATER1\\ATTUNEL.EXE"
"HXIUL.EXE"="C:\\Program Files\\Alset\\HelpExpress\\HXIUL.EXE"
"Weather"="C:\\PROGRAM FILES\\AWS\\WEATHERBUG\\WEATHER.EXE 1"


-==============================-
HKU (.Default) RunOnce - Registry
-==============================-


[HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce]

TonyKlein
06-13-2002, 08:23 PM
You've got some keylogger trojan there, some other malware (BhrQxAwp), and a lot of spy/foistware.

Go to Start/run, type Msconfig, and uncheck the following harmful and/or unnecessary items on the Startup tab:

NewsUpd, ZBrowser Launcher, EM_EXEC, LoadQM, CMESys, TKbell.exe, Plug and Play Devices, ABC, and BhrQxAwp.

Click OK, close Msconfig, and reboot.

Now delete C:\Windows\System\Tikl.exe

Download and install the Refupdate Utility (Ad-Aware, http://www.jamcomputerservices.com/lavasoft/aaw.exe).
This utility searches for, downloads and automatically installs the latest AAW reffile (the spyware definitions, so to speak).

Run the refupdate.exe installation file, and once installed, go to Start Menu > Programs, find the Lavasoft Refupdate entry and run it.
Click connect; it will open a connection to the internet to check and update the current signature file.

When that's completed, run Ad-Aware, have your drives and registry scanned for spyware, check all found files and reg keys, click continue, and have them removed.

Reboot one last time.

NOTE: should you have Ad-Aware installed already, and it's a version prior to v 5.80, you MUST uninstall it first, before installing the new version.

Finally, do a final online scan at Trend Micro HouseCall: http://housecall.antivirus.com/pc_housecall/


Good luck, Tony
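
The StartLog output above has a regular shape: each autostart location is a registry key line followed by "name"="command" values with .reg-style escaping, and the Registry Shell Spawning section gives an @= open command per executable type. As an added example (not code from this thread, from StartLog or from its author), this Python script parses a constructed excerpt in that format and reports run values given without a drive path and open commands that differ from the stock ones quoted in the log; the excerpt and the EXPECTED_OPEN table are assumptions.

```python
import re
# Constructed excerpt in the format of the StartLog output posted above (not the full log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LoadQM"="loadqm.exe"
"CMESys"="\"C:\\PROGRAM FILES\\COMMON FILES\\CMEII\\CMESYS.EXE\""
"ABC"="C:\\JOHN\\AIM95\\Keylogger.exe"
"BhrQxAwp"="C:\\WINDOWS\\SYSTEM\\TIKL.EXE"
@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)
'''
# Stock open commands as shown in the log (assumed defaults; .hta uses MSHTA.EXE, so it is not checked).
EXPECTED_OPEN = {**dict.fromkeys(("exe", "com", "bat", "pif"), '"%1" %*'), "scr": '"%1" /S'}

KEY_RE = re.compile(r'^\[(.+)\]$')                         # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')  # "name"="command"
DEFAULT_RE = re.compile(r'^@="((?:[^"\\]|\\.)*)"$')        # @="command"
EXT_RE = re.compile(r'^\(\.(\w+) file - RegPath = (.+)\)$')

def unescape(raw):  # undo .reg-style escaping: a backslash quotes the next character
    return re.sub(r'\\(.)', r'\1', raw)

def parse_startlog(text):
    """Return ({registry key: [(name, command), ...]}, {ext: open command})."""
    run, shell, key, pending = {}, {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            run.setdefault((key := m.group(1)), [])
        elif m := VALUE_RE.match(line):
            run.setdefault(key, []).append((m.group(1), unescape(m.group(2))))
        elif m := DEFAULT_RE.match(line):
            pending = unescape(m.group(1))  # its "(.ext file - RegPath = ...)" line follows
        elif (m := EXT_RE.match(line)) and pending is not None:
            shell[m.group(1)], pending = pending, None
    return run, shell

def review(text):
    """Flag run values given without a drive path and open commands that deviate from stock."""
    findings = []
    run, shell = parse_startlog(text)
    for key, entries in run.items():
        for name, cmd in entries:
            first = cmd.lstrip('"').split()[0] if cmd.strip() else ""
            if ":" not in first:
                findings.append(f"{name}: no full path ({cmd!r}) in {key}")
    for ext, expected in EXPECTED_OPEN.items():
        if ext in shell and shell[ext] != expected:
            findings.append(f".{ext} open command changed: {shell[ext]!r}")
    return findings
```

A bare file name in a run value only tells you the program is resolved through the PATH at boot; it is a prompt to locate the file, not a verdict, and every finding still needs a look at the file itself.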

Mosaic1
06-14-2002, 12:03 AM
Hi guys,
I wanted to quickly add a little DOS to this. In order to delete the recycle bin in DOS you need to use the deltree command, not del. That's why you got the error. Del deletes a file(s) inside a folder. It is an internal command. Deltree deletes a folder and all its contents. It is an external command, and a dangerous one. Always take care when you use it.

I delete the Recycle Bin all the time and never have had to remove the attributes. You can go ahead and use the attrib command to remove them if you like. I do it in pure DOS. I reboot and hold down CTRL to bring up the boot menu. I then choose Command prompt only from the menu and press enter. At the C prompt, which looks like this:

C:\>

I type this command to remove the bin.

deltree recycled (and then press enter)

That removes it entirely. You will be prompted to affirm that you want to remove the Recycled bin and all its contents. Press Y.

After the removal you will be brought to another prompt. At that prompt type win and press enter to boot into Windows.

TonyKlein
06-14-2002, 09:29 AM
You're right, Mo.

I often paste these things from my files without duly checking them, and this certainly qualifies as a major league boo-boo...

I need to be demoted for 'un-gurulike' behavior!

Hally
07-12-2002, 11:13 PM
Hey don't beat yourself up Tony, there was only one perfect person & they nailed him, err I guess we all know that story. But seriously I think you're very knowledgeable in the computer field & you've helped me fix my computer many times. . . keep up the good work


Nana
07-15-2002, 02:41 PM
NO, You Don't!

Nana

TonyKlein
07-15-2002, 02:46 PM
You guys are just too kind...

Cheers, Tony

Nana
07-15-2002, 02:52 PM
Aren't we though.

Nana