I-Worm/Opas.A help!

[southwest]

StartupList report, 1/19/03, 11:07:38 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RSCMPT.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Rscmpt = C:\WINDOWS\SYSTEM\Rscmpt.exe
WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
Avril Lavigne - Muse = C:\WINDOWS\SYSTEM\a24g8CB1a3d.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 17/1/2003, 20:15:10)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
PATH C:\BITWARE\;C:\PROGRA~1\GRISOFT\AVG6
set ci_holos_cli=c:\program files\seagate software\open olap

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------
End of report, 4,396 bytes
Report generated in 0.425 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[TonyKlein]

You've got the W32/Avril-A Worm and some spyware, Gator Date Manager and Precision Time among them.

Go to Start > Run > Msconfig, and uncheck the following on the Startup tab:

GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
Rscmpt = C:\WINDOWS\SYSTEM\Rscmpt.exe
WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
Avril Lavigne - Muse = C:\WINDOWS\SYSTEM\a24g8CB1a3d.EXE


Click OK, close Msconfig, reboot.

Delete C:\WINDOWS\SYSTEM\a24g8CB1a3d.EXE

Uninstall Date Manager and Precision Time.

Finally, download Spybot - Search & Destroy

After installing, press Online, and search for, put a check mark at, and install all updates.

Next, go to the Settings tab > File Sets, and uncheck 'System Internals' and 'Tracks' .
These aren't needed for our present purpose, and you can always experiment with them later on.

Finally, after closing down Internet Explorer, hit 'Check for Problems', and have SpyBot remove all it finds.

Finally, in Msconfig/Startup RE-check Scan Registry. You NEED the Scanreg tool to back up a good and working registry at Startup.

 

[southwest]

StartupList report, 1/19/03, 11:07:38 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RSCMPT.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Rscmpt = C:\WINDOWS\SYSTEM\Rscmpt.exe
WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
Avril Lavigne - Muse = C:\WINDOWS\SYSTEM\a24g8CB1a3d.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 17/1/2003, 20:15:10)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
PATH C:\BITWARE\;C:\PROGRA~1\GRISOFT\AVG6
set ci_holos_cli=c:\program files\seagate software\open olap

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------
End of report, 4,396 bytes
Report generated in 0.425 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[southwest]

how to clear opas.a permanently? It is coming on Saturday and Sunday.

 

[southwest]

StartupList report, 1/19/03, 11:07:38 PM
StartupList version: 1.51
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v5.00 (5.00.2614.3500)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\RSCMPT.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\GMT\GMT.EXE
C:\PROGRAM FILES\DATE MANAGER\DATEMANAGER.EXE
C:\PROGRAM FILES\PRECISIONTIME\PRECISIONTIME.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Rscmpt = C:\WINDOWS\SYSTEM\Rscmpt.exe
WinampAgent = "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
CMESys = "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
Avril Lavigne - Muse = C:\WINDOWS\SYSTEM\a24g8CB1a3d.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = C:\WINDOWS\SYSTEM\mstask.exe
Machine Debug Manager = C:\WINDOWS\SYSTEM\MDM.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\AutoCADScript\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE "%1"

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 17/1/2003, 20:15:10)

[rename]
NUL=C:\WINDOWS\TEMP\GLB1A2B.EXE

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
PATH C:\BITWARE\;C:\PROGRA~1\GRISOFT\AVG6
set ci_holos_cli=c:\program files\seagate software\open olap

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://active.macromedia.com/flash2/cabs/swflash.cab

--------------------------------------------------
End of report, 4,396 bytes
Report generated in 0.425 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Rollin' Rog]

Southwest, it's always better to post an independent thread for a problem rather than to append to a previous, so I've split yours off.

I really don't have confidence that I'm seeing what needs to be seen with this current configuration of the StartupList run in "normal" mode, so I'm going to ask you to edit your last post and replace the list with one generated with the /complete switch.

To do this, create a shortcut to the exe. Then right click on the shortcut and select "properties". After the end quote in the "Target" field, add a space and /complete

Run the startuplist from this new shortcut and replace the last one with this.

Meanwhile, if you haven't seen these two TSG threads, you should review them carefully.

http://forums.techguy.org/showthread.php?s=&threadid=102879

http://forums.techguy.org/t97918/s.html