I run XP Professional which was updated from ME about a year ago. I started having the Dr. Watson Postmortme Debugger issues after updating Windows and trying to run Spybot. It was only after the update that I even knew about Dr. Watson and probably would not have concerned myself except that I was (and still am) unable to access Windows Explorer or My Computer or Control Panel.
I arguably had spyware problems as well as trojan problems, but having followed the advice in the ditto post of Aug 10, 2004 and the advice from Efwis relating to the Win32.TrojanDownloader.Agent.a1 I am fairly confident that I have removed the virus/trojans (which were multiple and pervasive).
The only other error message I have not yet solved is the following error and I include it only to be thorough. I have not reloaded the dll file as it took me a while to locate my Windows update disks and I have to research how to restore the file from the cab folder. That error is: "The application or dll c:\windows\sdkkk32.dll is not a valid windows image. Please check this agains yur installation diskette."
I have run Spybot ver. 1.3
Trojan Hunter 4.2
CleanUp!
CWShredder 2.11
Ad-Aware
and the virus scan from Computer Associates
Some I had to run in Safe mode because it is the only place I could access Explorer. Once I was certain where the .exe files were located, I also then ran them from my regular desktop using the run command from the Start Menu. That is also how I have to run HiJack This and enclosed is my log.
You have had numerous posts about this problem recently and am hoping someone will come up with an answer. My guess is the Malicious Software Removal Tool which came with the Windows Upgrades, but since I can't access the add/remove programs I couldn't uninstall it.
By the way, I access the internet through my Yahoo Browser. Programs which force the access through IE (looking for updates, etc.) cause IE to close with the sorry for the inconvenience message (or some such language).
The end of the log has a file listed which came up as a problem in one of the Ad-Aware scans (which it was unable to fix) and which led me to the info to download Trojan Hunter. It relates to APIQC.EXE which also shows up in taskmanager when I look for the Dr. Watson problem.
Like other users, I was ending one (sometimes out of three) drwatson32.exe's that were running as a way to release my screen. Now after all the trojan and virus removal I just get a blank blue screen for about 8 seconds and then my desktop comes back -- until I try to access Explorer or My Computer, etc., etc., etc.
Help! Please! Please!
Logfile of HijackThis v1.99.1
Scan saved at 5:50:20 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE
C:\WINDOWS\SYSTEM32\qttask.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\YAHOO!\BROWSER\YCOMMON.EXE
C:\Program Files\Hewlett-Packard\CLJ1500\Toolbox\HPPOUMUI.EXE
C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\system32\hppapml0.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\apiqg.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\HJT\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AB90497A-D4F9-39DC-2618-B49C0779D546} - C:\WINDOWS\system32\d3yu.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\common\ycomp5_2_3_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Status Monitor CLJ1500] C:\Program Files\Hewlett-Packard\CLJ1500\\Toolbox\HPPOUMUI.exe
O4 - HKLM\..\Run: [crlv32.exe] C:\WINDOWS\system32\crlv32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winab32.exe] C:\WINDOWS\system32\winab32.exe
O4 - HKLM\..\Run: [ipdh32.exe] C:\WINDOWS\system32\ipdh32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppdirector.exe
O4 - Global Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\PROGRAM FILES\YAHOO!\COMMON\YLOGIN.DLL
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02466323-75ED-11CF-A267-0020AF2546EA} (VivoActive Control) - http://player.vivo.com/ie/vvweb.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://sheetmusic.mu...ad/mnviewer.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093537514222
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yim...ctl_0_0_0_1.ocx
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell..../SysProfLCD.CAB
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
O23 - Service: Remote Procedure Call (RPC) Helper ( 6Q'8) - Unknown owner - C:\WINDOWS\apiqg.exe