BackdoorAssasin/BackdoorBeast?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
I started a post elsewhere in the TSG forums:

http://forums.techguy.org/t217154.html

and VirtualMe said i should ask for help here.

This is my latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 1:57:14 PM, on 4/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSREG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PALTALK\PNETAWARE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

These two lines won't go away. I've removed them with HJT but they keep coming back:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE

..when i search the PC for msreg32.exe i'm not able to find it.

Housecalls found 5 uncleanable files (BKDR Assasin, BKDR Beast).

i'm just a rookie, and i can only process one thing at a time. please give me any information you can to help me clean this machine, but say it s-l-o-w-l-y and clearly as i was a blonde in my past life and am easily confused. :)

thanks in advance for all your help.
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
i'm running a scan on RAV right now...it just got started and already found all this:
Scan started at 4/5/2004 2:45:36 PM

Scanning memory...
c:\_Restore\TEMP\A0149365.CPY->(EXEEmb) - Backdoor:Win32/Beastdoor.BY -> Infected
c:\_Restore\TEMP\A0149493.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149496.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149503.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149506.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149513.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149516.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149525.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149528.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149535.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149538.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149552.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149555.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149593.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149596.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149628.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149631.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149653.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149656.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149704.CPY - Backdoor:Win32/Beastdoor.BY -> Infected
c:\_Restore\TEMP\A0149708.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149711.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149719.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149722.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149730.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149733.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149741.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149744.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149755.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149756.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149757.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149758.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149805.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149808.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149834.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149837.CPY - Trojan:Win32/Madtol.C -> Infected

bad bad bad :(
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
well...i either posted in the wrong area of TSG...or nobody here knows anything about this trojan. in either case my problem isn't being fixed...and i'm almost out of Kleenex so i guess i'll find help elsewhere. thanks to the 10 people who even bothered to read my problem.

::sigh::
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O4 - Startup: PowerReg Scheduler V3.exe

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files
C:\WINDOWS\SYSTEM\MSREG32.EXE

then
Reboot normally &

I would strongly recommend downloading and running a specialised anti-trojan

the best anti-trojan that I use for dealing with them is

TDS3 from http://tds.diamondcs.com.au/

download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto-update enabled

then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

sit back with a cup of coffee and watch what it finds

NOTE:

Unlike set-and-forget AVs, TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

post back with the tds log after running please, just copy & paste the entries from the scandump.txt
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
wow...i had given up...and left pretty much for the day...but i'm glad to see that you posted.

i printed off your instructions...and followed them to a T...and this thing is still not gone. I've run SpyBot S&D, Trojan Hunter, 3 of the online scans (Panda, HouseCalls, and RAV) and now i've used this TDS thing, but this STUPID Assasin thing is STILL not gone. :( i don't know how people do this for a living...it's incredibly frustrating.

i feel like i'm missing something. this thing is really really good at self-preserving, because no matter what i do it just keeps coming back. i'm sure that if i were to know the proper order in which to delete these files, and the proper order in which to run the scans etc... that i would eventually be able to get rid of this thing...but i don't have a clue.

here are the TDS logs:

Scan Control Dumped @ 01:34:09 06-04-04
RegVal Trace: RAT.Y3K 1.5: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Winhelp=C:\Program Files\MsHelp\Help.exe]

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system\msvbvm06.dll

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\windows\system\vvin.exe

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system\ldrmsvbvm06.dll

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\windows\temporary internet files\content.ie5\ij6pe98h\o[1].exe

Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
File: c:\program files\mshelp\1\0dll~1.tcf

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\recycled\dc25.exe

Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
File: c:\recycled\dc26.dll

i deleted all those but when i rebooted the computer i still got the same errors (that iexplorer.exe was causing an error in 0.dll). I ran HJT again and the items that i was told to delete are gone, but the errors aren't, so something's still not right.

Logfile of HijackThis v1.97.7
Scan saved at 2:06:27 AM, on 4/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\TROJANHUNTER.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PALTALK\PALTALK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinHelp] C:\Program Files\MsHelp\Help.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinUpdate] C:\Program Files\MsHelp\Help.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

so what now? i'm sorry for rambling on and on...and thank you for your help.
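The two logs above show the entry types that matter in this thread: the F0/F1 lines (system.ini Shell= and win.ini run=) that kept coming back, the O4 Run/RunServices entries pointing into C:\Program Files\MsHelp, and the O1 hosts line. As an added example (not from the thread or from HijackThis itself), here is a small triage script that parses those line types out of an HJT 1.97-style log and flags the patterns a helper looks for: a second program chained onto the shell line, a populated win.ini run= entry, any hosts override, and autostarts that point at the paths this thread identified. The sample log and the indicator list are constructed from the thread's own lines; a real triage would use a maintained indicator list.

```python
"""Triage a HijackThis 1.97-style log for Win9x persistence entries.

Added example (not part of the thread): parses the F0/F1, O1 and O4 line
types seen in the logs above and flags entries that load something other
than the expected shell, or an executable from a path the thread reported.
"""
import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the thread's two HJT logs.
SAMPLE_LOG = """\
F0 - system.ini: Shell=Explorer.exe C:\\WINDOWS\\SYSTEM\\MSREG32.EXE
F1 - win.ini: run=C:\\WINDOWS\\SYSTEM\\MSREG32.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\\..\\Run: [TaskMonitor] C:\\WINDOWS\\taskmon.exe
O4 - HKLM\\..\\Run: [WinHelp] C:\\Program Files\\MsHelp\\Help.exe
O4 - HKLM\\..\\RunServices: [WinUpdate] C:\\Program Files\\MsHelp\\Help.exe
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
"""

# Indicators taken from the thread itself (the file HJT kept re-listing and
# the folder the helper had the poster delete). Assumption for this example
# only; a real triage would use a maintained list.
KNOWN_BAD_SUBSTRINGS = ("\\MSREG32.EXE", "\\MSHELP\\")
EXPECTED_SHELL = "explorer.exe"


@dataclass
class Finding:
    line_type: str
    reason: str
    raw: str


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: ...' into (type, body); (None, None) if not an HJT line."""
    m = re.match(r"^([A-Z]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def check_line(line):
    """Return a Finding for a suspicious HJT line, or None if it looks normal."""
    kind, body = parse_line(line)
    if kind is None:
        return None
    upper = body.upper()
    if kind == "F0":
        # system.ini Shell= should be exactly Explorer.exe; any extra token is a
        # second program started alongside the shell (paths with spaces would
        # need quoting-aware splitting; the thread's lines have none).
        shell = body.split("Shell=", 1)[1] if "Shell=" in body else ""
        tokens = shell.split()
        if len(tokens) != 1 or tokens[0].lower() != EXPECTED_SHELL:
            return Finding(kind, "extra program chained onto system.ini Shell=", line)
    elif kind == "F1":
        # win.ini run=/load= are legacy autostarts; empty is the normal state.
        if "=" in body and body.split("=", 1)[1].strip():
            return Finding(kind, "win.ini run= autostart is populated", line)
    elif kind == "O1":
        # Any hosts-file override is worth a manual look: it can redirect or
        # block a vendor's update and scan sites.
        return Finding(kind, "hosts file entry present, review manually", line)
    elif kind == "O4":
        if any(s in upper for s in KNOWN_BAD_SUBSTRINGS):
            return Finding(kind, "autostart points at a path reported in the thread", line)
    return None


def triage(log_text):
    """Run check_line over every line of a log and collect the findings in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line_type}: {f.reason}\n    {f.raw}")
```

Run against the constructed sample it reports five entries (the F0 and F1 lines, the hosts line, and the two MsHelp autostarts) and stays quiet on taskmon.exe and SysTray.Exe; to use it on a real log, paste the log into `SAMPLE_LOG` or read it from a file and extend `KNOWN_BAD_SUBSTRINGS` with the paths your own scans report.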
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
something interesting to note...after trying again to delete 0.dll and 1.mzp and running Trojan Hunter AND TDS again...when i rebooted the PC the error i got was different than the one i had before. now the error is

Iexplorer has caused an error in KERNEL32.dll

so at least it's not 0.dll anymore...but unfortunately 0.dll and 1.mzp are both back.

make the bad man go away! lol
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
boot into safe mode & delete this folder
c:\program files\mshelp

then do this please

open hijackthis, press config/misc tools/ tick both little boxes about minor & empty sections and press generate start up list, post that list back here

before doing that let's clear the restore folder to get rid of all the old crap in there and stop those alarms
Turn off system restore by following instructions here

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

and then empty recycle bin, some alarms are coming from there

then also give me these 2 logs

Please download the KillBox from here:

http://download.broadbandmedic.com/VbStuff/KillBox.zip

UnZip it to its own folder, not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here

Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
Notepad will open with a log in it

Don't worry about the length of them 99% if not all of them will be legitimate, I'm just looking for indications of certain files running
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
hi...

any possibility that you missed explaining a step in all of this? i booted in safe mode and deleted the mshelp, then did the bit in HJT and turned off system restore, and then emptied the recycle bin.

i downloaded KillBox and pv, into their own folders like you said...but when i click on File, find msg{}.dll i get a popup window that says KillBox File List and it says in the window --msg{}dll search--- but nothing else. there's nothing that says create log...i've got File/add to log...but like i said there's nothing to add to any log...it's blank.

then i ran pv, and got this:


C:\WINDOWS\Desktop\PcGuru\pv>pv -m iexplore.exe >log.txt
pv: No matching processes found

C:\WINDOWS\Desktop\PcGuru\pv>start notepad.exe log.txt

C:\WINDOWS\Desktop\PcGuru\pv>exit

in a Dos window...and a little blank notepad popped up...no log on it.

did i miss something?

btw...the computer booted up with no errors...i'm not jumping up and down and shrieking like a 14 year old yet...but the thought has crossed my mind. :)
 

dvk01

Derek
Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
The killbox log being empty is OK, don't worry about the other log either

I think deleting the mshelp folder did it as that is where the 0dll was hiding, along with emptying all the other folders

to run pv it must be on the desktop, not in its own folder, and IE must be open as well. I don't think there is a need for it now, but if you want to try again, I'm happy to look at the log for you

any more problems post back
 

sighlentex

Thread Starter
Joined
Apr 4, 2004
Messages
21
i think You're right...and i also think You're GOD! :)

wanna get married? lol

THANKS SO MUCH for all your help!

(the story behind all this story is that the computer this happened to belongs to my ex "boyfriend" who i still live with and he was convinced that i had done something to his machine...so i'm glad to see it fixed...and it proves once and for all that it wasn't ME! :) you rock man!)
 