
BackdoorAssasin/BackdoorBeast?

Discussion in 'Virus & Other Malware Removal' started by sighlentex, Apr 5, 2004.

Thread Status:
Not open for further replies.
  1. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    I started a post elsewhere in the TSG forums:

    http://forums.techguy.org/t217154.html

    and VirtualMe said i should ask for help here.

    This is my latest HJT log:

    Logfile of HijackThis v1.97.7
    Scan saved at 1:57:14 PM, on 4/5/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSREG32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\WINDOWS\SYSTEM\HPHMON04.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\PALTALK\PNETAWARE.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\SYSTEM\HPHIPM11.EXE
    C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    These two lines won't go away. I've removed them with HJT but they keep coming back:

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE

    ..when i search the PC for msreg32.exe i'm not able to find it.

    Housecalls found 5 uncleanable files (BKDR Assasin, BKDR Beast).

    i'm just a rookie, and i can only process one thing at a time. please give me any information you can to help me clean this machine, but say it s-l-o-w-l-y and clearly as i was a blonde in my past life and am easily confused. :)

    thanks in advance for all your help.
     
  2. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    i'm running a scan on RAV right now...it just got started and already found all this:
    Scan started at 4/5/2004 2:45:36 PM

    Scanning memory...
    c:\_Restore\TEMP\A0149365.CPY->(EXEEmb) - Backdoor:Win32/Beastdoor.BY -> Infected
    c:\_Restore\TEMP\A0149493.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149496.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149503.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149506.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149513.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149516.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149525.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149528.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149535.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149538.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149552.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149555.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149593.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149596.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149628.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149631.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149653.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149656.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149704.CPY - Backdoor:Win32/Beastdoor.BY -> Infected
    c:\_Restore\TEMP\A0149708.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149711.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149719.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149722.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149730.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149733.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149741.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149744.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149755.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
    c:\_Restore\TEMP\A0149756.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
    c:\_Restore\TEMP\A0149757.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
    c:\_Restore\TEMP\A0149758.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
    c:\_Restore\TEMP\A0149805.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149808.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149834.CPY - Trojan:Win32/Madtol.C -> Infected
    c:\_Restore\TEMP\A0149837.CPY - Trojan:Win32/Madtol.C -> Infected

    bad bad bad :(
     
  3. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    well...i either posted in the wrong area of TSG...or nobody here knows anything about this trojan. in either case my problem isn't being fixed...and i'm almost out of Kleenex so i guess i'll find help elsewhere. thanks to the 10 people who even bothered to read my problem.

    ::sigh::
     
  4. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
    F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
    O4 - Startup: PowerReg Scheduler V3.exe

    Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders"
    Click "Apply" then "OK"

    Delete these files
    C:\WINDOWS\SYSTEM\MSREG32.EXE

    then
    Reboot normally &

    I would strongly recommend downloading and running a specialised anti trojan

    the best antitrojan that I use for dealing with them is

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    then press scan control & tick all the little boxes in the bottom part of that window, press save configuration and then close that window by pressing the red X in top right corner, then select system testing and select full system scan

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    right click any file it finds and it gives you options on dealing with it, the normal selection would be delete , but first select "save as text", that will create a logfile of all the found suspect files and put it in the TDS directory called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
     
  5. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    wow...i had given up...and left pretty much for the day...but i'm glad to see that you posted.

    i printed off your instructions...and followed them to a T...and this thing is still not gone. I've run SpyBot S&D, Trojan Hunter, 3 of the online scans (Panda, HouseCalls, and RAV) and now i've used this TDS thing, but this STUPID Assasin thing is STILL not gone. :( i don't know how people do this for a living...it's incredibly frustrating.

    i feel like i'm missing something. this thing is really really good at self-preserving, because no matter what i do it just keeps coming back. i'm sure that if i were to know the proper order in which to delete these files, and the proper order in which to run the scans etc... that i would eventually be able to get rid of this thing...but i don't have a clue.

    here are the TDS logs:

    Scan Control Dumped @ 01:34:09 06-04-04
    RegVal Trace: RAT.Y3K 1.5: HKEY_LOCAL_MACHINE
    File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Winhelp=C:\Program Files\MsHelp\Help.exe]

    Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
    File: c:\windows\system\msvbvm06.dll

    Positive identification <Adv>: RAT.Optix Pro 1.3x
    File: c:\windows\system\vvin.exe

    Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
    File: c:\windows\system\ldrmsvbvm06.dll

    Positive identification <Adv>: RAT.Optix Pro 1.3x
    File: c:\windows\temporary internet files\content.ie5\ij6pe98h\o[1].exe

    Suspicious Filename: Dual extensions
    File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

    Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
    File: c:\program files\mshelp\1\0dll~1.tcf

    Positive identification <Adv>: RAT.Optix Pro 1.3x
    File: c:\recycled\dc25.exe

    Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
    File: c:\recycled\dc26.dll

    i deleted all those but when i rebooted the computer i still got the same errors (that iexplorer.exe was causing an error in 0.dll). I ran HJT again and the items that i was told to delete are gone, but the errors aren't, so something's still not right.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:06:27 AM, on 4/6/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
    C:\WINDOWS\SYSTEM\HPZTSB05.EXE
    C:\WINDOWS\SYSTEM\HPHMON04.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\LEXPPS.EXE
    C:\PROGRAM FILES\TROJANHUNTER 3.8\TROJANHUNTER.EXE
    C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\HPHIPM11.EXE
    C:\PALTALK\PALTALK.EXE
    C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
    O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
    O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
    O4 - HKLM\..\Run: [WinHelp] C:\Program Files\MsHelp\Help.exe
    O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [WinUpdate] C:\Program Files\MsHelp\Help.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Translate (HKLM)
    O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
    O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
    O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
    O9 - Extra 'Tools' menuitem: AV Live (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

    so what now? i'm sorry for rambling on and on...and thank you for your help.
     
  6. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    something interesting to note...after trying again to delete 0.dll and 1.mzp and running Trojan Hunter AND TDS again...when i rebooted the PC the error i got was different than the one i had before. now the error is

    Iexplorer has caused an error in KERNEL32.dll

    so at least it's not 0.dll anymore...but unfortunately 0.dll and 1.mzp are both back.

    make the bad man go away! lol
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    boot into safe mode & delete this folder
    c:\program files\mshelp

    then do this please

    open hijackthis, press config/misc tools/ tick both little boxes about minor & empty sections and press generate start up list, post that list back here

    before doing that let's clear the restore folder to get rid of all the old crap in there and stop those alarms
    Turn off system restore by following instructions here

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001012513122239
    That will purge the restore folder and clear any malware that has been put in there. Then reboot & then re-enable system restore & create a new restore point.

    and then empty recycle bin, some alarms are coming from there

    then also give me these 2 logs

    Please download the KillBox from here:

    http://download.broadbandmedic.com/VbStuff/KillBox.zip

    UnZip it to its own folder, not to the Desktop or a Temp folder. Click on The KillBox.exe and it will open. Now click find then find msg.dll, then on the little pop up window, that says killbox file list, press file/create log and a pop up says do you want to create a log in notepad, say yes and then save as usual in notepad and copy & paste the resulting list here

    Download this zip: http://www.zero.vulc4n.com/downloads/pv.zip, unzip it to the desktop.
    Be sure to have at least 1 Internet Explorer open, then double click on the runme.bat.
    Notepad will open with a log in it

    Don't worry about the length of them; 99% if not all of them will be legitimate, I'm just looking for indications of certain files running
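The two HijackThis logs in this thread show the persistence pattern the helper is chasing: the F0/F1 lines in the first log (system.ini Shell= and win.ini run= both pointing at MSREG32.EXE, which is why the entries "kept coming back" after being fixed), the O1 hosts override and the MsHelp\Help.exe entries registered under both Run and RunServices in the second log, which is the folder deleted in the post above. The script below is an added example written for this page, not code from the thread, from HijackThis or from TDS. It assumes the HijackThis 1.9x line format seen in the posted logs and flags exactly those patterns; the sample lines are copied from the thread's own logs, with one benign O4 entry (ScanRegistry) kept for contrast.

```python
import re
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "F0", "O4"
    reason: str    # why the entry was flagged
    line: str      # the log line itself


# Constructed sample: lines copied from the two HijackThis logs in this thread,
# plus one benign O4 entry (ScanRegistry) for contrast.
SAMPLE_LOG = r"""
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [WinHelp] C:\Program Files\MsHelp\Help.exe
O4 - HKLM\..\RunServices: [WinUpdate] C:\Program Files\MsHelp\Help.exe
"""

_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
_O4 = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")


def _exe_of(cmd: str) -> str:
    """Lower-cased command path up to and including the first '.exe';
    surrounding quotes and trailing arguments are dropped so the same
    binary registered twice compares equal."""
    c = cmd.strip().strip('"').lower()
    i = c.find(".exe")
    return c[: i + 4] if i >= 0 else c


def check_hjt(log: str) -> list[Finding]:
    """Return the entries in a HijackThis 1.9x log that a reviewer should look at."""
    findings: list[Finding] = []
    o4_by_exe: dict[str, list[tuple[str, str]]] = defaultdict(list)

    for raw in log.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")

        if sec == "F0":
            # system.ini Shell= names the shell; a second token is an extra
            # program launched at every logon, which is how MSREG32.EXE kept
            # coming back in the thread.
            tokens = body.partition("Shell=")[2].split()
            if len(tokens) > 1 or (tokens and tokens[0].lower() != "explorer.exe"):
                findings.append(Finding(sec, "Shell= starts something besides Explorer.exe", line))
        elif sec == "F1":
            # win.ini run=/load= are legacy autostart hooks; a clean
            # system normally has them empty.
            if body.partition("=")[2].strip():
                findings.append(Finding(sec, "win.ini run=/load= autostarts a program", line))
        elif sec == "O1":
            # Any hosts-file entry overrides DNS for that name.
            findings.append(Finding(sec, "hosts file redirects a hostname", line))
        elif sec == "O4":
            o = _O4.match(body)
            if o:
                o4_by_exe[_exe_of(o.group("cmd"))].append((o.group("key"), line))

    # Redundant persistence: one binary registered under several autorun keys
    # (Run + RunServices in the second log), so removing one entry is not enough.
    for entries in o4_by_exe.values():
        keys = {key for key, _ in entries}
        if len(keys) > 1:
            for _, line in entries:
                findings.append(Finding("O4", f"same executable under {len(keys)} autorun keys", line))
    return findings


if __name__ == "__main__":
    for f in check_hjt(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports five entries: the F0 and F1 lines (both MSREG32.EXE), the O1 hosts entry, and both MsHelp\Help.exe autoruns; the ScanRegistry line is left alone because it appears under a single key. The duplicate-key check is the useful generalisation: when the same binary shows up under Run and RunServices, ticking one line in HijackThis and rebooting simply lets the other entry restore it, which matches what the thread starter kept seeing.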
     
  8. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    hi...

    any possibility that you missed explaining a step in all of this? i booted in safe mode and deleted the mshelp, then did the bit in HJT and turned off system restore, and then emptied the recycle bin.

    i downloaded KillBox and pv, into their own folders like you said...but when i click on File, find msg{}.dll i get a popup window that says KillBox File List and it says in the window --msg{}dll search--- but nothing else. there's nothing that says create log...i've got File/add to log...but like i said there's nothing to add to any log...it's blank.

    then i ran pv, and got this:


    C:\WINDOWS\Desktop\PcGuru\pv>pv -m iexplore.exe >log.txt
    pv: No matching processes found

    C:\WINDOWS\Desktop\PcGuru\pv>start notepad.exe log.txt

    C:\WINDOWS\Desktop\PcGuru\pv>exit

    in a Dos window...and a little blank notepad popped up...no log on it.

    did i miss something?

    btw...the computer booted up with no errors...i'm not jumping up and down and shrieking like a 14 year old yet...but the thought has crossed my mind. :)
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    The killbox log being empty is OK, don't worry about the other log either

    I think deleting the mshelp folder did it as that is where the 0dll was hiding, along with emptying all the other folders

    to run pv it must be on the desktop not in its own folder and IE must be open as well, I don't think there is a need for it now, but if you want to try again, I'm happy to look at the log for you

    any more problems post back
     
  10. sighlentex

    sighlentex Thread Starter

    Joined:
    Apr 4, 2004
    Messages:
    21
    i think You're right...and i also think You're GOD! :)

    wanna get married? lol

    THANKS SO MUCH for all your help!

    (the story behind all this story is that the computer this happened to belongs to my ex "boyfriend" who i still live with and he was convinced that i had done something to his machine...so i'm glad to see it fixed...and it proves once and for all that it wasn't ME! :) you rock man!)
     



Short URL to this thread: https://techguy.org/217360
