
BackdoorAssasin/BackdoorBeast?

1570 Views 9 Replies 2 Participants Last post by sighlentex
I started a post elsewhere in the TSG forums:

http://forums.techguy.org/t217154.html

and VirtualMe said i should ask for help here.

This is my latest HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 1:57:14 PM, on 4/5/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSREG32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\PALTALK\PNETAWARE.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PalNetaware.lnk = C:\Paltalk\pnetaware.exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

These two lines won't go away. I've removed them with HJT but they keep coming back:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\SYSTEM\MSREG32.EXE
F1 - win.ini: run=C:\WINDOWS\SYSTEM\MSREG32.EXE

...when i search the PC for msreg32.exe i'm not able to find it.

Housecalls found 5 uncleanable files (BKDR Assasin, BKDR Beast).

i'm just a rookie, and i can only process one thing at a time. please give me any information you can to help me clean this machine, but say it s-l-o-w-l-y and clearly as i was a blonde in my past life and am easily confused. :)

thanks in advance for all your help.
i'm running a scan on RAV right now...it just got started and already found all this:
Scan started at 4/5/2004 2:45:36 PM

Scanning memory...
c:\_Restore\TEMP\A0149365.CPY->(EXEEmb) - Backdoor:Win32/Beastdoor.BY -> Infected
c:\_Restore\TEMP\A0149493.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149496.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149503.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149506.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149513.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149516.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149525.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149528.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149535.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149538.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149552.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149555.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149593.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149596.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149628.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149631.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149653.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149656.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149704.CPY - Backdoor:Win32/Beastdoor.BY -> Infected
c:\_Restore\TEMP\A0149708.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149711.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149719.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149722.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149730.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149733.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149741.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149744.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149755.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149756.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149757.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149758.CPY - Backdoor:Win32/Assasin.2_0.C -> Infected
c:\_Restore\TEMP\A0149805.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149808.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149834.CPY - Trojan:Win32/Madtol.C -> Infected
c:\_Restore\TEMP\A0149837.CPY - Trojan:Win32/Madtol.C -> Infected

bad bad bad :(
well...i either posted in the wrong area of TSG...or nobody here knows anything about this trojan. in either case my problem isn't being fixed...and i'm almost out of Kleenex so i guess i'll find help elsewhere. thanks to the 10 people who even bothered to read my problem.

::sigh::
wow...i had given up...and left pretty much for the day...but i'm glad to see that you posted.

i printed off your instructions...and followed them to a T...and this thing is still not gone. I've run SpyBot S&D, Trojan Hunter, 3 of the online scans (Panda, HouseCalls, and RAV) and now i've used this TDS thing, but this STUPID Assasin thing is STILL not gone. :( i don't know how people do this for a living...it's incredibly frustrating.

i feel like i'm missing something. this thing is really really good at self-preserving, because no matter what i do it just keeps coming back. i'm sure that if i were to know the proper order in which to delete these files, and the proper order in which to run the scans etc... that i would eventually be able to get rid of this thing...but i don't have a clue.

here are the TDS logs:

Scan Control Dumped @ 01:34:09 06-04-04
RegVal Trace: RAT.Y3K 1.5: HKEY_LOCAL_MACHINE
File: SOFTWARE\Microsoft\Windows\CurrentVersion\Run [Winhelp=C:\Program Files\MsHelp\Help.exe]

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system\msvbvm06.dll

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\windows\system\vvin.exe

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system\ldrmsvbvm06.dll

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\windows\temporary internet files\content.ie5\ij6pe98h\o[1].exe

Suspicious Filename: Dual extensions
File: c:\program files\hewlett-packard\digital imaging\hpisinst\install.wse.exe

Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
File: c:\program files\mshelp\1\0dll~1.tcf

Positive identification <Adv>: RAT.Optix Pro 1.3x
File: c:\recycled\dc25.exe

Positive identification (DLL): RAT.Assasin 2.0 FWB (dll)
File: c:\recycled\dc26.dll

i deleted all those but when i rebooted the computer i still got the same errors (that iexplorer.exe was causing an error in 0.dll). I ran HJT again and the items that i was told to delete are gone, but the errors aren't, so something's still not right.

Logfile of HijackThis v1.97.7
Scan saved at 2:06:27 AM, on 4/6/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\UNLOAD\HPQCMON.EXE
C:\WINDOWS\SYSTEM\HPZTSB05.EXE
C:\WINDOWS\SYSTEM\HPHMON04.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.8\TROJANHUNTER.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\HPHIPM11.EXE
C:\PALTALK\PALTALK.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\DESKTOP\PCGURU\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://desktop.presario.net/scripts/redirectors/presario/deskredir.dll?c=3c00&s=consumer&LC=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.presario.net/scripts/redirectors/presario/srchredir.dll?c=3c00&s=searchbar&LC=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/ymsgr/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/ymsgr/defaults/su/*http://www.yahoo.com
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMMON\YCOMP5,0,2,0.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb05.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\SYSTEM\HPHMON04.EXE
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [WinHelp] C:\Program Files\MsHelp\Help.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.8\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [WinUpdate] C:\Program Files\MsHelp\Help.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: Event Reminder.lnk = C:\Program Files\Broderbund\PrintMaster\pmremind.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Translate (HKLM)
O9 - Extra 'Tools' menuitem: AV &Translate (HKLM)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL (HKLM)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host (HKLM)
O9 - Extra 'Tools' menuitem: AV Live (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0727.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.4177199074
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab

so what now? i'm sorry for rambling on and on...and thank you for your help.
something interesting to note...after trying again to delete 0.dll and 1.mzp and running Trojan Hunter AND TDS again...when i rebooted the PC the error i got was different than the one i had before. now the error is

Iexplorer has caused an error in KERNEL32.dll

so at least it's not 0.dll anymore...but unfortunately 0.dll and 1.mzp are both back.

make the bad man go away! lol
hi...

any possibility that you missed explaining a step in all of this? i booted in safe mode and deleted the mshelp, then did the bit in HJT and turned off system restore, and then emptied the recycle bin.

i downloaded KillBox and pv, into their own folders like you said...but when i click on File, find msg{}.dll i get a popup window that says KillBox File List and it says in the window --msg{}dll search--- but nothing else. there's nothing that says create log...i've got File/add to log...but like i said there's nothing to add to any log...it's blank.

then i ran pv, and got this:


C:\WINDOWS\Desktop\PcGuru\pv>pv -m iexplore.exe >log.txt
pv: No matching processes found

C:\WINDOWS\Desktop\PcGuru\pv>start notepad.exe log.txt

C:\WINDOWS\Desktop\PcGuru\pv>exit

in a Dos window...and a little blank notepad popped up...no log on it.

did i miss something?

btw...the computer booted up with no errors...i'm not jumping up and down and shrieking like a 14-year-old yet...but the thought has crossed my mind. :)
i think You're right...and i also think You're GOD! :)

wanna get married? lol

THANKS SO MUCH for all your help!

(the story behind all this story is that the computer this happened to belongs to my ex "boyfriend" who i still live with and he was convinced that i had done something to his machine...so i'm glad to see it fixed...and it proves once and for all that it wasn't ME! :) you rock man!)