OK, I've tried to be my computer's hero and fix my virus problems myself, but now I'm breaking down and posting here since I am at a dead end. Hopefully this won't be too long, but here's the problem(s):
My task manager, registry editor, etc. were not working for the past month, so I finally decided to fix the problem. I found out from several help sites that viruses were causing the problems. To fix the viruses, I used Trend Micro online, AVG 6.0 and AdAware 6. I was able to get my task manager and registry editor back after this, but these software programs were not able to get rid of the trojan horse virus, BeastDoor(Backdoor). I downloaded Trojan Hunter and was able to delete some of the files, but there are still a few files that could not be deleted. They are -
C:\Windows\system32\msqsnt.com
C:\Windows\msagent\mspbls.com
They are the exact same file (size, modify date, etc.). I even tried to delete them in Safe Mode, but no luck (the processes are running even in Safe Mode). But my computer was working well once again, so I decided to live with it. Well, a few days later now my internet connection is all of a sudden not connecting to any websites and I think it may have to do with the virus. Even if getting help removing the virus doesn't restore my internet connection, I'll at least have rid myself of BeastDoor.
Some background information --
1) Before I ran Trojan Hunter, I noticed iexplore.exe was running in the background after startup, and when I would delete the process, mspbls.com would instantly start up, restore iexplore.exe and then end itself. Not only that, but iexplore.exe would open again and again (I think I got up to 50 iexplore.exe's at one time!) until I reset the computer. Well, mspbls.com was one of the files that Trojan Hunter identified as part of the trojan. It is located in C:\windows\msagent\. After running Trojan Hunter, it removes iexplore.exe every time I restart, so that problem seems to be fixed. It is in the registry though and I'd like to rid myself of it for good.
2) I looked at the registry editor and found the following:
No files in -
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
I deleted the following entries since they looked suspicious -
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysComp (runs C:\Windows\system32\msqsnt.com - BeastDoor)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SysExplore (runs C:\Windows\system32\explorer32.exe - I read on a forum somewhere that this is a virus)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck (runs C:\Windows\system32\NeroCheck.exe - I think this has to do with my Nero software)
The only problem here is that when I delete Run\SysComp, it comes back again when I restart Windows. I assume there is another registry entry creating this entry but I don't know where to begin there. The other 2 entries I deleted do not come back.
Here is the information I am getting from Trojan Hunter and HijackThis:
Trojan Hunter:
At startup, Trojan Hunter finds the BeastDoor virus each time, after which I tell TH to "clean" the files. Here is the text I get in return:
Module dxdgns.dll successfully unloaded from process WinLogon.exe (528)
Module dxdgns.dll successfully unloaded from process Iexplore.exe (816)
This process occurs each time I start XP. I don't have a file called dxdgns.dll anywhere on my computer, so maybe it is created from one of the .com files listed above?
HijackThis StartupList report -
StartupList report, 10/23/2003, 11:33:54 PM
StartupList version: 1.52
Started from : F:\kill_the_viruses\HijackThis.exe
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\WINDOWS\System32\mrtMngr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
F:\kill_the_viruses\HijackThis.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Mirabilis ICQ = C:\Program Files\ICQ\ICQ.exe -minimize
NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
ConMgr.exe = "C:\Program Files\EarthLink 5.0\ConMgr.exe"
UpdateMgr.exe = "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
WinampAgent = "C:\Program Files\Winamp\Winampa.exe"
DVDBitSet = "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
HPCDTray = "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
SysComp = C:\WINDOWS\system32\msqsnt.com
WindowsSetup = C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
SysCfgLoad = C:\WINNT\explorer.exe
THGuard = "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
---------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
---------------------
Enumerating Browser Helper Objects:
MyWay Search Assistant BHO - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL - {04079851-5845-4dea-848C-3ECD647AA554}
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINDOWS\system32\quiic.dll - {D0C09CCB-E8F1-48D2-82C1-82EA05A29E0C}
---------------------
Enumerating Task Scheduler jobs:
Symantec NetDetect.job
---------------------
Enumerating Download Program Files:
[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://active.macromedia.com/director/cabs/sw.cab
[{26E8361F-BCE7-4F75-A347-98C88B418322}]
CODEBASE = http://dst.trafficsyndicate.com/Dnl/T_50010/btiein.cab
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8817013889
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
---------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
---------------------
End of report, 5,320 bytes
Report generated in 0.100 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
And finally, the HijackThis log -
Logfile of HijackThis v1.97.3
Scan saved at 11:33:41 PM, on 10/23/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\updatemgr.exe
C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe
C:\WINDOWS\System32\mrtMngr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
F:\kill_the_viruses\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
N1 - Netscape 4: user_pref("browser.startup.homepage", ""); (C:\Program Files\Netscape\Users\n8\prefs.js)
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D0C09CCB-E8F1-48D2-82C1-82EA05A29E0C} - C:\WINDOWS\system32\quiic.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [HPCDTray] "C:\Program Files\HP CD-DVD\Umbrella\hpcdtray.exe"
O4 - HKLM\..\Run: [SysComp] C:\WINDOWS\system32\msqsnt.com
O4 - HKLM\..\Run: [WindowsSetup] C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
O4 - HKLM\..\Run: [SysCfgLoad] C:\WINNT\explorer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50010/btiein.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/d052c1d7d32ead/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37878.8817013889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I would really appreciate any help I can get regarding these problems. Thanks! -Nathan

Oops, when I was referring to deletions from the registry editor, the three entries should have read HKLM, not HKCU. Sorry for any confusion.

You spent 1 month with your PC running like that???
I have cleaned the beast 3 times and I always booted into safe mode, used TDS-3 twice and Trojan Hunter once; cleans everything up.
You should try safe mode and see... if it's not clean then format and reinstall... no use wasting one month when a couple of hours' work will give you a guaranteed clean machine.
The Beast attaches to winlogon and explorer OK, so it's hell to get off... if you have the necessary tools you can boot to DOS and delete winlogon and explorer and replace from CD... that will do it too.

First, download and unzip this .exe fix to your desktop:
http://www.dougknox.com/xp/fileassoc/xp_exe_fix.zip
Then, click Start > Run > type regedit and click OK.
Navigate to the following key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components
Click on each sub key that is a CLSID string
(The ones like {xxxxxx xxxxx xxxx xxxxx}) and look in the right-hand window for a reference to:
msqsnt.com
mspbls.com
When you locate the correct key, right click on it and choose delete. Close regedit.
Locate the following file and zip a copy of it to send me later to analyze.
C:\WINDOWS\system32\quiic.dll
Run HijackThis and check the following entries and click 'Fix checked'.
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL
O2 - BHO: (no name) - {D0C09CCB-E8F1-48D2-82C1-82EA05A29E0C} - C:\WINDOWS\system32\quiic.dll
O4 - HKLM\..\Run: [SysComp] C:\WINDOWS\system32\msqsnt.com
O4 - HKLM\..\Run: [WindowsSetup] C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
O4 - HKLM\..\Run: [SysCfgLoad] C:\WINNT\explorer.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50010/btiein.cab
Reboot to safe mode and delete the following:
C:\WINDOWS\system32\msqsnt.com
C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
C:\WINNT\explorer.exe
C:\Windows\msagent\mspbls.com
Run the .exe fix and reboot to Windows.
Email me the zipped C:\WINDOWS\system32\quiic.dll file. Click my name for the email addy.
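The three O4 entries the reply above singles out can be picked out mechanically from a HijackThis log with a simple triage check, shown here as an added example (not code from the thread or from HijackThis): it flags a well-known system binary name launched from a directory where it does not belong (the svchost.exe under C:\WINDOWS\Config\Setup and the explorer.exe under C:\WINNT on an XP box installed to C:\WINDOWS), and a Run key that launches a .com file. The directory whitelist and the sample lines are assumptions taken from this thread's log, not a general rule for every Windows install.

```python
import re

# Added example, not from the thread or HijackThis. Assumption: a stock XP
# install at C:\WINDOWS, so these are the only directories these well-known
# system binary names should legitimately be launched from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "winlogon.exe": {r"c:\windows\system32"},
}

# "O4 - HKLM\..\Run: [Name] command" (registry Run/RunOnce items only;
# "O4 - Global Startup:" shortcut lines are skipped).
O4_RE = re.compile(r"^O4 - (?P<key>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def command_path(cmd):
    """Return the executable path from a Run-key command, dropping switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|com|scr|dll|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def triage_o4(lines):
    """Return (entry name, path, reason) for O4 lines that deserve a look."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = command_path(m.group("cmd"))
        directory, _, base = path.lower().rpartition("\\")
        if base in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base]:
            findings.append((m.group("name"), path, f"{base} outside its normal directory"))
        elif base.endswith(".com"):
            findings.append((m.group("name"), path, "Run key launching a .com file"))
    return findings

# Constructed sample input: O4 lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\ICQ.exe -minimize
O4 - HKLM\..\Run: [UpdateMgr.exe] "C:\Program Files\EarthLink 5.0\updatemgr.exe" /NOCM
O4 - HKLM\..\Run: [SysComp] C:\WINDOWS\system32\msqsnt.com
O4 - HKLM\..\Run: [WindowsSetup] C:\WINDOWS\Config\Setup\Microsoft\svchost.exe
O4 - HKLM\..\Run: [SysCfgLoad] C:\WINNT\explorer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.7\THGuard.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
""".strip().splitlines()
```

Running triage_o4(SAMPLE_LOG) returns exactly the SysComp, WindowsSetup and SysCfgLoad entries; the legitimate ICQ, EarthLink and TrojanHunter items pass untouched.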

Thanks guys. Luckily, there was no need to re-format anything. I found the registry entries for mspbls.com by using RegSeeker, so I deleted the two entries along with the one for msqsnt.com from the registry. When I restarted Windows, I was able to delete these files and dxdgns.dll using AVG, and all is well for now.
I won't make the same mistake twice though, a new firewall is going to be installed this week. Great site and thanks for the help!
-n8
