
Haxdoor help

By rezzzy
Aug 14, 2008
  1. I scanned my PC with XoftSpySE from ParetoLogic... in the scan results it found a trojan with the name Haxdoor. This trojan infected w32tm.exe in system32. I scanned with anti-rootkit tools but none of them can find it. These are my HJT results:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:14:34 μμ, on 14/8/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
    C:\PROGRA~1\Crypto\Crypto\TVTray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
    C:\Program Files\Xfire\xfire.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [TVTray] C:\PROGRA~1\Crypto\Crypto\TVTray.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
    O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
    O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D1FF4D-D1FA-4CE8-85F6-A5E4D5E840CF}: NameServer = 195.170.0.1
    O20 - AppInit_DLLs: ,C:\WINDOWS\system32\cssdll32.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - - (no file)
    O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
    O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

    --
    Please, if anyone knows something about this problem, help me. Thanks.
     
  2. raybay


    Haxdoor is a very evil infestation. When you have this infestation, your passwords and IDs are compromised. You should stay offline with that computer. Anybody with whom you are in contact can be infected. Worse, this evil can find your communications with your bank and online sales to steal your passwords and even your bank account.

    Haxdoor, as a rootkit, has many variations that are difficult to find.

    Using another computer known secure, contact all banks, resellers, etc, and change your passwords and ID's.

    As for your log, PnkBstrA is installed with PunkBuster. Remove it with this: http://websec.evenbalance.com/downloads/windows/pbsetup.zip. If that doesn't work, it is usually not harmful. But sometimes Haxdoor hides as PunkBuster.

    This looks suspicious, but I do not know what it is: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις

    In short: Haxdoor is a specialized, controlled backdoor rootkit that can be used to gain unauthorized access to your machine. This infection utilizes a rootkit to hide itself, and it has many variants. It gloms onto user mode from the kernel, enabling remote unknown forces to get access to your computer by making changes to the system files and corrupting device drivers and .DLLs, with which it swipes user names and your passwords. This infection drops .DLLs and system drivers, and modifies the registry.

    Keep your computer disconnected from online while you are attempting removal.
    Access the accounts you normally access online with a computer known to be clean, or use a telephone to change all your accounts. Do NOT change anything from your infected computer.

    MBAM MalwareBytes can usually remove this, but it appears it may not have done so. NOD32 is also very good, but hasn't done the job.


    Once your accounts are safe, use SUPERAntiSpyware and Ad-Aware 2008 to do removals, then use something for which you will have to pay... Kaspersky, Spyware Doctor 6.0, or Spy Sweeper to see if you can rid yourself of this virulent infestation. You can often download a free scanner before you have to pay.

    Most techs cannot see the infestation in your log, because it hides itself, but the better spyware programs can, as it has been out for quite a while.

    Good luck.
     
  3. Blind Dragon


    raybay - it's showing itself: Haxdoor xxxx32.dll ->

    O20 - AppInit_DLLs: ,C:\WINDOWS\system32\cssdll32.dll
    ===============================================

    Hi rezzzy, What country are you from?

    Download haxfix.exe
    and save it to your desktop. Double click on haxfix.exe. A "DOS window" (DOS box) will open with these options:

    • The menu lists:
        1. Make Logfile
        U. Uninstall Haxfix
        E. Exit Haxfix
    • Select option 1. Make Logfile by typing 1 and then pressing Enter
    • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
    • Copy the contents of that logfile and paste it into this thread
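Blind Dragon's point above is that the infection was visible in the log all along: the O20 AppInit_DLLs line. The script below is an added example, not code from this thread or from Trend Micro's HijackThis, showing how a triage pass over an HJT log picks that line out mechanically, alongside the lower-value entries (orphaned "(no file)" items, a service with an unknown publisher, the interface DNS server). SAMPLE_LOG is a constructed subset of the log rezzzy posted, with the same paths and GUIDs; the severity labels and the Finding type are this example's own.

```python
"""Triage a HijackThis (HJT) log for the persistence entries that matter most
when a Haxdoor-style rootkit is suspected.

Added example, not code from the thread or from Trend Micro. SAMPLE_LOG is a
constructed subset of the log posted in the thread (same paths, same GUIDs).
"""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D1FF4D-D1FA-4CE8-85F6-A5E4D5E840CF}: NameServer = 195.170.0.1
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - - (no file)
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# Every HJT finding line has the shape "<section> - <body>", e.g.
# "O20 - AppInit_DLLs: ,C:\...".  Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (labels are this example's own)
    section: str    # HJT section id, e.g. "O20"
    subject: str    # the DLL, service path, entry or IP the finding is about
    reason: str


def parse_entries(log_text):
    """Yield (section, body) pairs; leading indentation (as on the forum) is ignored."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # The registry value is a comma/space separated list.  A leading
            # empty field (",C:\...") is common and must not hide the real DLL.
            value = body.split(":", 1)[1]
            for dll in re.split(r"[,\s]+", value):
                if dll:
                    findings.append(Finding(
                        "high", section, dll,
                        "AppInit_DLLs is loaded into every process that links "
                        "user32.dll; legitimate software rarely needs it, so "
                        "hash and identify the file before anything else"))
        elif section == "O23" and body.startswith("Service:"):
            path = body.rsplit(" - ", 1)[-1]
            if path == "(no file)":
                findings.append(Finding(
                    "info", section, body.split(" - ")[0],
                    "orphaned service entry with no file on disk; clutter"))
            elif "Unknown owner" in body:
                findings.append(Finding(
                    "medium", section, path,
                    "no recognised publisher; verify the file's hash/signature"))
        elif section == "O17" and "NameServer" in body:
            ip = body.split("=", 1)[1].strip()
            findings.append(Finding(
                "info", section, ip,
                "DNS server configured on an interface; confirm it is your ISP's"))
        elif body.endswith("(no file)"):
            findings.append(Finding(
                "info", section, body,
                "orphaned entry (target file missing); clutter, not an active threat"))
    return findings


def count_by_severity(findings):
    counts = {"high": 0, "medium": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ("high", "medium", "info").index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.subject}\n         {f.reason}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

On the infected machine itself the same value lives in the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs; the caveat raybay raises applies there too, since a kernel-mode rootkit can hide the value from tools run on the live system, which is why a log captured from a clean boot or an offline scan is the more trustworthy source.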
     