Haxdoor help

[rezzzy]

i scanned my pc with xsoftspyse from paretologic ...in scan results found a trojan with the name Haxdoor...this trojan infected the w32tm.exe in system32..i scanned with antirootkits but any of them can find it..This is my HJK results


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:14:34 μμ, on 14/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamtrayctrl.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\PROGRA~1\Crypto\Crypto\TVTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [TVTray] C:\PROGRA~1\Crypto\Crypto\TVTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\npjpi160_06.dll
O9 - Extra button: (no name) - {85e1f530-48f4-11d9-9629-08ff2ffc9f67} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2D1FF4D-D1FA-4CE8-85F6-A5E4D5E840CF}: NameServer = 195.170.0.1
O20 - AppInit_DLLs: ,C:\WINDOWS\system32\cssdll32.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - - (no file)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
PLZ if anyone knows something about this prob help me thxz

 

[raybay]

Haxdoor is a very evil infestation. When you have this infestation, your passwords and ID's are compromised. You should stay off line with that computer. Anybody with whom you are in contact can be infected. Worse, this evil can find your communications with your bank and online sales to steal your passwords and even your bank account.

Haxdoor as a RootKit has many variations that are difficult to find..

Using another computer known secure, contact all banks, resellers, etc, and change your passwords and ID's.

As for your log, PnkBstraA is installed with PunkBuster. Remove it with this: http://websec.evenbalance.com/downloads/windows/pbsetup.zip. If that doesn't work, it is usually not harmful. But sometimes Haxdoor hides as Punkbuster

This looks suspicious, but I do not know what it is: R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις

In short: Haxdoor is a a specialized controlled backdoor rootkit that can be used to gain unauthorized access to your machine. This infection utilizes a rootkit to hide itself, and it has many variants. It gloms onto the user-mode from the Kernal, enabling remote unknown forces to get access to your computer by making changes to the system files, corrupting device drivers, .DLLs, with which it swipes user names and your passwords. This infection drops .dlls, system drivers, and modifies the registry.

Keep your computer disconnected from online while you are attempting removal.
Access your accounts normally accessed online with a computer known to be clean. or use a telephone to change all your accounts. Do NOT change anything from your infected computer.

MBAM MalwareBytes can usually remove this, but it appears it may not have done so. NOD32 is also very good, but hasn't done the job.


Once your accounts are safe, use SuperAntispyware, and Adaware 2008 to do removals, then use something for which you will have to pay... Kaspersky, Spyware Doctor 6.0, or Spysweeper to see if you can rid yourself of this virulent infestation. You can often download a free scanner before you have to pay.

Most techs cannot see the infestation in your log, because it hides itself, but the better spyware programs can, as it has been out for quite a while.

Good luck.

 

[Blind Dragon]

raybay - it's showing itself: Haxdoor xxxx32.dll ->

O20 - AppInit_DLLs: ,C:\WINDOWS\system32\cssdll32.dll
===============================================

Hi rezzzy, What country are you from?

Download haxfix.exe
and save it to your desktop. Double click on haxfix.exe. A "dos window" (dos box) will open with options:

• 
  
  [*]1. Make Logfile
  [*]U. Uninstall Haxfix
  [*]E. Exit Haxfix​

• Select option 1. Make logfile by typing 1 and then pressing Enter
• Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
• Copy the contents of that logfile and paste it into this thread