Haxdoor
isle_of_infamy
February 21st, 2005, 02:18 AM
Trojan:
Haxdoor.BGN or Haxdoor-O or mszx23.exe Backdoor.Haxdoor.D
Directory= C:\WINNT\system32
System = windows 2000 pro (NT)
Problem Symptom:
After deleting vdnt32.sys successfully in safe mode, file drct16.dll creates itself in the system32 folder (0kb), which cannot be deleted.
notes:
w32tm.exe (returns after delete)
drct16.dll (cannot delete; shares attributes with vdnt32.sys)
vdnt32.sys (cannot delete except in safe mode; shares attributes with drct16.dll)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDMT16 (cannot delete)
Yes, I tried the file-in-use deleter application, and I also tried Killbox, but no such luck. Anyone know what service process causes the return of these 2 files?
Relyt
February 21st, 2005, 02:27 AM
Here’s a free site that supposedly scans/removes haxdoor:
http://www.what-is-spyware.net/Haxdoor-o.html
Hope that helps.
cheers
isle_of_infamy
February 21st, 2005, 02:58 AM
Thanks, I will try and let you know what happens.
isle_of_infamy
February 21st, 2005, 03:22 AM
I downloaded this application and installed it, although it does not allow me to run the software; for some reason I get an application error.
meeeeeee
February 22nd, 2005, 12:16 AM
http://forums.maddoktor2.com/index.php?showtopic=2659
Read that thread and see if any of it is helpful.
:)
jinxy
February 22nd, 2005, 12:27 AM
And upload a copy of the .exe to your AV supplier if you can.
SirDice
February 22nd, 2005, 10:38 AM
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html
isle_of_infamy
February 28th, 2005, 11:31 AM
7 days later and finally I kicked this trojan's butt thanks to WebRoot Spy Sweeper 3.5.0.194 Beta Trial Version. It must be the 194 beta version, otherwise you won't be able to update your definition files. It detected the Haxdoor backdoor trojan right away, and in conjunction with that and Killbox I managed to delete the file that kept coming back in my Windows system32 folder.
Safe at last thanks to WebRoot Spy Sweeper.
IKnowNot
February 28th, 2005, 12:30 PM
You know, I don't know which I am gladder about ..
The fact that you fixed the problem,
or,
The fact that you came back and reported it letting us know your progress and solutions!
isle_of_infamy
March 1st, 2005, 01:18 AM
Well, that's one for the good guys. If I can make people aware of malware I will.
Score:
Spy Sweeper - 1
Haxdoor - 0
:D
ashtified
March 1st, 2005, 06:31 AM
Use Windows XP support tools like apimon and depends to see what services it initialises when it's started. depends is my personal favourite.
Then delete or rename any .exe files it requires to be initialised but that are not critical for system processes, like imapi, or any .dll file, like msvbvm60.dll, required for viruses made in Visual Basic.
At last you can try running msconfig and see what services are started on boot.
Also, when killing the process, you can kill the process tree in Task Manager rather than just the process.
I think this is sufficient.
ashtified..
HELL WAS FULL SO I M BACK.