August 25th, 2005 01:50 AM
If I was you, I would download ad-aware along with the latest update, boot to safe mode (per hesperus' advice) and try it. You have nothing to lose. At worst, it will just come back and you will have proved me and hesperus wrong.
Also, a few questions:
What leads you to believe this registry key is the key in question? HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpu32
How do you know it "autoruns"?
When does the key come back? Immediately after deletion? Or after reboot?
Have you tried searching on google for Haxdoor? The first link looks interesting...
And finally two suggestions:
1. Stop using IE (Mozilla, Netscape, or Opera will do on Windows machines)
2. I would strongly suggest to be curteous to other AO members, especially when they are trying to help you.
Alright Brain, you don\'t like me, and I don\'t like you. But let\'s just do this, and I can get back to killing you with beer.
-- Homer S.
August 25th, 2005 02:21 AM
You are right, I replied too fast with 'safe mode', but you should be doing this anyway.
This is a rootkit, not just spyware. Have you tried any rootkit tools ? Here are two that may dig a little deeper than regular spyware detectors :
Most of these detectors require quite a bit of technical skill to interpret the results but one of the simplest to use and most effective is also free. It's called BlackLight  and is currently available as a free beta from F-Secure until the 1st of October 2005. I suggest everyone download this product and scan their PC. The chances of you being infected are small but for five minutes work it's not worth taking the risk. BlackLight will detect most rootkits missed by AV scanners but can still be fooled by state-of-the-art rootkits like Hacker Defender. To detect this and a few other insidious rootkits, you need heavier artillery. Currently the biggest gun in the rootkit detection war is a free Chinese product called IceSword . It will reveal absolutely everything running on your PC. Usage, however, requires considerable skill together with the patience to work out the program which is currently only documented in Chinese. In the hands of an expert, its an amazing tool.
Windows 2000 and later, 911KB.
slow Chinese site, 1.5MB[
Rooted twice ? Hmmm . . .
August 25th, 2005 03:30 AM
thank u all for trying to help i managed to fix it . there were 2 hidden trace files in windows\system32 folder called avpu32.sys & avpu64.sys and by using killbox i managed to prevent those 2 files from making the registry value return. I apologize to hasperous for getting out of line i was just a lil frustrated cuz i spent the past 24 hours without sleep trying to get rid of this menacing plague.
thank you both for trying to help me. problem is resolved.
by the way i will check out the rootkit software jus for kicks. lol