-
Haxdoor
Trojan: Haxdoor.BGN or Haxdoor-O or mszx23.exe Backdoor.Haxdoor.D
Directory = C:\WINNT\system32
System = Windows 2000 Pro (NT)
Problem symptom:
After deleting vdnt32.sys successfully in safe mode, the file drct16.dll creates itself in the system32 folder (0 KB), and it cannot be deleted.
Notes:
w32tm.exe (returns after delete)
drct16.dll (cannot delete; shares attributes with vdnt32.sys)
vdnt32.sys (cannot delete except in safe mode; shares attributes with drct16.dll)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDMT16 (cannot delete)
Yes, I tried the file-in-use deleter application, and I also tried Killbox, but no such luck. Anyone know what service process causes the return of these 2 files?
-
Here’s a free site that supposedly scans/removes haxdoor:
http://www.what-is-spyware.net/Haxdoor-o.html
Hope that helps.
cheers
-
thanks
Thanks, I will try and let you know what happens.
-
XoftSpy4.10
I downloaded this application and installed it, although it does not allow me to run the software; for some reason I get an application error.
-
http://forums.maddoktor2.com/index.php?showtopic=2659
Read that thread and see if any of it is helpful.
:)
-
And upload a copy of the .exe to your AV supplier if you can.
-
7 days later and finally I kicked this trojan's butt thanks to WebRoot Spy Sweeper 3.5.0.194 Beta Trial Version. It must be the 194 beta version, otherwise you won't be able to update your definition files. It detected the Haxdoor backdoor trojan right away, and in conjunction with that and Killbox I managed to delete the file that kept coming back in my Windows system32 folder.
Safe at last thanks to WebRoot Spy Sweeper.
-
You know, I don't know which I am gladder about ..
The fact that you fixed the problem,
or,
The fact that you came back and reported it letting us know your progress and solutions!
-
Haxdoor
Well, that's one for the good guys. If I can make people aware of malware I will.
Score:
Spy Sweeper - 1
Haxdoor - 0
:D
-
Use Windows XP support tools like apimon and depends to see what services it initialises when it's started. depends is my personal favourite.
And then delete or rename any .exe files it requires to be initialised but that are not critical for system processes, like imapi, or any .dll file, like msvbvm60.dll, required for viruses made in Visual Basic.
At last, you can try running msconfig and see what services are started on boot.
Also, when killing the process you can kill the process tree in Task Manager rather than just the process.
I think this is sufficient.
ashtified..
HELL WAS FULL SO I M BACK.