Author Topic: HAXDOOR-BGN (Found the root problem!)  (Read 18051 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: Explorer keeps shutting itself down
« Reply #15 on: April 01, 2005, 08:18:31 PM »
As whocares says, your system is virtually out of your control, and since you don't have a firewall you have nothing to stop outbound connections to the internet and the downloading of more and more of this spyware/malware/adware.

As you are seeing, every time you post a log file the contents might change, but the problem is getting worse. Almost all of the O4 entries with a few exceptions

See this on-line analysis; ignore all O23 entries for avast, this is a known problem with HJT 1.99.1 - http://hijackthis.de/logfiles/c5c5c587a5cb9431166d661d387add36.html

A fresh start may be your only real way to regain control.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Fishbomb

  • Guest
Re: Explorer keeps shutting itself down
« Reply #16 on: April 02, 2005, 05:57:13 PM »
http://forums.maddoktor2.com/index.php?showtopic=2659

THIS is exactly what I have!!!

There is a fix for it in this thread, but damn... *shakes head*. It seems to be some sort of new ubervirus...

The thing is, I do not want to wipe the computer clean. Why? Because then they win.

And if there's anything I hate, it is giving up.

However, I need to go and find the XP-pro install disc again, which I lent to a friend because his system had frozen up a month or so ago... *laughs* The only time you notice they are gone is when you really need them.

I will keep you updated

--------------------------

Copy of the fix by BGN.

Any comments? Does this sound like a good idea?

Like I said in my first post (I think). I miss DOS. Oh how I miss it.


----
Hi!

I think I was one of the first to catch this bugger and kill it manually.

You can call it the HAXDOOR-BGN from now on.

Symptoms:
Disables a range of firewalls.
Disables or crashes a range of antivirus products.
Collects confidential information from Windows (i.e. passwords).
Opens certain ports for an intruder to collect files.
Redirects your browser to a range of websites.
Not possible to remove trojan/virus files in failsafe mode.
Reinstalls after partial removal.
Crashes Windows and reboots if only the virus/trojan files are removed.


From what I can tell it's some kind of HAXDOOR virus containing the following files (there may be more though):

mszx23.exe (The Trojan I think)
drct16.dll (A bad feature that can make your Winlogon fail and reboot the PC)
p2.ini (Also used in the HAXDOOR virus - check info on the net)
klo5.sys (A log with events, keyboard input and your passwords)
vdnt32.sys (Also used in the HAXDOOR virus)
klogini.dll (Also used in the HAXDOOR virus)
i.a3d (Also used in the HAXDOOR virus)
fltr.a3d (No info found on the net - probably some datafile)
redir.a3d (No info found on the net - probably some datafile)

Since at this point no virus scanner detects this bugger, and no trojan scanner either, it was a tough call to get rid of the key components, since removing it only partly resulted in it coming back in full strength, and removing it fully without removing the registry entry for drct16.dll resulted in the PC rebooting forever, even in failsafe state!!!

Removing the virus/trojan manually is totally your own responsibility and as such also the possible risk of damaging your installed software/hardware.

What I did was:

1) Remove the registry entry (with regedit) with this key
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16

2) Reboot your PC from the Windows XP install CD-ROM in repair mode.
- rebooting into failsafe mode will still keep the files "open" and you will be unable to move the files into quarantine.

3) With the DOS like command interpreter change directory to the windows system folder (CD C:\WINDOWS\SYSTEM32)

4) Create a directory called quarantine (MD quarantine)

5) Copy all the above mentioned files into quarantine (COPY <filename> quarantine)

6) Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>)

7) Eject the Windows CD-ROM, type EXIT and press [enter] to boot from the hard disk

Your system should now be clean (from this trojan that is!) 

If you haven't taken the following precautions, do it now:
1) Install a firewall
2) Install an antivirus product with the newest virus definitions
3) Install Windows XP Service Pack 2
4) Install one or more antispyware programs (Ad-aware, Hijack-This . . .)


whocares

  • Guest
Re: Explorer keeps shutting itself down
« Reply #17 on: April 02, 2005, 06:41:40 PM »

Quote
THIS is exactly what I have!!!

This is a tiny part of your PC's problems.. but if you want to live with a compromised system: your choice ;)

You might want to come back after you've applied the above removal procedures/fixes, and post a new log..

ESCAN might also help you to check afterwards.. (see link "VirusRemoval")

 ;)

Fishbomb

  • Guest
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #18 on: April 09, 2005, 02:47:16 PM »
Well, thank you all for your kind help!

Now... I really hope that this Hijackthis log looks better. I've looked and looked but for me it seems pretty okay.

Any comments? I am currently downloading updates and anti virus protection, so all those systems are not up and running yet...

---

Logfile of HijackThis v1.99.1
Scan saved at 14:41:29, on 2005-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\QuickTime\qttask.exe
C:\Program\ALWILS~1\Avast4\ashmaisv.exe
C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Bra att ha\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\Program\ALWILS~1\Avast4\ashmaisv.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112452962546
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

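A small HijackThis log triage helper, added here as an example and not part of the thread or of HijackThis itself: it flags the component file names the BGN post lists, O20 Winlogon Notify DLLs outside an assumed XP allowlist, O23 services whose binary is missing, and about:blank resets like the ones in Fishbomb's first log. The sample log is constructed from a few lines of the thread plus assumed O20 lines; the O20 line format and the allowlist are assumptions.

```python
import re

# Component file names the BGN post in this thread attributes to HAXDOOR-BGN.
HAXDOOR_FILES = {
    "mszx23.exe", "drct16.dll", "p2.ini", "klo5.sys", "vdnt32.sys",
    "klogini.dll", "i.a3d", "fltr.a3d", "redir.a3d",
}
# Winlogon\Notify DLLs that ship with Windows XP (assumed allowlist; extend it
# for your own build). Anything else in an O20 entry deserves a second look.
XP_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                  "sclgntfy.dll", "wlnotify.dll"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
FILE_RE = re.compile(r"[\w~.\-]+\.(?:exe|dll|sys|ini|a3d)", re.IGNORECASE)

def triage(log_text):
    """Return (section, reason, line) triples for entries worth a look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines and the 'Running processes' block
        code, body = m.group("code"), m.group("body")
        names = {n.lower() for n in FILE_RE.findall(body)}
        hits = names & HAXDOOR_FILES
        if hits:
            findings.append((code, "HAXDOOR-BGN component: " + ", ".join(sorted(hits)), raw))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            if not names & XP_NOTIFY_DLLS:
                findings.append((code, "Winlogon Notify DLL not on XP allowlist", raw))
        elif code == "O23" and "(file missing)" in body:
            findings.append((code, "service binary missing (broken install or removed malware)", raw))
        elif code in ("R0", "R1") and body.rstrip().endswith("= about:blank"):
            findings.append((code, "IE search/home page reset to about:blank, common hijack residue", raw))
    return findings

# Constructed sample: lines taken from the thread plus assumed O4/O20 entries.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [mszx23] C:\WINDOWS\system32\mszx23.exe
O20 - Winlogon Notify: drct16 - C:\WINDOWS\system32\drct16.dll
O20 - Winlogon Notify: cscdll - C:\WINDOWS\SYSTEM32\cscdll.dll
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
```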

lee16

  • Guest
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #19 on: April 09, 2005, 05:36:06 PM »
Hi Fishbomb,


There is no malware in your log  :), however this is safe to remove as it slows down System start up:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime

Quote
I am currently downloading updates and anti virus protection, so all those systems are not up and running yet...

Are you also downloading a firewall? You don't appear to have one. Two good/free suggestions for firewalls are:

Sygate: http://smb.sygate.com/products/spf_standard.htm
OR
Zonealarm: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe


Only use one though; it's a bad idea to use more than one firewall at the same time, as it can cause conflicts.

--lee
« Last Edit: April 09, 2005, 05:37:37 PM by lee16 »

whocares

  • Guest
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #20 on: April 09, 2005, 05:51:53 PM »

Quote
There is no malware in your log

correct, but you wouldn't necessarily see it there..

-> This system is still compromised = not secure, but Who Cares ;)

Fishbomb

  • Guest
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #21 on: April 09, 2005, 07:13:12 PM »
*grins*

Well, I'm using the Win XP firewall... would that conflict if I downloaded another one?

I've been thinking about doing that. *ponders*

The new Hijackthis file:

Logfile of HijackThis v1.99.1
Scan saved at 19:09:02, on 2005-04-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\Analog Devices\SoundMAX\SMAgent.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\Program\Analog Devices\SoundMAX\Smtray.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program\mozilla.org\Mozilla\mozilla.exe
C:\Bra att ha\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aftonbladet.se
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Smapp] C:\Program\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program\ICQ\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1112452962546
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program\Analog Devices\SoundMAX\SMAgent.exe

...

Removed the blasted QuickTime thingy, it always sneaks in there. *grins* Updated pretty much everything, reinstalled Avast, got myself Hitman Pro as well. Updated all fixes and service packs... Changing passwords everywhere as well.

*grins* Yeah,  I am probably compromised. But there's nothing of value for anyone on my PC, so I just hope that I will be moderately secure now.

And at least I'll have enough time to download all my stuff so I won't be so exposed if this ever happens again.

Thanks for the support here anyways, would have gone nuts without it!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #22 on: April 09, 2005, 08:09:29 PM »
The Windows XP SP2 firewall doesn't provide outbound protection, so you need to cover that to stop malware phoning home with your accounts, usernames, passwords and downloading more of the same, etc.

If the Security Center detects a firewall that is up to date then it usually switches off the Windows firewall. So it shouldn't be a problem.

RJARRRPCGP

  • Guest
Re: HAXDOOR-BGN (Found the root problem!)
« Reply #23 on: April 19, 2005, 07:02:47 AM »
Quote

I use windows XP-pro

What happened was: On a small fansite for comic books, I must have contracted a virus. I did not accept anything, or click any links (I'm not stupid) but apparently it snuck in anyway.

It took over my computer. First it changed the wallpaper to one that advertised something called 'smart security' because obviously my computer was infected by trojans and viruses. All my shortcuts were erased and replaced with shortcuts to sites like 'home pharmacy', 'online poker', 'home mortgages' and so on. It changed around everything so that it suited itself, task bars, shortcuts and so on. Other things I found were 'allcybersearch' and a program called 124489, which was the first thing that I noted, with a picture of a cute blonde as an icon.

I also think it tried to hijack my modem, but since I am not using a modem that did not work.

That sounds like something you usually only get if going to a porn web site!!! Usually, "fan" web sites are neatly written.

I've only gotten stuff like that, chiefly the modem hijacking, when I went to a web site that's part of a porn ring.