Topic: Haxdoor.BGN & Unregmp2 (How do I remove them?) (Read 13907 times)


sandman1981

  • Guest
Haxdoor.BGN & Unregmp2 (How do I remove them
« on: April 26, 2008, 10:39:47 AM »
Hi;

I ran XoftSpy on my laptop (Windows Vista Home Premium, 32-bit) and found the following:

Haxdoor.BGN = Trojan
Unregmp2 = Worm

My antivirus (Kaspersky) does not detect them, only XoftSpy does. I don't think I need to tell much here as some of you may have come across Haxdoor before (at least). Xoftspy deletes it but it comes back - an old story.

Now I believe many people have asked about this virus here many times, but I wanted to have a fresh response since I find it difficult to go through older threads and the posts in them. They tend to get me confused.

I have tried the killbox. It doesn't delete either file.

The locations of the two malware are:

Haxdoor.BGN = C:\windows\system32\win32tm.exe
Unregmp2 in C:\windows\system32\Unregmp2.exe

FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #1 on: April 26, 2008, 10:58:33 AM »
To check if a suspect file is malware, submit the file to VirusTotal for analysis.

If confirmed as malware by several scanners, you'll need to submit the files to Kaspersky for analysis:

newvirus[at]kaspersky.com

They also have a support forum:

http://forum.kaspersky.com/index.php?act=idx

 ;)
« Last Edit: April 26, 2008, 11:01:46 AM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #2 on: April 26, 2008, 11:57:28 AM »
Ok let me try

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #3 on: April 26, 2008, 12:04:52 PM »
The virus scan is not recognizing it as a virus. Only XoftSpy is. :-\

File w32tm.exe received on 04.26.2008 11:57:39 (CET)
Current status: finished
Result: 0/32 (0%)

Antivirus     Version     Last Update     Result
AhnLab-V3   2008.4.25.2   2008.04.25   -
AntiVir   7.8.0.10   2008.04.25   -
Authentium   4.93.8   2008.04.26   -
Avast   4.8.1169.0   2008.04.25   -
AVG   7.5.0.516   2008.04.25   -
BitDefender   7.2   2008.04.26   -
CAT-QuickHeal   9.50   2008.04.26   -
ClamAV   0.92.1   2008.04.26   -
DrWeb   4.44.0.09170   2008.04.26   -
eSafe   7.0.15.0   2008.04.21   -
eTrust-Vet   31.3.5736   2008.04.26   -
Ewido   4.0   2008.04.25   -
F-Prot   4.4.2.54   2008.04.25   -
F-Secure   6.70.13260.0   2008.04.26   -
FileAdvisor   1   2008.04.26   -
Fortinet   3.14.0.0   2008.04.26   -
Ikarus   T3.1.1.26   2008.04.26   -
Kaspersky   7.0.0.125   2008.04.26   -
McAfee   5282   2008.04.25   -
Microsoft   1.3408   2008.04.22   -
NOD32v2   3056   2008.04.26   -
Norman   5.80.02   2008.04.25   -
Panda   9.0.0.4   2008.04.26   -
Prevx1   V2   2008.04.26   -
Rising   20.41.50.00   2008.04.26   -
Sophos   4.28.0   2008.04.26   -
Sunbelt   3.0.1056.0   2008.04.17   -
Symantec   10   2008.04.26   -
TheHacker   6.2.92.293   2008.04.26   -
VBA32   3.12.6.5   2008.04.26   -
VirusBuster   4.3.26:9   2008.04.25   -
Webwasher-Gateway   6.6.2   2008.04.26   -

FreewheelinFrank
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #4 on: April 26, 2008, 12:11:33 PM »
I'd say it's probably a false positive identification by XoftSpy then. You could send the files to them, mentioning that they are identified as malware but that nothing on VirusTotal confirms their identification.

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #5 on: April 26, 2008, 12:25:33 PM »
I have seen ppl remove this malware through HJT & KillBox. Any idea how it is done?

FreewheelinFrank
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #6 on: April 26, 2008, 12:33:54 PM »
Well the file you submitted to VirusTotal is not malware, which means it's probably a legitimate Windows file, which means you really don't want to remove it.

Remove the crappy anti-spyware program that's telling you these programs are malware instead.

Here are some trusted and reliable anti-spyware programs:

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free
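A local check that goes with the advice in Reply #1 (submit the file to VirusTotal) and Reply #6 (a file nothing on VirusTotal flags is probably a legitimate Windows file). This is an added example, not code from any poster in this thread: it looks at whether each flagged file is a Microsoft-signed binary sitting at its expected System32 path, and computes its SHA-256 so the file can be looked up on VirusTotal by hash rather than uploaded. The two paths are the ones named in the thread; the function names and the "signer subject contains Microsoft" rule are this example's own assumptions.

```powershell
# Added example, not code from this thread. The two paths are the ones the
# poster gave; everything else here is this example's own choice.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET SHA-256 is available on every PowerShell version, unlike Get-FileHash.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($fs) }
    finally { $fs.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Test-SuspectSystemFile {
    param([string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Present = $false }
    }

    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # A genuine Windows binary carries a valid signature chaining to Microsoft.
    # Caveat: older PowerShell builds do not check catalog signatures and report
    # NotSigned for many System32 files; in that case run
    # "sfc /verifyfile=<path>" from an elevated prompt as the fallback check.
    $looksGenuine = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')

    New-Object PSObject -Property @{
        Path         = $Path
        Present      = $true
        SizeBytes    = $item.Length
        LastWrite    = $item.LastWriteTime
        Description  = $item.VersionInfo.FileDescription
        Company      = $item.VersionInfo.CompanyName
        SigStatus    = $sig.Status
        Signer       = $signer
        LooksGenuine = $looksGenuine
        SHA256       = (Get-Sha256Hex -Path $Path)   # paste into VirusTotal search
    }
}

# The files this thread is about (paths as given by the poster).
$suspects = @(
    'C:\Windows\System32\w32tm.exe',
    'C:\Windows\System32\unregmp2.exe'
)

$suspects | ForEach-Object { Test-SuspectSystemFile -Path $_ } | Format-List
```

Read the output as a whole: a valid Microsoft signature, a Microsoft company name in the version info, and a SHA-256 that VirusTotal already knows with no detections together make a single-scanner alert very likely a false positive, while an unsigned file at a System32 path, a recent LastWrite on a file that should not change, or a hash VirusTotal has never seen are the signals that would justify sending the sample on for analysis.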

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #7 on: April 26, 2008, 01:01:31 PM »
Hmm... I'll download these but I still feel unsatisfied :( This is a brand new laptop I have.

By the way, XoftSpy started showing these 2 files yesterday. Before that it didn't show them, and my old laptop is also infested with Haxdoor.BGN in the same folder and file.

FreewheelinFrank
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #8 on: April 26, 2008, 01:05:56 PM »
You need to contact XoftSpy because they are telling you these files are malware.

Have you checked the other file at VirusTotal? It's clear w32tm.exe is not malware.

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #9 on: April 26, 2008, 01:09:14 PM »
Yes, I checked the other file also, and VirusTotal did not recognize it as malware.

As for XoftSpy, the company has stopped producing it as well as its updates. But they are still providing the final update.

I think I should contact them.
« Last Edit: April 26, 2008, 01:11:12 PM by sandman1981 »

FreewheelinFrank
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #10 on: April 26, 2008, 01:14:07 PM »
Then you really need to contact the support people at XoftSpy.

helpdesk@paretologic.com

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #11 on: April 26, 2008, 01:40:50 PM »
I have emailed them.

Meanwhile I have gone through various forums with people having found at least Haxdoor.BGN, in the same directory, with their XoftSpy, and their files have been recognized as malware.

Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #12 on: April 26, 2008, 02:01:37 PM »
sandman1981, I don't want to start arguing, just to share my personal experience. I don't trust the XoftSpy company: false positives and not that good support. I think there are better (and free) products available to do this work, including avast itself.
The best things in life are free.

sandman1981

Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #13 on: April 26, 2008, 02:37:11 PM »
The thing that is bugging me the most is that I found Haxdoor.BGN on my older laptop (Acer 1640, WinXP) with XoftSpy. For a while it just sat there in the directory (C:\windows\system32\w32tm), but in a couple of days it blocked my System Restore option, disabled the "Hide Files" option (did not allow me to hide anything), disabled the drag & drop option, and did not allow me to set a password on my system. I removed the password and it replaced it with a logon screen and disabled the logon option. God knows how I found a way around it to operate my Windows.

I am just afraid this might happen to my new laptop as well. So far neither Haxdoor nor Unregmp2 has done anything.

Lisandro
Re: Haxdoor.BGN & Unregmp2 (How do I remove them
« Reply #14 on: April 26, 2008, 03:11:58 PM »
Quote from sandman1981: "I am just afraid this might happen to my new laptop as well."
So, you can just try a full avast scan and also SUPERAntiSpyware and/or Spyware Terminator scans.
Also consider online scanning with Kaspersky and NOD32.