
Help Plz, I Have Haxdoor.BGN [RESOLVED]



#1
Kovia

    Member
I am told this thing is a pain to get rid of; maybe someone here is able to help me.


This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 16:57:50, on 21/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\WHidePro\whpro.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\ESET\nod32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\DAP\DAP.EXE
C:\Documents and Settings\Ben\My Documents\Misc Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsHiderPro] C:\Program Files\WHidePro\whpro.exe
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


#2
Matt.F

    Visiting Staff
Hi Kovia, and welcome to GeeksToGo!

Before we begin, I'll need a bit more information from you. What makes you believe you have contracted the Haxdoor.BGN trojan?

Regards,
Matt

#3
Kovia

    Member
I ran Xoftspy and it said it was a virus, so I went to the Windows folder and checked it with my antivirus, and that confirmed it.

Filename = w32tm.exe

Location = C:\Windows\System32

Edited by Kovia, 26 January 2006 - 10:51 AM.


#4
Matt.F

    Visiting Staff
Hello Kovia!

Let's try and get rid of that file and see if that helps things.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Windows\System32\w32tm.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a fresh HijackThis log
Regards,
Matt

#5
Kovia

    Member
It seems to have done the job. I thought I had got rid of it myself but it came back, so I'll wait and see, and I will PM you if it's not gone.

As far as the thing goes:

"Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!)."

No, I didn't get that message; it just auto-rebooted after pressing Yes.

#6
Kovia

    Member
Actually, erm, having just run a spyware scan again, I'm gonna have to change my mind and say no, it didn't work; it is still in

C:\Windows\System32\w32tm.exe

:tazz: :)

#7
Matt.F

    Visiting Staff
Please run the Panda scan for me and post the results.

#8
Kovia

    Member
Incident Status Location

Adware:adware/ucontrol Not disinfected C:\PROGRAM FILES\COMMON FILES\UControl
Spyware:spyware/cws.olehelp Not disinfected Windows Registry

#9
Matt.F

    Visiting Staff
Kovia,

Please download ewido anti-malware; it is a free version of the program.
  • Install ewido anti-malware
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Please reply with the ewido log and a fresh HJT log for review.

Regards,
Matt

#10
Kovia

    Member
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 21:55:51, 28/01/2006
+ Report-Checksum: 7DBF95D7

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\KMiNT21 -> Spyware.DesktopSpyAgent : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\KMiNT21\WindowsHiderPro -> Spyware.DesktopSpyAgent : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-6CB0-410C-8C3D-8FA8D2011D0A} -> Spyware.iMesh : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
HKU\S-1-5-21-299502267-1979792683-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B} -> Spyware.SaveNow : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Sexlist : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Ben\Application Data\Mozilla\Firefox\Profiles\xzssqmgu.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Gordon\Application Data\Mozilla\Firefox\Profiles\rwqvz3v3.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End

----------------------------------------------------------------------------------
----------------------------------------------------------------------------------
----------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:40:21, on 28/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Teamspeak2_RC2\server_windows.exe
C:\Program Files\Teamspeak2_RC2\TeamSpeak.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Shareaza\Shareaza.exe
C:\Documents and Settings\Ben\My Documents\Misc Program\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {10093E98-C073-4C75-8D0E-FB5CD3A71D33} (ZoneUpwords Object) - http://messenger.zon...ds.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
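One way to compare the two HijackThis logs posted in this thread and to check whether any running process or startup entry references a suspect file. This is an added example, not part of the original posts; the log excerpts are shortened from the thread's two logs, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# HijackThis entry lines look like: "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Shortened excerpts of the two logs posted in this thread (21/01 and 28/01).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\WHidePro\whpro.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WindowsHiderPro] C:\Program Files\WHidePro\whpro.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\system32\services.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe

O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

def parse_hjt(text):
    """Return (processes, entries); entries maps a section code to a set of bodies."""
    processes, entries = set(), defaultdict(set)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False                  # the entry list ends the process list
            entries[m.group(1)].add(m.group(2))
        elif in_procs and line:
            processes.add(line.lower())       # Windows paths are case-insensitive
    return processes, entries

def diff_logs(before, after, sections=("O4", "O23")):
    """Report processes and startup/service entries that appeared or disappeared."""
    bp, be = parse_hjt(before)
    ap, ae = parse_hjt(after)
    report = {"proc_added": sorted(ap - bp), "proc_removed": sorted(bp - ap)}
    for s in sections:
        report[s + "_added"] = sorted(ae[s] - be[s])
        report[s + "_removed"] = sorted(be[s] - ae[s])
    return report

def references(text, filename):
    """Log lines that mention filename as a complete file name, case-insensitively."""
    pat = re.compile(r"(?<![\w.])" + re.escape(filename) + r"(?![\w.])", re.I)
    return [l.strip() for l in text.splitlines() if pat.search(l)]

if __name__ == "__main__":
    for key, items in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        for item in items:
            print(f"{key}: {item}")
    print("w32tm.exe references:", references(LOG_BEFORE + LOG_AFTER, "w32tm.exe"))
```

An empty result from `references` only means the file is neither running nor registered in the sections HijackThis lists; it says nothing about whether the file itself is clean.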



#11
Matt.F

    Visiting Staff
Is the w32tm.exe file still present?

#12
Kovia

    Member
Yes, but now my antivirus program doesn't say it's a trojan; only Xoftspy does.

#13
Matt.F

    Visiting Staff
Please follow the Killbox instructions from post #4 and let me know if the file returns after a reboot.

#14
Kovia

    Member
My Xoftspy says it's still there. I guess I am starting to lean closer to a complete reformat, although I didn't really want to do that if it could be avoided.

#15
Kovia

    Member
I figured Xoftspy might be conflicting with the file or something, or maybe it was picking it up from a quarantine.

So anyway, I figured I'd run my antivirus again and it didn't show that it was a virus anymore, so I ran Microsoft AntiSpyware also and that didn't find anything on my machine either.

I decided to uninstall Xoftspy and reinstall it, and now Xoftspy says there is nothing on my PC either.

So I guess it's fixed now :tazz:





