1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Haxdoor and more

Discussion in 'Virus & Other Malware Removal' started by Cookem, Jan 25, 2007.

Thread Status:
Not open for further replies.
  1. Cookem

    Cookem Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    2
    I've a friend's win2k SP4 pc who really is computer illiterate. They asked me to help them with a virus infection and wow, I found the worst PC i've ever seen. I've removed lots of malware from the system but am now having trouble removing some of haxdoor. Additionally, I think there is some other stuff on the system I've overlooked as when the machine is online the network gets busy and the AVAST mail scanner goes active... not a good sign.

    I've run haxfix with option 3, manual, and used the key ASPI but it will not remove the file.

    The PC did have a copy of AVG on it, but it was disabled/not running, I couldn't get it to uninstall, so It's not loading at all now. There are a lot of files on the PC that are not readable, I believe because of a virus.

    Here are my Hijackthis and haxfix logs, Any help would be much appreciated:

    HAXFIX logfile - by Marckie

    version 4.361
    Thu 01/25/2007 21:13:11.51

    --- Checking for Haxdoor ---

    checking for a3d files
    a3d files not found

    checking for matching notify keys
    no matching notify keys found

    checking for matching services
    matching services found
    Aspi32

    checking for matching safeboot services
    no matching safeboot services found

    checking for other Haxdoor-files
    no other Haxdoor-files found


    --- Checking for Goldun ---


    checking for SSODL keys
    no ssodl keys found

    checking for notify keys
    no notify keys found

    checking for services
    no services found

    checking for other Goldun-files
    no other Goldun-files found

    checking iexplore.exe
    iexplore.exe is not infected

    ================================================

    Logfile of HijackThis v1.99.1
    Scan saved at 8:53:15 PM, on 1/25/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\adirss.exe
    C:\WINNT\system32\lnwin.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINNT\system32\taskdir.exe
    C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    O2 - BHO: PeoplePC ScamGuard - {7E3659A6-4BC5-4d93-B3FD-8B5ACC2FEDED} - C:\Program Files\PeoplePC\Toolbar\ScamGrd.dll
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\PeoplePC\ISP6300\BIN\PPCOLink.exe -STATION
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [sysinter] C:\WINNT\system32\adirss.exe
    O4 - HKLM\..\Run: [lnwin.exe] C:\WINNT\system32\lnwin.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: MSDN Driver (msdndr) - Unknown owner - C:\WINNT\system32\msdndr.pif (file missing)
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe


    Finished!
     
  2. Cookem

    Cookem Thread Starter

    Joined:
    Jan 25, 2007
    Messages:
    2
    I worked on the PC a lot more and after deleting over 7000 infected files win2k wasn't quite right anymore. I did a restore of the protected windows files and then did a "install in place" and neither revived the "add/remove program" and tons of other ancillary windows functions. So i've re-partitioned and re-installed.

    Thanks for looking

    cookem
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538439

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice