Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Backdoor.haxdoor 302

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Backdoor.haxdoor 302

Unread postby coffee_ » July 6th, 2006, 7:01 pm

Hello. =)

I've been having sites that pops up every few mins while I'm on the net (something like WinAntivirus Pro 2006, Sysprotect, Stopzilla, warning boxes, etc ). I don't know how I got this if I always visit the same websites everyday and they're not any dangerous ones either.

I've ran ad-aware, spybot - S&D and quarranted infected files/critical objects and re-scanned to make sure they were gone (all in safe mode). After I did that there were no more infected or critical files. However after I went on the net the pop ups came right back. I've tried vundofix which didn't find anything. So I downloaded Ewido which quarantined all the files in safe mode but there was one file (backdoor.haxdoor 302) that keeps getting an error while quarantining. I did it 3 times and it still had that error. BTW, I also used Symantec Antivirus which seems totally useless cause it never reports anything.

Well so far after running Ewido and just getting back online for a few hours yesterday and today there seems to be no pop ups yet. However, every time I start the computer ewido pops up and says there's backdoor.haxdoor so I choose to quarantine it but it's still not completely gone. ='( So please help!!!!
_____________________________________________________________

Here's one of my most recent Ewido report, I did another one but I forgot to save the log but I think the results are the same with that error thing:
+ Scan result:

C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976951.dll -> Adware.Aws :

Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976946.dll ->

Backdoor.Haxdoor.302 : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\__delete_on_reboot__y_v_p_p_0_1_._d_l_l_ -> Backdoor.Haxdoor.302 : Cleaned with backup

(quarantined).
[208] C:\WINDOWS\system32\yvpp01.dll -> Backdoor.Haxdoor.302 : Error during cleaning.
C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976947.dll ->

Downloader.Agent.anm : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976949.exe ->

Downloader.WinShow.z : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976950.exe ->

Downloader.WinShow.z : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{A16CD48B-CF9B-47DE-B80F-A7A42D5573D7}\RP346\A0976948.exe ->

Dropper.Agent.amr : Cleaned with backup (quarantined).


::Report end


And my Hijack log:
Logfile of HijackThis v1.99.1
Scan saved at 6:59:20 PM, on 7/6/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ca44fdcb-a93a-4afc-a44c-1442be48a623} - C:\WINDOWS\system32\THUMfde.dll (file missing)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: THUMfde - THUMfde.dll (file missing)
O20 - Winlogon Notify: yvbb01 - yvbb01.dll (file missing)
O20 - Winlogon Notify: yvpp01 - yvpp01.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
coffee_
Active Member
 
Posts: 2
Joined: July 6th, 2006, 6:50 pm
Advertisement
Register to Remove

Unread postby Navigator » July 6th, 2006, 7:32 pm

Hello coffee_....welcome to MalwareRemoval!

We'd like to help you clean your computer...but you need to help us (and yourself) first:

IMPORTANT
You are currently using an unpatched version of Windows XP.
It is CRITICAL that you update to Service Pack 1a
Please go here and download and install Service Pack 1a. If you have any problems, please post them here.

DO NOT update to Service pack 2. Doing so before your computer is clean can cause Windows to become unstable.

When you have updated Windows, please post a new HJT log (run in Normal Mode) in case you have picked up anything else since you posted your first one.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby coffee_ » July 7th, 2006, 5:18 pm

I can't seem to download it. =(
Is there just a way to get rid of that backdoor haxdoor?

I just want to solve this problem and then probably not go on this comp again since it's not mines (it's my sister's old comp) I'm just temporarily going on it while waiting for my new computer, but I still want to fix it since she has some important stuff on here. >_<
coffee_
Active Member
 
Posts: 2
Joined: July 6th, 2006, 6:50 pm

Unread postby Navigator » July 7th, 2006, 6:01 pm

Cleaning an unpatched version of WindowsXP is generally a waste of time...it makes it much harder to do (if possible at all) and the computer will become reinfected again in short order. I also hope you understand that the number one reason for people having an unpatched version of WindowsXP is because their copy is pirated/cracked/illegal and it is this sites (and most if not all malware assistance sites) policy not to support such products.

Can you do this for me:

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)
  • Click on Windows Validation Assistant
  • Click on the Validate Now button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click continue
  • When it says "Validation Complete" please click Continue to return to your previous activity
  • Copy what it says and paste it here.
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Navigator » July 8th, 2006, 1:10 am

Hello coffee_ .....

I've been informed that it may be possible that the infection may be precluding your attempts to update/verify you WindowsXP...sorry for the delay, but let's try and get the computer clean and then verify later:

Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"

A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix

  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt
  • Copy the contents of that logfile and paste it into this thread. (c:\haxfix.txt)
User avatar
Navigator
MRU Honors Grad Emeritus
 
Posts: 1237
Joined: December 21st, 2005, 8:35 pm
Location: Missouri

Unread postby Nellie2 » July 24th, 2006, 5:51 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
Nellie2
Administrator Emeritus
 
Posts: 8737
Joined: December 16th, 2004, 5:01 pm
Location: UK
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 52 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware