Need to remove haxdoor

[Mike]

Hi again,

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following

Quote:

@VER > Log.txt
@Start Notepad Log.txt

In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.



Double click on fix.bat. Log.txt will appear, please post the contents here.

[centurian]

I got this:

Microsoft Windows XP [Version 5.1.2600]

[Mike]

Good,

This should supposedly do the trick, your somewhat of a test subject at the moment .

Delete your old copy of combofix once again, download a new copy here

It should run this time, tell me how it goes.

[centurian]

It worked!!

ComboFix 08-08-28.06 - One 2008-08-30 21:51:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT 10:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\One\Application Data\macromedia\Flash Player\#SharedObjects\P9FKCP87\bin.clearspring.com
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\#SharedObjects\P9FKCP87\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\#SharedObjects\P9FKCP87\interclick.com
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\#SharedObjects\P9FKCP87\interclick.com\ud.sol
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\One\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ROTW


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-30 )))))))))))))))))))))))))))))))
.

2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Program Files\Avira
2008-08-15 23:36 . 2008-08-15 23:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-14 23:43 . 2008-08-14 23:43 250 --a------ C:\WINDOWS\gmer.ini
2008-08-14 23:25 . 2008-08-14 23:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-14 23:25 . 2008-07-30 20:15 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-14 23:25 . 2008-07-30 20:15 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-13 23:12 . 2008-05-02 00:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-02 21:53 . 2008-08-02 21:53 <DIR> d-------- C:\Deckard
2008-07-30 23:13 . 2008-07-30 23:13 <DIR> d-------- C:\ie-spyad_zo
2008-07-27 23:26 . 2008-07-27 23:33 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-21 00:11 . 2008-07-21 00:11 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-20 23:07 . 2008-07-18 22:07 270,880 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-20 23:07 . 2008-07-18 22:07 29,728 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-16 22:38 . 2008-08-10 23:16 <DIR> d-------- C:\Program Files\Panda Security
2008-07-14 22:54 . 2008-07-19 21:02 <DIR> d-------- C:\Documents and Settings\Two\Application Data\Spyware Terminator
2008-07-14 00:37 . 2008-07-14 01:00 <DIR> d-------- C:\Program Files\Exterminate It!
2008-07-14 00:13 . 2008-07-14 00:13 <DIR> d-------- C:\HaxFix
2008-07-14 00:13 . 2008-08-10 23:18 466,502 --a------ C:\HaxFix.exe
2008-07-08 06:32 . 2008-07-08 06:32 253,952 --------- C:\WINDOWS\system32\dllcache\es.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 03:19 --------- d-----w C:\Documents and Settings\One\Application Data\Canon
2008-08-25 13:49 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-18 12:55 --------- d-----w C:\Program Files\Java
2008-07-23 13:10 --------- d-----w C:\Program Files\Spyware Terminator
2008-07-19 11:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spyware Terminator
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 02:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-02 21:22 98304]
"SpywareTerminator"="C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe" [2008-06-14 21:00 1817600]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"VTTimer"="VTTimer.exe" [2006-08-03 16:53 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2006-08-25 15:52 176128 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 16:22 577536 C:\WINDOWS\soundman.exe]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 07:01 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTIVBOARD]
--a------ 2003-05-02 10:31 24576 c:\APPS\ABoard\ABOARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 13:00 208952 C:\WINDOWS\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-14 02:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 12:00 49152 C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2004-09-15 21:17 81920 c:\APPS\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 13:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 13:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2004-11-02 21:22 98304 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
--a------ 2004-04-16 14:53 249856 C:\WINDOWS\system32\Keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-02-23 13:38]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-02-23 13:39]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-06-14 21:00]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-07-05 06:33]
.
Contents of the 'Scheduled Tasks' folder

2004-12-17 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 13:00]

2004-12-17 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\system32\OOBE\oobebaln.exe [2004-08-04 13:00]

2008-08-30 C:\WINDOWS\Tasks\User_Feed_Synchronization-{C589FB80-3B7F-484B-B209-9D78088D82CC}.job
- C:\WINDOWS\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Windows Defender - C:\Program Files\Windows Defender\MSASCui.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.powerup.com.au/
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-30 22:00:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Sygate\SPF\Smc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
.
**************************************************************************
.
Completion time: 2008-08-30 22:08:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-30 12:07:57

Pre-Run: 24,932,560,896 bytes free
Post-Run: 24,964,927,488 bytes free

155 --- E O F --- 2008-08-15 13:55:15

[Mike]

That looks good

Click START then RUN
Now type Combofix /u in the runbox and click OK

Notice the space between the x and / -- That needs to be there.

Now please download OTCleanIt.

• Save it to your desktop.
• Double Click on OTCleanIt.exe, a window will appear.
• Please press the CleanUp! Button.

This will remove the tools we used during the process of cleaning your computer.


Now that your are clean, you'll want to stay that way.

Some important things that you should keep in mind in order to protect yourself:

• Use common sense. This is the big one! Don't download programs from suspicious sites and be careful where you browse.
  Things you can do to avoid downloading bad programs:
  • Google the program. Read reviews and opinions from other people on the internet, if you dont see any reports of foul play - then there more than likely is none.
  • Stay away from Cracks! However luring the thought of free software can be it's not worth the hassle and potential danger of getting infected.
  • Download the program directly from the website of the developer - then you can be certain you haven't downloaded a bogus copy.
  • Read the EULA (End User License Agreement) - Find out exactly what you are downloading. A good tool to aid you in this would be EULAyzer.
• Keep your programs updated! Software developers update their programs to patch possible security risks. Do a scan once in a while for outdated programs using Secunia's Software Inspector
• Keep your protection programs up to date! No matter how good your Antivirus or Antispyware program is, without an updated set of definitions it will do you no good against the new infections. If you run a free program make sure to update them at least once a week.
• Make sure that windows updates is enabled. Keeping your system up to date is a must - to turn on automatic updates take a look at this article by Microsoft.

I have listed two programs to boost your security while using no resources.

• SpywareBlaster Take a look at the tutorial here.
• ZonedOut Adds thousands of websites to your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Also consider using an alternative web browser. Two big named ones, both far superior to Internet Explorer in terms of security and performance, would be Firefox and Opera.

Make a habit of scanning your computer for viruses every week or so and backing up important files regularly.

Please also read Expert Tony Klein's excellent article: How I got Infected in the First Place

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.

[centurian]

Assuming the instructions for ComboFix were meant to result in a briefly-appearing blue window, everything's great!

Thank you so much!

[Mike]

No problem, thanks for sticking with me.

Take care and have a great day still!

Mike