qqp (Beginner)
9 August 2005 - 11:31 There are 10 comments and 1 solution

Backdoor.Haxdoor.B

I have got the virus Backdoor.Haxdoor.B on my PC. My own antivirus program does not find it, but it shows up in an online scan. The problem is that it will not remove it. What do I do now? I have tried to find a removal tool for the virus but cannot find one.
bufferzone (Intern)
9 August 2005 - 11:57 #1
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.haxdoor.b.html

Read under "Removal Instructions" how to remove it.
bufferzone (Intern)
9 August 2005 - 11:58 #2
I am fairly sure this free scanner can remove it too

http://www.snapfiles.com/get/stinger.html
tonnybrandt (Beginner)
9 August 2005 - 12:35 #3
Follow the guide here:
Go here and download HijackThis.
http://danborg.org/spy1/HJT/hijackthis.exe
Run HijackThis, scan, save the log and copy the log file in here, then I will have a look at it. Do not delete anything yourself with HijackThis; it can do more harm than good.
qqp (Beginner)
9 August 2005 - 12:41 #4
here is the log file
Logfile of HijackThis v1.99.1
Scan saved at 12:40:52, on 09-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
E:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\spupdsvc.exe
E:\WINDOWS\system32\spnpinst.exe
E:\WINDOWS\system32\Sysocmgr.exe
E:\WINDOWS\Explorer.EXE
E:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Programmer\Analog Devices\SoundMAX\Smax4.exe
E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\QuickTime\qttask.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmer\MSN Messenger\MsnMsgr.Exe
E:\Programmer\iPod\bin\iPodService.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\PokerStars\PokerStars.exe
E:\Documents and Settings\Svend\Lokale indstillinger\Temporary Internet Files\Content.IE5\80AB34E6\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [ATIPTA] E:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121848939921
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: IAtsf0IGmNY3C2ETr1qIzWn3j2dib0 - Kaspersky Labs. - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\Avp32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Programmer\iPod\bin\iPodService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: rRUL11zgIYL1KmxJk2s8PS93Z5JV22ovkVL2NVTWH2 - Kaspersky Labs. - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\Avp32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Programmer\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
qqp (Beginner)
9 August 2005 - 12:42 #5
stinger does not remove it, unfortunately
tonnybrandt (Beginner)
9 August 2005 - 12:52 #6
Hmm.. the log is actually clean, and the signs of a Haxdoor infection cannot be seen in it.

Download this file and unpack it on the Desktop:

http://www.atribune.org/downloads/HSFix.zip

... and this file (save it on your Desktop):

www.spywareinfo.dk/download/cleantempxp2k.bat

Restart in Safe Mode (by pressing F8 during startup).

Run hsfix.bat - 2 times.

Double-click cleantempxp2k.bat

Restart in Normal mode and run at least one of these online scanners:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart in Normal mode and post a fresh HijackThis log as well as the hsfix log (which you will find in C:/hslog.txt)

If it is still on the computer after that round, then tell me which tool finds it and exactly where it finds the virus.
qqp (Beginner)
9 August 2005 - 13:00 #7
ok, thanks for now - I will come back when I have tried it.
qqp (Beginner)
9 August 2005 - 15:55 #8
Hi again

The above has now been done. The online scanner I used is BitDefender. It still finds the virus. The other 2 find nothing. The virus is in the following places:

G:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP31\A0010764.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Infected with: Backdoor.Haxdoor.B

G:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP31\A0010764.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Disinfection failed

G:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP31\A0010764.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Deleted

G:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP31\A0010764.exe=>(CAB Sfx o)=>\data2.cab
Update failed

I:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP35\A0011116.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Infected with: Backdoor.Haxdoor.B

I:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP35\A0011116.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Disinfection failed

I:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP35\A0011116.exe=>(CAB Sfx o)=>\data2.cab=>(IShield Module 78)
Deleted

I:\System Volume Information\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\RP35\A0011116.exe=>(CAB Sfx o)=>\data2.cab
Update failed

HijackThis looks like this:
Logfile of HijackThis v1.99.1
Scan saved at 15:05:01, on 09-08-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\System32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Programmer\Sygate\SPF\smc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
E:\Programmer\Analog Devices\SoundMAX\SMAgent.exe
E:\WINDOWS\system32\spupdsvc.exe
E:\WINDOWS\system32\spnpinst.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\Sysocmgr.exe
E:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Programmer\Analog Devices\SoundMAX\Smax4.exe
E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
E:\Programmer\iTunes\iTunesHelper.exe
E:\Programmer\QuickTime\qttask.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Programmer\MSN Messenger\MsnMsgr.Exe
E:\Programmer\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Programmer\Internet Explorer\iexplore.exe
E:\Documents and Settings\Svend\Lokale indstillinger\Temporary Internet Files\Content.IE5\IDCNA58L\hijackthis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.signon.stofanet.dk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O4 - HKLM\..\Run: [ATIPTA] E:\Programmer\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Programmer\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Programmer\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [SmcService] E:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programmer\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "E:\Programmer\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = E:\Programmer\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Programmer\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121848939921
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVP Control Centre Service (AVPCC) - Unknown owner - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /service (file missing)
O23 - Service: IAtsf0IGmNY3C2ETr1qIzWn3j2dib0 - Kaspersky Labs. - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\Avp32.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - E:\Programmer\iPod\bin\iPodService.exe
O23 - Service: KAV Monitor Service (KAVMonitorService) - Unknown owner - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe" /service (file missing)
O23 - Service: rRUL11zgIYL1KmxJk2s8PS93Z5JV22ovkVL2NVTWH2 - Kaspersky Labs. - E:\Programmer\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\Avp32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Programmer\Sygate\SPF\smc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Programmer\Analog Devices\SoundMAX\SMAgent.exe

The HSFix log looks like this:
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
  Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

I can see that some of the virus is gone - it is no longer on my system drive E, which has caused problems for the Kaspersky antivirus program. I cannot run the virus monitor any more - update and scan run fine.
tonnybrandt (Beginner)
9 August 2005 - 16:35 #9
The virus is located in the System Restore files.

You delete them like this:
Clean up the System Restore files. Disable System Restore - restart your computer - enable System Restore.
(click Start | Settings | Control Panel | System, the System Restore tab)

And otherwise the log is clean.
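As an added illustration of the diagnosis in this answer (my own script, not code from the thread or from any of the tools mentioned), the block below parses scan output in the format BitDefender produced in #8, groups hits by the on-disk file, and separates copies inside System Restore points (the `System Volume Information\_restore{...}\RP<n>` paths) from hits on live files, which is the distinction that decides whether purging System Restore is enough. The `E:\WINDOWS\system32\constructed-sample.dll` entry is a constructed example and not from the thread.

```python
import re
from collections import OrderedDict

# Objects inside a System Restore point: <drive>:\System Volume Information\_restore{GUID}\RP<n>\...
RESTORE_POINT = re.compile(r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\")

# Sample scan output in the format the thread's BitDefender scan produced (restore-point
# entries taken from the thread): an object chain line, then a status line, blank-separated.
SAMPLE_SCAN = """\
G:\\System Volume Information\\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\\RP31\\A0010764.exe=>(CAB Sfx o)=>\\data2.cab=>(IShield Module 78)
Infected with: Backdoor.Haxdoor.B

G:\\System Volume Information\\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\\RP31\\A0010764.exe=>(CAB Sfx o)=>\\data2.cab=>(IShield Module 78)
Disinfection failed

I:\\System Volume Information\\_restore{44C28D7A-D215-4C27-828E-A47959D802AB}\\RP35\\A0011116.exe=>(CAB Sfx o)=>\\data2.cab=>(IShield Module 78)
Infected with: Backdoor.Haxdoor.B
"""

# Constructed extra entry (not from the thread): a hit outside any restore point.
CONSTRUCTED_LIVE_HIT = "E:\\WINDOWS\\system32\\constructed-sample.dll\nInfected with: Backdoor.Haxdoor.B\n"


def parse_scan(text):
    """Yield (container_path, full_object_chain, status) for each chain/status pair."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for chain, status in zip(lines[0::2], lines[1::2]):
        # The on-disk file is everything before the first "=>"; archive members follow it.
        yield chain.split("=>", 1)[0], chain, status


def triage(text):
    """Group hits by on-disk file and record whether each file is a restore-point copy."""
    files = OrderedDict()
    for container, _chain, status in parse_scan(text):
        entry = files.setdefault(container, {"threat": None, "statuses": [],
                                             "restore_point": bool(RESTORE_POINT.match(container))})
        if status.startswith("Infected with:"):
            entry["threat"] = status.split(":", 1)[1].strip()
        entry["statuses"].append(status)
    return files


def verdict(text):
    """'clean': no hits; 'restore_points_only': purge System Restore; 'live': active infection."""
    files = triage(text)
    if not files:
        return "clean"
    live = [p for p, e in files.items() if not e["restore_point"]]
    return "live" if live else "restore_points_only"
```

Run against the thread's output, `verdict(SAMPLE_SCAN)` returns `restore_points_only`, matching the advice above to disable and re-enable System Restore; a hit on a path outside `System Volume Information` flips it to `live`.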
qqp (Beginner)
9 August 2005 - 17:38 #10
Thanks for the help. Now everything is gone.
tonnybrandt (Beginner)
9 August 2005 - 18:22 #11
You're welcome, and thanks for the points :)