Is my PC infected with a haxdoor form pptp trojan?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Victor Mor, Jul 15, 2007.

  1. Victor Mor

    Victor Mor Private E-2

    Hello, last week I did a deep scan of my PC. I got two messages that made me feel uncomfortable...

    from HAXFIX log:

    "checking for matching services
    matching services found
    aspi 32"

    from GetRunKey log:

    "Looking for forms of Trojan.Haxdoor
    ------------------------------------------------------------------------
    Haxdoor Trojan, pptp form found!

    "DriverDesc"="Minipuerto WAN (PPTP)"
    "Minipuerto WAN (PPTP)"=hex(7):31,00,00,00,00,00
    "DeviceDesc"="Minipuerto WAN (PPTP)"
    "DisplayName"="Minipuerto WAN (PPTP)"
    "Description"="Minipuerto WAN (PPTP)"
    "DriverDesc"="Minipuerto WAN (PPTP)"
    "Minipuerto WAN (PPTP)"=hex(7):31,00,00,00,00,00
    "DeviceDesc"="Minipuerto WAN (PPTP)"
    "DisplayName"="Minipuerto WAN (PPTP)"
    "Description"="Minipuerto WAN (PPTP)"
    "DriverDesc"="Minipuerto WAN (PPTP)"
    "Minipuerto WAN (PPTP)"=hex(7):31,00,00,00,00,00
    "DeviceDesc"="Minipuerto WAN (PPTP)"
    "DisplayName"="Minipuerto WAN (PPTP)"
    "Description"="Minipuerto WAN (PPTP)"

    I tried to fix the "problem" using Haxfix (step 1 first, then 2 auto fix and also 3, manual fix), but couldn't include the pptp key; haxfix doesn't accept it, and says no service or infection found ...

    I scanned my PC with the following software:

    - AVG Anti Virus Free Edition
    - Spy Bot - Search And Destroy
    - Counter Spy
    - Bitdefender online scanner
    - Panda online scanner
    - Kaspersky online scanner
    - Symantec online scanner
    - CC Cleaner
    - Haxfix
    - Vundofix
    - Fixware
    - HijackThis

    Everything seems to be okay... no infection (virus, malware, trojans etc.) detected. But when I run GetRunKey... that message appears.... and the same with HaxFix... matching services found, Aspi 32.
    Haxdoor form pptp...? MiniPuerto WAN...? pptp is related to "point to point tunneling protocol"...? I would not like to have a VPN connection for Remote Control Access...!!!
    Must I be concerned about it...? I would appreciate your help and recommendations so much.

    thanks a lot
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    The info from GetRunKey is false. GetRunKey was written for English based Windows PCs and did not recognize the format for your PPTP text formatting.

    I doubt you have a Haxdoor infection.

    If you really want to continue to check your PC for malware, you will have to follow the directions in the READ & RUN ME properly and completely.

    • You are using MSconfig to control startups and were requested not to do this in step 0 of the READ ME.
    • You did not do step 2 of the READ ME.
    • You did not install and rename HijackThis as requested in step 7.
    • And you did not attach the other 3 requested logs from the READ ME:
      • CounterSpy
      • BitDefender Online Scan
      • PandaActiveScan
    I do suggest that you delete the below three files:
    Code:
    "C:\WINDOWS\system32\"
    lap20n~1.dll   9 May 2007       18909  "lap20nh3l4dkszi4a.dll"
    qke3ki~1.dll   9 May 2007        3521  "qke3kixfeflkszi4a.dll"
    xkh1ud~1.dll   9 May 2007       28613  "xkh1udoe84fkszi4a.dll"
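    An added example, not code from the thread or from GetRunKey/HaxFix, illustrating why the "Haxdoor, pptp form found!" message is a false positive: it parses the registry lines quoted in the first post (including the hex(7) REG_MULTI_SZ value), reproduces an English-only heuristic that flags any PPTP miniport whose description is not the English string, and shows the locale-aware check that does not. The English name "WAN Miniport (PPTP)" is assumed from Windows itself; the Spanish name comes from the log above.

```python
import re

# Constructed sample in the style of the GetRunKey dump quoted in the first post
# (Spanish-locale Windows; "Minipuerto WAN (PPTP)" is the localized name of the
# standard "WAN Miniport (PPTP)" driver).
SAMPLE_DUMP = '''"DriverDesc"="Minipuerto WAN (PPTP)"
"Minipuerto WAN (PPTP)"=hex(7):31,00,00,00,00,00
"DeviceDesc"="Minipuerto WAN (PPTP)"
"DisplayName"="Minipuerto WAN (PPTP)"
"Description"="Minipuerto WAN (PPTP)"'''

# Known legitimate names of the PPTP WAN miniport. English is assumed from
# Windows; Spanish is the value that appears in the thread's log.
KNOWN_PPTP_MINIPORT = {
    "WAN Miniport (PPTP)",
    "Minipuerto WAN (PPTP)",
}

LINE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*)$')


def decode_reg_multi_sz(hexbody):
    """Decode a .reg-style hex(7) (REG_MULTI_SZ) byte list into a list of strings."""
    raw = bytes(int(b, 16) for b in hexbody.split(",") if b.strip())
    text = raw.decode("utf-16-le")          # REG_MULTI_SZ is UTF-16LE, NUL-separated
    return [s for s in text.split("\x00") if s]


def parse_dump(dump):
    """Parse '"name"="value"' and '"name"=hex(7):...' lines into a dict."""
    entries = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if value.startswith("hex(7):"):
            entries[name] = decode_reg_multi_sz(value[len("hex(7):"):])
        elif value.startswith('"') and value.endswith('"'):
            entries[name] = value[1:-1]
    return entries


def naive_check(entries):
    """English-only heuristic: flag any PPTP DriverDesc that is not the English
    string. This is the kind of logic that misfires on a non-English Windows."""
    desc = entries.get("DriverDesc", "")
    return "PPTP" in desc and desc != "WAN Miniport (PPTP)"


def locale_aware_check(entries):
    """Flag only a PPTP DriverDesc that matches no known localized driver name."""
    desc = entries.get("DriverDesc", "")
    return "PPTP" in desc and desc not in KNOWN_PPTP_MINIPORT
```

    The point for anyone reviewing such logs: a hit that depends solely on a localized description string, with no associated file on disk, is evidence of a locale mismatch in the tool, not of an infection.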
     
  3. Victor Mor

    Victor Mor Private E-2

    Hi Chaslang, thanks for your reply and suggestions. Will delete the three files from C:\Windows\system32\
    I do want to continue checking my PC for malware, so I will follow your indications and send a new message with the 6 attachments.
    Thanks!
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay make sure you complete those steps I indicated that were missed while doing the READ ME.
     
  5. Victor Mor

    Victor Mor Private E-2

    I followed the 7 steps of the READ ME exactly as written and got the 6 logs. I am attaching the files for your analysis and comments.
    Thanks.
     


  6. Victor Mor

    Victor Mor Private E-2

    the other 3 log files...
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs do not show any malware issues. I suggest that you uninstall the CounterSpy trial now. You can also uninstall/delete/cleanup any other programs you have downloaded and the logs from them (things like GetRunKey, ShowNew, FixWareOut, HaxFix..... etc).
     
  8. Victor Mor

    Victor Mor Private E-2

    Hello Chaslang

    Thanks for your help and assistance, it's so good to confirm that my PC is not infected by any virus or malware at this moment.
    Your comment about the false message from GetRunKey was so clear: it was built for the English language and does not recognize another text format.

    My last question... Must I be totally relaxed regarding the Haxfix message "searching for matching services, services found, Aspi 32" ..?
    I would like to understand / learn what it means...? If all is okay on my PC, why do I get this message after running Haxfix..? Maybe it would be better to get: searching for matching services, services not found...! as appears in the other lines. : )
    I don't want to take your valuable time or bother you with this kind of stuff... I tried to search the internet and found several questions and inquiries about this topic. It is interesting to notice that none of them was clearly answered... nobody just says: "you get that message from Haxfix because..." or "just forget it, don't worry about it, it is a false message", or "you must change settings or delete files" or something like that. All replies from other users or experts refer to running Haxfix again (option 1, then 2, or 3 and so on...). But when somebody just wonders "I did all the steps several times and still get the "matching service Aspi 32 found" in my log"... no more answers or comments.
    Is this message irrelevant? Must I not worry about it?
    Thanks for your patience with us, inexperienced PC users... : )
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You keep saying aspi 32. That is not what HaxFix would say. It would either say aspi32.dll or aspi32.sys (no space after the aspi). If it is aspi32.dll it is not a problem. When working on malware (or any other PC problem) you must always be specific and give exact information.

    • Start Haxfix
    • A red "dos window" (dos box) will open with options:
      • 1. Make logfile
      • 2. Run auto fix
      • 3. Run manual fix
      • E. Exit Haxfix
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    • If an infection is found, you'll get a message to close all other open windows.
    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
     
  10. Victor Mor

    Victor Mor Private E-2

    Hi Chaslang

    Thanks for your quick reply. I am sorry about writing aspi32, but I just used the exact words written in the Haxfix log, without any reference to .dll or .sys

    I followed the steps you indicated, I am sending you three attachments (haxlog.txt / haxfix.txt / serv.txt).

    Thanks.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your last log from HaxFix (the haxfix.txt log) was run on 16/07/2007 16:56:59,98
    It indicates no infections were found.

    Your previous log did mention an aspi32 service but there were no associated files.

    I still maintain that your PC is clean.
     
  12. Victor Mor

    Victor Mor Private E-2

    Hi Chaslang

    Thanks for your reply, your last message makes me feel relaxed and it is more than enough for me, I will stop my searches and questions. From now on I will keep trying to maintain my PC free of infections, following the recommendations you post in the READ ME.
    Thanks for your help and assistance and also for the time you spent viewing the logs and analyzing them.
    Sorry for my bad English, my native language is Spanish. Best wishes.
    Victor.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is what you want to follow to help you stay clean:

    How to Protect yourself from malware!


    You're welcome Victor. And your English was just fine. It is about a thousand times better than my Spanish. ;)
     
