Haxdoor-H and CoolWWWSearch infection

1. I ran sysclean.com (in safe mode and system restore off) along with the
latest pattern file and it did not detect anything using PC-Cillin. I no longer have this virus log.

2. In safe mode with networking and system restore off: I did an online scan at
Trend micro using housecall and it did not detect anything.

3. In safe mode with networking and system restore off: I did an online scan at
Symantec Security Check and it detected 9 infected
files including the following: a) Adware.Gati in D:\codecs_and_player\DivX\Divx
Pro codec\gain_trickler.exe b) downloader.trojan in new.exe c)
Adware.BetterInternet in windows\phage2.exe d) Bloodhound.packed in
windows\system32\cm.dll e) Backdoo.Tofger in windows\system32\paydial.exe f)
Adware.CoolWebSearch in windows\system32\ppma.dll g) Adware.WhenU in
windows\system32\WSN_MKTE0404Inst.exe h) Download.trojan in documents and
settings\Administrator\LocalSetting\TemporaryInternetFiles\Content.IE5\8L6BCDAN\Sploit[1].anr
i) Adware.BetterInternet in documents and
settings\Administrator\LocalSettings\temp\phage2.exe

3. In safe mode with networking and system restore off: I ran McAfee AVERT
Stinger and it did not detect anything.

4. I cleaned the hard drive, removed temporary internet files with CCleaner.

5. Scanned machine with Ad-Aware SE with the Ad-Aware VX2 Cleaner plug-in and it
did not detect anything critical.

6. Scanned with Spybot with the Spybot DSO Exploit patch and it found Haxdoor-H.
Under the Haxdoor-H heading there are 2 files including klogini.dll and
draw32.dll. Although I selected "fix" it was only able to "fix" one of the
files but both re-appeared upon re-boot and re-scan with spybot.

7. I ran CWShredder, Kill2me, about:buster and HSremover. I ran these because at
one point I had an about:search hijacker but I think it has been destroyed.

8. Haxdoor-H still present so I scanned with Hijack this. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:57:20 PM, on 3/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Edit by chaslang: Unrequested inline log removed


Things that the computer is doing:

1. Whenever I try to run a full PC-cillin scan the computer crashes and re-boots.

2. PC-cillin is running without all the internet security setting that it
usually does (i.e. no firewall and no Wi-Fi detection.

3. While browsing, Internet Explorer will suddenly pop up with a message that a problem has been encountered (annoying pop-up that sends back report of encountered problems with IE to Microsoft). Clicking on "Don't Send" kills all internet windows.

4. Also, comp will crash randomly when the control panel is accessed to "Add/Remove any programs" as well as when searching for files/folders.

 

Hi!

Thanks for your reply. I was not able to delete C:\windows\system32\draw32.dll. I went to see if the file was read only but it wasn't (i.e. the read-only box was already unchecked. But i went ahead and did the other things that you asked me to do.

I forgot to mention in my original post that during the AVAST scan, it was not able to scan c:\windows\system32\draw32.dll or c:\windows\system32\vtd_16.exe. Similarly, during my Bitdefender scan it identified many password protected files. I am not sure what the significance of this is so I will attach the Bitdefender log along with my most recent HJT log.

 

Here is the hslog.txt and the new HJT log after running hsfix.bat

 

I have attached the 2 HSFix logs. On the second one draw32.dll and
vtd_16.exe were not detected. I re-ran spybot and it did not detect Haxdoor-H. Does this mean that the trojan has been deleted and that the computer is clean?

 

This is very likely the case. You should run a few IE sessions and then attach another HJT Log for Chaslang to review.

If you think some Haxdoor remains (it is a persistent little bugger!) you can check out this thread and search your machine for the files I listed in post #28. (Don't do those steps, though! Just look for the baddies.)

http://forums.majorgeeks.com/showthread.php?t=54566

PP

 

Hi!

Here is my HJT log. I went through the files in the post you suggested and I didn't find any of the files listed.

Only one thing remains to be solved! My PC-cillin settings cannot be returned to normal! I cannot enable Wi-Fi detection or the personal firewall. Aside from that, the computer is not crashing and the IE explorer pop up has ceased!

One question! I suppose that HJT is letting us know all the processes that are running? Its interesting because I downloaded process explorer but I could never find the names of files that would be running due to the virus. Anyways, after trying to fix the computer for 3 days myself I am SO glad I fell upon this site! You guys are terrific. Thanks so much for helping me! I will definetly update my system and make sure I am better equipped to prevent this from happening again!!

 

so I spoke too soon! I went back to double check all the files and this is what I found:

[HKEY_Local_machine\SYSTEM\currentControlSet\ENUM\ROOT\LEGACY_MEMLOW

although in the text of the link provided it was written as:
[HKEY_Local_machine\currentControlSet\ENUM\ROOT\LEGACY_MEMLOW
(I.E. no system)

I also found c:\windows\system32\hm.sys

 

sorry...i tried to edit my post but it was too late!

I also found:

[HKEY_Local_machine\SYSTEM\CurrentControlSet\Control\SessionManager\MemoryManagement]
Name = "EnforceWriteProtection" and the value in the data set was 0x00000000(0)