Can anyone help me please?

  1. #1
    sam225 (Registered User; joined Jul 2004; 7 posts)

    Can anyone help me please?

    I have this virus that only AVG catches. It says it's a Backdoor.HaxDoor.2.T
    and it is found in C:\WINDOWS\system32\debugg.dll

    I'll wait to post my HiJackThis log. I am such a moron when it comes to PC security.

  2. #2
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    Welcome to Windrivers, sam225.
    This is what Norton says about it. Hope you didn't keep your passwords on that machine! Removal instructions are there; read the whole document.

  3. #3
    GrandDad (Registered User; joined Apr 2001; Ft.Leonard Wood; 2,112 posts)
    Quote Originally Posted by NooNoo
    Welcome to Windrivers, sam225.
    http://securityresponse.symantec.com...r.haxdoor.html This is what Norton says about it. Hope you didn't keep your passwords on that machine! Removal instructions are there; read the whole document.

    Well, I see you fixed it.

  4. #4
    sam225 (Registered User; joined Jul 2004; 7 posts)

    No Luck

    I tried what NAV suggested first thing this morning.

    I'm unable to find this:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MPRServices\TestService\MPRServices\TestServices

    or

    the JSDAPI.exe in the process.

    or

    SMTAPI.SYS in the \system32\ folder.

    I tried deleting it in SAFE mode (couldn't get to it) and I've tried Trojan Hunter and Tauscan. Nothing finds it other than AVG but AVG doesn't have any info about it on Grisoft.com

    Any other suggestions? Does it matter when it's... HaxDoor.2.T as compared to that on the Symantec site ...Kaxdoor.i?

    Quote Originally Posted by sam225
    I have this virus that only AVG catches. It says it's a Backdoor.HaxDoor.2.T
    and it is found in C:\WINDOWS\system32\debugg.dll

    I'll wait to post my HiJackThis log. I am such a moron when it comes to PC security.

  5. #5
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    Yes, it's a variant, so some things will be different... got that HijackThis log yet?

  6. #6
    sam225 (Registered User; joined Jul 2004; 7 posts)

    HiJackThis Log

    Quote Originally Posted by NooNoo
    Yes, it's a variant, so some things will be different... got that HijackThis log yet?
    I'm sorry. Here is my log.

    Logfile of HijackThis v1.98.0
    Scan saved at 4:32:40 PM, on 7/29/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net/vzn.dsl/....htm?ver=4448&
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
    O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
    O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
    O4 - Global Startup: Verizon Online Dialer.lnk = F:\bin\Components\ConnectionManager\Verizon Online.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O15 - Trusted Zone: *.mt-download.com
    O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/.../Client_IE.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.shscares.org/lawson/msxml4.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A305FBA3-4A87-483D-A53B-138F9F635357} (PCInfo.CMClass) - http://ciscdb.sel.sony.com/support/p...ect/PCInfo.CAB
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O21 - SSODL: System - {1D2EB6E0-89EE-42C2-AC3E-4BA2690FBD84} - C:\WINDOWS\system32\system32.dll (file missing)

  7. #7
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    OK, you still have trojans.

    taumon.exe

    Go to http://housecall.antivirus.com and run the online scan. Will run up a list of stuff to delete with HijackThis in a few.

  8. #8
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O15 - Trusted Zone: *.mt-download.com
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab

    Ouch! This is not a trojan guard at all! O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

    Get rid of that lot by running HijackThis in safe mode.

    The processes are hidden, which is why you cannot track it down. Go find and delete the files using Explorer. If you cannot delete them, then check Task Manager in safe mode and see if they show up.
    Never, ever approach a computer saying or even thinking "I will just do this quickly."
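As an added example, not code from this thread or from the HijackThis tool, the Python script below applies the same eyeball rules NooNoo used in the post above to a constructed subset of the log posted earlier in the thread: it separates the "Running processes" list from the numbered entries, flags anything tied to the thesearchmall.com domain (in a URL or in a toolbar's display name), the BHO and SSODL hooks whose file is gone, the Trusted Zone and ActiveX (O16) additions and the changed proxy setting, links the "ohb" BHO to the hijacker because it loads the same winsrm32.dll as the flagged toolbar, and then reports that the file AVG named (debugg.dll) is mentioned nowhere in the log, which is the point NooNoo makes about hidden processes. The domain, the AV-reported path and the sample lines are taken from this thread; the function names, the rule wording and the choice of which lines to keep in the sample are this example's own.

```python
"""Triage a HijackThis 1.98-style log with the rules used in this thread.

Added example, not code from the thread or from HijackThis. The hijacker domain,
the AV-reported file and the sample lines come from the thread; the rules and
names are this example's own.
"""
import re

# Constructed sample: a subset of the HijackThis v1.98.0 log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O15 - Trusted Zone: *.mt-download.com
O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
O21 - SSODL: System - {1D2EB6E0-89EE-42C2-AC3E-4BA2690FBD84} - C:\WINDOWS\system32\system32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
# A Windows path up to the first binary extension; paths may contain spaces.
WINPATH_RE = re.compile(r"[A-Za-z]:\\[^\r\n]*?\.(?:dll|exe|ocx|sys)\b", re.IGNORECASE)


def parse_log(text):
    """Return (running_processes, [(section, body), ...]) from a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif m:
            in_procs = False
            entries.append((m.group("sec"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text, hijack_domains, av_reported_files):
    """Flag entries the way post #8 did and check whether the AV-named files appear at all."""
    processes, entries = parse_log(text)
    domains = [d.lower() for d in hijack_domains]
    reasons = {}       # entry index -> why it was flagged
    bad_files = set()  # files referenced by entries tied to the hijacker
    for i, (sec, body) in enumerate(entries):
        low = body.lower()
        if any(d in low for d in domains):
            # Domain appears in a URL or in the hook's display name ("TheSearchMall.com Bar").
            reasons[i] = "tied to the hijacker domain"
            bad_files.update(p.lower() for p in WINPATH_RE.findall(body))
        elif "(no file)" in low or "(file missing)" in low:
            reasons[i] = "hook registered but its file is absent (deleted or hidden); fix the entry"
        elif sec == "O15":
            reasons[i] = "Trusted Zone addition; sites here escape the Internet-zone restrictions"
        elif "proxyoverride" in low or "proxyserver" in low:
            reasons[i] = "proxy setting changed; confirm it is yours"
    # Second pass: anything else loading a file already tied to the hijacker (the "ohb" BHO).
    for i, (sec, body) in enumerate(entries):
        if i not in reasons:
            paths = {p.lower() for p in WINPATH_RE.findall(body)}
            if paths & bad_files:
                reasons[i] = "loads a file already tied to the hijacker"
    findings = [(entries[i][0], reasons[i], entries[i][1]) for i in sorted(reasons)]
    # A file the AV names that appears nowhere in the log is being kept out of the
    # log's view of processes and hooks: what post #8 means by "the processes are hidden".
    everything = [p.lower() for p in processes] + [b.lower() for _, b in entries]
    hidden = [f for f in av_reported_files
              if not any(f.rsplit("\\", 1)[-1].lower() in s for s in everything)]
    return findings, hidden


if __name__ == "__main__":
    found, unseen = triage(SAMPLE_LOG, ["thesearchmall.com"], [r"C:\WINDOWS\system32\debugg.dll"])
    for sec, why, body in found:
        print(f"{sec:4} {why}\n     {body}")
    for f in unseen:
        print(f"AV reports {f} but the log never mentions it: hidden file, work from safe mode")
```

HijackThis only lists what the Windows APIs report, so a backdoor that filters those answers is invisible to it; a file the scanner names but the log never shows is the cue to do the clean-up from safe mode, where the hiding component is usually not loaded.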

  9. #9
    sam225 (Registered User; joined Jul 2004; 7 posts)

    Thanks...

    Quote Originally Posted by NooNoo
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://thesearchmall.com/index.php
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://thesearchmall.com/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: TheSearchMall.com Bar - {4B8F38C7-62FC-4762-B9A0-27E63F768167} - C:\WINDOWS\System32\winsrm32.dll
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O15 - Trusted Zone: *.mt-download.com
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab

    Ouch! This is not a trojan guard at all! O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"

    Get rid of that lot by running HijackThis in safe mode.

    The processes are hidden, which is why you cannot track it down. Go find and delete the files using Explorer. If you cannot delete them, then check Task Manager in safe mode and see if they show up.

    First off, "Thank you so much for taking the time to help me with this problem! I truly appreciate it!"

    I ran the "Housecall" and it didn't find anything. Should I run HijackThis in safe mode and then delete all of the things you have listed that you picked out of my log?
    I'm pretty smart when it comes to some things, but I am a complete idiot when it comes to this stuff. Sorry.

  10. #10
    sam225 (Registered User; joined Jul 2004; 7 posts)

    One more thing... for now.

    Quote Originally Posted by sam225
    First off, "Thank you so much for taking the time to help me with this problem! I truly appreciate it!"

    I ran the "Housecall" and it didn't find anything. Should I run HijackThis in safe mode and then delete all of the things you have listed that you picked out of my log?
    I'm pretty smart when it comes to some things, but I am a complete idiot when it comes to this stuff. Sorry.

    What was that taumon.exe? I clicked the link and read what Symantec has to say about it, but I can't find it on my computer. Do I have it?

  11. #11
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    You do have it; it shows up in the HijackThis log.

    Yes, go to safe mode, run HijackThis, make a note of the log, and tell it to fix the stuff I listed. Now go look for any of the file names listed in the HijackThis log - for instance
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    HijackThis tells you precisely where it is. It may be a hidden and/or system file, and it may be set to read-only. Allow viewing of hidden and system files by opening My Computer, Tools, Folder Options; under Hidden files and folders uncheck every box and check the radio button "Show hidden files and folders". XP will warn you; accept the warning.

    To unset read-only on a file, right-click the file, Properties, uncheck the Read-only box and Apply. If the system is not using the file you can now delete it. If it is, start Task Manager and go to the Processes tab; see if you can find the file listed there, and if you do, right-click and End Process Tree. Now try to delete the file again.

    It is important to do these in safe mode because most of the processes and drivers are not running, and it makes it easier to search and destroy the baddies.

  12. #12
    sam225 (Registered User; joined Jul 2004; 7 posts)

    Ok

    Quote Originally Posted by NooNoo
    You do have it; it shows up in the HijackThis log.

    Yes, go to safe mode, run HijackThis, make a note of the log, and tell it to fix the stuff I listed. Now go look for any of the file names listed in the HijackThis log - for instance
    O2 - BHO: ohb - {0AEE4D0C-4B38-4196-AE32-70ACE5656647} - C:\WINDOWS\System32\winsrm32.dll
    HijackThis tells you precisely where it is. It may be a hidden and/or system file, and it may be set to read-only. Allow viewing of hidden and system files by opening My Computer, Tools, Folder Options; under Hidden files and folders uncheck every box and check the radio button "Show hidden files and folders". XP will warn you; accept the warning.

    To unset read-only on a file, right-click the file, Properties, uncheck the Read-only box and Apply. If the system is not using the file you can now delete it. If it is, start Task Manager and go to the Processes tab; see if you can find the file listed there, and if you do, right-click and End Process Tree. Now try to delete the file again.

    It is important to do these in safe mode because most of the processes and drivers are not running, and it makes it easier to search and destroy the baddies.

    Ok, I deleted most of what you said, except for the FlashGet things. Some of the other items I couldn't find when in safe mode. Can I go to HiJackThis OUT of safe mode and fix them? How do I know what the processes are? How do I get rid of the "debugg.dll" file that is the haxdoor virus?

    Thank you again.

  13. #13
    sam225 (Registered User; joined Jul 2004; 7 posts)

    Did what you said...

    Quote Originally Posted by sam225
    Ok, I deleted most of what you said, except for the FlashGet things. Some of the other items I couldn't find when in safe mode. Can I go to HiJackThis OUT of safe mode and fix them? How do I know what the processes are? How do I get rid of the "debugg.dll" file that is the haxdoor virus?

    Thank you again.

    Ok NooNoo Sir:

    I did exactly what you said for me to do. But I still can't get rid of the debugg.dll or the w32_ss.exe files that are said to be viruses. What should I do now?

    Thanks again.

  14. #14
    NooNoo (Driver Terrier; joined Dec 2000; UK; 31,824 posts)
    Do another HijackThis log in safe mode and post it, please. Need to see the processes running...
