haxdoor trojan woes!

Dukat (Resident Freddy, joined Jan 10, 2004, 5,396 messages)
Hey all.

I recently got a nasty trojan off of a website I thought was safe. I'm moderately experienced with dealing with such things, but this thing is nastier than anything I've seen before.

Here's a bit of info on what I'm pretty sure I have: http://support.microsoft.com/?scid=kb;en-us;903251

Ok, so the symptoms are that the computer restarts or shuts down as soon as (if not before) it loads.

It seemed to be starting off with just rebooting when I logged into normal mode. I tried going in through safe mode, was able to stay in there, and tried to find and delete the relevant registry keys. I looked for the keys listed on the Microsoft page I linked to above but I couldn't find any of them. I'm still pretty sure that what I have is a variant of this though, as I am getting the same reboot symptoms and the files klo5.sys and ps.a3d both exist.

Before I was locked out I did a search and checked for files created in the last 3 hours; I got those two files and none others that looked suspicious.

Anyways, the stage I'm at now is that every time I turn the computer on it reboots before I get anywhere at all. I've tried booting from the Windows CD but it still reboots the computer immediately, before I get any options at all.

I'm really stuck here, I can't seem to get into the computer at all.

Not sure what information will help for this aside from what I've said so far, but if you think you can help ask away and I'll try and get as much info as I can.

I would try formatting it, but I have several assignments on that computer and without them I'm in a REALLY bad position.

Any help much appreciated.
 

Dukat (Resident Freddy, joined Jan 10, 2004, 5,396 messages)
Update: I've just managed to get into the recovery console after booting from CD. It seems there's now an admin password; since I never had an admin password, or any logon passwords at all, I'm at a loss as to what to do :(

Really getting a little worried here, seeing as I stand to lose a lot of work.
 

Dukat (Resident Freddy, joined Jan 10, 2004, 5,396 messages)
smurkin said:
Are you able to install Norton (safe mode)... it'll remove (most of) it.

/edit... ouch, that's a nasty one :(

http://www.symantec.com/avcenter/venc/data/backdoor.haxdoor.d.html

I did try that. I had AVG running but the virus seems to have disabled it; I tried to install Norton, but because the trojan created an admin account and locked me out of it I can't install anything, even in safe mode :(

I phoned up a computer repair type person this morning after staying up all night trying to sort it. Normally I'd try and do it myself; however, the fact that I might end up making things worse and losing the files I need means that I'm reluctant to try anything.

In a way it's not that bad. I was tired when I wrote the first post; looking at it with a clear head, I guess I can revert to my backups of college work if needed, and I did need to format and rebuild that computer at some point anyway. It's just a pain that I have to lose all my savegames, configuration settings and a lot of work to do it.

Usually I have 2 or 3 partitions: one holds the OS and enough space for the page/swap file, then programs on another drive and documents/files on a final drive. However, this computer had it all on one drive, and so I'll likely end up losing everything.
 

Kryten (Old Cow., Moderator, joined Dec 22, 2003, 3,351 messages)
Tried a recovery installation from your Windows CD?

If not, boot off the XP CD, follow the instructions to install Windows (as if from new) and, when it asks you where you want it, point it at your existing Windows installation - it will allow a recovery installation, replacing the relevant and important system files whilst retaining your apps and files. This may of course keep the virus in the first place depending on how it installs, but it's probably worth a try before having to format from scratch.

Oh, and if you're using SP2, you'll need an XP SP2 slipstreamed CD to do it.
 

SAS (Can't get enough of FH, joined Dec 23, 2003, 1,004 messages)
Did you use any firewalls before you got infected? Also do you have SP2 and all the latest MS patches installed?

I'm using AVG anti-virus too and wondering if I should upgrade. Always been concerned it could be easily disabled :/.
 

Dukat (Resident Freddy, joined Jan 10, 2004, 5,396 messages)
SAS said:
Did you use any firewalls before you got infected? Also do you have SP2 and all the latest MS patches installed?

I'm using AVG anti-virus too and wondering if I should upgrade. Always been concerned it could be easily disabled :/.

Aye, I used the ZoneAlarm firewall; it was on the "stealth mode" setting while I was browsing the website I reckon I was infected from, too.

Also had SP2; I had been keeping up to date with the auto updates as well, which is strange for me - I always used to turn auto-update off.

That's one of the reasons I was surprised for the first few seconds - I've had viruses before, but that was just scary. It went right through the firewall and AVG didn't seem to notice; after a few seconds it must've disabled some vital service or other, because I got the RPC error saying "the computer will close in 60 seconds". After the restart (and after several reboots before Windows would load) AVG didn't start, opening IE or Outlook caused the system to reboot, and I couldn't install anything because of the admin account I'd been locked out of.

Luckily I seem to have access to my DVD-RW drive and am backing up my files atm; will hopefully rebuild it and start over. It was scary for a few hours though - the system wouldn't load, kept rebooting before it even started to boot into Windows. Never had anything like that, and tbh I thought I'd lost everything on the hard drive. Luckily the rebooting seems to be temperamental if you boot in safe mode (if and when it ever gets that far without restarting); I've managed to write one DVD's worth of stuff so far and am half way through another, no restarts so far. With luck I should be able to back up most of my files without it rebooting, as long as I'm careful.
 

DaGaffer (Down With That Sorta Thing, joined Dec 22, 2003, 18,397 messages)
Jesus, what kind of site were you on? Or don't we want to know? ;)
 

xane (Fledgling Freddie, joined Dec 22, 2003, 1,695 messages)
Dukat said:
it seems there's now an admin password, since I never had an admin password, or any logon passwords at all, I'm at a loss as to what to do.

You can try overriding the Admin password by building a special boot CD.

http://home.eunet.no/~pnordahl/ntpasswd/

I did try this once, but didn't get anywhere, so your mileage may vary.

As a last resort, take out the HDD, get to another computer or get a new HDD and build Windows on it, then install the old HDD as a second drive or get a USB converter, and get the important files off of it.
 

Dukat (Resident Freddy, joined Jan 10, 2004, 5,396 messages)
Seems like I'm clear now - ended up managing to get in on safe mode after a few tries and was able to back up 2 DVDs' worth of files before it restarted again.

I wiped the computer and managed to get it back more or less as it was (minus 100 gigs or so :().

DaGaffer said:
Jesus, what kind of site were you on? Or don't we want to know? ;)

lol, it does sound rather dodgy, doesn't it? That's why I said:

Dukat said:
I recently got a nasty trojan off of a website I thought was safe

The website was totally clean in nature (I'd actually pondered posting a link to it on FH at one point); it was a joke Flash animation about someone phoning up about a computer problem and getting the stereotypical Indian helpdesk.

It was really funny tbh; the only reason I didn't post it on FH in the end was because it might possibly have been seen as mildly racist (because the tech guy was Indian). It wasn't racist at all in my opinion, but as you know some people can get upset about things like that.

A college mate gave me the link, and the first time I went there it was fine - I didn't get any dodgy popups or anything that would rouse my suspicion. The second time, however, I got a URL redirect, the browser hung, and then I got a .exe appearing on the desktop and the system hung when I tried to delete it.

The worst thing is that the second you talk to any learned computer person about stuff like this they immediately jump to the same conclusion you did :) I know I do tbh when I hear others talking about it, hence my in-depth explanation :)

Cheers for all the help and suggestions though, people. I guess the only real lesson to be learnt here is to "back up everything".
 
