Greenguy's Board


Old 2005-01-22, 06:53 PM   #1
stuveltje
Live and learn. And take very careful notes!
 
 
Join Date: Apr 2003
Location: Sunny Holland
Posts: 6,157
advice i need advice

i have haxdoor-h in my puter, don't ask me how i got it, but the last thing i worked on was with the sites (with the special code from the cheaters form) it tried to put something in my puter if i clicked the free site, now i thought my puter had stopped it but it didn't, it blocked my virus scanner and my puter was full with shit, i have removed most and reinstall but i still got one piece left of that haxdoor-h which will return every time when i connect the net..... anyone knows something about it?
Old 2005-01-22, 07:17 PM   #2
tiny
Hello, is this President Clinton? Good! I figured if anyone knew where to get some tang it would be you
 
Join Date: Aug 2003
Location: maine
Posts: 447
That's gotta suck bigtime. I would first try and install this program and also the second link is from a messageboard

http://www.microsoft.com/athome/secu...e/default.mspx

messageboard
http://forums.tomcoyote.org/index.ph...ic=24067&st=15

another one
http://www.sophos.com/virusinfo/analyses/

http://www.informit.com/guides/conte...rity&seqNum=27

hope that helps

Last edited by tiny; 2005-01-22 at 07:24 PM..
Old 2005-01-22, 07:32 PM   #3
stuveltje
Quote:
Originally Posted by tiny
That's gotta suck bigtime. I would first try and install this program and also the second link is from a messageboard

http://www.microsoft.com/athome/secu...e/default.mspx

messageboard
http://forums.tomcoyote.org/index.ph...ic=24067&st=15

another one
http://www.sophos.com/virusinfo/analyses/

http://www.informit.com/guides/conte...rity&seqNum=27

hope that helps
thanks me gonna try all, i am already working 10 hours to remove that piece of shit from my puter and really i am getting pissed huge.........i am gonna kill my puter if i can't get it fixed
Old 2005-01-22, 07:34 PM   #4
docholly
Nothing funnier than the ridiculous faces you people make mid-coitus
 
 
Join Date: Aug 2003
Location: Sin-City USA
Posts: 4,973
I had that too..got it from reviewing a site even tho i had mega power on the virus/trojan etc..

i used hijackthis and spybot s&d.

yeah Tiny i saw that MS had a fix.. but you know i love free market commerce.. first they give you a defective product (Windows) and then they sell you the fix.. creeping cruds.. |viking|
__________________
Support Indie Porn Sites

OMGoddess
You know you need some Bling!!
Old 2005-01-22, 07:49 PM   #5
stuveltje
Quote:
Originally Posted by docholly
I had that too..got it from reviewing a site even tho i had mega power on the virus/trojan etc..

i used hijackthis and spybot s&d.

yeah Tiny i saw that MS had a fix.. but you know i love free market commerce.. first they give you a defective product (Windows) and then they sell you the fix.. creeping cruds.. |viking|
hijackthis and spybot removes it but it keeps coming back............
Old 2005-01-22, 08:01 PM   #6
Porn Meister
Asleep at the switch? I wasn't asleep, I was drunk
 
Join Date: Dec 2004
Posts: 214
Copied from a site found with google:

"From Symantec's web site:

"Registers and runs JSDAPI.EXE as a process.
Creates the following files to the %System% folder:
DEBUGG.DLL
BOOT32.SYS
C3.DLL
C3.SYS
C4.SYS
SMTAPI.SYS"

If you killed the process then deleted the files you may be rid of it. Of course nothing beats a full scan from an up-to-date anti-virus program as it will remove Registry entries as well.
"


Still looking
__________________
I like Pimproll.
Old 2005-01-22, 08:05 PM   #7
tiny
I can never understand why assholes make shit like this. Might be a keylogger trojan piece of shit
Old 2005-01-22, 08:14 PM   #8
Porn Meister
Interesting thread from a board found on google:
http://forums.thatcomputerguy.us/ind...pic=8918&st=15
Explains a registry edit that solved the reoccurrence for someone.
__________________
I like Pimproll.
Old 2005-01-22, 08:22 PM   #9
Porn Meister
Other suggestions are to try an online virus scanner, since the trojan attempts to disable a local copy, it can't disable an online scanner. And to disable system restore, then reboot to safe mode and *then* try removal tools.
Good luck anyway
__________________
I like Pimproll.
Old 2005-01-22, 08:36 PM   #10
stuveltje
Quote:
Originally Posted by Porn Meister
Other suggestions are to try an online virus scanner, since the trojan attempts to disable a local copy, it can't disable an online scanner. And to disable system restore, then reboot to safe mode and *then* try removal tools.
Good luck anyway
thanks i am trying more things now, already did some online scans and they can't find it, but if i run spybot it found it, the nasty thing is it uses the restore system thing from xp, i have disabled that now and hope to get rid of the shit thing
Old 2005-01-22, 08:58 PM   #11
DarkEmber
WHO IS FONZY!?! Don't they teach you anything at school?
 
Join Date: Sep 2004
Location: Where the Cows Graze
Posts: 47
if you remove it and it comes back, boot into safe mode (f8 before the windows screen appears) and clean it....sometimes the resident stuff is tricky

icq 266835420 if you need any help
Old 2005-01-22, 08:58 PM   #12
chilihost
Look at 'em. Watchin' my TV. Sittin on my couch. You better not be in my ass groove!
 
 
Join Date: Aug 2003
Posts: 465
Quote:
(with the special code from the cheaters form)
it sucks but you kinda got what you deserved on that one! Good luck getting it all removed, make sure you also change all your passwords after you have a clean running machine - for everything!!!

cheers,
Luke
__________________
HunkMoney+BritishBucks+LatinoBucks=50+ gay sites!
Old 2005-01-22, 09:25 PM   #13
tiny
Quote:
Originally Posted by chilihost
it sucks but you kinda got what you deserved on that one! Good luck getting it all removed, make sure you also change all your passwords after you have a clean running machine - for everything!!!

cheers,
Luke
What do you mean she kinda got what she deserved on that one ?
Old 2005-01-23, 05:08 AM   #14
stuveltje
Quote:
Originally Posted by chilihost
it sucks but you kinda got what you deserved on that one! Good luck getting it all removed, make sure you also change all your passwords after you have a clean running machine - for everything!!!

cheers,
Luke
yeah now i am awake again, the part "you kinda got what you deserved on that one" have you problems with me? or didn't you agree i removed a bunch of sites with that code? if you gonna say something, explain also why you saying that.
Old 2005-01-23, 07:53 PM   #15
GeorgeTH
Don't let a programmer design your front-end pages!
 
 
Join Date: Aug 2003
Location: currently on the road in CA
Posts: 781
When I was hit late last year the bloody thing (wasn't haxdoor) re-installed itself all the time because the initial infection came in the form of .cab files, which are self-extracting sorta-ZIP-files, and my AV software couldn't read their content, so they remained on the hd until I removed them manually. The day before yesterday I was hit by some java trojan which installed itself in a .jar file - another self-extracting compression, and again missed by my AV (and firewall!)

So: keep an eye on the error reports from your AV *, and do a housecall or two at http://housecall.trendmicro.com/ - and then manually (best in 'safe mode') drill into the directories where the AV found infections and delete all compressed files [if you want to be careful only delete the ones with names similar to the virus/trojan files].

*= you might need a piece of paper to write down all files and their location

I'm now 98% clean, just that somehow my svhost is playing up from time to time (~ once a week), and bloody XP refuses to re-install it from CD...
__________________
Have a nice day!
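
The file list quoted in post #6 and the archive problem described in post #15, combined as an added example (not code from any poster or vendor): a read-only scan that reports files with the names quoted from Symantec, looks inside .zip/.jar containers for the same names, and lists .cab files for manual review. The function names and the sample tree are constructed for illustration, and matching is by file name only.

```python
import os
import tempfile
import zipfile

# File names quoted from Symantec in post #6, lower-cased (Windows names are case-insensitive).
KNOWN_NAMES = {"jsdapi.exe", "debugg.dll", "boot32.sys", "c3.dll",
               "c3.sys", "c4.sys", "smtapi.sys"}
ZIP_LIKE = {".zip", ".jar"}   # containers the standard library can open
OPAQUE = {".cab"}             # cannot be opened here: report for manual review

def scan_archive(path, names):
    """Return findings for archive members whose base name is on the list."""
    try:
        with zipfile.ZipFile(path) as zf:
            members = zf.namelist()
    except (zipfile.BadZipFile, OSError):
        return [("review", path, "unreadable archive")]
    return [("archive", path, m) for m in members
            if m.replace("\\", "/").rsplit("/", 1)[-1].lower() in names]

def scan(root, names=KNOWN_NAMES):
    """Walk root and return sorted (kind, path, detail) tuples; deletes nothing."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            lower = fname.lower()
            ext = os.path.splitext(lower)[1]
            if lower in names:
                findings.append(("file", path, lower))
            elif ext in ZIP_LIKE:
                findings.extend(scan_archive(path, names))
            elif ext in OPAQUE:
                findings.append(("review", path, "cabinet not inspected"))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree: harmless placeholder files, not real samples."""
    os.makedirs(os.path.join(root, "system32"))
    open(os.path.join(root, "system32", "C3.DLL"), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "update.jar"), "w") as zf:
        zf.writestr("payload/SMTAPI.SYS", b"placeholder")
        zf.writestr("readme.txt", b"placeholder")
    open(os.path.join(root, "setup.cab"), "wb").close()

if __name__ == "__main__":
    demo = tempfile.mkdtemp()
    build_sample(demo)
    print(*scan(demo), sep="\n")
```

A name match only tells you where to look; the same name can belong to an unrelated file, and a renamed copy will not match.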
Old 2005-01-24, 12:01 AM   #16
stuveltje
Quote:
Originally Posted by GeorgeTH
When I was hit late last year the bloody thing (wasn't haxdoor) re-installed itself all the time because the initial infection came in the form of .cab files, which are self-extracting sorta-ZIP-files, and my AV software couldn't read their content, so they remained on the hd until I removed them manually. The day before yesterday I was hit by some java trojan which installed itself in a .jar file - another self-extracting compression, and again missed by my AV (and firewall!)

So: keep an eye on the error reports from your AV *, and do a housecall or two at http://housecall.trendmicro.com/ - and then manually (best in 'safe mode') drill into the directories where the AV found infections and delete all compressed files [if you want to be careful only delete the ones with names similar to the virus/trojan files].

*= you might need a piece of paper to write down all files and their location

I'm now 98% clean, just that somehow my svhost is playing up from time to time (~ once a week), and bloody XP refuses to re-install it from CD...
well one thing keeps coming back and only spybot sees it no other scanner picks it up, when i run hijack this, i see nothing strange, but if i let spybot run it finds fix the "1 piece haxdoor-h" it gives a message saying "c:\WINDOWS\System32\klonigi.dll is not an official certificate thing from windows" (or something like that), btw same as with that stupid DSO Exploit which always comes back. I will find it somewhere......
Old 2005-01-24, 12:38 AM   #17
Porn Meister
The DSO exploit that spybot finds is possibly due to you not having the windows update.. Spybot tells me that too..

Did you try that Regedit fix and look for "RAdmin" and nuke?
__________________
I like Pimproll.
Old 2005-01-24, 12:42 AM   #18
stuveltje
Quote:
Originally Posted by Porn Meister
The DSO exploit that spybot finds is possibly due to you not having the windows update.. Spybot tells me that too..

Did you try that Regedit fix and look for "RAdmin" and nuke?
yep i did i can't find it, me going thru all again now, on one side i don't believe that the last haxdoor-h in my puter is dangerous because now all works, but still i can't take that risk, so going again to check all in safe mode...at this moment i am running an online scan again to see if it finds something.
Old 2005-01-24, 12:51 AM   #19
Porn Meister
k Good luck!
I just ran spybot and highlighted the DSO, then clicked on the two arrows on the right edge middle of the screen, and it gives details and indeed it says it's a microsoft security flaw in explorer.

There is a program called EasyCleaner that can help remove orphaned registry entries, and remove programs that windows (add/remove programs) can't.. I can't think of anything else to suggest.
__________________
I like Pimproll.


All times are GMT -4. The time now is 04:24 AM.

