-=PCTechTalk=- Re: Help with TROJAN

Hi Don,
this is from the first site,
www.sophos.com/virusinfo/analyses/trojhaxdoorh.html
Advanced tab:

Troj/Haxdoor-H is a backdoor Trojan that provides unauthorised access to an
infected computer.

The installation executable for Troj/Haxdoor-H drops the following files to
the Windows system folder: i.a3d, draw32.dll, p2.ini, cm.dll, vdnt32.sys,
hm.sys, memlow.sys, wd.sys, klogini.dll (not all of these files will be
installed under Windows 95/98/ME). i.a3d, p2.ini and klogini.dll are
harmless data files.

On NT-based versions of Windows, services are created named memlow and vdnt32
(with display names of "LMMngr" and "MemDRV") to run memlow.sys and
vdnt32.sys respectively, creating registry entries under:
HKLM\SYSTEM\CurrentControlSet\Services\memlow\
HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
The new memlow service has a startup type set to automatic, so that the
service is run automatically on startup.

On NT-based versions of Windows, sub-keys of the following new registry entry
are created to load draw32.dll on startup and run the "MemManager" export:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32\

Under Windows 95/98/ME one of the following sets of registry entries is
created, so that draw32.dll is loaded on startup and the "MemManager" export
called:
HKLM\System\currentcontrolset\control\mprser\Dllname = draw32.dll
HKLM\System\currentcontrolset\control\mprser\Entrypoint = "MemManager"
HKLM\System\currentcontrolset\control\mprser\StackSize = 0
HKLM\System\currentcontrolset\control\MPRServices\TestService\Dllname = draw32.dll
HKLM\System\currentcontrolset\control\MPRServices\TestService\Entrypoint = "MemManager"
HKLM\System\currentcontrolset\control\MPRServices\TestService\StackSize = 0
(The draw32.dll code will be run under the Mprexe system process.)

The following registry entries are also set:
HKLM\SYSTEM\RAdmin\v2.0\Server\Parameters\DisableTrayIcon = 1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\EnforceWriteProtection = 0
HKLM\SYSTEM\CurrentControlSet\Control\Impersonate =
HKLM\SYSTEM\CurrentControlSet\Control\StackSize = 20:8

Troj/Haxdoor-H will delete the following files if they exist:
%SYSTEM%\drivers\klif.sys
%SYSTEM%\drivers\klpf.sys

Troj/Haxdoor-H attempts to disable certain anti-virus and security related
programs and may attempt to prevent itself and its dropped components from
being deleted.

*********** MIKE'S REPLY SEPARATOR ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
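The Sophos write-up quoted above lists the files, services and registry keys the Trojan leaves behind. The script below is an added example (it is not from Sophos, Mike or the list) that turns that list into a read-only audit of a Windows host: it reports which of the named files, services, Winlogon Notify packages and the EnforceWriteProtection = 0 setting are present, and does not delete anything. It assumes an NT-based Windows with an elevated PowerShell prompt; the Windows 95/98/ME MPRServices keys are not checked. One caveat a practitioner would want: the Trojan loads its own kernel drivers (vdnt32.sys, memlow.sys) and tries to protect its components, so a tool run on the live system can be lied to; a clean result here is not proof of a clean machine, and the same checks should be repeated from an offline boot or a known-good environment.

```powershell
# Added example, not code from the Sophos analysis or the mailing list.
# Read-only audit for the Troj/Haxdoor-H indicators in the quoted write-up.
# Assumes an NT-based Windows and an elevated prompt; reports, never removes.
$SystemDir = [Environment]::GetFolderPath('System')

# Files the analysis says the dropper writes to the Windows system folder.
$DroppedFiles = 'i.a3d', 'draw32.dll', 'p2.ini', 'cm.dll', 'vdnt32.sys',
                'hm.sys', 'memlow.sys', 'wd.sys', 'klogini.dll'

# Registry persistence points named in the analysis (NT-based Windows).
$RegistryKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\memlow',
    'HKLM:\SYSTEM\CurrentControlSet\Services\vdnt32',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32'
)

$Findings = @()

foreach ($f in $DroppedFiles) {
    $p = Join-Path $SystemDir $f
    if (Test-Path -LiteralPath $p) { $Findings += "file present: $p" }
}

foreach ($k in $RegistryKeys) {
    if (Test-Path -LiteralPath $k) { $Findings += "registry key present: $k" }
}

# Services registered under the names the analysis gives
# (display names LMMngr and MemDRV); also show whether they are running.
foreach ($svc in 'memlow', 'vdnt32') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s) {
        $Findings += "service present: $($s.Name) ($($s.DisplayName)) status=$($s.Status)"
    }
}

# EnforceWriteProtection = 0 is one of the side effects listed; on a normal
# host the value is either absent or non-zero.
$mmPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$mm = Get-ItemProperty -Path $mmPath -ErrorAction SilentlyContinue
if ($mm -and $mm.PSObject.Properties['EnforceWriteProtection'] -and $mm.EnforceWriteProtection -eq 0) {
    $Findings += "EnforceWriteProtection = 0 under $mmPath"
}

# List every Winlogon Notify package, not just draw32: the key is a generic
# persistence point, so compare the output against a known-good machine.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path -LiteralPath $notify) {
    Get-ChildItem -LiteralPath $notify | ForEach-Object {
        $dll = (Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue).DllName
        "Winlogon Notify package: $($_.PSChildName) -> $dll"
    }
}

if ($Findings.Count -eq 0) {
    'No Troj/Haxdoor-H indicators from the Sophos list were found on the live system.'
} else {
    $Findings
}
```

The registry paths and file names are exactly those in the quoted analysis; everything else (variable names, the ordering of checks, the Winlogon Notify listing) is the example's own. On Windows XP and 2003 the Winlogon Notify key normally holds a handful of Microsoft packages, so an unfamiliar DLL name there, not the mere presence of entries, is what matters.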

******* Mike's  REPLY SEPARATOR *********

On 1/25/2005 at 2:05 PM Don Briggs wrote:

Hi Mike,
I have been to all these sites and found nothing about removing Haxdoor-H.
Searching in Google is the first thing I always do when I have a problem.
TomCoyote Forums had an anti-Trojan but did not list it as finding or
removing Haxdoor-H
Thanks again for your help,
Rocky de Dragon
----- Original Message ----- 
From: "Mike" <mikebike@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, January 25, 2005 11:23 AM
Subject: -=PCTechTalk=- Re: Help with TROJAN


Hi Don,
I used Google to find these links;
Sophos virus analysis: Troj/Haxdoor-H
... Virus information Troj/Haxdoor-H. Summary. ... Profile, Name,
Troj/Haxdoor-H. Type,
Trojan. Affected operating systems, Windows. Side effects, ...
www.sophos.com/virusinfo/analyses/trojhaxdoorh.html - 25k - 24 Jan 2005 -
Cached - Similar pages


To unsub or change your email settings:
http://www.freelists.org/webpage/pctechtalk

To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/

For more info:
http://www.freelists.org/cgi-bin/list?list_id=pctechtalk
