Haxdoor.BGN & Unregmp2 (How do I remove them?)

Hi;

I ran XoftSpy on my laptop (Windows Vista Home Premium - 32bit) & found the following

Haxdoor.BGN = Trojan
Unregmp2 = Worm

My antivirus (Kaspersky) does not detect them, only XoftSpy does. I don’t think I need to tell much here as some of you may have come across Haxdoor before (at least). Xoftspy deletes it but it comes back - an old story.

Now I believe many people have asked about this virus here many times but I wanted to have a fresh response since I find it difficult to go through older threads & the posts in them. They tend to get me confused.

I have tried the killbox. It doesn’t delete either file.

The locations of the two malware are:

Haxdoor.BGN = C:\windows\system32\w32tm.exe
Unregmp2 = C:\windows\system32\Unregmp2.exe

To check if a suspect file is malware, submit the file to VirusTotal for analysis.

If confirmed as malware by several scanners, you’ll need to submit the files to Kaspersky for analysis:

newvirus[at]kaspersky.com

They also have a support forum:

http://forum.kaspersky.com/index.php?act=idx

:wink:
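A local triage check a defender can run before trusting a single scanner's verdict, added here as an example and not part of the original thread: for each flagged path it reports the SHA-256 (which can be looked up on VirusTotal without uploading the file), the Authenticode signature status and the signer. It assumes PowerShell 4 or later (for Get-FileHash) and uses the two paths named in the thread.

```powershell
# Added example: triage files a scanner flagged before deleting anything.
# Assumes PowerShell 4+ (Get-FileHash). Paths are the two named in the thread.
$flagged = @(
    'C:\Windows\System32\w32tm.exe',
    'C:\Windows\System32\unregmp2.exe'
)

function Get-FlaggedFileReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; Exists = $false; Verdict = 'file not present' }
            continue
        }
        $hash   = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $p
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $ver    = (Get-Item -LiteralPath $p).VersionInfo

        # Many Windows system binaries are catalog-signed rather than embedded-signed;
        # older Windows/PowerShell versions may report NotSigned for them, so a
        # NotSigned result alone is not proof of tampering: compare the hash too.
        $verdict = if ($sig.Status -eq 'Valid' -and $signer -match 'Microsoft') {
            'validly signed by Microsoft: likely a legitimate Windows file; confirm the hash on VirusTotal'
        } elseif ($sig.Status -eq 'Valid') {
            'validly signed by a non-Microsoft publisher: check the publisher and the hash on VirusTotal'
        } else {
            'unsigned or unverifiable signature: look the hash up on VirusTotal or submit the file to your AV vendor'
        }

        [pscustomobject]@{
            Path      = $p
            Exists    = $true
            Sha256    = $hash
            Signature = $sig.Status
            Signer    = $signer
            Company   = $ver.CompanyName
            Lookup    = "https://www.virustotal.com/gui/file/$($hash.ToLower())"
            Verdict   = $verdict
        }
    }
}

Get-FlaggedFileReport -Paths $flagged | Format-List
```

Running sfc /verifyonly from an elevated prompt is a complementary check that the protected system files on disk match Windows' own records.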

Ok let me try

The virus scan is not recognizing it as a virus. Only XoftSpy is :-\

File w32tm.exe received on 04.26.2008 11:57:39 (CET)
Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2008.4.25.2 2008.04.25 -
AntiVir 7.8.0.10 2008.04.25 -
Authentium 4.93.8 2008.04.26 -
Avast 4.8.1169.0 2008.04.25 -
AVG 7.5.0.516 2008.04.25 -
BitDefender 7.2 2008.04.26 -
CAT-QuickHeal 9.50 2008.04.26 -
ClamAV 0.92.1 2008.04.26 -
DrWeb 4.44.0.09170 2008.04.26 -
eSafe 7.0.15.0 2008.04.21 -
eTrust-Vet 31.3.5736 2008.04.26 -
Ewido 4.0 2008.04.25 -
F-Prot 4.4.2.54 2008.04.25 -
F-Secure 6.70.13260.0 2008.04.26 -
FileAdvisor 1 2008.04.26 -
Fortinet 3.14.0.0 2008.04.26 -
Ikarus T3.1.1.26 2008.04.26 -
Kaspersky 7.0.0.125 2008.04.26 -
McAfee 5282 2008.04.25 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3056 2008.04.26 -
Norman 5.80.02 2008.04.25 -
Panda 9.0.0.4 2008.04.26 -
Prevx1 V2 2008.04.26 -
Rising 20.41.50.00 2008.04.26 -
Sophos 4.28.0 2008.04.26 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.26 -
TheHacker 6.2.92.293 2008.04.26 -
VBA32 3.12.6.5 2008.04.26 -
VirusBuster 4.3.26:9 2008.04.25 -
Webwasher-Gateway 6.6.2 2008.04.26 -

I’d say it’s probably a false positive identification by XoftSpy then. You could send the files to them mentioning that they are identified as malware but that nothing on VirusTotal confirms their identification.

I have seen ppl remove this malware through HJT & KillBox. Any idea how it is done?

Well, the file you submitted to VirusTotal is not malware, which means it’s probably a legitimate Windows file, which means you really don’t want to remove it.

Remove the crappy anti-spyware program that’s telling you these programs are malware instead.

Here are some trusted and reliable anti-spyware programs:

Ad-Aware Free

Spybot Search & Destroy

SUPERAntiSpyware Free

Hmm… I’ll download these but I still feel unsatisfied :frowning: This is a brand new laptop I have.

Btw, XoftSpy started showing these 2 files yesterday. Before that it didn’t show them, & my old laptop is also infested with Haxdoor.BGN in the same folder & file.

You need to contact XoftSpy because they are telling you these files are malware.

Have you checked the other file at VirusTotal? Because it’s clear w32tm.exe is not malware.

Yes, I checked the other file also & VirusTotal did not recognize it as malware.

As for XoftSpy, the company has stopped producing it as well as its updates. But they are still providing the final update.

I think I should contact them.

Then you really need to contact the support people at XoftSpy.

helpdesk@paretologic.com

I have emailed them.

Meanwhile I have gone through various forums with people having found at least Haxdoor.BGN, in the same directory, with their XoftSpy & their files have been recognized as malware.

sandman1981, I don’t want to start arguing, just to share my personal experience. I don’t trust the XoftSpy company: false positives and not that good support. I think there are better (and free) products available to do this work, including avast itself.

The thing that is bugging me the most is that I found Haxdoor.BGN on my older laptop (Acer 1640, WinXP) with XoftSpy. For a while it just sat there in the directory (C:\windows\system32\w32tm) but in a couple of days it blocked my system restore option, disabled the “Hide Files” option (did not allow me to hide anything), disabled the drag & drop option & did not allow me to give a password to my system. I removed the password & it replaced it with a logon screen & disabled the logon option. God knows how I found a way around it to operate my Windows.

I am just afraid this might happen to my new laptop as well. So far neither Haxdoor nor Unregmp2 has done anything.

So, you can just try a full avast scan and also SUPERAntiSpyware and/or SpywareTerminator scans.
Also, consider on-line scanning with Kaspersky and NOD32.

I just downloaded SuperAntiSpyWare. I’ll try it but I think XoftSpy will continue to irritate me.

As soon as this is resolved I’ll get rid of XoftSpy & LimeWire, which I believe is the source of many viruses & spywares.

I think the same… Other P2P networks are cleaner and safer. Also, don’t forget to set ashQuick.exe to scan the files you download through P2P :wink:

Will do that.

I just came across a forum bashing XoftSpy. Maybe my c:\windows\system32\w32tm.exe & c:\windows\system32\unregmp2.exe are not affected by malware & Xoft has lost its mind.

I think that’s what Tech and others have been trying to tell you. The VirusTotal results would confirm their opinions. False positive.