Killed the Backdoor.Haxdoor Trojan

Phew! What a night. A client running XP Home called me to say that he had received a few warnings from Avast, but now it had stopped working and many other applications no longer responded. In addition, most anti-virus websites resolved to a new page with the message, “This is the Plesk default page.” This machine runs the latest Avast!, plus ZoneAlarm and sits behind a router/firewall. GerryR to the rescue.

I discovered that his Task Manager had been disabled and that Regedit would run, but no registry keys or values could be edited or deleted. Curiously, they could still be renamed, which helped me get the Task Manager back. No files could be downloaded from the web and no online AV products could be installed.

By examining files on the system and the various registry keys that run files and services, I found references to the following trojans:
Trojan.dropper
Troj_Tib.AI
Backdoor.w32/Rbot-QE

Files that I found and knew to be malicious:
kernels8.exe
xpupdate.exe
vxgame1.exe (along with 2, 4 & 6)
Image1.gif.exe

I cleaned out these files easily, since they don’t hide themselves very well. The system still showed no improvement, so I knew I was dealing with at least one hidden process.
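As an added example (not part of the original post, and not how the author actually did it), the following PowerShell script walks the autorun registry locations the post refers to and flags any value pointing at the file names listed above, then checks the two policy values that produce exactly the "Task Manager disabled / Regedit crippled" symptoms. The suspect list is copied from the post; the key paths are the standard Windows ones. It must run elevated, and a caveat a practitioner should keep in mind: on a box where a kernel-mode rootkit is still live, the registry view this script sees may itself be filtered, which is precisely why the post needed RootkitRevealer.

```powershell
# Added example: check common autorun locations and policy values for the
# file names and symptoms described in the post. Suspect names come from the
# post; nothing here encodes Haxdoor's real persistence mechanism.
$Suspect = 'kernels8.exe', 'xpupdate.exe',
           'vxgame1.exe', 'vxgame2.exe', 'vxgame4.exe', 'vxgame6.exe',
           'Image1.gif.exe', 'qz.dll', 'qz.sys'

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
)

function Test-Suspect([string]$Text) {
    # True when any suspect file name appears in the value (case-insensitive).
    foreach ($s in $Suspect) {
        if ($Text -match [regex]::Escape($s)) { return $true }
    }
    return $false
}

foreach ($key in $AutorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip PowerShell's own metadata
        $val = [string]$p.Value
        if (Test-Suspect $val) { "SUSPECT  $key\$($p.Name) = $val" }
    }
}

# Services: ImagePath is the binary a service launches.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
    if ($img -and (Test-Suspect ([string]$img))) {
        "SUSPECT  service $($_.PSChildName): $img"
    }
}

# Policy values behind "Task Manager has been disabled" and a crippled Regedit.
foreach ($hive in 'HKCU', 'HKLM') {
    $pol = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    if (-not (Test-Path $pol)) { continue }
    $v = Get-ItemProperty -Path $pol
    if ($v.DisableTaskMgr -eq 1)       { "$pol : DisableTaskMgr = 1 (Task Manager blocked)" }
    if ($v.DisableRegistryTools -eq 1) { "$pol : DisableRegistryTools = 1 (Regedit restricted)" }
}
```

Run it from an elevated PowerShell prompt. A match is a lead, not a verdict: confirm each hit the same way the post does, by looking at the file on disk and checking the name against reputable AV write-ups before deleting anything.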

Downloaded and ran RootkitRevealer from http://www.sysinternals.com/Utilities/RootkitRevealer.html. It showed 8 files and processes hidden from the Windows API, among them two files named QZ.DLL and QZ.SYS.

I Googled the filenames and discovered Haxdoor for the first time. (I always wanted to fight a rootkit!) Now I knew its name, but how to go about killing it?

I Googled some more and found Haxfix at http://users.telenet.be/marcvn/tools/haxfix.exe. It automates the removal process and cleans everything out after a reboot. Google is your friend.

So it appears that one trojan got in, disabled most of the security and then allowed a chain of other Trojans to be downloaded. All this appeared to happen in one day. Although Avast! did sound one alarm very early in the infection, it wasn’t up to the task of dealing with these Trojans.

I hope the links to RootkitRevealer and Haxfix will be useful to others. Good hunting!

Next time try to rename taskmanager.exe and regedit.exe.
Or better, create a copy of them.

copy regedit.exe regedit.com
copy taskmgr.exe taskmgr.com

And then try to run the .com versions.

That should work since that malware affects .exe's.

And (no offence), but since Avast warned, I think the user did not take the appropriate action.

I also (like Avast) must ring a warning bell here.
Rootkit revealers can indeed be very handy tools, but the only thing they do is reveal things.
Not everything they reveal is harmful.
It is still up to the user to find out if something is harmful or not, and when it is… how to deal with it.
I would say the Sysinternals RootkitRevealer is a very good and trustworthy tool.
Feel free to download it and have a peek behind the scenes.
But when it comes to interpreting what it is showing, leave it to the experts.
Tools like this are not for the average user to use.