Summary
| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Protection available since | 6 December 2004 13:37:30 (GMT) |
| Detected by | All Sophos products |
Action
Please follow the instructions for removing Trojans.
More Information
Troj/Haxdoor-O is a member of the Troj/Haxdoor family of backdoor Trojans for the Windows platform that provide unauthorised remote access to the infected computer.
The installation executable for Troj/Haxdoor-O drops the following Trojan files to the Windows system folder (not all of these files may be installed under Windows 95/98/ME):
- cm.dll
- draw32.dll
- hm.sys
- klogini.dll
- memlow.sys
- p2.ini
- vdnt32.sys
- wd.sys

(klogini.dll and p2.ini are text log files.)
So that it runs automatically when Windows starts up, Troj/Haxdoor-O sets the following registry entries on NT-based versions of Windows, where the service name and driver name correspond to the service and driver it creates:
Winlogon Notify:
  name = draw32
  path = draw32.dll
  notifyfunction = "MedManager"

Service process:
  servicename = memlow
  displayname = "LMMngr"
  imagepath = "memlow.sys "

Driver:
  drivername = vdnt32
  displayname = "MemDRV"
  imagepath = "vdnt32.sys"
Troj/Haxdoor-O sets a number of registry entries including the following:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32\
  DllName
  Startup
  Impersonate
  Asynchronous
  MaxWait

HKLM\SYSTEM\ControlSet001\Control\
  Impersonate
  StackSize
  Session Manager\Memory Management\EnforceWriteProtection

HKLM\SYSTEM\ControlSet001\Services\memlow\
  Type
  Start
  ErrorControl
  ImagePath
  DisplayName
  Security\
  Security\Security

HKLM\SYSTEM\ControlSet001\Services\vdnt32\
  Type
  Start
  ErrorControl
  ImagePath
  DisplayName
  Security\
  Security\Security

HKLM\SYSTEM\CurrentControlSet\Control\
  Impersonate
  StackSize
  Session Manager\Memory Management\EnforceWriteProtection

HKLM\SYSTEM\CurrentControlSet\Services\memlow\
  Type
  Start
  ErrorControl
  ImagePath
  DisplayName
  Security\
  Security\Security

HKLM\SYSTEM\CurrentControlSet\Services\vdnt32\
  Type
  Start
  ErrorControl
  ImagePath
  DisplayName
  Security\
  Security\Security
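As a defender's check on the persistence entries listed above, here is an added example (not Sophos code) that parses a regedit .reg export and flags Winlogon Notify packages and services/drivers matching the Troj/Haxdoor-O names. The parser, the function names and the sample export are my own constructions; only the file, package and service names come from the description.

```python
import re
# Indicators from the Troj/Haxdoor-O description: dropped files, Notify package, services.
HAXDOOR_O_FILES = {"cm.dll", "draw32.dll", "hm.sys", "klogini.dll",
                   "memlow.sys", "p2.ini", "vdnt32.sys", "wd.sys"}
HAXDOOR_O_NOTIFY = {"draw32"}
HAXDOOR_O_SERVICES = {"memlow", "vdnt32"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg_export(text):
    """Parse regedit .reg text into {key: {value: data}}; REG_SZ/REG_DWORD only."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current] = {}
        elif (m := VALUE_RE.match(line)) and current is not None:
            name, s, d = m.groups()
            keys[current][name] = s if s is not None else int(d, 16)
    return keys

def find_haxdoor_o_indicators(text):
    """Return sorted (key, reason) pairs for Haxdoor-O persistence entries."""
    findings = []
    for key, values in parse_reg_export(text).items():
        path, leaf = key.lower(), key.split("\\")[-1].lower()
        if "\\winlogon\\notify\\" in path:
            dll = str(values.get("DllName", "")).strip().lower()
            if leaf in HAXDOOR_O_NOTIFY or dll in HAXDOOR_O_FILES:
                findings.append((key, "Winlogon Notify package loads " + (dll or leaf)))
        elif "\\services\\" in path:
            # strip(): the Trojan writes "memlow.sys " with a trailing space
            image = str(values.get("ImagePath", "")).strip().lower()
            if leaf in HAXDOOR_O_SERVICES or image.split("\\")[-1] in HAXDOOR_O_FILES:
                findings.append((key, "service/driver image " + (image or leaf)))
    return sorted(findings)
# Constructed sample export (not a real capture): two Haxdoor-O entries plus a
# legitimate Notify package (scecli) that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\draw32]
"DllName"="draw32.dll"
"Startup"="MedManager"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
"Type"=dword:00000001
"ImagePath"="memlow.sys "
"DisplayName"="LMMngr"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\scecli]
"DllName"="scecli.dll"
"""
```

Run `find_haxdoor_o_indicators(SAMPLE_REG)` against an export of the live hive (`reg export HKLM\SYSTEM ...`) to get the flagged keys; a clean host returns an empty list.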
