Guest Cyril

Hacker Defender

20 posts in this topic

Rickiedee,

 

I received your E-Mail and it's going to be necessary for you to register in the new forum.

 

Until we get the fix for this thing, it would be a good idea to keep the computer in question disconnected from the internet.... This is a trojan program with backdoors all over the place and it is hard to say what it can do to your system and what information it will steal from you....

 

We need to download "Hijack This" to a "Diskette" or "CD Rom"

 

If you do not have access to an uninfected computer I will E-Mail you the file.

 

If you have access to an uninfected computer go to 'Hijack This!' (the link is at the bottom of the page).

 

 

File

Open

click "extract to regular folder"

name your diskette or cd rom

 

When the "Hijack This" Icon appears on your screen right click on your mouse and go to rename.

 

Change the file name to whatever you like, i.e. "Hacker This".

 

Take the "CD" or "Diskette" to the infected PC.

Press start>right click your mouse to explore>point to the "CD" or "Diskette".

Double click on "Hacker This".

Do a scan and post your log here.


I got someone to send me the file over the net and he renamed it before sending it to me... I then burnt it to a CD and it still wouldn't let me run it!!! So I went into safe mode and the program compiled the following log, if it is of any help to you...

 

Logfile of HijackThis v1.97.7

Scan saved at 2:51:15 PM, on 5/17/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Documents and Settings\Pat\My Documents\patsshittyass.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hgmewe.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hgmewe.outhost.info/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hgmewe.outhost.info/sp.php

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O1 - Hosts: 213.159.118.228 collections.inhost.info

O1 - Hosts: 213.159.118.228 collections.inhost2.info

O1 - Hosts: 213.159.118.228 1-se.com

O1 - Hosts: 213.159.118.228 58q.com

O1 - Hosts: 213.159.118.228 aifind.cc

O1 - Hosts: 213.159.118.228 aifind.info

O1 - Hosts: 213.159.118.228 allneedsearch.com

O1 - Hosts: 213.159.118.228 approvedlinks.com

O1 - Hosts: 213.159.118.228 auto.ie.searchforge.com

O1 - Hosts: 213.159.118.228 awebfind.biz

O1 - Hosts: 213.159.118.228 best.royalsearch.net

O1 - Hosts: 213.159.118.228 cracks.am

O1 - Hosts: 213.159.118.228 default-homepage-network.com

O1 - Hosts: 213.159.118.228 find.microgirls.com

O1 - Hosts: 213.159.118.228 find4u.net

O1 - Hosts: 213.159.118.228 freshvideogals.com

O1 - Hosts: 213.159.118.228 i-lookup.com

O1 - Hosts: 213.159.118.228 ie-search.com

O1 - Hosts: 213.159.118.228 in.webcounter.cc

O1 - Hosts: 213.159.118.228 itseasy.us

O1 - Hosts: 213.159.118.228 just.find-itnow.com

O1 - Hosts: 213.159.118.228 link.startmake.com

O1 - Hosts: 213.159.118.228 mysearchnow.com

O1 - Hosts: 213.159.118.228 nativehardcore.com

O1 - Hosts: 213.159.118.228 qwertysearch123.biz

O1 - Hosts: 213.159.118.228 search.ieplugin.com

O1 - Hosts: 213.159.118.228 search.psn.cn

O1 - Hosts: 213.159.118.228 searchbar.findthewebsiteyouneed.com

O1 - Hosts: 213.159.118.228 searchcentrix.com

O1 - Hosts: 213.159.118.228 searchmyrequest.com

O1 - Hosts: 213.159.118.228 super-spider.com

O1 - Hosts: 213.159.118.228 t.rack.cc

O1 - Hosts: 213.159.118.228 teen-biz.com

O1 - Hosts: 213.159.118.228 teenhqpics.com

O1 - Hosts: 213.159.118.228 tits.hardcore4ever.net

O1 - Hosts: 213.159.118.228 webcoolsearch.com

O1 - Hosts: 213.159.118.228 wmmse.com

O1 - Hosts: 213.159.118.228 www.008i.com

O1 - Hosts: 213.159.118.228 www.2fastsearch.net

O1 - Hosts: 213.159.118.228 www.8095.com

O1 - Hosts: 213.159.118.228 www.alfa-search.com

O1 - Hosts: 213.159.118.228 www.boredlife.com

O1 - Hosts: 213.159.118.228 www.couldnotfind.com

O1 - Hosts: 213.159.118.228 www.cracks.am

O1 - Hosts: 213.159.118.228 www.daum.net

O1 - Hosts: 213.159.118.228 www.dreamwiz.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find-itnow.com

O1 - Hosts: 213.159.118.228 www.find4u.net

O1 - Hosts: 213.159.118.228 www.firstbookmark.com

O1 - Hosts: 213.159.118.228 www.gajai.com

O1 - Hosts: 213.159.118.228 www.hand-book.com

O1 - Hosts: 213.159.118.228 www.hao123.com

O1 - Hosts: 213.159.118.228 www.hotsearchbox.com

O1 - Hosts: 213.159.118.228 www.hotwebsearch.com

O1 - Hosts: 213.159.118.228 www.hugesearch.net

O1 - Hosts: 213.159.118.228 www.iquicksearch.com

O1 - Hosts: 213.159.118.228 www.lookfor.cc

O1 - Hosts: 213.159.118.228 www.maxxxhosters.com

O1 - Hosts: 213.159.118.228 www.naver.com

O1 - Hosts: 213.159.118.228 www.nkvd.us

O1 - Hosts: 213.159.118.228 www.novafuck.com

O1 - Hosts: 213.159.118.228 www.ohcorea.com

O1 - Hosts: 213.159.118.228 www.omega-search.com

O1 - Hosts: 213.159.118.228 www.onet.pl

O1 - Hosts: 213.159.118.228 www.power-search.info

O1 - Hosts: 213.159.118.228 www.rightfinder.net

O1 - Hosts: 213.159.118.228 www.search-1.net

O1 - Hosts: 213.159.118.228 www.search-and-go.com

O1 - Hosts: 213.159.118.228 www.search-dot.com

O1 - Hosts: 213.159.118.228 www.search-space.com

O1 - Hosts: 213.159.118.228 www.searchforge.com

O1 - Hosts: 213.159.118.228 www.searching-the-net.com

O1 - Hosts: 213.159.118.228 www.searchv.com

O1 - Hosts: 213.159.118.228 www.searchxl.com

O1 - Hosts: 213.159.118.228 www.seznam.cz

O1 - Hosts: 213.159.118.228 www.slotch.com

O1 - Hosts: 213.159.118.228 www.spidersearch.com

O1 - Hosts: 213.159.118.228 www.startium.com

O1 - Hosts: 213.159.118.228 www.therealsearch.com

O1 - Hosts: 213.159.118.228 www.ttjj.com

O1 - Hosts: 213.159.118.228 www.viewpornkey.com

O1 - Hosts: 213.159.118.228 www.wazzupnet.com

O1 - Hosts: 213.159.118.228 www.websearch.com

O1 - Hosts: 213.159.118.228 www.windowws.cc

O1 - Hosts: 213.159.118.228 www.xgmm.com

O1 - Hosts: 213.159.118.228 xwebsearch.biz

O1 - Hosts: 213.159.118.228 yourbookmarks.ws

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll

O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll

O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe

O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: Natural Reader (HKLM)

O9 - Extra button: ICQ Pro (HKLM)

O9 - Extra 'Tools' menuitem: ICQ (HKLM)

O9 - Extra button: Nocs Bar (HKLM)

O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll

O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgrooves.com/nsv/nsvplayx_vp6_mp3.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca

O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

Edited by rickiedee

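A log like the one above can be triaged mechanically before anyone reads it line by line. The block below is an added example, not HijackThis code and not anything posted in this thread. It assumes the HijackThis v1.97 line format shown above, builds a short constructed sample modelled on the posted log, and flags the three patterns that stand out there: many O1 hosts entries resolving to a single IP, an O4 Run entry whose executable name is a near miss of a Windows system binary (svhost.exe next to the real svchost.exe), and R0/R1 browser settings all pointing at the same external host. The similarity threshold and the list of system binaries are the example's own choices.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 log format, modelled on the log
# posted in the thread but trimmed to a few representative lines.
SAMPLE_LOG = """\
Logfile of HijackThis v1.97.7
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://hgmewe.outhost.info/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://hgmewe.outhost.info/
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://
R3 - Default URLSearchHook is missing
O1 - Hosts: 213.159.118.228 allneedsearch.com
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.onet.pl
O4 - HKLM\\..\\Run: [Network Service] C:\\WINDOWS\\svhost.exe -sr -1
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O1 - Hosts: ..." style lines
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")     # O1 body: "<ip> <hostname>"
RUN_TARGET_RE = re.compile(r'\]\s*(?:"([^"]+)"|(\S+))')  # O4 body: path after "[name]"
URL_SETTING_RE = re.compile(r"=\s*(https?://\S+)")    # R0/R1 body: "... = http://host/"

# Assumed list of Windows binaries that malware likes to imitate (example's choice).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}


def parse_entries(text):
    """Return (code, body) tuples for every R*/O* line; process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_sinkhole(entries, threshold=3):
    """IPs that many hosts-file entries point at: a bulk redirect of search/ad domains."""
    by_ip = defaultdict(list)
    for code, body in entries:
        if code != "O1":
            continue
        m = HOSTS_RE.match(body)
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return sorted((ip, len(names)) for ip, names in by_ip.items() if len(names) >= threshold)


def lookalike_run_entries(entries, min_ratio=0.85):
    """Run-key executables whose basename is close to, but not equal to, a system binary."""
    hits = []
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN_TARGET_RE.search(body)
        if not m:
            continue
        path = m.group(1) or m.group(2)
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_BINARIES:
            continue
        for real in sorted(SYSTEM_BINARIES):
            if SequenceMatcher(None, name, real).ratio() >= min_ratio:
                hits.append((name, real))
                break
    return hits


def browser_hijack_hosts(entries):
    """Distinct hosts that the R0/R1 start/search/default page settings point at."""
    hosts = set()
    for code, body in entries:
        if code not in ("R0", "R1"):
            continue
        m = URL_SETTING_RE.search(body)
        if m:
            host = urlparse(m.group(1)).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def triage(log_text):
    entries = parse_entries(log_text)
    return {
        "hosts_sinkhole": hosts_sinkhole(entries),
        "lookalike_run_entries": lookalike_run_entries(entries),
        "browser_hijack_hosts": browser_hijack_hosts(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, the hosts check reports the one IP with well over the threshold of redirected names, and the lookalike check singles out the "Network Service" entry while leaving the QuickTime, Lexmark and ctfmon entries alone.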

Rickidee,

 

Please search for the following files:

 

1)- Start

2)- Search

3)- Files or Folders

4)- Search for Files or Folders Named

 

Then type in the names. If a file comes up click once on the icon and copy down the directory.

 

hxdefdrv.sys

svhost.exe - do not confuse with svchost.exe

winunins.ini

winuins.exe

sachost.exe

inatjoy.dll

trj4j6js.exe

motkrtin.dll

witadr.dll

ddd.exe

 

If there is anyway you get access to a Windows disk it will make the entire process easier and quicker.


I did a search and nothing came up... hxdefdrv.sys is usually in c:\windows but every time I reboot my computer my antivirus deletes it automatically.


Rickidee,

 

Go to the command prompt Start>Run>CMD.

 

Go to the Windows Directory cd\windows

 

Display Files dir/p

 

See if you see these files:

 

hxdefdrv.sys

svhost.exe - do not confuse with svchost.exe

winunins.ini

winunins.exe

 

I can see svhost.exe in "Hijack This" so I know that's there.

Edited by Cyril


Rickiedee,

 

Apparently it looks like you are going to have to get a startup CD to remove this trojan. It seems that in the XP platform the Trojan Downloader file is only visible from booting from the CD.

 

I am going to try to break the trojan with empty files to see if that will clear up this problem.

 

1)- Go to the Command Prompt - start>run>cmd

2)- Go to windows directory - cd\windows

3)- Create empty Hxdefdrv.sys file

 

Copy Con hxdefdrv.sys

Echo off

Cls

Press the "F6" key ( You should receive a message 1 file copied )

 

4)- Create empty winunins.exe file

 

Copy Con winunins.exe

Echo off

Cls

Press the "F6" key ( You should receive a message 1 file copied )

 

5)- Create empty svhost.exe file.

 

Copy Con svhost.exe

Echo off

Cls

Press the "F6" key ( You should receive a message 1 file copied )

 

6)- Create empty inatjoy.dll

 

cd\windows\system32

Copy Con inatjoy.dll

Echo off

Cls

Press the "F6" key ( You should receive a message 1 file copied )

 

7)- Reboot

 

Let me know if this works.

Edited by Cyril


OK, um, how do you create an empty file in the command prompt? Second, what is copy con? And third, do I need the Windows startup disc for this? And by the Windows startup disc do you mean boot disc, or the actual setup disc?


This is the procedure to create an empty file named hxdefdrv.sys

 

1)- Left click once on Start Button at bottom left of your PC.

2)- Left click once on Run

3)- Type in cmd in the field and left click ok

 

4)- At this point you should see the "c:\" prompt and probably the directory that you're in will be after it. For example:

 

"c:\My Documents>"

 

At the ">" type in cd\windows and press "enter"

 

5)- The bottom of your screen should read c:\windows>

type in the following lines - you will not see the "c:\" prompt key again until after you press the "F6" key. Each time you press enter the cursor will drop one line.

 

A)- Type In Copy con hxdefdrv.sys "Press Enter"

B)- If the PC asks "Do you want to overwrite file?" press "Y"

C)- Echo off "Press Enter"

D)- Cls "Press Enter"

E)- Press the "F6" key from the keys above your normal typewriter keyboard. After you press the "F6" key you get the symbol "^Z" and the message "1 file copied".

 

Continue each numbered step for each file as I've detailed above.

Edited by Cyril


Your second question "What is copy con" - It's the process of copying commands to your console.

 

In layman's terms it's how you create files.

 

As for the Startup Disks, we need to be able to boot from the CD. If you have a boot disk that should be fine.

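The overwrite prompt in the copy con steps above is the useful detail: Windows Search and dir do not show hxdefdrv.sys, yet the filesystem still answers when the file is asked for by name. That gap between an enumerated view of a directory and a by-name probe is the general cross-view check for a file-hiding rootkit, and is the same reason the thread falls back to booting from CD. The block below is an added example, not part of this thread or of any tool mentioned in it. It creates a few empty files in a temporary directory and simulates the hidden listing with an explicit filter set (a real rootkit hooks the directory enumeration in the kernel, which cannot be reproduced offline); the names it probes for are the ones the thread asks the user to look for.

```python
import os
import tempfile

# File names the thread asks the user to search for (taken from the posts above).
SUSPECT_NAMES = ["hxdefdrv.sys", "svhost.exe", "winunins.exe", "winunins.ini", "inatjoy.dll"]


def listing_view(directory, hidden_filter=frozenset()):
    """Directory contents as an enumeration-based tool (dir, Search) would see them.
    `hidden_filter` SIMULATES a rootkit stripping its own files from the listing;
    on a real machine you would use os.listdir() unmodified."""
    names = {name.lower() for name in os.listdir(directory)}
    return names - hidden_filter


def probe_view(directory, candidates):
    """Ask for each candidate by name, the way `copy con` does before it offers to overwrite.
    Opening by name does not go through the directory enumeration the listing relies on."""
    present = set()
    for name in candidates:
        path = os.path.join(directory, name)
        try:
            with open(path, "rb"):
                present.add(name.lower())
        except OSError:
            continue
    return present


def cross_view_diff(directory, candidates, hidden_filter=frozenset()):
    """Names that exist when probed directly but are missing from the listing."""
    return sorted(probe_view(directory, candidates) - listing_view(directory, hidden_filter))


def demo():
    """Build a scratch directory and compare the clean and the simulated hooked views."""
    with tempfile.TemporaryDirectory() as workdir:
        for name in ("hxdefdrv.sys", "svhost.exe", "notepad.exe"):   # constructed sample files
            open(os.path.join(workdir, name), "wb").close()
        simulated_hook = frozenset({"hxdefdrv.sys", "svhost.exe"})  # what the rootkit would hide
        clean = cross_view_diff(workdir, SUSPECT_NAMES)
        hooked = cross_view_diff(workdir, SUSPECT_NAMES, simulated_hook)
        return clean, hooked


if __name__ == "__main__":
    clean, hooked = demo()
    print("no discrepancy on a clean listing:", clean)
    print("present on disk but hidden from the listing:", hooked)
```

On a clean system the two views agree and the diff is empty; with the listing hooked, the two suspect names show up only in the probe view, which is exactly what the overwrite prompt told the user by hand. The check only finds names you already know to ask for, which is why the thread supplies a list of file names rather than telling the user to look around.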

If you're not still in the windows directory please navigate back using the instructions I gave you before.

 

Your screen should have the following prompt:

 

c:\windows>

 

Type in dir/p and a series of files will appear; the listing will stop when your page is full.

 

Look for the following files:

 

winunins.exe

winunins.ini

svhost.exe

 

Press enter to view the next page.

 

I'm assuming from your post you were able to create the file:

 

hxdefdrv.sys

Edited by Cyril


Yes, I was able to copy hxdefdrv.sys and inatjoy.dll... and I looked once again and I did not find the winunins.ini, svhost.exe and the winunins.ini files... and I was in the windows directory the whole time I was trying to copy the files...


Rickidee,

 

Sorry for the delay, I'll be back to you tomorrow.

Edited by Cyril


OK thanks, I'll try and get the startup discs... in the meantime I will be as patient as possible. Thanks again for your help, peace.


Rickidee,

 

On the "Windows XP" platform it is possible to save information in two ways. The newer version uses "Windows NT File System", commonly referred to as "NTFS". The older method used the "File Allocation Table", commonly referred to as "FAT" files. If you are using "FAT" files it is possible to create a boot disk which will boot into "DOS" and bypass "Windows". At this point we can manually delete the "Rootkit Trojan" that is preventing us seeing the files in question.

 

Please use the following procedure to determine if you have "FAT" files.

 

1)- From your Desktop double click the My Computer icon.

2)- Right click on your C drive

3)- Choose Properties

4)- Look for the "File System" entry. (It'll either say NTFS or FAT32)

Edited by Cyril

I have a FAT32 system.


:D Ok

 

You need to get a diskette and put it in your floppy drive ( I'm assuming "A" drive). Then do the following.

 

1)- "Click on" Start

2)- "Click on" Run

3)- "Type in" CMD

4)- "Type in" CD\ "Press Enter"

5)- "Type in" SYS a: "Press Enter"

6)- "Type in" a: "Press Enter"

(Make sure A:\> is now your prompt)

7)- "Type in" copy c:\command.com "Press Enter"

Edited by Cyril
