Hacker Defender



#1 Guest_Cyril_*


Posted 16 May 2004 - 10:49 PM

Rickiedee,

I received your E-Mail and it's going to be necessary for you to register in the new forum.

Until we get the fix for this thing, it would be a good idea to keep the computer in question disconnected from the internet.... This is a trojan program with backdoors all over the place and it is hard to say what it can do to your system and what information it will steal from you....

We need to download "Hijack This" to a "Diskette" or "CD Rom".

If you do not have access to an uninfected computer I will E-Mail you the file.

If you have access to an uninfected computer go to 'Hijack This!' (the link is at the bottom of the page).


File
Open
click "extract to regular folder"
name your diskette or cd rom

When the "Hijack This" Icon appears on your screen right click on your mouse and go to rename.

Change the File name to whatever you like ie: "Hacker This".

Take the "CD" or "Diskette" to the Infected PC.
Press start>right click your mouse to explore>point to the "CD" or "Diskette".
Double click on "Hacker This".
Do a scan and post your log here.

#2 rickiedee


Posted 17 May 2004 - 01:39 PM

I got someone to send me the file over the net and he renamed it before sending it to me... I then burnt it to a CD and it still wouldn't let me run it!!! So I went into safe mode and the program compiled the following log, if it is of any help to you...

Logfile of HijackThis v1.97.7
Scan saved at 2:51:15 PM, on 5/17/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Pat\My Documents\patsshittyass.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hgmewe.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://hgmewe.outhost.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://hgmewe.outhost.info/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Freedom Popup Killer - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
O2 - BHO: Freedom BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
O2 - BHO: (no name) - {BF55256A-3B3B-11D2-B05B-000001145917} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Network Service] C:\WINDOWS\svhost.exe -sr -1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Natural Reader (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Nocs Bar (HKLM)
O9 - Extra 'Tools' menuitem: Nocs Bar (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .midi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.orbitalgr...ayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: Domain = sympatico.ca
O17 - HKLM\System\CCS\Services\Tcpip\..\{F10F1913-7DF7-4312-A29F-3C6A582E7C91}: NameServer = 192.168.2.1

Edited by rickiedee, 17 May 2004 - 01:54 PM.
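A defender-side check of the kind this thread is doing by hand, as an added example that is not part of the original thread: a small Python script that scans HijackThis-style log lines for three things visible in the log above (a process running from a user profile, an O4 Run entry whose file name is one character off a Windows system binary, as svhost.exe is off svchost.exe, and a hosts file mapping many names to one remote address). The sample log is constructed from a few lines in the shape of the posted log; the file name dropper.exe, the list of imitated system binaries and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def basename(path):
    return path.rstrip("\\").split("\\")[-1].lower()

def analyse_hjt(log):
    """Return (reason, evidence) findings for a HijackThis-style log."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for line in (l.strip() for l in log.splitlines()):
        # Running processes: a binary launched from a user profile deserves a look.
        if re.match(r"(?i)c:\\documents and settings\\", line):
            findings.append(("process in user profile", line))
        # O4 autostart entries: quoted or unquoted path after the [name] tag.
        m = re.match(r'O4 - .*?: \[[^\]]*\] (?:"([^"]+)"|(\S+))', line)
        if m:
            name = basename(m.group(1) or m.group(2))
            if name not in SYSTEM_BINARIES and any(edit_distance(name, s) == 1 for s in SYSTEM_BINARIES):
                findings.append(("lookalike of a system binary", line))
        # O1 hosts entries: record which names resolve to which address.
        m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
        if m:
            hosts_by_ip[m.group(1)].add(m.group(2))
    # Many names pointed at one non-local address is a hijack, not a blocklist.
    for ip, names in hosts_by_ip.items():
        if ip not in ("127.0.0.1", "0.0.0.0") and len(names) >= 3:
            findings.append(("hosts file redirects %d names to %s" % (len(names), ip), ip))
    return findings

# Constructed sample in the shape of the posted log (dropper.exe is an assumed name).
SAMPLE_LOG = """\
C:\\Documents and Settings\\Pat\\My Documents\\dropper.exe
O1 - Hosts: 213.159.118.228 www.daum.net
O1 - Hosts: 213.159.118.228 www.naver.com
O1 - Hosts: 213.159.118.228 www.seznam.cz
O4 - HKLM\\..\\Run: [Network Service] C:\\WINDOWS\\svhost.exe -sr -1
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
"""
```

Run `analyse_hjt(SAMPLE_LOG)` to get the three findings; feed it a full log pasted from HijackThis for real use.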


#3 Guest_Cyril_*


Posted 17 May 2004 - 02:22 PM

Rickidee,

Please search for the following files:

1)- Start
2)- Search
3)- Files or Folders
4)- Search for Files or Folders Named

Then type in the names. If a file comes up click once on the icon and copy down the directory.

hxdefdrv.sys
svhost.exe - do not confuse with svchost.exe
winunins.ini
winuins.exe
sachost.exe
inatjoy.dll
trj4j6js.exe
motkrtin.dll
witadr.dll
ddd.exe

If there is any way you can get access to a Windows disk, it will make the entire process easier and quicker.

#4 rickiedee


Posted 17 May 2004 - 03:36 PM

I did a search and nothing came up... hxdefdrv.sys is usually in c:\windows but every time I reboot my computer my antivirus deletes it automatically.

#5 Guest_Cyril_*


Posted 17 May 2004 - 06:03 PM

Rickidee,

Go to the command prompt Start>Run>CMD.

Go to the Windows Directory cd\windows

Display Files dir/p

See if you see these files:

hxdefdrv.sys
svhost.exe - do not confuse with svchost.exe
winunins.ini
winunins.exe

I can see svhost.exe in "Hijack This" so I know that's there.

Edited by Cyril, 17 May 2004 - 06:05 PM.


#6 rickiedee


Posted 17 May 2004 - 07:38 PM

None of those files are showing up, man, I looked a million times!

Edited by rickiedee, 17 May 2004 - 07:39 PM.


#7 Guest_Cyril_*


Posted 17 May 2004 - 11:16 PM

Rickiedee,

Apparently it looks like you are going to have to get a startup CD to remove this trojan. It seems that on the XP platform the Trojan Downloader file is only visible when booting from the CD.

I am going to try to break the trojan with empty files to see if that will clear up this problem.

1)- Go to the Command Prompt - start>run>cmd
2)- Go to windows directory - cd\windows
3)- Create empty Hxdefdrv.sys file

Copy Con hxdefdrv.sys
Echo off
Cls
Press the "F6" key ( You should receive a message 1 file copied )

4)- Create empty winunins.exe file

Copy Con winunins.exe
Echo off
Cls
Press the "F6" key ( You should receive a message 1 file copied )

5)- Create empty svhost.exe file.

Copy Con svhost.exe
Echo off
Cls
Press the "F6" key ( You should receive a message 1 file copied )

6)- Create empty inatjoy.dll

cd\windows\system32
Copy Con inatjoy.dll
Echo off
Cls
Press the "F6" key ( You should receive a message 1 file copied )

7)- Reboot

Let me know if this works.

Edited by Cyril, 17 May 2004 - 11:44 PM.


#8 rickiedee


Posted 18 May 2004 - 08:50 AM

OK, um, how do you create an empty file in the command prompt? Second, what is copy con? And third, do I need the Windows startup disc for this? And by the Windows startup disc do you mean boot disc, or the actual setup disc?

#9 Guest_Cyril_*


Posted 18 May 2004 - 10:03 AM

This is the procedure to create an empty file named hxdefdrv.sys

1)- Left click once on Start Button at bottom left of your PC.
2)- Left click once on Run
3)- Type in cmd in the field and left click ok

4)- At this point you should see the "c:\" prompt and probably the directory that you're in will be after it. For example:

"c:\My Documents>"

At the ">" type in cd\windows and press "enter"

5)- The bottom of your screen should read c:\windows>
type in the following lines - you will not see the "c:\" prompt key again until after you press the "F6" key. Each time you press enter the cursor will drop one line.

A)- Type In Copy con hxdefdrv.sys "Press Enter"
B)- If the PC asks "Do you want to overwrite file" press "Y"
C)- Echo off "Press Enter"
D)- Cls "Press Enter"
E)- Press the "F6" key from the keys above your normal typewriter keyboard. After you press the "F6" key you get this symbol "^Z" and the message "1 file copied".

Continue each numbered step for each file as I've detailed above.

Edited by Cyril, 18 May 2004 - 10:07 AM.


#10 Guest_Cyril_*


Posted 18 May 2004 - 10:12 AM

Your second question, "What is copy con" - It's the process of copying commands to your console.

In layman's terms it's how you create files.

As for the Startup Disks, we need to be able to boot from the CD. If you have a boot disk that should be fine.

#11 rickiedee


Posted 18 May 2004 - 12:07 PM

OK, um, winunins.exe was in use and could not be copied, and same for svhost.exe.

#12 Guest_Cyril_*


Posted 18 May 2004 - 01:40 PM

If you're not still in the windows directory please navigate back using the instructions I gave you before.

Your screen should have the following prompt:

c:\windows>

Type in dir/p and a series of files will appear and will stop when your page is full:

Look for the following files:

winunins.exe
winunins.ini
svhost.exe

Press enter to view the next page.

I'm assuming from your post you were able to create the file:

hxdefdrv.sys

Edited by Cyril, 18 May 2004 - 01:41 PM.


#13 rickiedee


Posted 18 May 2004 - 04:35 PM

Yes, I was able to copy hxdefdrv.sys and inatjoy.dll... and I looked once again and I did not find the winunins.ini, svhost.exe and the winunins.ini files... and I was in the Windows directory the whole time I was trying to copy the files...

#14 Guest_Cyril_*


Posted 18 May 2004 - 06:20 PM

Reboot and come back to this directory and see if the files are there now.

#15 rickiedee


Posted 18 May 2004 - 06:30 PM

Nope, still not there.

#16 Guest_Cyril_*


Posted 18 May 2004 - 11:07 PM

Rickidee,

Sorry for the delay, I'll be back to you tomorrow.

Edited by Cyril, 18 May 2004 - 11:23 PM.


#17 rickiedee


Posted 18 May 2004 - 11:17 PM

OK, thanks, I'll try and get the startup discs... in the meantime I will be as patient as possible, thanks again for your help, peace.

#18 Guest_Cyril_*


Posted 19 May 2004 - 11:56 AM

Rickidee,

On the "Windows XP" platform it is possible to save information in two ways. The newer version uses "Windows NT File System", commonly referred to as "NTFS". The older method used the "File Allocation Table", commonly referred to as "FAT" files. If you are using "FAT" files it is possible to create a boot disk which will boot into "DOS" and bypass "Windows". At this point we can manually delete the "Rootkit Trojan" that is preventing us seeing the files in question.

Please use the following procedure to determine if you have "FAT" files.

1)- From your Desktop double click the My Computer icon.
2)- Right click on your C drive
3)- Choose Properties
4)- Look for the "File System" entry. (It'll either say NTFS or FAT32)

Edited by Cyril, 19 May 2004 - 12:15 PM.


#19 rickiedee


Posted 19 May 2004 - 12:19 PM

I have a FAT32 system.

#20 Guest_Cyril_*


Posted 19 May 2004 - 12:35 PM

:D Ok

You need to get a diskette and put it in your floppy drive ( I'm assuming "A" drive). Then do the following.

1)- "Click on" Start
2)- "Click on" Run
3)- "Type in" CMD
4)- "Type in" CD\ "Press Enter"
5)- "Type in" SYS a: "Press Enter"
6)- "Type in" a: "Press Enter"
(Make sure a:\ is now your prompt)
7)- "Type in" copy c:\command.com "Press Enter"

Edited by Cyril, 19 May 2004 - 12:39 PM.






Member of ASAP and UNITE
Support SpywareInfo Forum - click the button