
Hacker defender, hxdefdrv.sys and CWS



#1 duke9106


Posted 18 May 2004 - 03:09 PM

Continued from previous forum:

http://www.spywarein...hacker defender

Cyril was working on this a few days ago but I had to go out of town on the 15th.
My son was reading the various hacker defender topics and tried a few things suggested in the forums. The affected PC has improved greatly. I can now get Hijack this to work from the desktop. CWShredder no longer detects cws.googlems. Outhost info seems to be gone along with the 89
O1 - Hosts: 213.159.118.228 ( various names ) .

Hxdefdrv.sys however reappears after each bootup DESPITE repeated deletions with Killbox and AVG antivirus. Spybot shortcuts and directories remain hidden.
My original CWShredder desktop item now shows but occasionally it disappears.

I have 2 PCs at home with Windows XP. They both came with recovery disks and not the Windows XP Installation disc. I called a # of friends but everybody seems to have XP restore or XP recovery disks. I can't seem to track down an original XP Installation disc. I am hoping you guys can rid Hacker Defender through a Windows approach.

Here is the latest HJT log taken from regular mode desktop. I can also provide a safe mode HJT log if required.

Logfile of HijackThis v1.97.7
Scan saved at 5:35:52 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Computer\Desktop\JOHN\yuck.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ass\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Metacrawler Toolbar - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\ultrabar.dll
O3 - Toolbar: IE Reader - {3C24A589-43D7-4CA2-AACE-30424985B955} - C:\Program Files\LatestSoft\Internet Explorer Reader\VoiceBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [svchosts] svchosts.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000un...mCity3TeleX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...358/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

Edited by duke9106, 18 May 2004 - 03:53 PM.


#2 HighTide


Posted 18 May 2004 - 03:23 PM

This is how I did a manual removal - quite safe if you have the adrenaline going :p

Now I got u Sucker!!

How to get rid of HackerDefender100 by HighTide :)

First turn off System Restore in system properties!

With or without a virus scanner loaded (just ignore the 'you have a virus. blah blah' messages)

1) Search boot drive for *.ini containing 'hidden'
Sort the files by size and pick on any suspiciously named 1kb or so sized file, open it with notepad and look at it, you will see [Hidden Table] and more about HackerDefender100 - you have the config file for the trojan now.

*This table hides the files listed from explorer and DOS so you cannot spot virus components or install patches easily.

2) search for each file in the [Hidden Table] section and delete only the FOES

[Hidden Table]
*FOES
inatjoy.dll (c:\WINDOWS\system32\)
motkrtin.dll (not found)
witadr.dll (c:\WINDOWS\system32\)
winunins.exe (c:\WINDOWS\)
svhost.exe (c:\WINDOWS\ and c:\WINDOWS\HELP\)
*FRIENDS
CWShredder* (c:\WINDOWS\Prefetch\)
HijackThis* (not found)
ProceXP* (not found)
Spybot* (not found)
msconfig* (C:\WINDOWS\PCHealth\HelpCtr\Binaries)


Ok now here's the tricky bit because some of these files you can't delete while Windows has them in memory.
You have to remove the files you can, and delete the registry keys then re-start, this way the trojan cannot function and the last files can be deleted.

Click START then Run 'Regedit /v'
Press CTRL-F to search the registry for each of the hidden keys in the [Hidden RegKeys] section and delete them.
If you cannot delete the registry key (Access Denied) then RIGHT-click key and click Permissions..
Set Full Control to Allow everyone rights

[Hidden RegKeys]
HackerDefender100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\HackerDefender100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\HackerDefender100
LEGACY_HACKERDEFENDER100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HACKERDEFENDER100
LEGACY_HACKERDEFENDERDRV100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_HACKERDEFENDERDRV100
HackerDefender100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HackerDefender100
HackerDefenderDrv100
*HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HACKERDEFENDERDRV100
HackerDefenderDrv100
*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HackerDefenderDrv100


In the [Settings] section, you will see a key DriverFileName=hxdefdrv.sys, delete this file (C:\WINDOWS\hxdefdrv.sys)

It is now GONE and will not return from HELL!

Cya
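Added here as an editor's example for the ini layout HighTide describes above ([Hidden Table], [Hidden RegKeys], [Settings]) and for the NET STOP step duke9106 reports later in the thread; it is not code from the thread or from the rootkit's authors. The sample ini, the KNOWN_TOOLS list and the filler-character set are constructed assumptions, and the script is meant to run on a config pulled from a clean boot environment, producing a checklist rather than touching the infected host itself.

```python
"""Turn a Hacker Defender (hxdef100) style ini file into a cleanup checklist."""
import fnmatch
import re

# Constructed sample ini modelled on the sections HighTide quotes above; the
# ServiceName key is assumed from hxdef defaults (the thread shows only DriverFileName).
SAMPLE_INI = """\
[Hidden Table]
hxdef*
inatjoy.dll
witadr.dll
winunins.exe
svhost.exe
CWShredder*
HijackThis*
msconfig*

[Hidden RegKeys]
HackerDefender100
HackerDefenderDrv100
LEGACY_HACKERDEFENDER100
LEGACY_HACKERDEFENDERDRV100

[Settings]
DriverFileName=hxdefdrv.sys
ServiceName=HackerDefender100
"""

# Legitimate tools the rootkit hides to blind the operator (HighTide's "FRIENDS"); assumed list.
KNOWN_TOOLS = ("cwshredder*", "hijackthis*", "procexp*", "spybot*", "msconfig*")

# hxdef100 skips filler characters in its ini; the exact set here is an assumption
# made for this example, not something the thread documents.
FILLER = re.compile(r'[|<>:\\/"]')


def parse_hxdef_ini(text):
    """Return {section_name_lowercased: [entries]} with filler characters stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = FILLER.sub("", raw).strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def settings(sections):
    """Key=value pairs from [Settings], keys lower-cased for lookup."""
    out = {}
    for entry in sections.get("settings", []):
        key, _, value = entry.partition("=")
        out[key.strip().lower()] = value.strip()
    return out


def classify_hidden_table(sections, known_tools=KNOWN_TOOLS):
    """Split [Hidden Table] into hidden security tools and suspected rootkit files."""
    friends, foes = [], []
    for pattern in sections.get("hidden table", []):
        if any(fnmatch.fnmatch(pattern.lower(), tool) for tool in known_tools):
            friends.append(pattern)
        else:
            foes.append(pattern)
    return friends, foes


def locate_hidden_files(sections, directory_listing):
    """Match [Hidden Table] patterns against a listing taken outside the rootkit's
    view (e.g. from a boot CD, as Cyril describes). Exact names: svchost.exe != svhost.exe."""
    hits = {}
    for pattern in sections.get("hidden table", []):
        matches = [name for name in directory_listing
                   if fnmatch.fnmatch(name.lower(), pattern.lower())]
        if matches:
            hits[pattern] = matches
    return hits


def cleanup_checklist(text, directory_listing=()):
    """Service to stop first (post #7's NET STOP step), driver, files and keys to remove."""
    sections = parse_hxdef_ini(text)
    cfg = settings(sections)
    friends, foes = classify_hidden_table(sections)
    service = cfg.get("servicename")
    return {
        "service": service,
        "stop_command": f"NET STOP {service}" if service else None,
        "driver": cfg.get("driverfilename"),
        "delete_files": foes,
        "hidden_tools": friends,
        "delete_regkeys": sections.get("hidden regkeys", []),
        "present_on_disk": locate_hidden_files(sections, directory_listing),
    }
```

Call `cleanup_checklist(SAMPLE_INI, listing)` with a directory listing captured from the boot CD to see which hidden files are actually present before deleting anything; the "hidden_tools" entries are your own tools and should not be deleted.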

#3 duke9106


Posted 18 May 2004 - 03:40 PM

Thanks. I will wait for one of the experts here to review your fix before I proceed. I hope it works as this hacker defender pest is driving me insane.

#4 Guest_Cyril_*


Posted 18 May 2004 - 04:07 PM

Hi Duke,

1)- Put the recovery disks in the PC and boot to the cd.
2)- You should have d:> on your screen if that's your "CD" Drive.
3)- Type c: "enter"
4)- Type cd\windows "enter"
5)- dir/p "enter"
6)- Your screen will fill with files. Look for the following files.

winunins.exe
winunins.ini
hxdefdrv.sys

7)- cd\windows\system32 "press enter"
8)- dir/p "enter" again your screen will fill with files
9)- look for inatjoy.dll

#5 duke9106


Posted 18 May 2004 - 05:13 PM

Cyril: I have a Recovery CD Media which is for the ALC Open Computer. I can't locate the recovery CD for the affected computer which is a different computer.

I first put this disc in the unaffected computer ( ALC Open ) and booted from D drive. A screen came up stating I have 5 seconds to press R for recovery or the PC will continue to windows. I pressed R. A new screen appeared giving 3 choices.

Press R for standard system recovery options.

Press F to format and perform a full system recovery

Press Q to quit and boot the O/S on hard disk.

I pressed R and got the message "Fatal System Error. System has been shut down."

I tried again. Same results.

I went to the affected computer. It will not boot from the CD recovery disc. It simply boots from the hard drive. Tried everything. Guess I need to adjust the BIOS settings in order for it to boot from the CD-ROM but I know nothing about this procedure. Regardless, it's not going to work based on the above.

Wish I had a Windows XP installation disc but no luck in tracking one down.

#6 rand1038


Posted 18 May 2004 - 10:14 PM

Hi Cyril :)

duke9106

Might as well clean up that log a bit first.

Place a check mark in HijackThis (yuck.exe in your case I believe) and click "fix checked". I don't see svchosts.exe (notice the trailing s on the file name) in running processes, but it could be hidden by the root kit (hxdef).

O4 - HKLM\..\RunServices: [svchosts] svchosts.exe

If you did not do this, tick it also.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

All of these (they are broken)
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

Can you get regedit to run ? If not how about regedt32 ? (Go to start run and type one of those bold names into the box, the registry editor window should pop up).

I have a procedure which should disable the hxdef root kit. It has not been tested on a live infection. Let me know if you are willing to try it out. The fix HighTide posted will probably not work as the ini file in question will most likely be hidden by the root kit.

#7 duke9106


Posted 18 May 2004 - 10:40 PM

Guys: Many thanks to all of you, my computer is working perfect again. I followed WinHelp2002 instructions at the following thread:

http://www.spywarein...p?showtopic=505

From The "Command Prompt" (type)

NET STOP HACKERDEFENDER100 (press Enter)

I was finally able to find and delete all the following items & all registry items.
HACKERDEFENDER100
hxdefdrv.sys
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe (not "svchost.exe")
trj4j6js.exe
ddd.exe

Ran Mcafee and rebooted. Desktop items for CWSHREDDER and SPYBOT are back.
Ran AVG, McAfee, Spybot, CWShredder & everything is clean. Here is my latest HJT log: Let me know if it looks clean. I am mailing a donation tomorrow for your great work. Thanks again.

Logfile of HijackThis v1.97.7
Scan saved at 1:06:16 AM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\ass\SpybotSD.exe
C:\Documents and Settings\Computer\Desktop\JOHN\johnny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ass\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Metacrawler Toolbar - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\ultrabar.dll
O3 - Toolbar: IE Reader - {3C24A589-43D7-4CA2-AACE-30424985B955} - C:\Program Files\LatestSoft\Internet Explorer Reader\VoiceBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [svchosts] svchosts.exe
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...s/yinst0401.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {69F497FB-5082-4EA4-9305-9E19F20A2BFF} (MaxisSimCity3TeleX Control) - http://simcity3000un...mCity3TeleX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/t...nfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {CAFEEFAC-0014-0000-0003-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...358/mcfscan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab

#8 duke9106


Posted 19 May 2004 - 06:34 AM

My computer is now working perfect guys. Should I still go ahead and fix the following HJT items as mentioned by rand1038:

O4 - HKLM\..\RunServices: [svchosts] svchosts.exe

If you did not do this, tick it also.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

All of these (they are broken)
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -

Edited by duke9106, 19 May 2004 - 08:34 AM.


#9 rand1038


Posted 19 May 2004 - 08:27 AM

Yes, go ahead and fix those. The O4 is a reference to a malicious app, the O6 is not malicious in and of itself, it just locks access to internet options from within Internet Explorer (you can still get to them through the control panel), and the O16's are just broken and should be cleaned up.

Good job finding the fix !!

#10 duke9106


Posted 19 May 2004 - 09:57 AM

Yes, go ahead and fix those. The O4 is a reference to a malicious app, the O6 is not malicious in and of itself, it just locks access to internet options from within Internet Explorer (you can still get to them through the control panel), and the O16's are just broken and should be cleaned up.

Good job finding the fix !!

Should I fix all O16's or just the 2 pertaining to O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment )

Only one problem I encountered since the fix. msconfig hasn't worked from the run menu since the hacker defender infection & I still get the message windows can't find msconfig.

MSCONFIG was hidden before by hacker defender but it is now back on my system at this location "C:\WINDOWS\system32\dllcache\msconfig.exe".

When I enter C:\WINDOWS\system32\dllcache\msconfig.exe on Run it works perfect. When I enter msconfig I still get the message windows can't find msconfig.
This is no big deal but I would like it to run with the msconfig command.

Do you guys want me to post another HJT log after the fixes ? Everything seems to be working perfect now.

#11 duke9106


Posted 19 May 2004 - 06:37 PM

I found a way to get msconfig to work. I created a shortcut for C:\WINDOWS\system32\dllcache\msconfig.exe and pasted it in C:\WINDOWS.

msconfig now works from the run command.

Everything now works perfect. I can access all antispyware sites. Cwshredder, spybot, Hijackthis and msconfig now all appear and work perfectly.

WinHelp2002 instructions at the following thread WORKED perfect for ridding the hacker defender pest and enabling me to see all the hidden files which would not show before. Thank-you WinHelp2002.

http://www.spywarein...p?showtopic=505

Would somebody follow-up my last post before I sign off. You guys are great as various computer repair companies over the phone (never heard of hacker defender) stated I have no choice but to format. I have hundreds of programs/games put on for the past 2 years and all is saved thanks to you guys.

A special thanks to Cyril who stated repeatedly we will get a fix for this hacker defender/CWS pest.

Edited by duke9106, 19 May 2004 - 06:44 PM.


#12 rand1038


Posted 19 May 2004 - 08:45 PM

You should find msconfig.exe in c:\windows\PCHealth\HelpCtr\Binaries. If it is not there, copy it from the dllcache and paste it there. The one in the cache is a compressed backup, you can then delete the shortcut in c:\windows.

You can remove any of the O16 items you like, if they are needed you will be prompted to download them again when you visit the site that uses them. None of the ones you had in the log you posted are malicious, just the broken Java ones.

Go ahead and reboot after you finish with the HijackThis fixes and then post one more fresh log so we can make sure it is all still clean.

#13 duke9106


Posted 19 May 2004 - 09:32 PM

Many thanks rand1038:

Here is my final HJT LOG unless you find something wrong:

Logfile of HijackThis v1.97.7
Scan saved at 11:51:09 PM, on 5/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Computer\Desktop\JOHN\HijackThis.exe
C:\WINDOWS\System32\regsvr32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Metacrawler Toolbar - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\ultrabar.dll
O3 - Toolbar: IE Reader - {3C24A589-43D7-4CA2-AACE-30424985B955} - C:\Program Files\LatestSoft\Internet Explorer Reader\VoiceBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

#14 rand1038


Posted 19 May 2004 - 09:56 PM

C:\WINDOWS\System32\regsvr32.exe

That is a valid location for that file but it does not usually appear in running processes. Were you performing an install or some other activity while running HijackThis ?

Just to be sure it is ok, check the properties. The one on my machine shows the following.

Under the general tab
Size: 9.50 KB (9,728 bytes)
Size on disk: 12.0 KB (12,288 bytes)

Under the version tab
File Version: 5.1.2600.0
Description:Microsoft© Register Server
Copyright Microsoft Corporation. All rights reserved.

If you copied msconfig to the proper folder you can tick this entry in HijackThis and "fix checked"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto

Other than that, your log is clean.

To be on the safe side you should change all your passwords, the infection you had can be used to launch a backdoor which may have allowed the person who installed that junk on your system to gain access to them.

#15 Guest_Cyril_*


Posted 19 May 2004 - 10:27 PM

:D Thanks for the kind words Duke - I'm glad to see everything worked out.

#16 duke9106


Posted 19 May 2004 - 10:34 PM

C:\WINDOWS\System32\regsvr32.exe

That is a valid location for that file but it does not usually appear in running processes. Were you performing an install or some other activity while running HijackThis ?

Just to be sure it is ok, check the properties. The one on my machine shows the following.

Under the general tab
Size: 9.50 KB (9,728 bytes)
Size on disk: 12.0 KB (12,288 bytes)

Under the version tab
File Version: 5.1.2600.0
Description:Microsoft© Register Server
Copyright Microsoft Corporation. All rights reserved.

If you copied msconfig to the proper folder you can tick this entry in HijackThis and "fix checked"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto

Other than that, your log is clean.

To be on the safe side you should change all your passwords, the infection you had can be used to launch a backdoor which may have allowed the person who installed that junk on your system to gain access to them.

It's okay rand1038. I must have had an activity in process. It doesn't show now.
Under the general tab I had the same as you.
Size: 9.50 KB (9,728 bytes)
Size on disk: 12.0 KB (12,288 bytes)

Under the version tab
File Version: 5.1.2600.0
Description:Microsoft© Register Server
Copyright Microsoft Corporation. All rights reserved.

I will copy msconfig to the proper folder later and tick entry as mentioned.

I will change passwords. This was the nastiest of pests. Thanks for the fix but I still don't know how to prevent it again. I always had latest windows updates and the best in antivirus/spyware programs.

This was likely downloaded through a Kazaa Lite download. I suspect 3d Studio Max as I downloaded it twice but the .exe ran but never gave me the program and this is when I got infected. My advice is to avoid illegal downloads from Kazaa.


This is my latest HJT log.

Logfile of HijackThis v1.97.7
Scan saved at 12:35:11 AM, on 5/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Computer\Desktop\JOHN\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metacrawler.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_0/home.html"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Computer\Application Data\Mozilla\Profiles\default\63dmyx65.slt\prefs.js)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Metacrawler Toolbar - {AACBDEE8-0813-4308-8121-94CB60848B2C} - C:\Program Files\MetacrawlerToolbar\ultrabar.dll
O3 - Toolbar: IE Reader - {3C24A589-43D7-4CA2-AACE-30424985B955} - C:\Program Files\LatestSoft\Internet Explorer Reader\VoiceBar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
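The O4 autorun lines in a HijackThis log like the one above are the ones worth reading most carefully. As an added example (not code from the thread or from HijackThis), this small Python parser pulls the program path out of each O4 entry, including rundll32 entries, and marks for review any that run from an unusual location such as dllcache. The sample lines are constructed from the format of the log above; the directory lists are an assumption.

```python
"""Added example: parse O4 (registry Run) lines from a HijackThis 1.97 log
and flag startup programs that live outside the usual locations."""
import re

# Constructed sample, in the format of the HJT log above (not the full log).
SAMPLE_LOG = r"""
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\system32\dllcache\msconfig.exe /auto
O4 - HKCU\..\Run: [X-Cleaner Freeware] "C:\PROGRA~1\X-CLEA~1\XCLEAN~1.EXE" -turbo -autostart -NOREBOOT
"""

# O4 - <hive>\..\<key>: [<name>] <command line>
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Assumed lists: where startup programs normally live, and places that are
# not wrong by themselves but deserve a second look (checked first, since
# dllcache is itself under System32).
EXPECTED_DIRS = (r"C:\Program Files", r"C:\PROGRA~1", r"C:\WINDOWS\System32", r"C:\WINDOWS")
REVIEW_DIRS = (r"C:\WINDOWS\System32\dllcache", r"C:\WINDOWS\Temp", r"C:\Documents and Settings")


def program_path(cmd):
    """Return the executable (or the DLL, for rundll32 entries) an O4 command runs."""
    if cmd.startswith('"') and '"' in cmd[1:]:
        return cmd[1:cmd.index('"', 1)]          # quoted path, arguments follow
    tokens = cmd.split()
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",")[0]           # "path,EntryPoint" -> path
    return tokens[0]


def classify(path):
    """'expected' for normal program locations, 'review' for anything else."""
    low = path.lower()
    if any(low.startswith(d.lower()) for d in REVIEW_DIRS):
        return "review"
    if any(low.startswith(d.lower()) for d in EXPECTED_DIRS):
        return "expected"
    return "review"


def parse_o4(log_text):
    """Return (hive, name, path, verdict) for every O4 line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = program_path(m["cmd"])
            entries.append((m["hive"], m["name"], path, classify(path)))
    return entries
```

In this thread the dllcache entry is the msconfig copy the posters discuss, so a "review" verdict means confirm the entry, not delete it.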

#17 rand1038

rand1038

    Advanced Member

  • Retired Staff
  • 105 posts

Posted 19 May 2004 - 10:44 PM

Avoiding Kazaa altogether is advisable. Studies have shown that a high percentage of files on the Kazaa network are infected with viruses, worms and trojans.
Reference http://www.wired.com...n_story_related
Alternatives http://www.spywarein...m/articles/p2p/

Read How did I get infected in the first place and follow Tony's advice. He will tell you about some ways to make your computer more secure and link to some excellent free tools to help with that.

#18 duke9106

duke9106

    Member

  • Full Member
  • 17 posts

Posted 19 May 2004 - 11:09 PM

Avoiding Kazaa altogether is advisable. Studies have shown that a high percentage of files on the Kazaa network are infected with viruses, worms and trojans.
Reference http://www.wired.com...n_story_related
Alternatives http://www.spywarein...m/articles/p2p/

Read How did I get infected in the first place and follow Tony's advice. He will tell you about some ways to make your computer more secure and link to some excellent free tools to help with that.

Thanks rand1038. I now know how bad Kazaa can be. My anti-virus programs have kicked in dozens of times with warnings but I continued to be stubborn, thinking McAfee and AVG would catch all. I was wrong. They did not catch this latest variant of Hacker Defender in combination with many trojans.

I wish you guys would pin a topic about this. I am certain this latest Hacker Defender in combination with various trojans is from Kazaa.

You guys fixed my computer to perfection. I have 2 years of programs and games for my son and me, which you kept alive.

Your volunteer work here is greatly appreciated.

Donation on the way to this superb site.

Edited by duke9106, 20 May 2004 - 09:01 AM.




