hxdefdrv.sys freaks me out


  • This topic is locked
3 replies to this topic

#1 kenji


    Member

  • New Member
  • 2 posts

Posted 19 May 2004 - 10:55 AM

Since yesterday I have been bothered by a hacdef 084 trojan. I can't
download HijackThis or CWShredder to my PC. After renaming HijackThis,
I copied it to my PC. I scanned my PC and got the log as follows. It's really annoying that I can't download anti-trojan software anymore. My
OS is Win2000, and the online virus scan indicated my PC was
infected by hxdefdrv.sys (trojan hacdef 084). Even after getting rid of it,
the trojan reappears after reboot. This trojan really haunts me.

Any help will be appreciated!

---------------------------------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 23:43:49, on 2004-5-19
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
D:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe


O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O3 - Toolbar: ????? - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: AdobeWeb.log
O4 - Startup: ~
O4 - Global Startup: ntuser.pol
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

#2 PGPhantom


    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 20 May 2004 - 01:37 AM

There appear to be lines missing from the log - Please rerun HijackThis and when you save the log, click on "Edit" => "Select All" in Notepad, then "Edit" => "Copy" and post the log in its entirety.

Please make sure that you create a new directory c:\HJT and move the HijackThis.exe file into that directory and only run it from there.

In the meantime, the following should be deleted in HijackThis:
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll (file missing)

I am not familiar with the following but they do not sit right with me:
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: AdobeWeb.log
O4 - Startup: ~
O4 - Global Startup: ntuser.pol
Delete them (After making sure you are running HijackThis from C:\HJT - In the event that we need to restore the entries after the fact).

#3 PGPhantom


    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 20 May 2004 - 09:09 AM

These entries:
O4 - Startup: NTUSER.DAT
O4 - Startup: ntuser.dat.LOG
O4 - Startup: ntuser.ini
O4 - Startup: AdobeWeb.log
O4 - Startup: ~
O4 - Global Startup: ntuser.pol
May be okay - I was informed that you are running the Japanese version of Windows so you can leave them be :)
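As an added illustration of the triage applied in replies #2 and #3 (example code, not part of the thread or of HijackThis itself), a small Python parser for HijackThis entry lines that flags dead "(file missing)" references, non-executable items in the Startup folders, and O6 policy restrictions for review. The sample log text is constructed from the lines posted in this thread; the flagging rules are assumptions for illustration, and as reply #3 notes a flagged Startup item can still turn out to be legitimate.

```python
import re

# Constructed sample: HijackThis 1.97.7 entry lines of the kinds that appear
# in the thread above (paths as in the posted log, not a live scan).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FLASHGET\jccatch.dll (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FLASHGET\fgiebar.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - Startup: NTUSER.DAT
O4 - Startup: ~
O4 - Global Startup: ntuser.pol
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""
# Every HijackThis entry starts with a section code (O2, O4, ...) then " - ".
ENTRY_RE = re.compile(r"^(?P<code>O\d+) - (?P<body>.*)$")
# File types one expects in a Startup folder (assumed list); anything else is odd.
STARTUP_OK = (".exe", ".lnk", ".bat", ".cmd", ".com", ".pif", ".scr")


def parse_entries(log_text):
    """Return a list of (code, body) tuples for the entry lines in a log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(log_text):
    """Flag entries a reviewer would question, as (code, body, reason) tuples."""
    findings = []
    for code, body in parse_entries(log_text):
        if body.endswith("(file missing)"):
            findings.append((code, body, "dead reference: target file missing"))
        elif code == "O4" and body.startswith(("Startup: ", "Global Startup: ")):
            item = body.split(": ", 1)[1]
            if not item.lower().endswith(STARTUP_OK):
                findings.append((code, body, "non-executable item in Startup folder"))
        elif code == "O6":
            findings.append((code, body, "IE policy restriction; confirm it is intended"))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```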

#4 PGPhantom


    Superman of SWI

  • Emeritus
  • 3,494 posts

Posted 04 October 2004 - 02:10 AM

Due to no response, I am closing this thread.

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
