Can't get rid of Trojan horse....


Shijnu
May 6th, 2004, 04:31 PM
I run AVG and I keep getting this virus Trojan Horse BackDoor.hacdef.C and I can't seem to get rid of it no way no how. I don't know if it's that virus that is causing me to reboot like crazy. I open RealPlayer, and go to library, then it reboots. I open up a game, it reboots. Or when I remove it to "the vault" with AVG it gives me a CD-ROM error and still reboots on RealPlayer. I don't know how to get rid of it. If anyone could help me, I would be very very grateful. :D

Another thing is when I right-click on a shortcut on my desktop it makes the screen flash, then it reloads everything on my screen. Not a reboot but a reload of what's on my desktop, including my task bar.

Shijnu
May 6th, 2004, 04:35 PM
Oh it was found in C:\Windows\HXDEFDRV.SYS

Pilli
May 6th, 2004, 06:30 PM
Hi Shijnu, please zip & submit that file to submit@diamondcs.com.au.
Then download TDS3 & the latest radius file from www.diamondcs.com.au.
In configuration, enable all of the scan options and do a full scan; this will take time but will be the best possible check that no more Trojans are on your system.

HTH Pilli

Shijnu
May 6th, 2004, 07:35 PM
hmmm....ok....... I tried to zip it, I use WinAce and well.....after the first 20 minutes, I figured it wouldn't work. The file is only 4kb big.....bah. Then I used TDS-3 with the radius and it couldn't find it. I even went to the file itself and told it to scan that file alone. I don't know what I'm doing wrong. :(

Jooske
May 7th, 2004, 01:15 AM
Hi there Shijnu, did you close your other scanner like AVG during the scanning with TDS?
Rather important so it can reach the file.
You did manage to submit it to DiamondCS in the end?
If zipping is a problem send it in just like that, or another way is --carefully for not making mistakes-- right-click on the file to change its name, like the exe into tmp for instance.
If the file is running you will not be able to do so and get error warnings.
Can you kill it from the running processes in the TDS Process List or, if not, with Ctrl+Alt+Del?
You can do it in safe mode if necessary if you don't know how to get the file stopped. (Edited: this would need a reboot which should be avoided if possible)
With TDS for instance you might see it in the running processes list and kill it from there before you're able to zip or rename it, so you have several options (there are more if none of those helped yet).

You most probably are not doing anything wrong at all. Your file might be a new variant, so forwarding it and waiting for expert analysis is so very important to know next steps.

Alias of the name is Troj/hacdef-084 among others, has several names.
http://www.sophos.com/virusinfo/analyses/trojhacdef084.html
and http://www.pestpatrol.com/pestinfo/b/backdoor_hacdef.asp
It's a rootkit, so follow expert advice to get rid of it, at least starting with sending in the nasty.

Dazed_and_Confused
May 8th, 2004, 10:09 AM
Quote: "I run AVG and I keep getting this virus...."
Hello Shijnu!

I ran McAfee for a year, and then was an AVG user for quite a while. I occasionally ran across similar problems as yours. Since installing NOD32, it's been able to handle anything it's come across. I think you'll be surprised by the difference. You might consider "upgrading" too. :)

Dardasaba
May 10th, 2004, 12:58 AM
You're in real deep s***t there my friend.
That is a rootkit. I never had to remove a rootkit, but from my understanding, the only way to do it is a complete reinstall of Windows.

For info about rootkits and how to remove them, read:
http://www1.umn.edu/oit/security/WindowsRootkits.pdf

Gavin - DiamondCS
May 10th, 2004, 01:51 AM
If ONLY the SYS file is being detected, then you do have a serious problem - a patched / unknown variant of Hacker Defender (unknown is VERY bad of course)

Since the AV is stopping it though, you should be ok :)
Click start > go to RUN and type regedit
Click OK

Now go to EDIT > FIND, or press CTRL F

Search for HXDEF and click OK

You should find something like this on the left, a key (looks like a folder) called HXDEF100 or something like that. The location is important, you need to find a driver entry which will be in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

If you do find the key HXDEFxxxxxxxxx then delete it. DON'T reboot; please send us a log from ASViewer here

http://www.diamondcs.com.au/index.php?page=asviewer

Make sure it is showing all autostarts as per the options to show drivers etc, in the menu

e30ernest
May 10th, 2004, 04:54 PM
I emailed the zip file. I have the exact same problem. I am now running TDS-3. Hopefully I can resolve this without re-formatting. There is a lot of important software on this PC. I am also running AVG free edition.

--?--
May 10th, 2004, 05:18 PM
I would recommend using RegdatXP in order to figure out whether there are any cloaked autostart entries on your system.

Moreover, you can try to use the rootkit detector from 3WDesign ( http://www.3wdesign.es/security/descarga.php?u=82pxv20n ).

Further instructions on how to get rid of Windows rootkits can be found here:

http://scheinsicherheit.funpic.de/rootkits.htm

Gavin - DiamondCS
May 10th, 2004, 11:58 PM
Consider installing Process Guard to prevent rootkit installs altogether

Try the rootkit detector, but it probably still uses hashes, in which case it won't detect a modified variant :(

Sea8
June 2nd, 2004, 08:44 AM
I unplugged my hard disk and scanned it using another PC; this is what eTrust Antivirus found:

G:\WINDOWS\Help\svhost.exe Backdoor/HackDef.084.Driver
G:\WINDOWS\hxdefdrv.sys Win32/HacDef.084.A.Trojan
G:\WINDOWS\svhost.exe Backdoor/HackDef.084.Driver
G:\WINDOWS\winunins.exe Backdoor/HackDef.084.Driver
G:\WINDOWS\winunins.ini INI.HacDef

and 67 files in the WINDOWS\system32 folder infested by JS.CSSPopup.H Trojan.
72 Trojan-infested files in total; before that eTrust and TDS-3 could only detect 1 Trojan, hxdefdrv.sys. Now my PC is running normally.

Jooske
June 2nd, 2004, 08:52 AM
Good that you found them; scanning with another PC or online is a good idea.
Please also post your HijackThis log to see if all is back to normal
http://www.wilderssecurity.com/showthread.php?t=15913 and the AutoStartViewer http://www.diamondcs.com.au/index.php?page=asviewer

A more specific description and removal instructions are at the beginning of this thread. Glad you cleansed out a lot!

I would still advise you to please change all your passwords.

JXL
July 13th, 2004, 01:57 AM
Hey guys, I've been following this thread because it's a Trojan my friend had and that we had no end of problems with, so a reinstall was the quickest, easiest option. I do regular Ghosts of his drive so it was very quickly fixed.

But now I have just found AVG popped up the Trojan.Dialer 9.N, which is newer than what my friend had, but I want to know how to kill this without recloning. I went to the Temporary Internet folder where it was located and deleted everything there, but I did this before with my friend and the resident scanner still kept popping it up, so my guess is that it is still lurking around on here somewhere.

I ran AVG, Norton, Adware and Spybot; they didn't pick it up in the scan, only AVG picked it up in the resident scanner.

I've downloaded and installed TDS-3 (I'm in Perth too, great to know quality products are being manufactured here) and CWShredder and neither picked up anything.

I've got my HijackThis log.

Logfile of HijackThis v1.97.7
Scan saved at 1:16:11 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Downloads\programs\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Anonymization.Net (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.3028009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------

Can you tell me if anything is there? I noticed in my Task Manager I have 4?!? instances of svchost running (not svhost, which was on there till I stopped it, and it rebooted my machine with that RPC protocol thing), but after I stopped svhost it doesn't say in the USER NAME tab whether it's a LOCAL or SYSTEM process.

Does anyone have anything else I can try, and is there any other information needed?

Thanks in advance.

Jooske
July 13th, 2004, 02:26 AM
Hi there, you had AVG running during the other scans and while creating the HJT log. AVG and other scanners (except TDS) should be closed completely when scanning with any other scanner. TDS doesn't have other resident protection than the exec protection, which is no running process hiding files etc., it only blocks them if they would try to run, so no problem for other scanners. AVG has the habit of protecting its finds and hiding them from other scanners.
This is why we recommend closing AVG completely by opening its GUI, unchecking all there is and closing it, then doing your other scans, and your scanners should pick up the nasty.
Can you post back scan results without AVG running please?
All your scanners should pick it up now and you should be able to remove it with TDS too, for instance.
IF TDS would say "suspicious" or "possible" alert, please submit the file (zipped if possible) to submit@diamondcs.com.au unless it's just a double extension. If it's one TDS has a positive identification for, no need to send it in unless you doubt. In any doubt always submit.

Looking forward to your next results!

Oh, and you might like to use Port Explorer to see what the svchost instances are connected to, if the Task Manager itself doesn't tell enough yet?
Could be your live update, scanners, music players, that kind of thing.

JXL
July 13th, 2004, 09:33 AM
Hey Jooske,

Thanks for the reply.
I shut down AVG and this is what the HijackThis file pulled up:
-----------------------------
Logfile of HijackThis v1.97.7
Scan saved at 3:28:41 PM, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ProcessGuard Free\dcsuserprot.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\wap\wap.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Anonymization.Net (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.3028009259
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

----------------------------------

I've run TDS, Norton, Adware and S&D and none of them pulled up anything, but from my experience with Dialer.9.U it was somehow still resident. On my friend's system it would even mask the CWShredder program, making it invisible.

But from my HijackThis file, do you think I'm in the clear?
My Task Manager is now showing the USER NAME tab, but I still have 4 instances of svchost.exe: 2 as SYSTEM, 1 as Network Service and 1 as Local Service. But as you mentioned before, it could be from something like IRC or WinMX, but I don't have anything running; is there something else that is causing the problem??

I've got all the demo versions of DiamondCS, just got to find a way to find $132 for a fellow Aussie company.

Thanks.
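The two HijackThis logs above differ in only a handful of lines, and spotting those by eye is error-prone. The following is an added example (not code from the thread, from HijackThis or from DiamondCS): a small Python parser that reads HJT 1.97-format logs, diffs two of them, and lists the entries a helper would ask the poster to confirm. The embedded logs are constructed excerpts abridged from the two posted above; the review checks are heuristics, not verdicts.

```python
import re

# Constructed input: two HijackThis 1.97 logs, abridged from the pair posted
# above (the second was taken after Process Guard Free had been installed).
LOG_BEFORE = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\PROGRA~1\\Grisoft\\AVG6\\avgserv.exe
C:\\Downloads\\programs\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP
O8 - Extra context menu item: &Anonymization - C:\\WINDOWS\\System32\\sys32.htm
"""

LOG_AFTER = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\PROGRA~1\\Grisoft\\AVG6\\avgserv.exe
C:\\Program Files\\ProcessGuard Free\\dcsuserprot.exe
C:\\Downloads\\HijackThis.exe

R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\\..\\Run: [AVG_CC] C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP
O4 - Startup: Process Guard Free.lnk = C:\\Program Files\\ProcessGuard Free\\procguard.exe
O8 - Extra context menu item: &Anonymization - C:\\WINDOWS\\System32\\sys32.htm
"""

# HJT entry lines start with a section code (R0, R1, O1 ... O16) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_hjt(text):
    """Return (process paths, {section code: [entry text, ...]})."""
    processes, entries, in_procs = [], {}, False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:          # a blank line closes the process list
            in_procs = False
        elif in_procs:
            processes.append(line.lower())  # Windows paths are case-insensitive
        elif m := ENTRY_RE.match(line):
            entries.setdefault(m.group(1), []).append(m.group(2))
    return processes, entries

def diff_logs(before, after):
    """Processes and entries present in only one of the two logs."""
    pb, eb = parse_hjt(before)
    pa, ea = parse_hjt(after)
    flat = lambda ents: {f"{k} - {v}" for k, vs in ents.items() for v in vs}
    return {"procs_added": sorted(set(pa) - set(pb)),
            "procs_removed": sorted(set(pb) - set(pa)),
            "entries_added": sorted(flat(ea) - flat(eb)),
            "entries_removed": sorted(flat(eb) - flat(ea))}

# Heuristics, not verdicts: entries a helper would ask the poster to confirm belong
# to something they installed (IE routed through a local proxy, any hosts-file
# override, a context-menu item backed by an .htm sitting in System32).
CHECKS = {
    "R1": ("local-proxy", lambda e: "ProxyServer" in e and "127.0.0.1" in e),
    "O1": ("hosts-override", lambda e: True),
    "O8": ("system32-htm", lambda e: re.search(r"\\system32\\[^\\]+\.htm$", e, re.I) is not None),
}

def review_points(text):
    """(tag, entry) pairs for every entry that trips one of CHECKS."""
    _, entries = parse_hjt(text)
    return [(tag, e) for code, (tag, hit) in CHECKS.items()
            for e in entries.get(code, []) if hit(e)]

if __name__ == "__main__":
    print(diff_logs(LOG_BEFORE, LOG_AFTER))
    print(review_points(LOG_AFTER))
```

Feed it two real logs (for example, one taken with AVG running and one with it closed, as Jooske asks for) and the diff shows exactly which processes and autostart entries appeared or vanished between the scans.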

JXL
July 13th, 2004, 09:39 AM
Also I noticed that most of the viruses I've been having problems with consist of it somehow modifying my exe files, which makes my virus scanner delete the file. I remember one virus that I got off Kazaa that went around making every exe file I had unusable. Even when Norton picked it up in its resident scanner it still managed to infect like 60% of the system.

Is there a better way to force all exe files to be unmodified??

OH, one more thing: I've had no end of trouble with System Restore, it just freezes my computer every time it gets used, either by me manually or by another program like an install, so I've turned it off.

Could this be another virus modifying it?

Jooske
July 13th, 2004, 11:09 AM
Do you see AVG and Norton AntiVirus are not closed while creating your HJT log? :) There is a newer HJT scanner, btw, you might even see more with that! 15913
*edit: just discovered it still leads to the version you have, investigating where to get the 1.98.0, as even Merijn's page indicates your version 1.97.7 http://www.spywareinfoforum.com/~merijn/downloads.html *

Did TDS really, with today's new update, not show you any infections (with AVG really completely closed this time!)?

BTW: get the programs one by one, if that suits you better!

tj500
July 13th, 2004, 08:46 PM
I'm glad I came across this thread. I have been struggling with my mom's computer for a while. After reading the posts above I know that I have this exact problem. [the spontaneous reboots and shutting down of various programs]

I should be able to fix it now with this information, but my question is what do I do to prevent this in the future?

My computer is protected by a hardware firewall/router and ZoneAlarm personal firewall. I have Norton AV and a registered version of TDS-3 installed (with execution protection enabled.)

I can't figure how this happened... I update these programs regularly. I update Norton/TDS almost daily. Windows is always patched etc.

I'd love to know how this happened. --Or at least an idea of what precautions to take in the future.


Thanks in advance.
tj

Jooske
July 14th, 2004, 03:23 AM
Hi TJ, there is an interesting thread "How did I get infected in the first place"
http://www.wilderssecurity.com/showthread.php?t=27971

Did you --if the system is really clean-- also look at ProcessGuard and Port Explorer?
ProcessGuard to protect your programs and files, and Port Explorer to see all connections and enable you to check and kill what is suspicious?

Jooske
July 15th, 2004, 04:58 AM
Maybe you guys would like to try the new updated HJT version 1.98.0 http://www.wilderssecurity.com/showthread.php?t=12516
For me it works fine; it might show you even more.

Gor
July 21st, 2004, 06:27 PM
Hello all,

I have got the same problem, running AVG & Agnitum Outpost 1.0.
I have received spontaneous reboots the last few weeks, until today I discovered the Trojan Horse Dialer .9.N with AVG. I got the problem (I think) simultaneously with another one, the Directwebsearch / about:blank hijacker. Apparently, I'm not an expert, both are caused by a security leak in Microsoft's JVM.
When I tried checking manually for Dialer.9.N and some other viruses like var1[1].exe, d_tony2[1].exe among others in C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files I received two spontaneous reboots.
After the reboot my Agnitum Outpost, which operates in Block Most mode, was disabled both times! A log file called 'jusched.log' in my C:\Documents and Settings\[username]\Local Settings\Temp folder had the following message:
Wed Jul 21 23:49:00 2004 :: Received shutdown signal

This sounds like the trojan horse is still functioning although my AVG can't find any virus anymore...

Also 2 other files keep reappearing in my Temp folder when I delete them: hsperfdata_[username] and a set282.tmp file.

There is some correspondence about this file at:
http://www.talkaboutprogramming.com/group/comp.lang.java.machine/messages/16430.html

"From its name, I would presume it contains performance tracking
information to help it hotspot optimise. Hotspot does not remember
this from incarnation to incarnation, hence the temp file."

I read somewhere the JVM security leak can make your system vulnerable. There is a security patch and JVM removal instruction for XP Pro available, but I'm using Win2000 Pro.

Any help on solving this issue would be really appreciated!!