bds hacdef

hello
i have a backdoor virus which i think is called bds hacdef. i have not been able to download hijackthis. it seems like the virus is stopping any attempt for me to get the program.

instead i have used TDS. TDS found a Spy.DBE file in my system32 folder called bdeinstall.exe

also my anti virus program found a file assoicated with the trojan

C:\WINNT\HXDEFDRV.SYS

Contains a signature of the (dangerous) backdoor program BDS/HacDef.073.B.1 Backdoor server programs

i thought after deleting those 2 files that i had solved my virus problem but after i restarted my pc i found the HXDEFDRV.SYS again

can anyone help me?

 

Hi alim

I'm new here and not sure if I'm able to post links to 3rd party sites. I have found some information for you here which concerns the trojan you have, and gives help and advice on removing it. Good luck

 

Hi,

In C:\WINNT see if you can find HXDEF.INI
If you can, just delete it and reboot, the rootkit requires this file. Once you do that you should be able to clean up with your antivirus

The problem here is that the rootkit hides from Windows, the antivirus driver can see the HXDEF driver and stop it from loading but it should also be removing it - if it doesnt then you might need to remove it manually. You can email support if you are still having problems

 

Hi there, i was just googling in our forum for a few recent cases,
https://www.wilderssecurity.com/showthread.php?p=223735#post223735
https://www.wilderssecurity.com/showthread.php?p=178165#post178165

 

also this might help

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.E

 

Before anything i would follow Gavin's advice to get the nasty file away to disarm and stop the nasty in it's traces before doing anything else.
Except for a deep scan with fully updated TDS of course (with every other scanner and resident protection temporary closed to give TDS full access to every file)
Since you have TDS, can you also look if your HOSTS file was changed?
TDS > System Analysis > View File > Network Hosts would bring you to the HOSTS file which you can edit if you like; if that has been illegaly changed and blocking security sites rename the HOSTS file so you have access again.

Please post back your experiences till here, so we can step you through this!

 

thanks for all your replys

i have been having a bit of a nightmare. i have been able to log in to windows in normal mode after i deleted a file that TDS found - c:\recycler\s-1-5...\dc2.sys

im going thru all the info now on a friends pc. i have had some luck finding and deleting files in regedit. the files that i have deleted are svhost.exe and also deleting the values keys linking to .outhost. the trendmirco site recommmends also searching for links in the registry to the files below,

.23052004.exe <-- The name of this file is the date of tomorrow
.hxdefdrv.sys
.sezzbc.ig2
.vzcdaq.2nh

that is that next thing im going to try.

Gavin i have only been able to locate in winnt the file hxdefdrv.sys. i think that some of the trojans files are invisible even when i have set folder options to show invisble files.

can anyone recommend a program like hijackthis as i cant download/install it.

Jooske the host file was changed to something very simliar to the one in PepsiMaxs link.

thanks again

 

Before you delete anything, can you please be so kind aftr the TDS scan (don't forget to update it on the TDS site!) to rightclick on one of the alerts in the TDS bottom console and save to text, and paste that scandump.txt file into your next posting. Think it might be important to know the full paths too where files are located, so you delete the right files TDS might indicate too.
You are doing a fine job already.
To locate files, make sure folderoptions are set on showing everything and every file extension.
It surely helps to close temporary the scanners like AVG if you run that one to avoid that hiding nasty files from sight.
With the nasty files found and deleted first (and clean the recycle bin - and you might have to look another time in the safe mode if windows shows the wanted files now) the greatest danger must be over.

Yes hijackthis can be downloaded in message [thread]15913[/thread].
It could be a great help, and we work with AutoStartViewer too (from the DiamondCS site too).
Wonder if you do a search with windows if the files would show up.

 

the scan dump txt for hxdefdrv.sys is:

Scan Control Dumped @ 17:36:48 22-07-04
Positive Indentification: Rootkit.Hacker Defender 0.8.4 (sys)

File: c:\winnt\hxdefdrv.sys


To locate files, make sure folder options are set on showing everything and every file extension

just did this thanks. i can now find the recycler folder. inside both recycler bins is the hxdefdrv.sys file. i havent deleted it from winnt yet, so are they previous files that i have deleted?

also in my processes list is svhost.exe which i deleted from the registry. i cant end the process how can i delete it?

i have searched regedit for sezzbc, about 20 files were linked to it including the file vzcdaq.2nh - i deleted them all.

foolishly i didnt think of looking where they were linking to. i just wanted them off my pc as soon as poss

 

i found this info on PepsiMaxs link but i cant find winuins.ini
this is the file that kills hijackthis. but i cant find it. i did a search for it in regedit and found data values referencing:
trj
svhost
trjaj6js
winunins
.exe
hxdef

if i delete these entries and restart will that help?

the config file it uses to install/run itself is this (winunins.ini):

[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe

[Hidden Services]
HackerDefender*

[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100

[Hidden RegValues]

[Startup Run]
C:\WINNT\svhost.exe -sr -0

[Free Space]

[Hidden Ports]

[Settings]
Password=qweqwe
BackdoorShell=ddd.exe
FileMappingName=_.-=[PokuS]=-._
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys

 

Leaving this to Gavin or other expert again, at least you locate the files now!
If there files are somewhere re-created a reboot would bring them back, so does system-restore.
I think of this since you found files in the recyclebin; not sure if the nasty itself places them there too for some unknown reason.
You could also create an AutoStartViewer logfile (also from diamondCS site) with all options checked and send the log file of that one to support@diamondcs.com.au for good advice which entries to get from the AutoStart.
You find so many files, which extension has this one you named in the little list on top? winunins
Did you set your folder options to show also all extensions?

 

winuins.ini is a config file
the problem is that this config file is hiding all the files that i can use to get at it:

[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*

 

Which anti-virus are you using?

 

at the moment i have antivir. i tried to install bitdefender but with no luck. the installation stalled at starting services

i found some info on another forum about hxdefdrv.sys

it automatically recreates the hxdefdrv.sys file in /winnt which it uses to create a backdoor into your PC AFTER you delete it

maybe this was what was in the recycling bin

 

That was what i meant yes. Did you close antivir also completely with it's resident protection when you were searching for the files?
If you locate the files, you'll have to look in the running processes (Process List in TDS or Task Manager in windows) if they are running and kill them so you can delete them.

 

antivir is not in task manager and i have not started it up

 

Did not mean antivir in the taskmanager, the files which are part of the infection could have running processes

For antivir i don't know wether it has the same habit like AVP does in hiding files, but you should be able to find them in safe mode then!
If Gavin agrees i would love to advice you to delete all files involved with it, but it's most irritating you still don't have that ini file Gavin asked for in the first place.

BTW were you able to down;oad the HJiJackThis log in the meantime and are you familiar with it?

 

the only i can see that is infected is svhost.exe i tried to end process but access was denied

hijackthis is one of the names under hidden in the winunins.ini

i have hijackthis in a zip file in my drive, i have it on a CD and also a key drive. i just cant see it

so i havent had the pleasure of using it yet

the only thing that i think i can do is search the registry for all the filnames that i have found and remove them. hopefully this might distrupt winunins. do you think it might work?

 

If you are able to run the Recovery Console, then you can rename the ini file using the "Ren" command. Rename it to something else but don't delete it. Reboot normally and the ini file should be visible and the rootkit should not be active. Even if it is (because it is being somehow reinstalled at every boot), you will now have the ini file to read. This may work in Safe Mode too.

Nick

 

i have managed to removed the trojan, by creating an empty notepad file and saving it as winunins.ini in the winnt directory this overwrites the trojan config file. after restarting i could see the nasty files and also hijackthis and process explorer.

not sure if this is the most eligant way doing it? downside is that by wiping the config i could not get access to it to see what other files it pointed to.

i scaned the drive with hijackthis. i only found 3 entires that looked nasty, they had links to outhost.info. can i post my hijackthis log?

i then searched through the regsitry for these names:

outhost.info
svhost
winunins
hxdef
hack
hacker

i deleted alll references to them

when i tried to search in my harddrive for those names i noticed a new problem of my own making i think. i cant to a search in windows, i cant start TDS, in normal mode the active desktop is inactive, in the winnt directory no files are visible but the status bar says that there are hundreds of files there.

its seems that services will not start at startup. in process explorer the items in the services.exe tree are in pink is this normal?

i think that this was caused by previous attempts of mine to remove references of the trojan from the registry. instead of just deleting values i must have deleted some keys maybe. i remember deleting some labeled a, b, c, d, e, f.

 

I'm really not sure this moment what's best, so with deleting the ini file again the rootkit would not be able to run and you might be able to use your computer more or less normal again?
Did you also in the meantime create an AutoStartViwer log and sent it to support@diamondcs.com.au or post it here if you prefer, and why not the HJT log too, but forgive me i'm no HJT expert so i'm not able to work with your HJT log, but fortunately you can yourself as you just described.

Process Explorer? I think you mean Port Explorer?
pink or do you mean red (default) characters for HIDDEN connections?
Those can be part of the nasty, depending which they are.
Thinking, get rid of that ini file so the rootkit can't run anymore like Gavin described above and since you posted in the forum the many files associated to it you must be able to find them, once their processes are located and killed.

 

here is my autostartviewer log

DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Administrator@FELINE, 07-22-2004
c:\autoexec.bat
C:\CDROM\MSCDEX.EXE /D:MSCD00D /M:20
c:\winnt\system32\autoexec.nt
C:\WINNT\system32\mscdexnt.exe
C:\WINNT\system32\redir.exe
C:\WINNT\system32\dosx.exe
C:\WINNT\system32\nw16.exe
C:\WINNT\system32\vwipxspx.exe
c:\winnt\system32\config.nt
C:\WINNT\system32\himem.sys
c:\config.sys
C:\CDROM\SSCDROM.SYS /D:MSCD00D /V
c:\winnt\system.ini [drivers]
timer=timer.drv
c:\winnt\system.ini [boot]\shell
C:\WINNT\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINNT\Explorer.exe
HKCR\vbsfile\shell\open\command\
"%1" %*
HKCR\vbefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe" "%1
HKCR\jsefile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINNT\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
mobsync.exe /logon
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
C:\WINNT\system32\internat.exe
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\^SetupICWDesktop
C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINNT\system32\NETSHELL.dll
C:\WINNT\System32\webcheck.dll
C:\WINNT\system32\stobject.dll
C:\WINNT\Tasks\songs.job
C:\Documents and Settings\Administrator\Desktop\current projects\vaudeville\songs.mov
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\AOL 6.0 Tray Icon.lnk
C:\Program Files\AOL 6.0\aoltray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Icons.lnk
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Iomega Startup Options.lnk
C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
C:\Program Files\Microsoft Office\Office10\OSA.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Post-it® Software Notes Lite.lnk
C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Prevx Home.lnk
C:\Program Files\PREVX\Prevx Home\SAGUI.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Refresh.lnk
C:\Program Files\Iomega\Tools_NT\REFRESH.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Splash.lnk
C:\Program Files\Iomega\Tools_NT\SPLASH.EXE
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINNT\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINNT\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINNT\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINNT\system32\msafd.dll
C:\WINNT\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINNT\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINNT\system32\ie4uinit.exe
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINNT\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\AppleTalk\
C:\WINNT\System32\DRIVERS\sfmatalk.sys
HKLM\System\CurrentControlSet\Services\atalk\
C:\WINNT\System32\DRIVERS\atalk.sys
HKLM\System\CurrentControlSet\Services\atfsd\
C:\WINNT\System32\DRIVERS\atfsd.sys
HKLM\System\CurrentControlSet\Services\ATMsg\
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe -service
HKLM\System\CurrentControlSet\Services\Browser\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\dmserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Dnscache\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\HidUsb\
C:\WINNT\System32\DRIVERS\hidusb.sys
HKLM\System\CurrentControlSet\Services\IomegaAccess\
C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE /S
HKLM\System\CurrentControlSet\Services\irda\
C:\WINNT\System32\DRIVERS\irda.sys
HKLM\System\CurrentControlSet\Services\KC180\
C:\WINNT\System32\Drivers\kcirusb.sys
HKLM\System\CurrentControlSet\Services\lanmanserver\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\Miramar AppleTalk File Server\
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSERVER.EXE
HKLM\System\CurrentControlSet\Services\Miramar AppleTalk Print Server\
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSPOOL.EXE
HKLM\System\CurrentControlSet\Services\NWCWorkstation\
C:\WINNT\System32\services.exe
HKLM\System\CurrentControlSet\Services\NwlnkIpx\
C:\WINNT\System32\DRIVERS\nwlnkipx.sys
HKLM\System\CurrentControlSet\Services\NwlnkNb\
C:\WINNT\System32\DRIVERS\nwlnknb.sys
HKLM\System\CurrentControlSet\Services\NwlnkSpx\
C:\WINNT\System32\DRIVERS\nwlnkspx.sys
HKLM\System\CurrentControlSet\Services\PackethSvc\
C:\WINNT\System32\PackethSvc.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINNT\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\PREVXAgent\
C:\Program Files\PREVX\Prevx Home\PXAgent.exe -f -af
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\RemoteRegistry\
C:\WINNT\system32\regsvc.exe
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINNT\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINNT\system32\MSTask.exe
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\StiSvc\
C:\WINNT\system32\stisvc.exe
HKLM\System\CurrentControlSet\Services\SVKP\
\??\C:\WINNT\System32\SVKP.sys
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINNT\system32\services.exe
HKLM\System\CurrentControlSet\Services\WinMgmt\
C:\WINNT\System32\WBEM\WinMgmt.exe
HKLM\System\CurrentControlSet\Services\WMDM PMSP Service\
C:\WINNT\System32\mspmspsv.exe
HKLM\System\CurrentControlSet\Services\ZipToA\
C:\WINNT\System32\ZipToA.exe

can anyone see way no service are starting on pc?

process explorer is a program that gives you more in depth info into processes than task manager. it also was hidden by the nasty config file
i can post the log form this as well

 

Anything that could be helpful; the ASViewer log is rather complicated already;
did you handle the HJT log yourself in the meantime?

 

process explorer file looking at services.exe

Process PID CPU Description Company Name
System Idle Process 0 98
Interrupts n/a 1 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 144 Windows NT Session Manager Microsoft Corporation
csrss.exe 168 Client Server Runtime Process Microsoft Corporation
winlogon.exe 188 Windows NT Logon Application Microsoft Corporation
services.exe 216 Services and Controller app Microsoft Corporation
PackethSvc.exe 496 Virtual Adapter Service America Online, Inc.
ATMSG.EXE 528 PC MACLAN Messenger Miramar Systems Inc.
ATSERVER.EXE 596 PC MACLAN File Server Miramar Systems Inc.
ATSPOOL.EXE 648 PC MACLAN Print Server Miramar Systems Inc.
PXAgent.exe 668 Prevx Agent Prevx Ltd.
regsvc.exe 692 Remote Registry Service Microsoft Corporation
stisvc.exe 716 Still Image Devices Monitor Microsoft Corporation
mspmspsv.exe 736 WMDM PMSP Service Microsoft Corporation
ZIPTOA.EXE 764
lsass.exe 228 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 800 Windows Explorer Microsoft Corporation
AcroTray.exe 824 AcroTray Adobe Systems Inc.
IMGICON.EXE 844 IMGICON Iomega Corp.
procexp.exe 864 1 Sysinternals Process Explorer Sysinternals

Process: services.exe Pid: 216

Type Name
Desktop \Default
Directory \KnownDlls
Directory \BaseNamedObjects
Directory \Windows
Event \BaseNamedObjects\userenv: User Profile setup event
Event \BaseNamedObjects\SC_AutoStartComplete
Event \BaseNamedObjects\SvcctrlStartEvent_A3752DX
Event \BaseNamedObjects\ScNetDrvMsg
Event \BaseNamedObjects\DHCPNEWIPADDRESS
Event \BaseNamedObjects\PnP_No_Pending_Install_Events
Event \BaseNamedObjects\DmioLoaded
Event \BaseNamedObjects\ReSyncKernel
Event \BaseNamedObjects\DmAdminStop
Event \BaseNamedObjects\LDMAdmin
Event \Device\DmControl\VxKernel2VoldEvent
Event \LanmanServerAnnounceEvent
Event \BaseNamedObjects\wkssvc: MUP finished initializing event
Event \BaseNamedObjects\WkssvcToAgentStartEvent
Event \BaseNamedObjects\WkssvcToAgentStopEvent
Event \BaseNamedObjects\AgentToWkssvcEvent
File C:\WINNT\system32
File \Device\WMIServiceDevice
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\scerpc
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\svcctl
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe1
File \Device\NamedPipe\net\NtControlPipe1
File C:\WINNT\system32\config\AppEvent.Evt
File C:\WINNT\system32\config\SecEvent.Evt
File C:\WINNT\system32\config\SysEvent.Evt
File C:\WINNT\Registration\R0000000000cc.clb
File \Device\Tcp
File \Device\Tcp
File \Device\Ip
File \Device\Ip
File \Device\Ip
File \Device\NamedPipe\DhcpClient
File \Device\NamedPipe\svcctl
File \Device\Tcp
File \Device\NetBt_Wins_Export
File \Device\NetBt_Wins_Export
File \Device\NamedPipe\ntsvcs
File \Device\Ip
File C:\WINNT\system32\drivers\etc
File \Device\Tcp
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe2
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe3
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe5
File \Device\LanmanRedirector
File \Device\LanmanDatagramReceiver
File \Device\LanmanServer
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\svcctl
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe6
File \Device\NamedPipe\net\NtControlPipe7
File \Device\NwRdr
File \Device\NwRdr
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe8
File \Device\NamedPipe\net\NtControlPipe0
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe10
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\SecondaryLogon
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe11
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\net\NtControlPipe12
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\ntsvcs
File \Device\LanmanDatagramReceiver
File \Device\NamedPipe\ntsvcs
File \Device\NamedPipe\WMIEP_320
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Locale
Key HKLM\SYSTEM\ControlSet001\Control\Nls\Language Groups
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\Order
Key HKLM\SYSTEM\ControlSet001\Control\ServiceGroupOrder
Key HKLM\SYSTEM\ControlSet001\Control\ServiceCurrent
Key HKLM\SYSTEM\ControlSet001\Services\EVENTLOG
Key HKLM
Key HKCR
Key HKLM\SOFTWARE\MICROSOFT\COM3
Key HKU
Key HKLM\SOFTWARE\MICROSOFT\COM3
Key HKCR\CLSID
Key HKCR
Key HKLM\SOFTWARE\MICROSOFT\COM3
Key HKLM\SOFTWARE\MICROSOFT\COM3
Key HKLM\SOFTWARE\MICROSOFT\COM3
Key HKCR\CLSID
Key HKCR
Key HKU\.DEFAULT
Key HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
Key HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
Key HKLM\SYSTEM\ControlSet001\Services\Dhcp\Parameters\Options
Key HKLM\SYSTEM\ControlSet001\Services
Key HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DNSRegisteredAdapters
Key HKLM\SYSTEM\ControlSet001\Services\Browser\Parameters
Key HKLM\SYSTEM\ControlSet001\Enum
Key HKLM\SYSTEM\ControlSet001\Services
Key HKLM\SYSTEM\ControlSet001\Services\lanmanserver\Parameters
Key HKLM\SYSTEM\ControlSet001\Control\CLASS
Key HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
Key HKLM\SYSTEM\ControlSet001\Services\LanmanWorkstation\Parameters
Mutant \NlsCacheMutant
Mutant \BaseNamedObjects\RasPbFile
Mutant \BaseNamedObjects\PnP_Init_Mutex
Port \RPC Control\ntsvcs
Port \ErrorLogPort
Port \XactSrvLpcPort
Process PackethSvc.exe(496)
Process ATMSG.EXE(52
Process ATSERVER.EXE(596)
Process ATSPOOL.EXE(64
Process PXAgent.exe(66
Process regsvc.exe(692)
Process stisvc.exe(716)
Process mspmspsv.exe(736)
Process ZIPTOA.EXE(764)
Process <Non-existant Process>(200)
Section \BaseNamedObjects\__R_0000000000cc_SMem__
Thread services.exe(216): 240
Thread services.exe(216): 308
Thread services.exe(216): 312
Thread services.exe(216): 316
Thread services.exe(216): 320
Thread services.exe(216): 100
Thread services.exe(216): 420
Thread services.exe(216): 428
Thread services.exe(216): 432
Thread services.exe(216): 456
Thread services.exe(216): 456
Thread services.exe(216): 464
Thread services.exe(216): 468
Thread services.exe(216): 472
Thread services.exe(216): 476
Thread services.exe(216): 460
Thread services.exe(216): 480
Thread services.exe(216): 316
Thread services.exe(216): 876
Thread services.exe(216): 560
Thread services.exe(216): 584
Thread services.exe(216): 624
Thread services.exe(216): 636
Thread services.exe(216): 660
Thread services.exe(216): 676
Thread services.exe(216): 700
Thread services.exe(216): 776
Thread services.exe(216): 780
Thread services.exe(216): 316
Thread services.exe(216): 808
Token NT AUTHORITY\SYSTEM
Token FELINE\Administrator
Token NT AUTHORITY\SYSTEM
WindowStation \Windows\WindowStations\Service-0x0-3e7$
WindowStation \Windows\WindowStations\Service-0x0-3e7$

 

heres me hijackthis report. my services arent starting at logon

Logfile of HijackThis v1.97.7
Scan saved at 23:12:07, on 22/07/2004
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\PackethSvc.exe
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATMsg.exe
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSERVER.EXE
C:\Program Files\Miramar\PC MACLAN for Windows 2000\ATSPOOL.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
C:\WINNT\System32\taskmgr.exe
C:\unzipped\procexpnt\procexp.exe
C:\unzipped\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\blank.htm
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: AOL 6.0 Tray Icon.lnk = C:\Program Files\AOL 6.0\aoltray.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools_NT\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools_NT\STARTNT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSN2Lite\Psn2Lite.exe
O4 - Global Startup: Prevx Home.lnk = C:\Program Files\PREVX\Prevx Home\SAGUI.exe
O4 - Global Startup: Refresh.lnk = C:\Program Files\Iomega\Tools_NT\REFRESH.EXE
O4 - Global Startup: Splash.lnk = C:\Program Files\Iomega\Tools_NT\SPLASH.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro-europe.com/housecall/Xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINNT\system32\yddsrm.m23



...help...