Can't get rid of Trojan horse....

Discussion in 'Trojan Defence Suite' started by Shijnu, May 6, 2004.

Thread Status:
Not open for further replies.
  1. Shijnu

    Shijnu Guest

    I run AVG and I keep getting this virus, Trojan Horse BackDoor.hacdef.C, and I can't seem to get rid of it, no way, no how. I don't know if it's that virus that is causing me to reboot like crazy. I open RealPlayer and go to the library, then it reboots. I open up a game, it reboots. Or when I move it to "the vault" with AVG it gives me a CD-ROM error and still reboots on RealPlayer. I don't know how to get rid of it. If anyone could help me, I would be very, very grateful. :D

    Another thing is when I right-click on a shortcut on my desktop it makes the screen flash, then it reloads everything on my screen. Not a reboot but a reload of what's on my desktop, including my taskbar.
     
  2. Shijnu

    Shijnu Guest

    Oh it was found in C:\Windows\HXDEFDRV.SYS
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Shijnu, please zip & submit that file to submit@diamondcs.com.au
    Then download TDS-3 & the latest Radius file from www.diamondcs.com.au
    In Configuration, enable all of the scan options and do a full scan. This will take time but will be the best possible check that no more Trojans are on your system.

    HTH Pilli
     
  4. Shijnu

    Shijnu Guest

    Hmmm... OK... I tried to zip it. I use WinAce, and well... after the first 20 minutes I figured it wouldn't work. The file is only 4 KB big... bah. Then I used TDS-3 with the Radius file and it couldn't find it. I even went to the file itself and told it to scan that file alone. I don't know what I'm doing wrong. :(
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there Shijnu, did you close your other scanner, like AVG, during the scanning with TDS?
    Rather important, so it can reach the file.
    Did you manage to submit it to DiamondCS in the end?
    If zipping is a problem, send it in just like that, or another way is --carefully, to avoid mistakes-- to right-click on the file and change its name, like the .exe into .tmp for instance.
    If the file is running you will not be able to do so and will get error warnings.
    Can you kill it from the running processes in the TDS Process List, or if not, with Ctrl+Alt+Del?
    You can do it in Safe Mode if necessary, if you don't know how to get the file stopped. (Edited: this would need a reboot, which should be avoided if possible.)
    With TDS for instance you might see it in the running processes list and kill it from there before you're able to zip or rename it, so you have several options (there are more if none of those helped yet).

    You most probably are not doing anything wrong at all. Your file might be a new variant, so forwarding it and waiting for expert analysis is so very important to know next steps.

    An alias of the name is Troj/hacdef-084, among others; it has several names.
    http://www.sophos.com/virusinfo/analyses/trojhacdef084.html
    and http://www.pestpatrol.com/pestinfo/b/backdoor_hacdef.asp
    It's a rootkit, so follow expert advice to get rid of it, at least starting with sending in the nasty.
     
    Last edited: May 10, 2004
  6. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Hello Shijnu!

    I ran McAfee for a year, and then was an AVG user for quite a while. I occasionally ran across similar problems to yours. Since installing NOD32, it's been able to handle anything it's come across. I think you'll be surprised by the difference. You might consider "upgrading" too. :)
     
  7. Dardasaba

    Dardasaba Registered Member

    Joined:
    Feb 16, 2004
    Posts:
    38
    Location:
    Israel
    You're in real deep s***t there, my friend.
    That is a rootkit. I never had to remove a rootkit, but from my understanding the only way to do it is a complete reinstall of Windows.

    For info about rootkits and how to remove them, read:
    http://www1.umn.edu/oit/security/WindowsRootkits.pdf
     
  8. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    If ONLY the SYS file is being detected, then you do have a serious problem - a patched / unknown variant of Hacker Defender (unknown is VERY bad of course)

    Since the AV is stopping it though, you should be ok :)
    Click start > go to RUN and type regedit
    Click OK

    Now go to EDIT > FIND, or press CTRL F

    Search for HXDEF and click OK

    You should find something like this on the left, a key (looks like a folder) called HXDEF100 or something like that. The location is important, you need to find a driver entry which will be in

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

    If you do find the key HXDEFxxxxxxxxx then delete it. DON'T reboot; please send us a log from ASViewer here:

    http://www.diamondcs.com.au/index.php?page=asviewer

    Make sure it is showing all autostarts, as per the options to show drivers etc. in the menu.
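The registry check Gavin describes can also be done on an exported copy of the key rather than by clicking through regedit. What follows is an added Python example written for this page; it is not code from the thread, from DiamondCS or from any tool named here. It parses a regedit `.reg` export of HKLM\SYSTEM\CurrentControlSet\Services (including the wrapped `hex(2)` form regedit uses for REG_EXPAND_SZ values) and lists driver-type services whose ImagePath is outside system32\drivers or whose key name matches the hxdef naming pattern. The sample export embedded in it is constructed; its names and paths are only modelled on the ones mentioned in this thread.

```python
import re
from typing import Dict, List, Tuple

# Key prefix regedit writes for every service, and the Type bits (Win32 service
# API values) that mark an entry as a kernel (0x1) or file-system (0x2) driver.
SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
DRIVER_TYPE_BITS = 0x1 | 0x2
NAME_HINT = re.compile(r"hxdef|hackerdefender", re.I)

# Constructed sample export. Names and paths are modelled on this thread, not
# copied from a real machine; only the .reg syntax matters to the parser.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"ImagePath"="System32\\DRIVERS\\beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"Type"=dword:00000001
"ImagePath"=hex(2):53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,75,00,6c,00,6c,00,2e,00,73,00,\
  79,00,73,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HXDEF100]
"Type"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\hxdefdrv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"Type"=dword:00000010
"ImagePath"="C:\\WINDOWS\\system32\\spoolsv.exe"
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _logical_lines(text: str):
    """Re-join hex values that regedit wraps with a trailing backslash."""
    buf = None
    for line in text.splitlines():
        buf = line.rstrip() if buf is None else buf + line.strip()
        if buf.endswith("\\"):
            buf = buf[:-1]
            continue
        yield buf
        buf = None
    if buf is not None:
        yield buf


def _decode_value(raw: str):
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):      # REG_SZ, backslash-escaped
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.startswith("dword:"):                        # REG_DWORD as hex digits
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)       # hex(2)=REG_EXPAND_SZ, hex(7)=REG_MULTI_SZ
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) in ("2", "7"):                    # the UTF-16LE string types
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_services(text: str) -> Dict[str, Dict[str, object]]:
    """Map each top-level service key name to its values; subkeys are skipped."""
    services: Dict[str, Dict[str, object]] = {}
    current = None
    for line in _logical_lines(text):
        key = _KEY.match(line)
        if key:
            current = None
            path = key.group(1)
            if path.upper().startswith(SERVICES_PREFIX.upper()):
                rest = path[len(SERVICES_PREFIX):]
                if "\\" not in rest:      # Services\Name, not Services\Name\Parameters
                    current = rest
                    services[current] = {}
            continue
        val = _VALUE.match(line)
        if current is not None and val:
            services[current][val.group(1)] = _decode_value(val.group(2))
    return services


def triage(text: str) -> List[Tuple[str, List[str]]]:
    """Return (service name, reasons) for driver entries worth a second look."""
    findings = []
    for name, vals in parse_services(text).items():
        reasons = []
        typ, image = vals.get("Type", 0), vals.get("ImagePath", "")
        is_driver = isinstance(typ, int) and bool(typ & DRIVER_TYPE_BITS)
        # Substring test, so "\??\C:\..." and "System32\DRIVERS\x.sys" are both handled.
        if is_driver and isinstance(image, str) and "system32\\drivers\\" not in image.lower():
            reasons.append(f"driver image outside system32\\drivers: {image}")
        if NAME_HINT.search(name):
            reasons.append("key name matches the Hacker Defender naming pattern")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_REG):
        print(name, *reasons, sep="\n    ")
```

Export the key with regedit's File > Export, or better, from the SYSTEM hive of the disk mounted in another machine (as a later post in this thread does for the file scan): a rootkit of this kind that hooks the registry API can hide its own keys from regedit on the live system, so an export taken there may simply not contain them. The flags are leads, not verdicts; legitimate third-party drivers do sometimes install outside system32\drivers, so check the publisher and hash of anything listed before deleting its key.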
     
  9. e30ernest

    e30ernest Registered Member

    Joined:
    May 10, 2004
    Posts:
    1
    I emailed the zip file. I have the exact same problem. I am now running TDS-3. Hopefully I can resolve this without reformatting. There is a lot of important software on this PC. I am also running AVG Free Edition.
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Consider installing Process Guard to prevent rootkit installs altogether.

    Try the rootkit detector, but it probably still uses hashes, in which case it won't detect a modified variant :(
     
  12. Sea8

    Sea8 Guest

    I unplugged my hard disk and scanned it using another PC. This is what eTrust Antivirus found:

    G:\WINDOWS\Help\svhost.exe Backdoor/HackDef.084.Driver
    G:\WINDOWS\hxdefdrv.sys Win32/HacDef.084.A.Trojan
    G:\WINDOWS\svhost.exe Backdoor/HackDef.084.Driver
    G:\WINDOWS\winunins.exe Backdoor/HackDef.084.Driver
    G:\WINDOWS\winunins.ini INI.HacDef

    and 67 files in the WINDOWS\system32 folder infested by the JS.CSSPopup.H Trojan.
    72 Trojan-infested files in total. Before that, eTrust and TDS-3 could only detect 1 Trojan - hxdefdrv.sys. Now my PC is running normally.
     
  14. JXL

    JXL Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    4
    Hey guys, I've been following this thread because it's a Trojan my friend had and that we had no end of problems with, so a reinstall was the quickest, easiest option. I do regular Ghosts of his drive, so it was very quickly fixed.

    But now I have just found AVG popped up the Trojan.Dialer 9.N, which is newer than what my friend had, but I want to know how to kill this without re-cloning. I went to the Temporary Internet folder where it was located and deleted everything there, but I did this before with my friend and the resident scanner still kept popping it up, so my guess is that it is still lurking around on here somewhere.

    I ran AVG, Norton, Adware and Spybot; they didn't pick it up in the scan, only AVG picked it up in the resident scanner.

    I've downloaded and installed TDS-3 (I'm in Perth too, great to know quality products are being manufactured here) and CWShredder, and neither picked up anything.

    I've got my HijackThis log.

    Logfile of HijackThis v1.97.7
    Scan saved at 1:16:11 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Downloads\programs\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Anonymization.Net (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.3028009259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------

    Can you tell me if anything is there? I noticed in my Task Manager I have 4?!? instances of svchost running (not svhost, which was on there till I stopped it and it rebooted my machine with that RPC protocol thing), but after I stopped svhost it doesn't say in the USER NAME tab whether it's a LOCAL or SYSTEM process.

    Anyone have anything else I can try, and is there any other information needed?

    Thanks in advance.
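A HijackThis log like the one above can be triaged mechanically before anyone reads it line by line. The following is an added Python example written for this page, not code from the thread or from HijackThis: it parses the 1.97-format lines into (section code, body) pairs and applies a few generic review heuristics (browser proxied through a local listener, hosts-file overrides, unnamed BHOs, autoruns given as a bare filename, context-menu scripts stored under System32, ActiveX downloads from hosts outside an allowlist). The sample lines are copied from the log posted above; the allowlist of ActiveX download hosts is an assumption for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Sample lines in HijackThis 1.97 log format, copied from the log posted in this
# thread and trimmed to one or two entries per section type.
SAMPLE_HJT = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

# Hosts from which O16 ActiveX downloads are expected on this machine.
# An assumption for the example; adjust per machine.
KNOWN_DPF_HOSTS = {
    "download.macromedia.com",
    "fpdownload.macromedia.com",
    "v4.windowsupdate.microsoft.com",
}

_ENTRY = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
_DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section code, body) for every R*/O* line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _after_last_dash(body: str) -> str:
    """HJT puts the file path or URL after the last ' - ' separator."""
    return body.rsplit(" - ", 1)[-1].strip()


def review_entry(code: str, body: str) -> Optional[str]:
    """Generic review heuristics; returns a reason to look closer, or None."""
    if code == "R1" and "ProxyServer" in body:
        proxy = body.split("=", 1)[1].strip()
        if proxy.startswith("127.0.0.1") or proxy.lower().startswith("localhost"):
            return f"browser proxied through a local listener ({proxy}); find the process bound to that port"
    elif code == "O1":
        return "hosts-file override; confirm the name-to-address mapping is intended"
    elif code == "O2" and body.startswith("BHO: (no name)"):
        return "browser helper object without a name; identify the DLL's publisher"
    elif code == "O4" and "]" in body:
        target = body.split("]", 1)[1].strip()
        if not (target.startswith('"') or _DRIVE_PATH.match(target)):
            return f"autorun given as a bare filename, resolved through the search path: {target}"
    elif code == "O8":
        path = _after_last_dash(body)
        if "\\system32\\" in path.lower():
            return f"context-menu script stored under System32: {path}"
    elif code == "O16":
        host = urlparse(_after_last_dash(body)).hostname or ""
        if host not in KNOWN_DPF_HOSTS:
            return f"ActiveX control downloaded from a host outside the allowlist: {host}"
    return None


def triage_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Run review_entry over every entry and keep the ones that raised a reason."""
    findings = []
    for code, body in parse_hjt(text):
        reason = review_entry(code, body)
        if reason:
            findings.append((code, body, reason))
    return findings


if __name__ == "__main__":
    for code, body, reason in triage_hjt(SAMPLE_HJT):
        print(f"{code}: {reason}\n    {body}")
```

Every flag is a lead to check, not a verdict, and the sample shows why: the unnamed BHO it reports is Spybot's own SDHelper.dll, as the path says, and a 127.0.0.1 proxy is also what some local filtering proxies and pop-up blockers configure. The useful next step for the proxy line is the one Jooske suggests below for the svchost question, identifying which process actually listens on that port (Port Explorer, or netstat on the box).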
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, you had AVG running during the other scans and while creating the HJT log. AVG and other scanners (except TDS) should be closed completely when scanning with any other scanner. TDS doesn't have any other resident protection than the exec protection, which is not a running process hiding files etc.; it only blocks them if they would try to run, so no problem for other scanners. AVG has the habit of protecting its finds and hiding them from other scanners.
    This is why we recommend closing AVG completely by opening its GUI, unchecking all there is and closing it, then doing your other scans, and your scanners should pick up the nasty.
    Can you post back scan results without AVG running, please?
    All your scanners should pick it up now and you should be able to remove it with TDS too, for instance.
    IF TDS gives a "suspicious" or "possible" alert, please submit the file (zipped if possible) to submit@diamondcs.com.au unless it's just a double extension. If it's one TDS has a positive identification for, no need to send it in unless you doubt. In any doubt, always submit.

    Looking forward to your next results!

    Oh, and you might like to use Port Explorer to see what the svchost instances are connected to, if Task Manager itself doesn't tell enough yet?
    Could be your live update, scanners, music players, that kind of thing.
     
  16. JXL

    JXL Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    4
    Hey Jooske

    Thanks for the reply,
    I shut down AVG and this is what the HijackThis file pulled up
    -----------------------------
    Logfile of HijackThis v1.97.7
    Scan saved at 3:28:41 PM, on 7/13/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Personal Firewall\NISUM.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
    C:\Program Files\ProcessGuard Free\dcsuserprot.exe
    C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\sstray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\D-Tools\daemon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
    C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\wap\wap.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Downloads\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
    O4 - HKLM\..\Run: [AS01_Netgear] C:\Program Files\NETGEAR\WG311 Wireless Smart Configuration\Utility\NetgearAG.exe -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - Startup: Process Guard Free.lnk = C:\Program Files\ProcessGuard Free\procguard.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Anonymization - C:\WINDOWS\System32\sys32.htm
    O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O9 - Extra button: Anonymization.Net (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.3028009259
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    ----------------------------------

    I've run TDS, Norton, Adware and S&D and none of them pulled up anything, but from my experience with Dialer.9.U it was somehow still resident. On my friend's system it would even mask the CWShredder program, making it invisible.

    But from my HijackThis file, do you think I'm in the clear?
    My Task Manager is now showing the USER NAME tab, but I still have 4 instances of svchost.exe, 2 as SYSTEM, 1 as Network Service and 1 as Local Service. As you mentioned before, it could be from something like IRC or WinMX, but I don't have anything running. Is there something else that is causing the problem??

    I've got all the demo versions of DiamondCS, just got to find a way to find $132 for a fellow Aussie company.

    Thanks.
     
  17. JXL

    JXL Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    4
    Also, I noticed that most of the viruses I've been having problems with consist of them somehow modifying my exe files, which makes my virus scanner delete the file. I remember one virus that I got off Kazaa that went around making every exe file I had unusable. Even when Norton picked it up in its resident scanner it still managed to infect like 60% of the system.

    Is there a better way to force all exe files to be unmodified??

    OH, one more thing: I've had no end of trouble with System Restore. It just freezes my computer every time it gets used, either by me manually or by another program like an install, so I've turned it off.

    Could this be another virus modifying it?
     
    Last edited: Jul 13, 2004
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Do you see that AVG and Norton AntiVirus were not closed while creating your HJT log? :) There is a newer HJT scanner, btw, you might even see more with that! [thread]15913[/thread]
    *edit: just discovered it still leads to the version you have; investigating where to get the 1.98.0, as even Merijn's page indicates your version 1.97.7 http://www.spywareinfoforum.com/~merijn/downloads.html *

    Did TDS really, with today's new update, not show you any infections (with AVG really completely closed this time!)?

    BTW: get the programs one by one, if that suits you better!
     
    Last edited: Jul 13, 2004
  19. tj500

    tj500 Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    1
    I'm glad I came across this thread. I have been struggling with my mom's computer for a while. After reading the posts above I know that I have this exact problem [the spontaneous reboots and shutting down of various programs].

    I should be able to fix it now with this information, but my question is, what do I do to prevent this in the future?

    My computer is protected by a hardware firewall/router and ZoneAlarm personal firewall. I have Norton AV and a registered version of TDS-3 installed (with execution protection enabled).

    I can't figure out how this happened... I update these programs regularly. I update Norton/TDS almost daily. Windows is always patched etc.

    I'd love to know how this happened. --Or at least an idea of what precautions to take in the future.


    Thanks in advance.
    tj
     
  20. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi TJ, there is an interesting thread, "How did I get infected in the first place":
    https://www.wilderssecurity.com/showthread.php?t=27971

    Did you --if the system is really clean-- also look at ProcessGuard and Port Explorer?
    ProcessGuard to protect your programs and files, and Port Explorer to see all connections and enable you to check and kill what is suspicious?
     
  22. Gor

    Gor Guest

    Hello all,

    I have got the same problem, running AVG & Agnitum Outpost 1.0.
    I have been receiving spontaneous reboots for the last few weeks, until today I discovered the Trojan Horse Dialer.9.N with AVG. I got the problem (I think) simultaneously with another one, the DirectWebSearch / about:blank hijacker. Apparently (I'm not an expert) both are caused by a security leak in Microsoft's JVM.
    When I tried checking manually for Dialer.9.N and some other viruses like var1[1].exe, d_tony2[1].exe among others in C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files I received two spontaneous reboots.
    After the reboot my Agnitum Outpost, which operates in Block Most mode, was disabled both times! A log file called 'jusched.log' in my C:\Documents and Settings\[username]\Local Settings\Temp folder had the following message:
    Wed Jul 21 23:49:00 2004 :: Received shutdown signal

    This sounds like the Trojan horse is still functioning, although my AVG can't find any virus anymore...

    Also, 2 other files keep reappearing in my Temp folder when I delete them: hsperfdata_[username] and a set282.tmp file.

    There is some correspondence about this file at:
    http://www.talkaboutprogramming.com/group/comp.lang.java.machine/messages/16430.html

    "From its name, I would presume it contains performance tracking
    information to help it hotspot optimise. Hotspot does not remember
    this from incarnation to incarnation, hence the temp file."

    I read somewhere the JVM security leak can make your system vulnerable. There is a security patch and JVM removal instructions for XP Pro available, but I'm using Win2000 Pro.

    Any help on solving this issue would be really appreciated!!
     