Re: Win32.HacDef!INI

Discussion in 'malware problems & news' started by Nubius, May 11, 2005.

Thread Status:
Not open for further replies.
  1. Nubius

    Nubius Registered Member

    Joined:
    May 11, 2005
    Posts:
    7
    I recently had the pleasure of receiving Win32.HacDef!INI. As it is a rootkit trojan and has many other goodies installed with it, I'm sure, it has totally screwed up my system. It has denied most of my system services. It has shut down all my security measures and denied access to most of my emails, including online email accounts. Most of the sites I read on it are not much help as the dang files are invisible to my system. I find nothing in a search of regedit ... the only reason I know I have it is my ezAntivirus found it in a scan. It was too late at this point because I had rebooted and it activated.

    I was wondering what could be done to fix this issue short of a total system wipe and restore from disk?

    Any help would be greatly appreciated.
     
  2. Storm

    Storm Registered Member

    Joined:
    Nov 8, 2003
    Posts:
    46
    Hi Nubius!

    This is a real tough one (if your AV identified it correctly)...

    At first please download Rootkit Revealer from www.sysinternals.com
    and let it do a scan... this will show you the discrepancies between what your Windows can "see" and what is really there... so you can identify the rootkit files more accurately...

    If you want to do this alone (be extra careful, as you could wreck the system) you have to remove/delete the rootkit files... to be able to do this you have to either
    a) do it on foot by booting with your Windows CD and deleting the files from the recovery console
    b) try your luck with UnHackMe, a tool that can detect and remove hacker defender... see http://www.batchconverter.com/UnHackMe-download-19193.shtml

    Either way, if its files are removed (especially the configuration file, the INI), hacker defender is no longer able to hide itself and other malware, so you then should be able to do a normal scan (best done in safe mode) to remove the rest (I'm pretty sure HD is not alone!).

    Be aware that HD can be accompanied by various other types of malware, so your security could already be compromised (all your passwords logged and other bad things)...

    If you don't feel sure you can do this stuff, I'd suggest waiting for one of the highly skilled mods/helpers here, who can guide you far better than I can :D

    Good luck!

    Storm
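The "discrepancy" idea behind Rootkit Revealer, as an added example that is not part of the original post or of Sysinternals' code: the same directory is listed through the normal Windows API and again from the raw volume, and anything present in one view but not the other is reported. Both listings below are constructed fixtures, including the example_hidden.* names; the triage wording is my own.

```python
# Cross-view detection, the technique Rootkit Revealer applies: enumerate the
# same directory through the normal Windows API and again by reading the raw
# volume, then report every entry that appears in one view but not the other.
# All paths and sizes below are constructed for this example, not real samples.
from typing import Dict, List

# What a parser reading the volume directly would see (path -> size in bytes).
RAW_VIEW: Dict[str, int] = {
    r"C:\WINDOWS\system32\kernel32.dll": 983040,
    r"C:\WINDOWS\system32\drivers\etc\hosts": 734,
    r"C:\WINDOWS\system32\example_hidden.exe": 70656,
    r"C:\WINDOWS\system32\example_hidden.ini": 3412,
    r"C:\WINDOWS\Prefetch\LAYOUT.INI": 212030,
}

# What a hooked directory enumeration returned: the two example_hidden.* entries
# are gone, LAYOUT.INI was rewritten between the two scans (different size), and
# a temp file that existed only during the API scan is here but not on disk.
API_VIEW: Dict[str, int] = {
    r"C:\WINDOWS\system32\kernel32.dll": 983040,
    r"C:\WINDOWS\system32\drivers\etc\hosts": 734,
    r"C:\WINDOWS\Prefetch\LAYOUT.INI": 212544,
    r"C:\WINDOWS\Temp\~scan.tmp": 0,
}


def cross_view_diff(api: Dict[str, int], raw: Dict[str, int]) -> Dict[str, List[str]]:
    """Classify discrepancies between the two views.
    hidden   - on disk but absent from the API view: the classic rootkit sign
    phantom  - in the API view but not on disk: usually a transient file
    mismatch - in both views with different sizes: tampering, or a file that
               changed between the scans; both need a rescan to confirm
    """
    api_paths, raw_paths = set(api), set(raw)
    return {
        "hidden": sorted(raw_paths - api_paths),
        "phantom": sorted(api_paths - raw_paths),
        "mismatch": sorted(p for p in api_paths & raw_paths if api[p] != raw[p]),
    }


def triage(report: Dict[str, List[str]]) -> str:
    """Reduce the diff to the verdict an analyst would act on."""
    if report["hidden"]:
        return "rootkit suspected: confirm from a clean boot medium before deleting"
    if report["phantom"] or report["mismatch"]:
        return "inconclusive: repeat both scans to rule out files changing mid-scan"
    return "no discrepancies"
```

The phantom and mismatch buckets are why a single Rootkit Revealer run is not proof by itself: files that change while the scan is running show up there too, so the tool's advice to rescan before acting carries over.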
     
  3. Nubius

    Nubius Registered Member

    Joined:
    May 11, 2005
    Posts:
    7
    Thank you for the information and I'm currently working on checking those methods.

    asviewer log removed

    I used asviewer and this is what I found... it may be helpful.


    I will add more information as I obtain it.
     
  4. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  5. Nubius

    Nubius Registered Member

    Joined:
    May 11, 2005
    Posts:
    7
    I'm sorry about the post, my bad. I have information from RootkitViewer which may be helpful; this trojan is acting very odd. I'm showing seven places it is located when I scan with ezAntivirus. I am unable to manually get to those locations on the PC.

    I have the log from RootkitViewer but do not wish to post it without consent. Could you please advise if there is a place for this. I did not see it.

    Thank you
     
  6. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  7. Nubius

    Nubius Registered Member

    Joined:
    May 11, 2005
    Posts:
    7
    Thank you all for your time and I will do just that. This is a wonderful site and I will definitely keep this as a favorite. I will keep you all posted on the outcome and I hope the information will be helpful to future poor souls who happen to get this cursed booger! I am definitely getting some of the software this site links to.
     
  8. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi Nubius,

    In order to be sure that you're really infected by the free version of Hacker Defender, just click on the next link for downloading UnHackme:

    http://www.greatis.com/unhackme250b.exe

    Install it and run a scan.
    If UnHackme detects HD, then it can remove it.
    Make a scan again of your system in normal and DOS mode.

    For more information about your possible infection, take a look at these links which inform about signs of infection and also how to remove HD:

    http://desigeek.com/weblog/amit/archive/2004/05/04/219.aspx

    http://www.dshield.org/pipermail/unisog/2004-October/023770.html

    Then, if the infection is real, there is also a cleanup tool against HD, which can be found here (HDCleanup.msi):

    http://mother.itsp.purdue.edu/~wirges/resources/public/hacker_defender/


    Hope this helps,

    Regards
     
  9. Nubius

    Nubius Registered Member

    Joined:
    May 11, 2005
    Posts:
    7
    Update reference backdoor trojan.

    Hi everyone again. Sorry it took so long to update you reference my possible Win32.HacDef.INI rootkit infection.

    My PC was totally screwed up. I got help from the gladiator forum as well as another one but it was too late. It was not a HacDef! trojan but may have been a variation of it. Antivirus software will sometimes misdiagnose HacDef so be very careful. Use UnHackme to find out.

    In my case the infection had totally taken over my system and when I attempted to delete several infected files the virus somehow knew this and shut down my ability to go online completely. I'm using an older PC of mine to get online.

    I am going to attempt to save several files on that PC as the music took me forever to collect. :)

    The biggest advice I can give from the lesson is never think that you have good protection. I recommend several products including TDS-3 and a registry protection program.

    I'm purchasing several of these on top of my firewall and antivirus programs.

    Traditional methods are no longer working, and you need to stay cutting edge with security if you want to keep a healthy pc. Take care and have a great day fellas and thanks for the help you provide here. I will continue to read these forums and stay up to date on the security issues at hand.

    Later my friends.
    Nubius
    AKA Ted
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hey Nubius,

    I have merged the thread you just recently started this AM....Update reference backdoor trojan....into this ongoing thread. We like to keep all our eggs in one basket as we continue to assist with a user's problem.

    Regards,
    Bubba
     