
Backdoor.HacDef.C 1


Happo

IS-IT--Management
Sep 28, 2002
188
AU
This particularly nasty little puppy made its way on to my machine somehow. Initially it slowed the system to a crawl, but I turned off Sys Restore and booted in safe mode, and Symantec told me the virus had been 'cleaned'. However, I still can't access or download certain programs (Spybot & HijackThis); this infection apparently uses 'API Hooks' (Help)? I believe it comes under the category of 'NT Rootkit'. It used to be on this site; it would seem 'they' have finally found out and suspended the site. My AV scan (AVG) runs at 5 every morning and I wake up every morning to 'Virus Found! Backdoor.Hacdef.C'. Anyone know of a solution?

Thanks in advance,
Daniel.
 
Happo,

I've run into this beast before. You'll definitely want to turn off system restore and empty your recycle bin first.

Then check out C:/windows/system32/drivers/etc/hosts and make sure that the only uncommented line is:

127.0.0.1 localhost

Scroll down and make sure that there's no additional info below that line.

You say that you have both AVG and some Symantec Anti-Virus product. Update the Symantec Anti-Virus and then run a full scan.

Wishdiak
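The hosts-file check Wishdiak describes, as an added example that is not code from the thread: it parses a hosts file, reports every active mapping other than the plain localhost line, and measures the longest run of blank lines, since the thread's point is that the hijack entries were pushed below the visible screen. The sample contents and the update hostnames in it are constructed for the example.

```python
# Constructed sample hosts file: a harmless header, the localhost line, then a
# block of blank lines so the extra mappings sit below what a text editor shows.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2001 Microsoft Corp.\n"
    "#\n"
    "127.0.0.1       localhost\n"
    "#192.168.0.1 koodoz.mshome.net # 2008 6 5 13 10 7 3 394\n"
    + "\n" * 40 +
    "127.0.0.1 windowsupdate.microsoft.com\n"     # constructed: blocks updates
    "127.0.0.1 liveupdate.symantec.com\n"        # constructed: blocks AV defs
    "10.0.0.5  free-av.example   # constructed: sends a name somewhere else\n"
)

# The only mappings a clean file needs; anything else is reported for review.
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def audit_hosts(text):
    """Return (suspicious, longest_blank_run) for hosts-file contents.

    suspicious: [(line_no, ip, hostname)] for every active mapping that is not
    the localhost entry.  longest_blank_run: the longest stretch of empty
    lines, a hint that entries were hidden off-screen as in the thread.
    """
    suspicious = []
    run = longest = 0
    for no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:                       # blank padding line
            run += 1
            longest = max(longest, run)
            continue
        run = 0
        active = stripped.split("#", 1)[0].strip()   # drop trailing comments
        if not active:                         # comment-only line
            continue
        parts = active.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if (ip, name.lower()) not in ALLOWED:
                suspicious.append((no, ip, name))
    return suspicious, longest


if __name__ == "__main__":
    found, padding = audit_hosts(SAMPLE_HOSTS)
    print(f"longest run of blank lines: {padding}")
    for no, ip, name in found:
        print(f"line {no}: {ip} -> {name}")
```

On a real machine, read the file at the path Wishdiak gives (C:\WINDOWS\system32\drivers\etc\hosts) and pass its contents to audit_hosts.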
 
Wishdiak, ta
Then check out C:/windows/system32/drivers/etc/hosts

## Copyright (c) 1993-2001 Microsoft Corp.
#
# This file has been automatically generated for use by Microsoft Internet
# Connection Sharing. It contains the mappings of IP addresses to host names
# for the home network. Please do not make changes to the HOSTS.ICS file.
# Any changes may result in a loss of connectivity between machines on the
# local network.
#

#192.168.0.1 koodoz.mshome.net # 2008 6 5 13 10 7 3 394

Symantec, AVG and Mcafee all find the same thing - virus detected in file C:\WINDOWS\HXDEFDRV.SYS, Trojan Horse Backdoor.Hacdef.C, cannot be cleaned/removed, file is still infected.
I can manually delete the file but it is back the next time I restart... I hate this thing
Thanks.
 
I just ran across this little bugger last week. There are 2 hidden services you need to disable through recovery console also before you can get it cleaned out.

I found info here

here

and here
Good luck this one is really nasty.


Bill

<<<<< Hi I'm a telephone technician running a test on your telephone lines. To complete the test please dial nine (9), zero (0), pound sign (#) and hang up. >>>>>
 

That's the very one. After doing the fix, I still couldn't get Windows Updates or AntiVirus Definitions.

I spent a few wasted hours trying to figure out why I couldn't update AntiVirus Definitions before I noticed that the hosts file had blank lines and then more info that had scrolled off the screen.

That was a lesson learned the hard way.

Wishdiak
 
Good news is I can now run HJT - log is below, cheers
Spybot has also reappeared for the first time in a while, maybe AVG (current AV) finally found a fix and included it in their updates because I haven't changed anything - Thanks for the help guys


Logfile of HijackThis v1.97.7
Scan saved at 18:59:46, on 14/09/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Spy Sweeper\SpySweeper.exe
C:\Program Files\Panorama\Panorama.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads (Applications)\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/HTML/quicklinks/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {498B122B-BC1B-73C6-8003-64550DA7291F} - C:\WINDOWS\System32\glguje.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Panorama.lnk = C:\Program Files\Panorama\Panorama.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research (HKLM)
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} -
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} -
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{796B8FE5-374C-41F8-BD86-FD41109BA873}: NameServer = 203.194.56.150 203.194.27.57
 
Resolution:

All the standard disclaimers (I'm not an expert, you may want to confirm with others, etc.)

Take all normal precautions (back up registry, run adaware, run SBSD, disable system restore, etc.), then . . .

Check and fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {498B122B-BC1B-73C6-8003-64550DA7291F} - C:\WINDOWS\System32\glguje.dll (file missing)


The R0 line below is interesting. From what I can find, it refers to a Windows ME program, but I see you’re running XP. Did you upgrade? From what I can tell, it shouldn’t be needed on an XP system, but you may want to get confirmation elsewhere:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm

And lastly, the O17 line refers to Asia Pacific Network Information Centre. If this has nothing to do with your ISP, I would get rid of it as well. (WhoIs information below):
O17 - HKLM\System\CCS\Services\Tcpip\..\{796B8FE5-374C-41F8-BD86-FD41109BA873}: NameServer = 203.194.56.150 203.194.27.57

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to
Comment:
RegDate: 1994-04-05
Updated: 2004-03-30


Anyone see anything I missed?

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
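The triage jbrackett did by hand on the HijackThis log, as an added example that is not code from the thread or from HijackThis itself: it parses lines in the v1.97 log format and reports the same four patterns he flagged (blanked IE search settings, the missing URLSearchHook, a BHO whose DLL is gone, and O17 name servers outside the resolvers the machine should be using). The sample excerpt reuses entries from the log posted above; the expected_dns set is an assumption the caller supplies.

```python
import re

# Constructed excerpt in HijackThis v1.97 log format, taken from the entries
# posted in this thread; the SDHelper BHO line is included as a clean control.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///D:/HTML/quicklinks/index.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {498B122B-BC1B-73C6-8003-64550DA7291F} - C:\WINDOWS\System32\glguje.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{796B8FE5-374C-41F8-BD86-FD41109BA873}: NameServer = 203.194.56.150 203.194.27.57
"""

ENTRY = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def triage(log_text, expected_dns=frozenset()):
    """Return [(entry_type, reason, line)] for entries worth a second look.

    expected_dns: resolver IPs the ISP actually assigns (assumed input); any
    O17 NameServer outside that set is reported so the owner can confirm it.
    """
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("type"), m.group("body")
        reason = None
        if kind in ("R0", "R1"):
            value = body.split(" = ", 1)[1].strip() if " = " in body else ""
            if value in ("", "http://"):          # setting wiped, not set
                reason = "IE search/start setting blanked out"
        elif kind == "R3" and "is missing" in body:
            reason = "default URLSearchHook removed"
        elif kind == "O2" and body.endswith("(file missing)"):
            reason = "BHO registered for a DLL that no longer exists"
        elif kind == "O17" and "NameServer" in body:
            foreign = [ip for ip in IPV4.findall(body) if ip not in expected_dns]
            if foreign:
                reason = "DNS servers outside expected set: " + ", ".join(foreign)
        if reason:
            findings.append((kind, reason, line))
    return findings


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {line}")
```

If the two O17 addresses really are the ISP's resolvers, pass them in expected_dns and the O17 line drops out of the report.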
 
Happo,

In researching this guy, I found that you've had this problem before (thread779-900419). Did you never completely get rid of it, or has it recurred for some reason? If linno's fix didn't work I'd like to know so I don't refer back to it.

 
jbrackett,
The previous problem you are referring to was on a different pc. Also my first post was probably in the wrong forum, so I didn't continue it. linney's solution worked on that comp. (or at least I thought so) but not on the current one - don't know why. But after your query I contacted the owner of the first pc and although the symptoms of slow performance etc. are gone he still has hxdefdrv.sys on his comp. and can't access or download HJT or Spybot. So, from what I can gather linney's fix does get rid of the main issues; the rest is mainly academic. A trip around there with my new bag of tricks may help, even though I still don't know a great deal about this thing. I wish I could give you more info but XP problems are not my forte and this thing is certainly way out of my league. I think it was Montgomery who said 'There is only one thing more powerful than information - misinformation'.

adios amigos
 
All right, then there's some info that might help you at the following:

and the last entry at:

Let me know if any of this helps and/or solves the problem completely.

 
Here's another site that claims to have the solution:

 
This is just getting ridiculous! After all this research and effort (by many ppl) Backdoor.HacDef.C no longer appears. HOWEVER, I now have something called Backdoor.HacDef.2.AA which can't be removed either; as yet I have not been able to find out much about this other one. It is resident in three files and 'cannot be cleaned/removed - file is still infected'. I will post more info when I get home tonight. I also contracted I-Worm.Netsky but that was fairly easily removed with a tool from Grisoft. Oh, and I do have AV, Firewall (ZA) and sp2, don't really know what is happening.

Daniel.
 
Backdoor.HacDef.2.AA is resident in the following files (According to AVG)
C:\Windows\Svhost.exe
C:\Windows\Winunins.exe
C:\Windows\Help\Svhost.exe

btw if you are wondering why I am only using AVG I have also had some network problems with McAfee & Symantec so it is a temporary measure. I am going to run HJT and post it as another thread with a reference to this one, hope that is 'acceptable'...
 
Happo,

What kind of network problems with McAfee & Symantec? Were you unable to run them on the infected machine?

The time that I had to remove this bug, I ran into a situation where the usual AntiVirus tools would not work.

What I did, following was to shut off system restore, reboot from the CD, delete the offending files (which were not in just one directory), modify the hosts file, and then run HJT and delete entries.

The hosts file is where I got tripped up, because it looked fine at first glance, but scrolling down showed entries that shouldn't have been there.

Once I figured that out, it was a piece of cake.

Wishdiak
 
C:\Windows\Svhost.exe
C:\Windows\Winunins.exe
C:\Windows\Help\Svhost.exe

Are you able to find and delete those files?

-------------------------------------
It's 10 O'Clock ( somewhere! ).
Are your registry and data backed up?
 
Sorry guys, I am really busy at work right now and can't find a moment to do anything else. Thanks for all your help, but this one is on the backburner for the time being, like the next few weeks. The computer appears to be working fine, it just finds about 4 viruses (and counting..) every morning. Will update if I have any revelations or a final solution, catcha around...
Daniel.
 
Update - Removed Reg entries as per jbrackett above. Removed AVG and installed McAfee, McAfee found and 'removed' "HackerDefender" virus, subsequent scans are clean for the first time in months, virus appears to be gone - here we go again...
Thanks again,
d.
 