#1
hxdefdrv.sys a lot of problems..

Hi, now I have a lot of problems, possibly a worm, I believe that, because every time I boot the system, the AVG antivirus shows an alert:

    Trojan Horse Backdoor.Hacdef.C is found in file C:\WINDOWS\hxdefdrv.sys

Well, if I run AVG, the file is deleted, but every time I boot it's the same problem. There's more: that worm doesn't let me run msconfig, doesn't let me download HijackThis, and a few other things. I ran under safe boot and used HJT to delete some things. Now I can use msconfig, but still the problem with HJT: I can run it but can't save the log. Please help me, I'm very puzzled about this stuff. Thanks, Andrés.

*I speak Spanish, so sorry for my bad English.
**If it is necessary to view the HJT log, maybe I can save it in safe boot.
#2
Hi tallerlego.

I can't find much info on that trojan. It's been a few days, have you had any luck? Tom
__________________
HijackThis | Ad-aware | Spybot Search & Destroy | SpywareBlaster | SpywareGuard | Housecall Online A/V Scan
Please read the stickies at the top of the forum before posting!
#3
Notes on hxdefdrv.sys and removal instructions

I was hacked by this application when I opened a web page in Internet Explorer.

Here is some information on hxdefdrv.sys (HACKERDEFENDER) and the removal instructions. After noticing that something was wrong, I disconnected my PC from the Internet. I noticed these changes to my system:

- There was a new shortcut on my desktop, with the name Start and this target: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" URL
- After searching for the files created today, I found these new files in C:\Winnt\:
    23052004.exe <-- The name of this file is the date of tomorrow
    hxdefdrv.sys
    sezzbc.ig2
    vzcdaq.2nh
- The Internet Explorer Start Page was modified to URL
- When trying to execute RegEdit.exe, this application was closed almost immediately.
- I deleted the file hxdefdrv.sys. After restarting the PC, the file had been recreated.
- To avoid the creation of this file again, open a command prompt and execute NET STOP HACKERDEFENDER100. Notice that this is the name of the service in the winunins.ini file (see winunins.ini below). If the service is not in memory, about 45 seconds will pass and you will get the message "The service is not responding to the control function." If the service is not in memory, you will be told so. After removing the service from memory, the hxdefdrv.sys file does not appear again when restarting the PC. Nevertheless, the application is still in memory, so that doesn't solve the problem completely. Please note that this service is not listed in the Task Manager, because it hides itself, some other services and files.
- I restarted my PC in safe mode and found other files in C:\Winnt:
    svhost.exe
    winunins.exe
    winunins.ini
- When searching for the files modified today, I found that the file C:\WINNT\system32\drivers\etc\hosts had been modified to that shown here:
    213.159.118.228 collections.inhost.info
    213.159.118.228 collections.inhost2.info
    213.159.118.228 1-se.com
    213.159.118.228 58q.com
    213.159.118.228 aifind.cc
    213.159.118.228 aifind.info
    213.159.118.228 allneedsearch.com
    213.159.118.228 approvedlinks.com
    213.159.118.228 auto.ie.searchforge.com
    213.159.118.228 awebfind.biz
    213.159.118.228 best.royalsearch.net
    213.159.118.228 cracks.am
    213.159.118.228 default-homepage-network.com
    213.159.118.228 find.microgirls.com
    213.159.118.228 find4u.net
    213.159.118.228 freshvideogals.com
    213.159.118.228 i-lookup.com
    213.159.118.228 ie-search.com
    213.159.118.228 in.webcounter.cc
    213.159.118.228 itseasy.us
    213.159.118.228 just.find-itnow.com
    213.159.118.228 link.startmake.com
    213.159.118.228 mysearchnow.com
    213.159.118.228 nativehardcore.com
    213.159.118.228 qwertysearch123.biz
    213.159.118.228 search.ieplugin.com
    213.159.118.228 search.psn.cn
    213.159.118.228 searchbar.findthewebsiteyouneed.com
    213.159.118.228 searchcentrix.com
    213.159.118.228 searchmyrequest.com
    213.159.118.228 super-spider.com
    127.0.0.1 hard-virgins.com
    127.0.0.1 URL
    127.0.0.1 petite-virgins.biz
    127.0.0.1 wwww.petite-virgins.biz
    127.0.0.1 only-virgins.com
    127.0.0.1 URL
    213.159.118.228 t.rack.cc
    213.159.118.228 teen-biz.com
    213.159.118.228 teenhqpics.com
    213.159.118.228 tits.hardcore4ever.net
    213.159.118.228 webcoolsearch.com
    213.159.118.228 wmmse.com
    213.159.118.228 URL   (this entry is repeated many more times; the host names were not preserved in this copy of the post)
    213.159.118.228 xwebsearch.biz
    213.159.118.228 yourbookmarks.ws
- After opening RegEdit, I found svhost.exe in the path:
    1) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
    2) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
- I found on the Internet the site of the developers of this application at the URL: URL. There you can get a better idea of its functionality.
- When I opened the winunins.ini file, I found this information, among other things, in the [Settings] section:
    ServiceName=HackerDefender100
    DriverFileName=hxdefdrv.sys

To remove this application:

- Restart the PC in safe mode.
- Open RegEdit and delete the keys:
    1) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
    2) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
- Delete these files from C:\Winnt\:
    23052004.exe
    hxdefdrv.sys
    sezzbc.ig2
    vzcdaq.2nh
- In RegEdit, find and edit every key containing ".outhost.", leaving them blank. E.g. the key Default_Page_URL reads "http://ykkgcg.outhost.info/". Right-click on it, select Modify, delete the text and select OK. Please note that you should look for ".outhost."; I have noticed that the first part ("ykkgcg") is variable.
- Edit the hosts file, deleting everything and leaving only this line: 127.0.0.1 localhost
- Restart Windows in normal mode. Everything should be OK now. :-)
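The hosts-file rewrite the post describes is easy to check for mechanically, and the check is worth having because a rewritten hosts file survives reboots and is not hidden by the rootkit's hooks. The script below is an added example, not code from the post or from any tool named in the thread. It assumes only that the hosts file can be read as text (the sample is constructed from a few of the entries quoted above plus the normal localhost line) and that anything other than loopback entries for localhost is suspect, which is the post's own advice to leave just "127.0.0.1 localhost".

```python
"""Audit a Windows hosts file for the hijack pattern described in the post above:
dozens of host names pointed at one remote address (213.159.118.228 in the post)
plus a few loopback "blackhole" entries for names other than localhost."""
from collections import Counter

# Constructed sample: a handful of the entries quoted in the post, plus the
# normal localhost line and a comment, to show what a clean entry looks like.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
213.159.118.228 collections.inhost.info
213.159.118.228 1-se.com
213.159.118.228 default-homepage-network.com
213.159.118.228 search.ieplugin.com
213.159.118.228 xwebsearch.biz
127.0.0.1       only-virgins.com
"""

LOOPBACK = {"127.0.0.1", "::1"}
EXPECTED_LOOPBACK_NAMES = {"localhost"}
CLEAN_HOSTS = "127.0.0.1 localhost\n"   # the content the post tells you to leave behind


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        entries.extend((ip, n.lower()) for n in names)
    return entries


def audit_hosts(text, min_cluster=3):
    """Classify every entry:
      redirect   - non-loopback IP that at least `min_cluster` names point at
                   (the hijacker's search / home-page redirection)
      blackhole  - loopback entry for anything but localhost (sites the
                   hijacker wants unreachable)
      unexpected - any other non-loopback mapping; legitimate admin entries
                   land here too, so review rather than delete blindly
    """
    entries = parse_hosts(text)
    per_ip = Counter(ip for ip, _ in entries)
    findings = []
    for ip, name in entries:
        if ip in LOOPBACK:
            if name not in EXPECTED_LOOPBACK_NAMES:
                findings.append(("blackhole", ip, name))
        elif per_ip[ip] >= min_cluster:
            findings.append(("redirect", ip, name))
        else:
            findings.append(("unexpected", ip, name))
    return findings


def redirect_target(findings):
    """The address most host names were redirected to, or None."""
    c = Counter(ip for kind, ip, _ in findings if kind == "redirect")
    return c.most_common(1)[0][0] if c else None


def summary(findings):
    """Count of findings per kind, e.g. {'redirect': 5, 'blackhole': 1}."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for kind, ip, name in found:
        print(f"{kind:10} {ip:16} {name}")
    print("summary:", summary(found), "redirect target:", redirect_target(found))
```

Point `audit_hosts` at the real file (`open(r"C:\WINNT\system32\drivers\etc\hosts").read()`) from safe mode or a Recovery Console boot; a non-empty `redirect` cluster is the signature of this hijack, and writing `CLEAN_HOSTS` back is the fix the post gives.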
#4
Notes on hxdefdrv.sys and instructions for removing it

I was 'hacked' by this application when I opened a web page in Internet Explorer.

Here is some information on hxdefdrv.sys (HACKERDEFENDER) and the instructions for removing it. After noticing that something was wrong, I disconnected my PC from the Internet. I noticed these changes on my PC:

- There was a new shortcut on my desktop, with the name 'Start', pointing to this address: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" URL
- After searching for the files created today, I found these files in C:\Winnt\:
    23052004.exe <-- The name of this file is tomorrow's date
    hxdefdrv.sys
    sezzbc.ig2
    vzcdaq.2nh
- The Internet Explorer home page was changed to URL
- When I tried to run RegEdit.exe, the application was closed almost immediately.
- I deleted the file hxdefdrv.sys. After restarting the PC, the file had been recreated.
- To prevent this file from being created again, open an MS-DOS window and run NET STOP HACKERDEFENDER100. Note that this is the name of the service in the winunins.ini file (see winunins.ini below). If the service is loaded in memory, after 45 seconds you will get the message "The service is not responding to the control function." If the service is not in memory, you will be told so. After removing the service from memory, the hxdefdrv.sys file will not appear again when you restart the PC. However, that alone does not solve the problem completely. Please note that this service is not listed in the Task Manager, because it hides itself, other services and files.
- I restarted my PC in safe mode and found other files in C:\Winnt:
    svhost.exe
    winunins.exe
    winunins.ini
- When I searched for the files modified today, I found that the file C:\WINNT\system32\drivers\etc\hosts had been modified to the content shown here:
    213.159.118.228 collections.inhost.info
    213.159.118.228 collections.inhost2.info
    213.159.118.228 1-se.com
    213.159.118.228 58q.com
    213.159.118.228 aifind.cc
    213.159.118.228 aifind.info
    213.159.118.228 allneedsearch.com
    213.159.118.228 approvedlinks.com
    213.159.118.228 auto.ie.searchforge.com
    213.159.118.228 awebfind.biz
    213.159.118.228 best.royalsearch.net
    213.159.118.228 cracks.am
    213.159.118.228 default-homepage-network.com
    213.159.118.228 find.microgirls.com
    213.159.118.228 find4u.net
    213.159.118.228 freshvideogals.com
    213.159.118.228 i-lookup.com
    213.159.118.228 ie-search.com
    213.159.118.228 in.webcounter.cc
    213.159.118.228 itseasy.us
    213.159.118.228 just.find-itnow.com
    213.159.118.228 link.startmake.com
    213.159.118.228 mysearchnow.com
    213.159.118.228 nativehardcore.com
    213.159.118.228 qwertysearch123.biz
    213.159.118.228 search.ieplugin.com
    213.159.118.228 search.psn.cn
    213.159.118.228 searchbar.findthewebsiteyouneed.com
    213.159.118.228 searchcentrix.com
    213.159.118.228 searchmyrequest.com
    213.159.118.228 super-spider.com
    127.0.0.1 hard-virgins.com
    127.0.0.1 URL
    127.0.0.1 petite-virgins.biz
    127.0.0.1 wwww.petite-virgins.biz
    127.0.0.1 only-virgins.com
    127.0.0.1 URL
    213.159.118.228 t.rack.cc
    213.159.118.228 teen-biz.com
    213.159.118.228 teenhqpics.com
    213.159.118.228 tits.hardcore4ever.net
    213.159.118.228 webcoolsearch.com
    213.159.118.228 wmmse.com
    213.159.118.228 URL   (this entry is repeated many more times; the host names were not preserved in this copy of the post)
    213.159.118.228 xwebsearch.biz
    213.159.118.228 yourbookmarks.ws
- After opening RegEdit, I found svhost.exe in these places:
    1) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
    2) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
- I found on the Internet the site of the developers of this application, at the address: URL. There you can get a better idea of its functionality (the page is in English).
- When I opened winunins.ini, I found this information, among other things, in the [Settings] section:
    ServiceName=HackerDefender100
    DriverFileName=hxdefdrv.sys

To remove this application:

- Restart the PC in safe mode.
- Open RegEdit and delete the keys:
    1) [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
    2) [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\\WINNT\\svhost.exe -sr -1"
- Delete these files from C:\Winnt\:
    23052004.exe
    hxdefdrv.sys
    sezzbc.ig2
    vzcdaq.2nh
- In RegEdit, find and edit every key containing ".outhost.", leaving their contents blank. For example, the contents of the key Default_Page_URL read "http://ykkgcg.outhost.info/". Right-click it, select Modify, delete the text, select OK. Please note that you must search for ".outhost."; I have noticed that the first part of the string ("ykkgcg") is variable.
- Edit the hosts file, deleting everything and leaving only this line: 127.0.0.1 localhost
- Restart Windows in normal mode. Everything should be fine now. :-)
#5
This is a serious pain, this one - I wasted bloody hours fixing it. Amongst other things mentioned above it:

a) kills various antivirus programs automatically
b) automatically recreates the hxdefdrv.sys file in /winnt, which it uses to create a backdoor into your PC, AFTER you delete it
c) creates some registry entries for Tcpip services which I could only find with HijackThis (once I'd got rid of the other stuff manually that stopped HijackThis running)

and ... it may also stuff around with your default Windows stylesheet.

The registry entries identified by HijackThis I got rid of were:

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mondaq.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5AA55F8B-259A-49E7-A622-C72B9ECFE8FC}: NameServer = 10.0.0.2,10.0.1.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5BE61EE-69CC-4D01-A03A-6EE6ABC508B5}: NameServer = 194.72.9.55 194.74.65.85
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mondaq.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = mondaq.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = mondaq.com
    O17 - HKLM\System\CS3\Services\Tcpip\..\{0599EC89-14BB-41EC-9409-7ACD6FEE6168}: NameServer = 10.0.0.2
    O19 - User stylesheet: C:\WINNT\system32\vuodjr.af6

And the config file it uses to install/run itself is this (winunins.ini):

    [Hidden Table]
    inatjoy.dll
    motkrtin.dll
    witadr.dll
    winunins.exe
    winunins.ini
    svhost.exe
    CWShredder*
    HijackThis*
    ProceXP*
    Spybot*
    msconfig*
    [Root Processes]
    svhost.exe
    trj4j6js.exe
    winunins.exe
    [Hidden Services]
    HackerDefender*
    [Hidden RegKeys]
    HackerDefender100
    LEGACY_HACKERDEFENDER100
    HackerDefenderDrv100
    LEGACY_HACKERDEFENDERDRV100
    [Hidden RegValues]
    [Startup Run]
    C:\WINNT\svhost.exe -sr -0
    [Free Space]
    [Hidden Ports]
    [Settings]
    Password=qweqwe
    BackdoorShell=ddd.exe
    FileMappingName=_.-=[PokuS]=-._
    ServiceName=HackerDefender100
    ServiceDisplayName=Windows System Uninstaller
    ServiceDescription=Microsoft System Service
    DriverName=HackerDefenderDrv100
    DriverFileName=hxdefdrv.sys
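The winunins.ini quoted above is the rootkit's own hiding list, which makes it the best checklist a responder has: every file, process, service and registry key it names is something to look for from outside the running system (Recovery Console, safe mode, an offline scan), where the hooks are not active. The parser below is an added example, not code from the post or from the rootkit's authors; it re-types the quoted config (with the [Settings] section trimmed to the service and driver entries that matter for detection) and assumes that [Hidden Table] entries behave as shell-style wildcards matched case-insensitively, which the trailing "*" on the tool entries suggests but the post does not state.

```python
"""Turn the HackerDefender configuration quoted above (winunins.ini) into a
checklist of indicators for an offline check of the machine."""
import fnmatch

# winunins.ini as quoted in post #5, re-typed here. [Settings] is trimmed to
# the service and driver entries relevant for detection.
SAMPLE_INI = """\
[Hidden Table]
inatjoy.dll
motkrtin.dll
witadr.dll
winunins.exe
winunins.ini
svhost.exe
CWShredder*
HijackThis*
ProceXP*
Spybot*
msconfig*
[Root Processes]
svhost.exe
trj4j6js.exe
winunins.exe
[Hidden Services]
HackerDefender*
[Hidden RegKeys]
HackerDefender100
LEGACY_HACKERDEFENDER100
HackerDefenderDrv100
LEGACY_HACKERDEFENDERDRV100
[Hidden RegValues]
[Startup Run]
C:\\WINNT\\svhost.exe -sr -0
[Free Space]
[Hidden Ports]
[Settings]
ServiceName=HackerDefender100
ServiceDisplayName=Windows System Uninstaller
ServiceDescription=Microsoft System Service
DriverName=HackerDefenderDrv100
DriverFileName=hxdefdrv.sys
"""


def parse_hxdef_ini(text):
    """Split the file into {section: [lines]}; empty sections are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def settings(sections):
    """[Settings] is the only key=value section."""
    pairs = (line.partition("=") for line in sections.get("Settings", []))
    return {k.strip(): v.strip() for k, _, v in pairs}


def is_hidden(sections, name):
    """Would a file or process called `name` be hidden by this config?
    Assumption: [Hidden Table] entries are shell-style wildcards, compared
    case-insensitively (suggested by the trailing '*' on the tool entries)."""
    return any(fnmatch.fnmatchcase(name.lower(), pat.lower())
               for pat in sections.get("Hidden Table", []))


def indicators(sections):
    """Checklist for an offline scan, grouped by where to look."""
    s = settings(sections)
    table = sections.get("Hidden Table", [])
    services = {s.get("ServiceName"), s.get("DriverName")} | set(sections.get("Hidden RegKeys", []))
    return {
        "files": sorted({e for e in table if "*" not in e} | {s.get("DriverFileName")} - {None}),
        "processes": sorted(sections.get("Root Processes", [])),
        "services": sorted(x for x in services if x),
        "autostart": list(sections.get("Startup Run", [])),
        # names of security tools whose files the rootkit masks from the system
        "tool_masks": sorted(e for e in table if "*" in e),
        "service_display_name": s.get("ServiceDisplayName"),
    }


if __name__ == "__main__":
    sec = parse_hxdef_ini(SAMPLE_INI)
    for group, items in indicators(sec).items():
        print(f"{group}: {items}")
    print("HijackThis.exe hidden?", is_hidden(sec, "HijackThis.exe"))
```

The `tool_masks` group is the part worth noticing: masks for HijackThis, Spybot, CWShredder, Process Explorer and msconfig are in the same hiding table as the rootkit's own files, which fits the first poster's report that HijackThis would run but could not save its log. The `service_display_name` ("Windows System Uninstaller") is what the service would show under in any tool that can still see it.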
#6
HERE IS THE ONLY WORKING SOLUTION

1. Boot from the Windows installation CD-ROM.
2. Choose Repair Control [R].
3. Choose the problematic Windows installation you want to fix.
4. In the C:\Windows directory, type the following commands in order:
    attrib -r hxdefdrv.sys
    del hxdefdrv.sys
    attrib -r svhost.exe
    del svhost.exe
    attrib -r winunins.exe
    del winunins.exe
    attrib -r winunins.ini
    del winunins.ini
    cd system32
    del inatjoy.dll
5. Restart the PC in safe mode.
6. Open RegEdit and delete the keys:
    a. [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\WINNT\svhost.exe -sr -1"
    b. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\WINNT\svhost.exe -sr -1"
7. In RegEdit, find and edit every key containing ".outhost.", leaving them blank. I.e. the key Default_Page_URL reads http://hzukcv.outhost.info/,http://hzukcv.outhost.info/}".

All now must be OK! ***Enjoy again your machine*** Solutions by the "life-jacket"
#7
Hey life-jacket! I must give you props. I spent hours working on this issue. I spend most of my time chasing crap like this. Peeps like you are an inspiration to IT peeps like me. People like you are too far and in between. You are the only person out of thousands that figured it out. kudos to you. |
#8
Damn, I spoke too soon. Still shows up. Let's see who can beat who to the fix.
#9
OK found it. Lots of peeps will find that they have a HKEY_USER in the reg.

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Network Service"="C:\WINNT\svhost.exe -sr -1"

Then start over.
#10
I'm still finding them..

    HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\SERVICES\HACKDEFENDERDRV100
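Posts #3, #6, #9 and #10 between them name three Run keys and a service key under a numbered control set where the rootkit re-registers itself, and the thread shows how easy it is to clean two of them and miss the third. The script below is an added example, not code from the thread or from any tool it names; it gathers those locations into one check. It runs over a regedit export (the format post #3 quotes), so it can be applied to an exported or offline hive where the rootkit's hooks are not active, and on a Windows host it can also read the live registry through the standard winreg module. The sample export and the "ExampleUpdater" value are constructed; the key names, value name and service names come from the posts and from the winunins.ini quoted in post #5.

```python
r"""Check the autostart and service locations named in this thread for the
HackerDefender entries: "Network Service" = C:\WINNT\svhost.exe -sr -N under
three Run keys, and HackerDefender* service keys under any control set."""
import re
import sys

# Run keys named in posts #3, #6 and #9 (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_users\.default\software\microsoft\windows\currentversion\run",
}
# Service/driver key names from winunins.ini ([Settings] and [Hidden RegKeys]).
SERVICE_NAMES = {"hackerdefender100", "hackerdefenderdrv100",
                 "legacy_hackerdefender100", "legacy_hackerdefenderdrv100"}
# svhost.exe (one letter short of the legitimate svchost.exe) with the
# "-sr -1" / "-sr -0" switches seen in the posts.
IMPOSTOR = re.compile(r"(?:^|\\)svhost\.exe(?:\s+-sr\s+-\d+)?\s*$", re.IGNORECASE)

# Constructed regedit export in the format post #3 quotes; "ExampleUpdater" is
# a made-up benign entry, the other values are the ones from the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"Path"="C:\\WINNT\\svhost.exe"
'''


def parse_reg_export(text):
    """Return (key, value_name, data) tuples for the REG_SZ lines of a .reg file."""
    pair = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
    unescape = lambda s: s.replace('\\"', '"').replace("\\\\", "\\")
    out, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = pair.match(line)
            if m:
                out.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return out


def suspicious_run_values(values):
    """Entries under one of the Run keys whose value name is 'Network Service'
    or whose command launches the svhost.exe impostor."""
    return [(k, n, d) for k, n, d in values
            if k.lower() in RUN_KEYS
            and (n.lower() == "network service" or IMPOSTOR.search(d))]


def suspicious_services(service_keys):
    """Subkey names under the Services key of a control set that belong to the rootkit."""
    return sorted(s for s in service_keys if s.lower() in SERVICE_NAMES)


def _enum(key, fn):
    """Iterate a winreg Enum* function until it runs out of entries."""
    i = 0
    while True:
        try:
            yield fn(key, i)
        except OSError:
            return
        i += 1


def collect_live():
    """Windows only: read the Run keys and service key names from the live
    registry. Returns (run_values, service_names); empty lists elsewhere."""
    if sys.platform != "win32":
        return [], []
    import winreg
    hives = {"hkey_current_user": winreg.HKEY_CURRENT_USER,
             "hkey_local_machine": winreg.HKEY_LOCAL_MACHINE,
             "hkey_users": winreg.HKEY_USERS}
    values, services = [], []
    for full in RUN_KEYS:
        hive, sub = full.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                values += [(full, name, str(data)) for name, data, _ in _enum(k, winreg.EnumValue)]
        except OSError:
            continue
    for cs in ("CurrentControlSet", "ControlSet001", "ControlSet002"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, rf"SYSTEM\{cs}\Services") as k:
                services += list(_enum(k, winreg.EnumKey))
        except OSError:
            continue
    return values, services


if __name__ == "__main__":
    values = parse_reg_export(SAMPLE_REG)
    live_values, live_services = collect_live()
    for hit in suspicious_run_values(values + live_values):
        print("Run value:", hit)
    for svc in suspicious_services(live_services):
        print("Service key:", svc)
```

On an infected live system the rootkit hides exactly these keys from the registry API, so an empty result from `collect_live()` proves nothing; the check over an exported or offline hive is the one to trust, which is why the thread ends up in the Recovery Console and safe mode. Post #10's spelling HACKDEFENDERDRV100 differs from the DriverName in winunins.ini (HackerDefenderDrv100); if you meet that variant, add it to `SERVICE_NAMES`.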
#11
Domingo

Hi,

I managed to get rid of the hxdefdrv.sys file problem, this was due to a Trojan. This one was clever because it was hiding some registries, files and processes. To check if you have a Rootkit, please download the RootKit detector from www.3wdesign.es and run the rkdetector.exe file. If you are lucky, it might give you the specific directory where the files are hidden.

I managed to install a free Anti Virus software called AVG antivirus, check the following site: http://www.grisoft.com/ After running it, it detected the Rootkit problem and cured my PC.

If you cannot run the command Regedit or download/run the AVG antivirus software or specific files such as CWshredder/Adaware/HijackThis/Spybot, run the online AntiVirus software from http://www.pestscan.com/Scan.asp - It should tell you what other Trojan(s) your PC is infected with. You might have to start your PC in safe mode and delete some registries calling the Trojan(s) files, or perhaps start your PC in DOS and delete the specific files.

If this does not work, I was given this method which I haven't tried. Start your PC in recovery mode, then run the command listsvc, it will list all the services. Look for a name such as HackerDefender or a similar name. Then run the command disable servicename. Then you can reboot your PC without this service and you should be able to delete the hxdefdrv.sys file.

PS: my OS is Windows 2000.

Good luck
Domingo
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > hxdefdrv.sys a lot of problems..