HELP!!! Virus, possibly Spybot?

Hi there,

Please help me. I came off the internet last night and went to run Spybot, only to find the entire folder had been deleted. I then went to run Norton One Button Check but it was terminated straight away, and the shortcut to its Anti Virus utility was a dead link. It also corrupted Objectdock and whenever I tried to get on to a useful website like Spybot's homepage, internet explorer closed. I downloaded Spybot via P2P but the virus removed it immediately. A copy of it that I had on CD resulted in a 'file not found' message.

This morning I opened (rather than saved) Trend Micro Sysclean which resulted in 5 infections being cleared but this had no effect on my situation.

I then tried McAfee online free scan which found the following:

242503_.exe212 (Downloader-DA)
nuqlbu.546 (StartPage-AX)
oyouhk.a95 (StartPage-AX)
rmnigh.713 (StartPage-AX)
skyxyo.7bo (StartPage-AX)
srmkix.131 (StartPage-AX)
tnhbga.050 (StartPage-AX)
uucynu.w80 (StartPage-AX)
yopqck.884 (StartPage-AX)

I manually removed the StartPage files and that stopped a problem where my homepage was changed and favourites added without my consent, but I could not find the Downloader-DA to remove that.

I then installed McAfee Anti Virus and this found nothing. Every time I attempt to download Spybot or Hijack This, I receive a message at 99% saying it cannot read from souce disk. To add to this, Regedit will not start either.

Please help, I need my computer and need to solve this ASAP.

 

quick enough for you?

Detailed removal instructions there - that is what you are infected with, or possibly another variant of that strain. Following the instructions there should alleviate the symptoms you are seeing.

 

I really appreciate your help - I'll do as it says and let you know if it worked. Thanks again.

 

I've just done a scan with McAfree anti virus in safe mode (Norton still not working) and it came up with 2 unwanted programs called porn.gen and a trojan called He4Hook.sys (file name hxdefdrv.sys). I deleted them all and did it again to check they've gone. No sign of Trojan Simcss. What should my next step be? I don't want to alter the registry files as directed for the Simcss Trojan if it is the wrong one.

 

Hi Shauno,

IMOG will probably take issue with this , but you should start here:READ ME FIRST: Basic Spyware, Trojan And Virus Removal .

Follow the instructions carefully.
Note the steps that you are able to complete and also note the ones that give you problems. That way, the experts will be able to fix you up in a more timely manner! Also, give computer specs - OS etc. . . along with further symptoms.

Good luck

PP

 

Ahhh, we got a sharp cookie here - I like that. Ahf, I've got no issues, that guide is a good one, it just has a shortcoming here and there. Good eye though.

Anyways, back to the facts and the problems we know that need solved (lets fix what we have before we try to find more).

1) What is the date on the mcafee definitions used?

2) You have/had multiple infections. Downloader-DA will attempt to kill valid processes in order to maintain self preservation. This is the second infection you have now: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html

You should manually double check to make sure the remnants of those infection are gone. Follow the removal instructions for each to see if you can find anything they describe as part of these infections.

For good measure, check your host file to see if there are any entries there. Navigate to C:\WINDOWS\system32\drivers\etc and open hosts with notepad.

 

Apologies for my n00bulosity, as I unknowingly exceeded the five minute edit time frame, and here is the amended, more accurate version of part of my previous post:

2) You have/had multiple infections. Downloader-DA will attempt to kill valid processes in order to maintain self preservation. Following is the second infection you have/had: http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html

You should manually double check to make sure the remnants of those infections are gone. Follow the removal instructions for each to see if you can find anything they describe as part of these infections.

3) Check to see if you are experiencing any symptoms like you were previously. The second infection has been reported by others and similar symptoms were experienced with downloading certain files.

4) For good measure, check your host file to see if there are any entries there. Navigate to C:\WINDOWS\system32\drivers\etc and open hosts with notepad.

5) Seeing as you have these infections, you likely also have some spyware which may not be causing such major problems, but would still be good to remove. Update and run spybot and adaware - safe mode will ensure you get everything on the first try.

 

You can't be serious... If he isn't running 2000 or XP then he has larger problems than the infections. I bet he can figure out that the windows directory and winnt are interchangeable also.

Sometimes things are unneccesarily over-complicated when all that is needed are simple solutions and explanations.

BTW, you don't need to bother running stinger if you have virus scan which is operational.

 

Care to square off sweetheart? (kidding, lighten up)

You have a false understanding about stinger. Stinger is simply a compact collection of detections/removals for the most prominent virii in the wild, intended as a troubleshooting tool for when full blown virus scan is broken or otherwise not operational. There is nothing that stinger recognizes which mcafee will not. Or are you trying to tell me that mcafee has detections/removal routines for virii which it includes in its stinger package, but withholds from its "full blown" application?

There is also nothing stinger detects which norton does not... There is an exception to this rule however. It would be possible for stinger to have a detection which norton does not in the singular circumstance of a new huge virus outbreak, which mcafee recognizes before norton does. This would only be in a temporary timeframe - If Mcafee had detections out for prominent virii for any considerable time before Norton recognized it, they would be promptly smeared all over the intarweb.

Finally, talk about sticking your foot in your mouth! Who is assuming anything? I seriously thought you were kidding about the OS version. Instead of you ASSUMING I didn't do my homework or that I don't know what I'm talking about, you should check the system requirements of the applications he is running. Sometimes doing some quick homework can save everyone time and embarassment.

I am open to wagers if you'd like to place a bet on whether or not he is running w2k/xp?

I may come across as too relaxed, but keep in mind this is a hobby. Being relaxed doesn't mean I'm not thorough.

 

Sorry for not mentioning it but yes, I'm using XP Pro. This He4Hook.sys keeps coming back after its been deleted by McAfee (located in C:\Windows) and when ever I do a clean sweep of my temporary files I notice 434kb automatically return immediately. I ran Panda online scan last night and it found 1 infection which it said it dealt with (although I didn't see its name). I still can't install or download Spybot or Hijack This. Would it be any help if I ran 'services.msc' and gave you a list of what I see? or maybe a list from task manager? Anyway, I'll continue to try things you've mentioned so far. Continued thanks to both of you.

 

Also, I have managed to install a trial version of DiamondCS Process Guard and on restart it is telling me that svchost.exe (C:\Windows\System32\svchost -k imgsvc) is trying to be run for the first time. Should I block it?

 

This is the list of sites in the host file: (I haven't been on those porn sites!)

213.159.118.228 collections.inhost.info
213.159.118.228 collections.inhost2.info
213.159.118.228 1-se.com
213.159.118.228 58q.com
213.159.118.228 aifind.cc
213.159.118.228 aifind.info
213.159.118.228 allneedsearch.com
213.159.118.228 approvedlinks.com
213.159.118.228 auto.ie.searchforge.com
213.159.118.228 awebfind.biz
213.159.118.228 best.royalsearch.net
213.159.118.228 cracks.am
213.159.118.228 default-homepage-network.com
213.159.118.228 find.microgirls.com
213.159.118.228 find4u.net
213.159.118.228 freshvideogals.com
213.159.118.228 i-lookup.com
213.159.118.228 ie-search.com
213.159.118.228 in.webcounter.cc
213.159.118.228 itseasy.us
213.159.118.228 just.find-itnow.com
213.159.118.228 link.startmake.com
213.159.118.228 mysearchnow.com
213.159.118.228 nativehardcore.com
213.159.118.228 qwertysearch123.biz
213.159.118.228 search.ieplugin.com
213.159.118.228 search.psn.cn
213.159.118.228 searchbar.findthewebsiteyouneed.com
213.159.118.228 searchcentrix.com
213.159.118.228 searchmyrequest.com
213.159.118.228 super-spider.com
127.0.0.1 hard-virgins.com
127.0.0.1 www.hard-virgins.com
127.0.0.1 petite-virgins.biz
127.0.0.1 wwww.petite-virgins.biz
127.0.0.1 only-virgins.com
127.0.0.1 www.only-virgins.com
213.159.118.228 t.rack.cc
213.159.118.228 teen-biz.com
213.159.118.228 teenhqpics.com
213.159.118.228 tits.hardcore4ever.net
213.159.118.228 webcoolsearch.com
213.159.118.228 wmmse.com
213.159.118.228 www.008i.com
213.159.118.228 www.2fastsearch.net
213.159.118.228 www.8095.com
213.159.118.228 www.alfa-search.com
213.159.118.228 www.boredlife.com
213.159.118.228 www.couldnotfind.com
213.159.118.228 www.cracks.am
213.159.118.228 www.daum.net
213.159.118.228 www.dreamwiz.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find4u.net
213.159.118.228 www.firstbookmark.com
213.159.118.228 www.gajai.com
213.159.118.228 www.hand-book.com
213.159.118.228 www.hao123.com
213.159.118.228 www.hotsearchbox.com
213.159.118.228 www.hotwebsearch.com
213.159.118.228 www.hugesearch.net
213.159.118.228 www.iquicksearch.com
213.159.118.228 www.lookfor.cc
213.159.118.228 www.maxxxhosters.com
213.159.118.228 www.naver.com
213.159.118.228 www.nkvd.us
213.159.118.228 www.nova****.com
213.159.118.228 www.ohcorea.com
213.159.118.228 www.omega-search.com
213.159.118.228 www.onet.pl
213.159.118.228 www.power-search.info
213.159.118.228 www.rightfinder.net
213.159.118.228 www.search-1.net
213.159.118.228 www.search-and-go.com
213.159.118.228 www.search-dot.com
213.159.118.228 www.search-space.com
213.159.118.228 www.searchforge.com
213.159.118.228 www.searching-the-net.com
213.159.118.228 www.searchv.com
213.159.118.228 www.searchxl.com
213.159.118.228 www.seznam.cz
213.159.118.228 www.slotch.com
213.159.118.228 www.spidersearch.com
213.159.118.228 www.startium.com
213.159.118.228 www.therealsearch.com
213.159.118.228 www.ttjj.com
213.159.118.228 www.viewpornkey.com
213.159.118.228 www.wazzupnet.com
213.159.118.228 www.websearch.com
213.159.118.228 www.windowws.cc
213.159.118.228 www.xgmm.com
213.159.118.228 xwebsearch.biz
213.159.118.228 yourbookmarks.ws

 

Before I do that, I've just completed a scan with Norton in safe mode and have opened Regedit to try and find the path:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HackerDefenderxxx

which is what I am told to do on this page:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html

But the only file in the Services folder is '(Default)' type REG_SZ. No sign of the HackerDefenderxxx entry. What do I do now? Shall I delete the entries from my host file and then reboot in normal mode? There's obviously something on the registry but I don't want to change it if I'm not certain its the virus - especially as every attempt to back up my registry fails.

 

I have McAfee Anti Virus 8 and Norton 2002. Until recently, Norton had been updated regularly but during this problem I have had to reinstall so I don't know if the updates are still there. I am unable to get updates as LiveReg is terminated by the virus and McAfee goes to a page that says an error has occured (possibly the virus too?) So the latest Virus definitions I have must be the default that comes with McAfee 8.0. Although both have found and deleted the virus but it comes back on every reboot. Also, symptoms don't change after virus deletion / before reboot. Is there a way of connecting to the initernet in safe mode as I can't at the moment.

 

Which do you suggest I keep on? McAfee is the most recent and works in normal mode so I guess that would be best.

 

Sorry, i'm commuting between two computers and not refreshing before i post.

McAfee Engine no. 4.2.60 (although I found this out from the readme, as the system try icon vanished as soon as my mouse got to it)

I'll try the online Trend Micro now...

 

Right, online Trend Micro found nothing, but this might be because McAfee found and deleted the hxdefdrv.sys during the TM scan. It doesn't seem to matter how many times it gets found and deleted as it always comes back. I'll re-read through the notes about the network service.

 

Once you start insulting people, especially those who work so hard here to help others, your post will be deleted. Like this.

 

This particular link refers exactly to my problem

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACDEF.D&VSect=T

but neither of the entries i'm told to delete (below) appear to be there.

(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Network Service = "<this malware’s path and file name> -sr –0"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Network Service = "<this malware’s path and file name> -sr –0")

The link goes on to list 6 modified entries - what do I do with these? delete (http://aiua<BLOCKED>outhost.info/?

I've never used Regedit before and as I say, any attempt to backup the registry failed, but I'm willing to go ahead with what you guys tell me to do because there's obviously something there thats reproducing this hxdefdrv.sys file.

Also, I did a search for 'svhost' and found this: SVHOST.EXE-2153A0E5

(C:\Windows\Prefetch\SVHOST.EXE-2153A0E5)

This looks suspicious to me but I don't know anything! Is this related to the virus and should I delete it? I suppose it'll probably come straight back after the next reboot though

 

Attached is a host file which you can simply extract and copy to your %system%/system32/drivers/etc directory to correct the entries which the virus created.

I have a larger hosts file which blocks many advertisers, but I could not compress it enough to post it here as an attachment.

You can attempt to delete the svhost.exe file you found, but if it is engaged by a process you will not be able to delete it. The URL entries you find in the registry are always safe to remove, so you can also get rid of of that http:// you last asked about.

Anything the documentation I linked you to in #7 or chaslang linked you to in #17 is ok to remove. Just be careful in regedit, and only make changes which you mean to - no accidental clicks or deletes, and you will have no problems.

 

Thanks, I'll try that. Chaslang did say that they'll probably come back unless the virus is completely removed, but its worth a try.

I also checked those 6 registry files from the previous link but none of them were there.

Any opinion on the SVHOST.EXE... file I found. Is this virus related or just a system file with a similar name?

 

Nevermind the svhost file... It's fine... Its in the prefetch, and thats why it has the apparently random string appended to the end of its extension name. Deleting it wouldn't hurt as its just in the prefetch, but its not part of any infections.

I will offer what I can later, I've got to run out. Can you confirm that you have no traces of anything the documentation says that these infections will leave behind?

 

As an admin, I respect your decision to delete my post. Such is a judgement call one has to make in your position.

I would just like to note that I made no criticism of chaslang - I criticized the methods he was using and that fits under the forum rules from my understanding. I think those methods were giving this guy the run around. I had said nothing about any specific members character or otherwise, just illustrated how the way he's going about things could be improved.

If one can't criticize substandard methods, it is difficult to improve. I'm dissapointed this place seems so determined to treat me like I'm a n00b and trying to be mean to anyone.

I insulted no one. If someone is insulted due to the fact that I recognized their methods as substandard, that is not a fault of my own. I said nothing about Chaslang.

Progressively, I will keep this advice of yours MA, in mind for future interactions and be more careful about what I say now that I see how things are run around here. I'm not being facetious, I mean this sincerely. Different forums, different ways of doing things, and I can respect that.

cheers

 

I'm afraid the hosts file you gave me is replaced with the 'infected' one within 30 seconds. I'm really stuck. McAfee has deleted hxdefdrv.sys again but still no change in symptoms. The suggested registry files are not there to be deleted and I haven't got a clue what to do next.

 

Unfortunately it won't let me download it.

 

Give me a minute, I'll try and put it on disk from another computer, then see if I can do it in safe mode

 

Yep, I disabled system restore a while ago. I don't seem to be having any problems in safe mode. I'll provide you with the task manager list in a sec.

 

tskmgr.exe
procguard.exe
ATnotes.exe
PCLEScheduler.exe
cexi.exe
doai.exe
ctfmon.exe
McVSEscn.exe
McSheild.exe
mcvsshld.exe
explorer.exe
mcregwiz.exe
wuauclt.exe
realsched.exe
wbload.exe
iPodService.exe
sdmcp.exe
MsPMSPSv.exe
svchost.exe
dragdiag.exe
jusched.exe
iTunesHelper.exe
mcvsrte.exe
fppdis2a.exe
DCSUserProt.exe
ati2evxx.exe
qttask.exe
spoolsv.exe
svchost.exe
LwbWheel.exe
svchost.exe
svchost.exe
svchost.exe
Isass.exe
services.exe
winlogon.exe
csrss.exe
InCD.exe
smss.exe
rundll32.exe
System
system Idle Process

 

I don't think I have any problems in safe mode with networking either. The list in my previous post is from task manager straight after boot up in normal mode.

 

I killed them, then got McAfee to delete the hxdefdrv.sys (which I prompt by entering the windows folder), went into C:\Windows\Prefatch and found that SVHOST file was back so I deleted that again, then I went into ...drivers\etc\host and replaced it with the clean host file. Then I tried to run Norton but still it is terminated and again the host file was replaced by the bad one

...so no luck.

 

I've not heard of XoftSpy before. I thought mcregwiz.exe was something related to McAfree, possibly McAfree Registration Wizard (which I have to go through when trying to upgrade definition but the html crashes) I'll terminate and see what happens.

 

no change