HELP!!! Virus, possibly Spybot?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by shauno2, Sep 8, 2004.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're right, it probably is. I had found a reference to it that indicated it was from XoftSpy, but the mc does appear to indicate McAfee.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have to run now. I'll be back later!
     
  3. shauno2

    shauno2 Private E-2

    Thanks chaslang, I'll try that. Is there a way I can update my McAfee definitions without going to their website, as it crashes during the registration? Is there a link on this site similar to what IMOG said about Norton updates?

    As I've said, McAfee does find the hxdefdrv.sys but we want it to find the 'Mother File' so to speak?
     
  4. shauno2

    shauno2 Private E-2

    I tried the link to Hijack This but explorer gets closed straight away. It does that on every helpful page I try to go to - that's why I've been using another computer to post here.
     
  5. shauno2

    shauno2 Private E-2

    ! ! ! ! GUYS, I THINK I'VE DONE IT ! ! ! !

    Right, I'll talk you through what I've done...

    As I've mentioned before, I have been running a program called DiamondCS Process Guard (free version) which protects programs from rootkit virii, which is what my virus is. This trial version allows you to protect one program.

    It finally clicked in my head that the reason I couldn't find the infected registry files in safe mode was because the virus wasn't active in safe mode, so the only way I could get to them in order to delete them was by accessing Regedit in normal mode, which until now has been disabled by the virus.

    So I set DCSPG to protect Regedit and whilst doing this, noticed that there was a list of programs that had been run. Looking down this list I saw the elusive SVHOST.EXE and therefore changed its setting from 'allow' to 'block always'.

    Then when I ran Regedit, it worked and was not terminated by the virus. I then located the 2 files I needed to remove and exited. At that point I also deleted the svhost.exe file in C:\Windows\Prefetch\ and replaced the hosts file in ...System32\Drivers\etc\. (although this has been replaced again.)

    Hopefully after a reboot, all the symptoms will have been cleared. Please don't let this be false optimism!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sounds good Shauno! That's what I was saying back a number of messages when I said I need to see the processes in normal mode. And I could not understand why we did not see svhost.exe. Yet it was in the Prefetch folder which meant it was there at one time. Some other process could be spawning it too. I'm still concerned about those other two files:
    cexi.exe
    doai.exe

    That we saw before. I would still like to see a HijackThis log (attachment) if you can do that now.
     
  7. shauno2

    shauno2 Private E-2

    I've been trying to reinstall an uncorrupted version of Norton but for some reason it won't install Norton AntiVirus, or at least Norton Systemworks doesn't recognise it's installed. I was wary of going on the internet without this.

    I noticed that the cexi file was in one of the same registry lists that I deleted the two main entries from, so I moved the file from the target folder (system32) rather than delete the registry because that way I could put it back if it was important. I have since deleted the file.

    In reference to the doai file, I tracked it down, terminated the process and deleted it as well.

    Nonetheless, I am still finding hxdefdrv.sys in the windows folder after every reboot even after removing cexi & doai.

    I will now download Spybot and Hijack This and post back the results when done. Any ideas/comments in the meantime would be appreciated.
     
  8. shauno2

    shauno2 Private E-2

    Damn, it still won't let me download Hijack This or Spybot. They download but I get the message 'cannot read from source disk' at 99%. I've tried loads of different places but none will work.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you able to download anything at all (try something not related to virus/spyware cleaners)? Try this link as a test: http://www.majorgeeks.com/download1385.html
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way earlier, you said you did not have the problem in safe mode. Can you boot in safe mode with networking and download the files? I would think not.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  12. shauno2

    shauno2 Private E-2

    I could download the file from the link in post #59 so it's only spy-related stuff that is the problem.

    I'm going to try to download in Safe mode with networking but don't think I'll have a connection.

    I have followed all the points on the last link you posted, but I will try again.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but previously you had Process Guard running and you did not find the registry entries.
    So with it shut down maybe ALL steps can be performed as indicated.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you know how to use Windows Explorer to make a file read only?

    If so, perhaps you can try deleting all the lines in your host file again and only have the single default line I gave you earlier:

    127.0.0.1 localhost

    This is the same as what I.M.O.G gave in the ZIP file earlier. But this time, immediately after saving the file, as quickly as possible change its attributes to read only. Maybe this will stop the virus from changing it.


     
  15. shauno2

    shauno2 Private E-2

    I'm currently running the online TM scan again but there has been no change.

    I disabled the Process Guard and went through the points again but it hasn't made any difference.

    I don't need to worry about the hosts file as it has been fine since I deleted the 2 registry files. I do still keep getting hxdefdrv.sys appear and I can't understand why if I have removed the registry files that are supposed to put it there. There's no sign of svhost.exe being run, even after disabling Process Guard.

    What I am really concerned about is when I try to cleansweep my temporary files, 430kb come back immediately. It says this is made up of 3 files in internet history. No matter how many times I hit 'clean' it keeps coming back. Seems very suspicious to me, especially as I read somewhere that this is where virii like to hide. Could this be what is reproducing hxdefdrv.sys?

    Anyway, it's 2:30am here in England so I'm calling it a night. Thanks for your help and no doubt we'll continue this tomorrow!
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would guess the 430kb that comes back is due to an index.dat file that is typically stored in that folder (others too). I don't think it is the problem. Try doing a registry search for hxdefdrv.sys. If you find it, write down the full registry key info and then hit F3 to continue the search to look for more occurrences. Keep doing that until you reach the end of the registry.
     
  17. I.M.O.G.

    I.M.O.G. Private E-2

    Wow, a lot to catch up on here... Another way to accomplish this would be to create a hosts file in another directory then set its attributes to "read only", and copy and paste it into its proper directory. ;)

    If I've got the time, I will try to catch up on this thread later.

    If either of you are interested, you may also want to take a look here, as there may be something that gives you another useful idea:

    http://www.ocforums.com/showthread.php?t=307720
     
  18. shauno2

    shauno2 Private E-2

    This morning I searched the registry for hxdefdrv.sys as suggested but no results. I then searched for svhost and found there was another entry the same as the 2 before, this time in HKEY_USERS/software/microsoft/windows/current version/run/ so I deleted this one but still after a reboot the hxdefdrv.sys was in my windows folder.

    I decided to open up hxdefdrv.sys with notepad to see if I could make sense of any of it. Amongst the gobbledygook was reference to...

    C:\drv\objfre\i386\driver.pdb
    IoCreateDevice ntoskrnl.exe (isn't that something to do with boot up?)
    objfre\i386\driver.sys

    and a lot of things that sound like commands, for example...

    ReferenceObjectByHandle
    KeattachProcess
    LookupProcessByProcessID
    ...plus many more

    Mean anything to you guys? I'm going to have a go at deleting the index.dat files mentioned in IMOG's link.

    BTW IMOG, since I removed the first two registry entries, I'm no longer having problems with the hosts file.
     
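    The names shauno2 pulled out of the file are worth more than they look: IoCreateDevice, ObReferenceObjectByHandle, KeAttachProcess and PsLookupProcessByProcessId are exports of the Windows kernel (ntoskrnl.exe), and a file that imports them can only be a kernel-mode driver, while the objfre\i386 path is the DDK's free (release) build output directory for x86. The script below is an added example from this page's editor, not something posted in the thread or part of any tool mentioned here; it does what the Notepad inspection did by hand (pull printable strings out of a binary and look for those kernel exports), run over a constructed fake blob that merely mimics the strings quoted above. The full export names are assumed; the post's "ReferenceObjectByHandle" and "LookupProcessByProcessID" are presumably the same names with the Ob/Ps prefix dropped when copying them out.

```python
# Constructed sample blob. It is NOT the real hxdefdrv.sys from the thread,
# only a fake that embeds the kind of text the poster saw in Notepad,
# surrounded by binary junk.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"c:\\drv\\objfre\\i386\\driver.pdb\x00\x01\x02"
    b"ntoskrnl.exe\x00IoCreateDevice\x00\x7f\x80"
    b"ObReferenceObjectByHandle\x00KeAttachProcess\x00"
    b"PsLookupProcessByProcessId\x00\x00ab\x00"
    b"objfre\\i386\\driver.sys\x00"
)

# Printable ASCII (space through '~'), the same range the Unix `strings` tool uses.
PRINTABLE = frozenset(range(0x20, 0x7F))

# Kernel exports that only make sense inside a kernel-mode driver, with what each lets a driver do.
# Matching is case-insensitive (the thread wrote "KeattachProcess"); canonical names are reported.
KERNEL_API = {
    "iocreatedevice": ("IoCreateDevice", "creates a kernel device object that user-mode code can talk to"),
    "obreferenceobjectbyhandle": ("ObReferenceObjectByHandle", "turns a handle into a kernel object pointer"),
    "keattachprocess": ("KeAttachProcess", "switches into another process's address space"),
    "pslookupprocessbyprocessid": ("PsLookupProcessByProcessId", "finds a process object from a PID"),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return every run of at least min_len printable ASCII bytes, in file order."""
    found, run = [], bytearray()
    for byte in data:
        if byte in PRINTABLE:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # a string that runs to the end of the file
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes) -> dict:
    """Collect the indicators a responder notes before deciding what an unknown file is."""
    strings = extract_strings(data)
    lowered = [s.lower() for s in strings]
    imports = [KERNEL_API[s][0] for s in lowered if s in KERNEL_API]
    why = [f"{KERNEL_API[s][0]}: {KERNEL_API[s][1]}" for s in lowered if s in KERNEL_API]
    # .pdb paths are build-machine paths the compiler leaves behind; they name the project.
    pdb_paths = [s for s in strings if s.lower().endswith(".pdb")]
    links_kernel = "ntoskrnl.exe" in lowered
    return {
        "strings": strings,
        "kernel_imports": imports,
        "why": why,
        "pdb_paths": pdb_paths,
        "looks_like_driver": links_kernel or bool(imports),
    }


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <file>   (falls back to the constructed blob)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    report = triage(data)
    print("driver-like:", report["looks_like_driver"])
    for line in report["why"]:
        print("  ", line)
    for path in report["pdb_paths"]:
        print("   build path:", path)
```

    Run against a copy of the suspect file taken from safe mode (where, per this thread, the rootkit is not active), the report says whether you are looking at a kernel driver and what it is able to do, which is the difference between "a stray .sys file" and "something that can hide processes and registry keys from everything running on the box".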
  19. shauno2

    shauno2 Private E-2

    I've just searched the registry for 'hack' and there's loads of folders and files referring to...

    HACKERDEFENDER100
    HACKERDEFENDERDRV100
    ImageTasks that mention hxdefdrv.sys and winunins.exe (mentioned in this link http://forums.devshed.com/archive/t-148783 ).

    I didn't want to delete all the folders because I didn't really know what I was doing but I deleted everything that mentioned hxdefdrv.sys and winunins.exe. I don't know why they didn't come up when I searched hxdefdrv.sys before, probably because they're not part of the entry name.

    Anyway, I've just rebooted and Objectdock has loaded for the first time and there's no sign of hxdefdrv.sys!!!!!

    All I need to know now is should I delete all the folders named HACKERDEFENDER100 and HACKERDEFENDERDRV100 from the registry?

    I'm now going to see if I have completely got rid of the symptoms, for example, I'll try and download Hijack This and Spybot.
     
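    The "search, write down the full key, hit F3, repeat" loop chaslang describes, and the later surprise that searching for 'hack' found keys that searching for the file name did not, is exactly the kind of job a script does better than a human at 2:30am. The walker below is an added example written for this page, not a tool from the thread; it walks HKEY_LOCAL_MACHINE and HKEY_USERS (HKEY_CURRENT_USER is a link into HKEY_USERS, so both user and machine hives are covered) and reports every key name, value name or value data containing the string you give it. Beyond what regedit's Find does, it also decodes REG_BINARY data as ASCII and UTF-16LE, so a file name buried in a binary value is not missed, and it only reports, never deletes. One caveat the thread itself illustrates: this goes through the ordinary Win32 registry API, so it only sees what the system lets it see; run it from a state where the rootkit is not loaded (safe mode, per this thread) or the hidden keys stay hidden. The command-line usage and the `winreg` import are standard Python; the matching helper runs anywhere, the walk needs Windows.

```python
import sys


def value_matches(name, data, needle: str) -> bool:
    """Case-insensitive substring match over a registry value name and its data.

    Handles REG_SZ / REG_EXPAND_SZ (str), REG_MULTI_SZ (list of str) and
    REG_BINARY (bytes, decoded both as 8-bit text and as UTF-16LE, the two ways
    a file name ends up inside binary data). DWORD/QWORD values never match.
    """
    n = needle.lower()
    if n in (name or "").lower():
        return True
    if isinstance(data, str):
        return n in data.lower()
    if isinstance(data, (list, tuple)):
        return any(n in s.lower() for s in data if isinstance(s, str))
    if isinstance(data, (bytes, bytearray)):
        raw = bytes(data)
        return n in raw.decode("latin-1").lower() or n in raw.decode("utf-16-le", errors="ignore").lower()
    return False


def _walk(_winreg, key, path: str, needle: str, hits: list) -> None:
    """Depth-first walk of one open key; appends (key path, value name, data) for each hit."""
    leaf = path.rsplit("\\", 1)[-1]
    if leaf and needle.lower() in leaf.lower():
        hits.append((path, None, None))        # the key name itself matches
    i = 0
    while True:                                # values under this key
        try:
            name, data, _kind = _winreg.EnumValue(key, i)
        except OSError:
            break                              # past the last value
        i += 1
        if value_matches(name, data, needle):
            hits.append((path, name, data))
    i = 0
    while True:                                # subkeys
        try:
            sub = _winreg.EnumKey(key, i)
        except OSError:
            break
        i += 1
        try:
            child = _winreg.OpenKey(key, sub)
        except OSError:                        # access denied: skip, as regedit does
            continue
        with child:
            _walk(_winreg, child, path + "\\" + sub, needle, hits)


def search_registry(needle: str) -> list:
    """Search HKLM and HKU (which contains every loaded user hive) for needle."""
    import winreg                              # standard library, Windows only
    hits = []
    for label, hive in (("HKEY_LOCAL_MACHINE", winreg.HKEY_LOCAL_MACHINE),
                        ("HKEY_USERS", winreg.HKEY_USERS)):
        _walk(winreg, hive, label, needle, hits)
    return hits


if __name__ == "__main__":
    # Usage: python regsearch.py hxdefdrv.sys
    needle = sys.argv[1] if len(sys.argv) > 1 else "hxdefdrv.sys"
    if sys.platform != "win32":
        print("the registry walk needs Windows; value_matches() works anywhere")
    else:
        for path, name, data in search_registry(needle):
            where = path if name is None else f"{path} :: {name}"
            print(where, "" if data is None else "= " + repr(data)[:80])
```

    The output is the list you would otherwise be writing down by hand after each F3, with the full key path on every line, so it can be kept as a record of what was there before anything is removed.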
  20. shauno2

    shauno2 Private E-2

    All is well!!! I can download anything I choose.

    If you guys can let me know what I should do about the remaining HACKERDEFENDER100 related registry folders and files. I want to make sure I'm rid of this for good.

    Thanks for all your help by the way!!!!

    I'm a happy bunny, just in time for the weekend!!!
     
  21. shauno2

    shauno2 Private E-2

    Now that I've got Hijack This, can you please check through it for anything I shouldn't have. I see that doai.exe is there...


    Edit by chaslang: Inline log changed to attachment.
     

    Attached Files:

    Last edited by a moderator: Sep 11, 2004
  22. I.M.O.G.

    I.M.O.G. Private E-2

    Shauno, it is too late now, but in the future do not post your hijack logs like this... Post them as a text attachment. Major Attitude will fix that post for you, but it would be nice to reduce his workload for simple things like this. It might be useful for you to read the sticky guides here which explain these sorts of things (stickies are at the top of the list of threads in this forum).

    MG seems to be attempting to not contribute to the problem of destroying search engine spyware inquiries (googling and finding nothing but pages and pages of hijackthis logs can be annoying).
     
  23. I.M.O.G.

    I.M.O.G. Private E-2

    You will want to attempt removal of some of those items in the hijackthis log... Anything that looks sketchy which you didn't install or configure.

    At a glance... The 016 line with the eroticaccess link needs to go. The line right above that with x.exe in it needs to go also. I think Chaslang told you to get rid of doai.exe earlier too, so that line can go also (that line represents a command in your registry which attempts to execute that file at startup).

    There's more likely, but that's just from a glance - I'm sure if you look you can recognize some things that don't belong. Slap anything that looks as shifty as a politician in a sorority house. ;)
     
  24. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    I am coming in late, Chaslang has been busy, but I'll try, so don't mind if I repeat; I am going from your logfile. Your Hijack This is old. Get a new copy. Your Windows Updates look way out of date. Do that. Try safe mode with networking, then setup automatic updates. Rescan, do at least 2 of the online virus scans, THEN clean up with Hijack This.

    Remove:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportnetwork.net/boards/list/s150.htm?f=149
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zpecialoffer.com/results.asp?keyword=%s
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
    O2 - BHO: Saristar - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50} - C:\WINDOWS\System32\saristar.dll

    Not required, but won't hurt:
    O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSe

    If this is unfamiliar, delete:
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk

    Continue removing:
    O16 - DPF: {10000000-0000-0000-0000-000000000000} - http://213.159.118.226/x.exe

    Don't recognize, delete:
    O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) - file://D:\system\intra
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In addition to what MA and I.M.O.G have already stated:

    Fix these with HijackThis:
    O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKCU\..\Run: [Lstt] C:\Documents and Settings\James O'Shaughnessy\Application Data\doai.exe

    Boot into safe mode and delete:
    C:\WINDOWS\System32\saristar.dll
     
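    Major Attitude, I.M.O.G. and chaslang are applying a small set of rules to the log above: a URL setting blanked to a bare "http://" is hijack residue; an O2/O3 entry ending in "(no file)" is an orphaned COM registration; an O4 Run entry that launches from Application Data is not how legitimate software installs itself; an O16 control downloaded from a bare IP address is bad news. The script below is an added example from this page's editor, not part of HijackThis or anything posted in the thread; it parses HijackThis lines of that vintage and applies those rules, so a first pass over a log can be done consistently before the human judgement calls. The sample input is a subset of the lines quoted above (the Windows profile name in the O4 line is replaced with "user"); the set of "expected" hosts you pass in (here the ISP's home page from the log) is the one assumption you supply.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sportnetwork.net/boards/list/s150.htm?f=149
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.zpecialoffer.com/indexie.html
O2 - BHO: (no name) - {1BDD55B8-3985-4E59-B906-5E0AD56D6710} - (no file)
O2 - BHO: Saristar - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE50} - C:\WINDOWS\System32\saristar.dll
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKCU\..\Run: [Lstt] C:\Documents and Settings\user\Application Data\doai.exe
O16 - DPF: {10000000-0000-0000-0000-000000000000} - http://213.159.118.226/x.exe
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) -
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
# Folders an ordinary user can write to; a Run entry launching from here deserves suspicion.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\prefetch\\")


def _host(url: str) -> str:
    try:
        return urlparse(url).hostname or ""
    except ValueError:
        return ""


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line: str, expected_hosts=frozenset()):
    """Return (section, verdict, reason) for one HijackThis line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    verdict, reason = "ok", "nothing unusual by these rules"
    if sec in ("R0", "R1"):                      # IE start / search page settings
        value = body.partition(" = ")[2].strip()
        host = _host(value)
        if value.startswith("http://") and not host:
            verdict, reason = "remove", "setting blanked to a bare http:// (hijack residue)"
        elif host and host not in expected_hosts:
            verdict, reason = "review", f"points at unexpected host {host}"
    elif sec in ("O2", "O3"):                    # browser helper objects and toolbars
        if body.endswith("(no file)"):
            verdict, reason = "remove", "registered COM object whose DLL is gone (orphan)"
        else:
            verdict, reason = "review", "loaded DLL; confirm the vendor before keeping it"
    elif sec == "O4":                            # autostart entries
        target = body.split("] ", 1)[-1].lower()
        if any(seg in target for seg in USER_WRITABLE):
            verdict, reason = "remove", "autostart launches from a user-writable data folder"
        else:
            verdict, reason = "review", "autostart entry; confirm it is expected"
    elif sec == "O16":                           # ActiveX downloaded program files
        url = body.rsplit(" - ", 1)[1].strip() if " - " in body else ""
        host = _host(url)
        if not url:
            verdict, reason = "review", "no source URL recorded; verify you installed this control"
        elif _is_ip(host):
            verdict, reason = "remove", f"control fetched from a bare IP address ({host})"
        else:
            verdict, reason = "review", f"control fetched from {host}"
    return sec, verdict, reason


def audit(log_text: str, expected_hosts=frozenset()) -> list:
    """Classify every recognised line; returns (section, verdict, reason, raw line) tuples."""
    results = []
    for raw in log_text.splitlines():
        out = classify(raw, expected_hosts)
        if out:
            results.append(out + (raw.strip(),))
    return results


if __name__ == "__main__":
    for sec, verdict, reason, raw in audit(SAMPLE_LOG, {"www.wanadoo.co.uk"}):
        print(f"{verdict:6} {sec:3} {reason}\n       {raw}")
```

    "remove" lines match one of the hard rules from the thread; "review" lines are the ones a human still has to look at, which is where the "slap anything that looks shifty" judgement above comes in.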
