Unable to download HijackThis..EXE invisible

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by onesandzeros, Sep 23, 2004.

  1. onesandzeros

    onesandzeros Private E-2

    I have an NT 4.0 workstation laptop..I recently acquired some form of the HIJACK Trojan. I have used several utils to clean the computer (both virus and trojan) and so far I have found that both viruses and trojans were present on my comp. The utils cleaned some viruses and trojans, but I am still unable to download HIJACKTHIS or CWShredder to the machine. If I can manage to download it from a site I get an error that the file was not found. The other thing that happens is, when the webpage with the .ZIP or .EXE (say, HIJACKTHIS.ZIP or CWShredder.EXE) tries to load...it fails and all the browsers close themselves out. I downloaded TDS PRO today and it found two more trojans ROOTKIT.HACKER DEFENDER 0.8.4 (sys). There are two instances of the same trojan, but the associated file names are different...hxdefdrv.sys and hxdefdrv.sys.tcf...

    Apparently just cleaning them off of the machine isn't enough and I need to track down whatever is keeping me from downloading HIJACKTHIS and CWShredder...I will hold off on cleaning the trojans until I have heard something....I could use some major help here...

    Thanks
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Sorry, this forum has been very busy and your message slipped through the cracks. If you cannot download it, email me at tim@ this website and I will send you the file.
     
  3. onesandzeros

    onesandzeros Private E-2

    It turns out that NT 4.0 does not have a safe mode setting..I know that safe mode is typically F8 but it never worked so I researched it, thinking something else might be wrong. That's where I am now...I tried sharing a drive out on the network and trying to run the .EXE remotely, but HIJACKTHIS does not allow you to choose a drive....Let me know what you think...

    OAZ
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are correct, NT cannot be booted to safe mode. HijackThis cannot be run remotely. It only gives info about the computer it is executing on. If you already have a copy of it, put it on a floppy or copy it via your network to the other PC and run it. If it will not run, try renaming the file to hijackthis.com. Do the same steps for CWShredder and run it too.
     
  5. onesandzeros

    onesandzeros Private E-2

    Thanks for the advice. CWShredder did work..when the trojan tried to shut it down it opened itself up with a random string...it removed something that looked like a variation of Google and one other thing...it was moving too fast for me to record. I ran CWShredder multiple times and it kept going back to the same two things and taking them off. I then tried running HijackThis and still no go...The renaming to .com was successful at first but by the time my mouse pointer got to the okay button, the trojan shut down the HJT window. CWShredder did move A TON of jscript files to the recycle bin the first time it ran...subsequent runs revealed an empty Recycle Bin although the program said it was removing stuff. But I am still better off now than I was yesterday so at this rate I may have this thing licked soon. Any other help would be greatly appreciated...Let me tell you something I found and I will wait to hear an opinion on it. It came from a paper written by MSoft engineers...


    1) Take the dir /s /a command and output it to a file..this will pick up all infected files plus normal ones...

    2) Now reboot to a point where the Windows components are unable to load (I assume that's DOS but they were not very clear). At the DOS prompt issue the same command (dir /s /a)...Now you have a "clean" file list..no infectious files should be present and the fact that the trojan files are hidden is irrelevant..
    ** If you are reading this and want to try it and don't know how to output a file to DOS using this command, here it goes..this way you won't have to waste time looking it up: dir /s /a >> "C:\Dirty.txt" should do it... try it with and without the quotes.

    3) Use Windiff.exe to compare the "dirty" file and "clean" files against one another and the trojan files should be revealed. Windiff can be downloaded from MSoft's website...Happy Hunting!!!

    If this is good info, then at the very minimum someone else who is having this problem can benefit (God knows I wouldn't wish this on anyone else). But trying to boot to DOS on NT 4.0 without the CD is like trying to find the GUT. I read that there are only 3 files required for a DOS boot disk..boot.ini, ntdetect and one more..I forget the name. Anyway when I tried to build the disk....no dice. Got a non-system disk error.

    If there are any more suggestions, please keep them coming....thanks..
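The two-listing comparison described in the post above, as an added example that is not from the thread or from any Microsoft paper: a Python script that parses two `dir /s /a` listings and reports the entries that differ. Both listings here are constructed to mimic the NT 4.0 `dir` layout (volume header, "Directory of" blocks, date/time/size/name rows); the file names and sizes are invented except for the hxdefdrv names, which come from the thread. In a cross-view comparison like this, entries present in the offline ("clean") listing but missing from the listing taken on the running system are the ones a kernel-mode rootkit may be cloaking; entries present only in the live listing are usually transient files (swap, temp, logs) and are reported separately so they are not mistaken for infections. Both listings need the `/a` switch, otherwise files that merely carry the hidden attribute turn up as false positives.

```python
"""Cross-view diff of two `dir /s /a` listings to spot rootkit-cloaked files.

Added example; the listings below are constructed, not captured from a real machine.
"""
import re
from typing import Dict, Set

# One `dir` row: date, time, then either <DIR> or a size with thousands separators, then the name.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}[ap])\s+"
    r"(?P<kind><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)
# The header that starts each directory block in a recursive listing.
DIR_HEADER_RE = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")

# Constructed listing taken on the running (possibly rootkitted) system.
LIVE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\

09/23/04  09:12a        <DIR>          WINNT
09/23/04  09:12a        <DIR>          TEMP
08/01/96  03:00a                  256 boot.ini
               1 File(s)            256 bytes

 Directory of C:\TEMP

09/23/04  09:12a        <DIR>          .
09/23/04  09:12a        <DIR>          ..
09/23/04  10:02a                4,096 ~df3a1b.tmp
               1 File(s)          4,096 bytes

 Directory of C:\WINNT\system32\drivers

09/23/04  09:12a        <DIR>          .
09/23/04  09:12a        <DIR>          ..
08/01/96  03:00a               12,288 ndis.sys
               1 File(s)         12,288 bytes
"""

# Constructed listing of the same disk taken after booting outside Windows: the
# temp file from the live session is gone, and two driver-directory entries that
# the live listing never showed are now visible.
OFFLINE_LISTING = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1234-ABCD

 Directory of C:\

09/23/04  09:12a        <DIR>          WINNT
09/23/04  09:12a        <DIR>          TEMP
08/01/96  03:00a                  256 boot.ini
               1 File(s)            256 bytes

 Directory of C:\TEMP

09/23/04  09:12a        <DIR>          .
09/23/04  09:12a        <DIR>          ..
               0 File(s)              0 bytes

 Directory of C:\WINNT\system32\drivers

09/23/04  09:12a        <DIR>          .
09/23/04  09:12a        <DIR>          ..
08/01/96  03:00a               12,288 ndis.sys
09/20/04  11:47p               53,248 hxdefdrv.sys
09/20/04  11:47p                1,024 hxdefdrv.ini
               3 File(s)         66,560 bytes
"""


def parse_dir_listing(text: str) -> Set[str]:
    """Return the full paths in a `dir /s /a` listing, lower-cased because Windows
    paths are case-insensitive. File and directory rows are both kept; '.' and '..'
    are dropped; summary rows ("n File(s) ... bytes") never match ENTRY_RE."""
    paths: Set[str] = set()
    current_dir = ""
    for line in text.splitlines():
        header = DIR_HEADER_RE.match(line)
        if header:
            current_dir = header.group("path").rstrip("\\")
            continue
        entry = ENTRY_RE.match(line)
        if not entry or not current_dir:
            continue
        name = entry.group("name")
        if name in (".", ".."):
            continue
        paths.add(f"{current_dir}\\{name}".lower())
    return paths


def cross_view_diff(live: Set[str], offline: Set[str]) -> Dict[str, Set[str]]:
    """Entries visible only offline are candidates for cloaking by a rootkit on the
    running system; entries visible only live are usually transient and are listed
    separately so they can be triaged rather than treated as infections."""
    return {"hidden_from_live": offline - live, "live_only": live - offline}


def run_example() -> Dict[str, Set[str]]:
    """Diff the two constructed listings."""
    return cross_view_diff(parse_dir_listing(LIVE_LISTING), parse_dir_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    for label, paths in run_example().items():
        print(f"{label}:")
        for path in sorted(paths):
            print(f"  {path}")
```

On real captures, feed the two saved files (the post's `Dirty.txt` and its offline counterpart) into `parse_dir_listing` instead of the embedded strings; an NT 4.0 `dir` row can vary in column spacing, which is why the regex matches on the date/time/size tokens rather than fixed column positions.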
     
  6. onesandzeros

    onesandzeros Private E-2

    Everyone,

    I am happy to report that by the end of the Presidential debate last night I had fixed my trojan problem. I used a combination of the technique that I previously mentioned as well as some other methods..booting to DOS (since I didn't have the NT 4 CD) and using a couple of different DOS commands. After using the windiff method to find the hxdefdrv.sys file and hxdefdrv.ini file...it was a matter of uncloaking the winunins files as well as the svhost file. The latter was the most difficult to get rid of because I didn't see it in Windows or at a DOS prompt (clean boot). It was a combination of method and hit or miss, but I think I can document it enough that I can help someone else if they find themselves in this situation. It also turns out that it was not necessary for me to rename the extension of CWShredder (.EXE to .COM) but rather change the name of the program itself (HIJACKTHIS to HI). The advice that chaslang gave me unquestionably put me on the right path..big shouts out to CHASLANG..Thanks..hope I can return the favor someday...


    If you feel I can be of some help in helping you resolve this situation..do not hesitate to send me a message here. I check the boards often....

    Thanks for everybody's help..thanks again M.A...

    This matter is closed....
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great news! Good job! And you're welcome.
     
