solution hxdefdrv.sys

By galehickey2

Solution that worked for me:
- Delete hxdefdrv.sys from the Windows folder and then from the Recycle Bin.
- Go into a command prompt, type NET STOP HACKERDEFENDER100 and hit Enter.
- About 45 seconds will pass and you will get the message "The service is not responding to the control function."
- Reboot, and hxdefdrv.sys did not come back.

by TheChas In reply to solution hxdefdrv.sys

Great.

Glad to see you found a fix.

I will keep this post in mind.

Chas

by encripted_bit In reply to solution hxdefdrv.sys

(Part I)

I was hacked by this application when I opened a web page in Internet Explorer.
Here is some information on hxdefdrv.sys (HACKERDEFENDER) and the removal instructions.

After noticing that something was wrong, I disconnected my PC from the Internet.

I noticed these changes to my system:

-There was a new shortcut on my desktop, with the name Start and this target:
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.casinopalazzo.com/index.php?sourceid=100455

-After searching for the files created today, I found these new files in C:\Winnt\
.23052004.exe <-- The name of this file is tomorrow's date
.hxdefdrv.sys
.sezzbc.ig2
.vzcdaq.2nh

-The Internet Explorer Start Page was modified to
http://rjgzvd.outhost.info/

-When trying to execute RegEdit.exe, this application was closed almost immediately.

-I deleted the file hxdefdrv.sys. After restarting the PC, the file had been recreated.

-To avoid the creation of this file again, open a command prompt and execute NET STOP HACKERDEFENDER100
Notice that this is the name of the service in the winunins.ini file (see winunins.ini below).

If the service is in memory, about 45 seconds will pass and you will get the message "The service is not responding to the control function."
If the service is not in memory, you will be told so.

After removing the service from memory, the hxdefdrv.sys file does not appear again when restarting the PC. Nevertheless, the application is still in memory, so that doesn't solve the problem completely.

Please note that this service is not listed in the Task Manager, because it hides itself, along with some other services and files.

-I restarted my PC in safe mode and found another file in C:\Winnt
.svhost.exe
.winunins.exe
.winunins.ini

by encripted_bit In reply to solution hxdefdrv.sys

(Part II)
-When searching for the files modified today, I found that the file
C:\WINNT\system32\drivers\etc\hosts
had been modified to what is shown here:

213.159.118.228 collections.inhost.info
213.159.118.228 collections.inhost2.info
213.159.118.228 1-se.com
213.159.118.228 58q.com
213.159.118.228 aifind.cc
213.159.118.228 aifind.info
213.159.118.228 allneedsearch.com
213.159.118.228 approvedlinks.com
213.159.118.228 auto.ie.searchforge.com
213.159.118.228 awebfind.biz
213.159.118.228 best.royalsearch.net
213.159.118.228 cracks.am
213.159.118.228 default-homepage-network.com
213.159.118.228 find.microgirls.com
213.159.118.228 find4u.net
213.159.118.228 freshvideogals.com
213.159.118.228 i-lookup.com
213.159.118.228 ie-search.com
213.159.118.228 in.webcounter.cc
213.159.118.228 itseasy.us
213.159.118.228 just.find-itnow.com
213.159.118.228 link.startmake.com
213.159.118.228 mysearchnow.com
213.159.118.228 nativehardcore.com
213.159.118.228 qwertysearch123.biz
213.159.118.228 search.ieplugin.com
213.159.118.228 search.psn.cn
213.159.118.228 searchbar.findthewebsiteyouneed.com
213.159.118.228 searchcentrix.com
213.159.118.228 searchmyrequest.com
213.159.118.228 super-spider.com

by encripted_bit In reply to solution hxdefdrv.sys

(Part III)
127.0.0.1 hard-virgins.com
127.0.0.1 www.hard-virgins.com
127.0.0.1 petite-virgins.biz
127.0.0.1 wwww.petite-virgins.biz
127.0.0.1 only-virgins.com
127.0.0.1 www.only-virgins.com
213.159.118.228 t.rack.cc
213.159.118.228 teen-biz.com
213.159.118.228 teenhqpics.com
213.159.118.228 tits.hardcore4ever.net
213.159.118.228 webcoolsearch.com
213.159.118.228 wmmse.com
213.159.118.228 www.008i.com
213.159.118.228 www.2fastsearch.net
213.159.118.228 www.8095.com
213.159.118.228 www.alfa-search.com
213.159.118.228 www.boredlife.com
213.159.118.228 www.couldnotfind.com
213.159.118.228 www.cracks.am
213.159.118.228 www.daum.net
213.159.118.228 www.dreamwiz.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find-itnow.com
213.159.118.228 www.find4u.net
213.159.118.228 www.firstbookmark.com
213.159.118.228 www.gajai.com
213.159.118.228 www.hand-book.com
213.159.118.228 www.hao123.com
213.159.118.228 www.hotsearchbox.com
213.159.118.228 www.hotwebsearch.com
213.159.118.228 www.hugesearch.net
213.159.118.228 www.iquicksearch.com
213.159.118.228 www.lookfor.cc
213.159.118.228 www.maxxxhosters.com
213.159.118.228 www.naver.com
213.159.118.228 www.nkvd.us
213.159.118.228 www.novafuck.com
213.159.118.228 www.ohcorea.com
213.159.118.228 www.omega-search.com
213.159.118.228 www.onet.pl
213.159.118.228 www.power-search.info
213.159.118.228 www.rightfinder.net
213.159.118.228 www.search-1.net
213.159.118.228 www.search-and-go.com
213.159.118.228 www.search-dot.com
213.159.118.228 www.search-space.com
213.159.118.228 www.searchforge.com
213.159.118.228 www.searching-the-net.com
213.159.118.228 www.searchv.com
213.159.118.228 www.searchxl.com
213.159.118.228 www.seznam.cz
213.159.118.228 www.slotch.com
213.159.118.228 www.spidersearch.com
213.159.118.228 www.startium.com
213.159.118.228 www.therealsearch.com
213.159.118.228 www.ttjj.com
213.159.118.228 www.viewpornkey.com
213.159.118.228 www.wazzupnet.com
213.159.118.228 www.
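An added example, not code from the thread or from the poster: a small Python audit that parses a hosts file in the format quoted in Parts II to IV, groups the mappings by address, and flags the two patterns visible in the dump above, one non-loopback address (213.159.118.228 here) pinning many hostnames, and loopback entries for names other than localhost. It goes a little beyond the "delete everything" step in the next post by keeping comment lines and unflagged mappings while guaranteeing the `127.0.0.1 localhost` line survives. The sample file content is constructed from a few of the quoted entries, and the threshold of three hostnames per address and the function names are my assumptions.

```python
"""Audit a Windows hosts file for redirect-sink and blackhole entries.

Added example, not code from the thread. SAMPLE_HOSTS is constructed from a
handful of the entries the poster quoted; the three-hostnames-per-address
threshold is an assumption.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a comment line, the legitimate localhost entry, a few of
# the quoted 213.159.118.228 redirects and two of the quoted loopback pins.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1 localhost
213.159.118.228 collections.inhost.info
213.159.118.228 aifind.cc
213.159.118.228 www.daum.net
213.159.118.228 www.naver.com
127.0.0.1 hard-virgins.com
127.0.0.1 www.hard-virgins.com
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples; comments and junk lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:                      # not an address: ignore the line
            continue
        for host in fields[1:]:                 # one address may name several hosts
            entries.append((str(ip), host.lower(), line_no))
    return entries


def audit_hosts(text, min_hosts_per_ip=3):
    """Group mappings by address and report the two hijack patterns.

    redirect_sinks: a non-loopback address that pins min_hosts_per_ip or more
    names (the search-engine redirect seen in the thread).
    blackholed: loopback entries for anything other than localhost.
    """
    by_ip = defaultdict(list)
    for ip, host, _ in parse_hosts(text):
        by_ip[ip].append(host)
    findings = {"redirect_sinks": {}, "blackholed": []}
    for ip, hosts in by_ip.items():
        if ipaddress.ip_address(ip).is_loopback:
            findings["blackholed"].extend(h for h in hosts if h != "localhost")
        elif len(hosts) >= min_hosts_per_ip:
            findings["redirect_sinks"][ip] = sorted(hosts)
    return findings


def clean_hosts(text, min_hosts_per_ip=3):
    """Drop every flagged mapping, keep comments and benign lines, and make sure
    the file still resolves localhost (the one line the poster keeps)."""
    findings = audit_hosts(text, min_hosts_per_ip)
    bad = set(findings["blackholed"])
    for hosts in findings["redirect_sinks"].values():
        bad.update(hosts)
    kept = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and any(h.lower() in bad for h in fields[1:]):
            continue                            # a flagged mapping: remove it
        kept.append(raw)
    if not any(l.split("#", 1)[0].split()[:2] == ["127.0.0.1", "localhost"] for l in kept):
        kept.append("127.0.0.1 localhost")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, hosts in report["redirect_sinks"].items():
        print(f"redirect sink {ip}: {len(hosts)} hostnames, e.g. {hosts[0]}")
    print("blackholed:", report["blackholed"])
    print(clean_hosts(SAMPLE_HOSTS))
```

Run it against a real file with `audit_hosts(open(path).read())`; the grouping by address is what makes the hijack obvious, since a clean hosts file rarely maps more than one or two names to any address other than loopback.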

by encripted_bit In reply to solution hxdefdrv.sys

(Part IV)
213.159.118.228 www.websearch.com
213.159.118.228 www.windowws.cc
213.159.118.228 www.xgmm.com
213.159.118.228 xwebsearch.biz
213.159.118.228 yourbookmarks.ws

-After opening RegEdit, I found svhost.exe in the path:
1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

-On the Internet, I found the site of the developers of this application at this URL:
http://www.megasecurity.org/trojans/h/hackerdefender/Hackerdefender1.00.html
There you can get a better idea of its functionality.

When I opened the winunins.ini file, I found this information, among others, in the [Settings] section:
ServiceName=HackerDefender100
DriverFileName=hxdefdrv.sys


To remove this application:
-Restart the PC in safe mode

-Open RegEdit and delete the keys:
1)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

-Delete these files from C:\Winnt\
.23052004.exe
.hxdefdrv.sys
.sezzbc.ig2
.vzcdaq.2nh

-In RegEdit, find and edit every key containing ".outhost.", leaving them blank. For example, the key
Default_Page_URL reads "http://ykkgcg.outhost.info/". Right-click on it, select Modify, delete the text and select OK. Please note that you should look for ".outhost."; I have noticed that the first part ("ykkgcg") is variable.

-Edit the hosts file, deleting everything and leaving only this line:
127.0.0.1 localhost

-Restart Windows in normal mode. Everything should be ok now. :-)
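An added example, not code from the thread or from the poster, that automates the two registry steps above on an exported copy rather than the live hive: it parses a regedit text export, flags Run entries that launch from the Windows root or are named svhost.exe (one letter short of the legitimate svchost.exe), flags any value whose data contains ".outhost." regardless of the variable first part, and turns the findings into `reg delete` / `reg add` commands that mirror the manual "delete the key" and "leave it blank" steps. SAMPLE_REG is a constructed export whose Run entries and .outhost. values copy the poster's findings; the notepad entry is a constructed benign control, and the function names are my assumptions.

```python
"""Scan a regedit text export for the persistence and hijack markers in the thread.

Added example, not from the thread. SAMPLE_REG is a constructed export in the
standard regedit text format; its Run entries and .outhost. values copy the
poster's findings and the notepad entry is a constructed benign control.
"""
import re

SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Network Service"="C:\\WINNT\\svhost.exe -sr -1"
"Benign Control"="C:\\WINNT\\system32\\notepad.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Default_Page_URL"="http://ykkgcg.outhost.info/"
"Start Page"="http://rjgzvd.outhost.info/"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')
OUTHOST_RE = re.compile(r"\.outhost\.", re.IGNORECASE)
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# Directories from which a Run entry is unusual for a legitimate program.
WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}


def parse_reg_export(text):
    """Return (key, value_name, data) for every string value under a [key] header."""
    triples, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            # regedit doubles backslashes inside string data; undo that
            triples.append((key, m.group("name"), m.group("data").replace("\\\\", "\\")))
    return triples


def _exe_location(data):
    """Split 'C:\\dir\\prog.exe args' into (directory, basename), lower-cased."""
    lower = data.lower()
    end = lower.find(".exe")
    if end < 0:
        return "", lower
    directory, _, basename = lower[:end + 4].strip('"').rpartition("\\")
    return directory, basename


def audit_reg(text):
    """Flag Run entries launching from the Windows root or named svhost.exe,
    plus any value whose data points at an .outhost. host, as the poster describes."""
    findings = {"run_entries": [], "outhost_values": []}
    for key, name, data in parse_reg_export(text):
        if key.lower().endswith(RUN_KEY_SUFFIX):
            directory, basename = _exe_location(data)
            reasons = []
            if basename == "svhost.exe":
                reasons.append("svchost.exe look-alike name")
            if directory in WINDOWS_ROOTS:
                reasons.append("launched from the Windows root directory")
            if reasons:
                findings["run_entries"].append((key, name, data, "; ".join(reasons)))
        if OUTHOST_RE.search(data):
            findings["outhost_values"].append((key, name, data))
    return findings


def removal_commands(findings):
    """Translate the findings into the poster's two manual steps: delete the
    Run values and blank the .outhost. values (standard reg.exe syntax)."""
    cmds = [f'reg delete "{key}" /v "{name}" /f'
            for key, name, _, _ in findings["run_entries"]]
    cmds += [f'reg add "{key}" /v "{name}" /t REG_SZ /d "" /f'
             for key, name, _ in findings["outhost_values"]]
    return cmds


if __name__ == "__main__":
    report = audit_reg(SAMPLE_REG)
    for key, name, data, why in report["run_entries"]:
        print(f"RUN  {key}\\{name} = {data}  [{why}]")
    for key, name, data in report["outhost_values"]:
        print(f"URL  {key}\\{name} = {data}")
    print("\n".join(removal_commands(report)))
```

Export the hives from regedit (File, Export) while in safe mode, feed the .reg text to `audit_reg`, and compare the flagged list against what you see in the Run keys before acting on the generated commands; matching on ".outhost." rather than the full hostname is what catches the variable prefix the poster mentions.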
