hxdef.exe - Dangerous

hxdef.exe

Jeff's Story:

My PC had gotten a bad rootkit that my ISP antivirus software (powered by McAfee) could not detect or fix.

I sought a solution on the Internet and discovered your product and tried out the trial.

You quickly found the rootkit and SAVED my PC!

I haven't had any problems since, and I'm extremely grateful.

Manual removal instructions:

hxdef.exe
W32.Lovgate.R@mm is a variant of W32.Lovgate@mm.
It is a mass-mailing worm that attempts to email itself to all the email addresses that it finds on the computer.
The "sender" of the email is spoofed, and the subject line and message body of the email vary.
Also known as W32/Lovgate.x@MM, I-Worm.LovGate.w

Copies itself as these files:
%System%\Hxdef.exe

Adds the value:
"Hardware Profile"="%System%\hxdef.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Adds the value: "SystemTra"="%Windir%\Systra.exe"
to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

Adds the value:
"run"="RAVMOND.exe"
to the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

May create the subkey:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1

Stops the following services: Rising Realtime Monitor Service, Symantec Antivirus Server, Symantec Client.
Scans all the computers on the local network and uses the following passwords to attempt to log in as "Administrator".
Starts an FTP server on a random port with no authentication required, which means that the infected computer is accessible to anyone.
Creates the file Autorun.inf in the root folder of all the drives except the CD-ROM drives, and copies itself as Command.com into that folder.

Scans all the drives whose type is removable or mapped, and all fixed drives with a drive letter greater than E.
On every drive it finds, the worm does the following:
Renames all .exe files to the .zmx extension.
Sets the Hidden and System attributes on these renamed files.
Copies itself under the original file name.
For example, if the worm finds OriginalFile.exe, it renames it to OriginalFile.zmx and then copies itself as OriginalFile.exe.
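The registry persistence entries and the rename-then-copy behaviour described above are both easy to check for offline. The following is an added example written for this page, not code from RegRun or from the original write-up: it runs the described indicators (the Run, RunServices and Windows values, the ZMXLIB1 subkey, the drive-selection rule, the .zmx/.exe pairing and the root-level Autorun.inf plus Command.com pair) against a constructed registry export and a constructed drive listing. The sample data is invented for illustration; on a real machine you would feed it a registry export and a recursive directory listing.

```python
"""Added example: offline checks for the hxdef.exe / W32.Lovgate.R@mm indicators
listed in the write-up. Registry snapshot and file listing below are constructed
sample data, not captures from an infected host."""
import re
from pathlib import PureWindowsPath

# Registry locations named in the write-up.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
WINDOWS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
ZMXLIB_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ZMXLIB1"

# (key, value name, pattern the value data should end with)
INDICATORS = [
    (RUN_KEY, "Hardware Profile", re.compile(r"hxdef\.exe$", re.I)),
    (RUNSERVICES_KEY, "SystemTra", re.compile(r"systra\.exe$", re.I)),
    (WINDOWS_KEY, "run", re.compile(r"ravmond\.exe$", re.I)),
]


def check_registry(snapshot):
    """snapshot: {key_path: {value_name: data}} as exported from the registry.
    Registry names are case-insensitive, so everything is lowercased before lookup.
    Returns (key, value_name, data) for each matching value; the ZMXLIB1 subkey
    is reported as (key, None, None) because its mere presence is the indicator."""
    snap = {k.lower(): {n.lower(): v for n, v in vals.items()} for k, vals in snapshot.items()}
    findings = []
    for key, name, pattern in INDICATORS:
        data = snap.get(key.lower(), {}).get(name.lower())
        if data is not None and pattern.search(data):
            findings.append((key, name, data))
    if ZMXLIB_KEY.lower() in snap:
        findings.append((ZMXLIB_KEY, None, None))
    return findings


def worm_targets_drive(letter, drive_type):
    """Drive-selection rule from the write-up: removable and mapped drives are
    always hit; fixed drives only when their letter is greater than E."""
    if drive_type in ("removable", "mapped"):
        return True
    return drive_type == "fixed" and letter.upper() > "E"


def find_replaced_executables(listing):
    """Flags every .exe that has a same-named .zmx sibling in the same folder,
    which is the footprint of the rename-then-copy step. Paths are returned lowercased."""
    by_dir = {}
    for p in listing:
        path = PureWindowsPath(p)
        by_dir.setdefault(str(path.parent).lower(), set()).add(path.name.lower())
    hits = []
    for folder, names in by_dir.items():
        for n in sorted(names):
            if n.endswith(".zmx") and n[:-4] + ".exe" in names:
                hits.append(str(PureWindowsPath(folder) / (n[:-4] + ".exe")))
    return sorted(hits)


def find_autorun_droppers(listing):
    """Drive roots that hold both Autorun.inf and Command.com (lowercased)."""
    roots = {}
    for p in listing:
        path = PureWindowsPath(p)
        if path.parent == path.parent.parent:  # parent is a drive root such as F:\
            roots.setdefault(str(path.parent).lower(), set()).add(path.name.lower())
    return sorted(r for r, names in roots.items() if {"autorun.inf", "command.com"} <= names)


# Constructed sample data (hypothetical host), not real captures.
SAMPLE_REGISTRY = {
    RUN_KEY: {"Hardware Profile": r"C:\WINDOWS\system32\hxdef.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    RUNSERVICES_KEY: {"SystemTra": r"C:\WINDOWS\Systra.exe"},
    ZMXLIB_KEY: {},
}
SAMPLE_LISTING = [
    r"F:\tools\putty.exe", r"F:\tools\putty.zmx", r"F:\tools\readme.txt",
    r"F:\Autorun.inf", r"F:\Command.com",
    r"C:\Program Files\app\app.exe",
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY):
        print("registry:", finding)
    for d, t in [("C", "fixed"), ("E", "fixed"), ("F", "fixed"), ("A", "removable")]:
        print(f"drive {d}: ({t}) targeted={worm_targets_drive(d, t)}")
    print("replaced exes:", find_replaced_executables(SAMPLE_LISTING))
    print("autorun roots:", find_autorun_droppers(SAMPLE_LISTING))
```

A .zmx file sitting next to an .exe of the same name is a strong signal on its own, since .zmx is not an extension any normal software produces; the registry matches are anchored on the file name at the end of the value data so that the check works regardless of how %System% or %Windir% expand on a given host.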

Attempts to spread to other computers by exploiting the DCOM RPC vulnerability (described in Microsoft Security Bulletin MS03-026) using TCP port 135.
Scans the system WAB file, temporary Internet files, and all the fixed and RAM disks for email addresses.
Uses its own SMTP engine to send itself to all the email addresses found by that scan.

Automatic removal:
Use RegRun Startup Optimizer to remove it from startup.

Remove hxdef.exe now!