SoftWAR.100 Trojan Horse



#1 SWCS


Posted 12 July 2004 - 03:58 PM

Windows XP. No anti-virus program. Will install PC-Cillin later. Internet Connection box keeps popping up. After being on the Internet for a while, Internet Explorer announces it will shut down in one minute and then shuts down. Cannot get Task Manager to come up. Ran Ad-Aware and removed 4 objects. Ran Trojan Hunter, and it identified port 1207 as open, thanks to SoftWAR.100, ydekfgs.exe. Ran HJT, and log follows. (Please note that I am in Boot Camp as a Trainee, but this is a live log, not a practice log. I recognize Hazafibb, but I thought that was associated with Trojan Horse Dyfica. I hope I don't get a warning for posting this live log. I'm trying to help out a client.)

Logfile of HijackThis v1.97.7
Scan saved at 3:44:43 PM, on 7/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\Smtray.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\WINDOWS\System32\ydekjfgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\rasautou.exe
C:\Documents and Settings\TerryS\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mwt.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mwt.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by MWT.NET
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mwt.net/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKLM\..\Run: [_Hazafibb] C:\WINDOWS\System32\ydekjfgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.mwt.net/
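The log above is the kind of input a helper can triage automatically. What follows is an added example, not code from the original post or from HijackThis: a small Python script that parses HijackThis-style log text, pulls out the running-process list and the O4 autostart entries, and scores each entry against a few simple heuristics. The heuristics, the threshold, and the tiny System32 allowlist are assumptions chosen for illustration; the sample log embedded in the script is a constructed excerpt shaped like the log in the post.

```python
"""Added example: heuristic triage of O4 autostart entries in a HijackThis-style log.
The heuristics and allowlist below are assumptions for illustration only."""
import re

# Minimal allowlist of programs that legitimately autostart from System32 on
# Windows XP (an assumption for this example, not an authoritative list).
KNOWN_SYSTEM32 = {"rundll32.exe", "ctfmon.exe"}

# Constructed sample mirroring the shape of the log in the post.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\System32\\ydekjfgs.exe
C:\\Program Files\\Messenger\\msmsgs.exe

O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\\..\\Run: [Smapp] Smtray.exe
O4 - HKLM\\..\\Run: [_Hazafibb] C:\\WINDOWS\\System32\\ydekjfgs.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>\S+?\.(?:exe|dll|ocx))', re.IGNORECASE)
# Five or more consonants in a row is a weak "random-looking name" signal.
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{5,}")


def executable_of(cmd):
    """Return the program path from a Run-key command line (quoted or bare)."""
    m = EXE_RE.match(cmd.strip())
    if m:
        return m.group("q") or m.group("u")
    parts = cmd.split()
    return parts[0] if parts else ""


def parse_hjt(text):
    """Split a HijackThis log into running-process basenames and O4 entries."""
    processes, entries = set(), []
    in_proc = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("Running processes:"):
            in_proc = True
            continue
        if in_proc:
            if not line:            # blank line ends the process list
                in_proc = False
            else:
                processes.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"hive": m.group("hive"), "name": m.group("name"),
                            "cmd": m.group("cmd"),
                            "exe": executable_of(m.group("cmd"))})
    return processes, entries


def score_entry(entry, processes):
    """Apply the heuristics to one O4 entry; each hit adds one point."""
    reasons = []
    exe = entry["exe"]
    base = exe.rsplit("\\", 1)[-1].lower()
    stem = base.rsplit(".", 1)[0]
    if entry["name"].startswith("_"):
        reasons.append("Run value name starts with an underscore")
    if "\\system32\\" in exe.lower() and base not in KNOWN_SYSTEM32:
        reasons.append("unfamiliar executable launched directly from System32")
    if CONSONANT_RUN.search(stem):
        reasons.append("random-looking basename (long consonant run)")
    return {"name": entry["name"], "exe": exe, "reasons": reasons,
            "score": len(reasons), "running": base in processes}


def triage(text, threshold=2):
    """Return scored O4 entries at or above the threshold, highest score first."""
    processes, entries = parse_hjt(text)
    scored = [score_entry(e, processes) for e in entries]
    return sorted((s for s in scored if s["score"] >= threshold),
                  key=lambda s: s["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        state = "running" if hit["running"] else "not running"
        print(f"[{hit['score']}] {hit['name']} -> {hit['exe']} ({state})")
        for r in hit["reasons"]:
            print("    -", r)
```

On the sample, only the `_Hazafibb` entry reaches the default threshold: it scores on all three signals and its executable also appears in the running-process list. `msmsgs.exe` picks up the consonant-run signal alone, which is exactly why single weak heuristics are combined with a threshold rather than acted on individually; any flagged entry is a candidate for further review, not a verdict.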

#2 SWCS


Posted 16 July 2004 - 04:53 PM

Copied above log to Boot Camp/Check my post. I'll post my suggested fix there.

Edited by SWCS, 17 July 2004 - 10:46 PM.
