Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Haxdoor Trojan/ps.a3d


  • This topic is locked This topic is locked

#1
crowfoot

crowfoot

    Member

  • Member
  • PipPip
  • 14 posts
I have "Watcher" installed on my computer and it's flagged this ps.a3d file which Google tells me is the Haxdoor Trojan.

I've downloaded the HSFIX tool, ran the hsfix.bat, but the report doesn't show any problems or items fixed.

The "Watcher" program is still running and I haven't attempted to do anything with the several items showing in it's report.

Here are the items that "Watcher" identifies and the list of options available in the Program:

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\WebCheck" (WebCheck (InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}) :
Entry was changed to <WebCheck (InprocServer32=) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}>


File C:\WINDOWS\SYSTEM\ps.a3d :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\p3.ini :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\klogini.dll :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\avpu32.dll :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\ShellIconCache (hidden) :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File c:\hslog :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'

File c:\BOOTLOG.PRV (hidden) :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


As well I am including an Hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:44 AM, on 9/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\WATCHER\WATCHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Watcher logon time.lnk = C:\Program Files\watcher\watcher.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab

Any help or insight you can offer on this problem would be very much appreciated.

Thanks,

Crowfoot

Edited by crowfoot, 01 September 2005 - 10:40 AM.

  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi crowfoot
Sorry for the delay in response if your still looking for help with this issue please post back a fresh HJT log please,
If you have resolved if you would let us know please,

Thanks and again sorry for the late reply
  • 0

#3
crowfoot

crowfoot

    Member

  • Topic Starter
  • Member
  • PipPip
  • 14 posts
Hello Don77,

Yes, I managed to resolve this matter on my own and should have advised you of that rather than wasting your time on this thread.

My apologies and thanks for the reply.

Regards,

Crowfoot
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Great to hear ! No problem, Not a waste of my time, Again sorry for the late reply,
As this topic appears to be resolved it will now be closed, Should you need it reopened please pm a member of the staff with a link to this topic,

Good luck
Don
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP