Haxdoor Trojan/ps.a3d

#1 crowfoot (Member, 14 posts)

I have "Watcher" installed on my computer and it has flagged this ps.a3d file, which Google tells me is the Haxdoor Trojan.

I've downloaded the HSFIX tool and run hsfix.bat, but the report doesn't show any problems or items fixed.

The "Watcher" program is still running and I haven't attempted to do anything with the several items showing in its report.

Here are the items that "Watcher" identifies and the list of options available in the program:

Registry entry "HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\ShellServiceObjectDelayLoad\WebCheck" (WebCheck (InprocServer32=C:\WINDOWS\SYSTEM\WEBCHECK.DLL) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}) :
Entry was changed to <WebCheck (InprocServer32=) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}>


File C:\WINDOWS\SYSTEM\ps.a3d :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\p3.ini :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\klogini.dll :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\SYSTEM\avpu32.dll :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File C:\WINDOWS\ShellIconCache (hidden) :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


File c:\hslog :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'

File c:\BOOTLOG.PRV (hidden) :
File was created

Available actions for this item: 'Confirm', 'Disable', 'Remove'


I am also including a HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:19:44 AM, on 9/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\WATCHER\WATCHER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\HIJACK THIS\HIJACKTHIS NEW 062505.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rense.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 60.48.219.112:8080
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.../7_1/home.html"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\b0diltfu.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Watcher logon time.lnk = C:\Program Files\watcher\watcher.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...ebscan_ansi.cab

Any help or insight you can offer on this problem would be very much appreciated.

Thanks,

Crowfoot

Edited by crowfoot, 01 September 2005 - 10:40 AM.

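As an added example (not code from this thread, from HijackThis or from Watcher), here is a small Python triage script that parses the two reports posted above and surfaces the findings a responder would look at first: the R1 ProxyServer entry that points Internet Explorer at a public IP address (every browser request is then relayed through that host), the ShellServiceObjectDelayLoad WebCheck entry whose InprocServer32 path changed from WEBCHECK.DLL to empty, and the files Watcher reports as newly created under C:\WINDOWS\SYSTEM. The sample lines are copied from the post; the function names and the "public address is suspicious" heuristic are my own assumptions.

```python
"""Triage helpers for a HijackThis log and a Watcher change report.

Added example for this thread; not part of HijackThis, Watcher or the
original post. Sample input below is copied from the post.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample: the relevant lines from the HijackThis log above.
HJT_SAMPLE = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.rense.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 60.48.219.112:8080
O4 - HKLM\\..\\Run: [TaskMonitor] c:\\windows\\taskmon.exe
O4 - HKLM\\..\\RunServices: [TrueVector] C:\\WINDOWS\\SYSTEM\\ZONELABS\\VSMON.EXE -service
O4 - Startup: Watcher logon time.lnk = C:\\Program Files\\watcher\\watcher.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""

# Constructed sample: the relevant lines from the Watcher report above.
WATCHER_SAMPLE = """\
Registry entry "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentVersion\\ShellServiceObjectDelayLoad\\WebCheck" (WebCheck (InprocServer32=C:\\WINDOWS\\SYSTEM\\WEBCHECK.DLL) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}) :
Entry was changed to <WebCheck (InprocServer32=) - CLSID={E6FB5E20-DE35-11CF-9C87-00AA005127ED}>

File C:\\WINDOWS\\SYSTEM\\ps.a3d :
File was created

File C:\\WINDOWS\\SYSTEM\\klogini.dll :
File was created

File c:\\BOOTLOG.PRV (hidden) :
File was created
"""

HJT_LINE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
SSODL_STATE = re.compile(
    r"(?P<name>\w+) \(InprocServer32=(?P<path>[^)]*)\) - CLSID=\{(?P<clsid>[^}]+)\}")


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {code, key, value} records.

    'R1 - <regkey>,<valuename> = <data>' style lines get key and value;
    lines without ' = ' (most O4/O16 lines) keep the whole body as value.
    Process lists, headers and blank lines are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        key, sep, value = m.group("body").partition(" = ")
        if not sep:
            key, value = "", m.group("body")
        entries.append({"code": m.group("code"), "key": key, "value": value})
    return entries


def proxy_verdict(entries: List[Dict[str, str]]) -> Optional[str]:
    """Warn when IE's ProxyServer points outside the machine or LAN.

    A proxy on a public address means every HTTP request, cookies and
    form posts included, transits a host the user does not control.
    Returns None when no proxy is set or it is loopback/private.
    """
    for e in entries:
        if e["code"] == "R1" and e["key"].endswith(",ProxyServer"):
            host, _, port = e["value"].rpartition(":")
            if not host:            # value had no ':port' suffix
                host = e["value"]
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:      # hostname rather than literal IP
                return f"proxy set to hostname {e['value']}; verify it is yours"
            if addr.is_private or addr.is_loopback:
                return None
            return (f"proxy set to public address {addr}:{port or '?'}; "
                    "all browser traffic is being relayed through a third party")
    return None


def ssodl_changes(report: str) -> List[Dict[str, object]]:
    """Pair each ShellServiceObjectDelayLoad entry with the 'Entry was
    changed to' line that follows it and report the before/after DLL path.
    SSODL objects are loaded into Explorer at every logon, so a changed
    or empty InprocServer32 path is worth reviewing."""
    lines = report.splitlines()
    out = []
    for i, line in enumerate(lines):
        if "ShellServiceObjectDelayLoad" not in line or i + 1 >= len(lines):
            continue
        before = SSODL_STATE.search(line)
        after = SSODL_STATE.search(lines[i + 1])
        if before and after and lines[i + 1].startswith("Entry was changed to"):
            out.append({"clsid": before.group("clsid"),
                        "before": before.group("path"),
                        "after": after.group("path"),
                        "path_missing": after.group("path") == ""})
    return out


def created_files(report: str, under: str = "C:\\WINDOWS\\SYSTEM\\") -> List[str]:
    """List files Watcher reports as newly created under a directory
    (compared case-insensitively, as Win9x paths are)."""
    lines = report.splitlines()
    found = []
    for i, line in enumerate(lines):
        m = re.match(r"File (?P<path>.+?)(?: \(hidden\))? :$", line)
        if m and i + 1 < len(lines) and lines[i + 1] == "File was created":
            if m.group("path").lower().startswith(under.lower()):
                found.append(m.group("path"))
    return found


if __name__ == "__main__":
    print(proxy_verdict(parse_hjt(HJT_SAMPLE)))
    for change in ssodl_changes(WATCHER_SAMPLE):
        print(change)
    print(created_files(WATCHER_SAMPLE))
```

The proxy check is the one that matters most in this log: an R1 ProxyServer entry is easy to overlook among the O4 and O16 lines, but with it in place nothing the local firewall shows as "IEXPLORE.EXE connecting out" is going where the user thinks it is.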


#2 don77 (Malware Expert, Retired Staff, 18,526 posts)

Hi crowfoot,
Sorry for the delay in response. If you're still looking for help with this issue, please post back a fresh HJT log.
If you have resolved it, would you let us know please?

Thanks, and again sorry for the late reply.

#3 crowfoot (Topic Starter, Member, 14 posts)

Hello Don77,

Yes, I managed to resolve this matter on my own and should have advised you of that rather than wasting your time on this thread.

My apologies and thanks for the reply.

Regards,

Crowfoot

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)

Great to hear! No problem, not a waste of my time. Again, sorry for the late reply.
As this topic appears to be resolved it will now be closed. Should you need it reopened, please PM a member of the staff with a link to this topic.

Good luck
Don