SoftWAR.100

Discussion in 'adware, spyware & hijack cleaning' started by SWCS, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. SWCS

    SWCS Registered Member
    Joined: Apr 2, 2004
    Posts: 36

    Windows XP. No anti-virus program. Installing PC-Cillin. Internet Connection box keeps popping up. After being on the Internet for a while, Internet Explorer announces it will shut down in one minute and then shuts down. Cannot get Task Manager to come up. Ran Ad-Aware and removed 4 objects. Ran Trojan Hunter, and it identified port 1207 as open, thanks to SoftWAR.100, ydekfgs.exe. Ran HJT, and log follows. I recognize Hazafibb, but I thought that was associated with Trojan Horse Dyfica.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:44:43 PM, on 7/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\Smtray.exe
    C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    C:\WINDOWS\System32\ydekjfgs.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\COMPAQ\CPQINET\CPQInet.exe
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\WINDOWS\System32\rasautou.exe
    C:\Documents and Settings\TerryS\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mwt.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mwt.net/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Provided by MWT.NET
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.mwt.net/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [Smapp] Smtray.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
    O4 - HKLM\..\Run: [_Hazafibb] C:\WINDOWS\System32\ydekjfgs.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Support (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.mwt.net/
     
  2. SWCS

    Did another HJT scan and fixed:
    O4 - HKLM\..\Run: [_Hazafibb] C:\WINDOWS\System32\ydekjfgs.exe

    Downloaded Damage Cleanup from TrendMicro. Hazafibb removed from registry (HKEY).

    Installed, updated and ran PC-Cillin. Computer clean.

    Turned System Restore on and set new Restore point.

    Thanks. Thread closed.

    SWCS
     