[Dshield] A few strange exe's

jayjwa jayjwa at atr2.ath.cx
Sat Jan 10 06:35:05 GMT 2004

On Fri, 9 Jan 2004, Paul Marsh wrote:

>   I've been working on an XP home edition for the last few hours having all kind of problems with it.
>   1.  The system was a default build from Dell, no SP's loaded..ugh
>   2.  No firewall running...ugh
>   3.  No Anti-virus...ugh, ugh
>   Had a bitch of a time getting Norton loaded on it just run a virus scan once I did it had about 15 instances of 5 different virus.  Had a bitch of a time loading Spy-bot also.  The long and the short of it is I found three strange exe's running.
>   igfxtray.exe
>   hkcmd.exe
>   Found some info on the above, original files are OK but some research points to trojan drop compromise.
>   wini32.exe can't find anything on this one, but as soon as I got it unloaded and removed from the system things started to improve.  Anyone know anything about it?  NAV did not detect any of them as being infected and spy-bot didn't find anything either.

igfxtray.exe = Found w/search on the internet, seems OK
wini32.exe = 40% sure I've seen this before as a trojan/virus/whatnot.
Hiding trojans are typically named "win****.exe". Not found w/search.

hkcmd.exe = "Application which implements Intel's HotKey command", found
on web w/search, seems OK

XP out of the box is a security nightmare.
On www.incidents.org is a link off the main page to a xpsurvivalguide.pdf,
which lists things you should do first. I've downloaded it, even though I
don't do Windows.

[jayjwa]RLF #37

More information about the list mailing list