
Conhook-k & C


4 replies to this topic

#1 hartwise (Members, 6 posts)

Posted 28 June 2006 - 12:55 AM

Newbie lady here... Thanks for viewing my post.

I have read posts on the subject but all the logs seem different. I am using a friend's computer, so I need to be extremely careful; plus I am a relative tech newbie, so I may be slow to reply as I will have to get my friend (the admin) to enter or delete any code. I can however run scans and post logs as required; I just don't want to enter code without consent.

Sophos description:

Troj/ConHook-K is a Trojan for the Windows platform.

The following registry entries are created to run code exported by the Trojan on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\atlS32

The Trojan is registered as a COM and Browser Help Object, creating the following registry entries to run itself on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
<Trojan filename>
RunDll32.exe "<path to Trojan executable>,Setup"

HKCR\CLSID\(4b1d0751-cb48-4265-a975-878be45145c6)\InprocServer32
(default)
<path to Trojan executable>



As required by the forum rules:
HP laptop, WinXP SP2

Ran Pandasoft scan:


Incident Status Location

Adware:adware/commad Not disinfected c:\MTE3NDI6ODoxNg.exe
Adware:adware/secure32 Not disinfected c:\winxp\secure32.html
Adware:adware/cws.searchmeup Not disinfected c:\winxp\uniq
Adware:adware/whenusearch Not disinfected c:\program files\common files\WhenU
Dialer:dialer.asl Not disinfected hkey_classes_root\clsid\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.112.2o7.net/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.com.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.overture.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Hitslink Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[counter.hitslink.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/Coremetrics Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[server.iad.liveperson.net/hc/63152693]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[server.iad.liveperson.net/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[server.iad.liveperson.net/hc/773362]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[server.iad.liveperson.net/hc/55278727]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.ad.sensismediasmart.com.au/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[ad.sensismediasmart.com.au/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[server.iad.liveperson.net/hc/26024123]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.247realmedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.bs.serving-sys.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.belnk.com/]
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Cynder\Application Data\Mozilla\Firefox\Profiles\j2wx4bs3.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@112.2o7[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@2o7[2].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@apmebf[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@bravenet[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@bs.serving-sys[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@burstnet[1].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@casalemedia[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@doubleclick[2].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@hitbox[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@mediaplex[2].txt
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@qksrv[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@questionmarket[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@server.iad.liveperson[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@serving-sys[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@statcounter[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Cynder\Cookies\cynder@zedo[1].txt

Ran HJT:

Logfile of HijackThis v1.99.1
Scan saved at 11:50:44 AM, on 28/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\WINXP\system32\fxssvc.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINXP\System32\igfxtray.exe
C:\WINXP\System32\hkcmd.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINXP\AGRSMMSG.exe
C:\WINXP\system32\rundll32.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hungersite.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)
O3 - Toolbar: (no name) - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINXP\System32\hkcmd.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {14C1B87C-3342-445F-9B5E-365FF330A3AC} (Hewlett-Packard Online Support Services) - http://h20278.www2.hp.com/HPISWeb/Customer...DataManager.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139021205140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1139021187515
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36064AD3-5B11-46F8-B049-5B3BFEC3912C}: NameServer = 203.0.178.191
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - C:\WINXP\System32\btxppanel.dll
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINXP\SYSTEM32\WgaLogon.dll
O21 - SSODL: fldrsys - {FBA540AC-372C-4FC9-AE00-02C1D0DC7826} - (no file)
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos AutoUpdate Service - Sophos plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINXP\system32\ZoneLabs\vsmon.exe



Then I tried the ewido scan. The laptop froze up and was hanging; I tried to restart and got a window saying "hidden fax window not responding", then "SMax4PNP not responding". I clicked to end both, then it froze up on the logging-off screen and would not shut down until about 40 minutes later. Please, if you see the nasty bugger's footprints above, could you highlight the offensive text for me to facilitate my learning process.

Q: I believe he is running both Sophos & ZoneAlarm. Does this create a conflict?
A:

Thank you
Hartwise


#2 hartwise (Topic Starter)

Posted 28 June 2006 - 01:12 AM

Ipig VPN is apparently a free encryption tool. Is it practicable to install this before the malware is removed, or will Conhook read my sign-up password?

Not sure if this is the correct forum; moderators, please move if applicable.

Thank you

#3 -David- (Members, 10,603 posts, London)

Posted 01 July 2006 - 08:31 AM

Hey there Hartwise and welcome to BleepingComputer,

It looks as though you have solved the conhook problem for yourself as the infection is now gone! We just have a bit of clearing up to do.

Please delete the following files:

c:\MTE3NDI6ODoxNg.exe
c:\winxp\secure32.html

Please delete the following folders:

c:\winxp\uniq
c:\program files\common files\WhenU

Open notepad and copy and paste next in it:

sc delete MSSQL$SQLEXPRESS

Save this as look.bat
Choose to save as all files.
Doubleclick look.bat and let the program run.

Please open Notepad and copy and paste the following into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}]

Save this as "fix.reg", choose to save as all files, and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)
O3 - Toolbar: (no name) - {70DE7956-479D-4eb7-8641-2B45774C350E} - (no file)
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O21 - SSODL: fldrsys - {FBA540AC-372C-4FC9-AE00-02C1D0DC7826} - (no file)


Make sure your Internet Explorer is closed, click on "Fix Checked", and exit HijackThis when finished.

In answer to your question, running Sophos and ZoneAlarm should be no problem: one is a firewall and one is an anti-virus, so they should work together seamlessly. It is only when you have two of the same type of software running together that conflicts can occur, e.g. running two antivirus programs simultaneously. You have no visible Conhook infection, so you should be safe to install Ipig VPN if you please.

Please reboot and post a new Hijackthis log,
David
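The fix list above follows a few triage rules (entries whose target file is gone, CLSIDs already reported by the Pandasoft scan), and the Sophos description earlier in the thread names two more startup patterns to look for (a Winlogon Notify package called atlS32, and a Run value of the form RunDll32.exe "<path>,Setup"). The Python below, an added example that is not from this thread or from HijackThis, applies those rules to HJT log lines. The sample log is constructed from lines posted in this thread; the two atlS32 lines are hypothetical, shaped after the Sophos write-up, and the "known bad" sets hold only identifiers that appear on this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v1.99 log format. All lines but two are copied
# from the log in this thread; the two "atlS32" lines are hypothetical and follow the
# Sophos Troj/ConHook-K description (Winlogon\Notify\atlS32, RunDll32 "<path>,Setup").
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hungersite.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {F8E5CA21-C27B-43e7-B2BE-4CA93C9F9A1F} - (no file)
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [atlS32] RunDll32.exe "C:\WINXP\system32\atlS32.dll,Setup"
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINXP\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: atlS32 - C:\WINXP\SYSTEM32\atlS32.dll
O21 - SSODL: fldrsys - {FBA540AC-372C-4FC9-AE00-02C1D0DC7826} - (no file)
"""

# CLSIDs flagged elsewhere in this thread: the Pandasoft dialer hit and the BHO CLSID
# from the Sophos ConHook-K write-up. Compared case-insensitively (stored upper-case).
KNOWN_BAD_CLSIDS = {
    "{A1426AC5-8CE5-4A00-B71E-011D35709AC6}",
    "{4B1D0751-CB48-4265-A975-878BE45145C6}",
}
# Winlogon Notify package name from the Sophos write-up (lower-case for comparison).
KNOWN_BAD_NOTIFY = {"atls32"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A Run value that loads a DLL's "Setup" export through RunDll32, as Sophos describes.
RUNDLL_SETUP_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^"]*,\s*Setup"?', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O2", "O16"
    reason: str
    line: str


def triage(log_text: str) -> List[Finding]:
    """Return the HJT entries that deserve a checkmark or a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+|R\d|F\d) - ", line)
        if not m:
            continue  # header, process list or blank line
        section = m.group(1)
        # Rule 1: an autostart entry whose target no longer exists is dead weight at
        # best and a leftover of a removed infection at worst; safe to fix.
        if "(no file)" in line or "(file missing)" in line:
            findings.append(Finding(section, "orphaned entry (target file absent)", line))
            continue
        # Rule 2: cross-reference CLSIDs against hits from the other scanners.
        clsid = CLSID_RE.search(line)
        if clsid and clsid.group(0).upper() in KNOWN_BAD_CLSIDS:
            findings.append(Finding(section, "CLSID reported malicious by another scanner", line))
            continue
        # Rule 3: Winlogon Notify packages are DLLs loaded into winlogon.exe at logon;
        # ConHook-K registers one under the name atlS32.
        if section == "O20":
            name = line.split(":", 1)[1].split(" - ")[0].strip().lower()
            if name in KNOWN_BAD_NOTIFY:
                findings.append(Finding(section, "Winlogon Notify package named in ConHook-K write-up", line))
            continue
        # Rule 4: Run entries that start a DLL via RunDll32 "<path>,Setup".
        if section == "O4" and RUNDLL_SETUP_RE.search(line):
            findings.append(Finding(section, "RunDll32 ,Setup autostart (ConHook-K pattern)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}: {f.line}")
```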

#4 hartwise (Topic Starter)

Posted 01 July 2006 - 11:21 AM

Hey D-Troj,

Thanks for your response to my post. I think I missed the protocol by posting straight to the HJT forum, then blew it again by posting a PS, which may have led to the belief my post was being handled. Learn by error and it sinks deep (I hope).

I am using a friend's laptop and warnings have been appearing from Sophos for the past few months re: Conhook-C, then in the past week or so Conhook-K. We thought we had got rid of the problems but they keep reappearing. I was also getting download windows from a site called "Allesandro Di Cassini" to install software; this hasn't appeared for a few weeks now as I tried to remove it. I think it's from porn, but it's not my laptop so I'm not sure.

Anyways, I have had a few vinos this evening, so neural function is a little poor now and it's 2am Sunday, so I will get to your requests tomorrow sometime or Monday, if you wouldn't mind taking a look then. I am keen to learn what the items you told me to further remove do to the system, and their origins. No printer at this locale, so I will bring another laptop tomorrow if convenient for my friends, so I may refer to your instructions.

Thanks so much for your assistance, very much appreciated.

Hartwise

#5 -David- (Members, 10,603 posts, London)

Posted 01 July 2006 - 01:15 PM

Hey Hartwise,
Good to see that you have joined the HJT trainee team! :thumbsup:
I will get an email notification when you reply, so there's no rush, get it done when you have the time,
David



