HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by the myth » April 7th, 2008, 12:53 pm

I'm running on Vista and since a few days ago it began to close Explorer and reopen it. I try to search for something in a folder, and by the time I get to the 2nd subfolder it would close again... This doesn't happen all the time, just every now and then...

That's what I get for allowing my gf to use my computer...

Anyway... here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:12, on 07.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\RtHDVCpl.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\system32\rundll32.exe
D:\Windows\system32\rundll32.exe
D:\Windows\System32\wsqmcons.exe
D:\Windows\system32\conime.exe
D:\Windows\system32\taskeng.exe
D:\Windows\explorer.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSServer] rundll32.exe D:\Users\Myth\AppData\Local\Temp\cBsPGWQK.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe D:\Users\Myth\AppData\Local\Temp\xxyvsSJA.dll,c
O4 - HKCU\..\Run: [a46b4dde] rundll32.exe "D:\Users\Myth\AppData\Local\Temp\oastdxtn.dll",b
O4 - HKCU\..\Run: [MS Juan] rundll32 "D:\Users\Myth\AppData\Local\Temp\eaeqeqqk.dll",run
O4 - HKCU\..\Run: [BMef89057a] Rundll32.exe "D:\Users\Myth\AppData\Local\Temp\xlhgqmkd.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8242 bytes
the myth
Active Member
 
Posts: 6
Joined: April 7th, 2008, 12:38 pm

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by Shaba » April 10th, 2008, 4:21 am

Hi the myth

You have no antivirus installed so we start with this:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

After that, please post back a fresh HijackThis log.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by the myth » April 10th, 2008, 2:31 pm

I just installed AVG Antivirus and did a scan on the Windows partition.

It said it removed some threats but trojan conhook.d wasn't in the list...

Here's the fresh HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:34:12, on 07.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
D:\Windows\system32\Dwm.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\RtHDVCpl.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\system32\rundll32.exe
D:\Windows\system32\rundll32.exe
D:\Windows\System32\wsqmcons.exe
D:\Windows\system32\conime.exe
D:\Windows\system32\taskeng.exe
D:\Windows\explorer.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\wuauclt.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\SearchFilterHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! ¤u¨ă¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] D:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSServer] rundll32.exe D:\Users\Myth\AppData\Local\Temp\cBsPGWQK.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe D:\Users\Myth\AppData\Local\Temp\xxyvsSJA.dll,c
O4 - HKCU\..\Run: [a46b4dde] rundll32.exe "D:\Users\Myth\AppData\Local\Temp\oastdxtn.dll",b
O4 - HKCU\..\Run: [MS Juan] rundll32 "D:\Users\Myth\AppData\Local\Temp\eaeqeqqk.dll",run
O4 - HKCU\..\Run: [BMef89057a] Rundll32.exe "D:\Users\Myth\AppData\Local\Temp\xlhgqmkd.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8242 bytes
the myth
Active Member
 
Posts: 6
Joined: April 7th, 2008, 12:38 pm

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by Shaba » April 11th, 2008, 3:50 am

Hi

Your HijackThis log is old.

Please re-scan with HijackThis and post a fresh HijackThis log :)
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by the myth » April 11th, 2008, 11:42 am

lol, I had just made the scan... dunno why it gave me the old log... (I accidentally renamed the shortcut... but didn't do anything else...) Right now every time I scanned it gave me the date of the first log...

I reinstalled HijackThis and here's a new log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:04, on 11.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\RtHDVCpl.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Scroll Mouse\MouseElf.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\YPOPs\ypops.exe
D:\Program Files\Azureus\Azureus.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\AVG\AVG8\avgtray.exe
D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mouseElf] D:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MS Juan] rundll32 "D:\Users\Myth\AppData\Local\Temp\eaeqeqqk.dll",run
O4 - HKCU\..\Run: [MSServer] rundll32.exe D:\Users\Myth\AppData\Local\Temp\byXQGwTm.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe D:\Users\Myth\AppData\Local\Temp\hgGwtqOI.dll,c
O4 - HKCU\..\Run: [BMef89057a] Rundll32.exe "D:\Users\Myth\AppData\Local\Temp\wdxkygdh.dll",s
O4 - HKCU\..\Run: [a46b4dde] rundll32.exe "D:\Users\Myth\AppData\Local\Temp\paqwfyeo.dll",b
O4 - HKCU\..\RunOnce: [x64setup] cmd.exe /Q /c If EXIST "%programfiles%\VistaCodecPack\icons\icons64.dll" REG ADD HKCU\Software\GNU\ffdshow\default /v isSubtitles /t REG_DWORD /d 1 /f
O4 - HKCU\..\RunOnce: [x64setup2] cmd.exe /Q /c If EXIST "%programfiles%\VistaCodecPack\icons\icons64.dll" regsvr32.exe /S "%programfiles%\VistaCodecPack\filters\MatroskaSplitter.ax"
O4 - HKCU\..\RunOnce: [x64setup1] cmd.exe /Q /c If EXIST "%programfiles%\VistaCodecPack\icons\icons64.dll" REG ADD HKCU\Software\GNU\ffdshow_audio /v ac3 /t REG_DWORD /d 15 /f
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 8830 bytes
the myth
Active Member
 
Posts: 6
Joined: April 7th, 2008, 12:38 pm
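The entries that stand out in the logs above are the HKCU Run values that start rundll32 against randomly named DLLs in the user's Temp folder (MSServer, cmds, a46b4dde, MS Juan, BMef89057a); between the 7 April and 11 April logs the value names survive while most of the file names change. The following is an added example, not code from this thread or from MalwareRemoval.com: a small Python triage script that parses the O4 lines of a HijackThis log, flags rundll32 entries loading a DLL from a Temp directory, and compares the two logs to show which value names persist with regenerated file names. The sample lines are copied from the logs posted in the thread; the heuristics (Temp-directory load as the decisive signal, eight-letter file names and hex-like value names as corroboration only) are the example's own assumptions, not rules from HijackThis or the forum.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: O4 (autostart) lines copied from the two HijackThis
# logs posted in this thread (7 April and 11 April), with benign entries from the
# same logs kept for contrast.
LOG_APRIL_7 = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [MSServer] rundll32.exe D:\Users\Myth\AppData\Local\Temp\cBsPGWQK.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe D:\Users\Myth\AppData\Local\Temp\xxyvsSJA.dll,c
O4 - HKCU\..\Run: [a46b4dde] rundll32.exe "D:\Users\Myth\AppData\Local\Temp\oastdxtn.dll",b
O4 - HKCU\..\Run: [MS Juan] rundll32 "D:\Users\Myth\AppData\Local\Temp\eaeqeqqk.dll",run
O4 - HKCU\..\Run: [BMef89057a] Rundll32.exe "D:\Users\Myth\AppData\Local\Temp\xlhgqmkd.dll",s
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
"""

LOG_APRIL_11 = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [MS Juan] rundll32 "D:\Users\Myth\AppData\Local\Temp\eaeqeqqk.dll",run
O4 - HKCU\..\Run: [MSServer] rundll32.exe D:\Users\Myth\AppData\Local\Temp\byXQGwTm.dll,#1
O4 - HKCU\..\Run: [cmds] rundll32.exe D:\Users\Myth\AppData\Local\Temp\hgGwtqOI.dll,c
O4 - HKCU\..\Run: [BMef89057a] Rundll32.exe "D:\Users\Myth\AppData\Local\Temp\wdxkygdh.dll",s
O4 - HKCU\..\Run: [a46b4dde] rundll32.exe "D:\Users\Myth\AppData\Local\Temp\paqwfyeo.dll",b
"""

# O4 - <hive>\..\Run[Once]: [<value name>] <command line>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+(?:\\S-[0-9-]+)?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32[.exe] <dll>,<export>   where <dll> may be quoted
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>[^,\s"]+))\s*,', re.IGNORECASE
)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"[A-Za-z]{8}")                 # e.g. cBsPGWQK, oastdxtn (heuristic)
MACHINE_NAME_RE = re.compile(r"[A-Za-z]{0,2}[0-9a-f]{8}")   # e.g. a46b4dde, BMef89057a (heuristic)


def parse_o4(line):
    """Split one O4 line into hive, key, value name and command; None if not an O4 line."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def rundll32_target(cmd):
    """Return the DLL path a rundll32 command line loads, or None if not a rundll32 launch."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return None
    return m.group("quoted") or m.group("bare")


def assess(entry):
    """Score one parsed O4 entry. A Temp-directory DLL load is the decisive signal;
    the name heuristics only corroborate and never flag an entry on their own."""
    dll = rundll32_target(entry["cmd"])
    if dll is None:
        return {"flagged": False, "dll": None, "reasons": []}
    reasons = []
    in_temp = bool(TEMP_DIR_RE.search(dll))
    if in_temp:
        reasons.append("rundll32 loads a DLL from a Temp directory")
    if RANDOM_STEM_RE.fullmatch(PureWindowsPath(dll).stem):
        reasons.append("8-letter DLL file name (weak signal by itself)")
    if MACHINE_NAME_RE.fullmatch(entry["name"]):
        reasons.append("Run value name looks machine-generated")
    return {"flagged": in_temp, "dll": dll, "reasons": reasons}


def triage(log_text):
    """Return {value_name: verdict} for every flagged O4 entry in a HijackThis log."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        verdict = assess(entry)
        if verdict["flagged"]:
            hits[entry["name"]] = verdict
    return hits


def persistent_loaders(old_log, new_log):
    """Flagged value names present in both logs, with their old and new DLL file names."""
    old, new = triage(old_log), triage(new_log)
    return {name: (PureWindowsPath(old[name]["dll"]).name, PureWindowsPath(new[name]["dll"]).name)
            for name in old if name in new}


if __name__ == "__main__":
    for label, log in (("7 April", LOG_APRIL_7), ("11 April", LOG_APRIL_11)):
        print(f"== {label} ==")
        for name, v in triage(log).items():
            print(f"  [{name}] {v['dll']}")
            for r in v["reasons"]:
                print(f"      - {r}")
    print("== same Run values across both logs ==")
    for name, (old, new) in persistent_loaders(LOG_APRIL_7, LOG_APRIL_11).items():
        print(f"  [{name}] {old} -> {new} ({'unchanged' if old == new else 'renamed'})")
```

Keying the comparison on the Run value name rather than the DLL file name is the point: a scan that removes the Temp DLLs but leaves the loaders alone, or a file name regenerated on reboot, keeps the same five value names in place, which is why a fresh HijackThis log after each cleanup step is worth more than a list of deleted files.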

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by Shaba » April 11th, 2008, 11:53 am

Hi

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Post by the myth » April 11th, 2008, 12:17 pm

When I ran HijackThis again it gave me the old report. I reinstalled and here is the HijackThis log:

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:15:43, on 11.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\RtHDVCpl.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Scroll Mouse\MouseElf.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Windows Media Player\wmpnscfg.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\YPOPs\ypops.exe
D:\Program Files\Azureus\Azureus.exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\AVG\AVG8\avgtray.exe
D:\Windows\system32\conime.exe
D:\Windows\Explorer.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mouseElf] D:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7545 bytes



Combofix Log


ComboFix 08-04-10.9 - Myth 2008-04-11 19:05:36.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6000.0.1250.1.1033.18.139 [GMT 3:00]
Running from: D:\Users\Myth\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-11 to 2008-04-11 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-11 16:10 --------- d-----w D:\Users\Myth\AppData\Roaming\Azureus
2008-04-11 16:02 --------- d-----w D:\Program Files\YPOPs
2008-04-11 11:31 --------- d---a-w D:\ProgramData\TEMP
2008-04-11 10:50 --------- d-----w D:\ProgramData\Fashion Solitaire 1.2
2008-04-10 21:42 --------- d-----w D:\Program Files\DomPlayer
2008-04-10 21:39 --------- d-----w D:\ProgramData\avg8
2008-04-10 21:38 --------- d-----w D:\Program Files\Java
2008-04-10 21:34 --------- d-----w D:\Program Files\Common Files\Java
2008-04-10 21:33 --------- d-----w D:\Program Files\VistaCodecPack
2008-04-10 19:44 --------- d-----w D:\Users\Myth\AppData\Roaming\Thunderbird
2008-04-10 19:44 --------- d-----w D:\Users\Myth\AppData\Roaming\Talkback
2008-04-10 19:44 --------- d-----w D:\Program Files\Mozilla Thunderbird
2008-04-10 17:33 96,520 ----a-w D:\Windows\system32\drivers\avgldx86.sys
2008-04-10 17:33 67,080 ----a-w D:\Windows\system32\drivers\avgwfpx.sys
2008-04-10 17:33 12,424 ----a-w D:\Windows\system32\drivers\avgrkx86.sys
2008-04-10 17:33 10,520 ----a-w D:\Windows\System32\avgrsstx.dll
2008-04-10 17:32 --------- d-----w D:\Program Files\AVG
2008-04-10 16:50 --------- d-----w D:\ProgramData\Azureus
2008-04-10 16:50 --------- d-----w D:\Program Files\Azureus
2008-04-10 16:16 --------- d-----w D:\Program Files\Scroll Mouse
2008-04-09 23:54 --------- d-----w D:\Users\Myth\AppData\Roaming\App Launcher Gadget
2008-04-09 19:43 --------- d-----w D:\ProgramData\Spybot - Search & Destroy
2008-04-09 16:39 --------- d-----w D:\Program Files\Microsoft Games
2008-04-09 16:35 --------- d-----w D:\Program Files\Yahoo!
2008-04-09 00:12 --------- d-----w D:\Program Files\Windows Mail
2008-04-07 16:33 --------- d-----w D:\Program Files\Trend Micro
2008-04-07 16:23 --------- d-----w D:\Program Files\Spybot - Search & Destroy
2008-04-02 13:43 --------- d-----w D:\Users\Myth\AppData\Roaming\Jane s Hotel Family Hero
2008-04-02 11:59 --------- d-----w D:\Users\Myth\AppData\Roaming\Oberon Games
2008-04-02 11:59 --------- d-----w D:\ProgramData\Oberon Games
2008-04-02 11:52 --------- d-----w D:\Program Files\bfgclient
2008-04-01 15:52 --------- d-----w D:\ProgramData\FLEXnet
2008-04-01 15:42 --------- d-----w D:\Program Files\Common Files\Adobe
2008-04-01 15:40 --------- d-----w D:\ProgramData\ALM
2008-04-01 15:33 --------- d-----w D:\Program Files\QuickTime
2008-04-01 15:25 --------- d-----w D:\Program Files\Bonjour
2008-04-01 15:23 --------- d-----w D:\Program Files\Common Files\Macrovision Shared
2008-04-01 15:02 --------- d-----w D:\Program Files\DAEMON Tools Lite
2008-04-01 14:50 174 --sha-w D:\Program Files\desktop.ini
2008-04-01 14:45 --------- d-----w D:\Program Files\Windows Sidebar
2008-04-01 14:45 --------- d-----w D:\Program Files\Windows Defender
2008-04-01 14:45 --------- d-----w D:\Program Files\Windows Calendar
2008-04-01 14:43 717,296 ----a-w D:\Windows\system32\drivers\sptd.sys
2008-04-01 14:42 --------- d-----w D:\Users\Myth\AppData\Roaming\DAEMON Tools
2008-04-01 14:38 --------- d-----w D:\Users\Myth\AppData\Roaming\Yahoo!
2008-04-01 14:38 --------- d-----w D:\ProgramData\Yahoo!
2008-04-01 13:14 --------- d-----w D:\Users\Myth\AppData\Roaming\Winamp
2008-04-01 13:13 --------- d-----w D:\Users\Myth\AppData\Roaming\MusicIP
2008-04-01 13:13 --------- d-----w D:\Program Files\Winamp
2008-04-01 13:12 --------- d-----w D:\Program Files\SpeedSim
2008-04-01 13:09 87,040 ----a-w D:\Windows\System32\msoert2.dll
2008-04-01 13:09 39,424 ----a-w D:\Windows\System32\ACCTRES.dll
2008-04-01 13:09 205,824 ----a-w D:\Windows\System32\msoeacct.dll
2008-04-01 13:08 704,000 ----a-w D:\Windows\System32\PhotoScreensaver.scr
2008-04-01 13:08 67,584 ----a-w D:\Windows\System32\wlanhlp.dll
2008-04-01 13:08 542,720 ----a-w D:\Windows\System32\sysmain.dll
2008-04-01 13:08 502,784 ----a-w D:\Windows\System32\wlansvc.dll
2008-04-01 13:08 47,104 ----a-w D:\Windows\System32\wlanapi.dll
2008-04-01 13:08 297,984 ----a-w D:\Windows\System32\wlansec.dll
2008-04-01 13:08 290,816 ----a-w D:\Windows\System32\wlanmsm.dll
2008-04-01 13:08 258,232 ----a-w D:\Windows\system32\drivers\acpi.sys
2008-04-01 13:08 24,064 ----a-w D:\Windows\System32\wtsapi32.dll
2008-04-01 13:08 2,923,520 ----a-w D:\Windows\explorer.exe
2008-04-01 13:06 194,560 ----a-w D:\Windows\System32\WebClnt.dll
2008-04-01 13:06 110,080 ----a-w D:\Windows\system32\drivers\mrxdav.sys
2008-04-01 13:05 49,664 ----a-w D:\Windows\System32\csrsrv.dll
2008-04-01 13:05 376,320 ----a-w D:\Windows\System32\winsrv.dll
2008-04-01 13:02 41,984 ----a-w D:\Windows\system32\drivers\monitor.sys
2008-04-01 13:02 1,060,920 ----a-w D:\Windows\system32\drivers\ntfs.sys
2008-04-01 13:01 414,208 ----a-w D:\Windows\System32\msscp.dll
2008-04-01 13:01 374,456 ----a-w D:\Windows\System32\mcupdate_GenuineIntel.dll
2008-04-01 12:58 45,112 ----a-w D:\Windows\system32\drivers\pciidex.sys
2008-04-01 12:58 3,504,696 ----a-w D:\Windows\System32\ntkrnlpa.exe
2008-04-01 12:58 3,470,392 ----a-w D:\Windows\System32\ntoskrnl.exe
2008-04-01 12:58 211,000 ----a-w D:\Windows\system32\drivers\volsnap.sys
2008-04-01 12:58 21,560 ----a-w D:\Windows\system32\drivers\atapi.sys
2008-04-01 12:58 17,464 ----a-w D:\Windows\system32\drivers\intelide.sys
2008-04-01 12:58 154,624 ----a-w D:\Windows\system32\drivers\nwifi.sys
2008-04-01 12:58 109,624 ----a-w D:\Windows\system32\drivers\ataport.sys
2008-04-01 12:58 104,448 ----a-w D:\Windows\System32\DWWIN.EXE
2008-04-01 12:57 8,704 ----a-w D:\Windows\System32\hcrstco.dll
2008-04-01 12:57 8,704 ----a-w D:\Windows\System32\hccoin.dll
2008-04-01 12:57 5,888 ----a-w D:\Windows\system32\drivers\usbd.sys
2008-04-01 12:57 38,400 ----a-w D:\Windows\system32\drivers\usbehci.sys
2008-04-01 12:57 23,040 ----a-w D:\Windows\system32\drivers\usbuhci.sys
2008-04-01 12:57 224,768 ----a-w D:\Windows\system32\drivers\usbport.sys
2008-04-01 12:57 192,000 ----a-w D:\Windows\system32\drivers\usbhub.sys
2008-04-01 12:57 1,191,936 ----a-w D:\Windows\System32\msxml3.dll
2008-04-01 12:56 803,328 ----a-w D:\Windows\system32\drivers\tcpip.sys
2008-04-01 12:56 24,064 ----a-w D:\Windows\System32\netcfg.exe
2008-04-01 12:56 22,016 ----a-w D:\Windows\System32\netiougc.exe
2008-04-01 12:56 216,632 ----a-w D:\Windows\system32\drivers\netio.sys
2008-04-01 12:56 167,424 ----a-w D:\Windows\System32\tcpipcfg.dll
2008-04-01 12:55 1,327,104 ----a-w D:\Windows\System32\quartz.dll
2008-04-01 12:54 9,728 ----a-w D:\Windows\System32\LAPRXY.DLL
2008-04-01 12:54 57,856 ----a-w D:\Windows\System32\SLUINotify.dll
2008-04-01 12:54 566,784 ----a-w D:\Windows\System32\SLCommDlg.dll
2008-04-01 12:54 39,936 ----a-w D:\Windows\System32\slcinst.dll
2008-04-01 12:54 351,232 ----a-w D:\Windows\System32\SLUI.exe
2008-04-01 12:54 33,280 ----a-w D:\Windows\System32\slwmi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="D:\Program Files\Windows Sidebar\sidebar.exe" [2008-04-01 15:50 1232896]
"Yahoo! Pager"="D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"DAEMON Tools Lite"="D:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 11:30 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="D:\Program Files\Windows Defender\MSASCui.exe" [2008-04-01 16:03 1006264]
"RtHDVCpl"="RtHDVCpl.exe" [2007-04-04 05:53 4431872 D:\Windows\RtHDVCpl.exe]
"Skytel"="Skytel.exe" [2007-04-04 12:22 1822720 D:\Windows\SkyTel.exe]
"NvSvc"="D:\Windows\system32\nvsvc.dll" [2006-11-28 09:12 90191]
"NvCplDaemon"="D:\Windows\system32\NvCpl.dll" [2006-11-28 09:12 7757824]
"NvMediaCenter"="D:\Windows\system32\NvMcTray.dll" [2006-11-28 09:12 81920]
"Acrobat Assistant 8.0"="D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"Adobe_ID0EYTHM"="D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 16:40 1884160]
"mouseElf"="D:\PROGRA~1\SCROLL~1\MouseElf.EXE" [2005-12-16 10:00 438364]
"AVG8_TRAY"="D:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-10 20:32 1177368]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

D:\Users\Myth\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
YPOPs.lnk - D:\Program Files\YPOPs\YPOPs.exe [2008-04-10 22:57:44 1331200]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B2D3D556-E727-4A37-A14F-17BDB4AD7F26}"= UDP:D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{3AD61E1C-8869-475A-B85F-5711D8E067B9}"= TCP:D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{D56B4236-F304-45F7-8F62-47BD474F33A4}"= UDP:D:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{73C8883B-9F23-4BD2-92C1-EBABFA0B5A6B}"= TCP:D:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"TCP Query User{E4B61A8A-0031-4D41-A903-35E5EC3ED9C6}D:\\program files\\mozilla firefox\\firefox.exe"= UDP:D:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{7569A064-9533-42DF-8574-1E5E0C89C051}D:\\program files\\mozilla firefox\\firefox.exe"= TCP:D:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{3DAADBF0-53CD-4059-A443-D28320786D44}D:\\program files\\java\\jre1.6.0_05\\bin\\java.exe"= UDP:D:\program files\java\jre1.6.0_05\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{6A1C3A62-E923-4DFC-AD06-5C870A9438EB}D:\\program files\\java\\jre1.6.0_05\\bin\\java.exe"= TCP:D:\program files\java\jre1.6.0_05\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{8DA8BA2E-7746-44D5-87E6-7CB27458BED7}D:\\windows\\system32\\java.exe"= UDP:D:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{1E17A236-9700-4FC2-910A-04896FA4B333}D:\\windows\\system32\\java.exe"= TCP:D:\windows\system32\java.exe:Java(TM) Platform SE binary
"{3F0FEC7B-B901-4E35-AB9E-8524462ABA7A}"= UDP:3703:Adobe Version Cue CS3 Server
"{9048D8E7-D2AD-4135-88DB-EFD59F71514E}"= UDP:3704:Adobe Version Cue CS3 Server
"{4AD49C7E-FBE4-4437-A3EC-0ED1C872A057}"= UDP:50900:Adobe Version Cue CS3 Server
"{A9FC87BA-1C63-426B-983A-139C268BF5F2}"= UDP:50901:Adobe Version Cue CS3 Server
"{7C4AE3FE-A034-4DC4-BAF6-7BFE12BECA27}"= UDP:D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{F9A967B6-4D46-49DF-9878-E45D6EAFEE4E}"= TCP:D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{B9D2F7AC-C07E-4F79-BCED-7B8AC156BC04}D:\\program files\\java\\jre1.6.0_05\\bin\\java.exe"= UDP:D:\program files\java\jre1.6.0_05\bin\java.exe:Java(TM) Platform SE binary
"UDP Query User{B95FD180-0A3F-4150-8B03-95E1EB55169D}D:\\program files\\java\\jre1.6.0_05\\bin\\java.exe"= TCP:D:\program files\java\jre1.6.0_05\bin\java.exe:Java(TM) Platform SE binary
"TCP Query User{3F1AC8BC-19A3-42B7-B208-74573668C2D8}D:\\program files\\mozilla firefox\\firefox.exe"= UDP:D:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AF073EC5-D416-4FA9-A7DC-D9B4E220618C}D:\\program files\\mozilla firefox\\firefox.exe"= TCP:D:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{EB39ADED-7F63-4A62-999E-0A028654F13C}G:\\games\\ugrd2\\speed2.exe"= UDP:G:\games\ugrd2\speed2.exe:SPEED2
"UDP Query User{5E1C9A54-1FFA-4616-9898-106F01F98562}G:\\games\\ugrd2\\speed2.exe"= TCP:G:\games\ugrd2\speed2.exe:SPEED2
"TCP Query User{F8BB5C67-CED6-467C-9EDC-8B85D3FF6E46}D:\\program files\\azureus\\azureus.exe"= UDP:D:\program files\azureus\azureus.exe:Azureus
"UDP Query User{E8C7468F-DE42-4823-BDF3-DFD2B67A38A7}D:\\program files\\azureus\\azureus.exe"= TCP:D:\program files\azureus\azureus.exe:Azureus
"{636771A2-4FB3-41AA-B759-BDE2D992BA4A}"= D:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
"{50195A81-4F14-4ECC-876B-FAE469432DDB}"= D:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{8E0E7C0C-EC8C-4991-841A-EE3F2D3ABE09}"= D:\Program Files\AVG\AVG8\avgnsx.exe:avgnsx.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

R0 AvgRkx86;avgrkx86.sys;D:\Windows\system32\Drivers\avgrkx86.sys [2008-04-10 20:33]
R1 AvgLdx86;AVG AVI Loader Driver x86;D:\Windows\system32\Drivers\avgldx86.sys [2008-04-10 20:33]
R2 avg8emc;AVG8 E-mail Scanner;D:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-10 20:32]
R2 avg8wd;AVG8 WatchDog;D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-10 20:32]
R2 SBSDWSCService;SBSD Security Center Service;D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 AvgWfpX;AVG8 Firewall Driver x86;D:\Windows\system32\Drivers\avgwfpx.sys [2008-04-10 20:33]
R3 genmcmn;Scroll Mouse Driver;D:\Windows\system32\DRIVERS\gmfiltr.sys [2004-09-15 09:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 19:10:53
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-11 19:12:36
ComboFix-quarantined-files.txt 2008-04-11 16:12:21
The system cannot find message text for message number 0x2379 in the message file for Application.
The system cannot find message text for message number 0x2379 in the message file for Application.
.
2008-04-10 22:52:43 --- E O F ---
the myth
Active Member
 
Posts: 6
Joined: April 7th, 2008, 12:38 pm

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Unread postby Shaba » April 11th, 2008, 12:23 pm

Hi

Open HijackThis, click "Do a system scan only" and checkmark this:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Image
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
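Added example, not part of this thread and not code from HijackThis or Trend Micro: a small Python parser for the HijackThis log format posted above. It picks out O2/O3 entries whose module is reported as (no file), which is what the BHO entry flagged in the reply above looks like: a COM registration with no DLL behind it, harmless on its own but the kind of leftover a cleanup removes. It also lists the O4 Run entries and the O20 AppInit_DLLs value so the same pass gives a quick load-point summary. The sample lines are copied from the log in this thread; the regular expressions and function names are the example's own.

```python
"""Parse HijackThis 2.x log lines and flag orphaned browser-extension entries.

Added example; not part of the MalwareRemoval.com thread and not HijackThis code.
"""
import re

# Sample input: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# A CLSID as HijackThis prints it: {8-4-4-4-12 hex digits}
CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"

# O2 (Browser Helper Object) and O3 (IE toolbar) lines share one layout:
#   O2 - BHO: <name> - {CLSID} - <dll path, or "(no file)" when the DLL is missing>
COM_LINE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>" + CLSID + r") - (?P<path>.*)$"
)
# O4 lines: O4 - <hive>\..\Run: [<value name>] <command line>
RUN_LINE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O20 lines: O20 - AppInit_DLLs: <dll list>
APPINIT_LINE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


def parse_com_entries(text):
    """Return (clsid, display name, module path) for every O2/O3 line."""
    entries = []
    for line in text.splitlines():
        m = COM_LINE.match(line.strip())
        if m:
            entries.append((m.group("clsid"), m.group("name"), m.group("path")))
    return entries


def orphaned_com_entries(text):
    """CLSIDs registered as a BHO or toolbar whose DLL HijackThis could not find."""
    return [clsid for clsid, _name, path in parse_com_entries(text) if path == "(no file)"]


def run_entries(text):
    """Return (hive, value name, command) for every O4 Run-key entry."""
    entries = []
    for line in text.splitlines():
        m = RUN_LINE.match(line.strip())
        if m:
            entries.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return entries


def appinit_dlls(text):
    """DLL names listed in the O20 AppInit_DLLs line (loaded into every user32 process)."""
    dlls = []
    for line in text.splitlines():
        m = APPINIT_LINE.match(line.strip())
        if m:
            dlls.extend(d for d in re.split(r"[,\s]+", m.group("dlls")) if d)
    return dlls


def review(text):
    """One-pass summary of the load points a helper would look at first."""
    return {
        "orphaned_com": orphaned_com_entries(text),
        "run_entries": [name for _hive, name, _cmd in run_entries(text)],
        "appinit_dlls": appinit_dlls(text),
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for clsid in summary["orphaned_com"]:
        print(f"orphaned BHO/toolbar registration (no module on disk): {clsid}")
    print("Run entries:", ", ".join(summary["run_entries"]))
    print("AppInit_DLLs:", ", ".join(summary["appinit_dlls"]) or "(none)")
```

Run it against a saved hijackthis.log by reading the file into `review()`; the orphaned list is the set of O2/O3 lines a helper would normally tell the poster to tick and "Fix checked", and the AppInit_DLLs list is worth a glance because anything there is injected into every GUI process (here it is AVG's own avgrsstx.dll, which matches the O23 AVG services).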

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Unread postby the myth » April 11th, 2008, 4:44 pm

Here are the files... those were 4 long hours... (remember that I'm running Vista on D:\ not C:, if that matters...)

hijack logs


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:43:29, on 11.04.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
D:\Windows\system32\taskeng.exe
D:\Windows\system32\Dwm.exe
D:\Windows\Explorer.EXE
D:\Program Files\Windows Defender\MSASCui.exe
D:\Windows\RtHDVCpl.exe
D:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
D:\Program Files\Scroll Mouse\MouseElf.exe
D:\Program Files\AVG\AVG8\avgtray.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\DAEMON Tools Lite\daemon.exe
D:\Windows\System32\rundll32.exe
D:\Program Files\Scroll Mouse\EMouse.exe
D:\Program Files\YPOPs\YPOPs.exe
D:\Program Files\Windows Sidebar\sidebar.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Program Files\Internet Explorer\ieuser.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Windows\system32\taskeng.exe
D:\Program Files\Azureus\Azureus.exe
D:\Windows\system32\SearchFilterHost.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Windows\system32\DllHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - D:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Skytel] Skytel.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE D:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "D:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] D:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [mouseElf] D:\PROGRA~1\SCROLL~1\MouseElf.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] D:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: YPOPs.lnk = ?
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - D:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - D:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - D:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - D:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 7794 bytes



kaspersky online report


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 11, 2008 11:38:52 PM
Operating System: Microsoft Windows Vista Professional, (Build 6000)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/04/2008
Kaspersky Anti-Virus database records: 698130
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 335131
Number of viruses found: 9
Number of infected objects: 34
Number of suspicious objects: 0
Duration of the scan process: 03:16:18

Infected Object Name / Virus Name / Last Action
C:\Boot\BCD Object is locked skipped
C:\Boot\BCD.LOG Object is locked skipped
C:\boot.ini Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Myth\Local Settings\Temp\hsperfdata_Myth\1160 Object is locked skipped
C:\Documents and Settings\Myth\Local Settings\Temp\NERO13390\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\NTDETECT.COM Object is locked skipped
C:\ntldr Object is locked skipped
C:\pagefile.sys Object is locked skipped
C:\Program Files\Adobe\Adobe Device Central CS3\AMT\AUMProduct.cer Object is locked skipped
C:\Program Files\Azureus\.install4j\installation.log Object is locked skipped
C:\Program Files\Common Files\SWF Studio\FileSys.dll Object is locked skipped
C:\Program Files\Common Files\SWF Studio\SysInfo.dll Object is locked skipped
C:\Program Files\ESET\infected\DHY0W4CA.NQF Infected: not-a-virus:AdWare.Win32.SaveNow.bv skipped
C:\Program Files\InstallShield Installation Information\{6BE2A4A4-99FB-48ED-AE1E-4E850389F804}\Setup.ilg Object is locked skipped
C:\Program Files\Mozilla Firefox\uninstall\uninstall.update Object is locked skipped
C:\WINDOWS\Debug\UserMode\userenv.log Object is locked skipped
C:\WINDOWS\diagerr.xml Object is locked skipped
C:\WINDOWS\diagwrn.xml Object is locked skipped
C:\WINDOWS\Minidump\Mini033008-01.dmp Object is locked skipped
C:\WINDOWS\Minidump\Mini033008-02.dmp Object is locked skipped
C:\WINDOWS\repair\autoexec.nt Object is locked skipped
C:\WINDOWS\repair\config.nt Object is locked skipped
C:\WINDOWS\repair\default Object is locked skipped
C:\WINDOWS\repair\ntuser.dat Object is locked skipped
C:\WINDOWS\repair\sam Object is locked skipped
C:\WINDOWS\repair\secsetup.inf Object is locked skipped
C:\WINDOWS\repair\security Object is locked skipped
C:\WINDOWS\repair\setup.log Object is locked skipped
C:\WINDOWS\repair\software Object is locked skipped
C:\WINDOWS\repair\system Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.sav Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.sav Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\system.sav Object is locked skipped
C:\WINDOWS\system32\config\TempKey.LOG Object is locked skipped
C:\WINDOWS\system32\config\userdiff Object is locked skipped
C:\WINDOWS\system32\config\userdiff.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wpa.bak Object is locked skipped
C:\WINDOWS\Tasks\AppleSoftwareUpdate.job Object is locked skipped
C:\WINDOWS\Tasks\MP Scheduled Scan.job Object is locked skipped
D:\Program Files\Adobe\Adobe Device Central CS3\AMT\AUMProduct.cer Object is locked skipped
D:\ProgramData\avg8\AvgAm\avgam.lck Object is locked skipped
D:\ProgramData\avg8\emc\Log\emc.log Object is locked skipped
D:\ProgramData\avg8\Log\avgam.log Object is locked skipped
D:\ProgramData\avg8\Log\avgcore.log Object is locked skipped
D:\ProgramData\avg8\Log\avglng.log Object is locked skipped
D:\ProgramData\avg8\Log\avgns.log Object is locked skipped
D:\ProgramData\avg8\Log\avgrs.log Object is locked skipped
D:\ProgramData\avg8\Log\avgsched.log Object is locked skipped
D:\ProgramData\avg8\Log\avgui.log Object is locked skipped
D:\ProgramData\avg8\Log\avgwd.log Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Feeds Cache\index.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat{841400c4-ff46-11dc-81f7-0019dba55ccf}.TM.blf Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat{841400c4-ff46-11dc-81f7-0019dba55ccf}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows\UsrClass.dat{841400c4-ff46-11dc-81f7-0019dba55ccf}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows Defender\FileTracker\{56F1C3A9-CCB4-4A33-A016-D6955A4DAF86} Object is locked skipped
D:\Users\Myth\AppData\Local\Microsoft\Windows Sidebar\Settings.ini Object is locked skipped
D:\Users\Myth\AppData\Local\Mozilla\Firefox\Profiles\t4hj1qeh.default\Cache\_CACHE_001_ Object is locked skipped
D:\Users\Myth\AppData\Local\Mozilla\Firefox\Profiles\t4hj1qeh.default\Cache\_CACHE_002_ Object is locked skipped
D:\Users\Myth\AppData\Local\Mozilla\Firefox\Profiles\t4hj1qeh.default\Cache\_CACHE_003_ Object is locked skipped
D:\Users\Myth\AppData\Local\Mozilla\Firefox\Profiles\t4hj1qeh.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Users\Myth\AppData\Local\Temp\FXSAPIDebugLogFile.txt Object is locked skipped
D:\Users\Myth\AppData\Local\VirtualStore\Program Files\YPOPs\ypops.log Object is locked skipped
D:\Users\Myth\AppData\Roaming\Microsoft\Windows\Cookies\index.dat Object is locked skipped
D:\Users\Myth\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\cert8.db Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\formhistory.dat Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\history.dat Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\key3.db Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\parent.lock Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\search.sqlite Object is locked skipped
D:\Users\Myth\AppData\Roaming\Mozilla\Firefox\Profiles\t4hj1qeh.default\urlclassifier2.sqlite Object is locked skipped
D:\Users\Myth\NTUSER.DAT Object is locked skipped
D:\Users\Myth\ntuser.dat.LOG1 Object is locked skipped
D:\Users\Myth\ntuser.dat.LOG2 Object is locked skipped
D:\Users\Myth\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf Object is locked skipped
D:\Users\Myth\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
D:\Users\Myth\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
D:\Windows\Debug\PASSWD.LOG Object is locked skipped
D:\Windows\Debug\sam.log Object is locked skipped
D:\Windows\Debug\WIA\wiatrace.log Object is locked skipped
D:\Windows\Logs\CBS\CBS.log Object is locked skipped
D:\Windows\Logs\DPX\setupact.log Object is locked skipped
D:\Windows\Logs\DPX\setuperr.log Object is locked skipped
D:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe.config Object is locked skipped
D:\Windows\Panther\UnattendGC\diagerr.xml Object is locked skipped
D:\Windows\Panther\UnattendGC\diagwrn.xml Object is locked skipped
D:\Windows\Panther\UnattendGC\setupact.log Object is locked skipped
D:\Windows\Panther\UnattendGC\setuperr.log Object is locked skipped
D:\Windows\security\database\secedit.sdb Object is locked skipped
D:\Windows\SoftwareDistribution\EventCache\{7F0E0B68-8ABE-4F6E-AB16-3A6B2599C884}.bin Object is locked skipped
D:\Windows\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
D:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 Object is locked skipped
D:\Windows\System32\catroot2\edb.log Object is locked skipped
D:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
D:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
D:\Windows\System32\config\COMPONENTS Object is locked skipped
D:\Windows\System32\config\COMPONENTS.LOG1 Object is locked skipped
D:\Windows\System32\config\COMPONENTS.LOG2 Object is locked skipped
D:\Windows\System32\config\DEFAULT Object is locked skipped
D:\Windows\System32\config\DEFAULT.LOG1 Object is locked skipped
D:\Windows\System32\config\DEFAULT.LOG2 Object is locked skipped
D:\Windows\System32\config\SAM Object is locked skipped
D:\Windows\System32\config\SAM.LOG1 Object is locked skipped
D:\Windows\System32\config\SAM.LOG2 Object is locked skipped
D:\Windows\System32\config\SECURITY Object is locked skipped
D:\Windows\System32\config\SECURITY.LOG1 Object is locked skipped
D:\Windows\System32\config\SECURITY.LOG2 Object is locked skipped
D:\Windows\System32\config\SOFTWARE Object is locked skipped
D:\Windows\System32\config\SOFTWARE.LOG1 Object is locked skipped
D:\Windows\System32\config\SOFTWARE.LOG2 Object is locked skipped
D:\Windows\System32\config\SYSTEM Object is locked skipped
D:\Windows\System32\config\SYSTEM.LOG1 Object is locked skipped
D:\Windows\System32\config\SYSTEM.LOG2 Object is locked skipped
D:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.0.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.1.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.2.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834b7-750c-494d-bdc3-da86b6e2101a}.TxR.blf Object is locked skipped
D:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TM.blf Object is locked skipped
D:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000001.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000002.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000003.regtrans-ms Object is locked skipped
D:\Windows\System32\config\TxR\{250834B7-750C-494d-BDC3-DA86B6E2101B}.TMContainer00000000000000000004.regtrans-ms Object is locked skipped
D:\Windows\System32\drivers\sptd.sys Object is locked skipped
D:\Windows\System32\LogFiles\Scm\SCM.EVM Object is locked skipped
D:\Windows\System32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
D:\Windows\System32\restore\MachineGuid.txt Object is locked skipped
D:\Windows\System32\spool\SpoolerETW.etl Object is locked skipped
D:\Windows\System32\wbem\AutoRecover\9B2AE30BDA2ED3E7E1378B8770C99C54.mof Object is locked skipped
D:\Windows\System32\wbem\Logs\WMITracing.log Object is locked skipped
D:\Windows\System32\wbem\Repository\INDEX.BTR Object is locked skipped
D:\Windows\System32\wbem\Repository\MAPPING1.MAP Object is locked skipped
D:\Windows\System32\wbem\Repository\MAPPING2.MAP Object is locked skipped
D:\Windows\System32\wbem\Repository\OBJECTS.DATA Object is locked skipped
D:\Windows\System32\winevt\Logs\Application.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\DFS Replication.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\HardwareEvents.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Internet Explorer.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Key Management Service.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Networking%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-ReliabilityAnalysisComponent%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Resolver%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Leak-Diagnostic%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-UAC-FileVirtualization%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Security.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\Setup.evtx Object is locked skipped
D:\Windows\System32\winevt\Logs\System.evtx Object is locked skipped
D:\Windows\Tasks\SCHEDLGU.TXT Object is locked skipped
D:\Windows\WindowsUpdate.log Object is locked skipped
D:\Windows\winsxs\x86_microsoft-windows-n..n_service_datastore_31bf3856ad364e35_6.0.6000.16386_none_cef7ceb03914a67f\dnary.xsd Object is locked skipped
G:\H\$BadClus Object is locked skipped
G:\H\$UpCase Object is locked skipped
G:\old D\Bit Comet Downloads\mp3finder.exe/data0011 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
G:\old D\Bit Comet Downloads\mp3finder.exe Inno: infected - 1 skipped
G:\old D\kit\kit new\passsword\ca_setup.exe/WISE0017.BIN Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
G:\old D\kit\kit new\passsword\ca_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
G:\old D\kit\kit new\passsword\ca_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
G:\old D\kit\kit new\passsword\ca_setup.exe WiseSFX: infected - 3 skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1\LsaExtRelease\LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1\PwDumpRelease\LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1\PwDumpRelease\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1\PwserviceRelease\LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1\PwserviceRelease\pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip/LsaExtRelease/LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip/PwDumpRelease/LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip/PwDumpRelease/pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip/PwserviceRelease/LsaExt.dll Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip/PwserviceRelease/pwservice.exe Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
G:\old D\kit\kit new\passsword\pwdump6-1.4.1.zip ZIP: infected - 5 skipped
G:\old D\kit\kit new\passsword\rainbowcrack-1.2-win.zip/rainbowcrack-1.2-win/rcrack.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a skipped
G:\old D\kit\kit new\passsword\rainbowcrack-1.2-win.zip/rainbowcrack-1.2-win/rtdump.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a skipped
G:\old D\kit\kit new\passsword\rainbowcrack-1.2-win.zip/rainbowcrack-1.2-win/rtgen.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a skipped
G:\old D\kit\kit new\passsword\rainbowcrack-1.2-win.zip/rainbowcrack-1.2-win/rtsort.exe Infected: not-a-virus:PSWTool.Win32.Rainbow.12.a skipped
G:\old D\kit\kit new\passsword\rainbowcrack-1.2-win.zip ZIP: infected - 4 skipped
G:\old D\old desktop\Fundamente\Fundamente\Laborator1\OvariantaMaiBuna\PROBL12L.EXE Infected: Virus.DOS.Tupas.j skipped
G:\old D\old desktop\Fundamente.zip/Fundamente/Laborator1/OvariantaMaiBuna/PROBL12L.EXE Infected: Virus.DOS.Tupas.j skipped
G:\old D\old desktop\Fundamente.zip ZIP: infected - 1 skipped
G:\old D\old desktop\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
G:\old D\old desktop\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
G:\old D\old desktop\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
G:\old D\old desktop\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
G:\old D\old desktop\mirc631.exe NSIS: infected - 4 skipped
G:\stick2\an1\Mate_Info\Alg_Mate_Info.rar/Alg_Mate_Info/Ex_Pas/FIBO.EXE Infected: Virus.DOS.Tupas.j skipped
G:\stick2\an1\Mate_Info\Alg_Mate_Info.rar RAR: infected - 1 skipped

Scan process completed.
the myth
Active Member
 
Posts: 6
Joined: April 7th, 2008, 12:38 pm

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Unread postby Shaba » April 12th, 2008, 4:43 am

Hi

Delete these:

G:\old D\old desktop\Fundamente
G:\old D\old desktop\Fundamente.zip
G:\stick2\an1\Mate_Info\Alg_Mate_Info.rar
G:\old D\Bit Comet Downloads\mp3finder.exe

Empty Recycle Bin.

Still problems?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
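For readers who want to check a report like the one above themselves, here is an added example (not part of the thread, and not code from Kaspersky or from the helper) that parses the Kaspersky Online Scanner v5 report format: it rolls archive-member detections up to the file on disk, separates Kaspersky's "not-a-virus:" riskware hits (adware, the Cain/pwdump/rainbowcrack password tools, mIRC) from real malware (here Virus.DOS.Tupas.j), counts the "Object is locked" lines, which are not detections, and checks that each container's "infected - N" roll-up agrees with the member lines seen above it. The sample input is a handful of lines copied from the report in this thread. The riskware/malware split is a general heuristic, not Shaba's reasoning: mp3finder.exe is riskware by this rule but still ended up on the delete list, so a helper's judgement remains the final step.

```python
import re

# Sample input: lines copied from the Kaspersky Online Scanner report in this thread,
# chosen to cover the three line shapes the parser has to handle.
SAMPLE_REPORT = r"""
C:\pagefile.sys Object is locked skipped
C:\Documents and Settings\Myth\Local Settings\Temp\NERO13390\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
G:\old D\Bit Comet Downloads\mp3finder.exe/data0011 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
G:\old D\Bit Comet Downloads\mp3finder.exe Inno: infected - 1 skipped
G:\old D\old desktop\Fundamente.zip/Fundamente/Laborator1/OvariantaMaiBuna/PROBL12L.EXE Infected: Virus.DOS.Tupas.j skipped
G:\old D\old desktop\Fundamente.zip ZIP: infected - 1 skipped
G:\stick2\an1\Mate_Info\Alg_Mate_Info.rar/Alg_Mate_Info/Ex_Pas/FIBO.EXE Infected: Virus.DOS.Tupas.j skipped
G:\stick2\an1\Mate_Info\Alg_Mate_Info.rar RAR: infected - 1 skipped
"""

# One detection in a file or archive member: "<object> Infected: <name> skipped"
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) skipped$")
# Roll-up line for a container: "<object> <Format>: infected - <n> skipped"
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?P<fmt>\w+): infected - (?P<n>\d+) skipped$")
# Objects the scanner could not open (registry hives, page file, live logs); not detections
LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")


def container_of(obj):
    """Map an archive member such as 'x.zip/a/b.exe' to the on-disk file 'x.zip'.
    Windows paths use backslashes, so the first forward slash marks the archive boundary."""
    return obj.split("/", 1)[0]


def severity(name):
    """Kaspersky prefixes adware, IRC clients and password tools with 'not-a-virus:';
    anything without that prefix (e.g. Virus.DOS.Tupas.j) is treated as real malware."""
    return "riskware" if name.startswith("not-a-virus:") else "malware"


def _new_entry():
    return {"severity": "riskware", "names": set(), "members": 0, "declared": None}


def triage(report_text):
    """Group detections by on-disk container.
    Returns (findings, locked_count); findings maps container path ->
    {'severity', 'names', 'members', 'declared'}."""
    findings = {}
    locked = 0
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LOCKED_RE.match(line):
            locked += 1
            continue
        m = DETECTION_RE.match(line)
        if m:
            entry = findings.setdefault(container_of(m.group("obj")), _new_entry())
            entry["names"].add(m.group("name"))
            entry["members"] += 1
            if severity(m.group("name")) == "malware":
                entry["severity"] = "malware"  # one real hit outranks any riskware hits
            continue
        m = CONTAINER_RE.match(line)
        if m:
            entry = findings.setdefault(m.group("obj"), _new_entry())
            entry["declared"] = int(m.group("n"))
    return findings, locked


def malware_containers(report_text):
    """Sorted on-disk paths that carry at least one non-riskware detection."""
    findings, _ = triage(report_text)
    return sorted(p for p, e in findings.items() if e["severity"] == "malware")


def consistency_issues(report_text):
    """Containers whose 'infected - N' roll-up disagrees with the member lines counted."""
    findings, _ = triage(report_text)
    return sorted(p for p, e in findings.items()
                  if e["declared"] is not None and e["declared"] != e["members"])


if __name__ == "__main__":
    findings, locked = triage(SAMPLE_REPORT)
    for path, e in sorted(findings.items()):
        names = ", ".join(sorted(e["names"]))
        print(f"{e['severity']:8} {e['members']} hit(s)  {path}  [{names}]")
    print(f"{locked} locked object(s) skipped (not detections)")
    print("roll-up mismatches:", consistency_issues(SAMPLE_REPORT) or "none")
```

Run it as-is to triage the sample, or feed the whole saved report text to `triage()`. Locked objects are reported separately on purpose: the long run of "Object is locked skipped" lines in a report like this one is normal for hives, caches and the page file, and should not be read as infections.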

Re: HijackThis Logs <- looking to remove trojan win32/conhook.d

Unread postby Shaba » April 17th, 2008, 3:52 am

Due to Lack of Response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland