Hello Amateur,
Here is the log from ComboFix:
"HP_Owner" - 2007-05-08 18:56:54 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Program Files\Mozilla Firefox\"
(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\hpbqctwa.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((( Files Created from 2007-04-08 to 2007-05-08 ))))))))))))))))))))))))))))))))))
2007-05-07 19:02 <DIR> d-------- C:\Deckard
2007-05-07 15:24 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-05-07 15:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-07 14:44 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-07 14:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-04 14:45 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Slide
2007-04-19 20:08 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-04-19 20:08 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-04-19 20:06 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-04-19 07:40 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-05-09 00:05:30 -------- d-----w C:\Program Files\Plaxo
2007-05-07 19:18:48 -------- d-----w C:\Program Files\WildTangent
2007-05-07 19:15:51 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Viewpoint
2007-05-07 19:15:01 -------- d-----w C:\Program Files\Viewpoint
2007-05-05 18:14:26 -------- d-----w C:\Program Files\Slide
2007-03-19 02:38:39 -------- d-----w C:\Program Files\Common Files\Companion Wizard
2007-03-18 19:23:46 -------- d-----w C:\Program Files\Symantec
2007-03-18 19:23:00 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-03-18 19:21:05 -------- d-----w C:\DOCUME~1\HP_Owner\APPLIC~1\Lavasoft
2007-03-17 21:49:53 -------- d-----w C:\Program Files\Common Files\SysProtect
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}"="C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll"
"{AA58ED58-01DD-4d91-8333-CF10577473F7}"="c:\program files\google\googletoolbar1.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"AlcxMonitor"="ALCXMNTR.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"tgcmd"="\"C:\\Program Files\\Support.com\\BellSouth\\hcenter.exe\" /starthidden /tgcmdwrapper"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1137780968\\ee\\AOLSoftware.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Google Desktop Search"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"OneCareUI"="\"C:\\Program Files\\Microsoft Windows OneCare Live\\winssnotify.exe\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Aim6"=""
"PlaxoUpdate"="C:\\Program Files\\Plaxo\\2.12.1.1\\PlaxoHelper.exe -a"
"RealPlayer"="\"C:\\Program Files\\Real\\RealPlayer\\realplay.exe\" /RunUPGToolCommandReBoot"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000
"NoCDBurning"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\0\0
Security Packages kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages scecli\0\0
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\0\0
LocalService Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService DnsCache\0\0
DcomLaunch DcomLaunch\0TermService\0\0
rpcss RpcSs\0\0
imgsvc StiSvc\0\0
termsvcs TermService\0\0
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{8751701e-337e-11db-afc7-0011d8a48236}]
Shell\AutoRun\command K:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Quick Scan.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\MP Scheduled Signature Update.job
********************************************************************
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer,
http://www.gmer.net
Rootkit scan 2007-05-08 19:07:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 2007-05-08 19:11:31 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-08 19:11
Thanks again,
James