Trojan-downloader.conhook

Hello everybody !

Some how my laptop is infected with what “PC Tools Spyware Doctor” calls Trojan-Downloader.ConHook

Bitdefender 2008 does not see it.

The symptoms are as follows; at start up some program or ****** overrules the privacy setting in “internet options “ and allows all cookies.

Left unchecked, it tries to open all kinds of web pages and download all kind Trojans ETC.

The following suspect registry values recreate themselves after deletion.

Threat Name - Trojan-Downloader.ConHook

Type - Registry Key

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan

Threat Name - Trojan-Downloader.ConHook

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-3213442940-3722362377-2370026465-1004\Software\Microsoft\MS Juan, (Default)

Please help me remove this pest !

I will post the HighjackThis log next

Thanks

/applications/core/interface/file/attachment.php?id=1256" data-fileid="1256" rel="">hijackthis.rar

Find more posts tagged with

Comments

AndreiASM

Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to downloade it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:19 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ezSP_Px.exe
\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apvfb.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
\Program Files\UPHClean\uphclean.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\mqsvc.exe
\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =  Internet Explorer provided by Andrei
O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Zoom &In  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm
O8 - Extra context menu item: Zoom &Out  - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121775805920
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136462966394
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u3-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Spyware Doctor\swdsvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - \Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8091 bytes

soidog2

Next time, simply paste the content of the log here. If you attach the file on Malware talk, only mods/sm/vr will be able to downloade it.

Thanks, how about some suggestions on how to deal with the above !

farbar

Hi,

I think you have got a ConHook variant which hide itself from Hijackthis as I can't find any suspicious entry.

1-Try VundoFix first (instruction given below).

Download VundoFix by Atribune to your desktop.

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.

In this case, VundoFix will run on reboot, simply follow the above instructions above, starting from "Click the

Scan for Vundo button" when VundoFix appears at reboot.

2. Then run hijackthis, close all open windows, run scan, check the following entry and click on fix:

O3 - Toolbar: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - (no file)

this one looks to me can be fixed also:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Andrei

3. Please post the contents of C:\vundofix.txt and a new HiJackThis log in this thread.

In case you have removed the infection and don't want to post the result remove vundofix and its .txt file from your system.

soidog2

Hi,

I think you have got a ConHook variant which hide itself from Hijackthis as I can't find any suspicious entry.

Will do and post

soidog2

Hi,

I think you have got a ConHook variant which hide itself from Hijackthis as I can't find any suspicious entry.

1-Try VundoFix first (instruction given below).

As you will see bellow, Vundofix found a few files and fixed them, together with Hijackthis the infestation might have been stopped.

Thanks, give me a few days to make sure.

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5

Old versions of java are exploitable and should be removed.

Scan started at 6:50:15 PM 12/29/2007

Listing files found while scanning....

C:\WINDOWS\system32\ciytkdgw.dll

C:\WINDOWS\system32\dqdoaxkk.ini

C:\WINDOWS\system32\fmlhjhtp.dll

C:\WINDOWS\system32\gteertqy.dll

C:\WINDOWS\system32\hiqlaoyk.dll

C:\WINDOWS\system32\kkxaodqd.dll

C:\WINDOWS\system32\ljhfe.dll

C:\WINDOWS\system32\nohvbchm.dll

C:\WINDOWS\system32\otbmaaeh.dll

C:\WINDOWS\system32\pthjhlmf.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ciytkdgw.dll

C:\WINDOWS\system32\ciytkdgw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dqdoaxkk.ini

C:\WINDOWS\system32\dqdoaxkk.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fmlhjhtp.dll

C:\WINDOWS\system32\fmlhjhtp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gteertqy.dll

C:\WINDOWS\system32\gteertqy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hiqlaoyk.dll

C:\WINDOWS\system32\hiqlaoyk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kkxaodqd.dll

C:\WINDOWS\system32\kkxaodqd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljhfe.dll

C:\WINDOWS\system32\ljhfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nohvbchm.dll

C:\WINDOWS\system32\nohvbchm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\otbmaaeh.dll

C:\WINDOWS\system32\otbmaaeh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pthjhlmf.ini

C:\WINDOWS\system32\pthjhlmf.ini Has been deleted!

Performing Repairs to the registry.

Done!

soidog2

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:54:01 PM, on 12/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\ezSP_Px.exe

\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Apoint\Apvfb.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\msdtc.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\WINDOWS\system32\mqsvc.exe

\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.microsoft.com/microsoftupdate

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {15F4A2B3-3119-4658-98E2-EB7B3C53DCDD} - C:\WINDOWS\system32\ljhfe.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} - (no file)

O2 - BHO: InlineSearchHandleHotKeys Class - {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} - \Program Files\Core Services\Inline Search\InlineSearch.dll

O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll

O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O2 - BHO: (no name) - {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} - (no file)

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - \Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe

O4 - HKLM\..\Run: [sonyPowerCfg] C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "D:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "D:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')

O4 - .DEFAULT User Startup: E-Flyer.lnk = C:\Program Files\Sony\E-Flyer\E-Flyer.exe (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Zoom &In - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomin.htm

O8 - Extra context menu item: Zoom &Out - C:\Documents and Settings\Andrei Tudoran.MIRACLE\Application Data\TuneUp Software\TuneUp Utilities\Web\tuzoomout.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - \Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)

O14 - IERESET.INF: START_PAGE_URL=http://vaio-online.sony.com/

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121775805920

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136462966394

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O20 - Winlogon Notify: wvuusqp - wvuusqp.dll (file missing)

O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - \Spyware Doctor\svcntaux.exe

O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - \Spyware Doctor\swdsvc.exe

O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - \Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

End of file - 8840 bytes

farbar

Good work. Your Hijackthis log is much better now. It is showing the HBO items and the infected (and removed) Winlogon.

But to make sure I suggest the following steps:

· Remove old Java versions due to security vulnerability. Go to start-control panel- add or remove programs and uninstall/remove all old versions of Java (Java version 1.4.2.3 and 1.4.2.5).

· Find the "hoksfkyw.dll " (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to start-control panel- folder options- view- check display the contents of system folders, check show hidden files and folders, uncheck hide extensions for known file type, click on apply.

· Please make a copy, zip password protected (password: "infected") and send it to a new topic. It helps the future prevention when it is added to database. Read this for more information.

· Close all windows including this one. Run hijackthis, click "Do a system scan only", check the following item and click on fix ckecked.

O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll

· Then chek if the file is removed. If the file is not removed it maybe in use. In that case go to safe mode and remove "hoksfkyw.dll " manually.

· Run VundoBeGone to scan your computer. To do that:

1.Click here download VundoBeGone and place it to your desktop.

2. Run VundoBeGone.exe and follow the instruction, it finishes and restarts the computer, you may experience BSOD (blue screen), this is normal.

Restart computer manually if needed.

When it finishes it creates a log: VirtumundoBegone (VBG.txt) on your desktop.

Please post the log with a new hijackthis log.

At the next step when your system is totally clean we fix the leftover items of hijackthis.

soidog2

Good work. Your Hijackthis log is much better now. It is showing the HBO items and the infected (and removed) Winlogon.

But to make sure I suggest the following steps:

· Remove old Java versions due to security vulnerability. Go to start-control panel- add or remove programs and uninstall/remove all old versions of Java (Java version 1.4.2.3 and 1.4.2.5).

· Find the "hoksfkyw.dll " (C:\WINDOWS\system32\hoksfkyw.dll). It may be hidden. Unhide it by going to start-control panel- folder options- view- check display the contents of system folders, check show hidden files and folders, uncheck hide extensions for known file type, click on apply.

· Please make a copy, zip password protected (password: "infected") and send it to a new topic. It helps the future prevention when it is added to database. Read this for more information.

· Close all windows including this one. Run hijackthis, click "Do a system scan only", check the following item and click on fix ckecked.

O2 - BHO: {f7feb0eb-f21f-5409-0324-f7dd75448a8c} - {c8a84457-dd7f-4230-9045-f12fbe0bef7f} - C:\WINDOWS\system32\hoksfkyw.dll

· Then chek if the file is removed. If the file is not removed it maybe in use. In that case go to safe mode and remove "hoksfkyw.dll " manually.

· Run VundoBeGone to scan your computer. To do that:

OK here's where we are , after rebooting , my privacy settings were reset again. I ran Vundofix once again; it found and deleted the dll you were looking for, together with a couple of other ones.

VundoBeGone did not find anything.

I fixed the BHO's in Hijackthis , there are a couple of other ones without any files attached. Will wait for further instructions and post the new logs

soidog2

[12/30/2007, 15:25:16] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )

[12/30/2007, 15:25:21] - Detected System Information:

[12/30/2007, 15:25:21] - Windows Version: 5.1.2600, Service Pack 2

[12/30/2007, 15:25:21] - Current Username: Andrei Tudoran (Admin)

[12/30/2007, 15:25:21] - Windows is in NORMAL mode.

[12/30/2007, 15:25:21] - Searching for Browser Helper Objects:

[12/30/2007, 15:25:22] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)

[12/30/2007, 15:25:22] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[12/30/2007, 15:25:22] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()

[12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/30/2007, 15:25:22] - No filename found. Continuing.

[12/30/2007, 15:25:22] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)

[12/30/2007, 15:25:22] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)

[12/30/2007, 15:25:22] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()

[12/30/2007, 15:25:22] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/30/2007, 15:25:22] - No filename found. Continuing.

[12/30/2007, 15:25:22] - Finished Searching Browser Helper Objects

[12/30/2007, 15:25:22] - Finishing up...

[12/30/2007, 15:25:22] - Nothing found! Exiting...

[12/30/2007, 15:36:50] - VirtumundoBeGone v1.5 ( "D:\Software downloads\VirtumundoBeGone.exe" )

[12/30/2007, 15:36:52] - Detected System Information:

[12/30/2007, 15:36:52] - Windows Version: 5.1.2600, Service Pack 2

[12/30/2007, 15:36:52] - Current Username: Andrei Tudoran (Admin)

[12/30/2007, 15:36:52] - Windows is in NORMAL mode.

[12/30/2007, 15:36:52] - Searching for Browser Helper Objects:

[12/30/2007, 15:36:52] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)

[12/30/2007, 15:36:52] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)

[12/30/2007, 15:36:52] - BHO 3: {87FFAAC7-767C-4A6A-BA78-442DAE6F084F} ()

[12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/30/2007, 15:36:52] - No filename found. Continuing.

[12/30/2007, 15:36:52] - BHO 4: {B6FFE2AE-4D12-451F-B457-FE6125FFB1CF} (InlineSearchHandleHotKeys Class)

[12/30/2007, 15:36:52] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)

[12/30/2007, 15:36:52] - BHO 6: {FC6AFFD0-D9EA-49E7-A724-B171DD7AE9B9} ()

[12/30/2007, 15:36:52] - WARNING: BHO has no default name. Checking for Winlogon reference.

[12/30/2007, 15:36:52] - No filename found. Continuing.

[12/30/2007, 15:36:52] - Finished Searching Browser Helper Objects

[12/30/2007, 15:36:52] - Finishing up...

[12/30/2007, 15:36:52] - Nothing found! Exiting...

soidog2

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5

Old versions of java are exploitable and should be removed.

Scan started at 8:54:37 AM 12/30/2007

Listing files found while scanning....

C:\WINDOWS\system32\hoksfkyw.dll

C:\WINDOWS\system32\ijdulmpl.ini

C:\WINDOWS\system32\lpmludji.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hoksfkyw.dll

C:\WINDOWS\system32\hoksfkyw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijdulmpl.ini

C:\WINDOWS\system32\ijdulmpl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lpmludji.dll

C:\WINDOWS\system32\lpmludji.dll Has been deleted!

Performing Repairs to the registry.

Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3

Old versions of java are exploitable and should be removed.

Java version is 1.4.2.5

Old versions of java are exploitable and should be removed.

Scan started at 10:38:39 AM 12/30/2007

Listing files found while scanning....

No infected files were found.

soidog2

Removed old java & will post Vundofix backup with the the infected files, remove the "bad" extension !

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:44:04 PM, on 12/30/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Unable to get Internet Explorer version!

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\msdtc.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

C:\WINDOWS\System32\svchost.exe

\Program Files\UPHClean\uphclean.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\WINDOWS\system32\mqsvc.exe

\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Sony\HotKey Utility\HKserv.exe

C:\Program Files\Sony\VAIO Power Management\SPMgr.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\system32\ezSP_Px.exe

C:\Program Files\Apoint\Apvfb.exe

\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Sony\HotKey Utility\HKWnd.exe

C:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe