I ran across several topics for removing Trojan:Win32/Conhook.D infections.
I have Windows Defender installed and it identified the bug in the first place but would not remove it. After reading the posts I followed the instructions, so this is what I have done so far:
Booted to Safe mode
Ran ATF and cleaned everything
Installed HijackThis
Installed Combofix
Ran Combofix (log below)
Combofix rebooted into Normal mode
Ran HijackThis (log below)
ComboFix found 'Anti Spyware Master', which was identified by Windows Defender, and removed what appear to be the associated files. I am looking for further analysis of the log files to validate that the machine is clean. IE7 is running much better at this point.
Thanks in advance,
MarkedMan
ComboFix 08-04-22.5 - Administrator 2008-04-24 11:48:45.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.772 [GMT -7:00]
Running from: C:\MIS\Spyware Clean\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\AntiSpywareMaster
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\geBtQijj.dll
C:\WINDOWS\system32\gjyemltk.dll
C:\WINDOWS\system32\khfDsRHX.dll
C:\WINDOWS\system32\ktlmeyjg.ini
C:\WINDOWS\system32\misfwpkp.ini
C:\WINDOWS\system32\piqnvrfp.dll
C:\WINDOWS\system32\pkpwfsim.dll
C:\WINDOWS\system32\wvUnMeBR.dll
C:\WINDOWS\system32\wvUonnMc.dll
C:\WINDOWS\system32\XHRsDfhk.ini
C:\WINDOWS\system32\XHRsDfhk.ini2
E:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.
2008-04-24 11:43 . 2008-04-24 11:43 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 11:43 . 2008-04-24 11:43 <DIR> d-------- C:\MIS
2008-04-23 14:55 . 2007-06-28 08:43 <DIR> d--h----- C:\Documents and Settings\mark.levy\Application Data\Gtek
2008-04-23 14:55 . 2007-05-17 12:49 <DIR> d-------- C:\Documents and Settings\mark.levy\Application Data\ATI
2008-04-23 14:55 . 2008-04-24 11:57 1,024 --ah----- C:\Documents and Settings\mark.levy\ntuser.dat.LOG
2008-04-23 14:54 . 2008-04-23 14:55 <DIR> d-------- C:\Documents and Settings\mark.levy
2008-04-22 15:40 . 2008-04-22 15:40 <DIR> d-------- C:\Program Files\Windows Defender
2008-04-22 13:21 . 2008-04-23 14:56 109,738 --a------ C:\WINDOWS\BM4f11da52.xml
2008-04-22 13:08 . 2008-04-22 13:08 41,723 ---hs---- C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-04-22 13:08 . 2008-04-22 13:08 37,376 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-04-22 13:08 . 2008-04-22 13:12 37,376 --a------ C:\WINDOWS\mrofinu572.exe
2008-04-22 13:07 . 2008-04-22 13:10 <DIR> d-------- C:\Quarantine
2008-04-03 09:34 . 2008-04-03 09:34 88,475 --a------ C:\2008 Cell_phone_FAQ[1].pdf
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 22:53 --------- d-----w C:\Program Files\Yahoo!
2008-04-22 22:50 --------- d-----w C:\Documents and Settings\Lisa.Milanes\Application Data\Yahoo!
2008-04-22 22:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-03-07 18:36 --------- d-----w C:\Program Files\Windows Media Connect 2
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 08:12 90112]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-10-10 18:07 136768]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49 49152]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2008-01-24 20:50 111952]
"basicsmssmenu"="C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 17:21 169328]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 09:57 245760]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 19:28:24 258048]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-04 19:50:52 53248]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBtQijj]
geBtQijj.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4c22e9ce]
C:\WINDOWS\system32\pkpwfsim.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM4f11da52]
C:\WINDOWS\system32\piqnvrfp.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
--a------ 2007-05-17 12:13 61440 c:\dell\bldbubg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 03:20 122940 C:\WINDOWS\System32\DLA\DLACTRLW.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 18:29 49152 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2004-07-27 14:50 221184 C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2004-07-27 14:50 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
--a------ 2008-04-22 13:12 37376 C:\WINDOWS\mrofinu572.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2006-05-01 00:07 843776 C:\Program Files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2003-11-19 17:48 32881 C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2006-09-14 01:45]
R2 Basics Service;Basics Service;"C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe" [2007-10-09 17:21]
.
Contents of the 'Scheduled Tasks' folder
"2008-04-24 18:59:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 11:58:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Network Associates\Common Framework\Mctray.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
.
**************************************************************************
.
Completion time: 2008-04-24 12:01:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 19:01:25
Pre-Run: 63,449,313,280 bytes free
Post-Run: 62,563,069,952 bytes free
140 --- E O F --- 2008-04-24 17:43:20
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:06:35 PM, on 4/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6070517
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00C7C2A0-8B82-11D1-8B57-00A0C98CD92B} (ActiveReports Viewer) - http://misnts18.dals...W2/arviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1183045324281
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\Software\..\Telephony: DomainName = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = it.maxim-ic.internal
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = it.maxim-ic.internal,maxim-ic.internal,maximhq.com,mxim.com,dalsemi.com
O20 - Winlogon Notify: geBtQijj - geBtQijj.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
--
End of file - 6399 bytes