trojan conhook a

I have just done a scan with Trend Micro and it found this trojan in 2 files; it says it's not cleanable… any advice appreciated…

infected files…C:\windows\system32\req.dll
C:\1.exe

thanks guys

Hi Suszannah,

This is a download trojan. Look here for instructions:
http://www.bullguard.com/forum/10/DownloadTrojan-windowssystem32_14598.html
The reg.dll and 1.exe work together to get passwords.
The tricky thing is you require a clean reg.dll file to put back later, because Windows needs it in Explorer to open up new windows. The nastiness of new viruses is they use files that are indispensable for normal Windows function, so clear out the virus and your Windows won't function properly.

greetings,

POLONUS

  1. If they weren't detected by avast (I assume they weren't?), then if you can, zip and password protect ('virus' will do) the suspect file/s and send it to virus @ avast.com (no spaces).

Give a brief outline of the problem, the fact that you believe it to be an undetected trojan and include the password in the body of the email. Some info on the avast version and VPS number you are using will also help.

  1. Google is your friend if you have a query: a search for reg.dll and 1.exe or 'trojan conhook a' should return information, probably how polonus found the information.

You need to run HijackThis and find the entries for either reg.dll or 1.exe (they have to be run, so they should be detected by HJT); fixing the entries will remove the registry entries and stop it running (then they can be deleted without being regenerated).
Download HiJackThis.zip - HJT Information HiJackThis Tutorial
For an on-line analysis - HiJackThis Log file - On-line Analysis
Ignore any O23 reference to avast processes, this is a hiccup in HJT 1.99.1 (especially the missing file entry for avast); if you need any help with any of the analysis let us know.

Thank you both… no, Avast did not pick up on these; it was only because I had nothing to do that I ran a Trend Micro scan, not because I suspected anything wrong… I was hoping the solution would be a little easier though… this looks really daunting… :frowning:

Nothing daunting: download HJT, visit the Tutorial site, print out the information if necessary (you don't want to be on-line or have your browser open when running HJT).

Then take it a step at a time.

I have used HJT, but can't see it in there??? Out of the 13 different A/V on Jotti, 5 found nothing, including Avast; the other 8 picked them up… just want to get rid of them the easiest way… :slight_smile:

Hi David
I’m attaching Sus’s HJT logfile. She sent it to me thru AIM. ;D

Why can I not see that log file?

Right-click on it and then choose either download or open.

Bob, it's working now… for some reason earlier it was trying to save as a .php file no matter what I did… and yep, I was logged in.

Because it has been posted as a .log file you have to download it (Firefox won't open it online); as a .txt attachment you should be able to open it.

David… yeah, I got it… It was just some weird quirk earlier when I tried to do it and it kept saying the filename was .php. Did exactly the same thing when I logged in this time and it downloaded as it should. I don't see anything in her log about that virus… I sent her instructions via email to help her find and zip them up and email them to avast…

There are a few Unknown entries according to HJT's on-line analysis, saved below; check if they are known by Suz.

http://hijackthis.de/logfiles/1c05a94df56bcd740db7484b91d614b0.html

Unfortunately there is a lot there I have no idea about, not knowing if they are down to how AoHell works or what is running on Suz's system that should be there.

As has been said, reg.dll and 1.exe aren't listed, so I would suggest switching off System Restore and deleting them both.

David… yes, exactly… I also sent her some directions on how to get rid of them both should she run into problems with that. I chose to ignore those entries in the HJT log for now as they do not appear to have anything to do with the virus… for now she should take care of that first.

The actual virus-related files aren't showing up at all in her log.
I know that C:\windows\system32\req.dll should be listed in HJT as a #20 but it’s not on her log???

Dear DavidR,

First she must make the dll's of the virus visible, e.g. req.dll. Maybe if she has it there, she can delete it first in the registry, and then delete the file, or in that phase let her run Killbox. David, you had better explain to Suszannah how to make this dll visible in XP, how to disable reinstall (which otherwise automatically restores the situation), how to put XP in Safe Mode, and how to return to the normal situation afterwards. Every trojan removal sheet gives that instruction loud and clear and step by step. These must be our house rules. Later, when she has got rid of the downloader virus or the req.dll trojan, which probably came along with the free viewer she installed, I am not sure. I cannot warn enough against installing freeware from non-trusted sources. Lively dangerous practice. You may get yourself in big trouble. Later, when she has cleared out the virus, she can take care of the ad- and spyware in the log (run Ad-aware, Spybot S&D, Bazooka), but that is a next issue. FSCapture.exe may be safe, but where has she downloaded it from, aha? Did she scan every zip before installing? But the HJT logfile isn't that hopeless, I should think (apart from the toolbar). Please explain here step by step how to proceed, and things will be all right,

kindest regards from,

polonus

Thank you all for the advice, much appreciated… I have taken the easy way out, although I didn't realise I could do it this way…

I searched in Files and Folders for the 2 files, which luckily were easy enough to locate, next deleted them, re-booted and ran Trend Micro again… which showed clear… I have learned a lot from this:
how to do a hjt log, and find it after… :slight_smile:
how to zip files up, I knew how to unzip them… :slight_smile:

Now I just want to know where the flipping things came from???
And how long they have been there??

Hi Suszannah,

Well, you have to put it to the litmus test now: restart your comp, then look for these files again. If they have not reappeared, I congratulate you on doing it right. How to do a HJT log and save it later: download HJT, put it in temp, scan it, make an empty program folder named HijackThis, unzip it there, make a shortcut from there to your desktop and run the first option, scan; together with that you will get a Notepad text file on the screen. Save this text file under the name for today, as HijackThis May 24th of 2005.log, in My Documents, where you have created an empty folder named My Logs. The log text can be taken to forums and helpful people through a procedure normally known as "cut and paste". You know how to do that, don't you? Good luck.

For David, this site proves what you say about Google; it is a special one to look for security problems there: Niktoogle. Use it to your advantage: http://net-security.org/software.php?id=493 Or maybe you already have it on board. All the best, and fare Thee well,

polonus

Suz… sorry I had to run out on you but glad to see you understood my emails… Knew you could do it :slight_smile:

Polonus… yep… I also told her about killbox “just in case”

Dear Con,

With igfxsrvc.dll I do not know why the German HJT analyzer makes a hit on this one, because it is the Intel Graphics Accelerator module helper, and according to my knowledge no spyware. Can you copy that?

Have a nice day,

polonus

PS. It is shimmerin' dusk now here on this side of the Atlantic, we are nearing night; I am some 20 kilometers off the North Sea coast, near Rotterdam, and some 30 kilometers from Utrecht in the other direction.