Problems with Trojan_Downloader_Conhook

Discussion in 'Malware Help (A Specialist Will Reply)' started by newspapyrtaxi, Aug 1, 2006.

  1. newspapyrtaxi

    newspapyrtaxi Private E-2

    Hey, I'm Ellen, this is my first post blahblah I'm just looking for some good help. This is pretty long but hopefully detailed enough for someone to fix my problem...

    I have had recurring problems with the trojan Trojan_Downloader_Conhook. I use Webroot Spy Sweeper and it has detected this trojan numerous times and quarantines it, but each time it returns. I have a feeling it is also responsible for the numerous distracting popups I have been victim of as of late. Also, now when I log onto my username, the "system32" folder is always open even though I have never gone to open it myself, and that seems suspicious.

    Computer Specs
    I got some of these off the sticker that came on my laptop that I never peeled off. Hah. Some of this may be extra info, but I'm not even sure what some of it means or if it's necessary. Like this page said, there's no such thing as too much info...

    From System Properties under My Computer
    Microsoft Windows XP
    Home Edition
    Version 2002
    Service Pack 2
    480MB of RAM

    Off Sticker
    HP Pavilion dv1040us
    Intel Pentium M Processor 725 (1.6GHz, 2MB L2 cache, 400MHz FSB)
    512MB memory
    60GB hard drive

    As of now, I am in Normal Boot Mode and System Restore is on.

    I ran all the steps on the READ AND RUN ME FIRST page, and the program that came remotely close to identifying the trojan was Bitdefender, which ultimately failed at disinfecting/deleting it. Also, Panda ActiveScan told me I was infected.

    If anyone can offer any help, it would be appreciated. Attached to this post are the logs from CounterSpy (it wasn't recommended to use WindowsDefender with SP2?), Panda Active Scan, and BitDefender. I will post the HijackThis log in a reply to this because I can only fit 3 attachments. Hah.

    Wow that's long. If I somehow missed anything, please tell me and I'll do my best to get it for you. In advance -- Thanks for the help!
     

    Attached Files:

  2. newspapyrtaxi

    newspapyrtaxi Private E-2

    Here's the HijackThis log file, in case it's necessary.
     

    Attached Files:

  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    Using Add or Remove Programs in the Control Panel, uninstall the following:
    ViewPoint (Everything)
    WeatherBug
    WildTangent


    << The installed version of Java on this computer is outdated. Install Java Runtime Environment (JRE) 5.0 Update 7, available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer before installing the latest version of Java. >>

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  4. newspapyrtaxi

    newspapyrtaxi Private E-2

    It's 11:30PM where I am, I'm heading off to bed but I'll be right back here in the morning completing this. Thanks for the quick response.
     
  5. newspapyrtaxi

    newspapyrtaxi Private E-2

    Hmm.
    I started to follow your steps, I went to Add/Remove Programs and got rid of "Viewpoint MediaPlayer" (there was no Weatherbug or WildTangent to delete. eh), and then I updated all my Java stuff. But, I ran into a problem while trying to use HijackThis.

    I checked those files ^^ and clicked the 'Fix Checked' button, to which HijackThis responded something about closing Internet Explorer because it was removing a Browser Helper Object. So, I closed the IE window and clicked OK, but at that point Spy Sweeper and CounterSpy popped up telling me that WINLogin.exe was attempting to install a BHO. This, for some reason, caused HijackThis to just quit. So, I blocked the BHO thing through both SpySweeper and CounterSpy and tried HijackThis again (the files had not been deleted because it closed?), but the same happened again. Should I allow this BHO? Disable SpySweeper and CounterSpy while I run HijackThis? I don't want to go any further until this is solved in case I mess something up. Hah. Thanks for your patience.
    --Ellen
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Disable SpySweeper and CounterSpy. Exit them completely; they are blocking the fix by HijackThis.
     
  7. newspapyrtaxi

    newspapyrtaxi Private E-2

    HijackThis is still just quitting before it finishes (I exited SpySweeper and CounterSpy), and when I rerun it these lines ^^ are still present. Should I just continue on with the Pocket Killbox steps.....?
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Follow the directions for Running WinPfind by OldTimer.

    I'm going to try a different approach, instead of using HJT+Killbox.

    Post WinPFind.txt when finished.
     
  9. newspapyrtaxi

    newspapyrtaxi Private E-2

    Hm..it's storming here, and the power is sketchy so I think I'll continue this tomorrow. Thanks for your help.
     
  10. newspapyrtaxi

    newspapyrtaxi Private E-2

    WinPFind log attached.
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    Reboot to Safe Mode.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot to Normal Mode.

    Post a fresh HijackThis log.
     
  12. newspapyrtaxi

    newspapyrtaxi Private E-2

    HijackThis log.
     

    Attached Files:

  13. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note that many of the files in the list below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Post a fresh HijackThis log
     
  14. newspapyrtaxi

    newspapyrtaxi Private E-2

    Everything actually worked this time...yay.
    Fresh hijackthis log.
     

    Attached Files:

  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    A couple more entries need to be removed.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot and post a fresh HijackThis log.
     
  16. newspapyrtaxi

    newspapyrtaxi Private E-2

    Well, I tried to delete both the files, and HijackThis just quit like it was doing before (SpySweeper and CounterSpy are shut down). So, I tried deleting just the second file, and I think that worked. But I'm pretty sure it never deleted because every time I tried it just quit out...

    HijackThis log attached.
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download and install Registrar Lite

    Run Registrar Lite navigate to the following keys and take ownership of them (explained further down):

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    To take ownership of the key do the following:
    • Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the Enter key. This will bring you to the registry key.
    • Click on Security in the Menu
    • Select Take Ownership
    • Locate the Key with the value of /s
    • Now right click on the key and select Delete (let me know if you receive any error messages )
    • Exit RegistrarLite
    Reboot

    Post a fresh HijackThis log
     
  18. newspapyrtaxi

    newspapyrtaxi Private E-2

    Blah.
    Should I just go and delete that thing anyways...?
     
  19. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Don't download from the author's site. Download from a MG mirror.
     
  20. newspapyrtaxi

    newspapyrtaxi Private E-2

    HijackThis log
     

    Attached Files:

  21. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The registry key is still there. Did you delete it?
     
  22. newspapyrtaxi

    newspapyrtaxi Private E-2

    Hm...thinking I did something wrong, I went back and tried again......it turned out the same.
     
  23. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  24. newspapyrtaxi

    newspapyrtaxi Private E-2

    Both files attached...sorry for the delay
     

    Attached Files:

  25. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot

    Post a fresh HijackThis log.
     
  26. newspapyrtaxi

    newspapyrtaxi Private E-2

    hijackthis log
     

    Attached Files:

  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    This line is still there:
    O4 - HKCU\..\Run: [] /s

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the line. Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Post a fresh HijackThis log
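The stubborn entry above, `O4 - HKCU\..\Run: [] /s`, is an autostart value with an empty name under the current user's Run key, whose data is only a command-line switch rather than a program path. As an added example (not a MajorGeeks or HijackThis tool; the sample log lines are constructed), the script below parses HijackThis O4 lines, flags entries like that one, and writes the .reg fragment that removes them, using `@=-` for an empty value name, which is the key's (Default) value in .reg syntax, and `"name"=-` for a named value.

```python
"""Parse HijackThis-style O4 autostart lines and emit a .reg fragment that
deletes suspicious Run values. Added example for this thread; the sample
log below is constructed, not taken from the poster's attachments."""
import re

# Constructed sample: two ordinary entries plus the anomalous one from the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] C:\\Program Files\\Java\\bin\\jusched.exe
O4 - HKCU\\..\\Run: [] /s
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# O4 - <hive>\..\Run: [<value name>] <value data>
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")


def parse_o4(log_text):
    """Return (hive, value_name, data) for every O4 Run line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def is_suspicious(value_name, data):
    """Flag an empty value name (the key's default value, unusual for a
    legitimate autostart) or data with no executable path, only a switch."""
    if value_name == "":
        return True
    return not re.search(r"\.(exe|com|bat|cmd|scr|pif|dll)\b", data, re.I)


def reg_fragment(entries):
    """Build .reg text deleting the flagged values: "name"=- removes a named
    value and @=- removes the (Default) value of the key."""
    by_hive = {}
    for hive, name, data in entries:
        if is_suspicious(name, data):
            by_hive.setdefault(hive, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for hive, names in by_hive.items():
        lines.append(f"[{HIVES[hive]}\\{RUN_KEY}]")
        lines.extend("@=-" if n == "" else f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(reg_fragment(parse_o4(SAMPLE_LOG)))
```

Merging the fragment only removes the value if the current account has write access to the key; when a merge or a HijackThis fix keeps failing without an error, restricted permissions on the key are one of the things to check, which is what the take-ownership step earlier in the thread addresses.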
     
  28. newspapyrtaxi

    newspapyrtaxi Private E-2

    Umm...I'm still having that problem that when I try to delete that file, HijackThis just quits. I posted a log anyways, but I think it still has that file anyways.
     

    Attached Files:

  29. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I just noticed a syntax error in a previous registry patch.

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop.
    Close Notepad.

    Reboot to Safe Mode.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Reboot to Normal Mode.

    Post a fresh HijackThis log.
     
  30. newspapyrtaxi

    newspapyrtaxi Private E-2

    School-starting crap. Sorry...quite a delay for a simple log.
     

    Attached Files:

  31. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Completely exit Spy Sweeper; it may be blocking the fix.

    Now fix this line with HijackThis:
    O4 - HKCU\..\Run: [] /s

    Reboot

    Post a fresh HijackThis log.
     
  32. newspapyrtaxi

    newspapyrtaxi Private E-2

    Ugh, sorry this is so late. HijackThis is still quitting on me when I try to delete that one thing. On the other hand, my computer is running better.
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Let's try this new tool out: Sophos Anti-Rootkit 1.1

    If it finds something, try to fix them, then attach a log. There will be no log if nothing is found.
     
  34. newspapyrtaxi

    newspapyrtaxi Private E-2

    I guess I'm just incompetent at keeping up with this. My next post will be, like, in November. Ha. My computer's running slow again, and that Sophos program didn't find anything, but it did give a warning that it couldn't flush drive "//.C." or something like that. I also attached a HijackThis log because something may have changed in the 2 weeks I forgot to be running that program.
     

    Attached Files:

  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have both Spy Sweeper and CounterSpy running on your computer. You only really need one active Anti-Spyware application. Spy Sweeper is the better of the 2 programs. Uninstall CounterSpy unless you have the paid version; if that is the case, then just keep it from loading at system start.

    What does that do for your system performance?
     
  36. newspapyrtaxi

    newspapyrtaxi Private E-2

    It didn't make that much of a difference. hmm.

    This is a random question, but I have SpySweeper installed...is that enough, or should I also use McAfee (I can get it for free through my Comcast stuff)?
     
  37. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sorry for taking so long in getting back to you. I've been really busy over the last couple of weeks, as real life has required a lot of attention of late.

    SpySweeper is not an Anti-Virus application; it is an Anti-Spyware application.

    See How to Protect yourself from malware! for our recommendations.
     
