Trojan Downloader Conhook



snyderjt
2006-08-08, 09:17
I need any help you can offer to get rid of this trojan and any other spyware/viruses I may have. Here are my logs. Thanks in advance.

steamwiz
2006-08-08, 23:07
Hi

So What is telling you Trojan Downloader Conhook ?

There's nothing in the Pandascan ...

This looks as though it could be ....

O2 - BHO: (no name) - {4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0} - C:\WINDOWS\system32\IR4IER.dll
O20 - Winlogon Notify: IR4IER - C:\WINDOWS\SYSTEM32\IR4IER.dll

I see you have EWIDO, and as far as I am aware EWIDO will delete Trojan Downloader Conhook

Run EWIDO and update it .... then boot to safemode

scan with EWIDO and SAVE the log...

Boot back to normal mode..

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom. :-


O2 - BHO: (no name) - {4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0} - C:\WINDOWS\system32\IR4IER.dll
O2 - BHO: (no name) - {a8874c5b-900a-4751-9054-8565879f9f92} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1452/ftp.coupons.com/r3302/cpbrkpie.cab

O20 - Winlogon Notify: IERCOI - IERCOI.dll (file missing)
O20 - Winlogon Notify: IR4IER - C:\WINDOWS\SYSTEM32\IR4IER.dll


Post a new hijackthis log + the EWIDO log

steam

snyderjt
2006-08-10, 10:31
Hi Steam,

Originally the program Spysweeper was finding and telling me the Trojan Downloader Conhook was on my computer. Don't know why Pandascan didn't find it.
Anyway, did all the things you requested. Ewido found the Trojan. BTW, I couldn't get Ewido to update. Don't know if that is a problem with the program I downloaded or a problem with my computer. I did not fix anything using Ewido.
Also ran the HJT and it fixed all except the first O2 line and the second O20 line. They actually look to me like they are related.

Anyway, I'll wait for any further assistance you may have. Thank you.
Here are the Ewido log & the HJT log.
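The two lines HijackThis could not fix above point at the same DLL from two different load points: an O2 entry (a Browser Helper Object registered under a CLSID) and an O20 entry (a Winlogon Notify package, which winlogon.exe loads at logon, so the file is in use in normal mode). The following is an added example, not code from the thread or from HijackThis: a small parser for the O2/O3/O20 line format shown in the posts that correlates BHO and Winlogon Notify entries by DLL path (case-insensitively, since the log spells system32 two ways) and separates orphaned entries whose file is missing. The sample input is the set of lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the HijackThis lines quoted in the thread above.
HJT_LINES = r"""
O2 - BHO: (no name) - {4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0} - C:\WINDOWS\system32\IR4IER.dll
O2 - BHO: (no name) - {a8874c5b-900a-4751-9054-8565879f9f92} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O20 - Winlogon Notify: IERCOI - IERCOI.dll (file missing)
O20 - Winlogon Notify: IR4IER - C:\WINDOWS\SYSTEM32\IR4IER.dll
"""

# O2 (BHO) and O3 (Toolbar) lines: section - kind: name - {CLSID} - target
COM_RE = re.compile(r"^(O2|O3) - (BHO|Toolbar): (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
# O20 lines: Winlogon Notify: registry subkey name - DLL
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# Annotations HijackThis adds when the referenced file does not exist on disk.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt(text):
    """Turn O2/O3/O20 log lines into dicts; other sections are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = COM_RE.match(line)
        if m:
            section, kind, name, clsid, target = m.groups()
            entries.append({"section": section, "kind": kind, "name": name,
                            "clsid": clsid.lower(), "target": target})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            name, target = m.groups()
            entries.append({"section": "O20", "kind": "Winlogon Notify",
                            "name": name, "clsid": None, "target": target})
    return entries


def is_orphan(entry):
    """True when HijackThis marked the target as absent from disk."""
    return any(mark in entry["target"].lower() for mark in MISSING_MARKERS)


def norm_path(target):
    """Strip a missing-file annotation and fold case (NTFS paths are case-insensitive)."""
    for mark in MISSING_MARKERS:
        target = target.replace(mark, "")
    return target.strip().lower()


def shared_dlls(entries):
    """DLL paths registered both as a BHO (O2) and as a Winlogon Notify package (O20)."""
    sections_by_path = defaultdict(set)
    for e in entries:
        if not is_orphan(e):
            sections_by_path[norm_path(e["target"])].add(e["section"])
    return sorted(p for p, s in sections_by_path.items() if {"O2", "O20"} <= s)


def report(text):
    entries = parse_hjt(text)
    orphans = [e for e in entries if is_orphan(e)]
    # Live COM objects that register no display name deserve a closer look.
    unnamed_live = [e for e in entries
                    if e["section"] in ("O2", "O3") and e["name"] == "(no name)"
                    and not is_orphan(e)]
    return {"entries": len(entries), "orphans": len(orphans),
            "unnamed_live": len(unnamed_live), "shared": shared_dlls(entries)}


if __name__ == "__main__":
    for key, value in report(HJT_LINES).items():
        print(f"{key}: {value}")
```

For the quoted lines the report shows three orphaned entries (harmless leftovers that only need their registry references removed), one live unnamed BHO, and exactly one DLL shared by an O2 and an O20 entry, which is the correlation the poster noticed by eye.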

steamwiz
2006-08-11, 00:32
Hi

How did you try to update ewido ?

1. From the main ewido screen, click on update in the left menu, then click the Start update button.

2. After the update finishes (the status bar at the bottom will display "Update successful")

If you can't update this way ...You may need to manually update the definitions which you can get HERE (http://www.ewido.net/en/download/updates/)

Then...

Please run ewido in safemode again and post the new ewido log ...

If this (C:\WINDOWS\SYSTEM32\IR4IER.dll) doesn't show up in the new ewido scan & get deleted, then we'll try to remove it a different way...

steam

snyderjt
2006-08-11, 06:57
Hi Steam,

1. I tried to update ewido from the main screen using the update button. The program keeps giving me the message that it cannot find the server. Because of this, I just manually downloaded the updates. They are included in the ewido folder.

2. I ran ewido in safe mode again, but I still didn't delete anything.

Here are the two logs again.

Thanks.

JT

steamwiz
2006-08-11, 23:42
Hi

Please run Ewido again & this time let it clean/delete all it finds...

Then ...

Please go here :-

http://virusscan.jotti.org/

Upload this file from your computer :-


C:\WINDOWS\SYSTEM32\IR4IER.dll

copy & paste the above bold line into the "File to upload and scan" box...

or click the browse button and browse to the file on your computer...

Then click the submit button


Post back the results

cheers

steam

tashi
2006-08-17, 15:23
Still with us snyderjt?

snyderjt
2006-08-18, 08:18
Sorry Tashi,

Just had to be away from the computer for a few days. I'll now go ahead and do the things that were last requested by steamwiz. Thanks.

JT

snyderjt
2006-08-18, 09:18
Steam,

Sorry it took so long to reply to your last message. But here it is.
I did all that you requested. Here are the new logs.

JT

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1


File: IR4IER.dll
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 a0658ee29201a624202d59bd2c25ad4c
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing


steamwiz
2006-08-18, 21:13
Hi

Please run ewido again and let it clean/delete the 3 entries it found, then run it again and make sure you get a clean log ... if it isn't clean, then post the log again...

Then please go here and upload the same file you uploaded to jotti...

http://www.virustotal.com/flash/index_en.html

click the browse button and browse to the file on your computer :-

C:\WINDOWS\SYSTEM32\IR4IER.dll

Please post the results

steam

snyderjt
2006-08-20, 08:22
Hi Steam,

Here are the results from virustotal and my most recent HJT log.
When I ran the ewido scan it did not turn up anything.
Waiting for the next move.

Thanks
JT

STATUS: FINISHED
Complete scanning result of "IR4IER.dll", received in VirusTotal at 08.20.2006, 07:14:51 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
Authentium 4.93.8 08.19.2006 no virus found
Avast 4.7.844.0 08.18.2006 no virus found
AVG 386 08.18.2006 no virus found
BitDefender 7.2 08.20.2006 no virus found
CAT-QuickHeal 8.00 08.18.2006 no virus found
ClamAV devel-20060426 08.20.2006 no virus found
DrWeb 4.33 08.19.2006 DLOADER.Trojan
eTrust-InoculateIT 23.72.101 08.18.2006 no virus found
eTrust-Vet 30.3.3026 08.18.2006 Win32/Darksma!generic
Ewido 4.0 08.19.2006 no virus found
Fortinet 2.77.0.0 08.20.2006 no virus found
F-Prot 3.16f 08.18.2006 no virus found
F-Prot4 4.2.1.29 08.19.2006 no virus found
Ikarus 0.2.65.0 08.18.2006 no virus found
Kaspersky 4.0.2.24 08.20.2006 no virus found
McAfee 4832 08.18.2006 no virus found
Microsoft 1.1560 08.17.2006 no virus found
NOD32v2 1.1715 08.18.2006 no virus found
Norman 5.90.23 08.18.2006 no virus found
Panda 9.0.0.4 08.19.2006 Suspicious file
Sophos 4.08.0 08.19.2006 no virus found
Symantec 8.0 08.20.2006 no virus found
TheHacker 5.9.8.195 08.18.2006 no virus found
UNA 1.83 08.18.2006 no virus found
VBA32 3.11.0 08.18.2006 no virus found
VirusBuster 4.3.7:9 08.19.2006 no virus found


Aditional Information
File size: 34304 bytes
MD5: a0658ee29201a624202d59bd2c25ad4c
SHA1: 6d230d0751ac48c92eecb0e81670d388c6253c7a
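The two multi-engine reports in this thread use different layouts (Jotti prints "Engine Found verdict", VirusTotal prints "Engine Version Date Result") and only a minority of engines flag the file, partly on heuristics. As an added example, not part of the thread or of either service, here is a parser for both formats that counts detections (treating "Suspicious file" as a hit, like the helper did), lists the engines that flagged the sample, and checks that the MD5 printed by both services matches, which confirms the same file was submitted twice. The inputs are constructed excerpts of the reports pasted above, not the full tables.

```python
import re

# Constructed excerpt of the Jotti output pasted in the thread (not the full table).
JOTTI_REPORT = """\
File: IR4IER.dll
MD5 a0658ee29201a624202d59bd2c25ad4c
AntiVir Found nothing
Dr.Web Found DLOADER.Trojan (probable variant)
Kaspersky Anti-Virus Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
"""

# Constructed excerpt of the VirusTotal output pasted in the thread (not the full table).
VT_REPORT = """\
Antivirus Version Update Result
AntiVir 6.35.1.3 08.18.2006 no virus found
DrWeb 4.33 08.19.2006 DLOADER.Trojan
eTrust-Vet 30.3.3026 08.18.2006 Win32/Darksma!generic
Kaspersky 4.0.2.24 08.20.2006 no virus found
Panda 9.0.0.4 08.19.2006 Suspicious file
Symantec 8.0 08.20.2006 no virus found
MD5: a0658ee29201a624202d59bd2c25ad4c
SHA1: 6d230d0751ac48c92eecb0e81670d388c6253c7a
"""

# Verdict strings that mean "clean" in the two layouts (Jotti's "Found nothing"
# loses its "Found" when split, and its statistics table uses "X" for no hit).
CLEAN_VERDICTS = {"nothing", "no virus found", "x"}
HASH_RE = re.compile(r"^(MD5|SHA1):?\s+([0-9a-fA-F]{32,40})$", re.M)
DATE_RE = re.compile(r"\d{2}\.\d{2}\.\d{4}")


def parse_jotti(text):
    """Map engine name -> verdict from 'Engine Found verdict' lines."""
    results = {}
    for line in text.splitlines():
        if " Found " in line:
            engine, verdict = line.split(" Found ", 1)
            results[engine.strip()] = verdict.strip()
    return results


def parse_virustotal(text):
    """Map engine name -> verdict from 'Engine Version mm.dd.yyyy Result' lines."""
    results = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4 and DATE_RE.fullmatch(parts[2]):
            results[parts[0]] = parts[3]
    return results


def hashes(text):
    """Collect MD5/SHA1 values printed in a report, lower-cased for comparison."""
    return {algo.lower(): value.lower() for algo, value in HASH_RE.findall(text)}


def detections(results):
    """Engines whose verdict is anything other than a clean marker."""
    return {e: v for e, v in results.items() if v.strip().lower() not in CLEAN_VERDICTS}


def summarize(jotti_text, vt_text):
    jotti, vt = parse_jotti(jotti_text), parse_virustotal(vt_text)
    jotti_hashes, vt_hashes = hashes(jotti_text), hashes(vt_text)
    return {
        # Same MD5 in both reports means both services looked at the same bytes.
        "same_sample": jotti_hashes.get("md5") == vt_hashes.get("md5"),
        "jotti": (len(detections(jotti)), len(jotti)),
        "virustotal": (len(detections(vt)), len(vt)),
        "flagged_by": sorted(set(detections(jotti)) | set(detections(vt))),
    }


if __name__ == "__main__":
    for key, value in summarize(JOTTI_REPORT, VT_REPORT).items():
        print(f"{key}: {value}")
```

On the excerpts this yields 1 of 5 engines at Jotti and 3 of 6 at VirusTotal, with a matching MD5; on the full tables in the thread the ratios are 1 of 15 and 3 of 27, a low-confidence result that explains why the helper asked for a second service rather than acting on the first report alone.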

steamwiz
2006-08-20, 21:21
Hi

Disconnect from the internet, close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the list below. When all are ticked (checked), click the Fix Checked button at the bottom. :-


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com

O2 - BHO: (no name) - {4E86A50B-A7FF-4cae-B8B7-28A13B6D46F0} - C:\WINDOWS\system32\IR4IER.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

O20 - Winlogon Notify: IR4IER - C:\WINDOWS\SYSTEM32\IR4IER.dll



Reboot, run hijackthis and post a new log ...

In post #3 you said ...


Originally the program Spysweeper was finding and telling me the Trojan Downloader Conhook was on my computer.


Could you not remove it with Spysweeper?
Did Spysweeper give you the name and/or location of the file?
Is Spysweeper still finding it?

steam

tashi
2006-08-25, 21:35
snyderjt still with us?

tashi
2006-08-29, 09:48
:scratch:

This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.