Results 1 to 5 of 5

Thread: trojan downloader conhook

  1. #1
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default trojan downloader conhook

    Let me start off saying that I'm 30 miles from town, with a 24Kbps dial up connex. I ordered a copy of W2K SP4 from microsoft, rather than waiting 12 hrs to dl it from winupdate. I came across this site, and DL'd Spybot and HJT. Just to be more prepared to ask for help.
    IF the DL'n and scan'n can be kept to a min, I'd appreciate it. Online scans sometimes take 30-40 mins. With such a slow hookup,and this dang trojan eating up what little bandwidth I've got, any programs that are zipped would be helpfull.

    I've noticed that this trojan is changing its dll's as I try to remove it.

    Thanks a BUNCH in advance.

    HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:06:29 PM, on 12/5/2005
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\csrss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\csrss.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINNT\System32\taskmgr.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.thedieselstop.com/ubbt...=&Board=73idi1
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D9558BDD-44BB-4379-B20C-0EEDCDF84407}: NameServer = 209.244.0.3 209.244.0.4
    O20 - Winlogon Notify: iiiif - C:\WINNT\SYSTEM32\iiiif.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINNT\csrss.exe

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi Jed
    Welcome to the forum

    Is your Spysweeper the current version and updated ?

    Reboot into safe mode and delete this file at only this location

    C:\WINNT\csrss.exe

    while still in safe mode run SpyBot then Sweeper
    and have them fix anything found

    Reboot back to normal , once back make and post another log

    Why dont we see an antivirus program ?

  3. #3
    Junior Member
    Join Date
    Dec 2005
    Posts
    0

    Default

    Well, no Anti-Virus because I was waiting for my copy of W2K/SP4. Guess what was in the mail yesterday.
    I started with a fresh reload of Win2k W/ SP4, Norton System Works, AdAware SE, and Spybot S&D.
    Things seem to be runnin pretty well, now. I'm getting about 21 Kbps for downloads, again. I got Spybot S&D in about 25 mins.:p I sure miss my cable modem, I had in town.

    After deleted csrss.exe in safe mode, my computer would not boot. ??

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Im confused, is the pc running well or not bootable ?
    Did you delete the correct csrss.exe, it is of cource lagitamat if in the system32 folder

    PS i would take the time to download install update and scan with an antivirus program, (not just an online scan) before installing SP4.

    If possible zip up and attach this file to your next reply
    C:\WINNT\SYSTEM32\iiiif.dll

  5. #5
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,708

    Default

    Due to lack of a response this topic will be archived.
    If you need the topic reopened please pm me.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •