Permanent removal of Win32.ConHook.ah
Nomad_Disaster
2007-07-13, 20:24
Hi, my system recently picked up Win32.ConHook.ah and I can't seem to find a way to remove it. Both Adaware personal and Spybot S&D detect it, then say they have fixed the problem, but an immediate re-scan detects the problem as still being present. Spybot S&D resident is blocking it from modifying my registry, but I still can't seem to remove it.
Does anybody have any suggestions as to how I can remove the problem for good?
Hi there.
Did you run a Spybot-S&D scan in safe mode?
1) Reboot your computer into Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, begin tapping F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
2) Open Spybot-S&D while still in safe mode.
Close all browsers, check for problems and fix everything found in red.
Repeat until no more items are found in red.
a) Close Spybot-S&D
b) Reboot back into Windows
If the answer to the above is yes, or if it did not resolve the problem, follow the procedure in this link:
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)
A helper will advise you when available. Regards.
md usa spybot fan
2007-07-13, 21:18
I would like to add:
Nomad_Disaster:
There appear to be several detections for Win32.ConHook.ah (cookie, Trojan as well as a detection listed in beta). Please post a log of the actual detection(s) you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.
Thanks
Nomad_Disaster
2007-07-14, 01:06
Okay, thanks for the swift responses. As requested, I am moving this thread to the Malware forums; I'll post the logs and other information there.
Same problem here.
win32.conhook.ah won't go away!!!
Ran "HiJackThis", and found the address in Spybot corresponded to a file in the "02" section of HiJackThis. Also corresponds to the file vundofix.exe wanted to eliminate... c:\windows\system32\igfdlv.dll among others.
I also found a thread on the dell forum discussing this problem, pointing people to run this vundofix.exe program.
Ran Vundofix in Safe Mode, it removed some files, and I THINK it's fixed. Re-ran Vundofix and Spybot S&D and no infections were detected. (FINALLY! This took me a full day to track down!)
So the short of it - try running Vundofix.exe (use Safe Mode). That may fix your problem!!
http://www.atribune.org/content/view/24/2/
{breathes sigh of relief}
PS I think it helped that I took the suspect computer off the internet. I think this Vundo program may have been trying to download new viruses/spyware as I was trying to remove them. pesky. stubborn. ugh.
done.
Hello.
Malware removal advice is given here: Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)
md usa spybot fan also requested more information.
While Atribune's tool is used in our HJT forum, we make an analysis before giving advice. ;)