
Thread: BHO trojan downloader conhook.gen could not be removed

  1. #1
    Junior Member | Join Date: Jun 2007 | Posts: 1

    BHO trojan downloader conhook.gen could not be removed

    Hi, I've tried every way to remove the BHO trojan downloader conhook.gen that I was infected with a few days ago, but none works; the trojan is still there.

    Suspected:
    O2 - BHO: (no name) - {B5B27B22-B2C5-430C-953E-F1327AEA3C97} - c:\windows\system32\ghccghc.dll
    O20 - Winlogon Notify: gvtfvqdm - C:\WINDOWS\SYSTEM32\ghccghc.dll

    I tried removing it by checking O2 and O20 and doing "Fix checked", but it still comes back. Scanning with AVG, AVG AntiSpyware, SpybotSD, and Ad-Aware returns clean results.

    A scan of "ghccghc.dll" on VirusTotal returns:
    ---------------------------------------------------
    AhnLab-V3 2007.6.11.0 06.11.2007 no virus found
    AntiVir 7.4.0.32 06.11.2007 TR/Dldr.ConHook.Gen
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.09.2007 no virus found
    AVG 7.5.0.467 06.10.2007 no virus found
    BitDefender 7.2 06.11.2007 no virus found
    CAT-QuickHeal 9.00 06.09.2007 no virus found
    ClamAV devel-20070416 06.10.2007 no virus found
    DrWeb 4.33 06.10.2007 no virus found
    eSafe 7.0.15.0 06.10.2007 no virus found
    eTrust-Vet 30.7.3707 06.09.2007 no virus found
    Ewido 4.0 06.10.2007 no virus found
    FileAdvisor 1 06.11.2007 no virus found
    Fortinet 2.85.0.0 06.11.2007 no virus found
    F-Prot 4.3.2.48 06.08.2007 no virus found
    F-Secure 6.70.13030.0 06.11.2007 W32/BHO.QG
    Ikarus T3.1.1.8 06.11.2007 no virus found
    Kaspersky 4.0.2.24 06.11.2007 no virus found
    McAfee 5049 06.08.2007 no virus found
    Microsoft 1.2503 06.11.2007 no virus found
    NOD32v2 2321 06.10.2007 no virus found
    Norman 5.80.02 06.08.2007 W32/BHO.QG
    Panda 9.0.0.4 06.11.2007 Suspicious file
    Prevx1 V2 06.11.2007 no virus found
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 06.09.2007 no virus found
    Symantec 10 06.11.2007 no virus found
    TheHacker 6.1.6.131 06.08.2007 no virus found
    VBA32 3.12.0 06.10.2007 no virus found
    VirusBuster 4.3.23:9 06.10.2007 no virus found
    Webwasher-Gateway 6.0.1 06.11.2007 Trojan.Dldr.ConHook.Gen
    ---------------------------------------------------

    Please help. Thanks.

    Here is my HijackThis log.

    ---------------------------------------------------
    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 1:37:05 PM, on 2007-06-11
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\system32\WTablet\TabUserW.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\AutoHotkey\AutoHotkey.exe
    C:\Program Files\stickies\stickies.exe
    C:\Documents and Settings\Administrator\Desktop\HiJackThis\HiJackThis_v2.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/ap/ap/en/gen/default.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {B5B27B22-B2C5-430C-953E-F1327AEA3C97} - c:\windows\system32\ghccghc.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: AutoHotkey.lnk = C:\Program Files\AutoHotkey\AutoHotkey.exe
    O4 - Startup: stickies.lnk = C:\Program Files\stickies\stickies.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B5773D71-C578-4720-BA08-E7DD4663D90F}: NameServer = 10.0.0.2
    O20 - Winlogon Notify: gvtfvqdm - C:\WINDOWS\SYSTEM32\ghccghc.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: RAID Storage Manager Agent (RAIDStorAgent) - Dell - c:\Program Files\Dell\RAID Storage Manager\StorServ.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

    --
    End of file - 4133 bytes
    ---------------------------------------------------
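The two entries the poster flags, the O2 BHO and the O20 Winlogon Notify hook, resolve to the same DLL under system32 once path case is ignored. As an added example (not from the thread or from any tool it mentions), this Python script parses HijackThis O2/O20 lines and reports DLLs registered in both places or as a nameless BHO; the sample lines are constructed from the log above.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines the poster flagged plus a benign BHO for contrast.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {B5B27B22-B2C5-430C-953E-F1327AEA3C97} - c:\\windows\\system32\\ghccghc.dll
O20 - Winlogon Notify: gvtfvqdm - C:\\WINDOWS\\SYSTEM32\\ghccghc.dll
"""

# HijackThis line shapes for BHOs (O2) and Winlogon Notify handlers (O20).
O2_RE = re.compile(r"^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<label>\S+) - (?P<path>.+)$")


def parse_entries(log_text):
    """Return one dict per O2/O20 line: kind, label (BHO name or Notify key) and DLL path."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append({"kind": kind, "label": m.group("label"),
                                "path": m.group("path").strip()})
                break
    return entries


def suspicious_dlls(log_text):
    """Group entries by case-folded path and return {path: [reasons]} for DLLs that
    (a) are loaded both as a BHO and as a Winlogon Notify handler, the pairing behind
    the "it still comes back" in the thread, or (b) are registered as a nameless BHO."""
    by_path = defaultdict(list)
    for e in parse_entries(log_text):
        by_path[e["path"].lower()].append(e)  # Windows paths are case-insensitive
    findings = {}
    for path, ents in by_path.items():
        kinds = {e["kind"] for e in ents}
        reasons = []
        if {"O2", "O20"} <= kinds:
            keys = ", ".join(e["label"] for e in ents if e["kind"] == "O20")
            reasons.append(f"registered as BHO and as Winlogon Notify handler (key: {keys})")
        if any(e["kind"] == "O2" and e["label"] == "(no name)" for e in ents):
            reasons.append("BHO registered with no name")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in suspicious_dlls(SAMPLE_LOG).items():
        print(path, "->", "; ".join(why))
```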

  2. #2
    pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information: "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    Looks like you have a Vundo infection; here's some information about this junk for your benefit. Since there is a class action involving this one, you may want to view this information:
    http://www.networkworld.com/news/200...-unravels.html
    http://www.youtube.com/watch?v=zBUZHiKhsog
    http://msmvps.com/blogs/spywaresucks...q=winfixer+msn
    http://www.revenews.com/wayneporter/...l_network_now/

    See this information: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\j2re1.4.2_03\ <<< Java is VERY outdated and likely the reason you are infected. Download the newest version and uninstall all old versions in Add Remove Programs.

    Please read and follow the directions carefully, those that do have few problems removing this infection.

    Thanks to Atribune and any others who helped with this fix.

    Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #3
    tashi (Member of Team Spybot) | Join Date: Oct 2005 | Location: USA | Posts: 30,961

    This topic has been archived due to lack of a response.

    If you need it re-opened, please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
