BleepingComputer.com: How to delete conhost.exe virus?

I need some advice in trying to delete the conhost.exe
Since this virus had infiltrated my computer, I can not be able to go to any websites even though my internet is still running.

This post has been edited by hamluis: 07 July 2011 - 09:24 AM
Reason for edit: Moved from XP to Am I Infected.

conhost.exe is a legit process: http://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/
Why do you call it a virus?

It is a virus, it goes by that name. I have it on my desktop and I'm trying to find solutions online. I need help, too. It's located under the c:/Documents and Settings/Owner/ApllicationsData/Microsoft folder. I moused over and it said it came from a company called CRATE JEWISH. I keep getting cycbot backdoor messages that keep trying to run the program, but Norton is blocking them. What should I do, as I have not found anything OnLine as of yet.

That location is not right indeed.

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark following boxes:

• Report IE Proxy Settings
  
• List content of Hosts
  
• List IP configuration
  
• List last 10 Event Viewer log
  
• List Users, Partitions and Memory size

Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): http://www.malwarebytes.org/products/malwarebytes_free to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

should I do everything you said from regular start up, or safemode?

Security Check:

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
Norton 360
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:
Malwarebytes' Anti-Malware
Java™ 6 Update 17
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 9.4.5
Out of date Adobe Reader installed!
Mozilla Firefox (x86 en-US..) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
Norton ccSvcHst.exe
``````````End of Log````````````


MINITOOLBOX


MiniToolBox by Farbar
Ran by Owner (administrator) on 06-07-2011 at 19:47:33
Microsoft Windows XP Service Pack 3 (X86)

***************************************************************************


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= End of IE Proxy Settings ========================
=============== Hosts content: ============================================

# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

=============== End of Hosts ==============================================

================= IP Configuration: =======================================

# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection 2"

set address name="Local Area Connection 2" source=dhcp
set dns name="Local Area Connection 2" source=dhcp register=PRIMARY
set wins name="Local Area Connection 2" source=dhcp


popd
# End of interface IP configuration




Windows IP Configuration



Host Name . . . . . . . . . . . . : MachineHead

Primary Dns Suffix . . . . . . . :

Node Type . . . . . . . . . . . . : Hybrid

IP Routing Enabled. . . . . . . . : No

WINS Proxy Enabled. . . . . . . . : No



Ethernet adapter Local Area Connection 2:



Connection-specific DNS Suffix . :

Description . . . . . . . . . . . : NETGEAR GA311 Gigabit Adapter

Physical Address. . . . . . . . . :

Dhcp Enabled. . . . . . . . . . . : Yes

Autoconfiguration Enabled . . . . : Yes

IP Address. . . . . . . . . . . . :

Subnet Mask . . . . . . . . . . . :

Default Gateway . . . . . . . . . :

DHCP Server . . . . . . . . . . . :

DNS Servers . . . . . . . . . . . : 68.190.192.35

71.9.127.107

68.116.46.115

Lease Obtained. . . . . . . . . . : Wednesday, July 06, 2011 7:31:29 PM

Lease Expires . . . . . . . . . . : Thursday, July 07, 2011 7:31:29 PM

Server:
Address: 68.190.192.35

Name: google.com
Addresses: 74.125.224.81, 74.125.224.82, 74.125.224.84, 74.125.224.83
74.125.224.80



Pinging google.com [74.125.224.80] with 32 bytes of data:



Reply from 74.125.224.80: bytes=32 time=19ms TTL=54

Reply from 74.125.224.80: bytes=32 time=19ms TTL=54



Ping statistics for 74.125.224.80:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 19ms, Maximum = 19ms, Average = 19ms

Server: vip01rvsdca.rvsd.ca.charter.com
Address: 68.190.192.35

Name: yahoo.com
Addresses: 98.137.149.56, 209.191.122.70, 67.195.160.76, 69.147.125.65
72.30.2.43



Pinging yahoo.com [69.147.125.65] with 32 bytes of data:



Reply from 69.147.125.65: bytes=32 time=95ms TTL=49

Malwarebytes' Anti-Malware 1.44
Database version: 3691
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/6/2011 7:59:10 PM
mbam-log-2011-07-06 (19-59-10).txt

Scan type: Quick Scan
Objects scanned: 109800
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

MiniToolbox log is incomplete.

I'll try to redo, right now its doing the GMER scan on the desktop.

One more thing, initially I had an NAV scan going and it detected the virus - cohost.exe - and it allowed me the option to "fix" so I did. And, the cohost.exe is no longer in the documents and settings folder. So, I'm not sure if the results will reflect that.

We'll see...

Ok, so after a few hours it's finally done.

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-06 22:53:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250410AS rev.3.AAC
Running: 8eipcc2j.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\pwldipob.sys


---- System - GMER 1.0.15 ----

SSDT 89F45C50 ZwAlertResumeThread
SSDT 89F3DC18 ZwAlertThread
SSDT 89EF1B20 ZwAllocateVirtualMemory
SSDT 89FF6E68 ZwAssignProcessToJobObject
SSDT 898FC8C0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB366E710]
SSDT 89EEAD60 ZwCreateMutant
SSDT 89EE0958 ZwCreateSymbolicLinkObject
SSDT 89ECE050 ZwCreateThread
SSDT 8A06C4D8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB366E990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB366EEF0]
SSDT 89F42078 ZwDuplicateObject
SSDT 89EBCCC0 ZwFreeVirtualMemory
SSDT 89EE0060 ZwImpersonateAnonymousToken
SSDT 89F50038 ZwImpersonateThread
SSDT 89E96DC8 ZwLoadDriver
SSDT 89EDFB50 ZwMapViewOfSection
SSDT 89ED9E08 ZwOpenEvent
SSDT 89FD7800 ZwOpenProcess
SSDT 89F8F8A0 ZwOpenProcessToken
SSDT 89ED5F30 ZwOpenSection
SSDT 89FA85A0 ZwOpenThread
SSDT 89FFA220 ZwProtectVirtualMemory
SSDT 89F7CE08 ZwResumeThread
SSDT 89F872C0 ZwSetContextThread
SSDT 8A129C78 ZwSetInformationProcess
SSDT 89839160 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB366F140]
SSDT 89ED93F8 ZwSuspendProcess
SSDT 89F52DF8 ZwSuspendThread
SSDT 89F76A70 ZwTerminateProcess
SSDT 89F82DF8 ZwTerminateThread
SSDT 89F893A8 ZwUnmapViewOfSection
SSDT 89EEC0B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes JMP D2DAF8E7
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5F543A0, 0x59FFE5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[2472] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Looks good

Let's double check...

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

i have the same problem and was wondering if i can post my results as well for help to remove it i need to get rid of it

I have the same problem here and I was wondering if I can post up my results to see if it is completely gone. Thanks!