Re: How would I have manually removed Trojan-Downloader.Win32.ConHook.bd



On May 17, 1:25 pm, "David H. Lipman" <DLipman~nosp...@xxxxxxxxxxx>
wrote:
From: <ToddAndMa...@xxxxxxxxxxx>

| Hi All,
|
| Warning: I tend to be long winded. Please read everything.
| I AM NOT INFECTED.
|
| I enjoy removing viruses manually (by hand). That
| is the purpose of this question. How would I remove
| this guy BY HAND (MANUALLY)? (And, yes, I am too
| easily amused.)
|
| I came across a customer who was infected with what Kaspersky
| calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
| adw_agent.oxa. I security erased infcms.dll and removed
| its registry entries with Bart PE. The customer is no longer
| infected.
|
| By the way, Kaspersky does remove this virus but Trend's
| PC-cillin does not. Trend tells you to do it by hand and gives
| you directions that do not work:
| REGSVR32 infcms.dll /U from safe mode
| http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_A...
|
| Before removing this guy with Bart PE, I booted into safe
| mode, opened regedit, and attempted to remove its registry entries:
|
| REGEDIT4
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms]
| "Asynchronous"=dword:00000000
| "Dllname"="INFcms.dll"
| "Impersonate"=dword:00000000
| "Startup"="NotifyStartup"
| "Shutdown"="NotifyShutdown"
|
| The virus would put the entry back within two seconds.
|
| I tried deleting c:\windows\system32\INFcms.dll, but
| it had a file lock on it.
|
| I opened Process Explorer; it showed INFcms.dll was part
| of winlogon. I could not figure out how to stop INFcms.dll
| without killing winlogon. I even tried killing winlogon, but
| that got me the blue screen of death.
|
| Then I used Bart PE and rescanned with Kaspersky
| to make sure the customer was safe. (I always
| scan afterwards as a safety measure.)
|
| Question: had I NOT had Bart PE available and wanted to remove
| this turkey by hand, how would I have done it? (NO SCANNERS
| PLEASE -- WHERE IS THE FUN IN THAT!)
|
| Many thanks,
| -T

The Conhook is a Trojan (aka Klone Trojan); it is *NOT A VIRUS*, and it protects its
Winlogon/Notify key.

Boot into the "Recovery Console". Login as Administrator.

Delete: c:\windows\system32\INFcms.dll

Reboot into Normal Mode.

Delete the Registry key...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms

Now that, I did not think of. Very sneaky. Thank you.
