Re: How would I have manually removed Trojan-Downloader.Win32.ConHook.bd
- From: "David H. Lipman" <DLipman~nospam~@Verizon.Net>
- Date: Thu, 17 May 2007 16:25:11 -0400
From: <ToddAndMargo@xxxxxxxxxxx>
| Hi All,
|
| Warning: I tend to be long winded. Please read everything.
| I AM NOT INFECTED.
|
| I enjoy removing viruses manually (by hand). That
| is the purpose of this question. How would I remove
| this guy BY HAND (MANUALLY)? (And, yes, I am too
| easily amused.)
|
| I came across a customer who was infected with what Kaspersky
| calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
| adw_agent.oxa. I security erased infcms.dll and removed
| its registry entries with Bart PE. The customer is no longer
| infected.
|
| By the way, Kaspersky does remove this virus but Trend's
| PC-cillin does not. Trend tells you to do it by hand and gives
| you directions that do not work:
| REGSVR32 infcms.dll /U from safe mode
| http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_AGENT.OXA
|
| Before removing this guy with Bart PE, I booted into safe
| mode, opened regedit, and attempted to remove its registry entries:
|
| REGEDIT4
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
| \Winlogon\Notify\INFcms]
| "Asynchronous"=dword:00000000
| "Dllname"="INFcms.dll"
| "Impersonate"=dword:00000000
| "Startup"="NotifyStartup"
| "Shutdown"="NotifyShutdown"
|
| The virus would put the entry back within two seconds.
|
| I tried deleting c:\windows\system32\INFcms.dll, but
| it had a file lock on it.
|
| I opened ProcessExplorer; it showed INFcms.dll was part
| of winlogon. I could not figure out how to stop INFcms.dll
| without killing winlogon. I even tried killing winlogon, but
| that got me the blue screen of death.
|
| Then I used Bart PE and rescanned with Kaspersky
| to make sure the customer was safe. (I always
| scan afterwards as a safety measure.)
|
| Question: had I NOT had Bart PE available and wanted to remove
| this turkey by hand, how would I have done it? (NO SCANNERS
| PLEASE -- WHERE IS THE FUN IN THAT!)
|
| Many thanks,
| -T
Conhook is a Trojan (aka Klone Trojan); it is *NOT A VIRUS* and it protects its
Winlogon/Notify key.
Boot into the "Recovery Console". Login as Administrator.
Delete; c:\windows\system32\INFcms.dll
Reboot into Normal Mode.
Delete the Registry key...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
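As an added example (not part of Dave's reply or the original post), here is a PowerShell audit of the Winlogon\Notify key the thread discusses: it lists every Notify package, resolves its DllName the way Winlogon does (unqualified names come from system32) and checks whether the file exists and carries a valid Microsoft Authenticode signature. It assumes Get-AuthenticodeSignature is available and that the key exists (Windows XP/2003; later versions dropped Notify packages); stock XP Notify DLLs are catalog-signed and may report NotSigned, so the output is a review list, not a deletion list.

```powershell
# Added example, not from the original post: audit Winlogon Notify packages.
# Assumes Get-AuthenticodeSignature is available; the Notify key is used by
# Windows XP/2003, so on Vista and later it may simply be absent.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyAudit {
    if (-not (Test-Path $notifyKey)) {
        Write-Warning "No Winlogon\Notify key found (expected on Vista and later)."
        return
    }
    Get-ChildItem $notifyKey | ForEach-Object {
        $props   = Get-ItemProperty $_.PSPath
        $dllName = $props.DllName
        if (-not $dllName) { return }   # skip packages with no DLL registered

        # Unqualified names (e.g. "INFcms.dll") are loaded from system32.
        $path = if ([IO.Path]::IsPathRooted($dllName)) { $dllName }
                else { Join-Path $env:SystemRoot "system32\$dllName" }

        $exists = Test-Path $path
        $status = 'missing'
        $signer = 'n/a'
        if ($exists) {
            $sig    = Get-AuthenticodeSignature $path
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # Anything that is not a validly signed Microsoft binary goes on the review list.
        # Catalog-signed stock DLLs can land here too; inspect before acting.
        $review = -not ($exists -and $status -eq 'Valid' -and $signer -match 'Microsoft')

        New-Object PSObject -Property @{
            Package   = $_.PSChildName
            DllName   = $dllName
            Path      = $path
            Exists    = $exists
            SigStatus = $status
            Signer    = $signer
            Review    = $review
        }
    }
}

Get-WinlogonNotifyAudit | Sort-Object Review -Descending |
    Format-Table Package, DllName, Exists, SigStatus, Review -AutoSize
```

A package such as the thread's INFcms would show up with an unsigned (or missing) DLL in system32, which is the kind of entry worth checking against a known-good baseline before removing it.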