How would I have manually removed Trojan-Downloader.Win32.ConHook.bd

Subject Author Date
How would I have manually removed Trojan-Downloader.Win32.ConHook.bd ToddAndMargo 05-17-2007
Posted by on May 17, 2007, 2:25 pm
Hi All,

Warning: I tend to be long winded. Please read everything.
I AM NOT INFECTED.

I enjoy removing viruses manually (by hand). That
is the purpose of this question. How would I remove
this guy BY HAND (MANUALLY)? (And, yes, I am too
easily amused.)

I came across a customer who was infected with what Kaspersky
calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
adw_agent.oxa. I security erased infcms.dll and removed
its registry entries with Bart PE. The customer is no longer
infected.

By the way, Kaspersky does remove this virus but Trend's
PC-cillin does not. Trend tells you to do it by hand and gives
you directions that do not work:
REGSVR32 infcms.dll /U from safe mode

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_AGENT.OXA

Before removing this guy with Bart PE, I booted into safe
mode, opened regedit, and attempted to remove its registry entries:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Winlogon\Notify\INFcms]
"Asynchronous"=dword:00000000
"Dllname"="INFcms.dll"
"Impersonate"=dword:00000000
"Startup"="NotifyStartup"
"Shutdown"="NotifyShutdown"

The virus would put the entry back within two seconds.

I tried deleting c:\windows\system32\INFcms.dll, but
it had a file lock on it.

I opened ProcessExplorer; it showed INFcms.dll was part
of winlogon. I could not figure out how to stop INFcms.dll
without killing winlogon. I even tried killing winlogon, but
that got me the blue screen of death.

Then I used Bart PE and rescanned with Kaspersky
to make sure the customer was safe. (I always
scan afterwards as a safety measure.)

Question: had I NOT had Bart PE available and wanted to remove
this turkey by hand, how would I have done it? (NO SCANNERS
PLEASE -- WHERE IS THE FUN IN THAT!)

Many thanks,
-T
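The REGEDIT4 fragment in the post is the artifact a responder actually has in hand, so it is worth being able to triage it offline. The following Python is an added example, not code from this thread: it parses a REGEDIT4 export (including a key name wrapped over two lines, as it is in the post, and hex(2) continuation lines, as real exports have) and flags any Winlogon\Notify package whose DLL is not one of the ones Windows XP ships with. The sample export, the allowlist of default notify DLLs and the function names are assumptions of mine; the allowlist in particular covers XP only.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the REGEDIT4 format used in the post: one default XP
# notify package (DllName as hex(2) with a continuation line, as exports do)
# and the INFcms package with its key name wrapped over two lines, exactly as
# it appears in the post.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,\
  64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
\Winlogon\Notify\INFcms]
"Asynchronous"=dword:00000000
"Dllname"="INFcms.dll"
"Impersonate"=dword:00000000
"Startup"="NotifyStartup"
"Shutdown"="NotifyShutdown"
"""

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")

# Assumption: the DLLs behind the notify packages Windows XP ships with
# (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn,
# termsrv, wlballoon). Anything else deserves a look.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "sclgntfy.dll", "wlnotify.dll"}


def decode_value(raw: str) -> Optional[str]:
    """Decode the value types this audit needs; others come back as None."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[6:], 16))
    if raw.startswith("hex(2):"):  # REG_EXPAND_SZ; ANSI bytes in REGEDIT4
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("latin-1").rstrip("\x00")
    return None


def parse_reg_export(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    keys: Dict[str, Dict[str, Optional[str]]] = {}
    current: Optional[str] = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].rstrip()
        i += 1
        if not line or line.startswith("REGEDIT") or line.startswith(";"):
            continue
        if line.startswith("["):
            # Re-join a key name that was wrapped mid-path (mail/forum wrapping).
            while not line.endswith("]") and i < len(lines):
                line += lines[i].strip()
                i += 1
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        while raw.endswith("\\") and i < len(lines):  # hex continuation lines
            raw = raw[:-1] + lines[i].strip()
            i += 1
        keys[current][name] = decode_value(raw)
    return keys


def audit_winlogon_notify(export: str) -> List[dict]:
    """Report every notify package, flagging DLLs outside the allowlist."""
    findings = []
    for key, values in parse_reg_export(export).items():
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        # Value names are case-insensitive in the registry; exports vary.
        dll = next((v for n, v in values.items() if n.lower() == "dllname"), None)
        events = sorted(n for n in values
                        if n.lower() not in ("dllname", "asynchronous", "impersonate"))
        basename = dll.lower().rsplit("\\", 1)[-1] if dll else None
        findings.append({"package": key[len(NOTIFY_PREFIX):], "dll": dll,
                         "events": events,
                         "suspicious": basename not in KNOWN_NOTIFY_DLLS})
    return findings


if __name__ == "__main__":
    for f in audit_winlogon_notify(SAMPLE_EXPORT):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f'{flag:10} {f["package"]:14} {f["dll"]}  events={f["events"]}')
```

On a live XP box, `reg export` writes the newer "Windows Registry Editor Version 5.00" format, in which hex(2) bytes are UTF-16LE rather than ANSI; swap the `latin-1` decode for `utf-16-le` when feeding such a file in. The audit deliberately reports the event names too: a package that registers Startup and Shutdown but none of the usual logon events, as INFcms does, is reloaded by winlogon on every boot, which is why deleting the key under a running winlogon did not stick.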


Posted by David H. Lipman on May 17, 2007, 4:25 pm

| Hi All,
|
| Warning: I tend to be long winded. Please read everything.
| I AM NOT INFECTED.
|
| I enjoy removing viruses manually (by hand). That
| is the purpose of this question. How would I remove
| this guy BY HAND (MANUALLY)? (And, yes, I am too
| easily amused.)
|
| I came across a customer who was infected with what Kaspersky
| calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
| adw_agent.oxa. I security erased infcms.dll and removed
| its registry entries with Bart PE. The customer is no longer
| infected.
|
| By the way, Kaspersky does remove this virus but Trend's
| PC-cillin does not. Trend tells you to do it by hand and gives
| you directions that do not work:
| REGSVR32 infcms.dll /U from safe mode
|
| http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_AGENT.OXA
|
| Before removing this guy with Bart PE, I booted into safe
| mode, opened regedit, and attempted to remove its registry entries:
|
| REGEDIT4
| [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
| \Winlogon\Notify\INFcms]
| "Asynchronous"=dword:00000000
| "Dllname"="INFcms.dll"
| "Impersonate"=dword:00000000
| "Startup"="NotifyStartup"
| "Shutdown"="NotifyShutdown"
|
| The virus would put the entry back within two seconds.
|
| I tried deleting c:\windows\system32\INFcms.dll, but
| it had a file lock on it.
|
| I opened ProcessExplorer; it showed INFcms.dll was part
| of winlogon. I could not figure out how to stop INFcms.dll
| without killing winlogon. I even tried killing winlogon, but
| that got me the blue screen of death.
|
| Then I used Bart PE and rescanned with Kaspersky
| to make sure the customer was safe. (I always
| scan afterwards as a safety measure.)
|
| Question: had I NOT had Bart PE available and wanted to remove
| this turkey by hand, how would I have done it? (NO SCANNERS
| PLEASE -- WHERE IS THE FUN IN THAT!)
|
| Many thanks,
| -T

The Conhook is a Trojan (aka Klone Trojan), it is *NOT A VIRUS* and it protects its
Winlogon/Notify Key.

Boot into the "Recovery Console". Login as Administrator.

Delete; c:\windows\system32\INFcms.dll

Reboot into Normal Mode.

Delete the Registry key...
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by on May 17, 2007, 4:58 pm
wrote:
>
> | Hi All,
> |
> | Warning: I tend to be long winded. Please read everything.
> | I AM NOT INFECTED.
> |
> | I enjoy removing viruses manually (by hand). That
> | is the purpose of this question. How would I remove
> | this guy BY HAND (MANUALLY)? (And, yes, I am too
> | easily amused.)
> |
> | I came across a customer who was infected with what Kaspersky
> | calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
> | adw_agent.oxa. I security erased infcms.dll and removed
> | its registry entries with Bart PE. The customer is no longer
> | infected.
> |
> | By the way, Kaspersky does remove this virus but Trend's
> | PC-cillin does not. Trend tells you to do it by hand and gives
> | you directions that do not work:
> | REGSVR32 infcms.dll /U from safe mode
> | http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_A...
> |
> | Before removing this guy with Bart PE, I booted into safe
> | mode, opened regedit, and attempted to remove its registry entries:
> |
> | REGEDIT4
> | [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
> | \Winlogon\Notify\INFcms]
> | "Asynchronous"=dword:00000000
> | "Dllname"="INFcms.dll"
> | "Impersonate"=dword:00000000
> | "Startup"="NotifyStartup"
> | "Shutdown"="NotifyShutdown"
> |
> | The virus would put the entry back within two seconds.
> |
> | I tried deleting c:\windows\system32\INFcms.dll, but
> | it had a file lock on it.
> |
> | I opened ProcessExplorer; it showed INFcms.dll was part
> | of winlogon. I could not figure out how to stop INFcms.dll
> | without killing winlogon. I even tried killing winlogon, but
> | that got me the blue screen of death.
> |
> | Then I used Bart PE and rescanned with Kaspersky
> | to make sure the customer was safe. (I always
> | scan afterwards as a safety measure.)
> |
> | Question: had I NOT had Bart PE available and wanted to remove
> | this turkey by hand, how would I have done it? (NO SCANNERS
> | PLEASE -- WHERE IS THE FUN IN THAT!)
> |
> | Many thanks,
> | -T
>
> The Conhook is a Trojan (aka Klone Trojan), it is *NOT A VIRUS* and it protects its
> Winlogon/Notify Key.
>
> Boot into the "Recovery Console". Login as Administrator.
>
> Delete; c:\windows\system32\INFcms.dll
>
> Reboot into Normal Mode.
>
> Delete the Registry key...
> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms

Now that, I did not think of. Very sneaky. Thank you.



Posted by David H. Lipman on May 17, 2007, 5:32 pm


>>
>> The Conhook is a Trojan (aka Klone Trojan), it is *NOT A VIRUS* and it protects its
>> Winlogon/Notify Key.
>>
>> Boot into the "Recovery Console". Login as Administrator.
>>
>> Delete; c:\windows\system32\INFcms.dll
>>
>> Reboot into Normal Mode.
>>
>> Delete the Registry key...
>> HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\INFcms
|
| Now that, I did not think of. Very sneaky. Thank you.
|

YW :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Dustin Cook on May 17, 2007, 6:35 pm
ToddAndMargo@verizon.net wrote in

> Hi All,
>
> Warning: I tend to be long winded. Please read everything.
> I AM NOT INFECTED.
>
> I enjoy removing viruses manually (by hand). That
> is the purpose of this question. How would I remove
> this guy BY HAND (MANUALLY)? (And, yes, I am too
> easily amused.)
>
> I came across a customer who was infected with what Kaspersky
> calls Trojan-Downloader.Win32.ConHook.bd and Trend calls
> adw_agent.oxa. I security erased infcms.dll and removed
> its registry entries with Bart PE. The customer is no longer
> infected.
>
> By the way, Kaspersky does remove this virus but Trend's
> PC-cillin does not. Trend tells you to do it by hand and gives
> you directions that do not work:
> REGSVR32 infcms.dll /U from safe mode
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ADW_AGENT.OXA
>
> Before removing this guy with Bart PE, I booted into safe
> mode, opened regedit, and attempted to remove its registry entries:
>
> REGEDIT4
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
> \Winlogon\Notify\INFcms]
> "Asynchronous"=dword:00000000
> "Dllname"="INFcms.dll"
> "Impersonate"=dword:00000000
> "Startup"="NotifyStartup"
> "Shutdown"="NotifyShutdown"
>
> The virus would put the entry back within two seconds.
>
> I tried deleting c:\windows\system32\INFcms.dll, but
> it had a file lock on it.
>
> I opened ProcessExplorer; it showed INFcms.dll was part
> of winlogon. I could not figure out how to stop INFcms.dll
> without killing winlogon. I even tried killing winlogon, but
> that got me the blue screen of death.

Hi T,

I've had limited success with the following trick regarding winlogon
hijacking...

Instead of killing the winlogon process, suspend it. Then you might be
able to rename this bad dll. Upon rebooting the machine, since the file
has been renamed, the registry entry it made will not reload it.

> Then I used Bart PE and rescanned with Kaspersky
> to make sure the customer was safe. (I always
> scan afterwards as a safety measure.)


> Question: had I NOT had Bart PE available and wanted to remove
> this turkey by hand, how would I have done it? (NO SCANNERS
> PLEASE -- WHERE IS THE FUN IN THAT!)

Either the method mentioned above, or setting the pendingfilerenamekey in
the registry. Since you want to do it by hand :(, you can find the
registry location yourself as well.

Now, if the malware is properly setup, it'll have some defensive
abilities, and these tricks will not work. In those situations, a bart
disc is your friend and it's something you should keep on hand. *shrug*

> Many thanks,
> -T
>
>



--
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
email: bughunter.dustin@gmail.com.removethis
web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
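Dustin's second suggestion relies on the PendingFileRenameOperations value (REG_MULTI_SZ, under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager), which the session manager processes early in boot, before winlogon has loaded any notify package, so a DLL that is locked while Windows is up can still be deleted or renamed on the way back up. The Python below is an added example, not code from this thread or from BugHunter: it builds and reads the value's pair format (a source path in \??\ form followed by either an empty string, meaning delete at boot, or a '!'-prefixed target, meaning move over any existing file) and merges new pairs into whatever is already queued. The same decoder is what an analyst runs over the value during triage, since malware queues its own renames there. The function names and the sample entries are my assumptions.

```python
from typing import List, Optional, Tuple

# Where the value lives on NT-family Windows (stated here as a known fact;
# the thread itself leaves the location as an exercise).
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE_NAME = "PendingFileRenameOperations"


def to_nt_path(win_path: str) -> str:
    """Convert C:\\dir\\file to the \\??\\C:\\dir\\file form the value uses."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_pending_renames(ops: List[Tuple[str, Optional[str]]]) -> List[str]:
    """Turn (source, target) pairs into the REG_MULTI_SZ string list.

    target None  -> delete source at next boot (empty target string)
    target path  -> move source to target; the leading '!' tells the session
                    manager to replace a file already present at the target.
    """
    strings: List[str] = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append("" if dst is None else "!" + to_nt_path(dst))
    return strings


def decode_pending_renames(strings: List[str]) -> List[dict]:
    """Inverse of encode_pending_renames, for reading a value found on a box."""
    if len(strings) % 2:
        raise ValueError("value must hold source/target pairs")
    ops = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if dst == "":
            ops.append({"action": "delete", "source": src, "target": None})
        else:
            ops.append({"action": "rename", "source": src,
                        "target": dst.lstrip("!")})
    return ops


def merge_pending_renames(existing: List[str], new: List[str]) -> List[str]:
    """Append new pairs to the list already in the registry, skipping pairs
    that are already queued. Overwriting the value outright would silently
    drop renames other installers have queued."""
    merged = list(existing)
    for i in range(0, len(new), 2):
        pair = new[i:i + 2]
        if pair not in [merged[j:j + 2] for j in range(0, len(merged), 2)]:
            merged.extend(pair)
    return merged


def queued_for(strings: List[str], filename: str) -> List[dict]:
    """Operations touching the given file name (case-insensitive, like NTFS)."""
    name = filename.lower()
    return [op for op in decode_pending_renames(strings)
            if op["source"].lower().endswith(name)
            or (op["target"] or "").lower().endswith(name)]


if __name__ == "__main__":
    # Constructed sample: one unrelated queued rename plus the DLL from the post.
    existing = ["\\??\\C:\\Windows\\Temp\\setup.tmp",
                "!\\??\\C:\\Windows\\system32\\foo.dll"]
    new = encode_pending_renames([("C:\\Windows\\system32\\INFcms.dll", None)])
    for op in decode_pending_renames(merge_pending_renames(existing, new)):
        print(op)
```

On Windows the list is read and written with `winreg.QueryValueEx` / `winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, strings)` on the Session Manager key, always merging rather than replacing. This only helps against a sample that does nothing more than hold the file open and rewrite its Notify key, which is the caveat Dustin gives: anything that also watches this value will undo it, and the offline approach (Bart PE or the Recovery Console) is the one that does not depend on the malware's cooperation.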

