Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Jul 07, 2007 | Updated Sep 15, 2017

Trojan:Win32/Conhook.C

Detected by Microsoft Defender Antivirus

Aliases: Adware-Virtumundo (McAfee) Generic Downloader.ab (McAfee) Vundo (McAfee) Vundo.dll (McAfee) W32/ConHook.AL (Norman) W32/Vundo.gen1 (Norman) Mal/Behav-027 (Sophos) Troj/ConHook-O (Sophos) Trojan.Adclicker (Sunbelt Software) Trojan.Awax (Sunbelt Software) Trojan-Downloader.Gen (Sunbelt Software) Virtumonde (Sunbelt Software) Downloader (Symantec) Trojan.Adclicker (Symantec) Trojan.Awax (Symantec) Adware_.70E1C72E (Trend Micro) TROJ_VUNDO.BB (Trend Micro) TSPY_Vundo (Trend Micro)

Summary

Trojan:Win32/Conhook.C attempts to download content from a remote Web site. Trojan:Win32/Conhook.C injects its code into running processes which could, depending on configuration, allow the Trojan to bypass permission-based firewalls in order to gain Internet access.
To recover manually from infection by Trojan:Win32/Conhook.C, perform the following steps:
  • Disconnect from the Internet.
  • Identify the Trojan filename using the registry.
  • Delete the Trojan registry entry.
  • Restart the computer.
  • Delete the Trojan files from your computer.
  • Restart the computer.
  • Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Identify the Trojan filename using the registry

To identify the Trojan filename using the registry
  1. On the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to key:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0022F2A-1E0A-47D6-9B97-6EA471031820}
  4. Write down the name found in the value "InprocServer32".

Delete the Trojan registry entry

To delete the Trojan registry entry
  1. If Registry Editor is running skip to item 3 below, otherwise on the Start menu, click Run.
  2. Type regedit and click OK.
  3. In the left pane, navigate to the key:
    HKEY_CLASSES_ROOT\CLSID
  4. In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
  5. Click Delete and click Yes to delete the value.
  6. In the left pane, navigate to the key:
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
  7. In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
  8. Click Delete and click Yes to delete the value.
  9. In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
  10. In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
  11. Click Delete and click Yes to delete the value.
  12. Close the Registry Editor.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Delete the Trojan files from your computer

To delete the Trojan files from your computer
  1. Click Start, and click Run.
  2. In the Open field, type %windir%\System32.
  3. Click OK.
  4. Click View and click Details.
  5. Click Name to sort files by name.
  6. Delete the Trojan file name obtained from "Identify the Trojan filename using the registry" instructions above.
  7. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  8. Click Yes to confirm the deletion.

Restart the computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

You should not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us