Trojan:Win32/Conhook.C
Aliases:
- Adware-Virtumundo (McAfee)
- Generic Downloader.ab (McAfee)
- Vundo (McAfee)
- Vundo.dll (McAfee)
- W32/ConHook.AL (Norman)
- W32/Vundo.gen1 (Norman)
- Mal/Behav-027 (Sophos)
- Troj/ConHook-O (Sophos)
- Trojan.Adclicker (Sunbelt Software)
- Trojan.Awax (Sunbelt Software)
- Trojan-Downloader.Gen (Sunbelt Software)
- Virtumonde (Sunbelt Software)
- Downloader (Symantec)
- Trojan.Adclicker (Symantec)
- Trojan.Awax (Symantec)
- Adware_.70E1C72E (Trend Micro)
- TROJ_VUNDO.BB (Trend Micro)
- TSPY_Vundo (Trend Micro)
Summary
- Disconnect from the Internet.
- Identify the Trojan filename using the registry.
- Delete the Trojan registry entry.
- Restart the computer.
- Delete the Trojan files from your computer.
- Restart the computer.
- Take steps to prevent re-infection.
Disconnect from the Internet
Identify the Trojan filename using the registry
- On the Start menu, click Run.
- Type regedit and click OK.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{B0022F2A-1E0A-47D6-9B97-6EA471031820}
- Write down the name found in the value "InprocServer32".
Delete the Trojan registry entry
- If Registry Editor is already running, skip to item 3 below; otherwise, on the Start menu, click Run.
- Type regedit and click OK.
- In the left pane, navigate to the key: HKEY_CLASSES_ROOT\CLSID
- In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\
- In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
- Click Delete and click Yes to delete the value.
- In the left pane, navigate to the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
- In the right pane, right-click the following value, if it exists: {B0022F2A-1E0A-47D6-9B97-6EA471031820}
- Click Delete and click Yes to delete the value.
- Close the Registry Editor.
Restart the computer
- On the Start menu, click Shut Down.
- Select Restart from the drop-down list and click OK.
Delete the Trojan files from your computer
- Click Start, and then click Run.
- In the Open field, type %windir%\System32.
- Click OK.
- Click View and click Details.
- Click Name to sort files by name.
- Delete the Trojan file whose name you obtained in the "Identify the Trojan filename using the registry" instructions above.
- On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
- Click Yes to confirm the deletion.
Restart the computer
- On the Start menu, click Shut Down.
- Select Restart from the drop-down list and click OK.
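The following is an added, read-only check that is not part of the original Microsoft entry: it looks for the CLSID named on this page in the same three registry locations the steps above walk through, reads the InprocServer32 filename you would otherwise note down by hand, and reports whether that file is still present under %windir%\System32. Run it before starting the procedure to confirm the entries exist, and again after the final restart to confirm they are gone; it changes nothing.

```powershell
# Added example, not from the Microsoft encyclopedia entry. Read-only: it only reports.
$Clsid = '{B0022F2A-1E0A-47D6-9B97-6EA471031820}'   # CLSID named on this page

# The keys the manual procedure inspects, in the same order.
$Locations = @(
    "Registry::HKEY_LOCAL_MACHINE\Software\Classes\CLSID\$Clsid",
    "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
)

$Findings = @()
foreach ($Key in $Locations) {
    if ($Key -like '*ShellExecuteHooks') {
        # Under ShellExecuteHooks the CLSID appears as a value name, not as a subkey.
        $Item = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
        if ($Item -and ($Item.PSObject.Properties.Name -contains $Clsid)) {
            $Findings += [pscustomobject]@{ Location = $Key; Detail = "value $Clsid present" }
        }
    }
    elseif (Test-Path -Path $Key) {
        # The (default) value of the InprocServer32 subkey names the DLL the hook loads.
        $Dll = (Get-ItemProperty -Path "$Key\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        $Findings += [pscustomobject]@{ Location = $Key; Detail = "InprocServer32 = $Dll" }
        if ($Dll) {
            # Resolve a bare filename the way the removal steps do: relative to %windir%\System32.
            $Path = [Environment]::ExpandEnvironmentVariables($Dll)
            if (-not [IO.Path]::IsPathRooted($Path)) {
                $Path = Join-Path $env:windir "System32\$Path"
            }
            $OnDisk = Test-Path -Path $Path -PathType Leaf
            $Findings += [pscustomobject]@{ Location = $Path; Detail = "file present: $OnDisk" }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output "CLSID $Clsid not found in any of the listed locations."
} else {
    $Findings | Format-Table -AutoSize
}
```

HKEY_CLASSES_ROOT\CLSID is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes, so a hit there normally mirrors the HKEY_LOCAL_MACHINE entry rather than indicating a second, separate infection.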