Sophos

Troj/ConHook-B

Aliases
  • W32/Downloader.AVN
  • Downloader-ZM

Summary

Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Included in our products from June 2005 (3.94)
Protection available since 2 May 2005 15:23:00 (GMT)
Detected by All Sophos products

Action

Windows 2000

You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. Select the 'HKEY_LOCAL_MACHINE on local machine' window. Select 'HKEY_LOCAL_MACHINE'. On the 'Registry' menu, click 'Save Subtree As'. Save the registry subtree as Backup.
  • Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Select <Trojan_entry>
  • On the Security menu select 'Permissions'
  • In 'Permissions for...' deselect 'Allow inheritable permissions from parent to propagate to this object'
  • In the Security dialog, click 'Remove'
  • Click 'OK'
  • Click 'Yes' to deny everyone access to the key
  • Close the registry editor.

Follow the Safe Mode with Command Prompt instructions for removing Trojans.

Re-open the registry editor to delete the Trojan registry entries.

  • At the taskbar, click Start|Run. Type 'REGEDT32' and press Return. The registry editor opens.
  • Select SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Select <Trojan_entry>
  • On the Security menu select 'Permissions'
  • In 'Permissions for...' select 'Allow inheritable permissions from parent to propagate to this object'
  • Click 'OK'
  • On the Edit menu select 'Delete'
  • Click 'Yes' to delete the key
  • Close the registry editor.

Windows XP/2003

You will first need to prevent use of the following registry entry, if it is present. Please read the warning about editing the registry.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Before you edit the registry, you should make a backup. Select 'My Computer'. On the 'File' menu, click 'Export'. Save your registry as Backup.
  • Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Right-click '<Trojan_entry>'
  • Select 'Permissions'
  • In the 'Permissions for...' dialog, click 'Advanced'
  • In the 'Advanced Security Settings for...' dialog, deselect 'Inherit from parent the permission entries that apply to child objects.'
  • In the Security dialog, click 'Remove'
  • Click 'OK'
  • Click 'Yes' to deny everyone access to the key
  • Click 'OK'
  • Close the registry editor.

Follow the Safe Mode with Command Prompt instructions for removing Trojans.

Re-open the registry editor to delete the Trojan registry entries.

  • At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
  • Select HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  • Right-click '<Trojan_entry>'
  • Select 'Permissions'
  • In the 'Permissions for...' dialog, click 'Advanced'
  • In the 'Advanced Security Settings for...' dialog, select 'Inherit from parent the permission entries that apply to child objects.'
  • Click 'OK' twice
  • Right-click '<Trojan_entry>'
  • Select 'Delete'
  • Click 'Yes' to delete the key
  • Close the registry editor.

More Information

Troj/ConHook-B is a Trojan for the Windows platform.

The Trojan attempts to download and run further malicious code without the user's knowledge.

Troj/ConHook-B drops the component REQ.DLL in the Windows system folder.

The following registry entries are created to run code exported by req.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\DllName = <system>\req.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req\Impersonate = 0

The dropped file req.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKCR\CLSID\[1C044AAD-7955-4CBD-8175-501A165C4E5D]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\[1C044AAD-7955-4CBD-8175-501A165C4E5D]
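As an added example (not Sophos's own tooling), the following Python script parses a .reg export taken from a suspect host and flags the two persistence points described above: a Winlogon Notify package whose DllName is req.dll, and the BHO CLSID registered for it. The sample export, the `C:\WINDOWS\system32` path standing in for `<system>`, and the benign crypt32chk entry are constructed for the example; the CLSID is written with the curly braces the registry itself uses.

```python
# Constructed sample of a `reg export` of the two persistence locations this page
# describes (Winlogon\Notify packages and IE Browser Helper Objects), as pulled
# from a suspect host for offline triage; "crypt32chk" is a benign entry for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chk]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\req]
"DllName"="C:\\WINDOWS\\system32\\req.dll"
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1C044AAD-7955-4CBD-8175-501A165C4E5D}]
"""

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CONHOOK_DLL = "req.dll"  # dropped component named on this page
CONHOOK_CLSID = "{1C044AAD-7955-4CBD-8175-501A165C4E5D}"  # BHO CLSID named on this page

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; quoted strings are unescaped."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][name] = data
    return keys

def find_conhook_persistence(reg_text):
    """Flag Notify packages that load req.dll and the BHO CLSID this page lists."""
    findings = []
    for path, values in parse_reg(reg_text).items():
        leaf = path.rsplit("\\", 1)[-1]
        if path.lower().startswith(NOTIFY_KEY.lower() + "\\"):
            dll = values.get("DllName", "")
            if dll.lower().rsplit("\\", 1)[-1] == CONHOOK_DLL:
                findings.append(("winlogon-notify", leaf, dll))
        elif path.lower().startswith(BHO_KEY.lower() + "\\"):
            if leaf.upper() == CONHOOK_CLSID:
                findings.append(("bho", leaf, ""))
    return findings
```

On a live host the input would be the output of `reg export` for the two keys; a Notify subkey whose permissions have already been removed as in the Action steps above will not export until access is restored.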
