Trojan.Downloader.BHO.Req


Roy

Hi,
I believe I picked this trojan up from MS spyware
beta, and it reappears. What should I do?
 
Joined: Aug 27, 2005 | Messages: 3 | Reaction score: 0
I had the same problem, and this is how I got rid of the trojan.downloader.bho.

1. Download Process Explorer then extract it from the zip folder. http://www.sysinternals.com/Utilities/ProcessExplorer.html

2. Open Microsoft Anti-Spyware but DO NOT CLICK ON SCAN JUST YET.
3. Now run 'Process Explorer'.
4. In Process Explorer look for these processes: Explorer.exe, Winlogon.exe, Rundll32.exe. Right-click on these processes and select Suspend.
5. Now Click Run Scan in Microsoft Anti-Spyware.
6. Choose to remove anything it finds.
7. When it asks you to reboot the computer, select NO. Instead you are going to press and hold the power button on your computer to manually turn it off. (You have to manually turn it off because Windows won't shut down without winlogon.exe running, and that's how the virus keeps coming back.)

Wait a few seconds, then turn your computer back on and you should be free of the trojan.downloader.bho.

Now open Microsoft Anti-Spyware and go to the quarantine folder, and if there's anything in there, check it all and select remove. Now run another scan to make sure it's gone, which it should be; it worked for me.

Hope this helps.
 
Joined: Aug 30, 2005 | Messages: 2 | Reaction score: 0
Thanks for the help

badkarma said:
I had the same problem, and this is how I got rid of the trojan.downloader.bho.

1. Download Process Explorer then extract it from the zip folder. http://www.sysinternals.com/Utilities/ProcessExplorer.html

2. Open Microsoft Anti-Spyware but DO NOT CLICK ON SCAN JUST YET.
3. Now run 'Process Explorer'.
4. In Process Explorer look for these processes: Explorer.exe, Winlogon.exe, Rundll32.exe. Right-click on these processes and select Suspend.
5. Now Click Run Scan in Microsoft Anti-Spyware.
6. Choose to remove anything it finds.
7. When it asks you to reboot the computer, select NO. Instead you are going to press and hold the power button on your computer to manually turn it off. (You have to manually turn it off because Windows won't shut down without winlogon.exe running, and that's how the virus keeps coming back.)

Wait a few seconds, then turn your computer back on and you should be free of the trojan.downloader.bho.

Now open Microsoft Anti-Spyware and go to the quarantine folder, and if there's anything in there, check it all and select remove. Now run another scan to make sure it's gone, which it should be; it worked for me.

Hope this helps.

The procedure above worked for me, although I did not find Rundll32.exe running on W2K SP4.
The DLL that was removed was hooked into:

HKLM\Software\Microsoft\WindowsNT\Winlogon\Notify\opnop

and that hook is still there. However, the .dll in the value DLLName (opnop.dll) is now gone.
MS Antispyware no longer reports the Trojan present.

Thanks for your post. This beast was "killing" me.
I'd really like to have its author in my sights.

-Wye
 
Joined: Aug 27, 2005 | Messages: 3 | Reaction score: 0
The Rundll32.exe process will only be found in XP.


I take it you're referring to the shell execute hook the trojan dropped.
Open Microsoft Anti-Spyware, then click Tools / Advanced Tools / System Explorers / Shell Execute Hooks.
It will list the shell execute hooks, and if there is a malicious one it will be marked with a red X. You can then select to block it.

I have 2 shell execute hooks: C:\WINDOWS\system32\shell32.dll and c:\program files\microsoft antispyware\shellextension.dll. Running Windows XP Pro.

Also, after I ran Microsoft Anti-Spyware I ran Registry Mechanic to delete any entries the trojan made that Microsoft Anti-Spyware did not find. Running Registry Mechanic may delete the hook entry you are talking about.

If you need to download Registry Mechanic, you can download it here.
http://rapidshare.de/files/4549567/RegistryMechanic5.zip.html
 
Joined: Aug 30, 2005 | Messages: 2 | Reaction score: 0
badkarma said:
The Rundll32.exe process will only be found in XP.


I take it you're referring to the shell execute hook the trojan dropped.
Open Microsoft Anti-Spyware, then click Tools / Advanced Tools / System Explorers / Shell Execute Hooks.
It will list the shell execute hooks, and if there is a malicious one it will be marked with a red X. You can then select to block it.

I have 2 shell execute hooks: C:\WINDOWS\system32\shell32.dll and c:\program files\microsoft antispyware\shellextension.dll. Running Windows XP Pro.

Also, after I ran Microsoft Anti-Spyware I ran Registry Mechanic to delete any entries the trojan made that Microsoft Anti-Spyware did not find. Running Registry Mechanic may delete the hook entry you are talking about.

If you need to download Registry Mechanic, you can download it here.
http://rapidshare.de/files/4549567/RegistryMechanic5.zip.html

No, I was talking about the "reinstall hook". The execute hooks apparently looked something like this:

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}

That CLASS hook contained an execute link to the problem .DLL.

BUT, the hook I'm talking about was attached to the WINLOGON task as a NOTIFY activator.
I didn't save the registry entries, but basically each LOGON/LOGOFF caused the DLL to run, making sure the beast was re-installed and active. I'm not sure if MS AntiSpyware ever saw this hook.
It would seem to have removed all the CLASS hooks and orphaned the NOTIFY hook.

BUT, I'm a coward and don't want to delete entries whose purpose I don't thoroughly understand. :)

Anyway, your procedure worked for me and I raise my glass to you.

Wye
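The three persistence points this thread touches, the Browser Helper Objects CLSID key and the Winlogon Notify package Wye describes, plus the Shell Execute Hooks badkarma lists, can all be audited from the registry without a GUI tool. The following PowerShell script is an added example, not code from the thread, from Microsoft Anti-Spyware or from Registry Mechanic: it enumerates the three locations, resolves each CLSID to the DLL it loads, and flags entries whose DLL no longer exists on disk (an orphaned hook like Wye's Notify entry) or whose DLL is not Authenticode-signed. Assumptions: the full Notify path is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (the post abbreviates it), the script runs read-only in an elevated session, and the helper names Resolve-ClsidDll and Test-HookDll are mine.

```powershell
# Added example (not from the thread): read-only audit of BHO, ShellExecuteHooks and
# Winlogon Notify entries. Flags hooks whose DLL is missing on disk or unsigned.
# Assumption: elevated session; on 64-bit hosts also check the Wow6432Node paths.

function Resolve-ClsidDll {
    param([string]$Clsid)
    # The default value of InProcServer32 holds the DLL path of an in-process COM server.
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Test-HookDll {
    param([string]$Source, [string]$Name, [string]$DllPath)
    $exists = $DllPath -and (Test-Path -LiteralPath $DllPath)
    $sig = 'n/a'
    if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $DllPath).Status }
    [pscustomobject]@{
        Source     = $Source
        Name       = $Name
        DllPath    = $DllPath
        OnDisk     = [bool]$exists
        SigStatus  = $sig
        # An orphaned hook (registry points at a deleted DLL) or unsigned code both deserve review.
        Suspicious = (-not $exists) -or ("$sig" -ne 'Valid')
    }
}

$results = @()

# 1. Browser Helper Objects: each subkey name is the CLSID of an IE extension DLL.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $results += Test-HookDll 'BHO' $sub.PSChildName (Resolve-ClsidDll $sub.PSChildName)
    }
}

# 2. Shell Execute Hooks: value names are CLSIDs that Explorer loads on every ShellExecute.
$sehKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $sehKey) {
    $props = Get-ItemProperty $sehKey
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -like '{*}' })) {
        $results += Test-HookDll 'ShellExecuteHook' $p.Name (Resolve-ClsidDll $p.Name)
    }
}

# 3. Winlogon Notify packages: each subkey's DLLName is loaded into winlogon.exe at
#    logon/logoff, which is how the thread's trojan re-installed itself after reboot.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        # A bare file name is resolved relative to System32, as winlogon itself does.
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $env:SystemRoot "System32\$dll"
        }
        $results += Test-HookDll 'WinlogonNotify' $sub.PSChildName $dll
    }
}

# Suspicious rows first; nothing is modified or deleted by this script.
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

A row with OnDisk = False is exactly the orphaned state Wye describes: the Notify subkey survives but its DLLName target is gone, so the hook is inert but still a sign of the infection's history. Treat Suspicious as a prompt to inspect the entry (and to export the key before any change), not as an automatic removal decision; on a 64-bit system the same three keys also exist under Wow6432Node and should be checked in the same way.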
 
Joined: Aug 27, 2005 | Messages: 3 | Reaction score: 0
Registry Mechanic makes automatic back-ups so if you mess something up you can always restore it.
 
