konoorequug.exe removed, but keeps returning

Last week a client phoned me complaining about slow startups and a slow internet connection on his Windows XP SP3 computer.
Malware was suspected.

I went there to see what could be wrong.
I noticed a lot of hard disk activity on boot-up, as if some software was being installed before the logon screen appeared. I recognised this because in larger corporate networks the same thing happens when software is distributed via Group Policy.

So I ran Malwarebytes' Anti Malware and it came up with these infected files:

  • C:\WINDOWS\system32\konoorequug.exe (Trojan.FakeAlert) -> Delete on reboot.
  • C:\System Volume Information\_restore{ECA7A8CE-0208-47F7-9BE3-C27AE99BAA28}\RP1027\A0545976.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • C:\System Volume Information\_restore{ECA7A8CE-0208-47F7-9BE3-C27AE99BAA28}\RP1027\A0545984.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • C:\WINDOWS\system32\voutooj.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
  • C:\WINDOWS\system32\System.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.

So after a restart of the computer all malware should have been removed.

But it wasn't!
After the restart the system booted slowly and there was a lot of hard disk activity, just like before.
I ran Malwarebytes' Anti-Malware again and the same konoorequug.exe showed up again!

So, further investigation was necessary.

I ran Spybot Search & Destroy and it found this malware entry in the registry:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\TaskMan

I cannot recall the name Spybot gave it, but I had to investigate this registry key.
There it was: the TaskMan value contained the string "C:\Documents and Settings\\Application Data\yftza.exe"!
This unknown program was executed each time before the Logon User Interface was loaded!
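To catch this kind of persistence without waiting for a scanner signature, the Winlogon values can be audited directly. The following script is an added example, not part of the original post: it reads the Winlogon key, compares Shell and Userinit against their stock defaults, flags a TaskMan value at all (it is normally absent), and reports the size and modification time of whatever file an unexpected value points to. It assumes PowerShell 2.0 or later is available on the machine (PowerShell is an optional install on XP SP3) and that it is run from an elevated prompt; the baseline hashtable is a constructed set of expected defaults.

```powershell
# Added example (not from the original post): audit Winlogon persistence values.
# Assumes PowerShell 2.0+ and an elevated session.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Constructed baseline: stock defaults for Shell and Userinit; TaskMan is
# normally not present at all, so any value is reported.
$expected = @{
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
    'TaskMan'  = $null
}

$props = Get-ItemProperty -Path $winlogon

foreach ($name in $expected.Keys) {
    $actual = $props.$name
    $want   = $expected[$name]

    if ($null -eq $actual) {
        if ($null -eq $want) { Write-Host "[ok] $name is not set" }
        else { Write-Warning "$name is missing (expected '$want')" }
        continue
    }

    # String comparison in PowerShell is case-insensitive, which suits registry paths.
    if (($null -eq $want) -or ($actual -ne $want)) {
        Write-Warning "$name = '$actual' (expected '$want')"

        # Take the first comma-separated entry and strip quotes to get the file path.
        $exe = ($actual -split ',')[0].Trim('"').Trim()
        if (Test-Path -LiteralPath $exe) {
            $f = Get-Item -LiteralPath $exe
            Write-Host "    file: $($f.FullName)  size: $($f.Length) bytes  modified: $($f.LastWriteTime)"
        } else {
            Write-Host "    referenced file not found on disk: $exe"
        }
    } else {
        Write-Host "[ok] $name = '$actual'"
    }
}
```

On a clean XP SP3 machine this prints two `[ok]` lines for Shell and Userinit and one for TaskMan being absent; a TaskMan value pointing into a user profile directory, as in the case above, is reported as a warning together with the file's timestamp, which is usually enough to tie it to the rest of the infection. The same check can be repeated against `HKCU:` for the per-user Winlogon values.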

Now removal was easy:

The computer came up clean and the case was closed.

Just wanted to share this solution with you.
Good luck and happy computing :-)

