Author Topic: Win32:BHO-R  (Read 20872 times)


MareJordan

  • Guest
Win32:BHO-R
« on: November 27, 2006, 05:52:23 PM »
I am struggling over here!!  I really need to be doing something with this trojan ...  WIN32:BHO-R !!
I have been researching and looking for removal of this pest, but too overwhelming for this county gal! I would appreciate a walk through in smacking this pest !!

So far, what I have done ... I am installed with WindowsXP. - I am upgraded to Avast 4.7.  I have scanned thoroughly on scheduled boot scan in safe mode.
Daily thorough scans with Avast. - I have downloaded and scanned with a-squared Anti-Malware 2.1.
Deleting internet temp files daily (hopefully in the right locations!).

After reading some of these forums (really like your remarks DavidR), looks like I made a mistake of deleting the viruses in the Avast Chest. I am getting about 25 win32:BHO-R detections daily (with numerous unwanted pop-ups), which are being detected in C:\Docume~1\Owner\LOCALS~1\Temp. And yes, my firewall is up and running.

I have been using Avast for a few years, it's a wonderful tool, and have recommended this to others. But, I think we have a new bug here?  .... I would be grateful for guidance .. Marian

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:BHO-R
« Reply #1 on: November 27, 2006, 06:11:34 PM »
Hi MareJordan,

Please run scans with the following:

AVG Anti-Spyware: (Requires Win2000/XP)

http://www.ewido.net/en/

Spybot Search & Destroy:

http://www.safer-networking.org/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Please post a HijackThis! log if none of these works:

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Good luck!
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Spiritsongs

  • Guest
Re: Win32:BHO-R
« Reply #2 on: November 27, 2006, 07:18:01 PM »
 :)  Hi MareJordan :

     I recommend the FREE version of "SUPERantispyware" available from www.superantispyware.com
     instead of "Spybot" since its quality has fallen in recent months .

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Win32:BHO-R
« Reply #3 on: November 27, 2006, 08:31:52 PM »
I have to say my trial of SuperAntiSpyware has come to an end and it is no longer on my system. It froze on two successive scans totally locking my system. I had to resort to a 5 second press of the power button to force as tidy a shut-down as possible.

I'm now trying Spyware Terminator and my first impressions aren't impressed, it didn't give me a warm feeling of security, I have totally disabled the resident protection to use it as on-demand only. But, delving into its settings there are many setting options that aren't easy to understand what they might or might not do and I don't like that one bit.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #4 on: November 28, 2006, 02:52:00 AM »
Thank you for all the leads into trying to fix my sick computer!!  It is taking a very long time to download the softwares, and scanning.  I will let you know of the progress later...  Again, thank you!!

Spiritsongs

  • Guest
"SUPERantispyware"
« Reply #5 on: November 28, 2006, 06:06:39 PM »
 :)  Hi DavidR :

     What "trial" of "SUPERantispyware" were you using, the "Pro" version ? Were you using the
     latest ver 3.3 or the prior ver 3.2 ?  Did you ask for help on their Support Forums at :
     http://forums.superantispyware.com ?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Win32:BHO-R
« Reply #6 on: November 28, 2006, 06:13:33 PM »
I had been using the free version (just for normal usage no barrage of malware samples) for about a month, can't recall what version. I reported the problem on the uninstall questionnaire form, but I didn't take any time to check out the forum.

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #7 on: November 28, 2006, 08:24:24 PM »
Ok Everyone!!  Update of my progress...    :-\
I took me a 3 hr nap, and got back to this experience of trying to be a real Technician!! It has been a real slow progress of downloading, as this pest [Win32:BHO-R] keeps disturbing me!! He popped up 13 times to say "Hi" to me after the second scan!! Then froze my computer up too!!

What I managed to get done:
Downloaded and scanned with the following:
 1. a-squared Anti-Malware 2.1
 2. AVG Anti-Spyware
 3. Spybot Search & Destroy [spybotsd14.exe]
 4. Ad-Aware SE Personal

Results?  That pest is still popping up at me!!

Frank suggested that I post a HijackThis!.. That may be interesting, as I don't know if I am smart enough to figure that one out!!
Let you know if I need some brain assistance.

Later ...  Marian

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Win32:BHO-R
« Reply #8 on: November 28, 2006, 08:40:46 PM »
Quote
Results?  That pest is still popping up at me!!
Did you follow all the suggestions posted here?
http://forum.avast.com/index.php?topic=24699.msg205956#msg205956
The best things in life are free.

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #9 on: November 29, 2006, 09:02:49 PM »
I am back, still frustrated, sorry...  I did take the following suggestion, and still having Avast telling me that it is still detecting virus ...   win32:BHO-R

Quote
Did you follow all the suggestions posted here?
http://forum.avast.com/index.php?topic=24699.msg205956#msg205956

I will try and see if I can do HijackThis. After deleting temp files, scanning with Spywares, Avast is still detecting the virus at the beginning of the bootup. It is down to about 5 detections, where it was up as much as 20 detections before! I must have a root somewhere?  ..  Thanks for the guidance so far .. Mare


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:BHO-R
« Reply #10 on: November 29, 2006, 09:08:08 PM »
Try a couple of rootkit scanners:

http://www.freewarefiles.com/downloads_counter.php?programid=22524

http://www.f-secure.com/blacklight/

The link I posted for HijackThis! has some screen shots to help you through posting a log if that fails.

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #11 on: November 30, 2006, 01:00:06 AM »
Thanks Frank!!

I did download http://www.freewarefiles.com/downloads_counter.php?programid=22524, scanned it. And again, the Avast warned me with 3 detections for "Win32:BHO-R" virus. I can not believe I am having problems getting rid of this one virus!
When I run a scan with Avast, it tells me I have no infections, so supposedly, when I get noticed from Avast, I am putting them 'Chest' and doesn't get recognized during the scan?
The Original location they are coming from is: C:\DOCUME~1\Owner\LOCALS~1\Temp .   31 detections just for Nov 29th !

I have linked into HijackThis. I am stuck!!  I did download the .exe and Icon is on my desktop.
I am now where I am told to [Start] the program. 
I double click on the Icon, pops up [Open File - Security Warning] dialog box, I click on [Run], pops up [WinZip Self-Extractor - hijackis_sfx.exe] dialog box..    Does this tell me that I don't have a winzip software installed in my computer?  ???  Guess I go searching again!! 

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #12 on: November 30, 2006, 05:02:15 AM »
LogfileOfHijackThis v1.99.1
Scan saved at 8:48:46 PM, on 11/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Registry Cleaner\RCSystemTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Corel\Office7\Dad7\QUICK.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe

[Continue on next page.]

MareJordan

  • Guest
Re: Win32:BHO-R
« Reply #13 on: November 30, 2006, 05:03:24 AM »
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\companion\Installs\cpn3\yt.dll
O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Wireless Optical Mouse\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [RCSystemTray] C:\Program Files\Registry Cleaner\RCSystemTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: Corel Desktop Application Director.LNK = C:\Corel\Office7\Dad7\QUICK.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Post Image to Blog - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
O8 - Extra context menu item: Tag This Image - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
O8 - Extra context menu item: Upload All Images to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
O8 - Extra context menu item: Upload Image to ImageShack - res://C:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.ctctel.com/
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://toolbar.imageshack.us
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{070B5D4F-B732-48E6-B93E-4F9AE8CC58B0}: NameServer = 72.20.64.11 72.20.64.12
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


I did it!!  Maybe you can help me find out what is bugging me now?  I just rebooted, and Avast just warned me with 8 virus detections.. all being win32:BHO-R

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Win32:BHO-R
« Reply #14 on: November 30, 2006, 11:12:46 AM »
Well done!

You seem to be running HijackThis! from a temporary folder:

Quote
Remember that Hijackthis must be run in an own folder. Only if Hijackthis run in an own folder it will create backups!

You need to extract HijackThis! to its own folder.

First go to Control Panel>Add/Remove and uninstall the following programs if found:

UCSearch, SoftwareOnline, MyWebSearch.

EDIT: Disable AVG Anti-Spyware's monitoring if it is running, so that it does not interfere with HijackThis!:
Right-click the system tray icon and uncheck real time protection.

When you've done that, run HijackThis! again and tick the following entries (if they are still there), click on 'fix' and reboot:

O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB

UCSearch:

http://www.castlecops.com/atxlist-1362.html

O4 - HKCU\..\Run: [SOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRA~1\SOFTWA~2\soproc.exe -pack RegSoAlertWxLiteNnAj

SoftwareOnline:

http://www.liutilities.com/products/wintaskspro/processlibrary/soproc/

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZU

MyWebSearch

http://www.pchell.com/support/mywebsearch.shtml

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

(Redundant entries)

I also need you to check one file. Can you please submit this file:

C:\PROGRA~1\CAMDEV~1\CAMUNZ~1\cuz.exe

to VirusTotal and report if any of the scanners identify it as malware?

http://www.virustotal.com/en/indexf.html

EDIT: I think this may be the CAM UnZip program running from a temporary file. If so you need to install it into its own folder, See Steps to Downloading another choice ZIP Utility Program File here:

http://vcclearns.vcc.ca/html/downloadsftw.html

Good luck!

EDIT:

I also recommend you run the Microsoft MS Java removal tool:

http://www.majorgeeks.com/download4158.html

And then install Sun Java:

http://www.java.com/en/download/index.jsp
« Last Edit: November 30, 2006, 12:19:22 PM by FreewheelinFrank »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog
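
Added example (not part of any forum post, and not HijackThis or avast! code): a small Python triage pass over a HijackThis log like the one posted in this thread. It flags processes running from a temp folder and entries marked (no file) or (file missing); the function names and the "parse-artifact" label are hypothetical, and treating a (file missing) entry whose executable is also listed as running as a likely log artifact is this example's assumption.

```python
import re

# Lines excerpted from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\HijackThis.exe
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")      # e.g. "O4 - HKLM\..\Run: ..."
TEMP_DIR = re.compile(r"\\te?mp\\", re.I)            # ...\Temp\ or ...\tmp\
EXE_PATH = re.compile(r'[A-Za-z]:\\[^"*?<>|]+?\.(?:exe|dll)', re.I)


def parse(log):
    """Split a log into running-process paths and (code, text) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in log.splitlines()):
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def triage(log):
    """Return (kind, line) findings worth a human look."""
    processes, entries = parse(log)
    running = {p.lower() for p in processes}
    findings = [("temp-exec", p) for p in processes if TEMP_DIR.search(p)]
    for code, text in entries:
        line = f"{code} - {text}"
        if text.endswith("(no file)"):
            findings.append(("orphan", line))
        elif text.endswith("(file missing)"):
            m = EXE_PATH.search(text)
            path = m.group(0).lower() if m else ""
            # Assumption: if the "missing" file is running, the flag is a log
            # artifact. Short (8.3) and long path forms are not reconciled.
            kind = "parse-artifact" if path in running else "orphan"
            findings.append((kind, line))
    return findings


if __name__ == "__main__":
    for kind, line in triage(SAMPLE_LOG):
        print(f"{kind:15} {line}")
```

The output is a reading aid only; which entries to fix is still the helper's call, as in the reply above.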