Author Topic: Trojan.BHO virus keeps reappearing ? ? . . .  (Read 3297 times)

Offline JG98258

  • Newbie
  • *
  • Posts: 8
Trojan.BHO virus keeps reappearing ? ? . . .
« on: April 11, 2009, 06:31:21 PM »
Good afternoon Avast forum- following your advice I've been periodically running Avast, Superantispyware, and Antimalware. In the Antimalware scans, I keep getting the same 2 registry keys as being infected. The logfile is posted below:

Malwarebytes' Anti-Malware 1.36
Database version: 1964
Windows 5.1.2600 Service Pack 3

4/11/2009 10:03:32 AM
mbam-log-2009-04-11 (10-03-22).txt

Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 152889
Time elapsed: 24 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.

Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
___________________________________

These 2 registry keys are listed in the Quarantine section of MBAM for each time I've done a scan, about 6 times in the last 3 months. The vendor listed is "Trojan.BHO". Also in this quarantine list is a file listed as Trojan.Agent in the vendor, a file named "helper.sig" in the C:\Program Files\Common directory.

My question is- if I've been doing the "delete on reboot" that MBAM suggests, why do these 2 keys keep showing up in new scans? I'm wondering if somehow a trojan is still on my computer and keeps reinstalling itself.


Thanks for your help.





Offline Spiritsongs

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1761
  • Ad-aware orientated Support forum(s)
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #1 on: April 11, 2009, 07:16:15 PM »
 :)  Hi :

 The Results shown in the Malwarebytes Log say "No action taken", which
 most likely means Malwarebytes did NOT remove the "infections" . You should
 run another Malwarebytes scan, then : At this point you should click on the Show Results button.


A screen displaying all the malware that the program found will be shown

You should now click on the Remove Selected button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.


When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.


You can now exit the MBAM program.
For the Best in what counts in Life :
www.tacf.org
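
The "No action taken" check described in the reply above can be automated. The following is an added example, not part of the original thread and not Malwarebytes' own code: it parses a log in the MBAM 1.36 text layout shown in the first post, lists detections the scanner reported but did not act on, and cross-checks the summary counts against the itemized entries. The function names are hypothetical, and the parser assumes the `<path> (<threat>) -> <action>.` line layout seen in that log.

```python
import re

# Log lines copied from the first post, trimmed to the sections the parser needs.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Registry Keys Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> No action taken.
Files Infected:
(No malicious items detected)
"""

COUNT_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary_counts, items) from an MBAM 1.x style text log."""
    counts, items, section = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := COUNT_RE.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := HEADER_RE.match(line):
            section = m["section"]  # itemized block starts here
        elif section and (m := ITEM_RE.match(line)):
            items.append({"section": section, **m.groupdict()})
    return counts, items

def unremediated(items):
    """Detections the scanner reported but did not act on."""
    return [i for i in items if i["action"].lower() == "no action taken"]

def count_mismatches(counts, items):
    """Sections whose itemized entries disagree with the summary count."""
    seen = {}
    for i in items:
        seen[i["section"]] = seen.get(i["section"], 0) + 1
    return {s: (n, seen.get(s, 0)) for s, n in counts.items() if n != seen.get(s, 0)}

if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    for i in unremediated(items):
        print(f'{i["section"]}: {i["path"]} [{i["threat"]}] -> {i["action"]}')
    print("count mismatches:", count_mismatches(counts, items))
```

Comparing the unremediated list across successive scan logs shows whether the same keys are returning after removal or were never removed in the first place.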

Offline JG98258

  • Newbie
  • *
  • Posts: 8
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #2 on: April 11, 2009, 08:55:30 PM »
Thanks for the help Spiritsongs- I have been having MBAM remove the 2 registry keys, then having it reboot the computer, and exiting the program after reboot. It seems to me the registry keys would then not come up if I do another scan, but they do. . . and they are listed in the Quarantine list multiple times. . . am I not understanding something about how MBAM works?

Also, it seems MBAM does not automatically reboot the computer after I hit the "remove infected files" now. Maybe I need to reinstall it.

Offline micky77

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1049
  • Trust no program
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #3 on: April 11, 2009, 10:30:14 PM »
Scan in safe mode, then remove keys in safe mode.
I Sandboxie

Offline Spiritsongs

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1761
  • Ad-aware orientated Support forum(s)
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #4 on: April 12, 2009, 05:27:10 AM »
 :)  Hi :

 I have had 1 Malwarebytes.org Advisor tell me it is NOT recommended to run
 their Anti-Malware program in "Safe Mode" .

 IF you have followed my previous "instructions" on HOW to properly use the
 Malwarebytes Anti-Malware program and you still get the "No Action taken"
 in the "Log", then I recommend you seek assistance on the malwarebytes.org
 Forums at www.malwarebytes.org/forums/ , specifically in their "General
 Malwarebytes' Anti-Malware Forum" .
For the Best in what counts in Life :
www.tacf.org

Online DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69205
  • Gender: Male
  • No support PMs thanks
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #5 on: April 12, 2009, 12:52:27 PM »
What reason was given and where is the reference as I too would be interested to see it ?

Kind of makes a mockery of allowing MBAM to be installed in safe mode.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Spiritsongs

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1761
  • Ad-aware orientated Support forum(s)
MBAM "Safe Mode" Scan(s) !?
« Reply #6 on: April 12, 2009, 07:47:51 PM »
 :)  Hi David :

 The following is a Private message I received from a Malware Removal
 Specialist named "TeMerc" several months ago after he went to work on the
 MBAM Support Forums :

 "I've only just become aware of the difference of scanning with MBAM using the quick scan method. Essentially, there is one, it takes much longer to do a full scan, but it won't find anything more than a 'quick' scan will. Quick scans look in all the critical places that malware can hide. If new areas are found, they're added ASAP. Also, just in case, safe mode scans are not recommended either. Due to the simple fact that malware tends to hide in safe mode or rather, not start. So it's almost a given that MBAM will miss malware if safe mode scanning is done. It must be able to scan all modules which run to find them. And in the interest of full disclosure: http://www.temerc.com/forums/viewtopic.php?f=1&t=6315

 Hope that's been helpful .

 Tom  "   

 
« Last Edit: April 12, 2009, 07:57:05 PM by Spiritsongs »
For the Best in what counts in Life :
www.tacf.org

Offline micky77

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1049
  • Trust no program
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #7 on: April 12, 2009, 08:03:53 PM »
The reason for scanning in safe mode is not to detect malware, but to make it easier to remove malware that was not removed successfully in normal mode.
I Sandboxie

Offline Spiritsongs

  • avast! Evangelist
  • Super Poster
  • ***
  • Posts: 1761
  • Ad-aware orientated Support forum(s)
Safe Mode scanning
« Reply #8 on: April 12, 2009, 08:09:16 PM »
 :)  Hi Micky :

 How is One going to be able to "remove" malware that is NOT able to be
 "detected" !? As far as I was informed, ask for further details on the MBAM
 Support Forums .
For the Best in what counts in Life :
www.tacf.org

Offline micky77

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1049
  • Trust no program
Re: Trojan.BHO virus keeps reappearing ? ? . . .
« Reply #9 on: April 12, 2009, 08:24:01 PM »
It's common knowledge that security programs that cannot remove malware in normal mode advise using safe mode.
« Last Edit: April 12, 2009, 08:26:50 PM by micky77 »
I Sandboxie

 
