August 7, 2008 on 8:05 pm | In Malware analysis | 197 Comments

A strange one this. Discovered in June 2006 according to McAfee, but still active. That makes it a dinosaur in malware country. I happened across it while looking for something else, but that person only had an after-effect caused by the (incomplete) removal by McAfee and couldn’t provide me with a sample. But another victim found that thread and contacted me.
His girlfriend’s computer was infected and he was a big help in figuring out this infection.
You can read our dialogue here.

After registering the helper.dll provided by fylraen, I found the description by McAfee to be pretty accurate.

The infection can be recognized by this line in a HijackThis log:
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
or by a user complaining that Explorer opens the folder %programfiles%\Common after boot; that folder may contain files called helper.dll and helper.sig.

Total Uninstall log:

My Computer

File System
(+)(FOLDER) C:\Program Files\Common
(+)(FILE) helper.dll = 22:08 30-07-08 278540 bytes

(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG VAL) (Default) = 'main.BHO.1'
(+)(REG VAL) (Default) = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG VAL) (Default) = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'
(+)(REG KEY) HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG VAL) AppID = '{A0E1054B-01EE-4D57-A059-4D99F339709F}'
(+)(REG VAL) AppID = '{A0E1054B-01EE-4D57-A059-4D99F339709F}'
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID
(+)(REG VAL) (Default) = 'main.BHO'
(+)(REG VAL) (Default) = '{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\Programmable
(+)(REG VAL) (Default) = 'main.BHO.1'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
(+)(REG VAL) ThreadingModel = 'Apartment'
(+)(REG VAL) (Default) = 'C:\Program Files\Common\helper.dll'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
(+)(REG VAL) (Default) = 'IBHO'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib
(+)(REG VAL) Version = '1.0'
(+)(REG VAL) (Default) = '{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32
(+)(REG VAL) (Default) = '{00020424-0000-0000-C000-000000000046}'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid
(+)(REG VAL) (Default) = '{00020424-0000-0000-C000-000000000046}'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
(+)(REG VAL) (Default) = 'main 1.0 Type Library'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR
(+)(REG VAL) (Default) = 'C:\Program Files\Common'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS
(+)(REG VAL) (Default) = '0'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32
(+)(REG VAL) (Default) = 'C:\Program Files\Common\helper.dll'
(+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) NoExplorer = 1
(+)(REG VAL) (Default) = ''
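The log above shows the chain a BHO infection leaves behind: an entry under the Browser Helper Objects key naming a CLSID, whose InprocServer32 default value points at the DLL that Internet Explorer will load. The following PowerShell snippet walks that chain on a live machine and flags the DeepDive indicators quoted in this post. It is an added example, not part of the original post or of any tool mentioned here; the CLSID and DLL path come from the post, the function names are mine, and the Wow6432Node lookups are an assumption for 64-bit Windows.

```powershell
# Added example (not from the original post): enumerate registered BHOs, resolve
# each CLSID to its InprocServer32 DLL, and flag the DeepDive indicators above.
$BhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE on 64-bit Windows registers here instead (assumption for x64 hosts)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$DeepDiveClsid = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'        # from the HijackThis O2 line
$DeepDiveDll   = Join-Path $env:ProgramFiles 'Common\helper.dll'  # from the Total Uninstall log

function Get-RegisteredBho {
    foreach ($root in $BhoRoots | Where-Object { Test-Path $_ }) {
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName
            $dll = $null
            # HKCR has no default PSDrive, so reach it through the Registry:: provider.
            foreach ($hive in 'CLSID', 'Wow6432Node\CLSID') {
                $inproc = "Registry::HKEY_CLASSES_ROOT\$hive\$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $dll = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }
            [pscustomobject]@{
                Clsid      = $clsid
                Dll        = $dll
                DllExists  = [bool]($dll -and (Test-Path -LiteralPath $dll))
                # NoExplorer = 1 (as in the log) means IE loads the BHO but Windows Explorer does not
                NoExplorer = [int](Get-ItemProperty $key.PSPath).NoExplorer
            }
        }
    }
}

function Test-DeepDiveIndicators {
    $hits = @()
    if (Test-Path -LiteralPath $DeepDiveDll) { $hits += "file present: $DeepDiveDll" }
    foreach ($bho in Get-RegisteredBho) {
        if ($bho.Clsid -ieq $DeepDiveClsid) {
            $hits += "DeepDive CLSID registered as BHO -> $($bho.Dll)"
        } elseif ($bho.Dll -like '*\Common\helper.dll') {
            $hits += "BHO $($bho.Clsid) loads helper.dll from $($bho.Dll)"
        }
    }
    return $hits
}

Get-RegisteredBho | Format-Table -AutoSize
$findings = Test-DeepDiveIndicators
if ($findings) { $findings } else { 'No DeepDive indicators found.' }
```

A BHO whose DLL no longer exists on disk (DllExists false) is the kind of leftover an incomplete removal produces, which matches the after-effect described at the top of the post.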

My proposed fix:

Please download Brute Force Uninstaller.

  • Right click the downloaded BFU folder, and choose Extract All
  • Click “Next”
  • In the box to choose where to extract the files to, click “Browse”
  • Click on the + sign next to “My Computer”
  • Click on “Local Disk (C:)” or whatever your primary drive is
  • Click “Make New Folder”
  • Type in BFU
  • Click “Next”, and Uncheck the “Show Extracted Files” box and then click “Finish”.

RIGHT-CLICK HERE and choose “Save As” (in IE it’s “Save Target As”) to download DeepDive Remover.
Save it in the same folder you made earlier (C:\BFU).

Then, please go to Start > My Computer and navigate to the C:\BFU folder.

  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Next to the “Scriptline to execute” field, click the folder icon and select DeepDive.bfu
  • Press Execute and let the program do its job. (Do not be startled when your taskbar disappears for a little while.)
  • Wait for the “Complete script execution” box to pop up and press OK.
  • Press Exit to terminate the BFU program.
  • A Notepad file called BFUlogdeepdive.txt will be created on the system drive (usually the location will be C:BFUlogdeepdive.txt). Please post the content of that file.
