DeepDive
August 7, 2008 on 8:05 pm | In Malware analysis | 197 CommentsA strange one this. Discovered in June 2006 according to McAfee, but still active. That makes it a dinosaur in malware country. I happened across it looking for something different, but that person only had an aftereffect caused by the (incomplete) removal by McAfee and couldn’t provide me with a sample. But another victim found that thread and contacted me.
His girlfriends computer was infected and he was a big help figuring out this infection.
You can read our dialogue here.
After registering the helper.dll provided by fylraen I found the description by McAfee to be pretty accurate.
The infection can be recognized by this line in a HijackThis log
O2 – BHO: Browser Helper Object – {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} – C:Program FilesCommonhelper.dll
or by user complaining about explorer opening the folder %programfiles%Common after boot which could contain files called helper.dll and helper.sig
Total Uninstall log:
My Computer
===============
File System
===============
(+)(FOLDER) C:Program FilesCommon
(+)(FILE) helper.dll = 22:08 30-07-08 278540 bytes
Registry
===============
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHOCurVer
(+)(REG VAL) (Default) = ‘main.BHO.1’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHOCLSID
(+)(REG VAL) (Default) = ‘{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO.1
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTmain.BHO.1CLSID
(+)(REG VAL) (Default) = ‘{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}’
(+)(REG KEY) HKEY_CLASSES_ROOTAppID{A0E1054B-01EE-4D57-A059-4D99F339709F}
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTAppIDmain.DLL
(+)(REG VAL) AppID = ‘{A0E1054B-01EE-4D57-A059-4D99F339709F}’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) AppID = ‘{A0E1054B-01EE-4D57-A059-4D99F339709F}’
(+)(REG VAL) (Default) = ‘Browser Helper Object’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}VersionIndependentProgID
(+)(REG VAL) (Default) = ‘main.BHO’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}TypeLib
(+)(REG VAL) (Default) = ‘{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}Programmable
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}ProgID
(+)(REG VAL) (Default) = ‘main.BHO.1’
(+)(REG KEY) HKEY_CLASSES_ROOTCLSID{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}InprocServer32
(+)(REG VAL) ThreadingModel = ‘Apartment’
(+)(REG VAL) (Default) = ‘C:Program FilesCommonhelper.dll’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}
(+)(REG VAL) (Default) = ‘IBHO’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}TypeLib
(+)(REG VAL) Version = ‘1.0’
(+)(REG VAL) (Default) = ‘{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}ProxyStubClsid32
(+)(REG VAL) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REG KEY) HKEY_CLASSES_ROOTInterface{986A8AC1-AB4D-4F41-9068-4B01C0197867}ProxyStubClsid
(+)(REG VAL) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0
(+)(REG VAL) (Default) = ‘main 1.0 Type Library’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0HELPDIR
(+)(REG VAL) (Default) = ‘C:Program FilesCommon’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0FLAGS
(+)(REG VAL) (Default) = ‘0’
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0
(+)(REG KEY) HKEY_CLASSES_ROOTTypeLib{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}1.0 win32
(+)(REG VAL) (Default) = ‘C:Program FilesCommonhelper.dll’
(+)(REG KEY) HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionExplorerBrowser Helper Objects{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) NoExplorer = 1
(+)(REG VAL) (Default) = ”
My proposed fix:
Please download Brute Force Uninstaller .
- Right click the downloaded BFU folder, and choose Extract All
- Click “Next”
- In the box to choose where to extract the files to,
- Click “Browse”
- Click on the + sign next to “My Computer”
- Click on “Local Disk (C:) or whatever your primary drive is
- Click “Make New Folder”
- Type in BFU
- Click “Next”, and Uncheck the “Show Extracted Files” box and then click “Finish”.
RIGHT-CLICK HERE and choose “Save As” (in IE it’s “Save Target As”) in order to download DeepDive Remover.
Save it in the same folder you made earlier (c:BFU).
Then, please go to Start > My Computer and navigate to the C:BFU folder.
- Start the Brute Force Uninstaller by doubleclicking BFU.exe
- Behind the scriptline to execute field click the folder icon and select DeepDive.bfu
- Press Execute and let the program do it’s job. (Do not be startled as your taskbar will disappear for a little while.)
- Wait for the complete script execution box to pop up and press OK.
- Press exit to terminate the BFU program.
- A notepad file called BFUlogdeepdive.txt will be created on the systemdrive (usually the location will be C:BFUlogdeepdive.txt). Post the content of that file please.
Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds.
Valid XHTML and CSS. ^Top^