DeepDive
August 7, 2008 on 8:05 pm | In Malware analysis | 197 Comments
A strange one, this. Discovered in June 2006 according to McAfee, but still active, which makes it a dinosaur in malware country. I happened across it while looking for something else, but that person only had an aftereffect caused by the (incomplete) removal by McAfee and couldn't provide me with a sample. But another victim found that thread and contacted me.
His girlfriend's computer was infected and he was a big help in figuring out this infection.
You can read our dialogue here.
After registering the helper.dll provided by fylraen, I found the description by McAfee to be pretty accurate.
The infection can be recognized by this line in a HijackThis log:
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
or by the user complaining that Explorer opens the folder %programfiles%\Common after every boot; that folder may contain files called helper.dll and helper.sig.
Total Uninstall log:
My Computer
===============
File System
===============
(+)(FOLDER) C:\Program Files\Common
(+)(FILE) helper.dll = 22:08 30-07-08 278540 bytes
Registry
===============
(+)(REG KEY) HKEY_CLASSES_ROOT\main.BHO
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG KEY) HKEY_CLASSES_ROOT\main.BHO\CurVer
(+)(REG VAL) (Default) = 'main.BHO.1'
(+)(REG KEY) HKEY_CLASSES_ROOT\main.BHO\CLSID
(+)(REG VAL) (Default) = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'
(+)(REG KEY) HKEY_CLASSES_ROOT\main.BHO.1
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG KEY) HKEY_CLASSES_ROOT\main.BHO.1\CLSID
(+)(REG VAL) (Default) = '{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}'
(+)(REG KEY) HKEY_CLASSES_ROOT\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG KEY) HKEY_CLASSES_ROOT\AppID\main.DLL
(+)(REG VAL) AppID = '{A0E1054B-01EE-4D57-A059-4D99F339709F}'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) AppID = '{A0E1054B-01EE-4D57-A059-4D99F339709F}'
(+)(REG VAL) (Default) = 'Browser Helper Object'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\VersionIndependentProgID
(+)(REG VAL) (Default) = 'main.BHO'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\TypeLib
(+)(REG VAL) (Default) = '{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\Programmable
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\ProgID
(+)(REG VAL) (Default) = 'main.BHO.1'
(+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}\InprocServer32
(+)(REG VAL) ThreadingModel = 'Apartment'
(+)(REG VAL) (Default) = 'C:\Program Files\Common\helper.dll'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
(+)(REG VAL) (Default) = 'IBHO'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\TypeLib
(+)(REG VAL) Version = '1.0'
(+)(REG VAL) (Default) = '{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid32
(+)(REG VAL) (Default) = '{00020424-0000-0000-C000-000000000046}'
(+)(REG KEY) HKEY_CLASSES_ROOT\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}\ProxyStubClsid
(+)(REG VAL) (Default) = '{00020424-0000-0000-C000-000000000046}'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0
(+)(REG VAL) (Default) = 'main 1.0 Type Library'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\HELPDIR
(+)(REG VAL) (Default) = 'C:\Program Files\Common'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\FLAGS
(+)(REG VAL) (Default) = '0'
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0
(+)(REG KEY) HKEY_CLASSES_ROOT\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}\1.0\0\win32
(+)(REG VAL) (Default) = 'C:\Program Files\Common\helper.dll'
(+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
(+)(REG VAL) NoExplorer = 1
(+)(REG VAL) (Default) = ''
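The listing above is, in effect, the complete footprint of the BHO: four COM GUIDs, two ProgIDs, an AppID and two files. As an added example (not code from the original post), here is a small Python matcher that looks for exactly that footprint in the text of a HijackThis or Total Uninstall log, so a helper reading posted logs does not have to eyeball the GUIDs. The indicator values are the ones from the listing; the sample log lines are constructed, and the second GUID in them is a placeholder standing in for an unrelated, benign BHO.

```python
"""Match the DeepDive BHO indicators from the post against log text.

Added example, not code from the original post. Indicator values come
from the Total Uninstall listing above; the sample log is constructed.
"""
import re

# COM registration GUIDs reported in the post, upper-cased for lookup.
DEEPDIVE_GUIDS = {
    "{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}": "BHO CLSID",
    "{A0E1054B-01EE-4D57-A059-4D99F339709F}": "AppID",
    "{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}": "TypeLib",
    "{986A8AC1-AB4D-4F41-9068-4B01C0197867}": "IBHO interface",
}

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.IGNORECASE)
# main.BHO / main.BHO.1 ProgIDs and the AppID\main.DLL key, as registry path components.
PROGID_RE = re.compile(r"\\(?:main\.BHO(?:\.1)?|AppID\\main\.DLL)(?=[\\'\s]|$)", re.IGNORECASE)
# helper.dll, _helper.dll or helper.sig inside <Program Files>\Common.
PAYLOAD_PATH_RE = re.compile(r"\\Common\\_?helper\.(?:dll|sig)\b", re.IGNORECASE)
# helper.sig on its own is distinctive enough (Total Uninstall lists files without a path).
SIG_FILE_RE = re.compile(r"(?<![\w.])_?helper\.sig\b", re.IGNORECASE)


def classify_line(line):
    """Return the list of DeepDive indicators found in one log line (empty if none)."""
    reasons = []
    for guid in GUID_RE.findall(line):
        label = DEEPDIVE_GUIDS.get(guid.upper())
        if label:
            reasons.append(f"DeepDive {label} {guid.upper()}")
    if PROGID_RE.search(line):
        reasons.append("DeepDive ProgID/AppID registration")
    if PAYLOAD_PATH_RE.search(line):
        reasons.append("DeepDive payload under Program Files\\Common")
    elif SIG_FILE_RE.search(line):
        reasons.append("DeepDive data file helper.sig")
    return reasons


def scan_log(text):
    """Scan log text; return (line_no, reasons, line) for every flagged line."""
    hits = []
    for number, line in enumerate(text.strip().splitlines(), 1):
        reasons = classify_line(line)
        if reasons:
            hits.append((number, reasons, line.strip()))
    return hits


def is_infected(text):
    """True when at least one DeepDive indicator appears in the log text."""
    return bool(scan_log(text))


# Constructed sample: one HijackThis O2 line for DeepDive, one for an unrelated
# BHO with a placeholder GUID, then a few Total Uninstall style lines.
SAMPLE_LOG = r"""
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O2 - BHO: Example Toolbar - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\toolbar.dll
(+)(FOLDER) C:\Program Files\Common
(+)(FILE) helper.sig = 22:08 30-07-08 1024 bytes
(+)(REG KEY) HKEY_CLASSES_ROOT\AppID\main.DLL
(+)(REG VAL) NoExplorer = 1
"""

if __name__ == "__main__":
    for number, reasons, line in scan_log(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(reasons)}\n    {line}")
```

The GUIDs are the strongest indicators because a BHO cannot load without its CLSID being registered under both HKCR\CLSID and the Browser Helper Objects key; the file names are weaker on their own (helper.dll is a common name), which is why the matcher only treats helper.dll as an indicator when it sits under a Common folder, while helper.sig is accepted bare.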
My proposed fix:
Please download Brute Force Uninstaller.
- Right-click the downloaded BFU folder and choose Extract All
- Click "Next"
- In the box where you choose where to extract the files to, click "Browse"
- Click on the + sign next to "My Computer"
- Click on "Local Disk (C:)" or whatever your primary drive is
- Click "Make New Folder"
- Type in BFU
- Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download DeepDive Remover.
Save it in the same folder you made earlier (C:\BFU).
Then go to Start > My Computer and navigate to the C:\BFU folder.
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Next to the "Scriptline to execute" field, click the folder icon and select DeepDive.bfu
- Press Execute and let the program do its job. (Do not be startled: your taskbar will disappear for a little while.)
- Wait for the "complete script execution" box to pop up and press OK.
- Press Exit to terminate the BFU program.
- A Notepad file called BFUlogdeepdive.txt will be created on the system drive (usually at C:\BFUlogdeepdive.txt). Please post the content of that file.
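The log the script writes is what readers are asked to post, and the replies in the comments show how it is read: a run with Success lines for the deletes means DeepDive was present and its keys and files are now gone, while a run where every delete fails with "key does not exist" or "file not found" means there was nothing left to remove. As an added example (not part of the original post, and not part of BFU itself), here is a Python triage routine that applies that reading automatically. The Success/Failed line format is taken from the logs posted in the comments; the two embedded logs are abridged from those posts rather than captured afresh.

```python
"""Triage a Brute Force Uninstaller (BFU) log from the DeepDive script.

Added example, not part of the original post or of BFU. The Success/Failed
line format is the one in the logs readers posted below; the two sample logs
are abridged from those posts.
"""
import re

LINE_RE = re.compile(r"^(Success|Failed): (\w+) (.*?)(?: \((.+)\))?$")

# Actions that actually remove something; process kills and the Explorer
# restart are housekeeping and say nothing about whether the infection was present.
REMOVAL_ACTIONS = {"RegDeleteKey", "FileDelete", "FolderDelete", "DllUnregister"}
# Failure reasons that simply mean "already gone".
ABSENT_REASONS = {"file not found", "key does not exist", "folder not found"}


def parse_bfu_log(text):
    """Return one dict per Success/Failed line; header and footer lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            status, action, target, reason = match.groups()
            entries.append({"ok": status == "Success", "action": action,
                            "target": target, "reason": reason})
    return entries


def triage(text):
    """Summarise a run: what was removed, what was already absent, what errored."""
    entries = parse_bfu_log(text)
    removal = [e for e in entries if e["action"] in REMOVAL_ACTIONS]
    removed = [e for e in removal if e["ok"]]
    absent = [e for e in removal if not e["ok"] and e["reason"] in ABSENT_REASONS]
    errors = [e for e in removal if not e["ok"] and e["reason"] not in ABSENT_REASONS]
    # Deleting the BHO DLL itself is what actually stops the infection; a failed
    # DllUnregister on it is harmless when the keys are deleted explicitly afterwards.
    dll_deleted = any(e["action"] == "FileDelete" and e["target"].lower().endswith("helper.dll")
                      for e in removed)
    if removed:
        verdict = "removed"          # something of DeepDive was present and is now gone
    elif removal and not errors:
        verdict = "nothing-found"    # every delete reported absent: already clean
    else:
        verdict = "needs-review"     # empty/unrecognised log or unexplained failures
    return {"verdict": verdict, "removed": len(removed), "absent": len(absent),
            "errors": [f"{e['action']} {e['target']} ({e['reason']})" for e in errors],
            "dll_deleted": dll_deleted}


# Abridged from a log posted in the comments (run on an infected machine).
LOG_INFECTED = r"""BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Option Unload Explorer: Yes
Success: ProcessKillByPID 3128
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 8:57:11 PM.
"""

# Abridged from a log posted in the comments (run on a machine that was already clean).
LOG_ALREADY_CLEAN = r"""BFU v1.12.0
Success: ProcessKillByPID 3436
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: FolderDelete C:\Program Files\Common (folder not found)
Success: SystemRun C:\WINDOWS\explorer.exe||1
"""

if __name__ == "__main__":
    for name, log in (("infected", LOG_INFECTED), ("already clean", LOG_ALREADY_CLEAN)):
        print(name, triage(log))
```

The "needs-review" verdict is deliberately the fallback: a log with no recognisable delete lines, or with a failure reason other than the three "absent" ones, is exactly the case where the comments recommend having the full log looked at by a helper rather than declaring the machine clean.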
197 Comments »
Partizan follow up (false alarm):
The Partizan files I have are related to Greatis Software "Partizan – first Bootwatch Anti-Rootkit". However, I mistakenly thought it was the adware/malware that makes unwanted changes to one's browser and installs FindFM and CramToolbar.
More detailed info check here: http://www.spywaresignatures.com/details.php?spyware=partizan
Comment by Anthony — March 25, 2009 #
Thanks Anthony
Comment by metallica — March 25, 2009 #
Hi Metallica,
I had the helper.sig file and your BFU worked. Thx. I also had McAfee buffer overflow beforehand. In my case, my company had a home version of McAfee that we installed on my wife's computer. But when my company went to Symantec they stopped supporting it. So I uninstalled McAfee and installed the free AVG. Hope this info helps and thanks again, it was annoying
Comment by Earl — March 31, 2009 #
Oh, the buffer overflow started, I believe, when the McAfee license period through the company expired.
Comment by Earl — March 31, 2009 #
My pleasure Earl,
Thanks for letting us know.
Comment by metallica — March 31, 2009 #
I can’t find where it says extract all either. I don’t know where else I would find on my computer to unzip the file. Any suggestions?
Comment by Dana — April 4, 2009 #
Hi Dana,
If your Windows doesn’t have it built-in you can download and use something like IZarc
Comment by metallica — April 4, 2009 #
metallica;
Thank you for the free solution. I’m hooked!
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 9:38:37 AM, on 4/11/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 3420
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 2580
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 2276
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 9:39:17 AM.
Comment by Salukian — April 11, 2009 #
Thanks!! This is what I got
BFU v1.12.0
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 2:13:29 PM, on 4/11/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 1896
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 936
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 2:13:48 PM.
Comment by Thx4help — April 11, 2009 #
The file doesn't pop up anymore. Should I keep the BFU that was downloaded? Is there any other use to it?
Thanks for all your info. It showed up for us a few days ago. The only thing that we did differently was that we logged on to Limewire one night and it was there the day after. I have no clue where it comes from other than that. Do you know what its purpose is?
Comment by Thx4help — April 11, 2009 #
Salukian and Thx4help you are both very welcome.
You can delete BFU.exe, it is only a parser for the script I wrote. There are other scripts for it but not very many.
Thnx4help, I think it tries to "spy" your login info for certain sites. The information is encrypted and saved in helper.sig. How or how often the information is retrieved I do not know. Much less by whom or what they do with it.
Take care and protect your computers from malware. In that regard, using Limewire (or any other p2p) is not a good start.
Comment by metallica — April 11, 2009 #
I seem to have the same problem as everyone else in this blog, and I’m ready to proceed. I just have these questions:
1. Will this cleanup affect any other programs or systems on my computer? What other after-effects might I encounter?
2. How can I prevent it from reoccurring?
It seems to have started happening after my Norton Antivirus deleted a virus (dsound3dd.dll) from my computer April 8. I traced the infection to about April 2, when my son was watching something on Hulu.com. I disabled this BHO in Internet Explorer 7 through the “Manage Add-Ons” tool. I think in my case the DeepDive BHO is sending me pop-up ads whenever I started Internet Explorer 7–these have stopped since I disabled helper.dll, although I’m not sure what it’s doing behind the scenes. I will try your method and report back on results. Thanks.
Comment by michael — April 14, 2009 #
Hi michael,
1. The only thing you will notice is the folder no longer opening when you reboot.
2. There are several methods to protect your computer against malware. The basics would be a firewall, an antivirus and spywareprotection.
Comment by metallica — April 14, 2009 #
Here is my log. What do you think? (The folder is gone, and nothing popped up at reboot.)
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 8:56:58 PM, on 4/14/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 3128
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 8:57:11 PM.
Saved log output to C:\BFUlogdeepdive.txt
Comment by michael — April 15, 2009 #
Looks good michael
Comment by metallica — April 15, 2009 #
I am not sure if this worked.
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 9:20:48 AM, on 4/18/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 800
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 3504
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 9:21:03 AM.
Comment by Dana — April 18, 2009 #
Looks like it did work Dana.
Problems?
Comment by metallica — April 19, 2009 #
Could you please check this? It seems to have worked – it stopped the Common folder with the helper.sig and _helper.sig files.
Don’t know where I got it but THANK YOU for your help!
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 3:20:04 PM, on 4/19/09
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 1700
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 3532
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 3:20:26 PM.
Comment by Griff — April 19, 2009 #
I've had nothing but issues with my computer since Norton found but could not delete or quarantine the dsound3dd.dll downloader trojan. Hopefully this is the last of it.
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 3:23:07 PM, on 4/19/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 1948
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 828
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 3:24:03 PM.
Comment by Trina — April 19, 2009 #
Griff,
Looks good.
Trina, so does yours but if you have other problems I think it’s better to have your log analyzed at GeeksToGo or one of the ASAP member sites
Comment by metallica — April 20, 2009 #
why does every website say that deep dive is spyware?
Comment by Kris — April 20, 2009 #
Thanks metallica for the help. Everything appears to be working now. Your solution for the common folder was the last of a few problems I was having. With this fixed I think I have everything worked out.
Comment by Trina — April 21, 2009 #
Kris, tell me where I can install it and what it is for and I may change my mind.
Trina, you're welcome
Comment by metallica — April 21, 2009 #
I hope this worked because McAfee and Stopzilla keep saying they have found the Deep Dive virus only to have it come back time and time again….
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 8:59:18 AM, on 5/1/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 2532
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 3988
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 3528
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 8:59:23 AM.
Saved log output to C:\BFUlogdeepdive.txt
Comment by Richie — May 1, 2009 #
Looks good Richie,
If it comes back, let me know and send me the full report of the program flagging it.
Comment by metallica — May 1, 2009 #
Metallica- when I got on my computer this morning-Stopzilla said it had found the deep dive virus again. What report would you like me to send you flagging it? Thanks for any help you can provide!
Comment by Richie — May 2, 2009 #
Hi Richie,
Let me know what Stopzilla reports exactly. The wording could be very important.
Comment by metallica — May 3, 2009 #
I've had it come back a few times, but don't know exactly what you're asking for on a report. It scans for viruses and finds deep dive and asks if I would like to remove it. What should I be looking for? Thanks for all your help on this!
Richie
Comment by Richie — May 9, 2009 #
Well. I would like to know exactly how it tells you that it found DeepDive.
And if it has happened again since you used my script.
Comment by metallica — May 9, 2009 #
It popped up this morning in a different way.
Here is the script-
Spyware Alert:
Stopzilla has just deleted and blocked the following infections:
DeepDive
Would you like to scan and remove now?
I hope this makes sense- Once again- thanks for your help on this.
Comment by Richie — May 11, 2009 #
The problem is that I can’t make out if StopZilla is reporting the removal or a new addition of DeepDive.
It may be better if you get help and have your log analyzed at GeeksToGo or one of the ASAP member sites
Comment by metallica — May 11, 2009 #
Thanks Metallica, I've been dealing with this stupid thing for three weeks now, and you are the only one who knew how to get rid of it permanently. I think I got rid of it!! What do you think?
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 6:07:42 PM, on 5/14/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 12536
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 15940
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 23744
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 6:08:07 PM.
Comment by Stew — May 15, 2009 #
Sure looks like it Stew.
Glad I could be of assistance.
Comment by metallica — May 15, 2009 #
Was having this problem for a while. My version of CounterSpy was clearing up the helper.dll while leaving the helper.sig and the folder behind. After about 5 days or so the problem would return, so I used your method and it put all the files and folder into the recycle bin. Hopefully this is the end of the problem. Here is the log file; I hope it looks good. Any feedback would be greatly appreciated, thanks.
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 17:10:07, on 25/05/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 476
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 1412
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Success: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 17:10:42.
Comment by Alex — May 25, 2009 #
Looks good Alex.
Comment by metallica — May 25, 2009 #
Thanks for the feedback, much appreciated
Comment by Alex — May 26, 2009 #
Followed your instructions. Seems okay. Can you verify? Thanks a million.
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 10:58:45 AM, on 6/15/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 1868
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 8608
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 10:58:49 AM.
Comment by Sal — June 15, 2009 #
Hi Sal,
Looks OK to me.
Glad I could help.
Comment by metallica — June 15, 2009 #
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 1:12:44 PM, on 8/1/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 3436
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: FolderDelete C:\Program Files\Common (folder not found)
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 1:12:54 PM.
Comment by Nikki — August 1, 2009 #
Hi Nikki,
That looks like nothing was changed. Did you already clean the computer beforehand?
Comment by metallica — August 1, 2009 #
BFU v1.12.0
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 4:04:53 PM, on 9/2/2009
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 3296
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 2780
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 3828
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 1556
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (operation failed)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Success: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573}
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO
Success: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FileDelete C:\Program Files\Common\helper.dll
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 4:05:07 PM.
Thanks for posting this, I tried it. Hope it works.
Comment by Sondie — September 2, 2009 #
Hi Sondie,
From the looks of it, it did work.
Let me know if it didn’t.
Comment by metallica — September 3, 2009 #
I tried to download the Deep Dive remover. When I hit save target as it said cannot connect to server.
Comment by Harry — December 13, 2009 #
Hi Harry,
bfu.zip and deepdive.bfu are both still available.
Can you try downloading them on a clean computer and transferring them to the infected one, e.g. by USB stick?
Comment by metallica — December 13, 2009 #
Here is the result log. Thanks for posting instructions on how to get rid this annoying problem.
BFU v1.12.0
Windows XP SP3 (WinNT 5.01.2600 SP3)
Script started at 9:32:57 PM, on 1/4/2010
Option Unload Explorer: Yes
Option Delete files to Recycle Bin: Yes
Success: ProcessKillByPID 884
Success: ProcessKill C:\WINDOWS\explorer.exe|1
Success: ProcessKillByPID 980
Success: ProcessKill iexplore.exe|1
Success: ProcessKillByPID 968
Success: ProcessKill iexplore.exe|1
Failed: DllUnregister C:\Program Files\Common\helper.dll|1 (file not found)
Failed: DllUnregister C:\Program Files\Common\_helper.dll|1 (file not found)
Failed: DllUnregister \main.dll|1 (file not found)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\main.DLL (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\AppID\{A0E1054B-01EE-4D57-A059-4D99F339709F} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{986A8AC1-AB4D-4F41-9068-4B01C0197867} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{8E3C68CD-F500-4A2A-8CB9-132BB38C3573} (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Classes\main.BHO.1 (key does not exist)
Failed: RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFD4AD01-58C1-47DB-A404-FBE00A6C5486} (key does not exist)
Success: FileDelete C:\Program Files\Common\helper.sig
Success: FolderDelete C:\Program Files\Common
Success: SystemRun C:\WINDOWS\explorer.exe||1
Script completed at 9:33:23 PM.
Comment by Dorsey — January 5, 2010 #
Looks good, Dorsey.
Glad I could help.
Comment by metallica — January 5, 2010 #
Hi Fantastic post here. I have been hunting more info about this. Pleased I ran across this. I will bookmark it right now.
Comment by savino — August 24, 2011 #