
Trojan Horse BHO.FRK keeps infecting my system


13 replies to this topic

#1 solorize

solorize

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Berkshire UK
  • Local time:01:22 PM

Posted 08 October 2008 - 02:11 AM

Hi, for the past couple of days my AVG “free version” has been finding the following Trojan: Trojan Horse BHO.FRK (as well as other various combinations of the 3 letters after the BHO.***), in various *.dll files within the c:\windows\system32 folder.

I also ran Spybot Search & Destroy, and a few other spyware programs, and they picked up the following too: Nebuler.BHO, which I removed this morning.

But every time I reboot the PC, AVG keeps on finding more; they seem to be creating new files each time it searches. So to me there is still an underlying problem hidden away on the machine.

It's getting to the point that I may just have to format the HD and reinstall Win XP, but don’t really want to have to do this unless it’s the last resort.

If someone could help me out on how I can remove this it would be greatly appreciated.

Regards

Mark

Edited by solorize, 08 October 2008 - 07:11 AM.

..:[ MD Photography ]:..
http://www.mdunn.co.nr


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,567 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:22 PM

Posted 08 October 2008 - 08:49 AM

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note:
-- If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

-- MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes (like Spybot's Teatimer), they may interfere with the fix or alert you after scanning with MBAM. Please disable such programs until disinfection is complete or permit them to allow the changes.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 solorize


Posted 08 October 2008 - 12:57 PM

Thanks for your reply.

I have run Malwarebytes and the log file is shown below:


Malwarebytes' Anti-Malware 1.28
Database version: 1244
Windows 5.1.2600 Service Pack 3

08/10/2008 18:53:44
mbam-log-2008-10-08 (18-53-44).txt

Scan type: Quick Scan
Objects scanned: 51258
Time elapsed: 4 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f7079576-4538-3e2c-8d50-8e4ce79a076e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f7079576-4538-3e2c-8d50-8e4ce79a076e} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Does this mean that it has now fully got rid of the Trojan or are there more things
I will need to do now?

Regards

Mark
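
Added example, not part of the original posts and not Malwarebytes' own code: a parser for the log layout posted in #3 that checks each summary count against the listed items, flags anything not reported as removed, and groups detections by CLSID. The sample log is constructed and its CLSID is a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the log posted above; the CLSID is a
# placeholder, not a real indicator.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.28
Scan type: Quick Scan

Registry Keys Infected: 2
Files Infected: 0

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001} (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

COUNT = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<n>\d+)$")
HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<object>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
CLSID = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_mbam_log(text):
    """Return (summary counts, detections per section) from an MBAM text log."""
    counts, found, section = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := COUNT.match(line):
            counts[m["section"]] = int(m["n"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            found[section].append(m.groupdict())
    return counts, dict(found)


def triage_mbam_log(text):
    """Flag count mismatches and failed removals; group detections by CLSID."""
    counts, found = parse_mbam_log(text)
    items = [d for ds in found.values() for d in ds]
    by_clsid = defaultdict(list)
    for d in items:
        for guid in CLSID.findall(d["object"]):
            by_clsid[guid.lower()].append(d["object"])
    return {
        # sections whose summary count differs from the number of listed items
        "mismatched": [s for s, n in counts.items() if n != len(found.get(s, []))],
        # anything not reported as removed still needs attention after a reboot
        "not_removed": [d for d in items if "successfully" not in d["action"]],
        # the BHO registration and its COM class entry share one CLSID
        "by_clsid": dict(by_clsid),
    }
```

Both registry detections in the sample resolve to a single CLSID, which is the Browser Helper Objects registration and the matching HKEY_CLASSES_ROOT\CLSID entry for the same component.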

#4 quietman7


Posted 08 October 2008 - 01:21 PM

Is AVG still detecting anything?

#5 solorize


Posted 08 October 2008 - 03:01 PM

Hi again,


I left my PC for about 1hr while I cooked this evening,
and when I came back up I had the following AVG screen being displayed:

(I have had to split the screen capture into two parts as the info screen
would not let me display all items at once).

Part 1

Posted Image

Part 2

Posted Image

I then clicked on [] Remove threat as power user and then clicked the
[Remove Threats] button.


Also here is a part screen capture of my AVG Virus Vault, just showing
the Items flagged as "Infection":

Posted Image


Which shows all the various files it's been affecting the past couple of days.


Regards

Mark

Edited by solorize, 08 October 2008 - 03:10 PM.


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,114 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:12:22 PM

Posted 08 October 2008 - 08:43 PM

And besides what is showing there, are you having any more signs/symptoms of infection?
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#7 solorize


Posted 09 October 2008 - 01:58 AM

As far as I saw yesterday when I used my IE it was behaving OK (previously when I clicked on a link to open in a new tab, it would load the tab but not the webpage). But I only had the PC on for a couple of hours and did not really use it other than to run Malwarebytes and AVG and read this forum.

Other than the symptoms above, are there any more telltale signs I should look out for?

Therefore I cannot say 100% that there are no more problems until I use it for a longer duration.

My concern is that the infection seems to reappear in:
C:\system volume information\_restore{******}

Are there any further steps I need to take to make sure it is all totally removed?

Also, can you tell me how dangerous this infection is, i.e. is it a keylogger that may have logged my bank account details etc.?

The only info I can find on the inet at the moment is:
Trojan Horse BHO.FRK

Regards

Mark

Edited by solorize, 09 October 2008 - 07:48 AM.


#8 boopme


Posted 09 October 2008 - 08:09 AM

Hello, this one is considered a low level threat. Redirects for purpose of advertising.
What you are still finding are living in the System Restore files and will be removed by removing them. Follow the next steps.

Now you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "Ok"
  • Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" Tab.
  • Click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista Users can refer to these links: Create a New Restore Point and Disk Cleanup.
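
Added example, not part of the original posts: a triage function for the situation described in #8, separating antivirus hits on live files from archived copies under System Volume Information\_restore{...}. The detection list is constructed; the RP<n> subfolder layout is the Windows XP convention and is an assumption beyond what the thread shows.

```python
import re
from collections import Counter

# Windows XP stores restore points under
#   <drive>:\System Volume Information\_restore{GUID}\RP<n>\
# Files found there are archived copies, not the live originals.
RESTORE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[^}\\]*\}"
    r"(?:\\(?P<rp>rp\d+))?(?:\\|$)",
    re.IGNORECASE,
)

# Constructed detection list; file names and the GUID are placeholders.
SAMPLE_DETECTIONS = [
    (r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP101\A0000001.dll", "BHO.FRK"),
    (r"C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP101\A0000002.dll", "BHO.FRK"),
    (r"c:\system volume information\_restore{PLACEHOLDER-GUID}\RP102\A0000003.dll", "BHO.FRK"),
]


def classify(path):
    """Return ('restore-point', 'RPn') or ('live', None) for a detection path."""
    m = RESTORE.match(path.strip())
    if not m:
        return ("live", None)
    return ("restore-point", (m["rp"] or "unknown").upper())


def triage_detections(detections):
    """Split antivirus hits into live files and archived restore-point copies."""
    live, archived = [], Counter()
    for path, name in detections:
        kind, rp = classify(path)
        if kind == "live":
            live.append((path, name))
        else:
            archived[rp] += 1
    if live:
        verdict = "active"      # something outside System Restore is still infected
    elif archived:
        verdict = "archived"    # only stored copies remain: purge old restore points
    else:
        verdict = "clean"
    return {"verdict": verdict, "live": live, "archived": dict(archived)}
```

An "archived" verdict corresponds to the case handled in #8: create a new restore point, then remove all but the most recent one with Disk Cleanup.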

#9 solorize


Posted 09 October 2008 - 04:07 PM

Hi Boopme,

Thanks for the info and how to clean up the Restore Point.

I have followed your instructions and it seems that the infection
has finally gone from my machine *phew*

I ran AVG Free and it has not shown any infections.

I will have a look again tomorrow when I get back from work
and run another scan just to make sure.



This infection has now got me thinking of getting a full "paid" version
of an Antivirus / internet security package. But I am not sure which one would
be the best to get. I was thinking about something like: "Kaspersky Internet Security" or "ESET Smart Security"

Do you have any advice on which AntiVirus package is the best to get? When searching on the inet, different sites say different software is better than others, so they are not really too much help.



Finally I would just like to say a big thank you to all that have helped me with this post to remove this infection.

Your time and effort is very much appreciated.


Regards

Mark

Edited by solorize, 10 October 2008 - 02:14 AM.


#10 quietman7


Posted 09 October 2008 - 05:51 PM

Independent comparatives of Anti-virus Software
click on the "Comparatives" link on the left
TopTen Review: 2007 Anti-virus Software

These types of comparative testing results will vary depending on who is doing the testing, what they are testing for, what versions of anti-virus software are being tested, etc. There is no universally predefined set of standards/criteria for testing and each test will yield different results. Thus, you need to look for detailed information about how the tests were conducted, the procedures used, and data results.

Choosing an anti-virus is a matter of personal preference, features offered, the amount of resources utilized, how it may affect system performance and what will work best for your system. A particular anti-virus that works well for one person may not work as well for another. You may need to experiment and find the one most suitable for your use. Another factor to consider is whether you want to use a paid for product or free alternative. I prefer Eset NOD32 but Kaspersky is very good too.

Of course, you can always supplement your anti-virus by performing an Online Virus Scan.

Tips to protect yourself against malware and reduce the potential for re-infection:
• "Simple and easy ways to keep your computer safe".
• "How did I get infected?, With steps so it does not happen again!".
• "Hardening Windows Security - Part 1 & Part 2".
• "IE Recommended Minimal Security Settings" - "How to Secure Your Web Browser".
• "Use Task Manager to close pop-up messages to safely exit malware attacks"

• Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology.

#11 solorize


Posted 10 October 2008 - 02:20 AM

Thanks for the info.

I will take your advice and download the trial versions and evaluate them both (not at the same time though).

I will be also interested to see if they pick up anything on my system after
this infection.


Regards,

Mark

#12 quietman7


Posted 10 October 2008 - 07:59 AM

You're welcome.

#13 solorize


Posted 11 October 2008 - 11:41 AM

Installed Kaspersky Internet Security trial last night and have
done a few scans now and nothing was detected.

So looks like my system is all clean now.

No more IE for me, Just 100% Firefox from now on.


Regards,

Mark

#14 quietman7


Posted 11 October 2008 - 02:03 PM

:thumbsup:



