
BHOs THAT DON'T GO AWAY



#1 deango

Posted 05 June 2005 - 01:11 PM

Hi. This is kind of a repost as I didn't get back to the forum before my question went into archives.
These two BHOs keep showing up in HijackThis scans. I follow the path for each one in the registry, delete the folder from the left-hand tree, turn off System Restore and reboot. They both appear in HijackThis on reboot. The first one is AdShield, which is a popup blocker I uninstalled a year ago, and the other is malware known as UBMON. There is no file, so I don't think they are a danger, but I would still like to get them out of the registry.
I use AVG Anti-Virus, AdAwareSE, SpyBot, SpywareBlaster, CW Shredder and HijackThis. I update daily and upgrade to a newer version of each one whenever available. I only turn off System Restore AFTER I have removed the BHOs from the Registry and BEFORE I reboot, so that the BHOs will not be in any future System Restore that I might instigate. I turn System Restore back on first thing after I reboot.

O2 - BHO: (no name) - {7559B76E-0222-4d77-9499-CCE9EB4EDC2F} - (no file)
O2 - BHO: (no name) - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - (no file)
Thanks for any advice you can give. deango

#2 tg1911

Posted 05 June 2005 - 02:34 PM

You should not try to fix anything with HJT unless you have been properly trained in its use.
HJT is a tool used to locate "problems".
The removal of these "problems" is sometimes much more involved than just having HJT fix it.
The improper use of HJT could also cause damage to your system.

I suggest you post a HJT log for our Team to examine.
They'll take you through the fix, step by step.

Read the pinned post in the HijackThis forum, here
Please read, and follow, all directions carefully.

Then run a log and post it in the HJT forum, at this link. Do not fix anything yet.
A member of the HJT Team will help you out.
It may take a while to get a response, because the HJT Team is very busy. Please be patient; these people are volunteers. They will help you out as soon as possible.

NOTE:
Once you have made the post, please DO NOT make another post in the HJT forum until it has been responded to by a member of the HJT Team. The first thing they look for, when looking for logs to reply to, is 0 replies. If you make another post, there will be 1 reply. The team member, glancing over the replies, might assume someone is already helping you out, and will not respond. So just make your post and let it sit there until a team member responds. This way you will be taken care of in the most timely manner.

#3 ddeerrff

Posted 05 June 2005 - 08:04 PM

To add to what tg1911 said:

You can either post an HJT log as a new topic, or if this problem is a continuation of the previous, you can PM (personal message) your original helper and ask him/her to reopen your older topic.

Some of those BHO CLSIDs can be tenacious, but if the associated file is gone they won't actually be running.
Derfram
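To see for yourself which BHO entries are orphaned in the sense ddeerrff describes (a CLSID still registered under Internet Explorer's Browser Helper Objects key, but no DLL on disk behind it, which is what HijackThis reports as "(no file)"), here is an added read-only PowerShell check. It is not from this thread and it assumes a Windows machine where you can run PowerShell with admin rights; it deletes nothing and only reports.

```powershell
# Added example, not part of the original thread: enumerate IE Browser Helper
# Objects and flag entries whose CLSID no longer resolves to a DLL on disk.
# Read-only: nothing is changed. Run from an elevated PowerShell prompt.

function Get-BhoStatus {
    # BHOs are registered under this key (plus the Wow6432Node copy on 64-bit Windows).
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $clsid = $key.PSChildName          # e.g. {7559B76E-0222-4d77-9499-CCE9EB4EDC2F}
            # The CLSID's InprocServer32 default value names the DLL IE would load.
            $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                if ($dll) {
                    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
                }
            }
            $state = if (-not $dll) { 'no CLSID/InprocServer32 registration' }
                     elseif (Test-Path -LiteralPath $dll) { 'file present' }
                     else { 'file missing (orphaned entry)' }
            [pscustomobject]@{
                CLSID  = $clsid
                Hive   = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Dll    = $dll
                Status = $state
            }
        }
    }
}

Get-BhoStatus | Format-Table -AutoSize
```

An entry reported as "orphaned" or with no InprocServer32 registration is registry leftover that IE cannot load; an entry whose file is present is a live add-on and deserves a second look if you do not recognise it.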

#4 Enthusiast

Posted 05 June 2005 - 08:18 PM

Try this:

BHODemon:

This program can list all of the BHOs in Internet Explorer and advise you as to whether they are to be considered dangerous or not while giving you the ability to disable any that you do not want or need.

http://www.definitivesolutions.com/bhodemon.htm

#5 madestmax

Posted 06 June 2005 - 02:22 AM

Sorry! If you don't break it first, then you can't learn how to fix it. If it's a company computer then get support. If it's your personal one, then have fun.
But as to your problem: sounds like a hidden file or reg entry you can't find with a different name. That's why I love regshot.

#6 Papakid

Posted 15 June 2005 - 11:00 AM

Hi deango,

We don't archive posts so I'm not sure why you couldn't find your previous one; there have been some glitches on the board for short periods of time, but it is here:
http://www.bleepingcomputer.com/forums/ind...topic=20153&hl=

Also for anyone who is interested, your HijackThis log is here:
http://www.bleepingcomputer.com/forums/ind...ST&f=22&t=20781

I only turn off the system restore AFTER I have removed the BHO's from the Registry and BEFORE I reboot, so that the BHO's will not be in any future System Restore that I might instigate. I turn the System Restore back on first thing after I reboot.

I believe you have misunderstood Leurgy's advice in this post. If you turn off System Restore, you should do it after you reboot to make the changes to the registry.

This would be the procedure in the correct order:

1. Make sure you have a backup of the registry, i.e., make sure System Restore is on, and as a redundant safeguard make a manual backup. You mentioned in another thread having ERUNT installed. That's even better than a manual backup as it is supposed to be the most complete.

2. Make your changes to the registry. Delete keys, change values, etc.

3. Reboot.

4. Make new backups of the registry. In the case of System Restore, turn it off, reboot, then turn it back on again. How to do that has already been outlined, or you can refer to our tutorial Windows XP System Restore Guide. That will delete all previous restore points and create a new, clean one.

When you know you have a clean system is the best time to make a backup to the registry. Making a clean backup with ERUNT at this time would be a good idea.

Just to let you know, System Restore is not responsible for those reg keys hanging on. SR is just a backup and won't restore those keys unless you run SR and do a restoration.

With ERUNT's backup you could do it the way you describe, but you won't have SR to fall back on in case of problems and SR is much easier to use. The extra parts of the registry that ERUNT backs up are not commonly modified.

Now to get back to your main issue. The reason those BHOs won't be removed from the registry is probably because they are being protected by one of your security programs. It has become common for antispyware programs to include modules that will prevent changes to the registry. It doesn't distinguish between good changes and bad changes, at least in the case of BHOs.

So work with ddeerrff in your HijackThis thread and he will help you with that. And when you have been given a clean bill of health, then purge System Restore and make your clean backups.


#7 deango

Posted 15 June 2005 - 11:25 AM

Thanks Papakid. You're a prince. Will follow up with Derfram at HJT and look in on the website recommended by Enthusiast. Thanks again! deango

#8 Papakid

Posted 15 June 2005 - 11:38 AM

You're welcome, deango. :thumbsup:

One more thing, not to knock Enthusiast's advice, but I would hold off on installing BHODemon for now. HijackThis and Derfram can deal with the problems, and when you get that straightened out, then look to install it.
