Help with undetected virus?

virus trojan InjectorBHO

9 replies to this topic

#1 Apexcalibur (Bit, Members, 5 posts)

Posted 03 June 2013 - 08:01 PM

I found what I'm quite sure is a virus, but I'm not sure how to remove it. I was just strolling through my HDD when I spotted a suspicious Configuration Settings file. There's also a log file and a User JScript file that I'm fairly sure weren't there before. This was in the settings configuration.

 

[Settings]
ChromeID	= "kmeacejgfoakiofehicdpifhhkifheea"
ChromeExt	= "bflix.crx"
ChromeVer	= 1.0
IEPlugin	= "InjectorBHO.dll"
FFID		= "info@thebflix.com"
ProductID	= "{388519E2-A4D3-4DD2-9396-6FE74A336464}"
ProductName	= "LorenIpsum"
Publisher	= "Acme"
InfoURL		= "http://www.acme.com"
RemoveURL	= "http://50onred.com/"

[IEPlugin]
clsid="{8CB77D97-966B-4364-9B95-93B3DC148113}"
progid="Injector.BHO"
shortname="InjectorBHO"
version=1
bgpage="background.html"
contentscript="content.js"

I Googled InjectorBHO with not much help but this page:

http://www.systemloo...m_filename.html

I also ran Avira AntiVirus with a full scan, but no viruses found relating to this. I know that this virus also changed some registry files as I've gotten several blue screens occasionally when booting up. Some sites said it's an info stealer but right now I'm just hoping for a way to remove all traces as I'm paranoid to log in to any websites. Thank you in advance for those who took the time to read and help!  :) (I'm also new here.. so hello everyone!)



#2 Guest_ElatedOwl_* (Guest)

Posted 03 June 2013 - 08:08 PM

Do you have a folder called TheBflix somewhere near your root? (Someone mentioned C:\ProgramData\TheBFlix)

 

What browser are you using atm?



#3 Guest_ElatedOwl_* (Guest)

Posted 03 June 2013 - 08:40 PM

Since you appear to have logged off, I'll leave some info here for you.

 

It looks like this attempts to make itself a browser plugin to hijack your browser.

If you don't see any plugins listed under IE/Chrome, this may have just been downloaded but never run. (Usually they'd try to execute the code through a Java/Flash exploit; it could have potentially been downloaded but never run.)

 

If you do have strange plugins or your browsers are acting fishy, try downloading and running Malwarebytes.

If the file creation date on the file you posted above is recent and you'd consider yourself adept with computers, run a scan with ComboFix. It is by far the best virus removal tool I've ever used; however, you need to be able to interpret the log files and be aware of the false positives it's capable of producing. If you don't know what you're doing, don't run this unless someone asks you to.

 

Per usual until you're sure you're safe do not log into anything important, or anything that uses the same password as something important.



#4 Apexcalibur (Bit, Members, 5 posts)

Posted 03 June 2013 - 11:42 PM

Sorry, using a shared family laptop. I checked that directory and the Windows directory, but I didn't find a TheBflix folder. I use Chrome, but I didn't have any strange plug-ins. Neither did Mozilla, which I rarely use. The settings file was created 2/16/2012. Wow. Didn't realize that.. And I haven't had any registry errors on bootup until just these past few months.. I'm not great with computers, but I know more than the Average Joe for sure. Well, I'm guessing I shouldn't run ComboFix since you said only if the creation date was recent.

 

Aaaaand I guess it's far too late to avoid logging into anything  :mellow:



#5 Guest_ElatedOwl_* (Guest)

Posted 03 June 2013 - 11:53 PM

Well, from what I understand the browser extensions just hijack and send you to random sites, so it'd be apparent.

You're probably* fine, but just in case I'd run a Malwarebytes scan.



#6 Apexcalibur (Bit, Members, 5 posts)

Posted 04 June 2013 - 06:19 PM

I haven't noticed anything weird with sites, but I shall run the scan later tonight and post an update immediately after.



#7 Apexcalibur (Bit, Members, 5 posts)

Posted 05 June 2013 - 06:02 AM

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.04.01

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Tony! :: SABY-PC [administrator]

6/5/2013 1:10:28 AM
mbam-log-2013-06-05 (01-10-28).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 620003
Time elapsed: 2 hour(s), 42 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8C0F3668-6EB5-499D-9BC5-8666CD28A926} (PUP.wxDfast) -> No action taken.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 2
C:\ProgramData\wxDfast (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\data (PUP.wxDfast) -> Quarantined and deleted successfully.

Files Detected: 8
C:\Users\Tony!\Downloads\program installers\Programs\FLV_Media_Player.exe (Trojan.Repacked) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\background.html (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\content.js (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\hjakmojkcnhgipgkkbiempkfdndcnlah.crx (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\settings.ini (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\data\content.js (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\data\epoch (PUP.wxDfast) -> Quarantined and deleted successfully.
C:\ProgramData\wxDfast\data\jsondb.js (PUP.wxDfast) -> Quarantined and deleted successfully.

(end)

Wasn't fully sure whether to attach the log or copy-paste. Besides that, the only issue that stayed was that registry key.
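As an added example (not code from the thread or from any tool named in it), the following PowerShell audit lists every Browser Helper Object registered in the places IE looks on 64-bit Windows, resolves each CLSID to its DLL, and flags both the CLSID declared under [IEPlugin] in a settings.ini like the one in the first post and orphan keys like the HKCU one the scan log left behind. The settings.ini path is an assumption; point it at wherever the file was found.

```powershell
# Added example, not from the thread. Audits registered BHOs against the
# [IEPlugin] clsid of a settings.ini and reports keys whose DLL is gone.
param([string]$SettingsIni = 'C:\ProgramData\TheBflix\settings.ini')  # assumed path

function Read-IniSections {
    # Minimal INI reader: returns @{ section = @{ key = value } }, quotes stripped.
    param([string]$Path)
    $ini = @{ '' = @{} }; $section = ''
    foreach ($line in Get-Content -LiteralPath $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') { $section = $Matches[1]; $ini[$section] = @{}; continue }
        if ($line -match '^\s*([^=;#]+?)\s*=\s*"?([^"]*)"?\s*$') { $ini[$section][$Matches[1]] = $Matches[2] }
    }
    return $ini
}

function Get-BhoDllPath {
    # Resolve a CLSID to the DLL IE would load. Per-user class registration
    # (HKCU\Software\Classes) is checked first, since a HKCU BHO usually lives there.
    param([string]$Clsid)
    $classRoots = 'HKCU:\Software\Classes\CLSID',
                  'Registry::HKEY_CLASSES_ROOT\CLSID',
                  'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID'
    foreach ($root in $classRoots) {
        $key = "$root\$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) { return (Get-ItemProperty -LiteralPath $key).'(default)' }
    }
    return $null
}

# The three locations IE enumerates BHOs from on 64-bit Windows 7.
$bhoRoots = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

$declared = $null
if (Test-Path -LiteralPath $SettingsIni) { $declared = (Read-IniSections $SettingsIni)['IEPlugin']['clsid'] }

foreach ($root in $bhoRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $root) {
        $clsid = $key.PSChildName
        $dll   = Get-BhoDllPath $clsid
        $note  = if ($declared -and $clsid -ieq $declared) { 'CLSID declared in settings.ini' }
                 elseif (-not $dll) { 'no InprocServer32: orphan key' }
                 elseif (-not (Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($dll)))) { 'DLL missing on disk' }
                 else { '' }
        [pscustomobject]@{ Root = $root; CLSID = $clsid; Dll = $dll; Note = $note }
    }
}
```

A BHO key with no resolvable DLL is what a scanner typically leaves after quarantining the files, which is why the Note column calls it out separately from a live match.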



#8 Guest_ElatedOwl_* (Guest)

Posted 05 June 2013 - 02:24 PM

Copy and paste is fine. Looks like you should be all clean and good to go now.  :)

Let us know if you have any more issues.



#9 Apexcalibur (Bit, Members, 5 posts)

Posted 05 June 2013 - 10:39 PM

Thank you very much! And will do!



#10 Champion of Cyrodiil (Gigabyte, Members, 776 posts, Location: Virginia)

Posted 06 June 2013 - 12:08 PM

Who knows what else could be lurking that was missed. If you are seriously concerned about your private data, I would consider backing up images, docs and music. Then use a Linux boot disc to clear your MBR (where rootkits like to hide).

 

Then pop in the ole' Windows disc and do a format + clean install. Don't forget to back up your drivers if you have them.

 

It is overkill, but it is the only way to guarantee a clean system. Infected firmware is a whole different issue and is likely not infected, since most malware depends on automated delivery and infection, which is not feasible with a firmware rootkit.

 

At the end of the day, virus scanning and cleaning tools are only as good as their definitions and the timing of release vs. zero day virus.
