Registry Key 'Trojan.BHO' Keeps Returning?

I've got this 'Trojan.BHO Registry Key' that keeps returning every time I delete it, using SUPERAntiSpyware or Malwarebytes'.

This is the result from Malwarebytes':
Registry Keys Infected: 1
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{376892ae-1825-4e5f-9f85-23f9640051cc} (Trojan.BHO) -> No action taken.

No matter how many times I delete it, it keeps returning. Does anyone know how I can get rid of it permanently, without it returning?

Many thanks.
 
Have you tried running said anti-malware tools in safemode? Sounds like something just keeps putting it back - you need to run some up-to-date antivirus too. The registry key itself is not the source of the problem.
 
I've not yet tried running Malwarebytes in safe mode, I will definitely give it a shot though.

I'm currently running a NOD32 scan, so far nothing has been picked up though.

I've not disabled system restore before running Malwarebytes, I will also give this a try.

However, which would be the more probable option? Running Malwarebytes in safe mode or running Malwarebytes with system restore disabled?
 
Run Avira and Spybot S&D, have the guards running in the background too. Run AVG in safe mode too (commandline scanner picks up a fair bit more).

Reinstall..

Well that's a bit sudden isn't it :confused: The only time I reinstalled after a virus was on a severely infected laptop with well over 100 viruses on it, and even then I killed most of them.
 
However, which would be the more probable option? Running Malwarebytes in safe mode or running Malwarebytes with system restore disabled?

Depends really, try safemode first though. Disabling system restore will get rid of your restore points but to be honest in this instance you might not even have an option.
 
Well that's a bit sudden isn't it :confused: The only time I reinstalled after a virus was on a severely infected laptop with well over 100 viruses on it, and even then I killed most of them.

It's like someone else posted earlier today, can't remember which thread. Once a system's been compromised by a virus, even temporarily, any time you do anything secure thereafter (online banking, even checking email) there's a chance that while compromised, other virus/spyware got in, so you're at greater risk of fraud/identity theft as long as you use that computer. Even once the original infection has been eradicated.
 
I agree with miniyazz here, though Windows forums are hardly where I'm normally found. Once you've been infected once, trust in the system is lost. As reinstalling doesn't take very long, and virus hunting can do, it is also occasionally faster.

I still think the best answer is to keep Windows offline, and deprive it of any access to the internet. Not very practical, but it does work rather well.
 
Personally I think reinstalling the whole PC over a simple IE Browser Helper Object (BHO.. that's what BHO stands for) is a retarded idea. Malwarebytes is clearly just detecting something using a heuristic match. It's not even 100% sure about it.

Use Sysinternals Autoruns to get a clearer picture of what's on your machine. If your machine is 32-bit you can also give Rootkitrevealer and GMER a go just to make sure there's nothing hiding away in a kernel driver.

As reinstalling doesn't take very long

Speak for yourself...
 
I've disabled system restore and have run a scan in safe mode. However as before, the Trojan.BHO still comes up in Malwarebytes upon rebooting the system.

Are there any other methods to get rid of this Trojan.BHO? I'm sure it can be dealt with without restoring? Which is something I don't want to do as I've not got much time with exams around the corner.
 
Yeah, reinstalling Windows does, it takes me like 3 hours just to get it game ready again :(

I think that your anti-spyware program is having a fit over nothing. Try submitting the so-called infection to the company of your anti-spyware program to see if it actually is an infection or the heuristic engine is matching it as malicious (false alarm).
 
Is that the 'Manage Add-Ons' section in IE?

If so, I just disabled all browser related add-ons, with only activex add-ons enabled, and the result is the same, the Trojan.BHO doesn't seem to be going.

Any other suggestions? :/

If worse comes to worse I will reinstall Vista, however I won't be getting round to doing that for another 2-3 weeks due to exams.
 
I think I've managed to get rid of it.

Malwarebytes couldn't delete it. So I tried manually deleting that registry value but it kept giving me an error "Cannot delete 376892ae-1825-4e5f-9f85-23f9640051cc error while deleting key".

So I came across this website which mentioned about taking ownership of the registry key. I followed those steps and managed to delete the whole registry value.

Anyways, I've just run Malwarebytes again and it picked up nothing, so I am guessing it's 100% gone?
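
An added example, not part of the original thread: a read-only PowerShell check for the points raised above (the key is not the source of the problem, and it could not be deleted until ownership was taken). It reports which hive holds the flagged CLSID, who owns the key, which DLL it points to, and whether it is actually registered as a BHO. The function name `Get-BhoTriage` is hypothetical, and it assumes PowerShell is installed and run from an elevated prompt.

```powershell
# Added example: read-only triage of a flagged BHO CLSID. Nothing is modified or deleted.
# Get-BhoTriage is a hypothetical helper name; the CLSID is the one from the log in this thread.
function Get-BhoTriage {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # HKCR is a merged view; report which underlying hive actually holds the key.
    $hives = @{
        'HKLM' = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
        'HKCU' = "HKCU:\SOFTWARE\Classes\CLSID\$Clsid"
    }
    $foundIn = @($hives.Keys | Where-Object { Test-Path -LiteralPath $hives[$_] })

    # IE only loads a CLSID as a BHO if it is listed under one of these keys.
    $bhoRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $bhoEntries = @($bhoRoots | Where-Object { Test-Path -LiteralPath "$_\$Clsid" })

    $classPath = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $owner = $null; $dll = $null; $dllExists = $false; $signature = $null
    if (Test-Path -LiteralPath $classPath) {
        # An unexpected owner or a restrictive ACL explains a "cannot delete" error.
        $owner = (Get-Acl -Path $classPath).Owner
        $inproc = "$classPath\InprocServer32"
        if (Test-Path -LiteralPath $inproc) {
            # The default value of InprocServer32 is the DLL the object would load.
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($raw) {
                $dll = [Environment]::ExpandEnvironmentVariables($raw).Trim('"')
                $dllExists = Test-Path -LiteralPath $dll
                if ($dllExists) { $signature = (Get-AuthenticodeSignature -FilePath $dll).Status }
            }
        }
    }

    New-Object PSObject -Property @{
        Clsid           = $Clsid
        FoundInHives    = $foundIn -join ', '
        KeyOwner        = $owner
        RegisteredAsBho = ($bhoEntries.Count -gt 0)
        ServerDll       = $dll
        DllOnDisk       = $dllExists
        DllSignature    = $signature
    }
}

Get-BhoTriage -Clsid '{376892ae-1825-4e5f-9f85-23f9640051cc}' | Format-List
```

If `DllOnDisk` is true, that file, and whatever autostart entry loads it, is what to examine with Autoruns, not the key. Running the check again after a reboot shows whether the key has been recreated.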
 