
Two malware detected by Spybot 1.6



blues
2008-07-08, 19:37
Hi. After downloading, updating and scanning with Spybot 1.6 today, it detected two malware called Shorty-BHO and TX4.BrowserAd, and I am almost sure that it is my ISP's program, which I downloaded the other day, that is being detected. That was the only program I downloaded before running Spybot. Spybot hadn't detected them in version 1.5. AntiVir detected the first version of my ISP's program the day I installed it, and called the detection HEUR/Malware heuristic; it was in this file: eConn.dll. But when I updated my ISP's program to the newest one, AntiVir didn't detect anything. I have run HijackThis, and the new entries that it detected since the last scan are: Protocol: fin, two run keys, two BHOs and a running process, all belonging to my ISP's program according to the file descriptions and names in HijackThis.

Ad-Aware found these: Family Id: 745 Name: TX4.BrowserAd Category: Malware TAI:3
Item Id: 300015691 Value: Root: HKCR Path: interface\{31ca5c07-7f5f-4502-8c77-99a91558add0}
Item Id: 300015702 Value: Root: HKCR Path: typelib\{223a26d8-9f91-42f6-8ed3-094b637de020}

Are all of these false positives? What should I do? I can't imagine my ISP has malware in its programs.




--- Report generated: 2008-07-08 12:34 ---



Shorty-BHO: [SBI $339C7E5E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{5C472352-90D0-4214-BF20-8E4A2B82F980}

Shorty-BHO: [SBI $D07AD493] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020}

Shorty-BHO: [SBI $39F15F63] Browser Helper Object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C472352-90D0-4214-BF20-8E4A2B82F980}

TX4.BrowserAd: [SBI $BB618725] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0}

Microsoft.Windows.RedirectedHosts: [SBI $97C2C277] Redirected host (Redirected host, nothing done)
www.experts-exchange.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: [SBI $926098F7] Redirected host (Redirected host, nothing done)
experts-exchange.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: [SBI $C1DEB1AF] Redirected host (Redirected host, nothing done)
ask.com=127.0.0.1

Microsoft.Windows.RedirectedHosts: [SBI $25161DD4] Redirected host (Redirected host, nothing done)
www.ask.com=127.0.0.1

Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: Install: setupact.log (Backup file, nothing done)
C:\WINDOWS\setupact.log

Log: Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Internet Explorer: [SBI $FF589D0C] Download directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Internet Explorer\Download Directory

MS Management Console: [SBI $ECD50EAD] Recent command list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Microsoft Management Console\Recent File List

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Search Assistant: [SBI $AE0C4647] Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Search Assistant\ACMru

Windows Explorer: [SBI $AA0766B5] Stream history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (6 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (120 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-329068152-789336058-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Cookie: [SBI $49804B54] Cookie (63) (Cookie, nothing done)


Cache: [SBI $49804B54] Cache (6224) (Cache, nothing done)


History: [SBI $49804B54] History (906) (History, nothing done)



--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-07-07 TeaTimer.exe (1.6.0.20)
2008-07-08 unins000.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-07-07 SDHelper.dll (1.6.0.12)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2008-06-17 Includes\Adware.sbi (*)
2008-06-18 Includes\AdwareC.sbi (*)
2008-06-03 Includes\Cookies.sbi (*)
2008-06-03 Includes\Dialer.sbi (*)
2008-06-24 Includes\DialerC.sbi (*)
2008-06-03 Includes\HeavyDuty.sbi (*)
2008-06-16 Includes\Hijackers.sbi (*)
2008-06-17 Includes\HijackersC.sbi (*)
2008-06-25 Includes\Keyloggers.sbi (*)
2008-07-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-07-02 Includes\Malware.sbi (*)
2008-07-01 Includes\MalwareC.sbi (*)
2008-06-17 Includes\PUPS.sbi (*)
2008-07-01 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2008-06-10 Includes\Security.sbi (*)
2008-07-01 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2008-06-17 Includes\Spyware.sbi (*)
2008-06-17 Includes\SpywareC.sbi (*)
2008-06-03 Includes\Tracks.uti (*)
2008-06-24 Includes\Trojans.sbi (*)
2008-07-01 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll

md usa spybot fan
2008-07-08, 20:14
blues:

At least some of the Spybot detections may be problematic. Of these detections:


Shorty-BHO: [SBI $339C7E5E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{5C472352-90D0-4214-BF20-8E4A2B82F980}

Shorty-BHO: [SBI $D07AD493] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020}

Shorty-BHO: [SBI $39F15F63] Browser Helper Object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C472352-90D0-4214-BF20-8E4A2B82F980}

TX4.BrowserAd: [SBI $BB618725] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0}

These two (the ones also detected by Ad-Aware):


Shorty-BHO: [SBI $D07AD493] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020}

TX4.BrowserAd: [SBI $BB618725] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0}

Appear in this article:
Adware.Shorty - Symantec.com
http://www.symantec.com/en/uk/security_response/writeup.jsp?docid=2005-060715-4527-99&tabid=2

blues
2008-07-08, 20:46
Quote: md usa spybot fan, 2008-07-08, 20:14 (the reply above, quoted in full)

That Shorty BHO must be invisible for HijackThis to detect; the BHOs I have are:

C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

C:\PROGRA~1\SPYBOT~1\SDHelper.dll

This is from the oldest ISP program, which I don't have anymore:
C:\Programfiler\Telenor\Online Start\modules\BrowserHelper.dll (file missing)

C:\Programfiler\Java\jre1.6.0_06\bin\ssv.dll

Programfiler\Telenor\Telenorhjelpen\IEFixItNowPlugin.dll is my ISP's program, the newest one, which I have installed. My ISP is Telenor, and Telenorhjelpen is what the program is called.

Can a BHO be invisible for HijackThis to detect? Because otherwise some of the BHOs that I think are legitimate are infected.

md usa spybot fan
2008-07-08, 21:05
blues:

I don't know what you are asking.

Are you saying that there is not an "O2 - BHO" entry in your HijackThis log with a CLSID of "{5C472352-90D0-4214-BF20-8E4A2B82F980}", although Spybot reported the following (a legitimate detection or not):


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C472352-90D0-4214-BF20-8E4A2B82F980}

blues
2008-07-08, 21:25
I didn't look at the CLSID, sorry :sad: I thought it wasn't allowed to post full HijackThis logs on any forum other than the malware removal forum. Here is the BHO: O2 - BHO: FINBHO - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\Programfiler\Telenor\Online Start\modules\BrowserHelper.dll (file missing)

Should I delete everything that the anti-spyware programs find, then? If I should, then I will install other anti-spyware programs too, to be sure nothing goes undetected.
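
An added example, not code from this thread or from Safer Networking, showing how a practitioner would triage exactly this kind of report offline: correlate the GUIDs Spybot flagged with the HijackThis "O2 - BHO" lines, separate an orphaned BHO registration (DLL "file missing", so nothing is loaded into Internet Explorer) from a live one, and separate a hosts-file block entry pointing at 127.0.0.1 from a redirect to a remote address. The Spybot and HijackThis lines embedded in the script are copied from the posts above with the Norwegian labels translated; the parsing regexes, the `triage` function and its verdict wording are assumptions of this example, and a BHO whose DLL is actually present still needs the file itself checked (publisher signature, hash) before it is trusted.

```python
# Added example for this thread; not code from the forum or from Safer Networking.
# Correlates Spybot S&D findings with HijackThis "O2 - BHO" lines to decide whether
# a flagged Browser Helper Object is live, orphaned, or only COM registration residue.
# Nothing here touches the registry: the excerpts below are copied from the posts
# above (Norwegian labels translated), so the script runs on any platform.
import ipaddress
import re

SPYBOT_LOG = r"""
Shorty-BHO: [SBI $339C7E5E] Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{5C472352-90D0-4214-BF20-8E4A2B82F980}

Shorty-BHO: [SBI $D07AD493] Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{223A26D8-9F91-42F6-8ED3-094B637DE020}

Shorty-BHO: [SBI $39F15F63] Browser Helper Object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{5C472352-90D0-4214-BF20-8E4A2B82F980}

TX4.BrowserAd: [SBI $BB618725] Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{31CA5C07-7F5F-4502-8C77-99A91558ADD0}

Microsoft.Windows.RedirectedHosts: [SBI $97C2C277] Redirected host (Redirected host, nothing done)
www.experts-exchange.com=127.0.0.1
"""

# The one complete O2 line the poster quoted.
HIJACKTHIS_LOG = r"""
O2 - BHO: FINBHO - {5C472352-90D0-4214-BF20-8E4A2B82F980} - C:\Programfiler\Telenor\Online Start\modules\BrowserHelper.dll (file missing)
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
HEADER_RE = re.compile(r"^(?P<family>[^:\[]+): \[SBI \$[0-9A-F]{8}\] .*\((?P<kind>[^,]+), (?P<action>[^)]+)\)$")
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.*?)(?P<missing> \(file missing\))?$")
HOSTS_RE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)=(?P<ip>[0-9A-Fa-f.:]+)$")
BHO_KEY = "\\Browser Helper Objects\\"  # the key IE actually loads add-ons from


def parse_spybot(text):
    """Pair every '[SBI $...]' header with the data line under it -> [(family, data)]."""
    lines = [l.strip() for l in text.strip().splitlines()]
    findings, i = [], 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1]:
            findings.append((m.group("family"), lines[i + 1]))
            i += 2
        else:
            i += 1
    return findings


def parse_hijackthis_o2(text):
    """CLSID (upper-cased) -> (name, dll path, dll_present) from O2 lines."""
    bhos = {}
    for line in text.strip().splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bhos[m.group("clsid").upper()] = (m.group("name"), m.group("path"), m.group("missing") is None)
    return bhos


def classify_hosts_entry(host, ip):
    """127.0.0.1 / 0.0.0.0 targets block a site; anything else sends it somewhere."""
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        return f"{host}: sinkholed locally (blocklist-style entry; the site is blocked, not hijacked)"
    return f"{host}: redirected to remote {ip} (hijack-style entry; investigate)"


def triage(spybot_text, hijackthis_text):
    """Return {GUID or hosts line: verdict} for every Spybot finding we can reason about."""
    findings = parse_spybot(spybot_text)
    bhos = parse_hijackthis_o2(hijackthis_text)
    # GUIDs that are actually hooked into IE, i.e. appear under the BHO key.
    hooked = {re.search(GUID, d).group(0).upper() for _, d in findings
              if BHO_KEY in d and re.search(GUID, d)}
    verdicts = {}
    for family, data in findings:
        h = HOSTS_RE.match(data)
        if h:
            verdicts[data] = classify_hosts_entry(h.group("host"), h.group("ip"))
            continue
        g = re.search(GUID, data)
        if not g:
            continue
        guid = g.group(0).upper()
        if guid in hooked and guid in bhos:
            name, path, present = bhos[guid]
            verdicts[guid] = (f"{family}: live BHO '{name}' at {path}; verify the DLL (publisher signature, hash) before trusting it"
                              if present else
                              f"{family}: BHO '{name}' registered but its DLL is gone ({path}); orphaned registration, loads nothing")
        elif guid in hooked:
            verdicts[guid] = f"{family}: BHO key present but no O2 line in HijackThis; inspect the CLSID's InprocServer32 by hand"
        else:
            verdicts[guid] = f"{family}: COM registration only (CLSID/TypeLib/Interface key), no BHO hook; loads nothing into the browser by itself"
    return verdicts


if __name__ == "__main__":
    for subject, verdict in triage(SPYBOT_LOG, HIJACKTHIS_LOG).items():
        print(f"{subject}\n    -> {verdict}")
```

Run against the thread's own lines, the script reports the FINBHO CLSID as an orphaned registration (the DLL under Online Start is gone, which is consistent with the poster having replaced that ISP program), the TypeLib and Interface keys as COM residue that loads nothing on their own, and the experts-exchange.com entry as a local block rather than a hijack. None of that proves the detections were wrong; it tells you which of them could still execute code, and therefore which deserve the effort of checking the file.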

blues
2008-07-09, 23:04
I recently found out that all these detections by AntiVir, Spybot and Ad-Aware were false positives. And I didn't even get a reply to this question: should I delete everything that the anti-spyware programs find, then?

md usa spybot fan: sad that you didn't help me any more with this, I wonder why. But now it doesn't matter anymore.