
View Full Version : Crazy SDHelper?



Hägar
2006-11-01, 12:32
Hi folks,

:oops:
there is something really strange going on with my PC. When activating resident SDHelper, other spyware detectors (such as Webroot) immediately block it and report that a trojan horse (Zlob) wants to install; also, more seriously, a long list of suspicious BHOs appears in the registry. A Spybot scan finds all of them and can also remove them, but after a restart (with the resident function activated) all removed BHOs are back again. Does anybody know what this might be? How can I check whether SDHelper.dll has been altered and infected by other malware?

Thanks, Hägar

md usa spybot fan
2006-11-01, 16:32
Check the properties of your C:\Program Files\Spybot - Search & Destroy\SDHelper.dll file against the following:
File: C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
Size: 853672
Version: 1.4.0.0
CRC-32: D4589A41
MD5: 250D787A5712D7768DDC133B3E477759
SHA1: CC63FC4BC882E297FBA10777402BE9F9D99AE247
Last write (Modified): Tuesday, May 31, 2005 1:04:00 AM
A new SDHelper.dll can be downloaded from here:
http://www.safer-networking.org/files/sdhelper14.zip
Unzip (extract) the downloaded sdhelper14.zip file into:
C:\Program Files\Spybot - Search & Destroy
If you find that the SDHelper.dll has been corrupted it may be wise to have someone check out your system by posting in the Malware Removal (http://forums.spybot.info/forumdisplay.php?f=22) forum using the instructions posted here:
"BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D
http://forums.spybot.info/showthread.php?t=288
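
The comparison above is done by hand in the post. The following is an added example (not code from the post, from Safer Networking or from Spybot) that computes the same four values for a file and compares them with the reference quoted above. The reference values are copied from the post; the install path is the one the post names and is an assumption if Spybot was installed elsewhere.

```python
"""Fingerprint a file the way the post does (size, CRC-32, MD5, SHA-1)
and compare it with the reference values quoted for SDHelper.dll 1.4.0.0."""
import hashlib
import sys
import zlib

# Reference values as quoted in the forum post for SDHelper.dll 1.4.0.0.
SDHELPER_14_REFERENCE = {
    "size": 853672,
    "crc32": "D4589A41",
    "md5": "250D787A5712D7768DDC133B3E477759",
    "sha1": "CC63FC4BC882E297FBA10777402BE9F9D99AE247",
}

# Path quoted in the post (assumed; adjust if Spybot is installed elsewhere).
DEFAULT_PATH = r"C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"


def fingerprint_chunks(chunks):
    """Compute size, CRC-32, MD5 and SHA-1 over an iterable of byte chunks.

    All three digests are updated incrementally, so a large DLL never has
    to be held in memory at once. Hex digests are upper-cased to match the
    formatting used in the post.
    """
    size, crc = 0, 0
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        size += len(chunk)
        crc = zlib.crc32(chunk, crc)
        md5.update(chunk)
        sha1.update(chunk)
    return {
        "size": size,
        "crc32": f"{crc & 0xFFFFFFFF:08X}",
        "md5": md5.hexdigest().upper(),
        "sha1": sha1.hexdigest().upper(),
    }


def fingerprint_bytes(data):
    """Fingerprint an in-memory byte string (used for small files and tests)."""
    return fingerprint_chunks([data])


def fingerprint_file(path, chunk_size=1 << 16):
    """Fingerprint a file on disk, reading it in chunk_size pieces."""
    with open(path, "rb") as f:
        return fingerprint_chunks(iter(lambda: f.read(chunk_size), b""))


def compare(actual, reference):
    """Return (ok, mismatched_fields).

    A single mismatch means the file is not the one the reference describes,
    whether through corruption, tampering or simply a different version.
    """
    mismatched = sorted(k for k in reference if actual.get(k) != reference[k])
    return (not mismatched, mismatched)


def verify_file(path, reference=SDHELPER_14_REFERENCE):
    """Fingerprint a file and compare it with a reference in one call."""
    return compare(fingerprint_file(path), reference)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_PATH
    ok, bad = verify_file(target)
    print("MATCH" if ok else f"MISMATCH in: {', '.join(bad)}")
```

Note that the "Last write" timestamp in the post is easy to forge and is not part of the comparison; the digests are the real check. A match tells you the file on disk is the same bytes as the May 2005 release, nothing more; a mismatch tells you to replace the file from the download above and then look for whatever changed it.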

Hägar
2006-11-05, 20:28
Well, the SDHelper file seems to be all right, but the problem remains: as soon as I activate the resident functionality, a lot of BHOs are written into the registry.
Any suggestions on how to get down to the root cause? For the time being I keep resident deactivated, but that's not really a solution :scratch:

Thanks, Hägar

md usa spybot fan
2006-11-05, 21:32
Spybot's Browser Helper Object (BHO) is:
CLSID = {53707962-6F74-2D53-2644-206D7942484F}
Program = SDHelper.dll
The registry entries associated with it that I found on my system by searching for the CLSID and Program are:


[HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InprocServer32]
@="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F}\iexplore]
"Type"=dword:00000003
"Count"=dword:00013d21
"Time"=hex:d6,07,0b,00,00,00,05,00,13,00,27,00,03,00,03,02

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\InprocServer32]
@="C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_USERS\S-1-5-21-1957994488-790525478-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{53707962-6F74-2D53-2644-206D7942484F}\iexplore]
"Type"=dword:00000003
"Count"=dword:00013d21
"Time"=hex:d6,07,0b,00,00,00,05,00,13,00,27,00,03,00,03,02

Any suggestions on how to get down to the root cause?
Root cause analysis requires defining the problem.


… as soon as I activate the resident functionality, a lot of BHOs are written into the registry.
What BHOs are being written into the registry?

Hägar
2006-11-07, 19:49
Hi again,

Actually, I'm no longer 100% sure that it is SDHelper causing the problems; it might well be caused by TeaTimer.exe. At least that's the impression I got when turning it on again to take a list of the added BHOs.

Before turning TeaTimer on:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CAdBlocker Object - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
... and after switching it on, many items which don't seem to belong there, do they?

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: CAdBlocker Object - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\PROGRA~1\Acronis\PRIVAC~1\Blocker.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)

Thanks for help,
Hägar
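
The listings above are HijackThis-style "O2 - BHO:" lines. As an added example (not code from the post or from the HijackThis or Spybot projects), the script below parses such listings, diffs the before and after sets, and flags entries whose CLSID resolves to "(no file)". The sample input is constructed from the lines posted above; the registry key named in the code is the "Browser Helper Objects" key shown in the earlier reply.

```python
"""Parse HijackThis-style 'O2 - BHO:' lines and diff two listings."""
import re

# One O2 line: name, CLSID in braces, then the DLL path or "(no file)".
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$"
)

# BHO registrations live under this key (quoted from the earlier reply); the
# CLSID then resolves through HKCR\CLSID\{...}\InprocServer32 to the DLL.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

# Constructed sample input: the two listings from the post above.
BEFORE = """
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programme\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: CAdBlocker Object - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\\PROGRA~1\\Acronis\\PRIVAC~1\\Blocker.dll
"""

AFTER = """
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Programme\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {860c2f6b-ca82-4282-9187-beccbb66f0af} - (no file)
O2 - BHO: (no name) - {8dc8f96d-34f7-1501-a2a4-631341aa3ac1} - (no file)
O2 - BHO: (no name) - {b212d577-05b7-4963-911e-4a8588160dfa} - (no file)
O2 - BHO: (no name) - {d1ac752e-883f-4ed8-8828-b618c3a72152} - (no file)
O2 - BHO: CAdBlocker Object - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - C:\\PROGRA~1\\Acronis\\PRIVAC~1\\Blocker.dll
O2 - BHO: (no name) - {e2b2b5a1-b48c-4886-a318-723916a01024} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e6d5237d-a6c7-4c83-a67f-f9f15586fa62} - (no file)
O2 - BHO: (no name) - {fe2d25c1-c1db-4b5e-9390-af1cb5302f32} - (no file)
"""


def parse_o2(text):
    """Return {CLSID: {'name': ..., 'path': ...}} for every O2 line in text.

    CLSIDs are upper-cased so the same object is matched regardless of how
    the tool that produced the listing printed it.
    """
    entries = {}
    for line in text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            entries[m["clsid"].upper()] = {"name": m["name"], "path": m["path"]}
    return entries


def diff_bho(before_text, after_text):
    """Diff two listings.

    Returns (added, removed, orphaned). 'orphaned' is the sorted subset of
    added CLSIDs whose server path is "(no file)": a registration that loads
    no code right now, but whose reappearance after every restart shows that
    something keeps writing it back.
    """
    before, after = parse_o2(before_text), parse_o2(after_text)
    added = {c: e for c, e in after.items() if c not in before}
    removed = {c: e for c, e in before.items() if c not in after}
    orphaned = sorted(c for c, e in added.items() if e["path"] == "(no file)")
    return added, removed, orphaned


def reg_key_for(clsid):
    """Registry key a BHO with this CLSID is registered under."""
    return f"{BHO_KEY}\\{{{clsid}}}"


def report(before_text, after_text):
    """Human-readable summary of what appeared, with the key to inspect."""
    added, removed, orphaned = diff_bho(before_text, after_text)
    lines = [f"{len(added)} added, {len(removed)} removed, {len(orphaned)} orphaned"]
    for clsid in orphaned:
        lines.append(f"  orphaned BHO {added[clsid]['name']}: {reg_key_for(clsid)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```

Running it on the posted listings reports eight added entries, all of them "(no file)". That is consistent with the rest of the thread: the DLLs are gone, only the registrations are being restored.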

md usa spybot fan
2006-11-07, 20:19
The problem is probably being caused by TeaTimer's snapshot files being out of sync with the registry. TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshots were taken.

I believe that the reason that snapshot files get out of sync with the registry is because when TeaTimer starts the snapshot files are read into memory and maintained there. The snapshot files only appear to be rewritten when TeaTimer closes. During system shutdown (or restart) it appears that TeaTimer is terminated before it has a chance to rewrite the snapshot files and therefore they are out of sync with the registry if changes have been made to the registry.

The solution to the problem is to refresh TeaTimer's snapshot files after you delete the BHOs that you no longer want, and to refresh TeaTimer's snapshot files periodically until TeaTimer 1.5 is released (soon, I hope). There are two ways to do that:

Refresh TeaTimer's snapshot files:
Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
TeaTimer closes.
TeaTimer's snapshot files are refreshed at this time.

Restart TeaTimer:
Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
Double click TeaTimer.exe to start it.

Manually exit TeaTimer immediately prior to system shutdown or restart.

Hägar
2006-11-08, 19:17
Hi,

It was indeed the TeaTimer snapshot that was responsible. Problem solved, thanks. What remains is the question of how TeaTimer could let the attack come through...

PS: Congratulations from Good Old Europe to all US citizens for the election outcome :bigthumb:

md usa spybot fan
2006-11-08, 20:46
What remains is the question of how TeaTimer could let the attack come through...
Since the entries were in TeaTimer's snapshot files and the snapshot files are not refreshed during normal system shutdown or restart, there is a good possibility that those entries were in the system registry when TeaTimer was first used and the initial set of snapshot files was created. In addition, if TeaTimer had been running when those registry entries were added to the system registry, a pop-up dialog that required an answer would have been issued.

Note: The problem with the refreshing of TeaTimer's snapshot files should be corrected when TeaTimer 1.5 is released.