
University Technology Services

BHSV.exe Trojan/Virus

There is another variant of a Trojan/virus that hit campus yesterday. It runs a service called "browser help svc" from %system%\system32\bhsv.exe. Please note that BHSV.exe is a hidden file: in Tools, Folder Options, View tab, make sure that "Show hidden files and folders" is selected and "Hide protected operating system files" is not checked. Make sure you change the setting back when you are done.

It has been submitted to Symantec for analysis, and a definition file to protect against this virus should be available shortly. This virus appears to infect systems with weak or bad passwords. Please reset your password to a secure one as per the best practices guideline at http://www.mcmaster.ca/uts/ITsecurity/

To clean the infected computer (this is a temporary solution until definition files are available):

Turn off Windows System Restore: Right click on My Computer and select Properties. Click on the System Restore tab. Put a check mark in the box beside "Turn off System Restore on all drives." Click OK.

At the taskbar, click Start | Run. Type 'Regedit' and press Return. The Registry Editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', enter a name and then click Save. Remember where you saved the registry file.

In order to remove all infected registry keys do the following carefully:

Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. More info on regedit can be found at: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx


In Registry Editor, click on My Computer, then Edit | Find.

In the "Find what" field, type BHSV.exe.

Click on Find Next and remove the registry value "Browser Help Svc \ BHSV.exe".

Press F3 to find the next instance of BHSV.exe. Continue deleting the "Browser Help Svc \ BHSV.exe" entries until all instances have been removed from the registry.


The example below shows a few of the registry keys that have been identified as part of the virus infection.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service = "Browser Help Svc \ BHSV.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Services\service = "Browser Help Svc \ BHSV.exe"
HKLM\Software\Microsoft\Windows\Ole = "Browser Help Svc \ BHSV.exe"
HKLM\System\CurrentControlSet\Control\Lsa = "Browser Help Svc \ BHSV.exe"
HKLM\System\ControlSet001\Control\Lsa = "Browser Help Svc \ BHSV.exe"
HKLM\System\ControlSet002\Control\Lsa = "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service = "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run Services\service = "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\Ole = "Browser Help Svc \ BHSV.exe"
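Because the cleanup steps above begin with an "Export Registry File" backup, that export can also be used to audit a machine before and after cleaning. The script below is an added example, not part of the UTS bulletin: it parses the standard "Windows Registry Editor Version 5.00" text export and lists every value whose data references BHSV.exe, so an administrator can confirm nothing was missed by the manual Find/F3 pass. The embedded .reg text is a constructed sample built from two of the keys listed above plus one legitimate entry that must not be flagged.

```python
"""Audit a regedit .reg export for values that reference BHSV.exe.

Added example, not part of the UTS bulletin. Input is the standard
"Windows Registry Editor Version 5.00" text export produced by regedit.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample export: two keys named in the bulletin plus an
# unrelated legitimate Run entry that must not be reported.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"service"="Browser Help Svc \\ BHSV.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
@="Browser Help Svc \\ bhsv.exe"
'''

# A key line looks like [HKEY_...]; a value line is "name"=data or @=data
# (@ is the key's default value).
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')


def find_references(reg_text: str, needle: str = "bhsv.exe") -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for each value whose data mentions needle.

    Matching is case-insensitive: the dropper names the file BHSV.exe, but
    Windows paths are not case-sensitive, so a lowercase variant is equally
    suspicious. The default value of a key is reported with the name "@".
    """
    hits: List[Tuple[str, str, str]] = []
    current_key: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = _VALUE_RE.match(line)
        if value_match and current_key is not None:
            name = value_match.group(1) if value_match.group(1) is not None else "@"
            data = value_match.group(2)
            if needle.lower() in data.lower():
                hits.append((current_key, name, data))
    return hits


if __name__ == "__main__":
    for key, name, data in find_references(SAMPLE_REG):
        print(f"{key} -> {name} = {data}")
```

Run it against a real export with `find_references(open("backup.reg", encoding="utf-16").read())`; regedit writes its exports as UTF-16, so the encoding argument matters.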


This virus has also dropped a secondary Trojan EliteBar-R. Troj/Elitebar-R is a backdoor Trojan which allows a remote intruder to gain access and control over the computer.

When Troj/Elitebar-R is installed it creates the file <CurrentFolder>\nt_hide76.dll and injects code into running processes.

After the computer is clean, be sure to turn Windows System Restore back on: Right click on My Computer > Properties > System Restore tab. Remove the check mark in the box beside "Turn off System Restore on all drives." Click OK.
