BHSV.exe Trojan/Virus
Another variant of a Trojan/virus hit campus yesterday. It installs a service called "Browser Help Svc" that runs %system%\system32\bhsv.exe. Please note that BHSV.exe is a hidden file: in Tools > Folder Options > View tab, make sure that "Show hidden files and folders" is selected and that "Hide protected operating system files" is not checked. Change the settings back when you are done.
The sample has been submitted to Symantec for analysis, and a definition file to protect against this virus should be available shortly. The virus appears to infect systems with weak or bad passwords. Please reset your password to a secure one following the best-practices guideline at http://www.mcmaster.ca/uts/ITsecurity/.
To clean the infected computer (this is a temporary solution until definition files are available):
Turn off Windows System Restore: right-click on My Computer and select Properties. Click on the System Restore tab. Put a check mark in the box beside "Turn off System Restore on all drives." Click OK.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', enter a name and then click Save. Remember where you saved the registry file.
In order to remove all infected registry keys do the following carefully:
Warning: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. More information on regedit can be found at: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/tools_regeditors.mspx
In Registry Editor, click on My Computer, then Edit > Find.
In the Find What field type in BHSV.exe.
Click Find Next and remove the registry key containing "Browser Help Svc \ BHSV.exe".
Press F3 to find the next instance of BHSV.exe. Continue deleting the "Browser Help Svc \ BHSV.exe" keys until all instances have been removed from the registry.
The list below shows a few of the registry keys that have been identified as part of the virus infection.

```
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\service= "Browser Help Svc \ BHSV.exe"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\service= "Browser Help Svc \ BHSV.exe"
HKLM\Software\Microsoft\Windows\Ole= "Browser Help Svc \ BHSV.exe"
HKLM\System\CurrentControlSet\Control\Lsa= "Browser Help Svc \ BHSV.exe"
HKLM\System\ControlSet001\Control\Lsa= "Browser Help Svc \ BHSV.exe"
HKLM\System\ControlSet002\Control\Lsa= "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\service= "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices\service= "Browser Help Svc \ BHSV.exe"
HKCU\Software\Microsoft\Windows\Ole= "Browser Help Svc \ BHSV.exe"
```
This virus also drops a secondary Trojan, Troj/Elitebar-R. Troj/Elitebar-R is a backdoor Trojan that allows a remote intruder to gain access to and control over the computer.
When Troj/Elitebar-R is installed it creates the file <CurrentFolder>\nt_hide76.dll and injects code into running processes.
After the computer is clean, be sure to turn Windows System Restore back on: right-click on My Computer > Properties > System Restore tab. Remove the check mark in the box beside "Turn off System Restore on all drives." Click OK.
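Because the manual Find/F3 pass in regedit is easy to get wrong, a useful check after cleanup is to scan the registry backup exported in the earlier step for any value that still references the indicator. The script below is an added example, not part of the original bulletin: it parses the text of a .reg export (key headers in square brackets, "name"="data" value lines) and returns every string value whose name or data contains BHSV.exe. The sample .reg content is constructed here to mirror the Run keys listed above; the function and file names are the example's own.

```python
"""Scan an exported .reg backup for values referencing a malware indicator.

Added example (not the bulletin's own tooling). Regedit exports .reg files as
UTF-16LE text; scan_reg_file() opens them with that encoding. Only string
values ("name"="data" and @="data") are inspected; binary/hex values are skipped.
"""
import re
from typing import Iterator, List, Tuple

# [HKEY_...\Path] section header in a .reg file
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "ValueName"=<data>  or  @=<data>  (the @ form is the key's default value)
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ becomes \\ and \\" becomes a quote."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(reg_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key_path, value_name, data) for every string value in the export."""
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = m.group("name")
            name = "(Default)" if name == "@" else _unescape(name[1:-1])
            data = m.group("data")
            if data.startswith('"') and data.endswith('"') and len(data) >= 2:
                data = _unescape(data[1:-1])
            else:
                continue  # dword:/hex: values are not string data; skip them
            yield current_key, name, data


def find_indicator(reg_text: str, indicator: str = "bhsv.exe") -> List[Tuple[str, str, str]]:
    """Return every (key, name, data) whose name or data mentions the indicator."""
    needle = indicator.lower()
    return [
        (key, name, data)
        for key, name, data in parse_reg(reg_text)
        if needle in data.lower() or needle in name.lower()
    ]


def scan_reg_file(path: str, indicator: str = "bhsv.exe") -> List[Tuple[str, str, str]]:
    """Read a regedit export (UTF-16LE with BOM) and scan it for the indicator."""
    with open(path, encoding="utf-16") as fh:
        return find_indicator(fh.read(), indicator)


# Constructed sample export: two infected Run values plus one benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"service"="Browser Help Svc \\ BHSV.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"service"="Browser Help Svc \\ BHSV.exe"
"Nothing"=dword:00000000
'''

if __name__ == "__main__":
    for key, name, data in find_indicator(SAMPLE_REG):
        print(f"{key}\\{name} = {data!r}")
```

Any hit reported after the cleanup means a Run, RunServices, Ole or Lsa value was missed and regedit's Find should be repeated from My Computer; a clean scan of a fresh export, together with the hidden bhsv.exe file being gone from %system%\system32, is the point at which it is safe to re-enable System Restore.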
Service Desk
| Hours: | Monday - Friday 8:30 am - 4:30 pm |
|---|---|
| Phone: | 905-525-9140 x24357 (2HELP) |
| Email: | uts@mcmaster.ca |
| Location: | Main Campus BSB Rm. 245 |
| Service Catalog: | http://www.mcmaster.ca/uts |