Hi guys. I just got hit by a virus that leaves three files in my applications folder, namely iebtm.exe, iebtmm.exe and iebt.dll. These cannot be deleted, healed or cleaned; I've tried several times.
I managed to get some information on a possible fix via the XP registry console (if that's what it's called) and I have figured out how to find my way around it (the registry). The problem is that although the fix tells me which registry keys the virus makes changes to, it doesn't tell me what to change them back to. I have listed the affected registry keys below and I hope any one of you uber techs can help me out and teach me a thing or two about registry hacking.
The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}\InprocServer32]
(Default) = "%System%\iebt.dll"
ThreadingModel = "Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}]
www = "www"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9034A523-D068-4BE8-A284-9DF278BE776E}]
MenuText = "IE Anti-Spyware"
Exec = "BV EDIT-REMOVED URL"
CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}]
(Default) = ""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]
start = "[file and pathname of the sample #1]"
so that [file and pathname of the sample #1] runs every time Windows starts
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
{9034A523-D068-4BE8-A284-9DF278BE776E} = 0x00002001
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}]
DisplayName = "Search"
URL = "BV EDIT-REMOVED URL"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
DefaultScope = "{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}"
The following Registry Value was modified:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
NextId = 0x00002002
Big Thanx
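The entries listed above are all persistence hooks rather than modified system settings: the CLSID, BHO, IE Extensions and SearchScopes keys were created by the sample, so "reverting" them means deleting them, and the only two values that live inside keys Windows itself uses (the `start` value under `policies\explorer\run` and the extension's entry under `CmdMapping`) are removed individually. The script below is an added example, not part of the original post and not the fix the poster found; it takes every key, value and CLSID from the listing above, exports each key with `reg.exe` before touching it, and makes two assumptions that are marked in the code: that the backup directory path is acceptable, and that the running process names match the file names iebtm.exe and iebtmm.exe. It has to be run from an elevated PowerShell prompt (PowerShell 2.0 is the oldest release available for XP SP3). The original `DefaultScope` value is not on the page, so the script points it at whichever search scope is left rather than guessing a value.

```powershell
# Added example: audit, back up and remove the iebt.dll persistence entries listed in the post.
# Run elevated. All key, value and CLSID names come from the post; $BackupDir and the
# process names passed to Get-Process are assumptions.
$ErrorActionPreference = 'Continue'
$BackupDir = Join-Path $env:USERPROFILE 'RegBackup-iebt'   # assumption: any writable folder works
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

$BhoClsid   = '{3B7AAEB1-9F3D-4491-9C06-C7165CA8D058}'   # InprocServer32 -> %System%\iebt.dll
$ExtClsid   = '{9034A523-D068-4BE8-A284-9DF278BE776E}'   # "IE Anti-Spyware" toolbar button
$ScopeClsid = '{DAED9266-8C28-4C1C-8B58-5C66EFF1D302}'   # hijacked "Search" scope

# Keys the sample created outright: delete the whole key, there is no prior value to restore.
$KeysToDelete = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$BhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid",
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\$ExtClsid",
    "HKCU:\Software\Microsoft\Internet Explorer\SearchScopes\$ScopeClsid"
)

# Values the sample added inside keys that Windows owns: remove only the value.
$ValuesToDelete = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run'; Name = 'start' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Extensions\CmdMapping';     Name = $ExtClsid }
)

function Backup-RegistryKey([string]$PsPath) {
    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $native = $PsPath -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $file = Join-Path $BackupDir (($native -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $native $file /y | Out-Null
}

# 1. Confirm the listing matches this machine before deleting anything.
foreach ($k in $KeysToDelete) {
    if (Test-Path -LiteralPath $k) { Write-Host "FOUND key   $k"; Get-ItemProperty -LiteralPath $k | Format-List }
}
foreach ($v in $ValuesToDelete) {
    $p = Get-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    if ($p) { Write-Host ("FOUND value {0}\{1} = {2}" -f $v.Path, $v.Name, $p.($v.Name)) }
}

# 2. Stop the droppers so they cannot re-create the keys while they are being removed.
#    Assumption: the process names are the file names without .exe.
Get-Process -Name 'iebtm', 'iebtmm' -ErrorAction SilentlyContinue | Stop-Process -Force

# 3. Export, then remove. -LiteralPath keeps the braces in the CLSIDs from being parsed.
foreach ($k in $KeysToDelete) {
    if (Test-Path -LiteralPath $k) { Backup-RegistryKey $k; Remove-Item -LiteralPath $k -Recurse -Force }
}
foreach ($v in $ValuesToDelete) {
    if (Test-Path -LiteralPath $v.Path) {
        Backup-RegistryKey $v.Path
        Remove-ItemProperty -LiteralPath $v.Path -Name $v.Name -ErrorAction SilentlyContinue
    }
}

# 4. DefaultScope pointed at the scope just deleted. The pre-infection value is not known,
#    so point it at a scope that still exists instead of inventing one.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
$remaining = Get-ChildItem -LiteralPath $scopes -ErrorAction SilentlyContinue | Select-Object -First 1
if ($remaining) { Set-ItemProperty -LiteralPath $scopes -Name 'DefaultScope' -Value $remaining.PSChildName }

# 5. The DLL is loaded as a BHO into Internet Explorer (and into explorer.exe on XP), which is
#    why the files cannot be deleted while those processes hold it. With the BHO and run keys
#    gone, reboot and then delete iebt.dll, iebtm.exe and iebtmm.exe; the registry points at
#    %SystemRoot%\system32 (%System%), so check there as well as the folder they were noticed in.
```

Step 1 is the check worth doing first: the listing came from an AV write-up of one sample, and a variant on this machine may use different CLSIDs or an extra run entry, in which case the `Get-ItemProperty` output is what to compare against the post rather than the deletion list. `reg.exe export` produces a `.reg` file that can be double-clicked to put a key back if something unrelated breaks, and the CmdMapping `NextId` counter is deliberately left alone since it is only a bookkeeping value.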