During the holiday season I’m staying with the mom of my girlfriend. As always when visiting family and friends, I check their computers for viruses, Trojans and so on.
Recently I gained some nice and positive experiences with Kaspersky Antivirus, so I decided to remove Norton Antivirus from the PC and install Kaspersky. This being an older computer, all the resources I could free up would have a positive effect on daily use.
Kaspersky detected quite a few viruses and Trojans that Norton hadn’t detected before, even though both had the latest updates installed. Kaspersky notified me of cfgmgr3.dll being a Trojan; this is where my quest began…
This is what Kaspersky reported:
detected: Trojan program Trojan-Spy.Win32.BZub.btd File: c:\windows\system32\cfgmgr3.dll
I could not delete this file, meaning that the file was loaded in memory. I started msconfig (start, run, msconfig) and looked through all the different tabs (services, start-up, boot.ini and so on). Unfortunately I could not find anything related to cfgmgr3.dll.
A search on Google for this file gave me several topics on cfgmgr3.dll, none however with the solution.
When I rebooted Windows XP SP2 into safe mode, I was still unable to delete the file. This means it’s being loaded along with some of the core components of Windows.
I figured I would try a different approach and search through the registry using regedit (start, run, regedit) to see if I could find where cfgmgr3.dll was being loaded. In regedit press CTRL+F and type cfgmgr3.dll.
I found the DLL in:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7492CAB3-62FE-460D-B9D4-B6438A9E3BD8}\InprocServer32
I decided to try and delete the key, but was unable to do so. So, I decided to EDIT the value and change it from cfgmgr3.dll to cfgmgr32.dll (a VALID DLL); you can do so by double-clicking on it.
When I rebooted I still could not delete the file, and when looking into regedit again I found that the old references to cfgmgr3.dll were back! Something was obviously restoring those settings, or it didn’t save my changes in the first place.
Using HijackThis I found that this was a BHO (Browser Helper Object), an object that is loaded into Internet Explorer. Because Internet Explorer is tightly integrated with Explorer, the object is locked this heavily and loaded together with the core components of Windows.
O2 - BHO: (no name) - {7492CAB3-62FE-460D-B9D4-B6438A9E3BD8} - C:\WINDOWS\system32\cfgmgr3.dll
In Internet Explorer press “Tools”, “Manage Add-ons”, “Enable or Disable Add-ons”. Here you can disable this object by selecting it and pressing ‘disable’. I did so as well, but unfortunately this didn’t help me gain control over the file or make it possible for the file to be removed. However, it does mean that the file is no longer active or doing any harm!
Using StartupList I was able to verify that this is a loaded Browser Helper Object. I was, however, able to detect a new registry location, being:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects
Pressing the right mouse button on this record in StartupList and selecting “Regedit jump”, I could jump directly to the location in regedit.
Here I tried to delete the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7492CAB3-62FE-460D-B9D4-B6438A9E3BD8}
As with the keys I found earlier I was unable to delete any references.
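The manual chain above (BHO key, CLSID, InprocServer32, DLL on disk) can be walked in one pass. The script below is an added example, not part of the original post or of HijackThis/StartupList; it assumes it is run in an elevated PowerShell session on the machine being examined and that the BHO keys live where the post found them.

```powershell
# Added example: inventory registered Browser Helper Objects and resolve each
# CLSID to the DLL it loads, flagging entries whose DLL is missing or unsigned.
# Assumption: run elevated on the examined machine; keys as located in the post.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    # 32-bit IE add-ons on 64-bit Windows are registered under Wow6432Node
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -Path $bhoKey) {
            $clsid = $entry.PSChildName   # e.g. {7492CAB3-62FE-460D-B9D4-B6438A9E3BD8}
            # The (default) value of InprocServer32 names the DLL loaded into IE/Explorer
            $serverKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
            $dll = $null
            if (Test-Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey).'(default)'
            }
            $path = $null
            if ($dll) {
                $path = [Environment]::ExpandEnvironmentVariables($dll)
                # A bare file name is resolved by the loader; System32 is the usual home
                if (-not [IO.Path]::IsPathRooted($path)) {
                    $path = Join-Path "$env:windir\System32" $path
                }
            }
            $exists = [bool]($path -and (Test-Path -LiteralPath $path))
            $sigStatus = 'n/a'
            if ($exists) {
                # 'Valid' only for a properly Authenticode-signed file
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [PSCustomObject]@{
                CLSID      = $clsid
                Dll        = $path
                Exists     = $exists
                SigStatus  = $sigStatus
                Suspicious = (-not $exists) -or ("$sigStatus" -ne 'Valid')
            }
        }
    }
}

Get-BhoInventory | Format-Table -AutoSize

# To see which processes currently have the DLL mapped (and so keep it locked):
#   tasklist /M cfgmgr3.dll
```

A BHO entry with no name, an unsigned DLL, or a CLSID the antivirus already flagged is the one to investigate; the tasklist call shows which process holds the file open, which is why deleting it fails while Explorer is running.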
So, even though the BHO is disabled, we still have zero rights to do anything with it. I tried many things, unfortunately so far without success:
- I tried using cacls to change the rights of the file
- I started regedit as the system user, using runas /user:administrator regedit
- Started in safe mode with a command prompt only
- Used the at trick to start regedit as the system user: at 23:25 regedit (you have to adjust the time)
Of course I tried many variations of the above methods, but I am completely unable to gain control over the file, even though cacls indicates that the user I’m currently logged in as has FULL rights to the file (as does the user Administrator).
If anyone has any ideas, please share them with me to get rid of this pesky file!
Personally I’m a Linux user and am amazed at how Windows handles this, but I still want to resolve this issue through Windows. If no one has a better idea, I’ll resort to booting up Knoppix and mounting the NTFS filesystem to remove this file.
Feel free to leave comments!