Disinfecting a PC… part 6



Ok, it’s BHODemon time… installed from CD, and on starting it reports:

BHODemon: bhotb-all.html not found. There’s no web connection on this PC, so I’m downloading the file on another machine.

I finally got it working by copying the file over from another machine. To troubleshoot why it couldn’t find the file (a naming problem), I had to change Windows ME to show full filenames. There also seems to be a strange display problem in the folder-options dialog when setting “don’t hide file extensions”: I can’t see the check boxes or the checkmarks, so I toggled them “blind” to show file extensions…

Here are the bugs BHODemon found:

BHODemon 2.0.0.23 Report File:
A:\INCFIN~1_BHODemonInfo.txt

Desc: incfindbho.dll, INCFIN~1.DLL – IncrediFind/Keenvalue
Clsid: {5D60FF48-95BE-4956-B4C6-6BB168A70310}
DLL Path: C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
ProgID: BHO.IncrediFindBHO.1
URL: http://www.doxdesk.com/parasite/KeenValue.html
Enabled?: No – file is missing
Status: Malware

(Ok, we’ve already cleaned this out with AVG – Incredifind / Keenvalue)

BHODemon 2.0.0.23 Report File:
A:\2BHODemonInfo.txt

Desc: Wsem***.dll , (* = digit) – MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:\WINDOWS\WSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No – file is missing
Status: Malware

DyFuCa – yuck, a bad one. AVG got this one as well.

BHODemon 2.0.0.23 Report File:
A:\3BHODemonInfo.txt

Desc: n3tpa1p.dll, Calsdr.dll, Gr0*.dll (* = digit), td1.dll, random file names – FavoriteMan
Clsid: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DLL Path: C:\WINDOWS\SYSTEM\ATPART~1.DLL
ProgID: F1.Organizer.1
URL: http://www.doxdesk.com/parasite/FavoriteMan.html
Enabled?: No – file is missing
Status: Malware

Organizer / FavoriteMan – this looks to be the one responsible for the random file names, and its DLL is also missing (good job, AVG).

Here’s the fourth (and last) BHO found:

BHODemon 2.0.0.23 Report File:
A:\4BHODemonInfo.txt

Legal Copyright: Copyright 2004
Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:\WINDOWS\SYSTEM\pecxl.dll
Modified Date: Saturday, November 06, 2004 14:04:36
Created Date: Tuesday, November 02, 2004 22:11:27
ProgID: SWin32.SDWin32.1
Product Name: SWin32 Module
Product Version: 1, 0, 0, 1
Original Filename: SWin32.DLL
File Description: SWin32 Module
Company Name: $
Enabled?: Yes
Internal Name: SWin32
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown

This one seems to be identified as SecondThought/BetterInternet… BHODemon itself has no identification for it (Status: Unknown). The aliases from eTrust:

2ndthought Adware, Second Thought, Trojan.Win32.SecondThought.c [VirusLibrary], SecondThought, Trojan.Win32.SecondThought [Kaspersky], Win32/SecondThought.G [NOD32], BKDR_RULEDOR.E, Adware/PortalScan[Panda], Trojan.Win32.SecondThought.a[Kaspersky], Win32.BettInet.E[Computer Associates], Spyware/BetterInet[Panda], Spyware/ClearSearch[Panda], Adware.SecondThought [Symantec], Trojan.Win32.SecondThought.ag

So I disable each of these BHOs and we’re in good shape. There had been a lot of disk swapping (either from the one active item, or from the three missing files being looked for). System speed improves a good deal after this pass.
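A small parser and triage helper for report records in the shape quoted above, as an added example (this is not BHODemon’s code, and the “Key: Value” record layout is assumed from the reports in this post). It splits the report into records, then sorts each BHO the way the post does: a DLL that is already gone but whose CLSID is still registered is a stale registration to clean up, an enabled entry BHODemon’s database calls Malware is one to disable, and an enabled entry with status Unknown is one to look up by hash before disabling. The sample report is constructed from two of the records above, with the path separators written out.

```python
"""
Parse BHODemon-style report records and triage each BHO the way the post does.
Added example, not BHODemon code: the "Key: Value" record layout is assumed
from the reports quoted in the post.
"""
import hashlib
import re
from collections import Counter
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample input in the shape of the post's reports (two of the
# four records, with the drive/directory separators written out).
SAMPLE_REPORT = """\
BHODemon 2.0.0.23 Report File:
A:\\2BHODemonInfo.txt

Desc: Wsem***.dll , (* = digit) - MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:\\WINDOWS\\WSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No - file is missing
Status: Malware

BHODemon 2.0.0.23 Report File:
A:\\4BHODemonInfo.txt

Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:\\WINDOWS\\SYSTEM\\pecxl.dll
ProgID: SWin32.SDWin32.1
Enabled?: Yes
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown
"""

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def parse_report(text: str) -> List[Dict[str, str]]:
    """Return one dict of fields per 'BHODemon ... Report File:' header."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("BHODemon") and line.endswith("Report File:"):
            current = {"Tool": line[: -len("Report File:")].strip()}
            records.append(current)
            continue
        if current is None:
            continue  # stray text before the first header
        if ": " in line:
            key, value = line.split(": ", 1)  # first ": " only, so URLs survive
            current[key.strip()] = value.strip()
        elif "Report File" not in current:
            current["Report File"] = line  # bare path line right after the header
    return records


def valid_clsid(clsid: str) -> bool:
    """True if the CLSID has the {8-4-4-4-12} hex form a registry lookup needs."""
    return bool(CLSID_RE.match(clsid))


def triage(rec: Dict[str, str]) -> str:
    """
    stale       - DLL already gone (here: removed by AVG) but CLSID still
                  registered, so the browser keeps looking for the file
    disable     - enabled and BHODemon's database says Malware
    investigate - enabled with status Unknown: check the hash with AV vendors first
    ok          - nothing to do
    """
    enabled_field = rec.get("Enabled?", "").lower()
    enabled = enabled_field.startswith("yes")
    missing = "missing" in enabled_field
    status = rec.get("Status", "Unknown")
    if missing:
        return "stale"
    if enabled and status == "Malware":
        return "disable"
    if enabled and status == "Unknown":
        return "investigate"
    return "ok"


def md5_hex(data: bytes) -> str:
    """MD5 in the lowercase hex form the report prints (used only to match it)."""
    return hashlib.md5(data).hexdigest()


def verify_md5_file(path: str, expected: str) -> Optional[bool]:
    """None if the file is absent, else whether its MD5 equals the report's checksum."""
    p = Path(path)
    if not p.is_file():
        return None
    return md5_hex(p.read_bytes()) == expected.strip().lower()


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per triage verdict."""
    return dict(Counter(triage(r) for r in records))


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for rec in recs:
        print(f"{triage(rec):12} {rec.get('Clsid')}  {rec.get('DLL Path')}")
    print(summarize(recs))
```

The verdict for an "investigate" record is deliberately not "delete": the post’s fourth BHO is the case where the tool’s database has no opinion, and the decision was made by matching the file hash against vendor names before disabling it.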
