Disinfecting a PC… part 6



Ok, it’s BHOdemon time… installed from cd and on starting:

BHOdemon bhotb-all.html not found, no web connection downloading on other machine.

Finally get it to work copying from another machine. But I had to change the Windows ME to show full filenames to help troubleshoot why it couldn’t find the file (naming problem.) (There seems to be a strange display problem on setting “don’t hide file extensions” menu, (I can’t see the check boxes or the checkmarks…. I managed to toggle them “blind” to show file extensions)…

Here are the bugs BHO found….

BHODemon 2.0.0.23 Report File:
A:INCFIN~1_BHODemonInfo.txt

Desc: incfindbho.dll, INCFIN~1.DLL – IncrediFind/Keenvalue
Clsid: {5D60FF48-95BE-4956-B4C6-6BB168A70310}
DLL Path: C:PROGRA~1INCRED~1BHOINCFIN~1.DLL
ProgID: BHO.IncrediFindBHO.1
URL: http://www.doxdesk.com/parasite/KeenValue.html
Enabled?: No – file is missing
Status: Malware

(Ok, we’ve already cleaned this out with AVG – Incredifind / Keenvalue)

BHODemon 2.0.0.23 Report File:
A:2BHODemonInfo.txt

Desc: Wsem***.dll , (* = digit) – MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:WINDOWSWSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No – file is missing
Status: Malware

Dyfuca – yuck… bad one.. AVG got this one as well.

BHODemon 2.0.0.23 Report File:
A:3BHODemonInfo.txt

Desc: n3tpa1p.dll, Calsdr.dll, Gr0*.dll (* = digit), td1.dll, random file names – FavoriteMan
Clsid: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DLL Path: C:WINDOWSSYSTEMATPART~1.DLL
ProgID: F1.Organizer.1
URL: http://www.doxdesk.com/parasite/FavoriteMan.html
Enabled?: No – file is missing
Status: Malware

Organizer / Favoriteman – this looks to be the one responsbile for the random file names and is also missing (Good job AVG).

Here’s the fourth (and last) BHO found:

BHODemon 2.0.0.23 Report File:
A:4BHODemonInfo.txt

Legal Copyright: Copyright 2004
Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:WINDOWSSYSTEMpecxl.dll
Modified Date: Saturday, November 06, 2004 14:04:36
Created Date: Tuesday, November 02, 2004 22:11:27
ProgID: SWin32.SDWin32.1
Product Name: SWin32 Module
Product Version: 1, 0, 0, 1
Original Filename: SWin32.DLL
File Description: SWin32 Module
Company Name: $
Enabled?: Yes
Internal Name: SWin32
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown

This one seems to be identified as SecondThought/ BetterInternet… no identification from BHO.
(From etrust):

2ndthought Adware, Second Thought, Trojan.Win32.SecondThought.c [VirusLibrary], SecondThought, Trojan.Win32.SecondThought [Kaspersky], Win32/SecondThought.G [NOD32], BKDR_RULEDOR.E, Adware/PortalScan[Panda], Trojan.Win32.SecondThought.a[Kaspersky], Win32.BettInet.E[Computer Associates], Spyware/BetterInet[Panda], Spyware/ClearSearch[Panda], Adware.SecondThought [Symantec], Trojan.Win32.SecondThought.ag

So, I disable each of these BHO’s and we’re in good shape. There’s been a lot of disk swapping (either the one active item or the three missing being looked for.) System speed improves a good deal after this pass.

Related Posts

Blog Traffic Exchange Related Posts
  • Remove Total Security 2009 | TotalSecurity 2009 Removal Total Security 2009 is also known as TotalSecurity 2009 or TotalSecurity2009. It is a newer version of the Total Security Antivirus which we highlighted just a week or so ago. It is a more troublesome variant of this rogue security software. In addition to the false warnings about problems on......
  • Windows 98 and the WMF exploit I've seen breathless headlines that say "Windows PCs face 'huge' virus threat; Affects every MICROSOFT OS shipped since 1990..." and really would like to try to clarify (again) what the situation is. Yes, the bug or vulnerability that's currently being exploited exists as far back as Windows 3.0, but as......
  • Grisoft AVG Antivirus 7.5 on Windows XP False Positive that HURTS This looks like a REALLY bad false positive. It appears that AVG 7.5 for a short period of time detected user32.dll as a trojan horse. (trojan horse psw banker4). It looks as though update to the virus database VDB 270.9.0/1778 fixes the problem. Unfortunately if you have been bitten by......
Blog Traffic Exchange Related Websites
  • Home Office Ideas Home working has reached a level where it has once again become a major part of the economy. It is especially big in Europe. For example, approximately 4 million residents in the UK work from home necessitating the need to optimise their office spaces in order to improve efficiency, while......
  • What is Registry Fix and Optimizer? Operating system like Microsoft Windows has a registry. The system registry holds a wealth of information about the computer, which is why when after using the PC for a short length of time, it no longer works the way it used to. This is due in part to invalid entries......
  • Tax Extension- Individual About taxextension.com Authorized IRS e-file Provider taxextension.com is an an Authorized IRS e-file Provider offering tax extension preparation and electronic filing services to consumers and businesses. Ficticious Name and Corporate Ownership Efile IRS Tax Extension Online taxextension.com is owned by BH Enterprises of FL, Inc. We do business in......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site