Disinfecting a PC… part 6



Ok, it’s BHOdemon time… installed from cd and on starting:

BHOdemon bhotb-all.html not found, no web connection downloading on other machine.

Finally get it to work copying from another machine. But I had to change the Windows ME to show full filenames to help troubleshoot why it couldn’t find the file (naming problem.) (There seems to be a strange display problem on setting “don’t hide file extensions” menu, (I can’t see the check boxes or the checkmarks…. I managed to toggle them “blind” to show file extensions)…

Here are the bugs BHO found….

BHODemon 2.0.0.23 Report File:
A:INCFIN~1_BHODemonInfo.txt

Desc: incfindbho.dll, INCFIN~1.DLL – IncrediFind/Keenvalue
Clsid: {5D60FF48-95BE-4956-B4C6-6BB168A70310}
DLL Path: C:PROGRA~1INCRED~1BHOINCFIN~1.DLL
ProgID: BHO.IncrediFindBHO.1
URL: http://www.doxdesk.com/parasite/KeenValue.html
Enabled?: No – file is missing
Status: Malware

(Ok, we’ve already cleaned this out with AVG – Incredifind / Keenvalue)

BHODemon 2.0.0.23 Report File:
A:2BHODemonInfo.txt

Desc: Wsem***.dll , (* = digit) – MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:WINDOWSWSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No – file is missing
Status: Malware

Dyfuca – yuck… bad one.. AVG got this one as well.

BHODemon 2.0.0.23 Report File:
A:3BHODemonInfo.txt

Desc: n3tpa1p.dll, Calsdr.dll, Gr0*.dll (* = digit), td1.dll, random file names – FavoriteMan
Clsid: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DLL Path: C:WINDOWSSYSTEMATPART~1.DLL
ProgID: F1.Organizer.1
URL: http://www.doxdesk.com/parasite/FavoriteMan.html
Enabled?: No – file is missing
Status: Malware

Organizer / Favoriteman – this looks to be the one responsbile for the random file names and is also missing (Good job AVG).

Here’s the fourth (and last) BHO found:

BHODemon 2.0.0.23 Report File:
A:4BHODemonInfo.txt

Legal Copyright: Copyright 2004
Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:WINDOWSSYSTEMpecxl.dll
Modified Date: Saturday, November 06, 2004 14:04:36
Created Date: Tuesday, November 02, 2004 22:11:27
ProgID: SWin32.SDWin32.1
Product Name: SWin32 Module
Product Version: 1, 0, 0, 1
Original Filename: SWin32.DLL
File Description: SWin32 Module
Company Name: $
Enabled?: Yes
Internal Name: SWin32
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown

This one seems to be identified as SecondThought/ BetterInternet… no identification from BHO.
(From etrust):

2ndthought Adware, Second Thought, Trojan.Win32.SecondThought.c [VirusLibrary], SecondThought, Trojan.Win32.SecondThought [Kaspersky], Win32/SecondThought.G [NOD32], BKDR_RULEDOR.E, Adware/PortalScan[Panda], Trojan.Win32.SecondThought.a[Kaspersky], Win32.BettInet.E[Computer Associates], Spyware/BetterInet[Panda], Spyware/ClearSearch[Panda], Adware.SecondThought [Symantec], Trojan.Win32.SecondThought.ag

So, I disable each of these BHO’s and we’re in good shape. There’s been a lot of disk swapping (either the one active item or the three missing being looked for.) System speed improves a good deal after this pass.

Related Posts

Blog Traffic Exchange Related Posts
  • WMF exploit unofficial patch Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They've also looked at the patch thoroughly and it sounds as though it's very well done. We want to......
  • Windows 98 and the WMF exploit I've seen breathless headlines that say "Windows PCs face 'huge' virus threat; Affects every MICROSOFT OS shipped since 1990..." and really would like to try to clarify (again) what the situation is. Yes, the bug or vulnerability that's currently being exploited exists as far back as Windows 3.0, but as......
  • Remove Total Security 2009 | TotalSecurity 2009 Removal Total Security 2009 is also known as TotalSecurity 2009 or TotalSecurity2009. It is a newer version of the Total Security Antivirus which we highlighted just a week or so ago. It is a more troublesome variant of this rogue security software. In addition to the false warnings about problems on......
Blog Traffic Exchange Related Websites
  • Home Office Ideas Home working has reached a level where it has once again become a major part of the economy. It is especially big in Europe. For example, approximately 4 million residents in the UK work from home necessitating the need to optimise their office spaces in order to improve efficiency, while......
  • Remove Dates From Permalink How do you you remove the dates from your permalink structure without ruining all the hard earned links you have developed? Glad you asked... It really is very simple... (Note I tried the various plugins first but had issues... In the end this solution is faster for the visitor, quicker......
  • Best Free Registry Cleaner Software I think most people will agree with the fact that there is really nothing worse than having a slow computer which affects your ability to work or even play games. There are many reasons why a computer will become full of errors but the majority of the time the problems......
PDF24    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site