Disinfecting a PC… part 6



Ok, it’s BHOdemon time… installed from cd and on starting:

BHOdemon bhotb-all.html not found, no web connection downloading on other machine.

Finally get it to work copying from another machine. But I had to change the Windows ME to show full filenames to help troubleshoot why it couldn’t find the file (naming problem.) (There seems to be a strange display problem on setting “don’t hide file extensions” menu, (I can’t see the check boxes or the checkmarks…. I managed to toggle them “blind” to show file extensions)…

Here are the bugs BHO found….

BHODemon 2.0.0.23 Report File:
A:INCFIN~1_BHODemonInfo.txt

Desc: incfindbho.dll, INCFIN~1.DLL – IncrediFind/Keenvalue
Clsid: {5D60FF48-95BE-4956-B4C6-6BB168A70310}
DLL Path: C:PROGRA~1INCRED~1BHOINCFIN~1.DLL
ProgID: BHO.IncrediFindBHO.1
URL: http://www.doxdesk.com/parasite/KeenValue.html
Enabled?: No – file is missing
Status: Malware

(Ok, we’ve already cleaned this out with AVG – Incredifind / Keenvalue)

BHODemon 2.0.0.23 Report File:
A:2BHODemonInfo.txt

Desc: Wsem***.dll , (* = digit) – MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:WINDOWSWSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No – file is missing
Status: Malware

Dyfuca – yuck… bad one.. AVG got this one as well.

BHODemon 2.0.0.23 Report File:
A:3BHODemonInfo.txt

Desc: n3tpa1p.dll, Calsdr.dll, Gr0*.dll (* = digit), td1.dll, random file names – FavoriteMan
Clsid: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DLL Path: C:WINDOWSSYSTEMATPART~1.DLL
ProgID: F1.Organizer.1
URL: http://www.doxdesk.com/parasite/FavoriteMan.html
Enabled?: No – file is missing
Status: Malware

Organizer / Favoriteman – this looks to be the one responsbile for the random file names and is also missing (Good job AVG).

Here’s the fourth (and last) BHO found:

BHODemon 2.0.0.23 Report File:
A:4BHODemonInfo.txt

Legal Copyright: Copyright 2004
Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:WINDOWSSYSTEMpecxl.dll
Modified Date: Saturday, November 06, 2004 14:04:36
Created Date: Tuesday, November 02, 2004 22:11:27
ProgID: SWin32.SDWin32.1
Product Name: SWin32 Module
Product Version: 1, 0, 0, 1
Original Filename: SWin32.DLL
File Description: SWin32 Module
Company Name: $
Enabled?: Yes
Internal Name: SWin32
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown

This one seems to be identified as SecondThought/ BetterInternet… no identification from BHO.
(From etrust):

2ndthought Adware, Second Thought, Trojan.Win32.SecondThought.c [VirusLibrary], SecondThought, Trojan.Win32.SecondThought [Kaspersky], Win32/SecondThought.G [NOD32], BKDR_RULEDOR.E, Adware/PortalScan[Panda], Trojan.Win32.SecondThought.a[Kaspersky], Win32.BettInet.E[Computer Associates], Spyware/BetterInet[Panda], Spyware/ClearSearch[Panda], Adware.SecondThought [Symantec], Trojan.Win32.SecondThought.ag

So, I disable each of these BHO’s and we’re in good shape. There’s been a lot of disk swapping (either the one active item or the three missing being looked for.) System speed improves a good deal after this pass.

Related Posts

Blog Traffic Exchange Related Posts
  • Grisoft AVG Antivirus 7.5 on Windows XP False Positive that HURTS This looks like a REALLY bad false positive. It appears that AVG 7.5 for a short period of time detected user32.dll as a trojan horse. (trojan horse psw banker4). It looks as though update to the virus database VDB 270.9.0/1778 fixes the problem. Unfortunately if you have been bitten by......
  • Microsoft releases official VML patch!! The big news this afternoon is that Microsoft HAS gone out of the routine patch cycle to release a security fix for the VML vulnerability that's been actively exploited in recent days for everything from sneak keylogger installs to massive spyware installs. Sans has a few links, if you de-registered......
  • WMF exploit unofficial patch Sans is talking about the unofficial patch for the WMF vulnerability. One of their handlers has helped with it to extend it to work on XP SP 1 and Windows 2000. They've also looked at the patch thoroughly and it sounds as though it's very well done. We want to......
Blog Traffic Exchange Related Websites
  • Remove Dates From Permalink How do you you remove the dates from your permalink structure without ruining all the hard earned links you have developed? Glad you asked... It really is very simple... (Note I tried the various plugins first but had issues... In the end this solution is faster for the visitor, quicker......
  • Ectaco UK - (UK Only) document.write(''); ECTACO handheld dictionaries incorporate numerous breakthrough technologies such as speech synthesis, speech recognition, and powerful localization tools. Get the most from your electronic dictionary - get ECTACO. We translate the world! document.write(''); LingvoSoft translation software is in a league of its own. The continual addition of new functionality......
  • Best Free Registry Cleaner Software I think most people will agree with the fact that there is really nothing worse than having a slow computer which affects your ability to work or even play games. There are many reasons why a computer will become full of errors but the majority of the time the problems......
www.pdf24.org    Send article as PDF   

Similar Posts


See what happened this day in history from either BBC Wikipedia
Search:
Keywords:
Amazon Logo

Comments are closed.


Switch to our mobile site