Disinfecting a PC… part 6
Ok, it’s BHOdemon time… installed from cd and on starting:
BHOdemon bhotb-all.html not found, no web connection downloading on other machine.
Finally get it to work copying from another machine. But I had to change the Windows ME to show full filenames to help troubleshoot why it couldn’t find the file (naming problem.) (There seems to be a strange display problem on setting “don’t hide file extensions” menu, (I can’t see the check boxes or the checkmarks…. I managed to toggle them “blind” to show file extensions)…
Here are the bugs BHO found….
BHODemon 2.0.0.23 Report File:
A:\INCFIN~1_BHODemonInfo.txt
Desc: incfindbho.dll, INCFIN~1.DLL – IncrediFind/Keenvalue
Clsid: {5D60FF48-95BE-4956-B4C6-6BB168A70310}
DLL Path: C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
ProgID: BHO.IncrediFindBHO.1
URL: http://www.doxdesk.com/parasite/KeenValue.html
Enabled?: No – file is missing
Status: Malware
(Ok, we’ve already cleaned this out with AVG – Incredifind / Keenvalue)
BHODemon 2.0.0.23 Report File:
A:\2BHODemonInfo.txt
Desc: Wsem***.dll , (* = digit) – MoneyTree/DyFuCa
Clsid: {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4}
DLL Path: C:\WINDOWS\WSEM300.DLL
ProgID: DyFuCA_BH.BHObj.1
URL: http://www.doxdesk.com/parasite/MoneyTree.html
Enabled?: No – file is missing
Status: Malware
Dyfuca – yuck… bad one.. AVG got this one as well.
BHODemon 2.0.0.23 Report File:
A:\3BHODemonInfo.txt
Desc: n3tpa1p.dll, Calsdr.dll, Gr0*.dll (* = digit), td1.dll, random file names – FavoriteMan
Clsid: {00000EF1-0786-4633-87C6-1AA7A44296DA}
DLL Path: C:\WINDOWS\SYSTEM\ATPART~1.DLL
ProgID: F1.Organizer.1
URL: http://www.doxdesk.com/parasite/FavoriteMan.html
Enabled?: No – file is missing
Status: Malware
Organizer / Favoriteman – this looks to be the one responsbile for the random file names and is also missing (Good job AVG).
Here’s the fourth (and last) BHO found:
BHODemon 2.0.0.23 Report File:
A:\4BHODemonInfo.txt
Legal Copyright: Copyright 2004
Clsid: {9BFD87DE-4014-4407-B873-FA2C6A57A05F}
DLL Path: C:\WINDOWS\SYSTEM\pecxl.dll
Modified Date: Saturday, November 06, 2004 14:04:36
Created Date: Tuesday, November 02, 2004 22:11:27
ProgID: SWin32.SDWin32.1
Product Name: SWin32 Module
Product Version: 1, 0, 0, 1
Original Filename: SWin32.DLL
File Description: SWin32 Module
Company Name: $
Enabled?: Yes
Internal Name: SWin32
Size (bytes): 98,816
MD5 Checksum: bc58555fe3eba444e5cac344fdc720cc
Status: Unknown
This one seems to be identified as SecondThought/ BetterInternet… no identification from BHO.
(From etrust):
2ndthought Adware, Second Thought, Trojan.Win32.SecondThought.c [VirusLibrary], SecondThought, Trojan.Win32.SecondThought [Kaspersky], Win32/SecondThought.G [NOD32], BKDR_RULEDOR.E, Adware/PortalScan[Panda], Trojan.Win32.SecondThought.a[Kaspersky], Win32.BettInet.E[Computer Associates], Spyware/BetterInet[Panda], Spyware/ClearSearch[Panda], Adware.SecondThought [Symantec], Trojan.Win32.SecondThought.ag
So, I disable each of these BHO’s and we’re in good shape. There’s been a lot of disk swapping (either the one active item or the three missing being looked for.) System speed improves a good deal after this pass.