The BHOs That Wouldn't Die

Sounds like a cheapie horror movie, doesn't it? I brought home a computer from work that had been "retired" due to being unusable because of the popups, etc. that were living in it. I installed Firefox to have something reliable ("untouchable") for downloading Ad-Aware, Spybot S&D, etc. Those and HijackThis have been pretty effective, but there's some persistent stuff still hanging around.

I'm partway through a regedit on all the stuff that Spy Bouncer has found. The program seems good, but because it's not my computer (and because I "don't do charge cards"), I haven't purchased it (yet). SB's "remove" function is disabled until the program is registered.

Anyway, every time I restart the computer and run HJT!, it shows three CLSIDs that point to ClearSearch, Deep Dive (a SideSearch variant), and IncrediFind. I recently deleted one key that Spy Bouncer said was for IncrediFind, but it keeps coming back. HJT hasn't done much, either, when asked to "Fix" those items.

Is there anyplace I should look next to weed out those BHOs?
Thanks.

 

Hi Maineiac,

Complete all of the steps in this tutorial:
http://forums.majorgeeks.com/showthread.php?t=35407

Note the steps you can and cannot complete. This will help us fix you up if you need further assistance. If you are asked for a HJT log, read this first:
http://forums.majorgeeks.com/showthread.php?t=38752

Note that logs should be saved as .txt files and posted as attachments.

Good luck,

PP

 

Sorry, my post should have included the links above as evidence that I had "been there, done that." I didn't post the CLSIDs for those BHOs because I've seen the mentions of how all of those in various logs are jamming up search engines. (I've encountered many of those with Google during my quest for more guidance.)
The only thing I hadn't done until now was install Spyware Blaster. Thanks for the reminder. I think it will keep the goblins at bay when this machine goes back to the office, if somebody has a compulsion to use MSIE for something.

 

Hi Maineiac,

Did you do the online scans? Safe Mode? System Restore off?

Try the following:
TrojanScan online scan
a-squared (a²) Free edition

Here is more info:
http://www.pestpatrol.com/PestInfo/k/keenvalue_incredifind.asp

http://www.kephyr.com/spywarescanner/library/clearsearch.bho1/index.phtml

Let us know how the trojan scans and the uninstall instructions went and then submit a HJT log as per my previous post.

Best luck,

PP

 

Okay, I just got done running HijackThis, Ad-Aware, and Spybot S&D in Safe mode *again*. When I restarted in normal mode, those three BHOs showed up in HJT all over again. Those things are annoying me badly.

While I'm at it, would anyone know what "DSE_CI32.EXE" or "FINBLE3.EXE" might be? They got weeded out by CCleaner, and I thought that might have something to do with getting rid of the boomerang BHOs, but no such luck.

 

Try the trojan scans and the uninstall instructions.
Did you run the BHOs through Tony Klein's BHO list?

Attach a log. I've got to run out - I'll check back later, but somebody will take a look.

PP

 

No trojans on here, but I *will* try those uninstall instructions.

Yup, that was how I had some clue what their names were. I just found the link to the Doxdesk page about IGetNet/ClearSearch, "the one with all the zeroes and ending in 221." (Didn't want to jam up any more search engines by posting the whole thing.) I don't know which version of that is on this machine, but I'm going after that one first.
Tony's list doesn't have the CLSID for the IncrediFind one, but I'll see if your PestPatrol link can help me get that one next. Then I plan to nuke Deep Dive (SideSearch variant) outta here.

Thanks, those links are a very good start. I know I can smoke the little buggers out, if I can just get at them.
If I can successfully delete them, I'll let you know. If not, I'll post a .TXT log from my next HJT scan after the battle. If I don't post anything, you'll know they got me first.

 

Good luck!

This one looks kind of trojanny to me - FINBLE3.EXE

It is refreshing to find somebody who has taken such a proactive approach to fighting their malware! Feel free to attach a log if you need a 2nd or 3rd opinion.

Best,

PP

 

Thanks.

I agree, especially where it was, in HKLM\..\Run. HJT kept calling it an "O4," but never "Fixed" it. CCleaner gave it the old heave-ho.

My wife and I have long been active against the bad stuff on our own machines. (She has 3 running right now, including one on which she installed Linux.) I saw the messed-up one from work as a challenge. Looks like I'll be starting a new job there soon, so that machine might even be assigned to me. I've got it armor-plated already; maybe someday I can hotrod it.

I went after the three BHOs late last night, doing the whole uninstall routine on two of them, even the DOS stuff. Bupkis, nada, zero files or keys found. I ran Ad-Aware once more and went to bed. Got woke up around 0430 by the dog jumping on the bed, and decided to check Ad-Aware. It had pounced on the ClearSearch one. (The one that ends in "221.") I went after those keys, and hope that's the last of that one.
Obssessive? Yep, and proud of it.

Thanks much. We'll see how it goes. I was gonna return it today, but I'd like it to be barfware-free when I bring it back there.

 

Ahhh. . . A couple of kindred spirits! Myself, I find malware quite interesting, though it has been years since anybody could call me a "tech guy." Just a normal guy with an abnormal interest in malware.

Happy to talk to you anytime!

Regards,

PP

 

This may have just gotten resolved. My wife called from work and said she had looked at that computer today while I was at work. She has been acquainted with HJT longer than I have, and she said the lines like "BHO: (no name) {###-###-yada-yada} (no file)" indicate that there's no longer a threat from those objects. Is that right? (Yes, I RTFMed, but didn't see it.)

Anyway, that computer is going back to the office with me tomorrow, and may be assigned to me when I start my new job. I think with Ad-Aware, Norton AV, Spybot S&D, and Spyware Blaster running and kept updated, it should be pretty secure. Somebody would also have to figure out how to get dial-up access with it, and get M$IE past ZoneAlarm if I wasn't there to whack their knuckles. The Computer Lady also added some advanced Spybot protection this afternoon, something I had overlooked.

PP, thanks for the response. If it turns out I was misreading the HJT scans, you can mark this one "Resolved."

Oh, and here's something that appeared in our Sunday paper. I thought it was pretty funny, so I found it online, too: <http://www.ucomics.com/adamathome/2004/10/03>
I'm going to tape the one from the newspaper onto the side of the case of the computer from work. (Formerly "the computer from Hell.")

 

To the best of my knowledge, your wife is correct. Nevertheless, I like to have HJT fix those - Just to be on the safe side. If I am not mistaken, when HijackThis "fixes" a bad BHO, it attempts to delete the corresponding file as well.

I enjoyed the comic. It only took having my computer become "possessed" one time for me to grow to despise all forms of malware!

Cheers,

PP

 

Okay, I guess that clears it all up. It was driving me nuts that I'd ask HJT to fix them in Safe mode, reboot to Normal mode and find the same notations all over again, especially when the other detection programs rarely if ever found 'em.

Ayup. Annoyin', ain't it?
Thanks again for the support.

 

These BHOs shouldn't be coming back once you fix them. What OS? Do to have system restore? It doesn't make sense that they would appear in your log after they were supposedly "fixed."

Attach a log - I'd like a look at them.

PP

 

Actually, the more I think about it, your wife and I may be wrong. These things reappearing is definitely an indication that all is not well.

I've lost track of all of the steps you have taken - Are you sure your machine is otherwise clean (save for the BHOs)? The online scans didn't find anything?

Arrghh . . . Now I'm not going to be able to sleep!

PP

 

My own suspicion was that those said "no name/no file" because browser hijackers and the like are just naturally secretive (subversive), but that was just a WAG. I should ask around some more.

Nope, nuthin'. The last Ad-Aware I ran before it left my "shop" found something (forgot what), but I think it was just reacting to something in Spybot or maybe Spyware Blaster. (But I regularly trash any quarantined stuff in A-A and Spybot.)
And to answer the question in your previous reply, it's Win98. A selectable System Restore might be a nice feature for that, but no.

Sorry to keep you awake for so long. I hope you didn't eat a jar of instant coffee or anything, like a ham radio acquaintance of mine once did when he was working on a project. (I *think* he was kidding when he wrote that.)

I'm on my own machine here, and the other one is back at the office. I don't know if that one will have 'Net access anymore, so it might be awhile before I could post a log. (At least it has a 3½" floppy drive. Their newest one has only a CD burner.)

It's running way better than it was, so I'm just going to declare it "good" for now. I kinda lost track of everything I tried, too, so maybe once management decides where to set it up, I'll go back through the steps verrrrry methodically.

 

As usual, Chaslang is right on top of things. (I learn something new every day reading his threads) This is indeed symptomatic of CWS, but I figured that you would have flushed that out long ago. Of course, I still have more to learn!

I'm usually occupied with a bunch of things when I take a break and check out this forum. Sometimes, I'll post a reply and the thread will stick in the back of my mind - Something will bother me, but I can't put my finger on it. Maddening, really.
I don't see how Chas manages to reply to so many threads without going nuts - Or, maybe, that keeps him sane?

Shoot us a HJT log when you get a chance. Let's solve this mystery!

Best,

PP

 

It may not be that far off! I've seen the KodoMatic Instant HJT Log Analyzer. (Actually, its quite cool! Hope you guys are able to stick with it)
I'm going to stand by my Chaslang Robot theory - Sort of like that commercial w/ NASCAR's Matt Kenseth. When one flames out, MA gets on the horn, "Need another Chaslang from the storeroom!"

PP

 

Thought about cloning - But you'd probably need the Ted Williams (one of the 3 greatest hitters to ever play the game, the other two being the Yankee Clipper and Josh Gibson - IMHO) treatment until that becomes viable.

Lojack looks promising. It would be cool if you could tie it in to an established database like Pacman's list - Kind of like BHO Demon is tied to Tony Klein's BHO List.

**Hope Maineiac doesn't mind what we've done to his thread. I doubt that he will.

PP

 

It already sounds pretty cool, and tying it to a database would make it *way* cool.

Nah, I don't mind. I see an opportunity to learn something here, and a day when I learn something with no pain involved is a good day for me.

I have to go in to the office Sunday, but I don't know how much time I'll be able to spend on that computer. First chance I get, though, I'll save an HJT log or two as TXT and put it onto a floppy to bring home and post from here.

That machine never had anything more than NAV on it for malware-detection software, and it hadn't been updated for awhile. I took care of that shortly after I brought it home. I also used M$ Internet Exploder only long enough to download Firefox. Then I got Ad-Aware, Spybot S&D, and the apps that I found out about here onto it, and things started to improve.
Anything that was going to take awhile to download, I retrieved with my own computer and burned onto CD. HJT is on the CD and on the PC. CWShredder was one I put on the CD but didn't install on the computer from work, so I'll try that, too.

Now my wife tells me she changed the values of those BHOs, but doesn't remember if she did that with HJT or Spybot. (I don't think HJT is set up for that, but I'm no expert.) She says that would make them still show up in HJT, but render them inert. She very well might know more than I do about this, but then again she can be one of those women who will use a butterknife for a screwdriver.

My thanks to both of you for the assistance already given.

 

Update: Today at work I had enough time to install and run BHODemon. It initially indicated that (vestiges of) those three BHOs were on the machine, but that they had been disabled. But when looking at the details, each one showed "enabled."
I do have the results saved, but I didn't have a floppy with me to transport them to an Internet connection. Also was unable to get any updates for BHOD, to see if they have more information now on the one that wasn't ClearSearch or SideSearch. (I guess I'm too fried from work to remember it.)
Maybe I can just stick them in a bucket of water to deactivate them. (I don't think the bomb squad does that anymore, either.)

 

I find a sledgehammer to be pretty effective too!

A HJT log will tell us much more about the problem. I'll keep an eye out for it. I'm kinda hitting this forum off and on these days - not a lot of free time.

Best,

PP