BHODemon & Noadware

I hope I'm posting this in the right forum. There are several issues pertaining to different programs for spyware/adware. I recently installed BHODemon20 (on my WinXP/Home pc) but I have no idea how to scan my pc with it - can't find any useful instructions on how do do so. I also installed noadware.exe and ran a check with it. Says it found 3 parasites in Registry as follows:
Parasite: Location: Danger:
1stbar/powerscan HKEY_LOCAL_MACHINE/software/clRegKey severe
TwainTech " " " " /mRegKey dangerous
TwainTech " " " " /mRegValue "
When I click on repair, it tells me I have to register the program and pay $29.95. I cannot afford this, and am wondering if there is anyway to manually search for and remove these entries from the registry?
Also, why is it that "noadware" is the only program that shows these entries, whereas Spybot S&D and Ad-Aware do not detect them? their scans come up clean. Thanks so much for any replies.

 

Vicki.

NoAdware is listed on Eric Howe's Rogues spyware lists and what you have experienced is the "we can find it, but to fix it you pay us".

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Scroll down until you find it.

As to BHODemon20, I have not got that so no help there.

I shall move this from SpywareBlaster forum to this Privacy Software forum for better results.

A quick Google on TwainTech does indicate some form of spyware, but, I would not be hasty in removing.

The links I found could relate to rogue Adaware programs also.

I cannot research any further, have to leave, but here is google results.

HERE

Cheers, TAS

PS: In that google page look on the right hand side under sponsored links and you will see that Rogue NoAdware.net link listed several times....

 

Hi Vickie.

As for BHODemon, it has no on demand scanning capabilities.

This is what it essentially does, copied from BHODemon homepage,

Think of BHODemon as a guardian for your Internet Explorer browser: it protects you from unknown Browser Helper Objects (BHOs), by letting you enable/disable them individually. It also monitors your Registry and alerts you when a BHO is installed. Best of all, BHODemon knows about the most common BHOs - the good ones, and the not-so-good ones!

Hope this helps.


snowbound

 

Hi Tassie and Snowbound..many thanks for ur replies and for the link provided for Twain Tech on Google. I will check out the various articles on TT. Also, re my original question - is there any reason why Spybot S&D and Ad-Aware couldn't locate the Twain Tech and 1st bar trojans (??) during their scans, but Noadware was able to?
Just wondering if these are indeed bugs legitimately on my system as Noadware reported -- or maybe becuz Noadware just wants me to ante-up for a so-claimed removal?? Your opinions would be appreciated.

 

Vicki hi

In all honesty it would be hard to say if you are genuinely infected or not, because of the Rogue listing of NoAdware and the general deceptions of such to "find" things so you purchase, could either be false positives or genuine.

You say AdAware and Spybot found nothing.
I presume they were fully updated and the deepest scans set, including Registry??
[AdAware/Settings ~ click on the gear symbol ~ /Select Scanning TAB/ tick all options in Memory and Registry]

Let's deal with the "1st bar trojans".

Have you also scanned with an Anti-Virus program?

Do you have an Anti-Trojan scanner, and if so have you run it?

If not, get a copy of one and run it after you have updated it.

I have only ever used one personally and that is TDS3. Can not help with any others. TDS3 DOWNLOAD FROM HERE

UPDATE DEFINITIONS HERE WITH INSTRUCTIONS

Don't be put off by the amount of options/tools in it.
It cannot get any simpler than download install/download the updates [must be done manually] install them, then run a scan.

If they are ALL clean, then your chances are looking around 99% good.

For that extra 1% doubt, get 2 online scans done.

TREND'S HOUSECALL On the right side under More Info, click Scan Now.

SYMANTEC SECURITY CHECK Click on GO.

BITDEFENDER ONLINE VIRUS SCAN Click on the 'I Agree' licence.

PANDA ACTIVE SCAN Click on the animated gif, Panda Active Scan.

As to the TT entries, I am reasonably confident that if you do all the above you should be right.

Please let us know how you went.

I have included a pic of TDS GUI. You will get a warning that the radius database is not up to date even after installing the new one, ignore that, it's because you cannot do auto download without being registered and it is a way of telling you.

EDIT: HERE IS EXCELLENT READ~SETUP ON TDS3 which I suggest you do. There will be posts in there that you need not worry about, just read them through.
You won't have to worry about Enabling Execution Protection as that's a Registered feature.
Don't worry about Servers etc in posts 3/4. A lot are extra options, ok!

Cheers, TAS

 

Hi Tassie, I lknow this is off topic but I love your bar graphic for TDS in the screen shot and would like to get a copy. Possible?
Thanks, Jim

 

Hi JW... Thanks, I've sent PM.

TAS

 

Hi Tas..many thanks for ur reply. I have clicked on all the links you suggested to run the online virus scans, but I cannot get any of them to do anything...all I get is nothing but a white blank page. I can't imagine why this would happen. Can you?
As for the TDS3 I would have to subscribe to it for a fee - wouldn't I? and I have already put myself in hack over my head for this new XP pc of mine so I don't want to put out any extras if I don't have to I have Norton System Works installed and run it quite frequently along with SS&D and Ad-aware...that's why I'm wondering how come Noadware "found" the (3) trojans but NAV/SS&D/Ad-aware couldn't find them?
In any case, I'm just wondering why I cannot complete any scans with the links you sent. Any ideas as to why no success? Thanks so much again.

 

BTW Tas...I just checked on the liink you previously sent for "spywarewarrior" and after checking their list, I went ahead and uninstalled Noadware from Start/All Programs - its not listed in Add/Remove Programs - I hope I have completely uninstalled the entire program from my pc. Is there anything else I should do so as to make sure its completeluy gone from my system? Thanks for any further ideas.

 

Hi Vicki.

No probs.

Apart from running a Registry Cleaner, and doing a full scan by AAW and SSD. If you have never used a Reg cleaner, I do not advise you to start learning just on this though, you could break things.

Did you get a request from each asking to download and install an ActiveX object to run the scan? You should have from memory.
Not unless you have ActiveX disabled and javascript off.
You do need those two to work. Been so long since I've done online scan.

Now, by 'white page' do you mean you can get to the site, see it fine, but nothing happens when you click for the scan....OR.....do you mean you cannot even get to the site itself

If you cannot get any of the sites themselves, you may have an infection which screwed with your hosts files, blocking access to any of the Anti-virus vendors sites.

If you do not know what I am talking about with HOSTS files, you can check by navigating to:

C:/WINDOWS/system 32/drivers/etc folder [yes, "etc" is a folder] and then see the file simply called "hosts" with NO extensions.

Now on THAT file, right click, select Open With.... select Notepad, OK
If no Open With..... just select Open, window pops up, select 'Select Program from List' then choose Notepad.

IF you see any entries like this:

Code:

127.0.0.1  downloads.aaa1screensavers.com #[Bargin Buddy]
127.0.0.1  abcsearch.com
127.0.0.1  admin.abcsearch.com
127.0.0.1  www3.abcsearch.com #[Browseraid]
127.0.0.1  www.abcsearch.com
127.0.0.1  abc517.net #[Trojan.Mitglieder.H]
127.0.0.1  acestats.com
127.0.0.1  www.acestats.com

BUT they have the names of the anti-virus vendors in them..

eg: 127.0.0.1 symantec.com

..........that means you do have infection and your hosts are mucked up preventing you accessing the AV sites.

You can then highlight ONLY those AV sites listed and delete.

DO NOT DELETE THE 127.0.0.1 localhost entry which should be the very first entry.

Now... JUST CLOSE [X top right] it will then Ask to save changes, say YES.
Do not try to do a Save first, just close and then OK changes. [if you try to save, you have to select *any file and save as 'hosts' with NO extension ]

Now try again to go to sites.

No. Free download and free trial. You do not have to pay anything.
The differences between free trial and full registered is you have to do manual download of radius.tds defs and you cannot install the Execution Protection for Real Time Monitoring of your system. All other features are usable.

You can scan, find and delete trojans. If you find it useful, after a trial period, then of course I suggest you purchase, but no, not necessary for the interim.

You really do need to be able to do an online scan, but pick one other than your own AV. You run NAV, so I suggest you use Trend's Housecall or Panda, but they do require to download and install an ActiveX object.

Plus you should do an Anti-trojan scan.

Other than that Vicki I cannot say for sure, yes/no you are infected/or safe.

Now, if all else fails, and for some reason you still cannot do Online scan, please go HERE and follow the link in that thread.

It gives a list of sites that do HiJackThis logs [we don't] and you can go to one of them to post for help, making sure you follow the rules and obligations of the forum you post to.

Cheers, TAS

 

Just an update on twain tech finding.

I just had a thought, there are twain tec listings in SpywareBlaster's killbits and I know that at one time Pest Patrol false positived on these a while back, so maybe that's what is happening with that NoAdware, reading the killbits in SWB database in IE.

If you dont run SpywareBlaster, then forgot it.

TAS

 

So you cannot even see any of the sites themselves at all, let alone try to scan. That's not right, if you can browse normally where you want to go [this forum for eg] but not to any AV site.

Check your HOSTS file as above and if you see the AV sites listed in it with 127.0.0.1 delete those only.

Anyhow, you definitely do need to do online scan now if you do have those entries and you can delete them in order to do so.

Then probably have to do a HiJackThis log post to one of the forums which handle them in link above I gave later on.

Cheers, TAS

 

Hi Vicki.

Go to the hosts file like you did.
Right Click on "hosts" [nothing else, just the hosts file]
Select Open
You get that warning window, check 'Select a Program from a List [screenshot]
Click OK.

.....next post........ for screenshot...

 

You now get this window [screenshot]

Find Notepad and Click on it.
Click OK.

...........next screenshot next post.

 

Notepad opens... yours will look different to mine, I am using a special hosts file to block bad sites so that's why you see so many entries.

Now, a baddie can also add AV sites to your hosts file so that you cannot get to a good site, right!

Look for any entries in there that have, "trend"/symantec/panda" etc. listed.
Delete them and only them.

Click on the X to close. It will ask to save changes, click YES/OK button.

Then try to get to the site.

 

Yep, Trusted sites should be ok.. you can check yours like my screenshot.

IE Tools/Internet Options/Security/Trusted Sites
Click on Custom Level.

As for HiJackThis logs, as I stated above, Wilders no longer does them.

The link I provided above does not appear to be working, so am providing a link to a very good forum, CastleCops.

This is direct link to Spyware Hijacking thread, please read the:
GUIDLINES: HIJACKTHIS at top of page. There are 3 rules [links] in there to follow.

CASTLECOPS HIJACKTHIS LOGS

edit: The above link does not seem to want to go to the 'rules' bit, but at the top of the page you will see: Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!
click on that and it brings up the GUIDELINES header, etc.

Cheers, TAS

 

snapdragin suggested to me you might be more comfortable using a HostsFileReader to help you.

It's easy to use.

Download from here: http://downloads.subratam.org/HostsFileReader.zip]http://downloads.subratam.org/HostsFileReader.zip[/URL]

Unzip and place the folder into, say C:/ drive... NO install.. open folder and double click the .exe inside.

Once you get the GUI up, you will see a smaller window pane at the bottom, if there are no entries, look on right side, click Scan for Hosts.

Select the entry from System32/Drivers/etc and double click.

You will now see your hosts file. IF there are any of the AV listings in there, then click on the Reset Default I have highlighted near top right.
That wil reset your Hosts to the default.

TAS.

 

Gosh Tassie: Thanks a million for your very detailed instructions
...sounds a bit complicated for a novice like me though - but I will most definitely try. Will let you know how I make out.