Recently we have noticed that in the root of students' and staff "My Documents" folders (redirected to drive U:) there is a file bho.dll of varying size and date stamps. A Google search suggests that it is usually used as spyware/adware. After deleting it, the next day it is regenerated. I assume it may be the activity of one of our network applications, but I have no idea which.
Does anyone know anything about this?
Thanks for the links, which I had previously read in my Google searches, but what I am hoping to find out is what activity/activities are occurring that cause the creation of this file. It appears in student, teacher, parent and our tech accounts, which is why I was wondering if it was a network app's action.
I would like to identify the source of its creation and know if I can ignore it, or what action I may need to take to stop it occurring in the future.
Found a lot of these recently relating to varying installations of stuff like MyWebSearch toolbars - not in My Documents though, that's a new one on me. Keep us posted though please.
I would guess that after deleting the file and then re-logging on to an infected workstation the file would reappear. I take it you have tried a full virus scan / Ad-Aware scan on a test PC to test this?
What you could do is run MalwareBytes on your server to get rid of all the BHO.DLL files which are appearing in user redirected documents.
Unfortunately it's then a case of some detective work: either scan a handful of machines (again with Malwarebytes) or start re-imaging workstations you suspect may be the source of the problem. In the circumstances I'd be more inclined to re-image machines. It's probably quicker, and you're guaranteed that if anything's there it should get deleted in the process.
Are you running Impero on your workstations?
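Before deleting the copies, it helps to record what is actually there so the "detective work" above has data to go on. The following PowerShell script is an added example, not code posted in this thread: it walks the redirected home-directory root, records every bho.dll with its size, timestamps, NTFS owner and SHA-256 hash, and then groups the copies by hash and by creation hour. The root path `U:\`, the one-folder-per-user layout and the report location are assumptions to adjust for your environment; it needs PowerShell 4.0 or later for Get-FileHash.

```powershell
# Added example (not from the thread): inventory every bho.dll under the
# redirected "My Documents" root before removing anything.
# Assumptions: $Root is the redirected root on the file server with one
# folder per user; Get-FileHash needs PowerShell 4.0+.

$Root   = 'U:\'          # assumed redirected root, one folder per user
$Name   = 'bho.dll'
$Report = Join-Path $env:TEMP 'bho-dll-inventory.csv'

# Collect every copy with the details needed to tell the copies apart.
$found = Get-ChildItem -Path $Root -Filter $Name -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $acl = Get-Acl -Path $_.FullName
        [pscustomobject]@{
            # top-level folder under the root is taken to be the user name
            User        = ($_.FullName.Substring($Root.Length) -split '\\')[0]
            Path        = $_.FullName
            SizeBytes   = $_.Length
            Created     = $_.CreationTime
            LastWritten = $_.LastWriteTime
            Owner       = $acl.Owner   # account that created the file: a clue to the writing process
            SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

$found | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} copies of {1} recorded in {2}" -f @($found).Count, $Name, $Report)

# How many distinct binaries are there? A single hash across all users points
# to one deployer (an agent or logon script); many hashes suggest per-user content.
$found | Group-Object SHA256 | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'SHA256'; e = { $_.Name } },
        @{ n = 'Sizes';  e = { ($_.Group.SizeBytes | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize

# When were they written? Creation times clustered around logon hours point to
# a logon-time process; an even spread suggests a background service.
$found | Group-Object { $_.Created.ToString('yyyy-MM-dd HH') } | Sort-Object Name |
    Select-Object Name, Count | Format-Table -AutoSize
```

The owner column tells you which account wrote the file, but because the write arrives over the network the server never sees the client process. To name the process, run Process Monitor on one affected workstation with a filter on the path ending in bho.dll and log a logon; the creating process and its image path then show up directly, which is the check that would have pointed at the client agent here.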
Thanks for the last suggestion about Impero.
Impero initially denied that it was the cause, but removing the client stopped the generation of the dll file, and re-installing the client caused the dll file to be re-generated. I sent off clear logs and Impero accepted the info, but in fairness they had prepared a unique build for us to fix a problem, and the beta process of placing a dll file was still within the code.
I am now not worried about this file, but waiting on a client update so I can remove it across all users home directories.
Thank you to everyone for your feedback. Sorry it took so long to update.
Last edited by StewartBondi; 13th January 2010 at 12:22 PM.