Trojan downloader BHO.Req

Bill Brough

MS Antispyware picked up a problem on my daughter's
laptop, referred to as Trojan Downloader BHO.Req. MSAS
offers to remove the problem but on rebooting the laptop
the trojan recreates itself.

I would be grateful for a pointer to any way of getting
rid of this permanently.
 
Engel

Hello Bill,

Steps to take if you have spyware that is not removed by
Microsoft Windows AntiSpyware (beta)
1) Open up AntiSpyware
2) Click Tools at the top
3) Click "Submit a Suspected Spyware Report"
4) Fill out the form with as much detail as possible so we
can analyze it quickly

By doing these steps before trying something new, you make
the product better.

Thanks again for testing the beta!!!!

Generally, in a case where the item is identified, but not
properly removed, the next steps are:

1) Update both Microsoft Antispyware and your antivirus
application.
2) Restart in safe mode by pressing the F8 function key
before the first Windows screen appears at startup.
3) Do full deep scans with Microsoft Antispyware. Repeat
scanning until a complete scan comes through clean. Ditto
with the antivirus.

This isn't guaranteed, but it works for a great many items
that at first appear not to be cleaned in normal mode.


http://www.windowsecurity.com/trojanscan/

Good luck Bill

Engel
20050822 0:39
 
Guest

Hi,

Thanks for the suggestions, I'll try them later this
evening. I did try running MSAS in safe mode, but only
once, so I'll repeat it and see what happens.

Bill
 
Engel

Bill,

Try:


TrendMicro Online Scan - this one requires Internet
Explorer - if you have another browser which doesn't work
here, use the TrendMicro link below this one
http://housecall.trendmicro.com/

TrendMicro Online Scan - this one doesn't require Internet
Explorer to use, but you will need the Java plugin
http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php


Download Ewido Security Suite
http://www.ewido.net/en/download/ and install it. Update
to the newest definitions. Do NOT run the Ewido scan yet.

Boot into Safe Mode by restarting and hitting the F8 key
repeatedly until a menu shows up (choose Safe Mode from
the list). In some systems, this may be the F5 key, so try
that if F8 doesn't work.

Next run a full scan in Ewido. Save the log from the Ewido
scan so that you can post it later.

* Don't worry if you have another antivirus program
installed. Ewido is compatible
http://www.ewido.net/en/compatibility/ with most antivirus
programs and shouldn't cause any conflicts. You may,
however, uninstall it (if you wish) after we are all clear
here.

Restart your computer to get back to Normal Mode. If you
don't have any antivirus programs installed, then I
suggest keeping Ewido Security Suite. It will turn into
the free version after the 14 day trial period is over.

Good luck Bill

Engel
20050822 20:07
 
Guest

Hi,

Things have moved on a little and I've managed to get rid
of the problem, but I thought I'd give a summary here in
case anyone encounters something similar.

As I mentioned initially, MSAS picked up the presence of
something it referred to as Trojan Downloader BHO.Req,
identifying the file responsible as
c:/windows/system32/ddayv.dll.

After several unsuccessful attempts to let MSAS fix the
problem I disabled the BHO via IE/Tools/Manage add-ons,
and started looking on the internet for a solution.

During the next 4 hours or so the laptop was rebooted a
few times and on each occasion the BHO remained disabled.
But then, having been switched off overnight, when it was
started the following day the BHO.Req entry had
disappeared, but was replaced by another BHO identified
as MSevents Object. This time the file responsible was
identified as ddabx.dll.

I disabled MSevents and did a Google search, which
indicated that this was a symptom of the trojan Vundo. I
then followed the instructions at
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/216210/an/0/page/0
and successfully cleaned the laptop.

The one slight anomaly was that when I searched the hard
drive (prior to the fix) for the file ddabx.dll it drew a
blank. So where the fix instructions indicated I
should "kill" ddabx.dll on reboot, I removed the original
ddayv.dll file instead. It seems that this file has the
ability to mis-represent itself to MSAS, Hijack This and
other diagnostic aids.

So more by luck than anything else I seem to have
resolved the matter. I hope this is of some use to anyone
else who gets hit by something similar.

Bill
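Added example, not from this thread: a PowerShell script that lists the Browser Helper Objects registered on a machine (the same list IE's Manage add-ons draws from), resolves each CLSID to the DLL it loads, and checks whether that file is actually present on disk and Authenticode-signed. That file check is what would have exposed the ddabx.dll/ddayv.dll mismatch Bill describes. The registry locations are the standard BHO and CLSID keys; everything else is assumed for illustration.

```powershell
# Added example, not from this thread: enumerate registered BHOs and verify the DLL
# each one loads. Run from an elevated PowerShell prompt on the machine being checked.
$bhoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-RegisteredBho {
    foreach ($root in $bhoRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $root) {
            $clsid = $entry.PSChildName
            # A BHO registration is only a CLSID; the DLL it loads is the default value
            # of HKCR\CLSID\{clsid}\InprocServer32, which is what Manage add-ons resolves.
            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $inprocKey = "$clsidKey\InprocServer32"
            $name = $null; $dll = $null
            if (Test-Path -LiteralPath $clsidKey)  { $name = (Get-Item -LiteralPath $clsidKey).GetValue('') }
            if (Test-Path -LiteralPath $inprocKey) { $dll  = (Get-Item -LiteralPath $inprocKey).GetValue('') }
            # Expand %SystemRoot% style paths and strip quotes before touching the disk.
            $path = if ($dll) { [Environment]::ExpandEnvironmentVariables([string]$dll).Trim('"') } else { $null }
            $onDisk = [bool]($path -and (Test-Path -LiteralPath $path))
            $sig = if ($onDisk) { [string](Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
            [PSCustomObject]@{
                CLSID     = $clsid
                Name      = $name
                Dll       = $path
                OnDisk    = $onDisk
                Signature = $sig
            }
        }
    }
}

# A BHO whose DLL is unsigned, sits in System32 under an unfamiliar name, or is
# still registered while the file cannot be found on disk deserves a closer look.
Get-RegisteredBho | Sort-Object OnDisk | Format-Table -AutoSize
```

Run it before and after a reboot and compare the output; a CLSID or DLL name that changes between runs is the renaming behaviour the thread describes.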
 
Bill Sanderson

Excellent work. I suspect that this object may rename itself--you need to
kill the name you find at a particular moment, and between the time that you
found the name ddabx, and the time you attempted to kill it, it had reverted
to ddayv.

This shows some lack of imagination, so I'm not sure I have this right--some
of these critters use completely random names, so the repeat is unexpected.
 
Guest

It may be pure coincidence, but the two file names I
found and the offending filename in the Webuser forum
solution are very similar (ddayv.dll, ddabx.dll and
ddayx.dll).

Bill
 
Bill Sanderson

This sounds intentional--nice of the author, makes it a good bit easier to
recognize the critter and get rid of it.