MS antispyware could not remove spyware


Shiva

Yesterday, while running MS antispyware, it detected
Trojan downloader.BHO.req. I asked the antispyware to
remove it. But, after restarting the laptop, the
antispyware still says that the trojan downloader is
present.

I tried removing it nearly 10 times. Although the
antispyware says that it is removing the spyware, it does
not do it. I tried disabling System Restore and I ran
the antispyware in safe mode. Still, MS antispyware is
unable to remove it.

I tried kill and hijack software to fix it. But it is of
no use!!

Details: Trojan.Downloader.BHO.Req Trojan Downloader
more information...
Details: Trojan.Downloader.BHO.Req is a trojan that
downloads and executes files from the Internet.
High threat - High-risk items have a large potential for
harm, such as loss of computer control, and should be
removed unless knowingly installed.

Infected registry keys/values detected
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E13DDE1-E013-47ec-9C4C-27C2F78BDD26}

Could anyone please help me?

Andre Da Costa [Extended64]

From Bill:
Hi,

Things have moved on a little and I've managed to get rid
of the problem, but I thought I'd give a summary here in
case anyone encounters something similar.

As I mentioned initially, MSAS picked up the presence of
something it referred to as Trojan Downloader BHO.Req,
identifying the file responsible as
c:/windows/system32/ddayv.dll.

After several unsuccessful attempts to let MSAS fix the
problem I disabled the BHO via IE/Tools/Manage add-ons,
and started looking on the internet for a solution.

During the next 4 hours or so the laptop was rebooted a
few times and on each occasion the BHO remained disabled.
But then, having been switched off overnight, when it was
started the following day the BHO.Req entry had
disappeared, but was replaced by another BHO identified
as MSevents Object. This time the file responsible was
identified as ddabx.dll.

I disabled MSevents and did a Google search, which
indicated that this was a symptom of the trojan Vundo. I
then followed the instructions at
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/216210/an/0/page/0
and successfully cleaned the laptop.

The one slight anomaly was that when I searched the hard
drive (prior to the fix) for the file ddabx.dll it drew a
blank. So where the fix instructions indicated I
should "kill" ddabx.dll on reboot, I removed the original
ddayv.dll file instead. It seems that this file has the
ability to misrepresent itself to MSAS, HijackThis and
other diagnostic aids.

So more by luck than anything else I seem to have
resolved the matter. I hope this is of some use to anyone
else who gets hit by something similar.

Bill
--
Andre
Extended64 | http://www.extended64.com
Blog | http://www.extended64.com/blogs/andre
http://spaces.msn.com/members/adacosta
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

Shiva

Hi,
Thanks for your response. I saw a message similar to
yours on another website. The user who posted that
message had asked to disable the BHO via IE/Tools/Manage
add-ons.
In my case, I could not find "Manage add-ons" in the
Internet Tools section. I am using Windows XP Service
Pack 1. I tried searching for "Manage add-ons" in Internet
Options/Tools/Programs and in Internet
Options/Tools/Advanced. But I could not find "Manage
add-ons". Could you please help me to locate it? Or do I need
to install Windows Service Pack 2?

Thanks.

Bill Sanderson

That feature comes with SP2, I believe. I would strongly recommend that you
put in Service Pack 2. That feature is just the tip of the iceberg in terms
of the amount of security-related work done in that SP.

The advanced tools in Microsoft Antispyware should be there regardless of
what SP you are on, though.

Shiva

Hello all,

Thank you all for the help. I finally removed the spyware.
What I did is this: I installed Service pack 2 and
disabled the trojan spyware using the "manage add-ons".
However, when I ran MS antispyware, it still detected the
trojan spyware.
So, as given in two other forums,
http://forums.computeractive.co.uk/thread.jsp?forum=11&thread=65443&message=433507
and
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/216210/an/0/page/0,
I downloaded the three programs: Kill, HijackThis and Process Explorer.
Then, I did exactly as given in
http://www.webuser.co.uk/forums/showflat.php/Cat/0/Number/216210/an/0/page/0
by first starting the laptop in safe mode, killing the
appropriate ddcyv.dll threads (it comes in various
versions I believe, e.g. ddayx.dll, ddayv.dll etc.),
fixing/deleting the O2 and O20 entries using the
HijackThis program, adding the new file to the registry
and finally killing the file path, which in my case was
c:\windows\system32\ddcyv.dll.
When I rebooted the laptop and ran the antispyware, there
was no spyware. It was also deleted from the "Manage
add-ons" list in Internet Explorer.
Finally, after nearly two days of work, with the help of
all you guys and the two other forums, I can finally go
to sleep.
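The thread above hinges on a BHO that persists under the Browser Helper Objects registry key and points at a randomly named DLL in System32. The following PowerShell script is an added example, not code from the thread or any poster: it inventories every registered BHO on a current Windows machine, resolves each CLSID to the DLL Internet Explorer would load, and flags entries whose file is missing, unsigned, or matches a five-lowercase-letter name in System32 (that last pattern is an assumption modelled on ddayv.dll / ddcyv.dll, not a general rule).

```powershell
# Added example: enumerate Browser Helper Objects and flag ones worth a closer look.
# Assumes Windows PowerShell 5.1 or later with read access to HKLM and HKCR.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-BhoInventory {
    if (-not (Test-Path $bhoKey)) { return @() }

    foreach ($entry in Get-ChildItem $bhoKey) {
        $clsid  = $entry.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null

        if (Test-Path $server) {
            # The default value of InprocServer32 is the DLL IE loads for this BHO.
            $dll = (Get-ItemProperty $server).'(default)'
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
        }

        $exists = [bool]$dll -and (Test-Path $dll)
        $sig    = if ($exists) { (Get-AuthenticodeSignature $dll).Status } else { 'NoFile' }
        $name   = if ($dll) { [IO.Path]::GetFileNameWithoutExtension($dll) } else { '' }

        # Assumed heuristic: short random-looking lowercase names living in System32,
        # as with ddayv.dll in the thread. Tune or drop this for your environment.
        $oddName = ($name -cmatch '^[a-z]{5}$') -and ($dll -match '\\system32\\')

        [pscustomobject]@{
            CLSID      = $clsid
            Dll        = $dll
            FileExists = $exists
            Signature  = $sig
            Suspicious = (-not $exists) -or ($sig -ne 'Valid') -or $oddName
        }
    }
}

# Suspicious entries first; a missing file or a non-'Valid' signature is the
# usual tell for a BHO dropped by something other than a legitimate installer.
Get-BhoInventory | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

An entry flagged here is a lead, not a verdict: confirm with the vendor's own detection and the file's properties before removing the CLSID key and the DLL.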

Bill Sanderson

Excellent work. With SP2, and the critical updates to
that, in place, you will be a lot less likely to be
infected in the future, too.

That's not just a walk in the park to take care of--glad
you were able to manage it.