Trojan.downloader.BHO.req

Martinez

Despite having Adaware, Spybot, and several other anti-spyware programs
including MS Antispyware on my PC, it picked up a Trojan called
*Trojan.downloaded.BHO.req* that can't be removed by MS
AntiSpyware or manually. Norton and the other anti-spyware programs didn't
even find it.
This Trojan even stops you from buying a removal program online or
downloading MS critical updates.

Despite Sunbelt's claim their software removes this Trojan, it didn't even
see it!

Anyone....
 
David H. Lipman

From: "Martinez" <[email protected]>

| Despite having Adaware, Spybot, and several other anti-spyware programs
| including MS Antispyware on my PC, it picked up a Trojan called
| *Trojan.downloaded.BHO.req* that can't be removed by MS
| AntiSpyware or manually. Norton and the other anti-spyware programs didn't
| even find it.
| This Trojan even stops you from buying a removal program online or
| downloading MS critical updates.
|
| Despite Sunbelt's claim their software removes this Trojan, it didn't even
| see it!
|
| Anyone....


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *
 
Martinez

David H. Lipman said:
From: "Martinez" <[email protected]>

| Despite having Adaware, Spybot, and several other anti-spyware programs
| including MS Antispyware on my PC, it picked up a Trojan called
| *Trojan.downloaded.BHO.req* that can't be removed by MS
| AntiSpyware or manually. Norton and the other anti-spyware programs didn't
| even find it.
| This Trojan even stops you from buying a removal program online or
| downloading MS critical updates.
|
| Despite Sunbelt's claim their software removes this Trojan, it didn't even
| see it!
|
| Anyone....


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare } three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities; UNZIP.EXE and WGET.EXE. It will
simplify the process of using; Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *

Will do. Thanks. I've tried a variety of things and so far the
anti-spyware either doesn't see the Trojan, or can't remove it. I assume
you know this software can remove this Trojan.
 
Beauregard T. Shagnasty

Martinez said:
Will do. Thanks. I've tried a variety of things and so far the
anti-spyware either doesn't see the Trojan, or can't remove it.

Well, that makes sense. You need anti-trojanware. <g>

You didn't say you tried A-Squared.
http://www.emsisoft.com/en/software/free/

Install, update, then scan.

Martinez said:
I assume you know this software can remove this Trojan.

Perhaps, if it was a known piece of malware. Most likely, nothing is
going to remove a new, unknown infestation.
 
David H. Lipman

From: "Martinez" <[email protected]>

|
| Will do. Thanks. I've tried a variety of things and so far the
| anti-spyware either doesn't see the Trojan, or can't remove it. I assume
| you know this software can remove this Trojan.

Actually that's hard to state because there is no standardization in the naming convention
of infectors. Many vendors will have different names for the same infector. This is a
problem in the industry.

However, I provided you with a tool that uses broad-spectrum virus and Trojan removers and
uses scanners from 3 different vendors so what one company may miss, another may catch.

If this tool fails (or A-Squared fails) then you can find the file that MS AS flags as
having this Trojan Downloader and submit it to Virus Total for False Positive verification.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

If you do submit the file and when you get the report, please post back the exact results.
 
Martinez

Beauregard T. Shagnasty said:
Well, that makes sense. You need anti-trojanware. <g>

You didn't say you tried A-Squared.
http://www.emsisoft.com/en/software/free/

I tried this one and it didn't even see it. In the end the trojan was
hiding and launching from the Temp folder (we think). I got rid of it.

Beauregard T. Shagnasty said:
Install, update, then scan.

It didn't even SEE this trojan! I ran it in safe mode as well. It never
saw it.

Beauregard T. Shagnasty said:
Perhaps, if it was a known piece of malware. Most likely, nothing is going
to remove a new, unknown infestation.

Look into the free Microsoft beta Antispyware program. That was the only
one that saw it but couldn't remove it. It would come back on reboot until
I dumped the cache etc. I also had to uncheck System Restore and reboot
BEFORE I did the cache cleaning. It worked.
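
An added example, not part of the original posts: a defender-side check for the situation described above, where a Browser Helper Object appears to launch from the Temp folder and returns after reboot. It assumes the standard Internet Explorer BHO registration keys under HKLM and an elevated PowerShell session; the Temp path patterns are assumptions, not values from this thread.

```powershell
# Added example: list registered Internet Explorer Browser Helper Objects (BHOs)
# and flag any whose DLL is missing, unsigned, or loaded from a Temp directory.
$views = @(
    @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\Classes\CLSID' },
    # 32-bit registry view on 64-bit Windows
    @{ Bho   = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
       Clsid = 'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Bho)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Bho) {
        $clsid  = $key.PSChildName
        $inproc = "$($view.Clsid)\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path -LiteralPath $inproc) {
            # The key's default value holds the path of the DLL that IE loads
            $dll = (Get-Item -LiteralPath $inproc).GetValue('')
            if ($dll) { $dll = $dll.Trim('"') }
        }
        $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -LiteralPath $dll).Status -eq 'Valid'
        }
        [pscustomobject]@{
            CLSID  = $clsid
            Dll    = $dll
            Exists = $exists
            Signed = $signed
            # Assumed patterns for user and system temp locations
            InTemp = [bool]($dll -match '\\(Temp|Temporary Internet Files)\\')
        }
    }
}

# Entries loaded from a Temp path sort first
$report | Sort-Object InTemp -Descending | Format-Table -AutoSize
```

An entry with `InTemp` true, or with `Exists` true and `Signed` false, is the one to identify and submit for a multi-scanner check before deleting anything.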
 
Martinez

David H. Lipman said:
From: "Martinez" <[email protected]>

|
| Will do. Thanks. I've tried a variety of things and so far the
| anti-spyware either doesn't see the Trojan, or can't remove it. I assume
| you know this software can remove this Trojan.

Actually that's hard to state because there is no standardization in the naming convention
of infectors. Many vendors will have different names for the same infector. This is a
problem in the industry.

However, I provided you with a tool that uses broad-spectrum virus and Trojan removers and
uses scanners from 3 different vendors so what one company may miss, another may catch.

The only ones that saw this trojan were Microsoft AntiSpyware and BHODemon.

David H. Lipman said:
If this tool fails (or A-Squared fails) then you can find the file that MS AS flags as
having this Trojan Downloader and submit it to Virus Total for False Positive verification.

http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

If you do submit the file and when you get the report, please post back the exact results.

See my other message..... unchecking Sys' restore, rebooting, dumping
everything including all Temp files, then having MSAS and BHODemon checked
to remove it worked. Thanks for the replies.
 
David H. Lipman

From: "Martinez" <[email protected]>


|
| See my other message..... unchecking Sys' restore, rebooting, dumping
| everything including all Temp files, then having MSAS and BHODemon checked
| to remove it worked. Thanks for the replies.

Thank you for updating the thread.
 
