Have Found A Virus In A File Called 'DDHELP32.EXE', Need Help Removing It!!!
I have Norton Antivirus 2003 and it is fully updated to the latest virus definitions and it has found a virus in my computer, no big deal I hear you say, but Norton Antivirus cannot quarantine or delete this file as it appears to be a system file. The file it has infected is 'DDHelp32.exe' and can be found in the C:\Windows\System32 folder. Antivirus says it is a Backdoor.Bionet.318 virus which I know is a remote backdoor virus to allow someone access to my system (according to the online virus encyclopedia it is considered not very harmful), but how can I delete this file without it wrecking my system? I have right clicked on the file and gone to properties and it says it is a 'services and controller app' but when I try to delete it, it says file is in use, can anybody tell me which service this file is related to (I think it could relate to help and support center but not sure)? Also if someone can tell me where I could download this file off the internet (my computer only came with system restore CDs) so I can replace it when I have deleted it, it would be much appreciated. So if anyone can tell me how to delete this file it would be much appreciated and also where I could download this from it would be great!!! Thanks a lot for your help people.
'DDHelp32.exe' is not a legitimate file; I don't think you will have to replace it. If it does prove to be necessary, see this thread on how to replace system files: Corrupt Win32 file
Try deleting in safe mode - hit F8 on boot up if the other virus scanners can't delete it.
Regards - charles
Last edited by charlesvar; 6th August 2003 at 14:05.
Thanks to Charlesvar for your quick response to my problem, what you told me to do has worked, I have been able to delete the file and now don't have any viruses on my system!!!
Sorry I should've mentioned it, yes I am running XP (Home Edition). I did try the online virus checkers that you recommended but again they were no use, they failed to delete the virus. I had to manually remove the file (DDHelp32.exe) through booting into safe mode and then deleting it that way, and this worked!!! You are right this file is not needed by XP as my system works fine. One other thing you may want to know about this virus (Backdoor.Bionet.318): it also put a .tmp file in my temp folder which Norton was able to delete, but also put this other file (DDHelp32.exe) somehow into a system file.
I don't know if anyone's mentioned, but I was scanning the topics and saw this.
If you had a problem deleting with Norton, it is only because it was running (ddhelp32.exe) as part of the system, and it's in RAM, more or less.
Do be sure you remove what enabled it to run to begin with, and this is good practice for whenever you remove viruses or trojans especially.
The entry has to come out of the registry, not just the common lines, but you should always remove from the "Run" entry in the registry. All related keys should be checked ('RunOnce', allusers, etc.), and also the Start folder on Windows Start menu.
Someone once made a gag and slipped a 3 liner VB code into the start folder. Every time the user would boot up his PC, it would get to Windows and proceed to shutdown again, no questions asked. It's funny yet not so funny when you realize your space can be invaded like that no matter how harmless.
It's a good habit, checking all your startup files anyway. It's a starting point for many unsavory apps also. Hope this helps.
Just be careful that it is not DirectX (in truth). But in case of accident running the recent DX install should straighten it out.
And as you said, what I forgot, the trojan starts up from the registry and identifies itself as 'DirectX' which as stated is totally not true. Quite sneaky.
I try almost every system monitor and tweak I can get my hands on or learn about. Of the many (way too many), this one has survived almost 3 generations of OS versions and my delete key.
Where 95% of the rest, fw, sw, and any-ware are gone.
There is a Startup monitor also, and a Startup monitor (anyone's app of this type), if working properly will stop any app from putting an entry in ANY 'Run' segment of the registry or Start menu without your approval. It can also be the best line of defense from anything of ill will that needs to start with the system if it gets by AV software or if you don't run AV stuff constantly 24-7 like me...
You're right, Charles, I didn't mean that NAV was running ddhelp32.exe. Cause I knew it was started from the HKLM / Run area in the registry with an alias (name) of ActiveX.
Another thing, it went right by me! I can spot all kinds of out of place files, folders, and I consider them out of place till I know what application put it there. But this, when it got in my PC, went right by me. And I have some familiarity with these OS's. Even though this trojan isn't new, it seems someone put a lot of thought into it, seems (to me) more than usual.
I didn't think of safe mode cause I skipped the step and took a direct route and stopped its running to begin with. Safe mode would have done this but not removed the entry from the 'Run' line in the registry.
Also I wasn't thinking for less experienced users which I should have been as editing the registry can be hazardous if not careful. But regardless, the 'Run' entry has to go and (unfortunately) even good Spyware remover programs don't remove that entry. They find the keys common or inherent to that particular file/trojan.
I don't know fully what NAV would have done because I let the spyware program do its thing. It scans thousands of registry lines in about 5 seconds. I take a reverse route than a normal user would. And used NAV to see if I cleaned up completely. This is not a recommended approach for most people.
Oh, and Charles, that is a good bit of advice there, running the Virus scanner in Safe Mode.
Long time no see. errrr Hear anyways ... It's good to see you're about and around here (the boards) still.
Anyways, I've been using SpySweeper. Also have that newer version of AdAware6 (full). I've tried a few others, but this SpySweeper app is blowing me away. Literally. It has been seeing things (it seems) that others missed, and hasn't missed what the others saw. Did that come out right?
Also I use NAV, but not full time, manually, but do let it monitor the email as that carries the only place most come through (for me). But, I still don't know what site or app hit me with that ddhelp32.exe trojan. I posted here cause of what I learned about it, it was gone from my PC for over a week but thought to add my 2 cents, may have been some help.
Well, just wanted to say hi. The info you left was useful (as usual). What I meant with NAV was what it would do to clean the registry keys. It did try to delete the app itself.
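The startup locations this thread says to check after removing the file (the Run and RunOnce registry keys and the Start menu's Startup folders) can be listed in one pass. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell 3.0 or later, and the `$reported` list holds only the file name given in the thread.

```powershell
# Added example: read-only listing of autostart entries in the places the thread names.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all users' Startup folder
)
# File name reported in this thread; extend the list for other cleanups.
$reported = @('ddhelp32.exe')

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $entries += [pscustomobject]@{
            Location = $key
            Name     = $name                       # label shown to the user, e.g. an alias
            Target   = [string]$item.GetValue($name)
        }
    }
}
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem -Path $dir -File) {
        $entries += [pscustomobject]@{
            Location = $dir
            Name     = $file.Name
            Target   = $file.FullName
        }
    }
}

# Flag by the target path, not the label: the label can claim to be anything.
$entries | ForEach-Object {
    $target = $_.Target.ToLower()
    $hit = $false
    foreach ($r in $reported) { if ($target.Contains($r)) { $hit = $true } }
    $_ | Add-Member -NotePropertyName Reported -NotePropertyValue $hit -PassThru
} | Sort-Object Reported -Descending | Format-Table -AutoSize -Wrap
```

The script changes nothing; flagged rows and any entry whose target is unfamiliar are the ones to investigate before removing a value.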