
Have Found A Virus In A File Called 'DDHELP32.EXE', Need Help Removing It!!!

Discussion in 'Security and Privacy' started by user__11063, 2003/08/06.

Thread Status:
Not open for further replies.
  1. 2003/08/06
    user__11063

    user__11063 Well-Known Member Thread Starter

    Joined:
    2003/08/06
    Messages:
    48
    Likes Received:
    0
    I have Norton Antivirus 2003 and it is fully updated to the latest virus definitions and it has found a virus in my computer, no big deal I hear you say, but Norton Antivirus cannot quarantine or delete this file as it appears to be a system file. The file it has infected is 'DDHelp32.exe' and can be found in the C:\Windows\System32 folder. Antivirus says it is a Backdoor.Bionet.318 virus which I know is a remote backdoor virus to allow someone access to my system (according to the online virus encyclopedia it is considered not very harmful), but how can I delete this file without it wrecking my system? I have right clicked on the file and gone to properties and it says it is a 'services and controller app' but when I try to delete it, it says file is in use, can anybody tell me which service this file is related to (I think it could relate to help and support center but not sure)? Also if someone can tell me where I could download this file off the internet (my computer only came with system restore CDs) so I can replace it when I have deleted it, it would be much appreciated. So if anyone can tell me how to delete this file would be much appreciated and also where I could download this from it would be great!!! Thanks a lot for your help people.
     
  2. 2003/08/06
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello martync2,

    EDIT: Have NAV scan in safe mode first, then use the on-line scanners. In safe mode NAV will be able to delete the file.

    Try these on-line virus scanners:
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    You don't specify OS, but I think it's XP.

    'DDHelp32.exe' is not a legitimate file, I don't think you will have to replace it. If it does prove to be necessary, see this thread on how to replace system files http://www.windowsbbs.com/showthread.php?s=&threadid=20877

    Try deleting in safe mode - hit F8 on boot up if the other virus scanners can't delete it.

    Regards - charles
     
    Last edited: 2003/08/06


  4. 2003/08/06
    user__11063

    user__11063 Well-Known Member Thread Starter

    Joined:
    2003/08/06
    Messages:
    48
    Likes Received:
    0
    Thanks Charlesvar

    Thanks to Charlesvar for your quick response to my problem, what you told me to do has worked, I have been able to delete the file and now don't have any viruses on my system!!! :D

    Thanks again for your help.
     
  5. 2003/08/06
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi Marty,

    First, you're welcome.

    A question, which part of this worked, the NAV scan or did you delete manually?

    I also want to set the record straight. DDhelp.exe is a legitimate file in a 9X system. I should have looked, I dual boot 9X with XP.

    I guess I'm hanging around the XP board too much :)

    Regards - Charles
     
  6. 2003/08/07
    user__11063

    user__11063 Well-Known Member Thread Starter

    Joined:
    2003/08/06
    Messages:
    48
    Likes Received:
    0
    Yes I am running XP but read the rest

    Hi Charles,

    Sorry I should've mentioned it, yes I am running XP (Home Edition). I did try the online virus checkers that you recommended but again they were no use, they failed to delete the virus. I had to manually remove the file (DDHelp32.exe) through booting into safe mode and then deleting it that way, and this worked!!! You are right this file is not needed by XP as my system works fine. One other thing you may want to know about this virus (backdoor.bionet.318): it also put a .tmp file in my temp folder which Norton was able to delete, but also put this other file (DDHelp32.exe) somehow into a system file.

    Hope this helps.

    Martyn
     
  7. 2003/08/08
    hunter keith

    hunter keith Inactive

    Joined:
    2002/07/15
    Messages:
    19
    Likes Received:
    0
    Don't forget the (forgotten) cleanup.

    Hi

    I don't know if anyone's mentioned, but I was scanning the topics and saw this.

    If you had a problem deleting with Norton, it is only because it was running (ddhelp32.exe) as part of the system, and it's in ram, more or less.

    Do be sure you remove what enabled it to run to begin with, and this is good practice for whenever you remove virii or trojans especially.

    The entry has to come out of the registry, not just the common lines, but you should always remove from the "Run" entry in the registry. All related keys should be checked (RunOnce, allusers, etc.), and also the Start folder on Windows Start menu.

    Someone once made a gag and slipped a 3 liner VB code into the start folder. Every time the user would boot up his PC, it would get to Windows and proceed to shut down again, no questions asked. It's funny yet not so funny when you realize your space can be invaded like that no matter how harmless. :mad:

    It's a good habit, checking all your startup files anyway. It's a starting point for many unsavory apps also. Hope this helps.

    Best and good cleaning.
    Keith
     
  8. 2003/08/08
    mflynn

    mflynn Inactive

    Joined:
    2002/08/14
    Messages:
    4,141
    Likes Received:
    9
    DHELP is the Directx helper and is legit.

    DDHELP32 is not a legit file but is related to the bionet worm.

    Mike
     
  9. 2003/08/08
    user__11063

    user__11063 Well-Known Member Thread Starter

    Joined:
    2003/08/06
    Messages:
    48
    Likes Received:
    0
    Thanks for all your help people

    Thanks for your advice on cleaning the registry, found a couple of links in the registry, very interestingly it attaches itself to 'directx'.

    Thanks again to everyone who has helped me with this nasty virus.

    Martyn
     
  10. 2003/08/08
    hunter keith

    hunter keith Inactive

    Joined:
    2002/07/15
    Messages:
    19
    Likes Received:
    0
    Just be careful that it is not directx (in truth). But in case of accident running the recent DX install should straighten it out.

    And as you said, what I forgot, the trojan starts up from the registry and identifies itself as 'DirectX' which as stated is totally not true. Quite sneaky.

    As a handy applet, this is really good and helpful. It's called Startup Control Panel. http://www.mlin.net/StartupCPL.shtml ...

    I try almost every system monitor and tweak I can get my hands on or learn about. Of the many (way too many), this one has survived almost 3 generations of OS versions and my delete key.
    Where 95% of the rest, fw, sw, and any-ware are gone.

    There is a Startup monitor also, and a Startup monitor (anyone's app of this type), if working properly will stop any app from putting an entry in ANY 'Run' segment of the registry or Start menu without your approval. It can also be the best line of defense from anything of ill will that needs to start with the system if it gets by AV software or if you don't run AV stuff constantly 24-7 like me...

    Best all,
    Keith
     
  11. 2003/08/09
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Keith,

    "If you had a problem deleting with Norton, it is only because it was running (ddhelp32.exe) as part of the system, and it's in ram, more or less "

    Yes, which is why someone running into this problem should run their AV scanner in safe mode.

    If marty was able to delete the file manually in safe mode, then NAV would have as well.

    BTW, your sentence reads as if you're saying that NAV was running ddhelp32.exe. Don't think that is what you meant, am I correct?

    Regards - Charles
     
    Last edited: 2003/08/09
  12. 2003/08/10
    hunter keith

    hunter keith Inactive

    Joined:
    2002/07/15
    Messages:
    19
    Likes Received:
    0
    Yes

    You're right Charles, I didn't mean that NAV was running ddhelp32.exe. Cause I knew it was started from the HKLM / Run area in the registry with an alias (name) of ActiveX.

    Another thing, it went right by me! I can spot all kinds of out of place files, folders, and I consider them out of place till I know what application put it there. But this, when it got in my pc, went right by me. And I have some familiarity with these OS's. Even though this trojan isn't new, it seems someone put a lot of thought into it, seems (to me) more than usual.

    I didn't think of safe mode cause I skipped the step and took a direct route and stopped its running to begin with. Safe mode would have done this but not removed the entry from the 'Run' line in the registry.

    Also I wasn't thinking for less experienced users which I should have been as editing the registry can be hazardous if not careful. But regardless, the 'Run' entry has to go and (unfortunately) even good Spyware remover programs don't remove that entry. They find the keys common or inherent to that particular file/trojan.

    I don't know fully what NAV would have done because I let the spyware program do its thing. It scans thousands of registry lines in about 5 seconds. I take a reverse route than a normal user would. And used NAV to see if I cleaned up completely. This is not a recommended approach for most people.

    Oh, and Charles, that is a good bit of advice there, running the Virus scanner in Safe Mode.

    Best,
    Keith
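
    The startup check Keith describes in his posts above (the Run and RunOnce keys for the machine and the current user, plus the Start menu Startup folders), as an added example that is not part of the original thread: a read-only PowerShell listing for a current Windows system that shows each autostart entry, the file it points to, and that file's Authenticode signature status. The registry paths are the standard Windows autostart locations; the helper name `Get-ExePath` is hypothetical.

```powershell
# Added example: read-only audit of the autostart locations named in the thread.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Hypothetical helper: pull the executable path out of a Run command line.
function Get-ExePath([string]$Command) {
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c -match '^"([^"]+)"')    { return $Matches[1] }   # "C:\dir with spaces\x.exe" /arg
    if ($c -match '^(.+?\.exe)\b') { return $Matches[1] }   # C:\dir\x.exe /arg
    return ($c -split '\s+')[0]
}

$entries = @(
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $k = Get-Item $key
        foreach ($name in $k.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = [string]$k.GetValue($name) }
        }
    }
    foreach ($dir in $startupDirs) {
        if (-not $dir -or -not (Test-Path $dir)) { continue }
        Get-ChildItem $dir -File | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = "`"$($_.FullName)`"" }
        }
    }
)

$entries | ForEach-Object {
    $exe = Get-ExePath $_.Command
    if (-not $exe) { return }                       # empty value: nothing to check
    # A bare file name (no folder) is looked up through PATH.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    $status = if (Test-Path -LiteralPath $exe -PathType Leaf) {
        [string](Get-AuthenticodeSignature -LiteralPath $exe).Status
    } else { 'FileNotFound' }
    [pscustomobject]@{ Name = $_.Name; Target = $exe; Signature = $status; Location = $_.Location }
} | Sort-Object { $_.Signature -eq 'Valid' } | Format-Table -AutoSize -Wrap
```

    Entries that do not report `Valid` sort to the top and are the ones to compare by hand against the value name, as with the entry in this thread that labelled itself as DirectX. Shortcuts in the Startup folders are listed as files and are not resolved to their targets.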
     
  13. 2003/08/10
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    If the problem item is a TROJAN then NAV may not do anything with it. I believe NAV will handle some but not all Trojans.

    It may take something like MooSoft's Cleaner 3 to find and fix it.

    Cleaner 3 has found some things for me in the past that AV programs did not.

    To keep a system as clean as possible it takes at least 3 programs

    An Anti-Virus program running full time.

    And something like Ad-Aware by Lavasoft and Cleaner 3 by Moosoft run on a regular basis.

    And of course ALL must be kept up to date.

    I have AVG as my AV and the others also. All 3 had updates last evening.

    BillyBob
     
    Last edited: 2003/08/10
  14. 2003/08/10
    hunter keith

    hunter keith Inactive

    Joined:
    2002/07/15
    Messages:
    19
    Likes Received:
    0
    Hi BB!

    Hi Billy Bob!

    Long time no see. errrr Hear anyways :)... It's good to see you're about and around here (the boards) still.

    Anyways, I've been using SpySweeper. Also have that newer version of AdAware6 (full). I've tried a few others, but this SpySweeper app is blowing me away. Literally. It has been seeing things (it seems) that others missed, and hasn't missed what the others saw. Did that come out right?

    Also I use NAV, but not full time, manually, but do let it monitor the email as that carries the only place most come through (for me). But, I still don't know what site or app hit me with that ddhelp32.exe trojan. I posted here cause of what I learned about it, it was gone from my PC for over a week but thought to add my 2 cents, may have been some help.

    Well, just wanted to say hi. The info you left was useful (as usual). What I meant with NAV was what it would do to clean the registry keys. It did try to delete the app itself.

    Later and best,
    Keith
     