Trojan Horse Downloader.Agent.AS

I was asked to help my son's friend with his XP system. He wanted the system reloaded, but I thought I'd clean it up first to see if that would help. While running scans, I found numerous viruses (7) and spyware (over 1000!). The Downloader trojan keeps popping up though. Well, it did. I had updated and ran AVG, Panda ActiveScan, HijackThis, Ad-Aware, and Spybot on their system (and each profile). I even installed their hard drive in my system and scanned with Norton's AV. I fixed/deleted everything that was recommended. Everything is coming up clean, but I'm afraid the nasty bugger will pop up again. Is there any way to verify that this trojan is gone? I want to make sure before I send it back. I would rather not have to reload the system to wipe this thing out. They are not very computer smart and I know I would end up putting all their settings back in, if they even remember what they were.

One thing that does keep coming up, with Spybot. I have 5 entries for DSO Exploit. They are all listed as "Data Source object exploit ". It keeps fixing them and they are right back. The entries are:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-21-2699212658-2020728613-4264678088-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


This system does have SP2 installed, if that matters. Any suggestions would be appreciated!

Mike

 

Mike - the DSO Exploit was a glitch in Spybot. The problem is real but very minor and Spybot says it makes it go away but in fact the first release of v1.3 really didn't so you see it every time.

They released v1.31 (beta I think) that took care of things but pulled that version. The v1.4 (also beta but stable from my experience and from what I read) is the way to go if you don't want to see the same 5 DSO Exploit entries poping up every time you run the app.

 

If you are uptodate on your IE security patches, you don't have to worry about the exploits.
And, you can make them go away in SpyBot by adding them to your ignore list.

 

Thanks for the replies! I won't worry about the DSO entries. Any thoughts on the trojan?

Mike

 

Thoughts on the Trojan
- I don't like any of them
- I think it is probably, almost certainly, gone after the steps you've taken
- Short of a format/reinstall I don't know of any way to be 100% certain it is gone

 

That's kind of what I figured, but it's nice to hear it from somebody else. Thanks!

Mike

 

Ensure that all MS Security patches have been applied, and practice safe surfin'!

 

All patches have been applied. The second part, "practice safe surfing' ", is probably the culprit. It's hard to teach that to kids that aren't yours though. Maybe if I start charging, that will do the trick!