Thursday, May 08, 2008


A couple of weeks ago my parents' computer picked up another bit of spyware. The symptoms were that the desktop picture had gone and was replaced by a failed Active Desktop page (white background, big yellow exclamation mark, and text saying that it had failed), and the desktop kept crashing out shortly after loading, only to attempt to reload again, fail, and continue doing this for some while (sometimes it didn't try to reload, other times it'd keep doing it).

I attempted to see what was running on the computer through the task manager, but that was "disabled by the administrator". I don't know whether this was done by whatever was causing the desktop crashes or if it was something else on there, but it was a problem. So I booted into safe mode, and the desktop was still crashing out. I tried to open the task manager again so that I can start a command shell, but it was disabled here as well.

I knew I had Spybot Search & Destroy installed on the computer, so I rebooted into safe mode with command prompt, started Spybot via the command prompt, and let it do a scan. I wasn't sure how old the definitions were, but it might have been able to find something. It found a fair few things (unrelated to the main problem, but problems themselves), as well as the task manager being disabled. I didn't actually know it could be controlled by a value in the registry. I "fixed" those problems, then rebooted back into safe mode to see if I could access the task manager again. I could, great!

I rebooted into safe mode with network access, quickly rigged up two network cables and a switch to give the computer network access (it was using wireless at the time, which doesn't appear to work in safe mode; which isn't surprising really) due to the distance from the router, and started Spybot again. I then updated the definitions and let it run another scan. I kept running the scan until it didn't find anything wrong (hah!), then rebooted into normal Windows to see if it had done the trick. It hadn't, as the active desktop was still failing and the desktop still crashing out. I tried to change the active desktop back to a normal picture, but that didn't hold after a reboot.

I rebooted back into safe mode and did some scans with other spyware products (Sunbelt Counterspy, and Lavasoft's Ad-Aware). Both of them found different things, but neither of them actually fixed anything. The next time I was in normal Windows I opened up Internet Explorer and took a look at what add-ons (BHOs - Browser Helper Objects) were installed and running (I can't remember now why I looked there, but it helped). I noticed two odd ones that shouldn't have been there. The first was called 'xxyyvstr.dll' and the second was 'ssdOHqXP.dll' (or something like that; I didn't note the names down until after I had got rid of them, and I could only really remember the first one correctly). I attempted to disable them, but they didn't stay disabled. This made me think that one or both of these were the problem.

So I downloaded the BHO remover from Novell (http://www.novell.com/coolsolutions/tools/18177.html), ran that and deleted the two BHOs. When I deleted the second BHO I noticed that the first one had come back again. So I deleted that again and noticed that the second one had come back again. Bah, something is running that's restoring the BHOs.

I did a quick file scan to see where the files lived and both were in the C:\WINDOWS\system32 folder. I attempted to delete them but they were in use and couldn't be deleted. I rebooted into safe mode again and tried to delete them from there, but they were in use there too. I use a bit of software called Unlocker (http://ccollomb.free.fr/unlocker/) which lets you unlock locked files so that they can be deleted or moved (e.g. video files that are locked by Explorer because it's building up a thumbnail preview). So I ran Unlocker on the xxyyvstr.dll file and it said it was locked by winlogon.exe (a core piece of the Windows OS). I attempted to unlock the file so I could delete it, but all I managed to do was mess the winlogon.exe process up and it started a forced reboot.

After it rebooted I started Unlocker again and told it to delete the file on the next reboot instead. I rebooted the computer again, but the file was still there and locked by winlogon.exe. Obviously the files are being loaded and locked before any delete events are executed. I was now stumped for a while. I couldn't do a system restore as the system restore feature had been turned off (a good kicker for me to leave it enabled in future!). I was considering doing a recovery from the Windows install cd, and if that failed then I'd back up the files and reinstall Windows. It was then that I remembered the recovery console available on the Windows install cd. I quickly put the cd in, rebooted, entered the recovery console, changed into the system32 folder (cd system32), as it starts off in the WINDOWS folder of the system drive, and deleted the two files (del xxyyvstr.dll and del ssdOHqXP.dll).

I ejected the cd, rebooted the machine again (just type exit and hit enter from the recovery console to do it automatically), and crossed my fingers. Windows loaded up, the desktop appeared, the failed active desktop appeared too, but then the desktop stayed on and everything else loaded. Woohoo! I changed the desktop back to a normal picture then ran the BHO Remover again and deleted the two BHOs. This time they didn't come back again.

Since then, I did a scan through the registry (using regedit.exe) for any traces of the two files, but I could only find one. This was located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvstr. I deleted it as I don't want any traces of it still left on the computer.
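The three registry locations that mattered in this clean-up were the policy value that disabled Task Manager, the Winlogon\Notify packages (which is why winlogon.exe held the DLLs open even in safe mode), and the Browser Helper Object registrations. As an added example, not part of the original post or of any of the tools mentioned, here is a PowerShell script that audits all three and reports the Authenticode signature status of each DLL so an unsigned entry stands out. It assumes an elevated PowerShell prompt; the Policies\System path, the DLLName value under each Notify subkey, and the Browser Helper Objects key are standard Windows locations and are not taken from the post.

```powershell
# Added defender-side audit (not from the original post). Run from an elevated
# PowerShell prompt. Only reports; it does not delete anything.

# 1. Is Task Manager disabled by the DisableTaskMgr policy value? (1 = disabled)
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($k in $policyKeys) {
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k -Name DisableTaskMgr -ErrorAction SilentlyContinue
        if ($v -and $v.DisableTaskMgr -eq 1) {
            Write-Warning "Task Manager is disabled via $k\DisableTaskMgr"
        }
    }
}

# Helper: resolve a DLL name to a full path and return its signature status.
function Get-DllSignatureStatus([string]$dll) {
    if (-not $dll) { return 'NO DLL VALUE' }
    $path = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($path)) {
        # Unrooted names resolve against system32, as winlogon.exe would load them
        $path = Join-Path $env:SystemRoot "system32\$path"
    }
    if (-not (Test-Path $path)) { return 'FILE MISSING' }
    return (Get-AuthenticodeSignature -FilePath $path).Status
}

# 2. Winlogon Notify packages: each subkey names a DLL loaded by winlogon.exe at
# logon, before the desktop appears, which is why Unlocker could not free them.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    Get-ChildItem $notify | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        [PSCustomObject]@{
            Package   = $_.PSChildName
            DLL       = $dll
            Signature = Get-DllSignatureStatus $dll
        }
    } | Format-Table -AutoSize
}

# 3. Registered Browser Helper Objects: map each CLSID to its InprocServer32 DLL.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        [PSCustomObject]@{
            CLSID     = $clsid
            DLL       = $dll
            Signature = Get-DllSignatureStatus $dll
        }
    } | Format-Table -AutoSize
}
```

Any Notify package or BHO whose DLL is unsigned ("NotSigned"), missing, or living in system32 under a random-looking name is worth investigating; the genuine Windows Notify packages are signed Microsoft files. On a 64-bit system the BHO key also exists under the Wow6432Node branch for 32-bit Internet Explorer.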

So, if anyone else has anything like this and those two files are on your computer, just follow these instructions:

Get your Windows install cd (I've been using Windows XP, but I guess there's something similar on a Vista install cd, or a Windows 2000 one. For other versions I don't know - sorry!), put it into the cd drive, reboot and boot from the cd.
Enter the recovery console, select the Windows drive (usually option 1), and enter the admin password if you've entered one.
Run these commands:
cd system32
del xxyyvstr.dll
del ssdOHqXP.dll
Eject the cd and then type exit.
When it's rebooted, run the BHO Remover program and delete the entries for the two files.
If you want to get rid of the registry key, open regedit.exe (Start - Run), navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxyyvstr or just search for xxyyvstr. Right-click on the found key on the left and delete.
All done!

If you don't have access to a Windows install cd to use the recovery console then I'm afraid I have nothing to help you. I couldn't find a way to remove the files without it.
