Dangerous Spyware Keeps Recurring

I use CounterSpy as one of my anti-spyware programs. For the past few days, a dangerous Trojan has been detected daily. I immediately remove this spyware, but it's detected again in the next daily run of CounterSpy. Here are the details:

Type: Trojan

Detected Locations:
Registry Keys:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control ActiveService
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control ActiveService

Can anyone assist in helping determine where this is coming from and how to prevent it from recurring? Also, should I be looking for any programs that may have already been installed by this Trojan? Happy July 4 to all!

Tim Holman Commented:
It's a mass mail Trojan, so would have come via an infected mail.
Detection/removal instructions here:

Have you run your anti-spyware and anti-virus utilities in Safe Mode?
Have you checked MSCONFIG for items within Startup?
Click "Start" button.
Click "Run".
Navigate to the "Startup" tab.
Uncheck any unwanted/obvious items that may be running at startup.
I'm assuming that you are running XP.
bobengel (Author) Commented:
Tom: I don't have a McAfee account so I can't download their fix. Norton doesn't seem to have one.

David: Since the antispyware program (CounterSpy) detects and removes the Trojan in the regular mode, I don't think running it in safe mode would make any difference. Also, I have Startup Cop that I use to monitor startup programs. It not only shows me what I already have in Startup but also alerts me when a new startup program attempts to load. StartupCop is much more comprehensive than MSCONFIG/Startup.

Make sure "System Restore" is disabled before you clean your system. Having system restore turned on can revert your system back to the infected state whenever you boot!
bobengel (Author) Commented:
Rindi: I thought System Restore only takes effect when the user restores the system to a selectable earlier time rather than on every boot but I will try your suggestion anyway.  However, it's true that if a user cleans out viruses and then uses System Restore, he or she could re-introduce the viruses that were present at the restore point.
Malware can cause an automatic restore to be made without the user noticing.
Tim Holman Commented:
System Restore MUST be disabled to remove this (as per the McAfee link I posted).
CounterSpy should be able to take care of this.
bobengel (Author) Commented:
tim: I have System Restore turned off but the Downloaded.abc Trojan keeps coming back every day after removing it with CounterSpy.
I don't know CounterSpy, maybe it is no good. Try Spybot S&D (http://www.safer-networking.org/en/download/); if that doesn't work, Ad-Aware (http://lavasoft.com), and then HijackThis. When you have run HijackThis, paste the log to the HijackThis homepage in the empty space, then click on "Analyze", then on "Save analysis", and now paste a link to that page here.

Oh, and don't forget to run these tools in safe mode.
Tim Holman Commented:
A free scan is available from http://housecall.trendmicro.com

If this doesn't pick up anything, please use HijackThis for diagnosis:


Post the logfile to the same webpage for analysis.

Autoruns is also useful in working out whether or not something has latched on to your system that shouldn't have:


Then try SpyBot to clean up the rest of the mess:


If any of these applications pick anything up, bear in mind you may need to disable System Restore AND run them again in SAFE MODE to ensure disinfection.

If this doesn't work, then at least we've eliminated 99.99% of what the problem may be...  :)
bobengel (Author) Commented:
tim: Thanks for the recommendations. Trendmicro's Housecall did not show the Trojan and I posted the HijackThis log file to the forum. No response yet. I just downloaded a newer build of CounterSpy that I will run tonight and see what happens. Then I'll run Spybot and Adaware, both of which I use regularly. I need to try all of these in Safe Mode, which I haven't done yet. I'll post results in a few days.
Tim Holman Commented:
SpyBot doesn't need Safe Mode - it can use the TeaTimer component to rerun scans of unfixable infections at boot time.
Housecall would be better to run in Safe Mode. Make sure System Restore is disabled.
Seeing as McAfee is the only thing we can find that picks this up, how about downloading a trial copy and using it to remove the offending item?
bobengel (Author) Commented:
Hi Tim: Yesterday, I installed a new beta version of CounterSpy and ran a deep system scan. It picked up a few cookies but not the Trojan. I'll run it again for a few more days and see what happens. CounterSpy was the only utility that picked up the Trojan so it may have been a false positive problem with the earlier beta version.
I'll post the results over the next few days.
Tim Holman Commented:
Possibly. Could you also try www.ewido.com? This is a very thorough scanner available on a 2-week trial. If this doesn't pick it up, then it's quite likely you have a false positive as you've described.
