TROJ_DLDR.OO virus


drev
July 29th, 2004, 07:54 PM
Hello there

PC-cillin 2002 RealTime Monitor has detected virus TROJ_DLDR.OO, located within file C:/WINDOWS/System32/lsd_f3.dll

PC-cillin says it is unable to quarantine or clean the virus. I have run a HiJackThis log but none of the strings look related to the virus. Do you have any suggestions re what I can do? Also, I have done a Google search on the virus but there are no results.

I am running Windows XP. HiJackThis log is below.

Many thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 08:33:38, on 30/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Andy McKenna\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausgift.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy McKenna\Application Data\Mozilla\Profiles\default\vbvxaske.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Toggle AccessibilityToolbar toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &AccessibilityToolbar toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37995.804537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

GrandDad
July 29th, 2004, 09:33 PM
Did you try having PC-cillin do a scan in Safe Mode ?

Here are a couple of free online virus scans that NooNoo recommends people try to find and maybe kill those;

http://housecall.trendmicro.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

Snowbound67
July 29th, 2004, 11:33 PM
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!

That is a Trojan; you want to get rid of that. Best bet is to boot into Safe Mode and find and delete it. The info I found on that Trojan is located here:

http://www.greatis.com/regrun3dw.htm

Also, you should get rid of these as well:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com


Snow
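The two things Snowbound67 picks out of the log by eye (one host owning nearly every IE start/search setting, and an autostart that HijackThis marked) can be checked mechanically. The PowerShell below is an added example, not code from the thread or from HijackThis: it re-reads the R0/R1 and O4 lines copied from the first post and produces a review list. The host-count threshold of 3 and the "loose in System32" heuristic are assumptions of this example, and it needs only PowerShell, no registry access.

```powershell
# Added example, not code from the thread or from HijackThis: triage a HJT log
# mechanically for the two things the replies above spot by eye. The log text
# is copied from the first post; the threshold of 3 and the "loose in System32"
# heuristic are assumptions of this example.

$HjtLog = @'
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausgift.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
'@

function Get-HijackedSearchHosts {
    param([string[]]$Lines, [int]$Threshold = 3)
    # R0/R1 lines are IE start and search page settings. Count the host each
    # one points at: one host owning most of them is the hijack footprint
    # Snowbound67 picked out (try-this-search.com appears on eight lines).
    $hosts = foreach ($line in $Lines) {
        if ($line -match '^R[01] - .*= (?<Url>https?://\S+)') { ([uri]($Matches.Url)).Host }
    }
    $hosts | Group-Object | Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ Host = $_.Name; Entries = $_.Count } }
}

function Get-AutostartsForReview {
    param([string[]]$Lines)
    # O4 lines are Run-key and Startup-folder autostarts. Extract the binary
    # from each command line and attach a reason for review: HijackThis' own
    # trailing "!!" marker, or a binary sitting loose in System32 with no
    # vendor folder to vouch for it. igfxtray.exe (Intel graphics) shows why
    # this is a review list rather than a verdict.
    foreach ($line in $Lines) {
        if ($line -match '^O4 - (?<Key>.+?): \[(?<Name>[^\]]+)\] (?<Cmd>.+)$') {
            $key = $Matches.Key; $name = $Matches.Name; $cmd = $Matches.Cmd
            $path = if ($cmd -match '^"(?<P>[^"]+)"') { $Matches.P }
                    elseif ($cmd -match '^(?<P>.+?\.(?:exe|dll|scr|com))') { $Matches.P }
                    else { $cmd }
            $reasons = @()
            if ($cmd -match '\s!!\s*$') { $reasons += 'marked "!!" by HijackThis' }
            if ($path -match '\\System32\\[^\\]+$') { $reasons += 'loose in System32' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Name = $name; Key = $key; Path = $path; Reason = $reasons -join '; ' }
            }
        }
    }
}

$lines = $HjtLog -split "`r?`n"
Get-HijackedSearchHosts -Lines $lines | Format-Table -AutoSize
Get-AutostartsForReview -Lines $lines | Format-Table -AutoSize
```

On this input the first table lists try-this-search.com with eight entries, and the second lists IgfxTray (System32 only) and secboot (both reasons), so the legitimate Intel tray applet lands on the list beside the trojan; the point of the heuristic is to shorten what a human has to look at, not to decide for them.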

drev
July 30th, 2004, 12:25 AM
I ran HiJackThis in safe mode and got rid of the try-this-search strings and also the w32_ss.exe line. Then when I tried to delete the .exe file itself in the System32 folder it wouldn't let me and a message appeared 'Cannot delete w32_ss: it is being used by another person or program. Close any programs that might be using the file and try again.'

However, I did run Pandasoftware virus scan as recommended by GrandDad, and it seemed to locate and disinfect 5 infected files, one of which was a Haxdoor trojan (the explanation on the site you told me to link to said the w32_ss.exe is a Haxdoor trojan). The scan log is here:

Incident                 Status        Location

Virus:Trj/Ranky.AA       Disinfected   C:\WINDOWS\system32\filtmp0.exe
Virus:Bck/Haxdoor.I      Disinfected   C:\WINDOWS\system32\iesprt.sys
Virus:Trojan Horse       Disinfected   C:\WINDOWS\system32\eplrr.dll
Virus:Trj/StartPage.EH   Disinfected   C:\WINDOWS\hosts
Virus:Bck/Haxdoor.I      Disinfected   C:\WINDOWS\mstasks4.exe

Getting a bit confused now!


drev
July 30th, 2004, 12:35 AM
Oh, and when I ran PC-cillin 2002 RealTime Monitor again, it still picked up virus TROJ_DLDR.OO, located within file C:/WINDOWS/System32/lsd_f3.dll!


NooNoo
July 30th, 2004, 05:47 AM
drev, try these removal instructions (http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=39315)

Jeff316
July 30th, 2004, 09:14 AM
Drev-

I was fixing a machine for a family friend (2200 viruses and over 100 bad things detected by Spybot). (Noo Noo, your "sticky" instructions were most helpful.)

There was one file that I could not delete, wdm.dll (backdoor.ba trojan) - here's what I did:

Look in the system32 folder. Can you see the file? (You can probably go to a cmd line and see the file but not in Explorer.)

If not, you'll need to change a key in the registry; look here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows for a value called Appinit_Dlls.

Make a backup before you change anything.

If you can see the file, boot into safe mode, log in as administrator and take ownership of the file. Then add the administrator account to have full control and remove "everyone", and finally remove the read-only attribute. Now delete it.

This worked on a winXP home edition with NTFS filesystem. If you're running something different YMMV.


:thumbs:

drev
August 24th, 2004, 03:23 AM
I found out that this virus is actually a derivation of the TROJ_SMALL.IP virus. What I did to get rid of it was go into registry editor (make a backup first!) and double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>CurrentVersion>Winlogon>Notify>f3dsl
Delete the key:
f3dsl
In the left panel, click on:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>iesprt
Delete the key:
iesprt

I then re-ran PC-Cillin and it was able to quarantine the affected file.

This seems to have done the trick.

Belated thanks for all your help!
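Jeff316's recipe and drev's final fix both come down to the same two steps: find the autostart location that keeps reloading the file, remove it, then delete the file. The PowerShell below is an added example, not something anyone in the thread posted. It audits the four locations the thread names (the Run keys behind the O4 lines, AppInit_DLLs, Winlogon\Notify and Services), reports every referenced binary that is missing or not validly signed, and wraps Jeff316's take-ownership-and-delete steps in a function that honours -WhatIf. The signature check, the command-line normalisation and the use of takeown/icacls are this example's assumptions; it needs a current Windows with PowerShell 5 or later and an elevated prompt.

```powershell
# Added example, not posted in the thread: audit the autostart locations the
# replies name (Run keys, AppInit_DLLs, Winlogon\Notify, Services) and report
# binaries that are missing or not validly signed, then wrap Jeff316's manual
# delete recipe in a -WhatIf-aware function. Assumes a current Windows with
# PowerShell 5+, run from an elevated prompt.

function Resolve-ImagePath {
    param([string]$Command)
    # Run, AppInit_DLLs and ImagePath values spell paths several ways: quoted,
    # with %SystemRoot%, with the NT prefixes \SystemRoot\ or \??\, relative to
    # the Windows directory ("system32\drivers\x.sys"), or a bare DLL name.
    $raw = if ($Command -match '^"(?<P>[^"]+)"') { $Matches.P }
           elseif ($Command -match '^(?<P>.+?\.(?:exe|dll|sys|ocx))') { $Matches.P }
           else { $Command.Trim() }
    $p = [Environment]::ExpandEnvironmentVariables($raw)
    $p = $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    # A bare file name is resolved by the loader from System32; any other
    # drive-less path is taken relative to the Windows directory.
    if ($p -notmatch '\\') { $p = Join-Path "$env:SystemRoot\System32" $p }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Test-AutostartBinary {
    param([string]$Source, [string]$Name, [string]$Command)
    $path = Resolve-ImagePath $Command
    $status = if (Test-Path -LiteralPath $path -PathType Leaf) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else { 'MISSING' }
    [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Status = "$status" }
}

function Get-AutostartAudit {
    $nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # 1. Run keys: the O4 lines of a HijackThis log.
    foreach ($hive in 'HKLM', 'HKCU') {
        $props = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            Test-AutostartBinary -Source "$hive Run" -Name $p.Name -Command $p.Value
        }
    }
    # 2. AppInit_DLLs (Jeff316's value): every DLL listed is loaded into every process that uses user32.dll.
    $appinit = (Get-ItemProperty -Path "$nt\Windows" -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($appinit -split '[,\s]+' | Where-Object { $_ })) {
        Test-AutostartBinary -Source 'AppInit_DLLs' -Name $dll -Command $dll
    }
    # 3. Winlogon\Notify (drev's f3dsl key): each subkey names a DLL winlogon loads at logon.
    Get-ChildItem -Path "$nt\Winlogon\Notify" -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath).DLLName
        if ($dll) { Test-AutostartBinary -Source 'Winlogon\Notify' -Name $_.PSChildName -Command $dll }
    }
    # 4. Services and drivers (drev's iesprt key): the ImagePath of each entry.
    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        if ($img) { Test-AutostartBinary -Source 'Service' -Name $_.PSChildName -Command $img }
    }
}

function Remove-LockedAutostartFile {
    # Jeff316's recipe in command form: take ownership, give Administrators
    # full control, drop the Everyone ACE, clear read-only, delete. Run it
    # elevated, from Safe Mode if the file is in use, and only against a path
    # the audit and a second opinion have confirmed; -WhatIf shows the plan.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    if ($PSCmdlet.ShouldProcess($Path, 'take ownership, reset ACL and delete')) {
        takeown.exe /F $Path | Out-Null
        icacls.exe $Path /inheritance:r /grant 'Administrators:F' /remove 'Everyone' | Out-Null
        attrib.exe -R $Path
        Remove-Item -LiteralPath $Path -Force
    }
}

# Show only what needs a human: missing files and unsigned or tampered code.
Get-AutostartAudit | Where-Object { $_.Status -ne 'Valid' } | Sort-Object Source, Name | Format-Table -AutoSize
```

The output is a review list, not a verdict: on older PowerShell builds catalog-signed Microsoft binaries report NotSigned, and third-party vendors still ship unsigned tray utilities. What the list does give you is the link the thread had to find by hand, from a file PC-cillin could not remove back to the registry key that keeps reloading it; once that key is gone, the delete step stops failing with "being used by another person or program".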
