-
July 29th, 2004, 06:54 PM
#1
TROJ_DLDR.OO virus
Hello there
PC-cillin 2002 RealTime Monitor has detected virus TROJ_DLDR.OO, located within file C:/WINDOWS/System32/lsd_f3.dll
PC-cillin says it is unable to quarantine or clean the virus. I have run a HiJackThis log but none of the strings look related to the virus. Do you have any suggestions re what I can do? Also, I have done a google search on the virus but there are no results.
I am running Windows XP. HiJackThis log is below.
Many thanks in advance.
Logfile of HijackThis v1.97.7
Scan saved at 08:33:38, on 30/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Andy McKenna\Local Settings\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausgift.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Andy McKenna\Application Data\Mozilla\Profiles\default\vbvxaske.slt\prefs.js)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Private view Helper - {E003FE73-C578-43F1-86D3-26BDE04C44AC} - C:\PROGRA~1\FILESY~1\SYSTEM~1\Plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Ulead Memory Card Detector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 7.0\Monitor.exe
O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [Q-HotkeyMgr] "C:\Program Files\BenQ\Q-HotkeyMgr\HotkeySensor.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Toggle AccessibilityToolbar toolbar (HKLM)
O9 - Extra 'Tools' menuitem: &AccessibilityToolbar toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...7995.804537037
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
-
July 29th, 2004, 08:33 PM
#2
Registered User
Did you try having PC-cillin do a scan in Safe Mode ?
Here are a couple of free online virus scans that NooNoo recommends people try, to find and maybe kill those:
http://housecall.trendmicro.com/
http://www.pandasoftware.com/actives..._principal.htm
-
July 29th, 2004, 10:33 PM
#3
Registered User
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!
That is a Trojan, you want to get rid of that. Best bet is to boot into Safe Mode and find and delete it. The info I found on that Trojan is located here:
http://www.greatis.com/regrun3dw.htm
Also, you should get rid of these as well;
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
Snow
Friends help you move. Real friends help you move bodies!
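As an added illustration (not part of this thread, and not a HijackThis feature), here is a small Python triage pass over the kind of lines Snow is pointing at. It encodes the reasoning behind the call-outs above: IE's Local Page normally names a file on disk, so a web URL there is a hijack tell on its own; search-related values redirected to a non-default host are suspicious; and a Start Page is only flagged when the same host has already taken over the search values, which is what separates the user's own www.ausgift.com homepage from try-this-search.com. It also flags Run entries that launch an unfamiliar executable out of System32, like the `[secboot]` line. The allow-lists of default search hosts and of System32 autostart binaries are my constructed assumptions, and the sample lines are trimmed from the log posted above.

```python
import re
from collections import namedtuple
from urllib.parse import urlsplit

Finding = namedtuple("Finding", "section detail reason")

# Constructed sample: lines trimmed from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ausgift.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://try-this-search.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://try-this-search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://try-this-search.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\w32_ss.exe !!
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Assumed baselines (my assumptions, not from the thread): hosts that IE's
# search-related values point to out of the box, and System32 binaries that
# legitimately autostart from a Run key on a laptop like this one.
DEFAULT_SEARCH_HOSTS = {"www.microsoft.com", "go.microsoft.com", "home.microsoft.com",
                        "search.msn.com", "auto.search.msn.com"}
KNOWN_SYSTEM32_AUTOSTARTS = {"igfxtray.exe", "hkcmd.exe", "ctfmon.exe"}
# IE values that should only ever point at the vendor's search infrastructure.
SEARCH_VALUES = {"Search Page", "Default_Search_URL", "Default_Page_URL",
                 "SearchAssistant", "CustomizeSearch"}

R_LINE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,(.+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\]\s+(.*)$")


def host_of(url):
    """Hostname of a URL, or '' if it has none (e.g. about:blank)."""
    return urlsplit(url).hostname or ""


def triage(log_text):
    """Return the R0/R1 and O4 lines that match the hijack patterns discussed above."""
    findings, hijack_hosts, start_pages = [], set(), []
    for line in log_text.splitlines():
        m = R_LINE.match(line)
        if m:
            section, hive, value, url = m.groups()
            host = host_of(url)
            if value == "Local Page" and url.lower().startswith(("http://", "https://")):
                # Local Page normally names a file on disk (blank.htm on XP);
                # a web URL here is a strong hijack indicator by itself.
                findings.append(Finding(section, f"{hive} {value} = {url}",
                                        "Local Page points to a remote URL"))
                hijack_hosts.add(host)
            elif value in SEARCH_VALUES and host not in DEFAULT_SEARCH_HOSTS:
                findings.append(Finding(section, f"{hive} {value} = {url}",
                                        "search provider redirected to a non-default host"))
                hijack_hosts.add(host)
            elif value == "Start Page":
                start_pages.append((section, hive, url, host))   # judged in the second pass
            continue
        m = O4_LINE.match(line)
        if m:
            hive, name, rest = m.groups()
            exe = re.match(r'"?(.+?\.exe)', rest, re.I)     # path may be quoted, may carry args
            if not exe:
                continue
            path = exe.group(1)
            base = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32_AUTOSTARTS:
                findings.append(Finding("O4", f"{hive} Run [{name}] {path}",
                                        "unfamiliar executable autostarting from System32"))
    # Second pass: a Start Page is user-chosen, so it is only flagged when the
    # same host has already taken over the search or Local Page values.
    for section, hive, url, host in start_pages:
        if host in hijack_hosts:
            findings.append(Finding(section, f"{hive} Start Page = {url}",
                                    "start page set to the hijacking host"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.detail}\n    -> {f.reason}")
```

Run against the sample it reports four lines: the redirected Default_Page_URL, the remote Local Page, the `[secboot]` Run entry, and the HKLM Start Page, while leaving the ausgift.com homepage and the Intel graphics tray alone. Feed it a whole HijackThis log and the O4 rule is the one that most needs tuning to the machine's real baseline.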
-
July 29th, 2004, 11:25 PM
#4
I ran HiJackThis in safe mode and got rid of the try-this-search strings and also the w32_ss.exe line. Then when I tried to delete the .exe file itself in the System32 folder it wouldn't let me and a message appeared 'Cannot delete w32_ss: it is being used by another person or program. Close any programs that might be using the file and try again.'
However, I did run Pandasoftware virus scan as recommended by GrandDad, and it seemed to locate and disinfect 5 infected files, one of which was a Haxdoor trojan (the explanation on the site you told me to link to said the w32_ss.exe is a Haxdoor trojan). The scan log is here:
Incident Status Location
Virus:Trj/Ranky.AA Disinfected C:\WINDOWS\system32\filtmp0.exe
Virus:Bck/Haxdoor.I Disinfected C:\WINDOWS\system32\iesprt.sys
Virus:Trojan Horse Disinfected C:\WINDOWS\system32\eplrr.dll
Virus:Trj/StartPage.EH Disinfected C:\WINDOWS\hosts
Virus:Bck/Haxdoor.I Disinfected C:\WINDOWS\mstasks4.exe
Getting a bit confused now!
Originally Posted by Snowbound67 (post #3 above)
-
July 29th, 2004, 11:35 PM
#5
Oh, and when I ran PC-cillin 2002 RealTime Monitor again, it still picked up virus TROJ_DLDR.OO, located within file C:/WINDOWS/System32/lsd_f3.dll!
Originally Posted by drev (post #4 above)
-
July 30th, 2004, 04:47 AM
#6
Driver Terrier
-
July 30th, 2004, 08:14 AM
#7
Registered User
Had a similar problem last night - here's what I did
Drev-
I was fixing a machine for a family friend (2200 viruses and over 100 bad things detected by spybot). (Noo Noo your "sticky" instructions were most helpful)
There was one file that I could not delete, wdm.dll (backdoor.ba trojan) - here's what I did:
Look in the system32 folder. Can you see the file? (you can probably go to a cmd line and see the file but not in explorer).
If not you'll need to change a key in the registry, look here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows for a value called Appinit_Dlls.
Make a backup before you change anything.
If you can see the file, boot into safe mode, log in as administrator and take ownership of the file. Then add the administrator account to have full control and remove "everyone", finally remove the read only attribute. Now delete it.
This worked on a winXP home edition with NTFS filesystem. If you're running something different YMMV.
-
August 24th, 2004, 02:23 AM
#8
I found out that this virus is actually a derivation of the TROJ_SMALL.IP virus. What I did to get rid of it was go into registry editor (make back-up first!) and double-click the following:
HKEY_LOCAL_MACHINE>Software>Microsoft>Windows NT>
CurrentVersion>Winlogon>Notify>f3dsl
Delete the key:
f3dsl
In the left panel, click on:
HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>iesprt
Delete the key:
iesprt
I then re-ran PC-Cillin and it was able to quarantine the affected file.
This seems to have done the trick.
Belated thanks for all your help!
Originally Posted by Jeff316 (post #7 above)
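Jeff316's and drev's fixes both come down to inspecting three persistence points by hand in regedit: the AppInit_DLLs value, the Winlogon\Notify subkeys, and the Services key. As an added example (not from this thread), the following Python reads the text that `reg export` produces, so the same check can be run offline against an exported hive instead of on the live, infected box, and flags the same patterns: a Notify package outside an assumed clean-XP baseline, a non-empty AppInit_DLLs, and a driver service whose image sits directly in System32 rather than in System32\drivers. The baseline list and the sample .reg text are constructed; the f3dsl, lsd_f3.dll and iesprt names are the ones reported in the thread, and the Tcpip and crypt32chain entries stand in for legitimate neighbours.

```python
import re

# Constructed sample of `reg export` output (Windows writes these files as
# UTF-16; read the real thing with encoding="utf-16"). REG_EXPAND_SZ values
# are exported as hex(2): UTF-16LE bytes, sometimes wrapped with a trailing '\'.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\f3dsl]
"DllName"=hex(2):6c,00,73,00,64,00,5f,00,66,00,33,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"ImagePath"="system32\\DRIVERS\\tcpip.sys"
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iesprt]
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\iesprt.sys"
"Start"=dword:00000001
"""

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
WINDOWS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumed baseline of Winlogon\Notify packages on a clean XP SP1 install
# (my constructed allow-list, not something the thread states).
BASELINE_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                   "sclgntfy", "SensLogn", "termsrv", "wlballoon"}


def decode_value(data):
    """Decode the right-hand side of a .reg value line into a Python object."""
    if data.startswith('"'):                       # REG_SZ, with \\ and \" escapes
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) in ("2", "7"):               # REG_EXPAND_SZ / REG_MULTI_SZ
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw                                 # REG_BINARY and friends
    return data


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        while line.endswith("\\"):                 # hex data wrapped onto the next line
            line = line[:-1] + next(lines).strip()
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(data)
    return keys


def audit(keys):
    """Flag the persistence points this thread's fixes had to clean by hand."""
    findings = []
    for path, values in keys.items():
        if path.startswith(NOTIFY + "\\"):
            package = path[len(NOTIFY) + 1:]
            if package not in BASELINE_NOTIFY:
                findings.append(("Winlogon\\Notify", package, values.get("DllName")))
        elif path == WINDOWS and values.get("AppInit_DLLs"):
            findings.append(("AppInit_DLLs", "Windows", values["AppInit_DLLs"]))
        elif path.startswith(SERVICES + "\\"):
            service = path[len(SERVICES) + 1:]
            image = str(values.get("ImagePath", "")).lower()
            # Heuristic: kernel drivers normally live under System32\drivers;
            # a .sys loaded straight out of System32 is worth a second look.
            if "\\" not in service and image.endswith(".sys") and "\\drivers\\" not in image:
                findings.append(("Services", service, values["ImagePath"]))
    return findings


if __name__ == "__main__":
    for where, name, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{where}: {name} -> {detail}")
```

On the sample this returns exactly the two entries post #8 deleted, f3dsl (DllName lsd_f3.dll) and the iesprt driver service, and stays quiet about crypt32chain, Tcpip and the empty AppInit_DLLs. Exporting the hives from the infected machine and auditing the text on a clean one also side-steps the rootkit hiding the files from Explorer that Jeff316 ran into.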