PDA

View Full Version : Trojan Dloader.ATF by BHO ursqqoo.dll



Miguel001
2006-06-18, 09:03
C:\Documents and Settings\~Mike.XPS4\Local Settings\Temporary Internet Files\Content.IE5\U5PMFML4\srvwnr[1].exe

ursqqoo.dll is a feature that Spybot successfully delets, but is quickly re-written. It is a function of the Winlogin.exe program so the system is being taken for a ride and keeps getting the responding Trjan files created whenever the browser is active.

Here is the export of the BHO files: (item number 2 ursqqoo.dll is the issue)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-04 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-06-16 Includes\Cookies.sbi
2006-06-16 Includes\Dialer.sbi
2006-06-16 Includes\Hijackers.sbi
2006-06-16 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2006-06-16 Includes\Malware.sbi
2006-06-16 Includes\PUPS.sbi
2006-06-16 Includes\Revision.sbi
2006-06-16 Includes\Security.sbi
2006-06-16 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-06-16 Includes\Trojans.sbi

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 5/12/2004 1:03:00 AM
Date (last access): 6/17/2006 11:31:22 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\system32\
Long name: ursqqoo.dll
Short name:
Date (created): 6/17/2006 4:58:06 PM
Date (last access): 6/17/2006 11:18:06 PM
Date (last write): 6/17/2006 4:58:06 PM
Filesize: 39437
Attributes: hidden sysfile
MD5: BAFD673FDCFD66B55CE90A8A163530EC
CRC32: C47055E1

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 5/3/2006 2:57:02 AM
Date (last access): 6/17/2006 11:17:26 PM
Date (last write): 5/3/2006 3:14:38 AM
Filesize: 434279
Attributes: archive
MD5: 162186B53BBB5964F9E806F96934338E
CRC32: 1C68240D
Version: 5.0.70.3

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar2.dll
Short name: GOOGLE~2.DLL
Date (created): 4/10/2006 1:05:14 AM
Date (last access): 6/18/2006 12:17:26 AM
Date (last write): 2/14/2006 8:05:30 PM
Filesize: 1191424
Attributes: readonly archive
MD5: 677C42CD9FE9C13B4B7B601A2E4065B0
CRC32: 58231F90
Version: 3.0.131.0

I am in way over my head and dont mind a little help.

tashi
2006-06-18, 09:41
Hello Miguel001

Please follow the instructions in this sticky topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

Start your own topic here:
Malware Forum (http://forums.spybot.info/forumdisplay.php?f=22[/url)

A helper will then take a look at the system as soon as available.

Cheers. :)