Oo.exe trojan - Free Antivirus Forum

Oo.exe trojan

BullGuard Antivirus Forum > Virus > Virus Questions > Oo.exe trojan

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

exeproblem
New Member

Date Joined Oct 2005
Total Posts : 1

Posted 10-30-2005 4:54 (GMT +1)

I am having problems with a virus that causes massive amounts of files to be put into my Limewire file folders. I believe it may have something to do with a file called 'oo.exe', yet every time I delete it (even in safe mode) it comes back next restart.

Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 3:44:22 PM, on 10/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\blueyonder\PCguard\RPS.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wpabaln.exe
C:\DOCUMENTS AND SETTINGS\JACK STEWART\DESKTOP\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\blueyonder\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\blueyonder\PCguard\FBHR.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\blueyonder\PCguard\RPS.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Radialpoint Service (FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Emilio (SVK)
Gold Member

Date Joined Jan 2005
Total Posts : 1876

Posted 11-1-2005 11:44 (GMT +1)

Welcome

>Download Ad-AwareSE<

>Download SpyBot 1.4<

>Download Ewido Security Suite<
(compatible with your current AV soft)

>Download CCleaner<

install and check for updates....

PROCEDURE:
1.Turn off System restore(just click if you don´t know how)

2.Reboot to the "Safe mode"(just click if you don´t know how)

3.Show hidden files(just click if you don´t know how)

4.Run Hijackthis:
Check:
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [virtual-ie] winlogi.exe
O4 - HKLM\..\RunServices: [virtual-ie] winlogi.exe
Fix checked...........

5.Run Task Manager(CTRL+ALT+DELETE):
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\MsMovies\MsMovies.exe
C:\WINDOWS\system32\winlogi.exe
End these processes....

6.Find and delete these files:
C:\Program Files\winupdates\winupdates.exe (also folder Winupdates)
C:\Program Files\MsMovies\MsMovies.exe (also folder MsMovies)
C:\WINDOWS\system32\winlogi.exe

delete also mentioned file oo.exe if you found him....

7.Scans:
run scan with Ad-AwareSE (full system scan, scan volume for ADS)
run scan with SpyBot (press Imunize an dthen scan)
run scan with Ewido (Complete scan)

8.Cleaning TEMP folders
run CCleaner (Run cleaner)

9.Reboot

post new log after that...thx

Emilio²⁵

>Hijackthis<>FireFox<

jestah57
New Member

Date Joined Nov 2005
Total Posts : 5

Posted 11-8-2005 10:57 (GMT +1)

hi there.....got a question regarding this oo.exe thing. I had that too, and now Everytime i log on to my pc AVG finds a "Trojan Horse IRC/Backdoor.SdBot.MYX" and no matter what I do, it comes back next reboot. Also, no matter what LimeWire runs automatically on start up. Im sure this is related, and that IRC Trojan has a few threads on it. MY question is are all the HijackThis logs individually different? meaning I have to run my own to find the correct process to remove it? Let me know and Ill start my own thread with my log.....Thanks Much!

petermark
New Member

Date Joined Nov 2005
Total Posts : 2

Posted 11-28-2005 7:11 (GMT +1)

Trojan Horse IRC/Backdoor.SdBot.MYX will replicate a file with different names till it over runs your hard drive
it also apears to kill your regedit program

oo.exe is installed by file called msmovie.exe: C:\program files\msmovie\msmovie.exe

msmovie is run at start up from the rgistry: HKLM\software\microsoft\windows\current verision\run\msmovie

regedit wont work: run regedt32 to remove msmovie from the registry

reboot: delete c:\oo.exe & c:\program files\msmovie < folder and all files in it

You may also find a folder full of files claiming to by porn movies.
The first machine I removed this trojen from had 23,000 files
Sorry I don't remember exactly where they were (someware under documents and settings)

ComputronicsKen
New Member

Date Joined Dec 2005
Total Posts : 1

Posted 12-11-2005 8:40 (GMT +1)

I just had an identical problem, by downloadind a file using Shareaza (like Limeware, but not quite as good). Here's a report I just sent to Symantec and TrendMicro, with the fix I used. (If all else fails, and you're using Windows XP, try using a system restore from a time period before the problem occurred.)

12/10/05, Apparent virus with msMovie file
------------------------------------------

SOURCE OF VIRUS:
1. Downloaded a zip file, with an innocuous name, containing one file: video.exe.
2. Unzipped the file and launched video.exe.

SYMPTOMS OF VIRUS:
1. An executable file named MsMovies.exe runs automatically on startup (and apparently locks up Task Manager).
2. Prevents user from running Task Manager, by either using Ctrl-Alt-Del keys or running TaskMgr in the Run dialog.

CHANGES MADE BY VIRUS:
1. Creates these files:
    a. c:/0.exe
    b. c:/Program Files/msmovie, a hidden folder containing these files:
          v.tmp
          MsMovies.exe
          p.zip, containing the same file as the one in the original download: video.exe
          Adds many, many other zip files, all containing MsMovies.exe
2. Adds the following register keys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  "MsMovies"="C:\\Program Files\\MsMovies\\MsMovies.exe /auto"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
  "C:\\Program Files\\MsMovies\\MsMovies.exe"="Windows Media Video"

OTHER NOTES:
1. Virus scanner will detect a virus in c:/0.exe.
2. Even with the file c:/0.exe deleted, MsMovies.exe still runs and locks up Task Manager.
3. MsMovies.exe can't easily be terminated by user.
4. If a firewall is used and running, it can be used to terminate MsMovies.exe.
5. MsMovies.exe will still start on next start-up however.

FIX:
1. Delete register entries, above, using regedit.
2. Delete c:/0.exe, if an anti-virus program hasn't already deleted it.
3. Delete c:/Program Files/msmovie folder and it's content (you may have to set explorer to see hidden folders and files).

Ken Kuhns
Computronics

tattoome
New Member

Date Joined Apr 2006
Total Posts : 1

Posted 4-15-2006 7:09 (GMT +1)

Thank you Emilio! I had the same virus with two seperate folders fill of porn-over 150,000 zip files! Your intructions also exposed and deleted several other viruses! I am so grateful!

Forum Information

Currently it is Saturday, November 21, 2009 8:58 PM (GMT +1)
There are a total of 73.034 posts in 17.116 threads.
In the last 3 days there were 13 new threads and 69 reply posts. View Active Threads