Avast WEBforum

Other => Viruses and worms => Topic started by: iris on February 28, 2008, 03:54:51 PM

Title: how to delete trojan virus with file name c:\windows\system32\fool0.dll
Post by: iris on February 28, 2008, 03:54:51 PM

not actually sure but it is either  c:\windows\system32\fool0.dll    or      c:\windows\system32\foolO.dll


that is the malware name: win32:onlinegames-bvm[trj]


please help again thanks !

Title: Re: how to delete trojan virus with file name c:\windows\system32\fool0.dll
Post by: polonus on February 28, 2008, 09:34:46 PM

Hi iris,


W32/Onlinegames.Lov.PSW is a trojan. The trojan will infect Windows systems.

Upon execution, it drops as amvo.exe, amvo1.dll in the System folder and help[1].exe, ro.dll or in your case foolO.dll in the Documents and Settings folder.

The trojan attempts to steal passwords from infected systems.

This trojan first appeared on December 27, 2007.

Manual removal instructions,


Step 1 : Use Windows File Search Tool to Find Trojan-PSW.OnLineGames.bs Path

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the the file name" section, type in "Trojan-PSW.OnLineGames.bs" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "Trojan-PSW.OnLineGames.bs", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete Trojan-PSW.OnLineGames.bs in the following manual removal steps.
Step 2 : Use Windows Task Manager to Remove Trojan-PSW.OnLineGames.bs Processes

   1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
   2. Click on the "Image Name" button to search for "Trojan-PSW.OnLineGames.bs" process by name.
   3. Select the "Trojan-PSW.OnLineGames.bs" process and click on the "End Process" button to kill it.
   4. Remove the "Trojan-PSW.OnLineGames.bs" processes files:
tlso.exe
Step 3 : Use Windows Command Prompt to Unregister Trojan-PSW.OnLineGames.bs DLL Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then click the "OK" button.
   2. Type "cd" in order to change the current directory, press the "space" button, enter the full path to where you believe the Trojan-PSW.OnLineGames.bs DLL file is located and press the "Enter" button on your keyboard. If you don't know where Trojan-PSW.OnLineGames.bs DLL file is located, use the "dir" command to display the directory's contents.
   3. To unregister "Trojan-PSW.OnLineGames.bs" DLL file, type in the exact directory path + "regsvr32 /u" + [DLL_NAME] (for example, :C\Spyware-folder\> regsvr32 /u Trojan-PSW.OnLineGames.bs.dll) and press the "Enter" button. A message will pop up that says you successfully unregistered the file.
   4. Search and unregister "Trojan-PSW.OnLineGames.bs" DLL files:
tlso0.dll
Step 4 : Detect and Delete Other Trojan-PSW.OnLineGames.bs Files

   1. To open the Windows Command Prompt, go to Start > Run > type cmd and then press the "OK" button.
   2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content even the hidden files.
   3. To change directory, type in "cd name_of_the_folder".
   4. Once you have the file you're looking for type in "del name_of_the_file".
   5. To delete a file in folder, type in "del name_of_the_file".
   6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
   7. Select the "Trojan-PSW.OnLineGames.bs" process and click on the "End Process" button to kill it.
   8. Remove the "Trojan-PSW.OnLineGames.bs" processes files:
tlso.exe
tlso0.dll
Look for:

Code: [Select]

begin
SearchRootkit(true, true);
SetAVZGuardStatus(true);
QuarantineFile('C:\usdeiect.com','');
QuarantineFile('E:\usdeiect.com','');   
QuarantineFile('E:\autorun.inf','');
QuarantineFile('C:\autorun.inf','');
QuarantineFile('C:\WINXP\system32\amvo0.dll','');
QuarantineFile('C:\WINXP\system32\amvo.exe','');
QuarantineFile('C:\WINXP\system32\wincab.sys','');
DeleteFile('C:\WINXP\system32\amvo.exe');
DeleteFile('C:\WINXP\system32\amvo0.dll');
DeleteFile('C:\autorun.inf');
DeleteFile('E:\autorun.inf'); 
DeleteFile('C:\WINXP\system32\wincab.sys'); 
DeleteFile('C:\usdeiect.com');
DeleteFile('E:\usdeiect.com');   
BC_ImportAll;
BC_DeleteFile('C:\WINXP\system32\wincab.sys');
BC_DeleteSvc('wincab');
BC_Activate;
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(16);
RebootWindows(true);
end.

polonus

Title: Re: how to delete trojan virus with file name c:\windows\system32\fool0.dll
Post by: iris on March 01, 2008, 01:42:00 AM

hi polonus !!! thanks for the help ! i am going to do it now . i'll keep u posted with the outcome. have a great day ahead !!! ;D