Is dssoundi.dll a valid OS file?

Guest

I am having trouble getting rid of a virus on my home PC which my security
software (Trend Micro's PC-cillin 14) has IDed as TROJ_AGENT.AMV located in
the file C:\WINDOWS\system32\dssoundi.dll. My OS is XP Pro.

Is this file a valid OS .dll file or a fake one created by malware to
host the virus? If it is a valid OS file what does it do & what effect would
deleting it have?

I have tried running a Microsoft digital signature verification scan and the
name of the file did not come up as invalid (although for some reason the scan
didn't scan all the C drive files although that's what I specified). However
several people have suggested to me that such viruses often create fake files
to hang out in.

Any advice would be appreciated!
 
Malke

pog said:
> I am having trouble getting rid of a virus on my home PC which my
> security software (Trend Micro's PC-cillin 14) has IDed as
> TROJ_AGENT.AMV located in the file C:\WINDOWS\system32\dssoundi.dll.
> My OS is XP Pro.
>
> Is this file a valid OS .dll file or a fake one created by malware to
> host the virus? If it is a valid OS file what does it do & what effect
> would deleting it have?
>
> I have tried running a Microsoft digital signature verification scan
> and the name of the file did not come up as invalid (although for some
> reason the scan didn't scan all the C drive files although that's what I
> specified). However several people have suggested to me that such
> viruses often create fake files to hang out in.
>
> Any advice would be appreciated!

Asked and answered in the other newsgroup to which you posted. Please do
not multipost - it wastes everyone's time. Here is a link explaining
that:
http://www.blakjak.demon.co.uk/mul_crss.htm

If you cannot find your original post, go to Google Groups Advanced
Search and search for your name.

Malke
 
Guest

I had the same problem. This is the nastiest virus I have ever had to deal
with. Somehow it infected Internet Explorer and explorer. It starts off as
"dssoundi.dll" then it creates another DLL file with a random name. It also
creates a randomly named EXE file with a clone OCX file of about 140KB in the
system32 folder. These are next to impossible to delete. The EXE file runs
constantly in the background, and as soon as explorer or another program
finds that the EXE file has been deleted, it deletes the OCX file and makes
another randomly named EXE and OCX file. Download these programs to help you
delete and detect the files:

WinPatrol
Unlocker

Also, learn how to use your command prompt in safe mode. You are going to
have to kill the EXE file and it doesn't always come up in task manager and
it also fools with your task manager too. Delete the registry files
(http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.AMV&VSect=T)
using regedit (START->RUN type in regedit and hit enter) and then find,
unlock, and delete the DLL files.

Here comes the tough part...

Restart the computer, and as soon as you see a black screen with a small
blinking white bar, start pressing F8 until the options come up. Select
"Safe Mode with Command Prompt." Let it boot up, and then close explorer and
task manager. In the command prompt (START->RUN type in cmd and hit enter if
you already closed it by accident) type in...


CD C:\WINDOWS\system32

tasklist

TASKKILL /F /T /IM file.exe

del file.exe

del file.ocx


You may have to unlock the OCX file before you delete it, so using the task
manager, go to FILE->RUN->BROWSE and then find the file, right click, and
unlock it. Also, tasklist will only tell you what tasks are running
regardless of what task manager says.

After all this, get a flash drive or floppy and put explorer.exe and
iexplore.exe on it from another PC and replace those files on your computer.


Fun, huh? Actually, I am not even sure if this works for real. That is
what I did so far. I still have yet to test it out.
 
Guest

Whoops. I lied about the second part. That was another virus:
Backdoor.ppdoor. I actually ended up using Ewido and Avast! anti-virus
programs in safe mode to get rid of that virus. And it didn't actually
infect explorer and iexplorer...so you didn't have to delete them. For some
reason, eTrust didn't detect it.
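
An added example, not part of any post in this thread: a read-only check that lists EXE/OCX files sharing a base name where the OCX is close to the "about 140KB" reported above, so they can be reviewed before anything is killed or deleted. The shared base name, the 15% size tolerance, the function names and all sample file names are assumptions made for this example.

```python
import os
import tempfile
from pathlib import Path

# Assumptions drawn from the post's description, not from a vendor write-up:
# the dropped EXE and OCX share a base name, and the OCX is "about 140KB".
OCX_SIZE_BYTES = 140 * 1024
TOLERANCE = 0.15  # accept +/-15% around the reported size (arbitrary choice)


def find_exe_ocx_pairs(directory, expected=OCX_SIZE_BYTES, tolerance=TOLERANCE):
    """Return [(exe_path, ocx_path, ocx_size)] for same-name EXE/OCX pairs whose
    OCX size is within `tolerance` of `expected`. Nothing is modified or deleted."""
    by_stem = {}
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        stem, ext = os.path.splitext(entry.name)
        ext = ext.lower()
        if ext in (".exe", ".ocx"):
            # Windows file names are case-insensitive, so compare lowercased stems.
            by_stem.setdefault(stem.lower(), {})[ext] = entry
    low, high = expected * (1 - tolerance), expected * (1 + tolerance)
    hits = []
    for stem in sorted(by_stem):
        files = by_stem[stem]
        if ".exe" in files and ".ocx" in files:
            size = files[".ocx"].stat().st_size
            if low <= size <= high:
                hits.append((files[".exe"].path, files[".ocx"].path, size))
    return hits


def build_sample_dir(root):
    """Constructed sample layout standing in for system32 (all names invented)."""
    samples = {
        "qzxvkw.exe": 20_000, "qzxvkw.ocx": 143_000,  # pair matching the description
        "notepad.exe": 69_000,                         # EXE with no OCX sibling
        "mscomctl.ocx": 1_000_000,                     # OCX with no EXE sibling
        "tool.exe": 5_000, "tool.ocx": 900_000,        # pair, but OCX far from 140 KB
    }
    for name, size in samples.items():
        Path(root, name).write_bytes(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        for exe, ocx, size in find_exe_ocx_pairs(tmp):
            print(f"review: {exe} + {ocx} ({size} bytes)")
```

A match is only a lead for manual review; legitimate software can also ship an EXE and an OCX under the same name.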
 
