Summary

| Affected operating systems | Windows |
|---|---|
| Characteristics | |
| Included in our products from | May 2007 (4.17) |
| Protection available since | 23 March 2007 07:08:05 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing Trojans.
More Information
Troj/DwnLdr-GSO is a Trojan for the Windows platform.
Troj/DwnLdr-GSO includes functionality to access the internet and communicate with a remote server via HTTP.
When Troj/DwnLdr-GSO is installed, it downloads and creates the file <System>\daoprint.dll. This file is not available at the time of writing.
The file daoprint.dll is registered as a COM object, creating registry entries under:
HKCR\CLSID\{5155A449-9710-4FFC-8084-D8BDA141F551}
The following registry entry is created to run code exported by Microsoft Printer Sheduler on startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{5155A449-9710-4FFC-8084-D8BDA141F551}
Microsoft Printer Sheduler
Other registry entries are set as follows:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1001
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1004
1
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1200
0
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1809
3
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1001
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1004
1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1200
0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
1809
3
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
EnableFirewall
0
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
DoNotAllowXPSP2
1
More registry entries are created under:
HKLM\SOFTWARE\Microsoft\Security Center
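
For triage, the registry values listed above can be checked against the decoded text of a `reg export` file. The following is an added example, not Sophos code; the function names and the sample export are constructed for illustration, and matching subkeys of Zones is an assumption.

```python
import re
# Indicators from the write-up: (key, value name, data, match_subkeys).
# Assumption: Zones entries also match subkeys (the page names only the Zones key).
CV = r"\Software\Microsoft\Windows\CurrentVersion"
POL = r"HKLM\SOFTWARE\Policies\Microsoft"
INDICATORS = [
    ("HKLM" + CV + r"\Explorer\SharedTaskScheduler",
     "{5155A449-9710-4FFC-8084-D8BDA141F551}", "Microsoft Printer Sheduler", False),
    (POL + r"\WindowsFirewall\DomainProfile", "EnableFirewall", 0, False),
    (POL + r"\WindowsFirewall\StandardProfile", "EnableFirewall", 0, False),
    (POL + r"\Windows\WindowsUpdate", "DoNotAllowXPSP2", 1, False),
] + [(hive + CV + r"\Internet Settings\Zones", name, data, True)
     for hive in ("HKCU", "HKLM")
     for name, data in (("1001", 1), ("1004", 1), ("1200", 0), ("1809", 3))]

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(?:dword:([0-9a-fA-F]{8})|"((?:[^"\\]|\\.)*)")$')

def parse_reg(text):
    """Yield (key, name, data) from decoded export text (REG_DWORD and REG_SZ only)."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest
        elif key and (m := VALUE.match(line)):
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            data = int(m.group(2), 16) if m.group(2) else re.sub(r"\\(.)", r"\1", m.group(3))
            yield key, name, data

def find_indicators(text):
    """Return exported values equal to a listed indicator (keys and names case-insensitive)."""
    hits = []
    for key, name, data in parse_reg(text):
        for ikey, iname, idata, subkeys in INDICATORS:
            k, ik = key.lower(), ikey.lower()
            key_ok = k == ik or (subkeys and k.startswith(ik + "\\"))
            if key_ok and name.lower() == iname.lower() and data == idata:
                hits.append((key, name, data))
    return hits

# Constructed sample export (not taken from an infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{5155A449-9710-4FFC-8084-D8BDA141F551}"="Microsoft Printer Sheduler"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1200"=dword:00000000
'''
```

Export files written by `reg export` are normally UTF-16, so decode them before passing the text to `find_indicators`.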
