Guess what...trojan-spy.HTML.smitfraud.c


#1
pollyann
Hello, I'm from Italy and my pc is infected with smitfraud.
I have already followed all the steps you suggested to others, with no results. One point to tell you: I cannot see any of the four folders (Search Maid, Virtual Maid, Log Files, Security iGuard) you say to delete, and I AM seeing all the "invisible" files.
I have Panda running all day, Spybot launched every now and then, but nothing has even come close to detecting this nasty malware.
Here below the HJT post, PLEASE help me!
Some descriptions will be in Italian; if there is any problem with the language please let me know and I will translate to English.
Thank you in advance for your help and time....

Logfile of HijackThis v1.99.1
Scan saved at 0.10.57, on 18/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\Explorer.EXE
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Microsoft Office\Office\OSA.EXE
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\3Com\Bluetooth\BTCM.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\Programmi\3Com\Bluetooth\btprot.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Downloads\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - Global Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Programmi\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A27DAEC0-4ECB-43B1-AA14-39C70AD2FE34}: NameServer = 193.70.152.25 193.70.192.25
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe

#2
little eagle
Here are the directions for creating a zip file in Windows XP:
Using Windows Explorer, locate the first file you want to zip.
(This will be the cab file the tool created on your desktop. Disregard this unless we have suggested using the tool spf.exe.)
Right click on the file and select Send To and Compressed (zipped) Folder.
Right click any other files you want to compress and select Copy.
Right click on the compressed folder and select Paste. The copied files will be compressed and pasted in.
Right click on the file and select Explore.

Please Zip this file and send it here


c:\windows\system32\flsmngr.dll



Should you need instructions for:
Showing hidden files and folders in Windows.
Reboot in safe mode.
How to set up a HijackThis folder correctly to make backups.
Scan with Spybot S&D and Ad-Aware
Click the underlined links above.


Reboot in safe mode.
Close all Browser and Program Windows and have HijackThis fix the following.
Do this by checking the box beside each and then clicking on Fix checked.

O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O18 - Filter: text/html - (no CLSID) - (no file)


Delete the following file(s) listed.
Then click start>my computer>local disk
(then follow the path) (do a search for this one. It'll probably be in c:\windows or c:\windows\system32.)
C:\WINDOWS\System32\spoolsrv32.exe
C:\WINDOWS\web\related.htm



Reboot, then download, install, and run CCleaner.
Under the Windows tab check Internet Explorer, Windows Explorer, and System,
then click Run Cleaner.

Rescan with HJT and post a new log here.
Also please describe how your computer behaves now.

Edited by little eagle, 17 April 2005 - 04:40 PM.

#3
pollyann
Hello little-eagle, thank you for your help.
Sorry for the very late answer, but I got caught at work much longer than planned and I cannot access this site from the office.
However: after having done what you suggested, here are my findings:
1/ at startup no more Windows system blue screen alert about this trojan planning to make my life very miserable....
2/ but, desktop is still prisoner of this nasty malware: all black, with a window full of security threats (like YOU'RE IN DANGER PROTECT YOURSELF, BLAH BLAH BLAH)
3/ cannot change desktop properties: all locked
4/ it seems that the Windows yellow triangle no longer appears in the lower right corner of the screenbar.
5/ IE seems to run much better now (no surprise after all this cleaning)
6/ flsmngr.dll zipped and sent to your email as requested

One point more: I couldn't download and run Ad-Aware yet on this pc, while I did everything else.

Here below the last report from HJT after all the work:

Logfile of HijackThis v1.99.1
Scan saved at 0.23.34, on 19/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\iTunes\iTunesHelper.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Microsoft Office\Office\OSA.EXE
C:\Programmi\3Com\Bluetooth\BTCM.exe
C:\Programmi\3Com\Bluetooth\btprot.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Downloads\Antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
O4 - HKLM\..\Run: [MMTray] C:\Programmi\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Programmi\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A27DAEC0-4ECB-43B1-AA14-39C70AD2FE34}: NameServer = 193.70.152.25 193.70.192.25
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Programmi\File comuni\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Programmi\Panda Software\Panda Titanium Antivirus 2004\PsImSvc.exe
  • 0
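
An added example, not part of any post in this thread: a small Python check that compares the HijackThis log from post #1 with the one above against the entries post #2 asked to have fixed. The function names are made up for this illustration, and the three inputs are trimmed excerpts of the lines posted in the thread.

```python
import re
from collections import Counter

# A HijackThis entry starts with a section code (R1, O4, O10, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

def parse_hjt(log_text):
    """Count (code, body) entries; header and process lines are skipped."""
    entries = Counter()
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries[(m["code"], m["body"].strip())] += 1
    return entries

def check_fix(before, after, requested):
    """Report what happened to the entries the helper asked to have fixed."""
    b, a, req = parse_hjt(before), parse_hjt(after), parse_hjt(requested)
    return {
        "fixed": sorted(e for e in req if e in b and e not in a),
        "still_present": sorted(e for e in req if e in a),
        "new": sorted(e for e in a if e not in b),
        # Entries in both logs, with how many times they appear now.
        "carried_over": sorted((e, a[e]) for e in a if e in b),
    }

# Trimmed excerpt of the log in post #1.
BEFORE = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\spoolsv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O18 - Filter: text/html - (no CLSID) - (no file)
"""

# Trimmed excerpt of the log in post #3.
AFTER = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\ccleaner.exe" /AUTO
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
"""

# Entries post #2 asked to have fixed (the second O9 line is left out here).
REQUESTED = r"""
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Filter: text/html - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for status, items in check_fix(BEFORE, AFTER, REQUESTED).items():
        print(status)
        for item in items:
            print("   ", item)
```

On these excerpts all four requested entries are gone, the R1 search URL and the three O10 flsmngr.dll LSP entries are carried over, and the only new entry is the CCleaner Run key.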

#4
pollyann

Hello, I am wondering if someone can answer me....I do know you are all very busy, but I am in the middle of nowhere, waiting for some light at the end of the tunnel....I last posted on April 18th, don't want to be a pain in the neck, but I still have my desktop blocked by this smitfraud, tried everything also ad-aware scan, now I do not know what to do....
Could someone please help me?
Thank you in advance

#5
little eagle
Having someone look at it now. Metallica is one of the best and this looks new.

#6
pollyann
Just my luck...
Well, thank you very much indeed, hope this will help increase the knowledge about those d$&%#ed spyware...at least...
Waiting for your and Metallica's feedback.
Cheers

#7
little eagle
Download Pocket Killbox and unzip it; save it to your Desktop.

Then let's get your internet connection sorted by downloading LSP-Fix.
Run the application, and click the "I know what I'm doing" checkbox.

Check all instances of
flsmngr.dll (and nothing else)
and move them to the "Remove" pane and then hit Finish.

Start HijackThis and put a check mark by

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://top-find4u.com/sp.htm
Click fix,


Run Pocket Killbox and click the radio button that says Delete a file on reboot. Paste

c:\windows\system32\flsmngr.dll

into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; reply Yes.

Rescan with Hijackthis and post another log.

Edited by little eagle, 21 April 2005 - 05:23 PM.

#8
pollyann
Well, what can I say....
my husband just couldn't wait and got his hands on the computer and ran Ad-Aware & NOD32 (should be an antivirus), thus I couldn't find anything you listed any longer...

The desktop screen now is completely white (it was completely black before), still locked, but the nasty message doesn't appear any longer.

In spite of this mess, my husband managed to stay alive....don't know for how long, though....

My last HJT report here below, thank you for your follow-up, I'm quite depressed...

Logfile of HijackThis v1.99.1
Scan saved at 22.40.24, on 23/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Programmi\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programmi\iPod\bin\iPodService.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Programmi\QuickTime\qttask.exe
C:\Programmi\Eset\nod32kui.exe
C:\Programmi\WLAN CARD\WLANmon.exe
C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE
C:\Programmi\Microsoft Office\Office\OSA.EXE
C:\Programmi\3Com\Bluetooth\BTCM.exe
C:\Downloads\Antispyware\HijackThis.exe

O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Programmi\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Programmi\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [WLAN CARD WLAN Monitor] C:\Programmi\WLAN CARD\WLANmon.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ccleaner] "C:\Programmi\CCleaner\ccleaner.exe" /AUTO
O4 - Global Startup: Avvio Office.lnk = C:\Programmi\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Bluetooth Connection Manager.lnk = C:\Programmi\3Com\Bluetooth\BTCM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Crea preferiti portatile - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Programmi\Microsoft ActiveSync\INetRepl.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BDDED05-F3A6-40E5-B4D0-F69812496CCF}: NameServer = 192.168.0.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A27DAEC0-4ECB-43B1-AA14-39C70AD2FE34}: NameServer = 193.70.152.25 193.70.192.25
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Programmi\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Servizio iPod (iPodService) - Apple Computer, Inc. - C:\Programmi\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - C:\Programmi\Eset\nod32krn.exe

#9
little eagle
Download the trial version of TDS-3
Install it, but do not launch it yet

Update it here: right click, select "save as".

Save it to the directory where you installed TDS-3, overwriting the previous radius.td3.

Then launch TDS-3. In the top bar of the TDS window click System Testing > Full System Scan.
Detections will appear in the lower pane of the TDS window. After the scan is finished (it'll take a while),
right click the list and select save as txt. Save it and post the contents of the scandump.txt here.

After posting the scandump, go ahead and right click the list of detections again. This time select delete!
Only delete those with positive identification.

#10
pollyann
Hi little-eagle, here below the report from TDS-3.
Hope this will help, cheers.


Scan Control Dumped @ 00.41.28 25-04-05
Suspicious Filename: Dual extensions
File: c:\borsa\finanza\metastock upgrades\pro652b - pro652b.exe.exe

Suspicious Filename: Dual extensions
File: c:\documenti betta\analisi tecnica\italia-invest.com.doc

Suspicious Filename: Dual extensions
File: c:\downloads\setupdvddecrypter_3.5.2.0.exe

Suspicious Filename: Dual extensions
File: c:\musica\bearinst - bear2.2.2.exe

Positive identification <Adv>: Possible WebDownloader
File: c:\programmi\ddm\ddm_d.exe

Positive identification: Adware.F1Org Dropper
File: c:\programmi\ddm\1799\mindset.exe

Positive identification: Adware.F1Org Dropper
File: c:\programmi\ddm\7440\mindset.exe

Suspicious Filename: Dual extensions
File: c:\programmi zip\dvd stuff\dvd decrypter\setupdvddecrypter_3.5.0.0.exe

Suspicious Filename: Dual extensions
File: c:\programmi zip\games\avernum\avernum2demo - avernum2.1.0.exe

Suspicious Filename: Dual extensions
File: c:\scarico internet\setupdvddecrypter_3.2.1.0.exe

Positive identification: Mslog Webdownloader
File: c:\windows\ntixld.exe

Positive identification: TrojanClicker.Win32.Small.an1
File: c:\windows\system32\consys99.exe

Positive identification (DLL): TrojanDownloader.Win32.Esepor.e (dll)
File: c:\windows\system32\xplugin.dll

#11
little eagle
Only delete those with positive identification.

Then go here and run online scans; allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner

Note anything that can't be fixed.
Reboot when done. Rescan with HJT and post a new log here.