TDS scan - what do I do now??

Discussion in 'Trojan Defence Suite' started by M3boy, May 13, 2004.

Thread Status:
Not open for further replies.
  1. M3boy (Registered Member; joined May 13, 2004; 1 post)

    I have installed TDS-3 and let it do a full scan. Here is the result:

    Scan Control Dumped @ 22:38:54 13-05-04
    RegVal Trace: RAT.Roxy please submit: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\Run [lar=C:\WINDOWS\system32\llass.exe

    RegVal Trace: RAT.Roxy please submit: HKEY_LOCAL_MACHINE
    File: Software\Microsoft\Windows\CurrentVersion\RunServices [lar=C:\WINDOWS\system32\llass.exe

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: z:\documents and settings\william and ben\local settings\temp\installer2.exe

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: z:\documents and settings\william and ben\local settings\temp\installer2.exe

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: z:\documents and settings\william and ben\local settings\temp\installer2.exe.tmp

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: z:\documents and settings\william and ben\local settings\temp\installer2.exe.tmp

    Positive identification (DLL): Adware.Blazefind (dll)
    File: z:\windows\2_0_1browserhelper2.dll

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: z:\windows\key2.txt

    Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
    File: z:\windows\unstsa2.exe

    Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
    File: z:\windows\unstsa2.exe

    Positive identification (DLL): TrojanSpy.Win32.Briss.g (dll)
    File: z:\windows\downloaded program files\bridge.dll

    Positive identification (DLL): TrojanSpy.Win32.Briss.g (dll)
    File: z:\windows\downloaded program files\conflict.1\bridge.dll

    Positive identification (DLL): TrojanSpy.Win32.Briss.c (dll)
    File: z:\windows\system32\bridge.dll

    Positive identification (DLL): Keylog.KeybHook (dll) (Possible Keylog DLL)
    File: z:\windows\system32\keybhook.dll

    Positive identification <Adv>: Possible WebDownloader
    File: z:\windows\system32\notepad.exe


    Can someone please tell me what, if anything, I have to do?

    Many thanks
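The Scan Control dump above pairs every detection line with the "File:" line that follows it, and the two RegVal traces show the autostart persistence (Run and RunServices values launching a file named llass.exe from system32). The following is an added example, not code from the thread or from TDS-3, that parses that dump into records and builds a triage list: which file is autostarted, which detections belong to which file, and whether a basename is one character away from a well-known Windows binary name. The regular expressions are written from the sample lines in the post and are an assumption about the dump format; the list of Windows binary names and the one-edit "look-alike" check are the author's heuristic, not anything TDS-3 reports.

```python
"""Parse a TDS-3 'Scan Control' dump and build a triage list.

Added example, not part of the original thread or of TDS-3. The dump text is
copied from the first post above; the regexes are inferred from those lines
(an assumption about the format), as is the short list of Windows binary
names used for the look-alike check.
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Lines copied from the scan dump in the post above, trimmed to entries that
# exercise every record type: registry trace, file, DLL and <Adv> heuristic.
SAMPLE_DUMP = r"""Scan Control Dumped @ 22:38:54 13-05-04
RegVal Trace: RAT.Roxy please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Run [lar=C:\WINDOWS\system32\llass.exe

RegVal Trace: RAT.Roxy please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [lar=C:\WINDOWS\system32\llass.exe

Positive identification (embedded in file): TrojanClicker.Win32.Delf.r
File: z:\windows\unstsa2.exe

Positive identification <Adv>: Suspicious: Microsoft-tagged exe built with Borland compiler
File: z:\windows\unstsa2.exe

Positive identification (DLL): Keylog.KeybHook (dll) (Possible Keylog DLL)
File: z:\windows\system32\keybhook.dll

Positive identification <Adv>: Possible WebDownloader
File: z:\windows\system32\notepad.exe
"""

# Assumed record shapes, written from the sample lines above.
REGVAL_RE = re.compile(r"^RegVal Trace:\s*(?P<name>.+?)\s+please submit:\s*(?P<hive>\S+)$")
POSID_RE = re.compile(r"^Positive identification\s*(?:\((?P<kind>[^)]*)\)|<(?P<adv>Adv)>):\s*(?P<name>.+)$")
FILE_RE = re.compile(r"^File:\s*(?P<path>.+?)(?:\s+\[(?P<value>[^=\]]+)=(?P<data>.*))?$")

# Assumed list for the look-alike check (not from the page).
WINDOWS_BINARIES = {"lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                    "services.exe", "winlogon.exe", "explorer.exe", "notepad.exe"}


@dataclass(frozen=True)
class Hit:
    kind: str        # "regval", "embedded in file", "DLL", or "Adv" (heuristic)
    name: str        # detection name as printed in the dump
    path: str        # file path, or hive\key for a regval trace
    value: str = ""  # registry value name (regval only)
    data: str = ""   # registry value data, i.e. the autostarted file (regval only)


def parse_dump(text):
    """Return (timestamp, [Hit, ...]); a detection line is paired with the next 'File:' line."""
    timestamp, hits, pending = "", [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scan Control Dumped @"):
            timestamp = line.split("@", 1)[1].strip()
            continue
        m = REGVAL_RE.match(line)
        if m:
            pending = ("regval", m["name"], m["hive"])
            continue
        m = POSID_RE.match(line)
        if m:
            pending = (m["kind"] or m["adv"], m["name"], "")
            continue
        m = FILE_RE.match(line)
        if m and pending:
            kind, name, hive = pending
            if kind == "regval":
                hits.append(Hit(kind, name, hive + "\\" + m["path"], m["value"] or "", m["data"] or ""))
            else:
                hits.append(Hit(kind, name, m["path"]))
            pending = None
    return timestamp, hits


def autostart_files(hits):
    """Files launched from Run/RunServices values: the persistence to deal with first."""
    return sorted({h.data.lower() for h in hits if h.kind == "regval" and h.data})


def detections_by_file(hits):
    """Map each flagged path (lower-cased) to the set of detection names on it."""
    out = defaultdict(set)
    for h in hits:
        if h.kind != "regval":
            out[h.path.lower()].add(h.name)
    return dict(out)


def edit_distance(a, b):
    """Levenshtein distance, used to spot names like llass.exe next to lsass.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_name(path):
    """'system' if the basename is a known Windows binary, 'lookalike' if it is one edit away, else 'other'."""
    base = path.rsplit("\\", 1)[-1].lower()
    if base in WINDOWS_BINARIES:
        return "system"
    if any(edit_distance(base, w) == 1 for w in WINDOWS_BINARIES):
        return "lookalike"
    return "other"


def triage(text):
    """One dict per flagged file: detections, name check, and whether it is autostarted."""
    ts, hits = parse_dump(text)
    autostart = autostart_files(hits)
    byfile = detections_by_file(hits)
    files = {}
    for p in sorted(set(autostart) | set(byfile)):
        files[p] = {"detections": sorted(byfile.get(p, ())),
                    "name_check": classify_name(p),
                    "autostart": p in autostart}
    return {"timestamp": ts, "autostart": autostart, "files": files}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_DUMP), indent=2))
```

Running it on the sample lists llass.exe as the only autostarted file and marks it "lookalike" (one edit from lsass.exe), while notepad.exe in system32 is marked "system" because its name matches a real Windows binary: the two cases to submit for analysis before anything is deleted.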
     
  2. Pilli (Registered Member; joined Feb 13, 2002; 6,217 posts; Hampshire UK)

    Hi M3boy and welcome,
    Make sure you have the latest radius file from the DCS website:
    http://tds.diamondcs.com.au/index.php?page=update
    Save it to your main TDS3 folder and reload TDS3.
    Open the Scan Control, select all the options and do a full system scan. This may take some time.
    After the scan is completed you can right-click on any of the items in the lower console and select what action you want to take,
    i.e. File info, Submit file, Delete file or Save as text.
    Before deleting the files it would be a good idea to submit them (zipped if possible) to submit@diamondcs.com.au for analysis.
    To use TDS3's inbuilt mail server (the Submit button) you will need to add your email details under Configuration - Servers - SMTP: smtp.yourisp.com and the related email address.

    HTH Pilli
     
  3. Gavin - DiamondCS (Former DCS Moderator; joined Feb 10, 2002; 2,080 posts; Perth, Western Australia)

    Most of that is adware. You should go to the Adware/Hijack cleaning forum here at Wilders, read the posting rules, download both Adaware and SpybotSD, update them and clean with them :)

    Please email these files to submit@diamondcs.com.au, then delete them:
    C:\WINDOWS\system32\llass.exe
    z:\windows\system32\notepad.exe

    Everything reported there needs to be deleted. Try deleting them, but some (adware DLLs) will be in use and will be removed by the above process.
     