Removing wlnet.exe

[hexx]

hi, my firewall on every windows boot saying wlnet.exe conencting somewhere, wlnet.exe terminates all my anti virus, and security programs, so i have to relunch them. i Looked in regestry to remove it, buts its not there, i tried delete the file from system32 directory but the file was back i rebooted, is there a way I can get rid of that virus without actually formating??

Thanks

 

[mjack547]

Did not see anything on wlnet.exe from Sophos or Norton websites

Go to http://www.merijn.org/files/HijackThis.exe and download 'Hijack This!'.
make sure it is placed into it's own folder, not a temporary folder. Then doubleclick the Hijackthis.exe.
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log (in the security section)
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

If Merijn.org is still down due to the DDOS attack on it, the alternative download sites for Hijackthis are:
http://www.oneknight.co.uk
http://www.sherrylynn.us/HijackThis.exe
http://mjc1.com/mirror/hjt/
http://www.majorgeeks.com/downloads31.html
http://www.spywareinfo.com/~merijn/downloads.html

 

[Flrman1]

Please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.

 

[hexx]

thanks, its not "winet.exe" its "wlnet.exe" with L here the log:

Logfile of HijackThis v1.97.7
Scan saved at 12:00:38 AM, on 10/04/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Net-Commando 2000\NC2000.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://hispeed.rogers.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [NetCommando2000AutoLoad] C:\Program Files\Net-Commando 2000\NC2000
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Instant Messenger (TM) (HKLM)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37813.5616666667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

 

[Flrman1]

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

Restart your computer.


Go here

Scroll to the bottom of the page and look for the Submit file section.

Click on Browse

Navigate to the .... wlnet.exe .... file and let us know what you find.

 

[hexx]

ok..it says the file is ok but i think its undetected..it still comes back up after I restarted.

 

[Flrman1]

There's nothing showing in your HJT log. Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.

 

[hexx]

StartupList report, 10/04/2004, 12:31:03 AM
StartupList version: 1.52
Started from : C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Net-Commando 2000\NC2000.EXE
C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\home\Desktop\hijackthis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Zone Labs Client = C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
NetCommando2000AutoLoad = C:\Program Files\Net-Commando 2000\NC2000
PCCClient.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\PCCClient.exe"
pccguide.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\pccguide.exe"
Pop3trap.exe = "C:\Program Files\Trend Micro\PC-cillin 2003\Pop3trap.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

InstallShieldSetup = C:\PROGRA~1\INSTAL~1\{7F5E2~1\Setup.exe -rebootC:\PROGRA~1\INSTAL~1\{7F5E2~1\reboot.ini -l0x9

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{42CE4021-DE03-E3CC-EA32-40BB12E6015D}]
StubPath = C:\WINDOWS\System32\mskfbr.com

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=C:\windows\system32\tskmon.exe

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[MessengerStatsClient Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\messengerstatsclient.dll
CODEBASE = http://messenger.zone.msn.com/binary/MessengerStatsClient.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37813.5616666667

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[SDKInstall Class]
InProcServer32 = C:\WINDOWS\sdkinst.dll
CODEBASE = http://activex.microsoft.com/activex/controls/sdkupdate/sdkinst.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Creative Service for CDROM Access: C:\WINDOWS\System32\CTSvcCDA.exe (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Machine Debug Manager: "C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe" (autostart)
nVidia WDM Video Capture (universal): System32\DRIVERS\nvcap.sys (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
nVidia WDM TVTuner: System32\DRIVERS\nvtunep.sys (autostart)
nVidia WDM TVAudio Crossbar: System32\DRIVERS\nvtvsnd.sys (autostart)
nVidia WDM A/V Crossbar: System32\DRIVERS\NVxbar.sys (autostart)
PC-cillin Personal Firewall: C:\Program Files\Trend Micro\PC-cillin 2003\PccPfw.exe (autostart)
PCTEL Speaker Phone: %SystemRoot%\system32\pctspk.exe (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Simple Mail Transfer Protocol (SMTP): C:\WINDOWS\System32\inetsrv\inetinfo.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Tmfilter: System32\drivers\TmXPFlt.sys (autostart)
Trend NT Realtime Service: "C:\Program Files\Trend Micro\PC-cillin 2003\Tmntsrv.exe" (autostart)
Tmpreflt: System32\drivers\Tmpreflt.sys (autostart)
Trend Micro Proxy Service: C:\Program Files\Trend Micro\PC-cillin 2003\tmproxy.exe (autostart)
Trend Micro TDI Driver: \SystemRoot\System32\Drivers\tmtdi.sys (autostart)
Common Firewall Driver: \SystemRoot\System32\Drivers\tm_cfw.sys (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Vsapint: System32\drivers\Vsapint.sys (autostart)
vsdatant: \??\C:\WINDOWS\System32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Wide Web Publishing: %SystemRoot%\System32\inetsrv\inetinfo.exe (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\victor\cookies\[email protected][2].txt||c:\documents and settings\victor\cookies\[email protected][2].txt


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll

--------------------------------------------------
End of report, 14,004 bytes
Report generated in 0.156 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Flrman1]

I don't see anything in the startuplist.

Would you put a copy of that file in a zipped folder and send it to me here. Please include a link to this thread so I'll remember where it came from. I'll let you know what I find out.

 

[hexx]

you got the email?

 

[Flrman1]

Sorry about taking so long to get back to you, but it was a busy holiday. I submitted the file for analysis and this is the response I got "This is a modified BEAST trojan".

Have you managed to get rid of it?

 

[hexx]

no, no luck yet, i downloaded Trojan Hunter but it dont find anything, and i Lunch wlnet.exe its will just simple close the trojanhunter any idea how to remove it?

 

[Flrman1]

I was told that Trojan Hunter would remove it. The only other program that I know of that should remove it is TDS-3.

Download TDS-3 from http://www.wilders.org/anti_trojans.htm

This is a Trial version so you will have to do the update manually.
The automatic update only works with the registered version which costs $49.

Update it following the instructions here:
http://tds.diamondcs.com.au/index.php?page=update

Under the "Manual Update" right click on the radius.td3 file and choose "Save target as".
Then in the "Save in" box browse to the C:\Program Files\TDS3 folder
(provided that is the location of your TDS-3 directory)and save it there.
A prompt will appear telling you that there is already a radius.td3 file there "do you want to overwrite it" click Yes.

Run the "full System scan" , preferably in safe mode.

Note: Temporarily disable your Antivirus program.
Launch TDS-3 and click on "System Testing" then "Full System Scan" and the scan will begin.

TDS-3 does not automatically remove infected files that it finds. It will display what it has found in the lower portion of the main window and it will either say "Positive Identification etc...." or "Suspicious File". Anything with a positive identification you should right click and delete. Don't do anything with the suspicious ones yet just right click the suspicios ones and save as .txt. Leave TDS-3 open and running after the scan and then go to the TDS-3 folder (usually C:\Program Files\TDS) and look for a scandump.txt file. Open the scandump.txt file and copy and paste it's contents here. Once we see the scandump file we can determine what to do with the suspicious ones. Many times the suspicious files are harmless.

 

[hexx]

Scan Control Dumped @ 20:58:10 13-04-04
RegVal Trace: RAT.Beast: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

RegVal Trace: RAT.Beast: HKEY_CURRENT_USER
File: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [COM Service=C:\windows\msagent\msptmf.com]

Positive identification: RAT.Beast 2.05c
File: c:\windows\tmp3.exe

Positive identification (DLL): RAT.Toquito Bandito 1.1 FWB (dll)
File: c:\windows\winhost32.dll

Positive identification: RemoteAdmin.RAdmin 2.1
File: c:\windows\system32\r_server.exe

Positive identification (DLL): RemoteAdmin.RAdmin 2.0 (dll)
File: c:\windows\system32\admdll.dll

Positive identification: RAT.Beast 2.05c
File: c:\windows\system32\wlnet.exe

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system32\msvbvm06.dll

Positive identification: RAT.Beast 2.05c
File: c:\windows\system32\mskfbr.com

Positive identification (DLL): Keylog.HotKeysHook (dll) (Possible Keylog DLL)
File: c:\windows\system32\[email protected]@@k.dll.tcf

Positive identification (DLL): RAT.Optix Pro 1.32 Retail Cloaker (dll)
File: c:\windows\system32\ldrmsvbvm06.dll

Positive identification: RAT.Beast 2.05c
File: c:\windows\msagent\msptmf.com

Positive identification: TrojanDownloader.Win32.Dyfuca.g
File: c:\program files\ddm\0\optimize.exe

Positive identification (DLL): RemoteAdmin.RAdmin 2.0 (dll)
File: c:\program files\radmin\admdll.dll

Positive identification: RemoteAdmin.RAdmin 2.1
File: c:\program files\radmin\r_server.exe

 

[Flrman1]

Did you delete all those TDS-3 found?