"David H. Lipman" wrote
> From: "John Gawe"
>
>
> |
> | Well David, I did.
> | But it doesn't work.
> | This s* is still here..
> What is the fully qualified name and path to the infected executable ?
I couldn't find it yet.
> What software identified "W32/Spybot.FS" ?
There was no software.
I did a google search for "yyy.htm" - this is shown on every popup.
Google found a Spanish site.
See Art's answer above.
Then I tried Xoftspy.
It found a trojan entry in the registry. Something like "TR/Drop.Parado.a.1"
I deleted the entry and the file.
But then I found 3 suspect dll files in "Win2000/System32":
Weird filenames, like: 045785B145.dll, size of 229 KB
But HijackThis says: these are system files and puts them in O20 =
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
When I try to delete one of these suspect dlls, they are immediately
back.
Still don't know what to do.
John