Win32.Small.ddx



DazzleSurprise
2006-10-18, 00:30
I did a scan with spybot today and found this file.

I looked up some info and found that it was dangerous. I did fix it, but is there anything else I need to remove to make sure it won't come back? Anyone else had this file and can tell me any info I need to know?

It also found this statcounter cookie that took two fixes to delete. Is that normal?

thanks in advance

Jon_J
2006-10-18, 21:02
Bump..
I also have this problem showing in the latest upgrade.
Win32.Small.ddx
I can "fix" it in spybot, but if I run spybot again, it is still there.
I did some googling and found references to two files and three entries in the registry.
I don't have these two files on my machine. (mpcsvc.exe) or (bensorty03.dll)

I found the three entries in the registry and deleted them.

c2948.dll
z15.exe
5adbc.dll
Again, I searched my machine for the above 3 files with advanced search and didn't find these 3 files.
When I run spybot again, there is still a problem that shows Win32.Small.ddx
I use Firefox 1.5.0.7
I quit using Internet Explorer 5 years ago and only use it for windows update.

Scott
2006-10-18, 21:02
same here!

DazzleSurprise
2006-10-19, 06:01
I wonder if it's an error on Spybot's part? Usually if a lot of people have something, it is a false alarm. Anyone have more info?

I did a search on my computer and it didn't find those three files. I am not sure if I looked in the registry....I'm not sure how. Do you think it's something to worry about?

Thanks for the responses.

guestint
2006-10-19, 23:32
I have the same problem, did a scan with spybot and found win32.small.ddx, fixed it and scanned again, the file was/is still there.

would really like some help too..

thx in advance

mrmalibu
2006-10-20, 07:20
I also found this win32.small.ddx. I then typed it in the Search (for files & documents) on my computer and located it there too. So I deleted it and then emptied it out of the Recycle Bin & it now be gone... I hope for a while at least... oops, spoke too soon, it's back. I'll keep trying... bill. PS: help is still needed on this one

mrmalibu
2006-10-20, 07:59
I finally got rid of it,

Yodama
2006-10-20, 13:32
hi,

I checked on the detection rules and there are no false positives. All your scan results do show a real Win32.Small.ddx infection.
It is possible that newer variants have additional files which do not get detected and recreate deleted files.

if possible please zip or rar the files you find and create a Spybot/Runalyzer log and submit it to detections-at-spybot.info ( replace -at- with @ )

pogue
2006-10-20, 15:44
I got the same result from a scan after updating today. The only results are cookies from the domain emjcd.com (http://www.alexa.com/data/details/main?q=&url=emjcd.com), which is just another domain used by Commission Junction (CJ) for affiliate/referral links. The argument could possibly be made for it possibly being a cookie from a site with privacy issues, but it doesn't seem to have anything to do with the description given for Win32.Small.ddx (http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Win32.Small.ddx&threatid=50018). So, I would consider it to probably be a false positive. I sent a log with my results to the email address posted above by Yodama.

http://img139.imageshack.us/img139/5471/spybotwin32smallddxkv9.th.jpg (http://img139.imageshack.us/my.php?image=spybotwin32smallddxkv9.jpg)

mrmalibu
2006-10-20, 18:38
After putting in win32.small.ddx in Search for Files and Documents on my computer I found it there too (as I said earlier). I deleted it... then deleted it from the Recycle Bin and ran it again, found it and deleted it, ran it again and NO MAS. I also ran it a few more times since yesterday and... I see it No More

Old_Crow
2006-10-21, 05:23
There are definitely false positives around - in my case the detection was triggered by a very old IE shortcut. I checked it out to confirm that that's really what it was, and the detection seemed to have triggered on:

[InternetShortcut]
URL=http://www.sysenhance.com/html/d_l_links.html

I've also duly forwarded the diagnostics to the address given by Yodama, before deleting the offending shortcut.

Old_Crow

mrmalibu
2006-10-21, 07:16
Now I am having trouble getting rid of this win32.small.ddx... my earlier way did not work... it keeps coming back. HELP HELP PLEASE... mrmalibu

tashi
2006-10-21, 09:11
Hello mrmalibu.

This is the procedure for posting in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

1) "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)


Thanks

doug1026
2006-10-21, 15:21
I am running WIN 98SE. I downloaded the latest updates from Spybot and found Win32.Small.ddx. I selected 'Fix the Problem', it did. I clicked 'Recovery' and no files were shown. I ran Spybot again, as many had said they did, and no more Win32.Small.ddx. :) Remember, if you run ME or later (XP), you have to disable Restore or disk monitoring BEFORE running Spybot or you will likely never get rid of the problem...much like many viruses.

Good Luck.

Volodya
2006-10-23, 05:03
I was getting this tracking cookie repeatedly. I kept scanning but it kept appearing. I just finished a scan and it did not appear. What I did was manually block the cookie websites:

emjcd.com
c.cenhance.com
apmebf.com

I'll keep doing the Spybot scans for a while though..

pogue
2006-10-24, 04:17
I received a response from my email of the log I sent to detections.


Win32.Small.ddx is a tracking cookie.

We are sorry, but the Immunization does not work for Firefox, it is only for the Internet Explorer. ActiveX isn't supported by Firefox, so there is no need for protection there.
Maybe in one of the coming versions there will be a bad download blocker for Firefox, but not at the moment.

Once in a while Spybot has trouble removing those.
Here is a thread in our forum that deals with the same problem:
http://forums.spybot.info/showthread.php?t=3008

If you don't have any other cookies you want to save in Firefox, you could click the Remove All Cookies button. This would be easiest, but don't do it if you have any cookies you want to keep.

If you do have other cookies in Firefox you want to keep, you could remove the cookies manually from within Firefox. To do so go to Tools->Options->click the Cookies tab, then click the View Cookies button.
Looking off the Spybot report, scroll through the list to find the tracking cookie(s), then click on the tracking cookie with your mouse, and then click on the remove cookie(s) button.

Or you could try doing another scan with Spybot and see if it removes the tracking cookies this time (though it might not work, but you could try and see).

There's an article here, showing how to block third party cookies.
http://www.spybot.info/en/faq/37.html

It is also recommended to use SpywareBlaster, which has an option to Prevent ad/tracking cookies in Firefox.
http://www.javacoolsoftware.com/spywareblaster.html

Best regards
Sandra
Team Spybot

That seems to be contradictory to the information I've seen about this particular bit of malware though. But, if it's only a tracking cookie I am not that concerned about it, as cookies are really non-intrusive.

If you continue to receive this result each time you scan with Spybot, don't be concerned. All it means is that you are visiting a website that uses Commission Junction as an affiliate (which many sites do) and it has stored itself as a cookie in your browser. I disagree with the assessment of the Spybot team of this cookie being particularly malicious.
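
Added example, not part of any post in this thread and not Spybot's own code: a small audit of a cookie file for the three domains Volodya listed, instead of scrolling the View Cookies dialog by hand. It assumes the browser profile stores cookies in the Netscape tab-separated `cookies.txt` format; the sample rows are constructed.

```python
# Added example: audit a Netscape-format cookies.txt for tracker domains.
TRACKER_DOMAINS = {"emjcd.com", "c.cenhance.com", "apmebf.com"}  # from the thread

# Constructed sample rows, tab-separated:
# domain, include-subdomains flag, path, secure, expiry, name, value
SAMPLE = "\n".join([
    "# HTTP Cookie File",
    ".emjcd.com\tTRUE\t/\tFALSE\t1893456000\tLCLK\tconstructed-value",
    "www.apmebf.com\tFALSE\t/\tFALSE\t1893456000\tS\tconstructed-value",
    "forums.example.org\tFALSE\t/\tFALSE\t1893456000\tsession\tkeep-me",
    "notemjcd.com\tFALSE\t/\tFALSE\t1893456000\tid\tlookalike-not-a-match",
    "",
])

def is_tracker(host, trackers=TRACKER_DOMAINS):
    """True if host equals a tracker domain or is a subdomain of one."""
    host = host.lower().lstrip(".")
    # Match on a label boundary so "notemjcd.com" is not taken for "emjcd.com".
    return any(host == t or host.endswith("." + t) for t in trackers)

def split_cookies(text, trackers=TRACKER_DOMAINS):
    """Return (flagged, kept_lines); flagged is a list of (domain, name)."""
    flagged, kept = [], []
    for line in text.splitlines():
        fields = line.split("\t")
        # Comments, blank lines and malformed rows are preserved untouched.
        if line.startswith("#") or len(fields) != 7:
            kept.append(line)
            continue
        if is_tracker(fields[0], trackers):
            flagged.append((fields[0], fields[5]))
        else:
            kept.append(line)
    return flagged, kept

if __name__ == "__main__":
    flagged, kept = split_cookies(SAMPLE)
    for domain, name in flagged:
        print("tracking cookie:", domain, name)
    print("\n".join(kept))  # file content with the flagged rows dropped
```

Run it against a copy of the cookie file with the browser closed, since the browser rewrites the file on exit.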

belgofac
2006-10-25, 08:24
The same problem here. This trojan infected 3 of my PCs connected via a router. Cannot get rid of it with Spybot. Tried with system restore disabled. Nope.

Doug: you better scan again because it regenerates itself after a defined period of time.

belgofac
2006-10-27, 02:28
Trojan or not?

I cannot work it out anymore. I scanned with several other anti-spyware scanners like Ad-Aware, Spyware Doctor, AVG Anti Spyware etc... and they cannot discover this win32.small.ddx trojan. Spybot keeps on bringing it up though but cannot remove it?

Dakota
2006-11-26, 22:27
I got rid of all of those by deleting all my cookies in Firefox.