Full Version: Biiiiiiiiig Problem With Trojans...
rotting
I found this site without knowing how....

Great work on helping people out...

Well.... this is my problem:

I have an ACER comp with XP home edition SP2.

I have Norton Anti-Virus Internet security 2007, Spyware Doctor, and Super Spyware installed and working...

The Norton started acting weird and millions of pop-up messages are invading my comp.

This is what it says on top of those "messages": E-mail Proxy

In the messages it said: Error sending e-mail to ??? (a lot of Yahoo addresses and porn/advertising sites).

Norton couldn't block this because it won't accept it as a virus, so I installed Spyware Doctor and SuperSpyware.

They blocked it and sent the trojans to the quarantine.

My comp is slow, but it blocked the virus, or at least "hid" it, because I don't get those messages anymore.

This is the quarantine log from SuperAntispyware:

SUPERAntiSpyware Scan Log
Generated 04/25/2007 at 09:41 AM

Core Rules Database Version : 3224
Trace Rules Database Version: 1235

Memory threats detected : 0
Registry threats detected : 11
File threats detected : 105

Adware.Tracking Cookie

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Virus.HiddenDragon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#DeviceDesc

Trojan.Unknown Origin
C:\WINDOWS\system32\vx.tll

Trojan.SpySheriff
C:\xxdsejo.exe
C:\mntmugrl.exe

And I know I have more in Spyware Doctor...

Can anyone help me to clean this?

Thx for the time reading this,

RIP
jgweed
When items are put in quarantine, they can no longer harm your computer, but can be restored if by some chance the application found a "false positive."
If, after a few days, no problems in functionality are found, you can simply delete these files (the various applications have a delete function).

The problem is that however good these applications may be, there may be residue left on your computer. In the case of SpySheriff, you may wish to follow the steps in the Self-Help Removal Guide here at BC:

http://www.bleepingcomputer.com/forums/topic52345.html

Once you have deleted all the quarantined files, and completed the steps to remove SpySheriff, I would follow the guidance at the end of the Guide and submit a HJT log to our team of volunteers. They will review its contents and look for anything that might have been missed.


Regards,
John
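The scan log from the first post, parsed and triaged, as an added example (not code from this thread or from SUPERAntiSpyware): it separates the tracking-cookie noise from the registry keys, the LEGACY_* service residue and the executables, which is where John's point about leftover residue applies. The input is a constructed excerpt of that log, and the category rules are my own assumptions, not the scanner's.

```python
import re
# Constructed excerpt in the layout of the SUPERAntiSpyware log posted above (two cookie lines plus all registry/file entries).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log

Adware.Tracking Cookie
C:\Documents and Settings\Rip\Cookies\rip@mb[5].txt
C:\Documents and Settings\Rip\Cookies\rip@atdmt[2].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Virus.HiddenDragon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service

Trojan.Unknown Origin
C:\WINDOWS\system32\vx.tll

Trojan.SpySheriff
C:\xxdsejo.exe
C:\mntmugrl.exe
"""
# A detection line is a drive path or a registry key (SAS writes values as key#value).
ENTRY = re.compile(r"^([A-Z]:\\|HKLM\\|HKCU\\|HKEY_[A-Z_]+\\)", re.I)

def parse_scan_log(text):
    """Return {category: [entries]}; a detection block is a name heading a run of paths/keys."""
    found = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l.strip() for l in block.splitlines()]
        if len(lines) > 1 and not ENTRY.match(lines[0]) and all(map(ENTRY.match, lines[1:])):
            found[lines[0]] = lines[1:]
    return found

def triage(found):
    """Split entries into cookie noise, registry keys, service residue and binaries (assumed rules)."""
    out = {}
    for category, entries in found.items():
        for e in entries:
            if category == "Adware.Tracking Cookie":
                kind = "cookie"
            elif e.upper().startswith("HK"):
                # Enum\Root\LEGACY_* keys are what a service/driver registration leaves behind
                kind = "service_residue" if r"\ENUM\ROOT\LEGACY_" in e.upper() else "registry"
            else:
                kind = "binary"
            out.setdefault(kind, []).append(e)
    return out
```

Running `triage(parse_scan_log(SAMPLE_LOG))` leaves the cookies aside and surfaces the two ClickSpring keys, the two LEGACY_POWERMANAGER entries and the three executables as the items worth checking after quarantine is emptied.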
rotting
thx bro.... awesome work.... I will do that...

...now.... how and when can I delete the quarantined files? I only see Remove or Restore buttons..... and when I hit Remove last time, it just threw the trojans back onto the comp....

And, another thing.... these "bugs" are only in SuperSpyware.... in Spyware Doctor is where the "big" ones are....

And Spyware Doctor blocked a site.... it said "Spyware Doctor blocked a bad site, IP 87.249.38.126"

And the messages I got from Norton showed me these sites:

www.demon.net
www.yceml.net

And I did some research on the IP above, I found this:

Results of IP Tracking for 87.249.38.126
IP address 87.249.38.126
Hostname NOLAZ-pc-38-126.unnet.ru
ISP big factory net
Country Russia

Does this help? I truly hope so....

RIP



Now.... I performed the fix with the software you mentioned above.... this is the final log....

SmitFraudFix v2.171

Rapport fait à 20:54:33,95, 26-04-2007
Executé à partir de C:\Documents and Settings\Rip\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.1 195.162.161.182
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.1 195.162.161.182


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

Is it fixed now?
jgweed
Each application has different delete options for quarantined files; checking the HELP for each will tell you how to delete them.
Once you have done this, then it would be appropriate to submit a HJT log for review. Please carefully read and follow the instructions in this Guide:

http://www.bleepingcomputer.com/forums/topic34773.html

Cheers,
John