
Biiiiiiiiig Problem With Trojans...


#1 rotting


  • Members
  • 6 posts
  • Local time:04:38 AM

Posted 26 April 2007 - 05:19 AM

I found this site without knowing how.... :flowers:

Great work on helping people out... :thumbsup:

Well....this is my problem :

I have an ACER comp with XP home edition SP2.

I have Norton Anti-Virus Internet security 2007, Spyware Doctor, and Super Spyware installed and working...

The Norton started acting weird and millions of pop-up messages are invading my comp.

This is what it says on top of those "messages": E-mail Proxy

The messages said: Error sending e-mail to ??? (a lot of yahoo addresses and porn/advertising sites).

Norton couldn't block this cause it won't accept it as a Virus, so I installed Spyware Doctor and SuperSpyware.

They blocked it and sent the Trojans to the quarantine.

My comp is slow, but it blocked the virus, or at least "hid" it, cause I don't get those messages anymore.

This is the quarantine log from SuperAntispyware:

SUPERAntiSpyware Scan Log
Generated 04/25/2007 at 09:41 AM

Core Rules Database Version : 3224
Trace Rules Database Version: 1235

Memory threats detected : 0
Registry threats detected : 11
File threats detected : 105

Adware.Tracking Cookie



Trojan.Unknown Origin


And I know I have more in Spyware Doctor...

Can anyone help me clean this?

Thx for the time reading this,




#2 jgweed


  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:04:38 AM

Posted 26 April 2007 - 08:33 AM

When items are put in quarantine, they can no longer harm your computer, but can be restored if by some chance the application found a "false-positive."
If after a few days, no problems in functionality are found, you can simply delete these files (the various applications have a delete function).

The problem is that however good these applications may be, there may be residue left on your computer. In the case of SpySheriff, you may wish to follow the steps in the Self-Help Removal Guide here at BC:


Once you have deleted all the quarantined files, and completed the steps to remove SpySheriff, I would follow the guidance at the end of the Guide and submit a HJT log to our team of volunteers. They will review its contents and look for anything that might have been missed.

Whereof one cannot speak, thereof one should be silent.

#3 rotting

  • Topic Starter

  • Members
  • 6 posts
  • Local time:04:38 AM

Posted 26 April 2007 - 11:05 AM

:thumbsup: thx bro....awesome work....I will do that...

:flowers: ...now....how and when can I delete the quarantined files? I only see Remove or Restore buttons.....and when I hit Remove last time, it just threw the trojans back onto the comp....

And, another thing....these "bugs" are only in SuperSpyware....Spyware Doctor is where the "big" ones are....

And Spyware Doctor blocked a site....it said "Spyware Doctor blocked a bad site , IP"

And the messages I got from Norton showed me these sites :


And I did some research on the IP above, I found this :

Enter IP Address to Trace

Results of IP Tracking for
IP address
Hostname NOLAZ-pc-38-126.unnet.ru
ISP big factory net
Country Russia Russia

Does this help? I truly hope so....


Now....I performed the fixing with the soft you told me about above....this is the final log....

SmitFraudFix v2.171

Rapport fait à 20:54:33,95, 26-04-2007
Executé à partir de C:\Documents and Settings\Rip\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus

»»»»»»»»»»»»»»»»»»»»»»»» hosts localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=

»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Fin

Is it fixed now? :trumpet:

Edited by rotting, 26 April 2007 - 02:13 PM.

#4 jgweed


  • Members
  • 28,473 posts
  • Gender:Male
  • Location:Chicago, Il.
  • Local time:04:38 AM

Posted 26 April 2007 - 06:36 PM

Each application has different delete options for quarantined files; checking the HELP for each will tell you how to delete them.
Once you have done this, then it would be appropriate to submit a HJT log for review. Please carefully read and follow the instructions in this Guide:


Whereof one cannot speak, thereof one should be silent.
