
Biiiiiiiiig Problem With Trojans...

3 replies to this topic

#1 rotting

Posted 26 April 2007 - 05:19 AM

I found this site without knowing how.... :flowers:

Great work on helping people out... :thumbsup:

Well....this is my problem :

I have an ACER comp with XP home edition SP2.

I have Norton Anti-Virus Internet security 2007, Spyware Doctor, and Super Spyware installed and working...

The Norton started acting weird and millions of pop-up messages are invading my comp.

This is what it says on top of those "messages": E-mail Proxy

The messages said: Error sending e-mail to ??? (a lot of yahoo addresses and porn/advertising sites).

Norton couldn't block this because it won't accept it as a virus, so I installed Spyware Doctor and SuperSpyware.

They blocked it and sent the Trojans to the quarantine.

My comp is slow, but it blocked the virus, or at least "hid" it, because I don't get those messages anymore.

This is the quarantine log from SuperAntispyware:

SUPERAntiSpyware Scan Log
Generated 04/25/2007 at 09:41 AM

Core Rules Database Version : 3224
Trace Rules Database Version: 1235

Memory threats detected : 0
Registry threats detected : 11
File threats detected : 105

Adware.Tracking Cookie
C:\Documents and Settings\Rip\Cookies\rip@mb[5].txt
C:\Documents and Settings\Rip\Cookies\rip@indexstats[2].txt
C:\Documents and Settings\Rip\Cookies\rip@revsci[2].txt
C:\Documents and Settings\Rip\Cookies\rip@cgi[1].txt
C:\Documents and Settings\Rip\Cookies\rip@atwola[1].txt
C:\Documents and Settings\Rip\Cookies\rip@nextstat[2].txt
C:\Documents and Settings\Rip\Cookies\rip@tracking.g3x[1].txt
C:\Documents and Settings\Rip\Cookies\rip@www.zanox-affiliate[1].txt
C:\Documents and Settings\Rip\Cookies\rip@counter.sexsuche[1].txt
C:\Documents and Settings\Rip\Cookies\rip@www.banner-farm[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ad.clix[1].txt
C:\Documents and Settings\Rip\Cookies\rip@findwhat[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ehg-ifilm.hitbox[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.cdfreaks[1].txt
C:\Documents and Settings\Rip\Cookies\rip@data4.perf.overture[2].txt
C:\Documents and Settings\Rip\Cookies\rip@z1.adserver[1].txt
C:\Documents and Settings\Rip\Cookies\rip@587[2].txt
C:\Documents and Settings\Rip\Cookies\rip@advertising[1].txt
C:\Documents and Settings\Rip\Cookies\rip@a[1].txt
C:\Documents and Settings\Rip\Cookies\rip@counter13.sextracker[1].txt
C:\Documents and Settings\Rip\Cookies\rip@counter14.sextracker[2].txt
C:\Documents and Settings\Rip\Cookies\rip@as-us.falkag[3].txt
C:\Documents and Settings\Rip\Cookies\rip@tacoda[2].txt
C:\Documents and Settings\Rip\Cookies\rip@adserver.easyad[2].txt
C:\Documents and Settings\Rip\Cookies\rip@tribalfusion[1].txt
C:\Documents and Settings\Rip\Cookies\rip@videoegg.adbureau[1].txt
C:\Documents and Settings\Rip\Cookies\rip@2o7[1].txt
C:\Documents and Settings\Rip\Cookies\rip@kanoodle[2].txt
C:\Documents and Settings\Rip\Cookies\rip@versiontracker[1].txt
C:\Documents and Settings\Rip\Cookies\rip@private.amsterdamlivexxx[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.criandosite.com[1].txt
C:\Documents and Settings\Rip\Cookies\rip@sel.as-us.falkag[1].txt
C:\Documents and Settings\Rip\Cookies\rip@www.1clickdvdcopy[2].txt
C:\Documents and Settings\Rip\Cookies\rip@xxxtoolbar[1].txt
C:\Documents and Settings\Rip\Cookies\rip@data3.perf.overture[2].txt
C:\Documents and Settings\Rip\Cookies\rip@shop.amsterdamlivexxx[1].txt
C:\Documents and Settings\Rip\Cookies\rip@webpower[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ds.clickexperts[2].txt
C:\Documents and Settings\Rip\Cookies\rip@bs.serving-sys[1].txt
C:\Documents and Settings\Rip\Cookies\rip@mdlfr[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ehg-techtarget.hitbox[2].txt
C:\Documents and Settings\Rip\Cookies\rip@msnportal.112.2o7[1].txt
C:\Documents and Settings\Rip\Cookies\rip@hypertracker[1].txt
C:\Documents and Settings\Rip\Cookies\rip@adtech[2].txt
C:\Documents and Settings\Rip\Cookies\rip@1067912086[1].txt
C:\Documents and Settings\Rip\Cookies\rip@atdmt[2].txt
C:\Documents and Settings\Rip\Cookies\rip@serving-sys[1].txt
C:\Documents and Settings\Rip\Cookies\rip@amsterdamlivexxx[2].txt
C:\Documents and Settings\Rip\Cookies\rip@microsoftwga.112.2o7[1].txt
C:\Documents and Settings\Rip\Cookies\rip@statcounter[2].txt
C:\Documents and Settings\Rip\Cookies\rip@stats1.webmetrics[2].txt
C:\Documents and Settings\Rip\Cookies\rip@click.cashengines[2].txt
C:\Documents and Settings\Rip\Cookies\rip@qnsr[1].txt
C:\Documents and Settings\Rip\Cookies\rip@franceguide[1].txt
C:\Documents and Settings\Rip\Cookies\rip@questionmarket[2].txt
C:\Documents and Settings\Rip\Cookies\rip@live.amsterdamlivexxx[2].txt
C:\Documents and Settings\Rip\Cookies\rip@m1.webstats4u[1].txt
C:\Documents and Settings\Rip\Cookies\rip@counter15.sextracker[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.planetactive[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ehg-vonage.hitbox[1].txt
C:\Documents and Settings\Rip\Cookies\rip@surfaccuracy[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.realtechnetwork[2].txt
C:\Documents and Settings\Rip\Cookies\rip@perf.overture[1].txt
C:\Documents and Settings\Rip\Cookies\rip@overture[1].txt
C:\Documents and Settings\Rip\Cookies\rip@tripod[1].txt
C:\Documents and Settings\Rip\Cookies\rip@c.goclick[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ifriends[2].txt
C:\Documents and Settings\Rip\Cookies\rip@filmloop.adbureau[1].txt
C:\Documents and Settings\Rip\Cookies\rip@counter9.sextracker[1].txt
C:\Documents and Settings\Rip\Cookies\rip@tagworld[1].txt
C:\Documents and Settings\Rip\Cookies\rip@rmbannerserver.agestado.com[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ehg-overseenet.hitbox[1].txt
C:\Documents and Settings\Rip\Cookies\rip@leadgenetwork[2].txt
C:\Documents and Settings\Rip\Cookies\rip@sexerror[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ehg-knightridder.hitbox[2].txt
C:\Documents and Settings\Rip\Cookies\rip@media.fastclick[2].txt
C:\Documents and Settings\Rip\Cookies\rip@counter6.sextracker[1].txt
C:\Documents and Settings\Rip\Cookies\rip@mediaplex[1].txt
C:\Documents and Settings\Rip\Cookies\rip@xiti[1].txt
C:\Documents and Settings\Rip\Cookies\rip@toplist[1].txt
C:\Documents and Settings\Rip\Cookies\rip@0[2].txt
C:\Documents and Settings\Rip\Cookies\rip@smileycentral[2].txt
C:\Documents and Settings\Rip\Cookies\rip@mb[3].txt
C:\Documents and Settings\Rip\Cookies\rip@adinterax[3].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.cnn[1].txt
C:\Documents and Settings\Rip\Cookies\rip@partypoker[2].txt
C:\Documents and Settings\Rip\Cookies\rip@partners.webmasterplan[2].txt
C:\Documents and Settings\Rip\Cookies\rip@clickbank[2].txt
C:\Documents and Settings\Rip\Cookies\rip@cz7.clickzs[2].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.pointroll[3].txt
C:\Documents and Settings\Rip\Cookies\rip@fastclick[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ads.zwoops[1].txt
C:\Documents and Settings\Rip\Cookies\rip@cts.metricsdirect[1].txt
C:\Documents and Settings\Rip\Cookies\rip@rotator.adjuggler[3].txt
C:\Documents and Settings\Rip\Cookies\rip@mb[1].txt
C:\Documents and Settings\Rip\Cookies\rip@adbrite[3].txt
C:\Documents and Settings\Rip\Cookies\rip@mb[2].txt
C:\Documents and Settings\Rip\Cookies\rip@nextag[1].txt
C:\Documents and Settings\Rip\Cookies\rip@web-stat[1].txt
C:\Documents and Settings\Rip\Cookies\rip@ientry[1].txt
C:\Documents and Settings\Rip\Cookies\rip@adlegend[1].txt
C:\Documents and Settings\Rip\Local Settings\Temp\Cookies\rip@ads.addynamix[2].txt

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR

Virus.HiddenDragon
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_POWERMANAGER\0000#DeviceDesc

Trojan.Unknown Origin
C:\WINDOWS\system32\vx.tll

Trojan.SpySheriff
C:\xxdsejo.exe
C:\mntmugrl.exe

And I know I have more in Spyware Doctor...

Can anyone help me to clean this?

Thx for the time reading this,

RIP
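A log like the one above mixes a hundred tracking cookies with a handful of items that actually matter (a LEGACY_ service key under Enum\Root, a .tll in system32, two executables dropped at the root of C:). The parser below is an added example, not code from the post or from SUPERAntiSpyware: it reads the log layout shown (header counts, then a category line followed by its detections), sorts each detection into registry or file, separates cookie noise from items worth reviewing, and cross-checks the header totals against what was actually listed. The sample log is a constructed excerpt of the post's own entries with the counts adjusted to match.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the SUPERAntiSpyware log in the post
# (header counts, then a category line followed by its detections, blank-line separated).
SAMPLE_LOG = """SUPERAntiSpyware Scan Log
Generated 04/25/2007 at 09:41 AM

Core Rules Database Version : 3224
Trace Rules Database Version: 1235

Memory threats detected : 0
Registry threats detected : 3
File threats detected : 5

Adware.Tracking Cookie
C:\\Documents and Settings\\Rip\\Cookies\\rip@mb[5].txt
C:\\Documents and Settings\\Rip\\Cookies\\rip@atdmt[2].txt

Adware.ClickSpring
HKLM\\Software\\ClickSpring
HKLM\\Software\\ClickSpring#UBWKR

Virus.HiddenDragon
HKLM\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_POWERMANAGER

Trojan.Unknown Origin
C:\\WINDOWS\\system32\\vx.tll

Trojan.SpySheriff
C:\\xxdsejo.exe
C:\\mntmugrl.exe
"""

COUNT_RE = re.compile(r"^(Memory|Registry|File) threats detected\s*:\s*(\d+)$")
CATEGORY_RE = re.compile(r"^[A-Za-z]+\.[^\\]+$")                      # e.g. Trojan.SpySheriff
REGISTRY_RE = re.compile(r"^(HKLM|HKCU|HKCR|HKU|HKEY_[A-Z_]+)\\", re.IGNORECASE)
FILE_RE = re.compile(r"^[A-Za-z]:\\")                                  # drive-letter path


def parse_sas_log(text):
    """Return (header_counts, {category: [(kind, path), ...]})."""
    counts = {}
    detections = defaultdict(list)
    category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            category = None          # a blank line ends the current category block
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m.group(1).lower()] = int(m.group(2))
        elif REGISTRY_RE.match(line) and category:
            detections[category].append(("registry", line))
        elif FILE_RE.match(line) and category:
            detections[category].append(("file", line))
        elif CATEGORY_RE.match(line):
            category = line
        # anything else (tool banner, database versions) is ignored
    return counts, dict(detections)


def triage(detections):
    """Separate tracking cookies (privacy noise, no code execution) from items that
    point at real compromise: registry keys, files in system32, dropped executables."""
    noise, review = [], []
    for category, items in detections.items():
        for kind, path in items:
            if category.startswith("Adware.Tracking Cookie"):
                noise.append(path)
            else:
                review.append((category, kind, path))
    return noise, review


def check_counts(counts, detections):
    """Compare the header totals with what was actually listed; a mismatch means the
    log was truncated when pasted or the format has changed."""
    seen = {"registry": 0, "file": 0}
    for items in detections.values():
        for kind, _ in items:
            seen[kind] += 1
    return {k: (counts.get(k, 0), seen[k]) for k in seen}


if __name__ == "__main__":
    counts, detections = parse_sas_log(SAMPLE_LOG)
    noise, review = triage(detections)
    print(f"{len(noise)} tracking cookies, {len(review)} items to review")
    for category, kind, path in review:
        print(f"  [{kind:8}] {category}: {path}")
    for kind, (claimed, seen) in check_counts(counts, detections).items():
        print(f"{kind}: header says {claimed}, parsed {seen}")
```

Run against the full log from the post, the review list is what a helper would actually read first; the cookie list can be skimmed later, since cookies in the Cookies folder cannot execute anything.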


#2 jgweed (Chicago, Il.)

Posted 26 April 2007 - 08:33 AM

When items are put in quarantine, they can no longer harm your computer, but can be restored if by some chance the application found a "false-positive."
If after a few days, no problems in functionality are found, you can simply delete these files (the various applications have a delete function).

The problem is that however good these applications may be, there may be residue left on your computer. In the case of SpySheriff, you may wish to follow the steps in the Self-Help Removal Guide here at BC:

http://www.bleepingcomputer.com/forums/t/52345/how-to-remove-spyware-sheriff-and-antispylab/

Once you have deleted all the quarantined files, and completed the steps to remove SpySheriff, I would follow the guidance at the end of the Guide and submit a HJT log to our team of volunteers. They will review its contents and look for anything that might have been missed.


Regards,
John
Whereof one cannot speak, thereof one should be silent.

#3 rotting (Topic Starter)

Posted 26 April 2007 - 11:05 AM

:thumbsup: thx bro....awesome work....I will do that...

:flowers: ...now....how and when can I delete the quarantined files? I only see Remove or Restore buttons.....and when I hit Remove last time, it just threw the trojans back onto the comp....

And, another thing....these "bugs" are only in SuperSpyware....Spyware Doctor is where the "big" ones are....

And Spyware Doctor blocked a site....it said "Spyware Doctor blocked a bad site, IP 87.249.38.126"

And the messages I got from Norton showed me these sites:

www.demon.net
www.yceml.net

And I did some research on the IP above and found this:

Enter IP Address to Trace

Results of IP Tracking for 87.249.38.126
IP address 87.249.38.126
Hostname NOLAZ-pc-38-126.unnet.ru
ISP big factory net
Country Russia Russia

Does this help? I truly hope so....

RIP



Now....I performed the fix with the software you mentioned above....this is the final log....

SmitFraudFix v2.171

Rapport fait à 20:54:33,95, 26-04-2007
Executé à partir de C:\Documents and Settings\Rip\Bureau\SmitfraudFix
OS: Microsoft Windows XP [version 5.1.2600] - Windows_NT
Le type du système de fichiers est FAT32
Fix executé en mode sans echec

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Avant SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Arret des processus


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS1\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.1 195.162.161.182
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=213.202.32.1 195.162.161.182


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Nettoyage du registre

Nettoyage terminé.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Après SmitFraudFix
!!!Attention, les clés qui suivent ne sont pas forcément infectées!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Fin

Is it fixed now? :trumpet:

Edited by rotting, 26 April 2007 - 02:13 PM.
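The DNS section of the SmitFraudFix report is the part worth reading most carefully after a cleanup: a resolver the user never configured is how a bad site can keep being reached after every file has been removed. In the log above, the CS2 entries carry a different first resolver (213.202.32.1) than CCS and CS1 (213.202.32.3), which the tool abbreviates for CurrentControlSet and the numbered ControlSets. The script below is an added example, not part of the post or of SmitFraudFix: it extracts every NameServer line from the DNS section, reports scopes whose resolvers disagree across control sets, flags any resolver not in a trusted list, and separates DHCP-assigned entries from static ones. The report excerpt is constructed from the lines shown in the post; the trusted resolver set is a placeholder the reader fills in from their own ISP.

```python
import re
from collections import defaultdict

# Constructed excerpt of a SmitFraudFix report: the DNS section sits between two
# »»» section headers; the values are the ones shown in the post.
SAMPLE_REPORT = """»»»»»»»»»»»»»»»»»»»»»»»» Suppression des fichiers infectés


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\..\\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\..\\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\\SYSTEM\\CS2\\Services\\Tcpip\\..\\{9EB358C6-7267-4DF5-B9BA-7098C4A0FC58}: DhcpNameServer=213.202.32.1 195.162.161.182
HKLM\\SYSTEM\\CCS\\Services\\Tcpip\\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\\SYSTEM\\CS1\\Services\\Tcpip\\Parameters: DhcpNameServer=213.202.32.3 195.162.161.182
HKLM\\SYSTEM\\CS2\\Services\\Tcpip\\Parameters: DhcpNameServer=213.202.32.1 195.162.161.182


»»»»»»»»»»»»»»»»»»»»»»»» Suppression Fichiers Temporaires
"""

# control set, scope (interface GUID or Parameters), optional "Dhcp" prefix, server list
DNS_RE = re.compile(
    r"^HKLM\\SYSTEM\\(CCS|CS\d+)\\Services\\Tcpip\\(.+?):\s*(Dhcp)?NameServer=(.*)$")


def parse_dns_section(text):
    """Return one dict per NameServer/DhcpNameServer line inside the DNS section."""
    entries, in_dns = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("»"):
            in_dns = line.endswith(" DNS")      # only the DNS section is of interest
            continue
        m = DNS_RE.match(line) if in_dns else None
        if m:
            controlset, scope, dhcp, servers = m.groups()
            entries.append({
                "controlset": controlset,
                "scope": scope[3:] if scope.startswith("..\\") else scope,  # strip "..\"
                "dhcp": dhcp is not None,
                "servers": [s for s in re.split(r"[ ,]+", servers.strip()) if s],
            })
    return entries


def disagreements(entries):
    """Scopes whose resolver list is not identical across control sets."""
    by_scope = defaultdict(dict)
    for e in entries:
        by_scope[e["scope"]][e["controlset"]] = tuple(e["servers"])
    return {scope: cs for scope, cs in by_scope.items() if len(set(cs.values())) > 1}


def unexpected_servers(entries, trusted):
    """Resolvers that are not in the operator-supplied trusted set."""
    return sorted({s for e in entries for s in e["servers"] if s not in trusted})


def static_entries(entries):
    """Entries written as plain NameServer= rather than DhcpNameServer=: a statically
    configured resolver on a machine that should be using DHCP deserves a look."""
    return [e for e in entries if not e["dhcp"]]


if __name__ == "__main__":
    entries = parse_dns_section(SAMPLE_REPORT)
    for scope, per_cs in disagreements(entries).items():
        print(f"{scope}: resolvers differ across control sets: {per_cs}")
    # Placeholder: replace with the resolvers your own ISP documents.
    ISP_RESOLVERS = {"213.202.32.3", "195.162.161.182"}
    print("not in trusted list:", unexpected_servers(entries, ISP_RESOLVERS))
    print("static entries:", static_entries(entries))
```

A disagreement between control sets is not by itself proof of tampering (the non-current set can simply hold an older DHCP lease), but it is exactly the kind of detail the HJT reviewer mentioned in the next reply will want to see, so it is worth pulling out before posting.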


#4 jgweed (Chicago, Il.)

Posted 26 April 2007 - 06:36 PM

Each application has different delete options for quarantined files; checking the HELP for each will tell you how to delete them.
Once you have done this, then it would be appropriate to submit a HJT log for review. Please carefully read and follow the instructions in this Guide:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Cheers,
John
Whereof one cannot speak, thereof one should be silent.
