blight

Left overs from trojan attack: Trojan.downloader-MSNETAX

Greetings to such a great community, first time seen but this product is more than worth it just purely from support on the forums... Well, I faced the cxxxx.nls problem recently. I will detail quickly what things I did as they may shed light in ways I don't know... (Main question is below here, this may just help later on, skip if you wish)

Turned PC on, noticed first a slowed-down DL rate, then saw it was sending/receiving when I was either on the desktop or just on Google, which it normally doesn't do anymore after loading... Anyway, tried a quick sys restore as I recently faced something like that and I was able to restore; this time it didn't work.

AVG detected but could not properly clean the trojans. Got SAS; this showed me malware in the form of memory items/registry/etc. after a full scan, and I deleted all quarantined items, leaving me without access to the net. A sys restore to the time before the files were quarantined, the next morning, showed I had an active working connection but of course infected...

This was repeated a few times, then I finally started restoring things one by one, enabling and disabling the connection; finally one worked... deleted all the rest, restarted into safe mode, replaced the patched ndis file with a clean version from C:\WINDOWS\ServicePackFiles\i386. No more reference to cxxx.nls or it remaking itself via the core file ndis.

PC seems to work fine in terms of processes running and usage, basic things perhaps, but from what I can see it's fine. Connection works fine... no more uploading while I am on the desktop, no more up/download in Google or while I am here typing this.

Main Question-

All seems fine, but I know there is something left over, perhaps nothing that is up/downloading or able to without the other parts of the trojan, but it is there; SAS reports it as shown below (side note: I know and have the hidden.dragon virus on my comp currently; I am not ridding it via SAS as I don't see it as an overt threat, though any additional info and techniques for staying clean and ridding it would be nice):

Trojan.download-MSNETAX[4 items]

Files

C:\recyclers\s-1-5-21-2025429265-725345543-839522115-500\dd1.dll

C:\WINDOWS\system32\qvgwxpt.dll

C:\WINDOWS\system32\uvglslm.dll

Memory processes

C:\WINDOWS\system32\qvgwxpt.dll

If I quarantine and remove these, no more connection... Have we got information about this? Is it dangerous to keep? Keylogging? Uploading still perhaps? The connection still uploads a touch every now and again; am I putting others at risk retaining this for the current moment?

Basically, what should I do?

Much appreciation to those who took some time out and read this

If you are left without a net connection, use the LSP repair in our repairs sections - could you send those files to samples AT superantispyware.com and I will see what they are?

The trojan labelled Trojan.download-MSNETAX is the culprit for borking your connection.

Follow SUPERAntiSpy's suggestion and then try SAS scan + removal to see if the culprit and issues have been resolved.

Files will be sent asap

Now I do not need this LSP fix as I have my net connection already up and working; my only problem is this last trace of the trojan. I have already redone my scans a few times, and this is now the only thing left... If I remove it via SAS it will bork the connection. I can't delete it in safe mode as it's running as a process, nor can I find reference on my comp to any other core files named

C:\WINDOWS\system32\qvgwxpt.dll

C:\WINDOWS\system32\uvglslm.dll

Now I have read about this icehack or icesword or something which is a forced delete. Is such a program good in this instance? I can see its merits in others, but in this case?

My real concern is: is this a dangerous bit of leftover? As you may see, my cleaning is of a very primitive type, but currently it is satisfactory...

I hope sending these files will clear it up

I would also note that I was looking for an LSP thread hahaha; instead I see it's a tab on SAS, a tab which I don't have.

The main program is called Super Ad Blocker? As that's where I access SAS.

Files sent under title

SAS forum thread, Zipped trojan request

Update: Hotmail won't let me send out this .rar as it's got a virus inside it and they will not take/send it... Possible to do via forums? Attachments?

Put it in there, but when I recheck to see if it's there, it's gone... or is this folder auto-sent to you right away?

The folder is write only. I will get the files.

Thank you, not sure how long these things take, any update? Sorry for the impatience.

When we have had a chance to analyze the files, I will update the thread.

We detect and remove those files no problem - you need to download the SUPERAntiSpyware Free Edition and use our LSP/Network Connection repair after the scan and removal.
