blight Posted April 30, 2007

Greetings to such a great community. First time seen, but this product is more than worth it just purely from the support on the forums... Well, I faced the cxxxx.nls problem recently. I will detail quickly what things I did, as they may shed light in ways I don't know... (Main question is below; this may just help later on. Skip if you wish.)

Turned PC on, noticed first a slowed-down DL rate, then saw it was sending/receiving when I was either on the desktop or just on Google, which it normally doesn't do any more after loading... Anyway, tried a quick sys restore, as I recently faced something like that and was able to restore; this time it didn't work. AVG detected but could not properly clean the trojans. Got SAS; this showed me malware in the form of memory items/registry/etc. after a full scan, and I deleted all quarantined items, leaving me without access to the net. A sys restore to the time before the files were quarantined the next morning showed I had an active working connection but was of course infected... This was repeated a few times, then I finally started restoring things one by one, enabling and disabling the connection; finally one worked... Deleted all the rest, restarted into safe mode, replaced the patched ndis file with a clean version from C:\WINDOWS\ServicePackFiles\i386; no more reference to cxxx.nls or it remaking itself via the core file ndis. PC seems to work fine in terms of processes running, usage, basic things perhaps, but from what I can see it's fine. Connection works fine... no more uploading while I am on the desktop, no more up/download in Google or while I am here typing this.

Main Question - All seems fine, but I know there is something left over, perhaps nothing that is up/downloading or able to without the other parts of the trojan, but it is there. (Side note: I know I have the hidden.dragon virus on my comp currently; I am not ridding it via SAS as I don't see it as an overt threat, though any additional info and techniques for staying clean and ridding it would be nice.) SAS reports it as:

Trojan.download-MSNETAX[4 items]
Files
C:\recyclers\s-1-5-21-2025429265-725345543-839522115-500\dd1.dll
C:\WINDOWS\system32\qvgwxpt.dll
C:\WINDOWS\system32\uvglslm.dll
Memory processes
C:\WINDOWS\system32\qvgwxpt.dll

If I quarantine and remove these, no more connection... Have we got information about this? Is it dangerous to keep? Keylogging? Uploading still perhaps? The connection still uploads a touch every now and again; am I putting others at risk retaining this for the current moment? Basically, what should I do?

Much appreciation to those who took some time out and read this.

SUPERAntiSpy Posted April 30, 2007

If you are left without a net connection, use the LSP repair in our repairs sections - could you send those files to samples AT superantispyware.com and I will see what they are?

fatdcuk Posted April 30, 2007

The trojan labelled Trojan.download-MSNETAX is the culprit for borking your connection. Follow SUPERAntiSpy's suggestion and then try SAS scan + removal to see if the culprit and issues have been resolved.

blight Posted April 30, 2007

Files will be sent ASAP.

Now, I do not need this LSP fix as I have my net connection already up and working; my only problem is this last trace of the trojan. I have already redone my scans a few times, and this is now the only thing left... If I remove it via SAS it will bork the connection. I can't safe-mode delete it as it's running as a process, nor can I find any reference on my comp to any other core files named:

C:\WINDOWS\system32\qvgwxpt.dll
C:\WINDOWS\system32\uvglslm.dll

Now, I have read about this icehack or icesword or something, which is a forced delete. Is such a program good in this instance? I can see its merits in others, but in this case?

My real concern: is this a dangerous bit of leftover? As you may see, my cleaning is of a very primitive type, but currently it is satisfactory... I hope sending these files will clear it up.

blight Posted April 30, 2007

I would also note that I was looking for an LSP thread, hahaha; instead I see it's a tab in SAS, a tab which I don't have. The main program is called Super Ad Blocker? As that's where I access SAS.

Files sent under the title "SAS forum thread, Zipped trojan request".

blight Posted April 30, 2007

Update: Hotmail won't let me send out this .rar as it's got a virus inside it and they will not take/send it... Possible to do via the forums? Attachments?

SUPERAntiSpy Posted April 30, 2007

ftp://ftp.superadblocker.com

Put it in the incoming folder.

blight Posted April 30, 2007

Put it in there, but when I recheck to see if it's there, it's gone... Or is this folder auto-sent to you right away?

SUPERAntiSpy Posted April 30, 2007

The folder is write only. I will get the files.

blight Posted May 1, 2007

Thank you. Not sure how long these things take; any update? Sorry for the impatience.

SUPERAntiSpy Posted May 1, 2007

When we have had a chance to analyze the files, I will update the thread.

SUPERAntiSpy Posted May 1, 2007

We detect and remove those files no problem - you need to download the SUPERAntiSpyware Free Edition and use our LSP/Network Connection repair after the scan and removal.

blight Posted May 1, 2007

Thank you for your continued work in this field; it's great seeing people's dedication.