best way to get rid of this??

Discussion in 'privacy problems' started by Griogair, Dec 12, 2005.

Thread Status:
Not open for further replies.
  1. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    something downloaed onto my coputer today...

    and windows antispyware picked up the browser changes which i blocked.

    however my ie is now blank...and if i type in an adress is redirects to 'dns404.net'

    and once it said that it was blocked by some spyware application.

    any idea how to delete whatever it is??

    cheers
     
  2. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That is propbably this one:

    http://www.sophos.com/virusinfo/analyses/trojpupert.html

    This is the procedure that is usually advised to get rid of it:
    Click here to download smitRem.exe.
    • Save the file to your desktop.
    • It is a self extracting file.
    • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
    • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.


    * Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update click the OK button and it will go to the main screen
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.


    * Click here for info on how to boot to safe mode if you don't already know how.


    * Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in safe mode:


    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
    Wait for the tool to complete and disk cleanup to finish.


    * Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop


    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


    * Restart back into Windows normally now.


    * Run ActiveScan online virus scan here

    When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Regards,

    Pieter
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    LOL eyes-open beat me to it. [​IMG]

    Regards,

    Pieter
     
  5. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ Pieter > hi :) My link may not be the cause - but the information supplied is a bit minimal and this particular trojan does reference the redirection to dns404.net. I'm sure there are other avenues to this change - this was one that I knew was fairly recent and documented.

    @ Griogair

    I'm sure it's stating the obvious - but if you do go to the dns404.net site - do not download/install 'Spy Trooper'.

    This is just another chain of the con & should be avoided at all costs.

    Cheers & good luck with your problem.
     
    Last edited: Dec 12, 2005
  6. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    cheers guys once again...

    im running panda active scan just now...

    realy aooying though as windows antispyware keeps prompting me to change an internet security zone...every 5 seconds which i block...

    grrrr:doubt:
     
  7. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    think the alls clear guys..thanks.

    will post tomorow though as im at uni and its like 3 in the morning...and drunk people are pissing me off....rubbing the good time in my pennyless face!!

    wish i was pissed! :'(

    anyhoo....cheers! ;)
     
  8. Griogair

    Griogair Registered Member

    Joined:
    Jun 3, 2004
    Posts:
    80
    Location:
    kilmarnock, scotland
    cheers...al seems to be fine.

    eyes-open quick reply thanks

    pieter,you seemed to have been involved in solving just about every problem ive posted here...much apreciated

    :D
     
  9. StevieO

    StevieO Guest

    SpyTrooper/TopAntiSpy/Spyaxe

    Official Description: This is a rogue antispyware product that is normally bundled with different trojans as a way of installation.

    Properties: Adds other software
    Changes browser

    Related Products ZToolbar Adware This is a product known to install Spyaxe.
    Trojan.Puper Trojan This product has been known to be bundled with Spyaxe.

    http://www.spywareguide.com/product_show.php?id=2361

    . . .

    Out of curiosity i DL'd the " Free Scan " lol software and uploade to Jottis. The only one that found it was NOD !

    http://img506.imageshack.us/img506/6901/install7ui.png


    Just a quick sample of what would happen to your system. I analysed the exe with Faber Toys

    File generated by Faber Toys

    5 Imported Modules

    ADVAPI32.dll
    COMCTL32.dll
    KERNEL32.dll
    USER32.dll
    WSOCK32.dll

    If you want to see the full HTML report created by the Faber Toys App on what this exe does see here.

    Your Download-Link: http://rapidshare.de/files/9109948/Install.html.html


    StevieO
     
Thread Status:
Not open for further replies.