TechSpot

Help with trojan-spy.win32@mx Virus

By mccannt
Jun 7, 2007
  1. Hi,

    I'm running Windows Vista and I've been searching around to try to find out how to remove the trojan-spy.win32@mx virus. Most resolutions I've read on the internet involve using SmitFraudFix but apparently this doesn't work on Windows Vista.

    I've included the Hijack Log. Any help appreciated.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You're using an outdated version of HijackThis and have not renamed it. See the instructions HERE and post a fresh HJT log as an attachment into this thread.

    Regards Howard :)
     
  3. mccannt

    mccannt TS Rookie Topic Starter

    Apologies about the pasting of the log file and the old version. Thanks for the instructions; I have now attached the updated log file.
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Ah, that's better, now I can see a problem.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with the following (if there).

    Video Access ActiveX Object

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end the process for the following (if there).

    pmsnrr.exe
    pmmnt.exe
    isamntr.exe

    Close task manager.

    Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O2 - BHO: (no name) - {A6ACAE64-F798-4930-AD86-BD3FB32038DB} - C:\Program Files\Video Access ActiveX Object\isadd.dll

    O3 - Toolbar: Protection Bar - {84938242-5C5B-4A55-B6B9-A1507543B418} - C:\Program Files\Video Access ActiveX Object\iesplugin.dll

    O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video Access ActiveX Object\isamntr.exe

    O4 - HKLM\..\Policies\Explorer\Run: [rare] C:\Program Files\Video Access ActiveX Object\pmsnrr.exe

    O22 - SharedTaskScheduler: homina - {df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4} - C:\Windows\system32\oyopu.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\Windows\system32\oyopu.dll
    C:\Program Files\Video Access ActiveX Object (delete the entire folder)

    Reboot into normal mode and rehide your protected OS files.

    Go and read the Viruses/Spyware/Malware preliminary removal instructions. Follow as many of the instructions as you can. The reason I say "as you can" is because you're running Vista and not all of the tools/programmes will be compatible with it.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the AVG Antirootkit scan.


    Regards Howard :)

    This thread is for the use of mccannt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
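The manual clean-up in the post above comes down to walking four autostart locations that HijackThis reports as O2 (Browser Helper Objects), O3 (IE toolbars), O4 (the Policies\Explorer\Run key) and O22 (SharedTaskScheduler) entries, checking what each one loads, and removing the ones tied to the "Video Access ActiveX Object" folder. As an added example that is not part of the thread and not HijackThis or any other tool's own code, the PowerShell script below (PowerShell 3 or later, run elevated) enumerates those same registry locations, resolves each CLSID to its registered DLL, and flags entries whose file is missing, entries pointing into that folder, and the three CLSIDs quoted in the post. It only reports; the removal steps stay manual as Howard describes them. The CLSIDs and folder name are the ones from the post; nothing else about the machine is assumed.

```powershell
# Added example (not from the thread): audit the persistence locations behind the
# HijackThis O2/O3/O4/O22 entries quoted above and report what each one loads and
# whether that file still exists. Report only; nothing is changed.
# Run from an elevated PowerShell (3+) so the HKLM keys are readable.
# Assumptions: the CLSIDs and folder name are the ones quoted in the thread;
# everything else is a generic check of the same registry locations.

$Hits = New-Object 'System.Collections.Generic.List[object]'

function Resolve-Clsid {
    # Return the InprocServer32 DLL registered for a CLSID (HKLM, then HKCU), or $null.
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

function Add-Hit {
    # Record one autostart entry together with whether the file it points at is on disk.
    param([string]$Source, [string]$Name, [string]$Path)
    $exists = $false
    if ($Path) {
        # Drop surrounding quotes and trailing arguments before testing the path.
        $exe = ($Path -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.(exe|dll)).*$', '$1'
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
    }
    $Hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; Path = $Path; FileExists = $exists })
}

# O2: Browser Helper Objects are subkeys named by CLSID; the DLL comes from the CLSID key.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    Get-ChildItem $bho | ForEach-Object { Add-Hit 'O2 BHO' $_.PSChildName (Resolve-Clsid $_.PSChildName) }
}

# O3: IE toolbars are values named by CLSID under ...\Internet Explorer\Toolbar.
$tb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $tb) {
    (Get-Item $tb).GetValueNames() | Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object { Add-Hit 'O3 Toolbar' $_ (Resolve-Clsid $_) }
}

# O4: Policies\Explorer\Run is a run key many tools overlook; each value is a command line.
# The thread shows HKLM only; HKCU is checked as well because the key exists in both hives.
foreach ($hive in 'HKLM', 'HKCU') {
    $polRun = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
    if (Test-Path $polRun) {
        $k = Get-Item $polRun
        foreach ($v in $k.GetValueNames()) { Add-Hit "O4 $hive Policies\Explorer\Run" $v ($k.GetValue($v)) }
    }
}

# O22: SharedTaskScheduler values are CLSIDs (the data is just a label) loaded at every Explorer start.
$sts = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler'
if (Test-Path $sts) {
    $k = Get-Item $sts
    foreach ($v in $k.GetValueNames()) { Add-Hit 'O22 SharedTaskScheduler' $v (Resolve-Clsid $v) }
}

# Flag the indicators from the thread plus two generic warning signs: an entry whose
# file is gone (HijackThis prints these as "file missing") and the folder named in the post.
$Known = '{A6ACAE64-F798-4930-AD86-BD3FB32038DB}', '{84938242-5C5B-4A55-B6B9-A1507543B418}',
         '{df8c3aed-b58e-4bcb-96b3-aa1b7bbdbbd4}'
$Hits | ForEach-Object {
    $flags = @()
    if ($Known -contains $_.Name)                      { $flags += 'known-from-thread' }
    if ($_.Path -and -not $_.FileExists)               { $flags += 'file-missing' }
    if ($_.Path -like '*Video Access ActiveX Object*') { $flags += 'suspicious-folder' }
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join ',') -PassThru
} | Format-Table Source, Name, Path, FileExists, Flags -AutoSize
```

On a clean machine the table should list only the toolbars and BHOs you recognise, all with FileExists True and an empty Flags column. An entry flagged file-missing (the O22 oyopu.dll line in the post is one) is an orphaned loader: it no longer runs, but it is still an autostart entry and is worth fixing in HJT so a later drop of the same DLL does not revive it. The -contains comparison is case-insensitive, which is why the lowercase O22 CLSID from the post still matches.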
  5. mccannt

    mccannt TS Rookie Topic Starter

    Howard, sorry for the delay in posting the reply to this. It took me a while to download everything and run applications.

    Anyway, I've finally got there and hope you can still help.

    I've followed all the steps and have attached the necessary files.

    Please note that I could not run Step 12, the Combofix utility, as it would not let me install the utility.

    The AVG AntiRootkit Scan did not show any problems.

    Let me know if you need further info.

    Appreciate the help and once more apologies for not getting back sooner.

    Terry
     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

    Then run HijackThis and fix these entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O13 - Gopher Prefix:

    Post a fresh HijackThis and AVG Antispyware log after doing the above.


    Regards,
    Your friendly momok =)

    This thread is for the use of mccannt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
     
  7. mccannt

    mccannt TS Rookie Topic Starter

    Hi Momok,

    Thanks for the feedback.

    I have followed your instructions and ran the AVG Anti Spyware application. The log is attached. I've checked the log and the log does not display 'no action taken against the files'.

    I also ran HijackThis again and deleted the items you specified.

    I have run a further HijackThis scan and have attached the log.

    Thanks for your help,
    Terry
     
  8. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend that you read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of mccannt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. mccannt

    mccannt TS Rookie Topic Starter

    Thanks for all your help guys, my computer seems to be working much better now. I really appreciate it.

    Just one final question: whilst following your instructions, I downloaded and installed a lot of applications to get rid of my problems. Do I need to keep them all installed on the computer?

    I've read that AVG AntiSpyware and ZoneAlarm Firewall should be sufficient. What would you recommend I keep installed to prevent this happening again?

    Thanks,
    Terry
     
  10. momok

    momok TS Rookie Posts: 2,265

    Hi,

    You can delete most of the programs; I'd recommend keeping a few to protect your system.

    For antivirus, please use one and only one. Using more than one is not recommended as it may cause serious conflicts in your system.
    AVG free
    Avast

    For firewalls please use one and only one. Using more than one is not recommended as it will hog your system resources.
    Zonealarm
    Kerio
    Comodo

    Here are some other miscellaneous programs which I recommend.
    Spybot Search & Destroy (use this if you have no other real-time monitoring programs such as Spyware Doctor).
    Ccleaner.

    That said, the best form of defence is still sensible online habits. Follow the advice given in the article I recommended previously and you will most probably be able to keep your system clean.


    Regards,
    Your friendly momok =)

    This thread is for the use of mccannt only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.