TechSpot

Please Help trojan-spy.win32@mx

By bamakam
Oct 6, 2008
  1. Hi everyone! I believe that I have the trojan-spy.win32@mx bug on my laptop. Every time I try to research the issue on my laptop, my pages get redirected. I also believe that this bug may have deleted all of my restore points.

    Can anyone help me with this? Should my first step be to run a HijackThis log that I have read about on some of the other threads?

    Thanks!
     
  2. Divino

    Divino TS Rookie

    Hi. I have no knowledge about this Trojan whatsoever, but I have taken the time to look for some helpful info for you, and I have come across this page for the removal of a Trojan which affects Windows XP restore points. Anyway, here's word for word what it said.

    Removal Instruction:

    Trojan-Spy.Win32@mx removal procedures require technical know-how in computer troubleshooting. It is better to consult your LAN administrator or technical staff to avoid additional damage to your computer if modifications to Services and the Registry have to be done.



    MANUAL REMOVAL:

    1. Temporarily disable System Restore (Windows Me/XP). [how to]

    2. Download Free AVG AntiVirus and save it to a desired location. It is your choice if you want to retain this software or remove it after the cleaning process.

    3. After downloading, browse where the file was saved and double click to install it.

    4. After installation, connect to internet and download all necessary updates.



    5. Download SmitfraudFix (by S!Ri) and save it to a desired location. Please print the procedure, as we have to close the browser later.

    6. Reboot your computer in Safe Mode. [how to]

    7. Run AVG and do a thorough scan. Delete all infected files.

    8. Close AVG and other open Applications.

    9. Run and follow the SmitfraudFix procedure you have printed earlier.

    10. You may now reboot in normal mode if it does not reboot automatically.

    11. After reboot, download and scan with CCleaner (Standard Build Only).



    Additional Clean-Up (If Present Only):

    1. Go to Control Panel>Add/Remove programs

    2. Uninstall the following:
    - Seekmo Toolbar or just Seekmo
    - AWS or Weatherbug



    3. Close Add/Remove Programs after successful removal.

    4. Download and Run HiJackThis. (Close any running applications)
    5. Mark the following entries:
    - O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
    - O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    - O11 - Options group: [INTERNATIONAL] International*

    6. Select the option "Fix checked" to fix the problem. If it prompts to reboot, select No.

    7. Close HiJackThis.
    8. Find and delete the following directories:
    - C:\Program Files\Seekmo Programs
    - C:\Program Files\AWS



    9. In order to make sure that Trojan-Spy.Win32@mx is completely eliminated from your computer, carry out a full scan of your computer using an online virus scanner. Scan with at least three different scanners.
     
  3. bamakam

    bamakam TS Rookie Topic Starter

    Here are my latest logs after following the instructions in the 8-step guide. My web pages are still being redirected, so I know there's still some of this bug on this computer. Any help would be greatly appreciated!
     
  4. Divino

    Divino TS Rookie

    Well, it looks like the Trojan messed up a lot of your registry keys. You would need a program like "Registry Fixer 4.0" to repair it. There might be a freeware version out there, but I'm not too sure; try looking for one, Google it. Hopefully it should fix your problem.
     
  5. BillAllen55

    BillAllen55 TS Maniac Posts: 368

    Please go to this TechSpot website and follow the 8-step process. Checking out your HijackThis log, it appears you are still troubled with an insidious virus issue.
    Please check out this website: http://www.techspot.com/vb/topic58138.html
    You may feel tempted to miss one or two steps of the process. I would do what you can to resist temptation.
     
  6. rf6647

    rf6647 TS Maniac Posts: 829

    BillAllen55 is spot-on: rerun the 8 steps. The MBAM log reports many 'no action' outcomes. Repeating all the steps may reveal this to be a misleading result, as 'no action taken' was reported in this post for 'tss*' files.

    Highly suspicious - redirects fedex.com to nexus
    O1 - Hosts: 199.82.0.85 nexus-p2
    O1 - Hosts: 199.82.0.80 nexus-p1

    Questionable - up to your judgement
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = east.proxy.fedex.com:3128

    This threat uses redirection to "windiwsfsearch com"
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com

    This is observable. I do not understand the delivery mechanism. It takes digging to find the proper removal tool if the rerun of 8-steps still shows these symptoms.
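A defender-side triage of HijackThis-style log lines like the ones rf6647 picks out above, written as an added example that is not from this thread or from HijackThis itself. The sample lines are constructed from the entries quoted in the thread; the set of trusted search hosts and the adware name markers are assumptions to tune for your own environment.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style log lines built from the entries quoted in this
# thread (hosts redirects, proxy setting, search-page hijack, adware toolbar).
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = east.proxy.fedex.com:3128
O1 - Hosts: 199.82.0.85 nexus-p2
O1 - Hosts: 127.0.0.1 localhost
O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
"""

# Assumption: search/start-page hosts treated as legitimate; tune per environment.
KNOWN_GOOD_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}
# Program names the thread's removal guide tells the user to uninstall.
ADWARE_MARKERS = ("seekmo", "weatherbug", "\\aws\\")

LINE_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<name>\S+)")


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O1":
            # Hosts-file entries: anything not pointing at loopback is a redirect.
            h = HOSTS_RE.match(body)
            if h and not h.group("ip").startswith("127."):
                findings.append((line, "hosts maps %s to %s" % (h.group("name"), h.group("ip"))))
        elif kind == "R1":
            key, _, value = body.partition(" = ")
            if "Search" in key or "Start Page" in key:
                host = urlparse(value).hostname or ""
                if host not in KNOWN_GOOD_SEARCH_HOSTS:
                    findings.append((line, "search/start page points at unknown host %s" % host))
            elif "ProxyServer" in key:
                findings.append((line, "proxy configured (%s); confirm it is expected" % value))
        elif kind in ("O3", "O4") and any(mk in body.lower() for mk in ADWARE_MARKERS):
            findings.append((line, "matches a program named in the removal guide"))
    return findings
```

Running `triage(SAMPLE_LOG)` flags every line except the loopback hosts entry; the proxy line is reported for confirmation rather than as malicious, matching rf6647's "up to your judgement" call.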
     