TechSpot

Trojan-spy.win32@mx spyware infection

By melxv535
Nov 8, 2007
  1. Hi everyone
    I hope someone can help with this.
    My technophobe friend has got her computer infected and I have offered to help her get rid of it (hopefully :)
    As it is her laptop, and after reading posts on this forum and seeing it is quite a long process, I have the laptop at my house and do not want to connect it to my internet connection.
    I have downloaded HJT and SmitFraudFix, and I am going to get some logs from these.

    I have seen various threads giving step by step instructions of what to do, please could someone give me a link as to which set of instructions to use before I start anything.

    Also is it possible for me to clear this infection without having her laptop connected to the internet?

    Any help would be greatly appreciated.
     
  2. howard_hopkinso


    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of melxv535 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. melxv535


    Hi
    Thanks for the instructions.
    I have followed them and run all the scans etc.

    I have attached the log files from HJT, combofix and AVG antispyware.

    When I ran the virus scan (Which took 11 hours :-( it reported no viruses but said that C:\Windows\I386\DOTNETFX\DOTNETFX.EXE\[Embedded#000ee12]\msi.dll cannot scan cab file is corrupted

    Panda reported no rootkits found.

    I only realised after the virus scan took so long that there were 100's of MB's of temp internet files on other users (there are 5 on laptop) and then deleted them.

    I'm not sure at the moment if there are any symptoms as the pop ups only happened while connected to the net. And as this is not my computer I don't want to connect it to my account.

    Thanks Mel
     
  4. howard_hopkinso


    Go to add remove programmes in your control panel and uninstall anything to do with (if there).

    AntiSpyGolden 5.1 < This is a rogue security programme.

    Close control panel.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

     
  5. melxv535


    Hi
    Applied script to combofix and the computer rebooted with the screen saying it was preparing log, then a windows error popped up for sed.cfexe to send error report or not, and it has just sat at that.

    Do I close that and try again?

    Thanks Melissa
     
  6. howard_hopkinso


    Yes, close it and try again please.

    Regards Howard :)

     
  7. melxv535


    Hi
    When I closed error box combofix created the log.

    Attached this and HJT log.

    Thanks Melissa
     
  8. howard_hopkinso


    Your HJT log is clean.

    However, it seems you forgot to attach the Combofix log.

    Regards Howard :)

     
  9. melxv535


    Sorry, I couldn't see it either, but when I tried again it said I had already attached it.

    I have renamed it to combofix3, as the other was combofix2 but it is still saying I have already attached it.

    Thanks Melissa
     
  10. howard_hopkinso


    Ok, I will remove your other Combofix log. You should then be able to attach the new one.

    Regards Howard :)

     
  11. melxv535


    Hi
    Have attached it now.
    Thanks Melissa
     
  12. howard_hopkinso


    That's exactly the same Combofix log as you attached the first time and that's why you couldn't attach it again lol.

    Follow the instructions in my post #4 and attach a FRESH Combofix log.

    Regards Howard :)

     
  13. melxv535


    Hi
    Sorry about that, I think I was a bit premature and closed combofix before it had finished completely.

    I've done it properly now lol

    Thanks Melissa
     
  14. howard_hopkinso


    All clean.

    Delete the following folder.

    C:\qoobox

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

     
  15. melxv535


    Hi
    Thanks very much for all your help.

    I cannot try it back on the internet until Tuesday or Wednesday, as the problem only showed itself while connected.

    But if there are any problems I'll get back to you.

    I hope my friend is grateful for all the work I've done with your help lol

    Thanks again Melissa.
     
Topic Status:
Not open for further replies.
