Hi everyone! I believe that I have the trojan-spy.win32@mx bug on my laptop. Every time I try to research the issue on my laptop, my pages get redirected. I also believe that this bug may have deleted all of my restore points.

Can anyone help me with this? Should my first step be to run a HijackThis log that I have read about on some of the other threads?

Thanks!

Hi. I Have no knowledge about This Trojan What So Ever, But I Have took the time To Look For SOme HElpfull Info For YOu. ANd I Have Came Across This Page For the Removal Trojan Wich Affec Windows Xp Restored POint...... Anyways heres Word by Word Of What it Said.

Removal Instruction:

Trojan-Spy.Win32@mx procedures requires technical know-how on computer troubleshooting. It is better to consult your LAN Administrator or Technical Persons to avoid additional damage on your computer if modifications on Services and Registry have to be done.



MANUAL REMOVAL:

1. Temporarily disable System Restore (Windows Me/XP). [how to]

2. Download Free AVG AntiVirus and save it to a desired location. It is your choice if you want to retain this software or remove it after the cleaning process.

3. After downloading, browse where the file was saved and double click to install it.

4. After installation, connect to internet and download all necessary updates.



5. Download SmitfraudFix (by S!Ri) and save it to a desired location. Please print the procedure as we have to close browser later.

6. Reboot your computer in SafeMode [how to]

7. Run AVG and do a thorough scan. Delete all infected files.

8. Close AVG and other open Applications.

9. Run and follow the SmitfraudFix procedure you have printed earlier.

10. You may now reboot in normal mode if it does not reboot automatically.

11. After reboot, download and scan with CCleaner (Standard Build Only).



Additional Clean-Up (If Present Only):

1. Go to Control Panel>Add/Remove programs

2. Uninstall the following
- Seekmo Toolbar or just Seekmo
- AWS or Weatherbug



3. Close Add/Remove Programs after successful removal.

4. Download and Run HiJackThis. (Close any running applications)
5. Mark the following entries:
- O3 - Toolbar: Seekmo Toolbar - {53E0B6E8-A51D-448B-B692-40B67B285543} - C:\Program Files\Seekmo Programs\Seekmo Toolbar\SeekmoTB.dll
- O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
- O11 - Options group: [INTERNATIONAL] International*

6. Select the option Fix checked to fix the problem. If prompts to reboot select No.

7. Close HiJackThis
8. Find and delete the following Directories:
- C:\Program Files\Seekmo Programs
- C:\Program Files\AWS



9. In order to make sure that Trojan-Spy.Win32@mx is completely eliminated from your computer, carry out a full scan of your computer using Online Virus Scanner. Scan at least on three different scanners.

Here are my latest logs after following the instruction in the 8-step guide. My web pages are still being redirected, so I know there's still some of this bug on this computer. Any help would be greatly appreciated!

Attached Files

	mbam-log-2008-10-06 (13-17-20).txt (3.6 KB, 3 views)
	SUPERAntiSpyware Scan Log - 10-06-2008 - 14-10-53.log (4.3 KB, 1 views)
	hijackthis_log2.txt (11.4 KB, 3 views)

Well It Looks Like The Trojan Messed up Alot Of Ur Regestry key. U Would Need a Program like "Registry Fixer 4.0" To Repair It. There Miight B a Freeware Version Out There But IM Not To Sure Try Looking For One Google It. HopeFully It Should Fix Ur Problem

Please go to this techspot website and follow the 8 step process. Checking out your hijackthis! log appears as if you are still troubled with an insidious virus issue.
Please check out this website: http://www.techspot.com/vb/topic58138.html
You may feel tempted to miss one or two steps of the process. I would do what you can to resist temptation.

BillAllen55 is spot-on - rerun the 8 steps. The MBAM log reports many 'no action' outcomes. Repeat of all steps may reveal this to be a misleading result as reported 'no action taken' in this post for 'tss* files

Highly suspicious - redirects fedex.com to nexus
O1 - Hosts: 199.82.0.85 nexus-p2
O1 - Hosts: 199.82.0.80 nexus-p1

Questionable - up to your judgement
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = east.proxy.fedex.com:3128

This threat uses redirection to "windiwsfsearch com"
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://windiwsfsearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windiwsfsearch.com/ie6.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://windiwsfsearch.com

This is observable. I do not understand the delivery mechanism. It takes digging to find the proper removal tool if the rerun of 8-steps still shows these symptoms.