Trojan-spy.win32@mx spyware infection


melxv535

Hi everyone
I hope someone can help with this.
My technophobe friend has got her computer infected and I have offered to help her get rid of it (hopefully :) ).
As it is her laptop, and after reading posts on this forum and seeing that it is quite a long process, I have the laptop at my house and do not want to connect it to my internet connection.
I have downloaded HJT and SmitFraudFix, and I am going to get some logs from these.

I have seen various threads giving step by step instructions of what to do, please could someone give me a link as to which set of instructions to use before I start anything.

Also is it possible for me to clear this infection without having her laptop connected to the internet?

Any help would be greatly appreciated.
 
Hello and welcome to Techspot.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :wave: :wave:

This thread is for the use of melxv535 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hi
Thanks for the instructions.
I have followed them and run all the scans etc.

I have attached the log files from HJT, Combofix and AVG Antispyware.

When I ran the virus scan (which took 11 hours :-( ) it reported no viruses, but said that C:\Windows\I386\DOTNETFX\DOTNETFX.EXE\[Embedded#000ee12]\msi.dll cannot be scanned because the cab file is corrupted.

Panda reported no rootkits found.

I only realised after the virus scan took so long that there were hundreds of MB of temporary internet files under the other users (there are 5 on the laptop), and I then deleted them.

I'm not sure at the moment if there are any symptoms, as the pop-ups only happened while connected to the net. And as this is not my computer I don't want to connect it to my account.

Thanks Mel
 
Go to Add/Remove Programs in your control panel and uninstall anything to do with the following (if present):

AntiSpyGolden 5.1 <- This is a rogue security programme.

Close control panel.

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the code box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
Code:

File::
C:\WINDOWS\system32\msxml3a.dll
Folder::
C:\Documents and Settings\Paul\Desktop\PHOTOSHOPELEMENTS\CRACK
C:\VundoFix Backups
C:\qoobox
C:\Program Files\AntiSpyGolden 5.1

Save this as CFScript.txt

Then drag the CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.gif]


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

Regards Howard :)
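The post above stresses two things about the CFScript: the first line must be the bare directive (File:: or Folder::) with no blank line above it and no leading space, and every entry under a directive is an absolute path. The script below is an added example, not part of the original thread or of ComboFix itself; it builds a CFScript.txt from the same targets listed in the post, checks those formatting rules before you drag the file onto ComboFix.exe, and, after ComboFix has run, reports any target that is still on disk. CRLF line endings and ASCII encoding are assumptions (what Notepad on Windows would write), and the check_cfscript rules only cover what the post states.

```python
import os
import re

# Targets copied from the CFScript in the post above (the only real input here).
FILES = [r"C:\WINDOWS\system32\msxml3a.dll"]
FOLDERS = [
    r"C:\Documents and Settings\Paul\Desktop\PHOTOSHOPELEMENTS\CRACK",
    r"C:\VundoFix Backups",
    r"C:\qoobox",
    r"C:\Program Files\AntiSpyGolden 5.1",
]

DIRECTIVES = ("File::", "Folder::")


def build_cfscript(files, folders):
    """Return the CFScript text: a directive line followed by one path per line.
    File:: comes first so it lands on line 1 with nothing above it."""
    lines = []
    if files:
        lines.append("File::")
        lines.extend(files)
    if folders:
        lines.append("Folder::")
        lines.extend(folders)
    # CRLF endings are an assumption; Notepad writes them and ComboFix is a
    # Windows tool. The directive-on-line-1 rule is the one the post insists on.
    return "\r\n".join(lines) + "\r\n"


def check_cfscript(text):
    """Validate the rules the post calls out. Returns a list of problems;
    an empty list means the script is acceptable to hand to ComboFix."""
    problems = []
    lines = text.splitlines()
    if not lines:
        return ["script is empty"]
    first = lines[0]
    if first == "":
        problems.append("blank line above the first directive")
    elif first.strip() in DIRECTIVES and first != first.strip():
        problems.append("whitespace around the first directive")
    elif first not in DIRECTIVES:
        problems.append("first line is not a directive: %r" % first)
    current = None
    for n, line in enumerate(lines, 1):
        if line.strip() in DIRECTIVES:
            current = line.strip()
            continue
        if not line.strip():
            continue  # trailing blank lines are harmless
        if current is None:
            problems.append("line %d: path before any directive" % n)
        elif not re.match(r"^[A-Za-z]:\\", line):
            problems.append("line %d: not an absolute Windows path: %r" % (n, line))
    return problems


def write_cfscript(path, text):
    """Write the script as ASCII with the line endings already in `text`
    (newline='' stops Python from translating CRLF). Returns bytes written."""
    data = text.encode("ascii")
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


def still_present(files, folders, exists=os.path.exists):
    """After ComboFix has rebooted and finished, list any target still on disk.
    `exists` is injectable so the check can be exercised without those paths."""
    return [p for p in list(files) + list(folders) if exists(p)]


if __name__ == "__main__":
    script = build_cfscript(FILES, FOLDERS)
    issues = check_cfscript(script)
    if issues:
        for issue in issues:
            print("CFScript problem:", issue)
    else:
        print("wrote", write_cfscript("CFScript.txt", script), "bytes to CFScript.txt")
        print("left on disk after ComboFix:", still_present(FILES, FOLDERS))
```

Run it once before dragging CFScript.txt onto ComboFix.exe (it refuses to write a script that fails the checks) and once again after the reboot, when the still_present list should be empty apart from C:\qoobox, which ComboFix creates for its own quarantine and which the later post tells you to delete by hand.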
 
Hi
Applied the script to Combofix and the computer rebooted with the screen saying it was preparing the log, then a Windows error popped up for sed.cfexe asking whether to send an error report or not, and it has just sat at that.

Do I close that and try again?

Thanks Melissa
 
Your HJT log is clean.

However, it seems you forgot to attach the Combofix log.

Regards Howard :)
 
Sorry, I couldn't see it either, but when I tried again it said I had already attached it.

I have renamed it to combofix3, as the other was combofix2, but it is still saying I have already attached it.

Thanks Melissa
 
Ok, I will remove your other Combofix log. You should then be able to attach the new one.

Regards Howard :)
 
That's exactly the same Combofix log as you attached the first time, and that's why you couldn't attach it again lol.

Follow the instructions in my post #4 and attach a FRESH Combofix log.

Regards Howard :)
 
Hi
Sorry about that, I think I was a bit premature and closed Combofix before it had finished completely.

I've done it properly now lol

Thanks Melissa
 
All clean.

Delete the following folder.

C:\qoobox

Turn off System Restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)
 
Hi
Thanks very much for all your help.

I cannot try it back on the internet until Tuesday or Wednesday, as the problem only showed itself while connected.

But if there are any problems I'll get back to you.

I hope my friend is grateful for all the work I've done with your help lol

Thanks again Melissa.
 