
Removing trojan-spy.win32@mx

Yesterday I got the trojan-spy virus, which I hear is supposed to record stuff you type with your keyboard into a log. I ran several scans and followed online removal directions, and I think I have the virus removed. However, I keep getting a popup from an icon on the taskbar that says this:

System detected virus activities. These may impact the performance of your computer. Please use antimalware software to..... (couldn't catch the rest because it goes away pretty quickly and doesn't come back for a little while)...

If the pop-up or icon is clicked, it sends me to the AntiVermins website (seems legit but not totally sure). This is what makes me think I might not have everything removed that I want to. The reason being that I also read that trojan-spy also displays false pop-ups about viruses being present. I don't know if I should trust AntiVermins even though it looks legit on the website. Before I ran scans and cleaned up affected files, I had an additional pop-up/icon in the taskbar that would display similar stuff, but that's gone now.

I've also been struggling to connect to the internet since this morning. I think it's probably a problem with my modem, but I'm a computer noob so I don't know if the virus could have anything to do with it or not. I've finally connected but the connection speed is very slow...

If anyone knows anything about the virus or AntiVermins I'd appreciate it a lot!
 
Originally posted by: corsa
......running Spybot Search & Destroy would be a good start.

will try that. thanks. I'm not sure if it will delete the source of the icon and stuff though since none of my other scans did... hopefully it does...

I'm just not sure how much I should be bothered by the AntiVermins popup...
 
Originally posted by: mechBgon
AntiVermins is a scam. Do not fall for that. What antivirus software do you have installed right now?

Yeah I thought so. I never considered actually downloading from the site, but I was more wondering how bad it was to have a popup from them and how to remove it. I have a bunch of free stuff, like CrapCleaner (CCleaner), Adaware, and AVG Free Edition. And I'm currently installing Spybot.
 
I recommend you uninstall AVG Free Edition and install AOL Kaspersky. Don't install the optional security toolbar, you don't need it. AOL Kaspersky is better than AVG, and is still free for home users. It's a "lite" version of the top-rated Kaspersky Antivirus Personal 6.

After installing it, go into its Settings and max out all the settings, run an update, reboot if necessary, and then run a full Scan My Computer. It'll take some time, so don't get impatient.

Further spyware removal resources: John's malware-removal guide. By the way, do you know where the infection came from? If so, where?
 
Originally posted by: mechBgon
I recommend you uninstall AVG Free Edition and install AOL Kaspersky. Don't install the optional security toolbar, you don't need it. AOL Kaspersky is better than AVG, and is still free for home users.

After installing it, go into its Settings and max out all the settings, run an update, reboot if necessary, and then run a full Scan My Computer. It'll take some time, so don't get impatient.

Further spyware removal resources: John's malware-removal guide.
Are you sure it will recognize AntiVermins as a threat though? Because none of the scans I did seemed to have removed it, and I did turn off system restore temporarily to remove the stuff. I'm hoping somebody knows a direct way to delete the AntiVermins stuff.
 
Originally posted by: PotatoSandWitch
Originally posted by: mechBgon
I recommend you uninstall AVG Free Edition and install AOL Kaspersky. Don't install the optional security toolbar, you don't need it. AOL Kaspersky is better than AVG, and is still free for home users.

After installing it, go into its Settings and max out all the settings, run an update, reboot if necessary, and then run a full Scan My Computer. It'll take some time, so don't get impatient.

Further spyware removal resources: John's malware-removal guide.
Are you sure it will recognize AntiVermins as a threat though? Because none of the scans I did seemed to have removed it, and I did turn off system restore temporarily to remove the stuff. I'm hoping somebody knows a direct way to delete the AntiVermins stuff.
None of the other scans you tried removed it. None of the other scanners you tried get updates 24 times per day either. Please try my suggestion and post the exact names of the stuff it finds. Also try the stuff John recommends, he knows his stuff.
 
By the way, I can email you a Windows Media Player movie showing how to configure the antivirus's Settings stuff, if you want. Just let me know where to email the movie to, it's about 2.3MB.
 
Originally posted by: mechBgon
Originally posted by: PotatoSandWitch
Originally posted by: mechBgon
I recommend you uninstall AVG Free Edition and install AOL Kaspersky. Don't install the optional security toolbar, you don't need it. AOL Kaspersky is better than AVG, and is still free for home users.

After installing it, go into its Settings and max out all the settings, run an update, reboot if necessary, and then run a full Scan My Computer. It'll take some time, so don't get impatient.

Further spyware removal resources: John's malware-removal guide.
Are you sure it will recognize AntiVermins as a threat though? Because none of the scans I did seemed to have removed it, and I did turn off system restore temporarily to remove the stuff. I'm hoping somebody knows a direct way to delete the AntiVermins stuff.
None of the other scans you tried removed it. None of the other scanners you tried get updates 24 times per day either. Please try my suggestion and post the exact names of the stuff it finds. Also try the stuff John recommends, he knows his stuff.

roger that. I'm DLing the AOL program right now.
 
Try the AOL Kaspersky thing, but the most effective way of making sure the spyware is ALL gone, is to backup/rebuild. It'll save you some time in the end if it's some of the nastier variants of spyware.
 
Just want to make sure no one is confused---AVG offers both a free antispyware program---and a free antivirus program---with the latter well known and in the active antivirus class.
And far be it from me to badmouth either AVG antivirus or the equally in the active antivirus class AOL--Kaspersky. The purpose of my comment is to state you can run as active AVG antivirus--or AOL Kaspersky anti-virus---but not both at the same time in the active state.

But you can run AVG antispyware and AOL Kaspersky anti-virus at the same time.

But to echo what mech bgon said--Also try the stuff John recommends, he knows his stuff.---and mech bgon is no slouch either.

I will also point out I am not familiar with AntiVermins---but it's a sad fact that many websites that say they will help you remove malware will in fact install malware on your computer if you are gullible enough to trust them---and why try an unknown pig in the poke when you can go to spywarewarrior forums and see what companies are listed as rogues. And do a little reading and gasp--learn a thing or two in the process.

 
Originally posted by: Lemon law
Just want to make sure no one is confused---AVG offers both a free antispyware program---and a free antivirus program---with the latter well known and in the active antivirus class.
And far be it from me to badmouth either AVG antivirus or the equally in the active antivirus class AOL--Kaspersky. The purpose of my comment is to state you can run as active AVG antivirus--or AOL Kaspersky anti-virus---but not both at the same time in the active state.

But you can run AVG antispyware and AOL Kaspersky anti-virus at the same time.

But to echo what mech bgon said--Also try the stuff John recommends, he knows his stuff.---and mech bgon is no slouch either.

I will also point out I am not familiar with AntiVermins---but it's a sad fact that many websites that say they will help you remove malware will in fact install malware on your computer if you are gullible enough to trust them---and why try an unknown pig in the poke when you can go to spywarewarrior forums and see what companies are listed as rogues. And do a little reading and gasp--learn a thing or two in the process.

Yeah, mech said in his post that I'd need to uninstall AVG. So I did, and I'm running a full scan with the AOL/Kaspersky program right now. It's found 3 things so far. I'll post them all once the scan is complete.
 
Originally posted by: PotatoSandWitch
If anyone knows anything about the virus or AntiVermins I'd appreciate it a lot!

The trojan is displaying the fake warning message in your taskbar.

1) uninstall your current antivirus and install Active Virus Shield
2) reboot to safe mode w/ networking if you have XP and disable system restore
3) download the rogue removal kit which will get rid of AntiVermins and dozens of other rogue apps so check the README and do everything that is listed except for the online virus scans since you now have the best antivirus installed 🙂
4) run Spy Sweeper
5) now you can run a full virus scan using Active Virus Shield

You've now removed a lot of garbage, and you should be relatively clean. You may also want to consider running Spybot, Spyware Doctor, and AVG Antispyware to see if they detect anything else. You may want to post a HiJack This log. After you're done you can reboot to normal mode.


 
I downloaded the AntiVermins installer from their site and emailed it to Kaspersky. Holy cheetahs, Batman, they've already made a signature for it! :Q
Hello.

New riskware was found in the attached file.
not-a-virus:FraudTool.Win32.AntiVermins.21
Its detection will be included in the next update. Thank you for your help.
-----------------
Regards, Roman Gavrilchenko
Virus Analyst, Kaspersky Lab.
So PotatoSandWitch, within a few hours, the AOL Kaspersky should have those signatures downloaded. Launch another Scan My Computer in the morning after updating, and it may find even more stuff. Confirm that you have the Riskware detection enabled, as shown in this pic. Also confirm that you have all the scanner sliders set to High so it's prying into compressed files.
 
THANK YOU ALL FOR THE REPLIES, I APPRECIATE IT A LOT! 🙂

I've just completed my Active Virus Shield scan, and completed following John's directions (in his post) up to this point. I'm about to restart my computer, but before that I'll post a HijackThis log, not that I know what it even is supposed to help with, but here it is anyways!

Logfile of HijackThis v1.99.1
Scan saved at 10:14:52 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\hijackthis\Analyze.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


thanks again! as of now the taskbar icon is gone (the antivermins link one). Hopefully that's still the case once I restart! I'll be sure to run another scan in the morning, thanks cheetah icon guy!
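An added example, not part of the thread and not HijackThis's own code: a small Python triage script for the kind of HijackThis log posted above. It parses the "Running processes:" block and the Rx/Oxx entries, then applies three defender-side heuristics that I chose for this example (they are not a HijackThis rating): entries whose target is marked "(file missing)" are leftover registrations pointing at a file a cleanup already removed, O23 services with "Unknown owner" have no recorded vendor, and "(no name)" browser components should be verified by hand. It also groups services by vendor, which makes it easy to see which third-party security products still have services registered. The sample lines are a constructed subset copied from the log in this thread.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample: a subset of the HijackThis v1.99.1 log lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:14:52 PM, on 12/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry line starts with a section code such as "R3", "O4" or "O23".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Human-readable meaning of the section codes that appear in the thread's log.
SECTION_MEANING = {
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart entry (Run key or Startup folder)",
    "O9": "IE extra button / Tools menu item",
    "O16": "downloaded ActiveX control (DPF)",
    "O20": "Winlogon Notify DLL",
    "O23": "Windows service",
}


class Entry(NamedTuple):
    section: str  # e.g. "O20"
    body: str     # everything after "<section> - "


def parse_entries(log_text: str) -> List[Entry]:
    """Return the Rx/Oxx entries of a log, skipping the header and process lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def running_processes(log_text: str) -> List[str]:
    """Return the paths listed under 'Running processes:' up to the first blank line."""
    procs, capture = [], False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            capture = True
        elif capture:
            if not line.strip():
                break
            procs.append(line.strip())
    return procs


def review(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Triage heuristics (mine, not HijackThis's): each flagged entry carries its reasons."""
    findings = []
    for e in entries:
        reasons = []
        if "(file missing)" in e.body:
            reasons.append("registration points at a file that no longer exists (leftover to clean up)")
        if e.section == "O23" and "Unknown owner" in e.body:
            reasons.append("service has no recorded vendor")
        label = e.body.partition(": ")[2]  # text after "BHO: ", "URLSearchHook: ", ...
        if e.section in ("R3", "O2", "O3") and label.startswith("(no name)"):
            reasons.append("unnamed browser component; verify its CLSID and file manually")
        if reasons:
            findings.append((e, reasons))
    return findings


def services_by_vendor(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group O23 service names by the vendor string HijackThis recorded for them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        if e.section != "O23":
            continue
        parts = e.body.partition(": ")[2].split(" - ", 2)  # name, vendor, path
        if len(parts) == 3:
            groups[parts[1]].append(parts[0])
    return dict(groups)


if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print(f"{len(running_processes(SAMPLE_LOG))} processes, {len(entries)} entries")
    for entry, reasons in review(entries):
        print(f"{entry.section} ({SECTION_MEANING.get(entry.section, '?')}): {entry.body}")
        for reason in reasons:
            print("   -", reason)
    print("Services by vendor:", services_by_vendor(entries))
```

Run it as a script to print the flagged entries, or point `parse_entries` at a full log file read from disk. The "(file missing)" hits are the useful output for this thread: they show where a scanner deleted a DLL but left its Winlogon Notify, BHO or service registration behind, which is exactly the sort of residue that keeps showing up in successive logs until it is removed.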
 
Ah, shoot, it's back (the taskbar icon)

I thought it might be because I actually forgot to turn off system restore before starting to clean up my computer... I only realized and turned it off right before doing the AOL Kaspersky scan. Yep, I am a dumbass. The bed is calling to me now, so when I get back from school tomorrow, I shall update Kasp. and run another scan. Then I'll do all the stuff John told me to again (and remember to turn off system restore 🙁) and do another HijackThis log.
 
You're making headway! 🙂 What are the names of the viruses it found? You can see by opening up the Active Virus Shield window, clicking "All threats have been neutralized," and it'll list them in a new window. John's procedure should finish off your remaining malware.

Here's another security enhancement you can easily switch on to help guard against some types of vulnerabilities: enable DEP completely like this pic shows

If you can get used to using a non-Administrator type of account on Windows, that's another massive security enhancement. Here's my info on that: Limited accounts. Basically, you would just make a new account using the User Accounts feature in Control Panel, leave that one as a Computer Administrator, and then switch your usual account to Limited.

There are some hassles with Limited accounts, so it isn't a perfect solution, but it's a great safeguard. Especially if a friend/sibling/roommate/visitor might jump on your PC while you're not around, and mess around with it.
 
I just thought of something else, PotatoSandWitch.

1) your HJT log shows you still have some Symantec stuff installed. Better uninstall it so it doesn't clash with AOL Kaspersky

2) before you uninstall the Symantec stuff, run this Secunia vulnerability scanner. It uses Sun Java, which you can download if you don't have Java yet: Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp). Does the scanner show you have a vulnerable version of Symantec installed?

3) make sure the Windows Firewall is turned on with no exceptions allowed, in Control Panel > Security Center.


The reason I asked about #2 above, is that there is a vulnerability in some versions of Symantec security software that is being exploited remotely, with no user interaction required. Here's Symantec's writeup on one version of it: W32.Sagevo

The file that the exploit runs is possibly a Zlob, and Zlobs are known for installing fake alerts like you're seeing. So I'm curious if your AOL Kaspersky detected any of the Zlob, DNSChanger or Agent families of malware?
 