
Thread: TrojanSPM/LX

  1. #1
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169

    TrojanSPM/LX

     
    Ok, I need some help again.. One of my end users called me fearing that they had a virus, so I went out and checked and sure enough they did. It's a TrojanSPM/LX, it brings up a dialog box which reads:

    Attention! System detected a potential hazard (TrojanSPM/LX) on your computer that may infect executable files. You private information & PC safety is at risk. To get rid of unwanted spyware & keep your computer safe you need update your current security software. Click OK to download official intrusion detection system (IDS Software).

    This is the message as it reads on the screen.

    Steps I've taken so far:

    1) Ran a preliminary scan with AVG, scan locked up and I had to close AVG

    2) Ran services.msc and stopped the System Restore Service and tried running the AVG scan again, and scan locked and I had to close.

    3) Disconnected the Internet connection on the computer and then physically disconnected the Internet connection from the back of the computer. Ran AVG, another freeze and close

    4) Restarted computer, Repeated Step (2) and am now in the process of running AVG scan again.


    Notes: AVG version => AVG 8.5 Network Edition, vrs 8.5.432
    Several articles mention this virus with a 2007 timestamp

    I need help/known processes for safely removing this virus. Thank you in advance for all of your help!

  2. #2
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,063
    Did you try a scan in safe mode?
    Hard Sayin Not Knowin

  3. #3
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    I'm actually on my way back to the site, will try that once I get there.

  4. #4
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,063
    Is the message from the trojan, acting as a phony virus scanner?

    You almost always need safe mode to be successful.

    Does AVG have a boot time scan option like Avast?

    I have never used AVG, but always heard it was good, but lately it seems like we have had a rash of posts with computers running AVG, with viruses.
    Just an observation.
    Edit
    Disable system restore also, again.
    Last edited by stroyal; January 15th, 2010 at 03:30 PM.
    Hard Sayin Not Knowin

  5. #5
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    Ok, here's an update for ya. I can't get in via the Safe Mode route.. we have a company policy that all 'guest' & default accounts are disabled. My only option was to do the Safe Mode with networking, however the time out for logging in expires before I can get to the login area. I have a choice of booting up regularly with the network connected and re-enabling the guest account (which opens the link back up to the network = not good) or ??

    Really looking for an option that doesn't re-open the network connection, but if it's the only way then I guess I don't have a real choice, right?

  6. #6
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,063
    Unplug the network cable.
    Boot to a floppy or CD with a virus scanner.
    Haven't used one in years, so maybe someone else can recommend one.

    Slave the drive in another computer, and scan it.

    That's where my expertise ends, and I format C:
    I am assuming you have backup.
    Hard Sayin Not Knowin

  7. #7
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    Does AVG have boot time scan option like Avast.
    AVG does have a scan on startup option and I set that up and I am currently running it now..

  8. #8
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    That's where my expertise ends
    Thank you for your help 'stroyal', I'm not sure where we are going to go now, I can't re-enable the local accounts, the virus has blocked that functionality.. The network cable has been unplugged since I was made aware of the problem..

    Once again, I appreciate your help and I'm open to hearing ideas from others as well..
    Last edited by StarkTech; January 15th, 2010 at 04:24 PM.

  9. #9
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    I gave AVG a chance to find the infected files by letting it run over the weekend.
    AVG did not complete its scan, I suspect due to being bogged down??

    I still cannot boot into safe mode, because we have disabled the local user account (guest) as per Group Policy for the company. The only way I can think to log into safe mode would be to use Safe Mode with Networking. However, I don't want to re-establish the connection to our network and have this spread.

    I am now getting a new "error message" in addition to the TrojanSPM/LX message I posted above:

    Critical System Warning! Your system is probably infected with a version of Trojan-Spy.HTML.Visafraud.a. This may result in website access passwords being stolen from Internet Explorer, Moilla Firefox, Outlook etc. Click Yes to scan and remove threats. (recommended)

    I'm waiting for all of the "known" pop-ups to re-populate then, hopefully, I will be able to find a way to get it here so you all can see what I'm looking at..

  10. #10
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,063
    I've done it manually before, but would not be able to explain it because I haven't done it for years.
    Check out this post, I tried to get bgrorud to help you, but check his post starting @ page 3

    UPS email attachment virus
    Hard Sayin Not Knowin

  11. #11
    Member
    Join Date
    Dec 2009
    Location
    IL
    Posts
    169
    I checked out that forum and found something that I thought would prove useful on the first post of page 8. It mentioned using "Malwarebytes'", it ran great picking up several infected items. However, I cannot log into the computer now. I try logging in and it accepts the user/pass combo and then immediately starts syncing folders and logs off before it ever loads the desktop.

    Not sure as to why, but I'm taking it to my 3rd party technician and will let him deal with my headache. I staged a replacement PC and substituted the boxes, not much I can do now except wait for the infected box to come back (hopefully clean) and then re-insert into service.

    Thanks again for all your help 'stroyal', it's much appreciated!

  12. #12
    Millwright stroyal's Avatar
    Join Date
    Dec 2002
    Location
    New Hampshire
    Posts
    8,063
    You're welcome, sorry we couldn't fix it.
    This sounds like one of the nastier ones.

    Did you see the last post in the other thread?
    Hard Sayin Not Knowin
