trojan.small not being removed


Pat

I downloaded the free spyware tool, and it
seems to do a reasonable job at getting rid
of most of the stuff. However, trojan.small
is always there.

I've tried running the AntiSpyware from a
clean boot, updated the Windows XP
security patches, and several other options/ideas,
but it does not seem to be successful at
removing trojan.small.

Ideas? Is there any tool that can get rid
of this?
 

fourstring

-----Original Message-----
I downloaded the free spyware tool, and it
seems to do a reasonable job at getting rid
of most of the stuff. However, trojan.small
is always there.

I've tried running the AntiSpyware from a
clean boot, updated the Windows XP
security patches, and several other options/ideas,
but it does not seem to be successful at
removing trojan.small.

Ideas? Is there any tool that can get rid
of this?
I have the same problem.
Detected by AVG but not cleaned.
Not detected by Beta.
Now what???
 

steve

You might try either SpyBot SD or Lavasoft Adaware. Both
have been updated and are free. Also you can try Hijack
This or CWShredder.

As to network utilization: there can be many reasons
network cards broadcast. If you want to be absolutely
sure, download a program like Active Ports and watch it
for a while. It will tell you what ports are listening.
Some will be things like Windows Update, RPC, etc.
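The built-in equivalent of watching Active Ports, added here as an example and not part of steve's post: every listening TCP endpoint joined to the process that owns it and that process's image path, so a listener can be matched to a known service (or not). It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection; on an older system the same information comes from "netstat -ano" (the PID column) and "tasklist /fi "pid eq <n>"".

```powershell
# Added example (not from the thread): listening TCP ports mapped to their owning process.
# Assumes Windows 8 / Server 2012 or later; run elevated so every process's Path is readable.
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '?' }
            # Path is empty for processes the current token cannot open (e.g. services without elevation)
            Path         = if ($p) { $p.Path } else { '' }
        }
    } |
    Sort-Object Port |
    Format-Table -AutoSize
```

A listener whose Path is a DLL host (svchost.exe, rundll32.exe) or a file under a user profile or a temp directory is the one to look at more closely; port 135 (RPC) and 445 (SMB) owned by System or svchost are normal on Windows.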
 

Bill Sanderson

Here are my thoughts, fwiw:

1) Please submit a Tools, suspected spyware report from Microsoft
Antispyware, and detail the fact that trojan.small is not being removed.

Lavasoft's ad-aware Personal SE has had this in its definitions since
October of last year, so that's what I would try next, I think.
 

Pat

I tried, but my submittal is being blocked.

So far, I've tried:
* MS Antispyware Beta
* MS AS Beta under clean boot
* eTrust PestPatrol
* several versions of free-ware

Nothing seems to get rid of this #@#@ pest.
 

Bill Sanderson

Sorry--many are having that trouble with the submission process.

What antivirus are you running? Many current antiviruses appear to know
about this one--you might try an online scan at housecall.antivirus.com, for
example.
 

Pat

In case you run into this problem on your own, I seem to
have gotten rid of it with a combination of:

* Lavasoft's Ad-Aware Personal SE (free) per
Bill Sanderson's suggestion

- and -

* Following Ron Kinner's suggestions per
below.

THANKS Ron and Bill!

----


Get a copy of WinsockXpFix.exe first just in case you
can't get on the Internet afterwards. I don't think you
will need it but it is better to have it than not.

http://www.iup.edu/house/resnet/winfix.shtm

(Some malware does not go gracefully.)


Then boot into Safe Mode (F8 - without Networking) and
rerun HijackThis
(http://www.tomcoyote.com/hjt/HijackThis.exe).
Check the following and click on Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\XHYMHI~1.DLL


Following is recommended but the above may work without
it.

While still in Safe Mode, right click on Start and then
select Explore. Change it so you can see system and
hidden files and extensions:

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show
hidden files and folders.

Uncheck the Hide protected operating system files
(recommended) option.

Uncheck the Hide File Extensions for Known File Types
option.

Click Yes to confirm.

Click OK

Now navigate down to the C:\Windows\System32 folder. Tell
Windows you want to see the files when it protests.


Now up on the second row of the toolbar at the top on the
right you should see a little Icon like a window with a
down arrow. When you go over it with your mouse it will
say Views. Click the Down arrow and select DETAILS. This
should cause the folder to change to show the file name,
the extension and the Modified date.

Look for the file XHYMHI~1.DLL (The ~ in the name means it
may really have a few more letters than the ones shown but
there should only be one that starts with xhymhi and ends
in dll - if there are more they are all evil) and note the
date Modified. Click on the word Modified at the top of
the column. This will sort things in date order. Find
your XHYMHI~1.dll and delete it and any other files with
the same date and time. Repeat for the folder
C:\Windows\System32\dllcache.

Reboot and run another SCAN.
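The registry and file-system checks behind the three HijackThis lines Ron told Pat to fix, and the "same date and time" file search, as a report-only PowerShell script. This is an added example, not code from the thread or from HijackThis. It assumes PowerShell 2.0 or later run from an elevated prompt (in Safe Mode, as the instructions say); the CLSID and the xhymhi*.dll file pattern are the ones quoted in the thread, the registry paths are the standard locations for the IE start page, search URL and Browser Helper Objects.

```powershell
# Added example, not code from the thread or from HijackThis: the checks behind the
# R0/R1/O2 lines above plus Ron's "same date and time" file search, report-only.
# Assumes PowerShell 2.0+ run elevated. CLSID and file pattern are taken from the thread.

param(
    [string]$BadDllPattern = 'xhymhi*.dll',   # XHYMHI~1.DLL is the 8.3 short name
    [string]$BadClsid = '{467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E}',
    [string[]]$ScanDirs = @("$env:windir\System32", "$env:windir\System32\dllcache")
)

function Get-DefaultValue([string]$KeyPath) {
    # "(default)" is how PowerShell exposes a key's unnamed value.
    (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).'(default)'
}

# --- R0 / R1: per-user IE start page and search URL. "Fix Checked" resets these. ---
$ie = 'HKCU:\Software\Microsoft\Internet Explorer'
$startPage = (Get-ItemProperty -Path "$ie\Main" -ErrorAction SilentlyContinue).'Start Page'
$searchUrl = Get-DefaultValue "$ie\SearchURL"
Write-Host "R0 - $ie\Main,Start Page = $startPage"
Write-Host "R1 - $ie,SearchURL = $searchUrl"

# --- O2: every registered Browser Helper Object, resolved through its CLSID to the DLL
#     Internet Explorer will load. "Fix Checked" deletes the BHO key but leaves the DLL
#     on disk, which is why the file-deletion steps follow. ---
$bhoRoot = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoRoot -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $name  = Get-DefaultValue "HKLM:\Software\Classes\CLSID\$clsid"
    if (-not $name) { $name = '(no name)' }       # HijackThis prints exactly this
    $dll   = Get-DefaultValue "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32"
    $flag  = if ($clsid -eq $BadClsid) { '   <-- CLSID from the thread' } else { '' }
    Write-Host "O2 - BHO: $name - $clsid - $dll$flag"
}

# --- Ron's file check: find the DLL (-Force shows hidden/system files, the same thing
#     the Folder Options steps do in Explorer) and list everything in the same folder
#     written in the same second. dllcache is searched too because Windows File
#     Protection would otherwise restore a copy from there. ---
$fmt = 'yyyy-MM-dd HH:mm:ss'   # second precision; Explorer's Details view shows only minutes
foreach ($dir in $ScanDirs) {
    $suspects = Get-ChildItem -Path $dir -Filter $BadDllPattern -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer }
    foreach ($bad in $suspects) {
        $stamp = $bad.LastWriteTime.ToString($fmt)
        Write-Host "Suspect: $($bad.FullName)  modified $stamp"
        Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           $_.FullName -ne $bad.FullName -and
                           $_.LastWriteTime.ToString($fmt) -eq $stamp } |
            ForEach-Object { Write-Host "  same timestamp: $($_.FullName)" }
    }
}
```

The script only reports; deleting is left to the reader, after looking at each hit. The same-timestamp rule is a loose heuristic: any batch install (a service pack, a Windows Update run) writes many legitimate files into System32 and dllcache in the same second, and malware that copies its own timestamps from a system file will not share a second with its companions at all, so treat the list as candidates to check, not as a deletion list.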
 

Bill Sanderson

Nice work, Pat.

I suppose, though, that we should add the standard disclaimer: If you've
had a trojan in place on your machine (and I assume this is one, given the
name--I haven't looked carefully at the details), the only way to be certain
that your machine is trustworthy--i.e. that you've removed all possible back
doors, is to format the partition and reinstall.

There's always a long argument about this advice--mainly stating that it
makes sense in a business environment where there are backup mechanisms, and
standardized installs, and imaging systems, but doesn't make sense in the
home user environment where that infrastructure doesn't exist.

It's true that this may well be much tougher advice to take in the home or
small office environment, but that doesn't change the fact underlying the
recommendation. If your machine has been controlled by someone other than
you, there is no way to be certain that you know all of what was done--that
there is nothing set to wake up at some future date and allow the hacker to
regain control. Sure you can argue that you know enough and can look at the
active processes and be sure they are all appropriate things that you've
installed, etc, but you can't be certain.

So--I'm not flat out telling you to wipe the thing and reload, but I do want
you to be aware that there are risks in not taking that course. You can
assess the risks and decide how to handle it--and I'll admit to not yet
flattening a machine infected with viruses which include trojan in their
name--but I think about it every time, and weigh the circumstances
carefully. (And I've cleaned relatively few machines of such things.)
 
