Troj/Psyme-Fam Search and Removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by Rocanadmin, Nov 1, 2006.

  1. Rocanadmin

    Rocanadmin Private E-2

    Hello, although I've read your forums several times recently, I now have a question to ask. We have an FTP server that is being protected by Sophos AVS, but when we or a customer goes to that page it automatically loads the Psyme-Fam trojan on our systems, which Sophos picks off right away. My question is, how do I clean the server? I assume it's in the VBS scripting somewhere, but I'm not sure of what to look for, as Sophos cannot detect this; it uploaded from another site. Any info would be greatly appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Are you sure it is really a trojan and not just a false detection of a VBS script? Have you run a full scan on the server using Sophos? Preferably the scan should be performed in safe mode. The below is quoted from Sophos about this trojan:
    If running a scan in safe mode does not help, run through the below procedure on the server and we will look through your logs to see if anything can be seen and removed.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. Rocanadmin

    Rocanadmin Private E-2

    Thanks for the info, we got the site back up yesterday. Basically once we went through all the html code and removed all the newly placed VBS script info and blocked the site www.goldenunix.com, which was the virus uploader site, everything was fine.
    There were no viruses on the website server, but around or on the 24th of Oct someone went into our webserver and added the code to have the site listed above automatically upload the virus to the client. :eek: The file uploaded is called hker[1].htm, and is part of that virus family. Sophos was sent the virus and I'm still waiting to hear back from them.
    Thanks for your help, and I will be adding new stuff to help assist your admins for future problem resolution.

    I am a techie myself and appreciate these forums. Thanks
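A defender-side check for the kind of injection described in this post, added here as an example that is not from the thread or from any tool named in it: it parses HTML pages under a web root and flags <script> tags that use VBScript or load code from a host outside an allow-list, limited to files modified on or after a given date. The trusted host, the attacker host and the sample page are constructed placeholders.

```python
from datetime import datetime
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads script from (constructed allow-list; adjust per site).
TRUSTED_HOSTS = {"www.example-ftp-site.test"}

class InjectedScriptFinder(HTMLParser):
    """Collect <script> tags that use VBScript or pull code from a host not on the allow-list."""
    def __init__(self):
        super().__init__()
        self.findings = []  # (reason, line number, src or "inline")

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        line = self.getpos()[0]
        src = a.get("src", "")
        if "vbs" in a.get("language", "").lower() or "vbs" in a.get("type", "").lower():
            self.findings.append(("vbscript", line, src or "inline"))
        elif src:
            host = urlparse(src).hostname  # None for a relative path, i.e. served locally
            if host and host not in TRUSTED_HOSTS:
                self.findings.append(("external-src", line, src))

def scan_html(text):
    """Return findings for one page as a list of (reason, line, src) tuples."""
    finder = InjectedScriptFinder()
    finder.feed(text)
    return finder.findings

def scan_webroot(root, since):
    """Scan .htm/.html files under ROOT modified on or after SINCE (a datetime)."""
    hits = {}
    for path in Path(root).rglob("*.htm*"):
        if path.is_file() and datetime.fromtimestamp(path.stat().st_mtime) >= since:
            found = scan_html(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

# Constructed sample page: one trusted script, one injected VBScript block, one external loader.
SAMPLE_PAGE = """<html><head><script src="https://www.example-ftp-site.test/menu.js"></script>
<script language="VBScript">
' placeholder for the injected loader body
</script>
<script src="http://attacker.invalid/hker.htm"></script>
</head><body>Welcome</body></html>"""
```

Calling scan_webroot("/path/to/webroot", datetime(2006, 10, 24)) lists only pages touched since the suspected intrusion date; review each hit by hand before removing anything.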
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy to hear you found the problem!
     
