Trojan.Psyme.J - Anyone know?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Geolbob, Jan 6, 2006.

  1. Geolbob

    Geolbob Private E-2

    Hello all -

    Anyone encountered Trojan.Psyme.J virus? I did a major cleaning and purge of my PC (XP, cable modem) recently using the MajorGeeks procedures and all was clean. Now Bitdefender is detecting a "Trojan.Psyme.J" virus about every time I open either Mozilla Firefox or IE. It always stops it and quarantines it so I can delete it, but I'll be darned if I can find the source of this guy. Running online scans with Bitdefender and Panda don't detect it. Any suggestions how to search the source out and get rid of it? Thanks - Bob
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The READ & RUN ME requests that if you still are having problems that three logs be attached to your message. See steps 6 and 7.
    - BitDefender log
    - PandaActiveScan log
    - HijackThis log

    More than likely this is something that keeps appearing in your TIF folder (that is the Temporary Internet Files folder). Possibly due to where you are surfing.
     
  3. Geolbob

    Geolbob Private E-2

    Hi Chaslang -

    Sorry for the delay in response. Had Army Guard duty for a few days.

    I didn't attach the 3 logs before, since the process had apparently cleaned my PC. I have Windows Home XP with cable modem. Followed the "Protect Yourself from Malware" after cleaning and started running Bitdefender9, Spy Sweeper v. 4.5.8 (purchased), and Sygate v. 5.6. I noticed the Trojan.Psyme.J problem after having done all this.

    Tonight I ran online Panda and BD in safe mode, then HJT in normal per instructions. Logs attached. Of note, besides the IE temp folder items, BD reports some viruses. Not sure why my normal BD9 didn't find these.

    You are probably right - got the bug from surfing, but I try to be careful. I run BD and Spy Sweeper with live updates and do daily scans overnight.

    Any advice per the logs is appreciated - thanks - Bob
     

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome back from Guard duty!

    Well, your HJT log is clean. There are just a few files that you can try deleting. Try deleting them in normal boot mode and if you run into any problems, try booting in safe mode and delete them.

    Delete the below using Windows Explorer:
    C:\WINDOWS\SYSTEM32\msflxsm.ocx
    C:\WINDOWS\tool1.exe
    C:\WINDOWS\tool4.exe
    C:\WINDOWS\teller2.chk
    C:\Documents and Settings\Robert M. Lanning\Local Settings\Temp\17z96944.wmf
    C:\Documents and Settings\Robert M. Lanning\Local Settings\Temp\yhmg8fvc.wmf
    C:\Documents and Settings\Robert M. Lanning\Local Settings\Temporary Internet Files\Content.IE5\SLYVC9EV\member[1].htm
    C:\Documents and Settings\Robert M. Lanning\Local Settings\Temporary Internet Files\Content.IE5\FYQU1KXY\member[1].htm
    C:\Documents and Settings\Robert M. Lanning\Local Settings\Temporary Internet Files\Content.IE5\ZBLP9TP6\member[1].htm

    Also login to each user account on the system and do the below:

    Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


    Let me know afterwards if you are still detecting the Trojan.
     
  5. Geolbob

    Geolbob Private E-2

    Hi Chaslang

    Performed the above per your directions with these results:

    User Robert M. Lanning
    - found msfixsm.ocx and deleted
    - found teller2.chk and deleted
    - tool1.exe and tool3.exe not present
    - no files were in Temp Int files but....
    - when deleted files and offline content in IE, Bitdefender blocked 2 files with the Trojan.Psyme.J in \...\member[1].htm
      ***this happened every time I performed the IE delete files function!

    User Minuen Odom
    - no files found in Windows or under IE
    - could not reset the Windows default under program - got message "unable to reset web settings"

    User Administrator
    - logged on in Safe mode (only mode showing this logon)
    - in the Temp Internet\content IE5 folder found three subfolders with mixed alpha-numeric names containing the member[1].htm - deleted them all
    - deleted cookies and files in IE and reset defaults
    - manually deleted zillions of strange cookies under the Doc & Settings\local settings\cookies folder back to mid 2004. Kept ones I recognized as OK sites.

    Rebooted in normal mode, logged on as me, rechecked Windows folders and did the file delete in IE - no trojans showed up. Opened Mozilla and no Trojan showed up when I did some surfing.

    So, bottom line is looks like system is cleaned - thanks! Bob
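
The cleanup above turned up copies of member[1].htm in the IE cache of more than one account. As an added example (not part of any post in this thread), the Python sketch below lists every cached copy under every profile with its SHA-256, so no account is missed. The function names, the sample profile names other than Administrator, the subfolder names and the file contents are all constructed for illustration.

```python
import hashlib
from pathlib import Path

# XP-era cache location inside each profile, as in the paths posted in the thread.
CACHE_REL = Path("Local Settings") / "Temporary Internet Files" / "Content.IE5"


def find_cached_copies(profiles_root, filename="member[1].htm"):
    """Return (profile, path, sha256) for each cached copy in every profile."""
    hits = []
    wanted = filename.lower()
    for profile in sorted(Path(profiles_root).iterdir()):
        cache = profile / CACHE_REL
        if not cache.is_dir():
            continue  # profile has no IE cache (or is not a profile directory)
        # Content.IE5 holds randomly named subfolders. Names are compared
        # literally: in a glob pattern "[1]" is a character class, so
        # "member[1].htm" would match "member1.htm" and miss the real file.
        for sub in sorted(p for p in cache.iterdir() if p.is_dir()):
            for entry in sorted(sub.iterdir()):
                if entry.is_file() and entry.name.lower() == wanted:
                    digest = hashlib.sha256(entry.read_bytes()).hexdigest()
                    hits.append((profile.name, str(entry), digest))
    return hits


def build_sample(root):
    """Create a constructed profile tree (all names and contents are made up)."""
    layout = {
        ("Administrator", "AB12CD34", "member[1].htm"): b"constructed sample 1",
        ("Administrator", "EF56GH78", "member[1].htm"): b"constructed sample 2",
        ("user_a", "IJ90KL12", "member[1].htm"): b"constructed sample 3",
        ("user_a", "IJ90KL12", "member1.htm"): b"decoy a glob would match",
    }
    for (profile, sub, name), data in layout.items():
        folder = Path(root) / profile / CACHE_REL / sub
        folder.mkdir(parents=True, exist_ok=True)
        (folder / name).write_bytes(data)
    (Path(root) / "user_b").mkdir(exist_ok=True)  # profile without an IE cache


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for profile, path, digest in find_cached_copies(tmp):
            print(profile, digest[:16], path)
```

On a live system, reading other accounts' profile folders requires administrative rights; the same function can be pointed at the Documents and Settings folder of a mounted disk image instead.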
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
