Help!: Ispynow
Join Date: Jun 2006
Posts: 9
Hello,
My computer is afflicted with ispynow, which prompts a phony message every 12 minutes saying just that and asking me to buy protection from some bogus third party site. Anywho, I've been reading some of the ispynow threads, and have found the following files on my computer:
system32:
TDSSfpmp.dll
TDSSosvd (DAT file)
TDSStkdv (notepad document)
In system32/drivers:
no files with TDSS prefix.
In device manager:
TDSSserv.sys (under non-plug and play drivers; I just disabled it, but am still getting the pop-ups after restart)
Do I need to start with MBAM, or, now knowing these files exist, is there another step I should take? I'd be more than happy to post a HijackThis log, but I'm not sure if it's needed.
Any and all help is greatly appreciated!
Last edited by Twenty8; Feb 1st, 2009 at 12:47 pm.
Join Date: Jul 2008
Posts: 86
Hey Twenty8, I am sorry to hear that your computer caught a virus.
What I would do is the following:
Go into Safe Mode
Scan with Spybot S&D
Run msconfig and remove any of the virus objects from starting up
Run MBAM
Check the Registry for any leftovers...
Good Luck!

Last edited by jhonnyboy; Feb 1st, 2009 at 4:56 pm.
Win7: what's it all about.
http://www.microsoft.com/canada/windows/windows-7/
Going with the flow, but the water is low and the rocks are big
Yeah, and if MBAM doesn't help, then just post the HijackThis log file.
“We learn something every day, and lots of times it’s that what we learned the day before was wrong”
Get SEO (Search Engine Optimization) articles, tips, FAQs, etc.
Tech Frog | SEO articles | SEO FAQs | SEO tips
Join Date: Jun 2006
Posts: 9
Alright, since I just DLed a fresh copy of MBAM yesterday, I figured the update could wait. Anywho, I ran it, and lo and behold it found some stuff. I had it remove all of the selected files and the pop-up is gone! Here are the MBAM log and HijackThis log after re-booting. Please let me know if everything looks good, or if I need to get the MBAM update and run it again.
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2
2/2/2009 8:45:44 AM
mbam-log-2009-02-02 (08-45-44).txt
Scan type: Quick Scan
Objects scanned: 54157
Time elapsed: 11 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HPsetm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\hpq\Application Data\Google\ijdkq13324484.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:20 AM, on 2/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe (* is it normal to have two of these?)
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Residential Technology Configuration Utility 9.21\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://restech.baylor.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\HPQ\Application Data\Mozilla\Profiles\default\w4swpl46.slt\prefs.js)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://bigdog.baylor.edu
O15 - Trusted Zone: http://burs4.baylor.edu
O15 - Trusted Zone: http://its01.baylor.edu
O15 - Trusted Zone: http://mail.baylor.edu
O15 - Trusted Zone: http://psoftwt.baylor.edu
O15 - Trusted Zone: http://raymond.baylor.edu
O15 - Trusted Zone: http://rmsweb.baylor.edu
O15 - Trusted Zone: http://*.baylor.edu
O15 - Trusted Zone: http://bigdog.baylor.edu (HKLM)
O15 - Trusted Zone: http://burs4.baylor.edu (HKLM)
Thanks again for everyone's help!
Last edited by Twenty8; Feb 2nd, 2009 at 12:51 pm.
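A small triage helper for the two log formats posted above, added here as an example; it is not code from this thread, from Malwarebytes or from HijackThis. It parses MBAM 1.x detection lines into section, item, family and action, checks the summary counts against the items actually listed (a log that was cut short when pasting shows up here), lists the items still waiting on the "Delete on reboot" step, and flags HijackThis O4 Run-key entries that start from a user profile or temp directory or that borrow a Windows system binary name outside system32. The last check is the pattern behind the HKCU Run value named svchost.exe that MBAM removed: the real service host is started by services.exe and never needs a Run entry, so a Run value by that name is suspicious on its own, while several svchost.exe processes under \WINDOWS\system32 are normal. All sample log lines in the block are constructed, and the paths, names and hostname in them are invented.

```python
# Added example for this thread; not code from the thread, MBAM or HijackThis.
# Sample log lines below are constructed; paths, names and hostnames are invented.
import re
from collections import Counter

# Constructed MBAM 1.x excerpt: summary counts first, then one section per category.
SAMPLE_MBAM = r"""Malwarebytes' Anti-Malware 1.33
Scan type: Quick Scan
Registry Values Infected: 1
Registry Data Items Infected: 1
Files Infected: 3

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\user\Application Data\Google\abc123.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\user\Application Data\Google\helper.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSexample.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# Constructed HijackThis excerpt: O4 = autostart entries, O15 = trusted zone (ignored here).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\user\Application Data\Google\abc123.exe
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe /s
O15 - Trusted Zone: http://*.example.edu
"""

# "Files Infected: 3" is a summary line; a bare "Files Infected:" opens a section.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*(?P<count>\d+)?\s*$")
# <item> (<family>) -> <action>.  Registry data items carry an extra
# "Bad: (..) Good: (..) ->" segment before the action, hence the split below.
DETECT_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[A-Za-z0-9_.]+)\) -> (?P<rest>.+?)\.?$")
# O4 - <hive>\..\Run: [<name>] <path, optionally quoted> [<args>]
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
                   r'"?(?P<path>[^"]+?)"?(?: (?P<args>[-/]\S*))?$')

SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "smss.exe"}
PROFILE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\temp\\")


def parse_mbam(text):
    """Return (summary_counts, detections) from an MBAM log body."""
    summary, detections, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:
                summary[m.group("name")] = int(m.group("count"))
            else:
                section = m.group("name")
            continue
        m = DETECT_RE.match(line)
        if m and section:
            detections.append({"section": section, "item": m.group("item"),
                               "family": m.group("family"),
                               "action": m.group("rest").split("-> ")[-1]})
    return summary, detections


def summary_mismatches(summary, detections):
    """Sections whose declared count differs from the items actually listed."""
    listed = Counter(d["section"] for d in detections)
    return [(sec, declared, listed[sec])
            for sec, declared in summary.items() if listed[sec] != declared]


def pending_reboot(detections):
    """Items still in use at scan time: only gone after the restart, so rescan then."""
    return [d["item"] for d in detections if d["action"].startswith("Delete on reboot")]


def parse_hjt_o4(text):
    """Return the O4 Run-key autostart entries from a HijackThis log."""
    return [m.groupdict() for m in (O4_RE.match(l.strip()) for l in text.splitlines()) if m]


def suspicious_autoruns(entries):
    """Flag Run entries starting from a profile/temp directory or using a
    Windows system binary name outside \\WINDOWS\\system32."""
    flagged = []
    for e in entries:
        path = e["path"].lower()
        base = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path for marker in PROFILE_MARKERS):
            reasons.append("runs from a user-profile or temp directory")
        if (e["name"].lower() in SYSTEM_NAMES or base in SYSTEM_NAMES) \
                and "\\windows\\system32\\" not in path:
            reasons.append("system binary name outside system32")
        if reasons:
            flagged.append((e["name"], e["path"], reasons))
    return flagged


if __name__ == "__main__":
    summary, dets = parse_mbam(SAMPLE_MBAM)
    print("count mismatches:", summary_mismatches(summary, dets))
    print("pending reboot:", pending_reboot(dets))
    for name, path, reasons in suspicious_autoruns(parse_hjt_o4(SAMPLE_HJT)):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

The "Delete on reboot" list is the practical caveat for a log like the one above: the module was still loaded when the scan ran, so the machine is not clean until the restart has happened and a second scan comes back empty, which is also when a database update is worth pulling before rescanning.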