Help!: Ispynow
Join Date: Jun 2006
Posts: 9
Hello,
My computer is afflicted with ispynow, which prompts a phony message every 12 minutes saying just that and asking me to buy protection from some bogus third party site. Anywho, I've been reading some of the ispynow threads, and have found the following files on my computer:
system32:
TDSSfpmp.dll
TDSSosvd (DAT file)
TDSStkdv (notepad document)
In system32/drivers:
no files with TDSS prefix.
In device manager:
TDSSserv.sys (under non-plug and play drivers; I just disabled it, but am still getting the pop-ups after restart)
Do I need to start with MBAM, or now knowing these files exist, is there another step I should take? I'd be more than happy to post a HijackThis log, but I'm not sure if it's needed.
Any and all help is greatly appreciated!
Last edited by Twenty8; Feb 1st, 2009 at 12:47 pm.
Join Date: Jul 2008
Posts: 86
Hey Twenty8, I am sorry to hear that your computer caught a virus.
What i would do is the following:
Go Into Safemode
Scan with Spybot S&D
Run MSconfig and remove any of the virus objects from starting up
Run MBAM
Check the Registry for any leftovers...
Good Luck!
Last edited by jhonnyboy; Feb 1st, 2009 at 4:56 pm.
Linux boot CD: http://www.knopper.net/knoppix/index-en.html
Yeah, and if MBAM doesn't help, then just post the HijackThis log file.
Join Date: Jun 2006
Posts: 9
Alright, since I just DLed a fresh copy of MBAM yesterday, I figured the update could wait. Anywho, I ran it, and lo and behold it found some stuff. I had it remove all of the selected files and the pop-up is gone! Here are the MBAM log and the HijackThis log after rebooting. Please let me know if everything looks good, or if I need to get the MBAM update and run it again.
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2
2/2/2009 8:45:44 AM
mbam-log-2009-02-02 (08-45-44).txt
Scan type: Quick Scan
Objects scanned: 54157
Time elapsed: 11 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HPsetm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\hpq\Application Data\Google\ijdkq13324484.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:20 AM, on 2/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe (* is it normal to have two of these?)
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Residential Technology Configuration Utility 9.21\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://restech.baylor.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\HPQ\Application Data\Mozilla\Profiles\default\w4swpl46.slt\prefs.js)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://bigdog.baylor.edu
O15 - Trusted Zone: http://burs4.baylor.edu
O15 - Trusted Zone: http://its01.baylor.edu
O15 - Trusted Zone: http://mail.baylor.edu
O15 - Trusted Zone: http://psoftwt.baylor.edu
O15 - Trusted Zone: http://raymond.baylor.edu
O15 - Trusted Zone: http://rmsweb.baylor.edu
O15 - Trusted Zone: http://*.baylor.edu
O15 - Trusted Zone: http://bigdog.baylor.edu (HKLM)
O15 - Trusted Zone: http://burs4.baylor.edu (HKLM)
Thanks again for everyone's help!
Last edited by Twenty8; Feb 2nd, 2009 at 12:51 pm.
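As an added, defender-side illustration (not code from this thread, from HijackThis or from Malwarebytes): a small Python triage pass over HijackThis O4 lines that flags the patterns the logs above exhibit, namely a Run value named after a core system binary, an executable under Application Data, a random-looking numeric file name, and a TDSS-prefixed file. The two HKCU sample entries are hypothetical, modelled on the MBAM findings; the two HKLM lines are copied from the posted log.

```python
import re
# Core Windows binaries are started by the session manager or the service
# control manager, never from a Run key, so a Run value named after one of
# them is a masquerade (compare the HKCU\...\Run\svchost.exe value MBAM removed).
SYSTEM_NAMES = {"svchost.exe", "smss.exe", "lsass.exe", "csrss.exe",
                "winlogon.exe", "services.exe"}
# HijackThis O4 registry line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)', re.IGNORECASE)  # program path, quoted or not

def triage_o4(line):
    """Return the reasons an O4 autorun entry deserves a closer look ([] = nothing flagged)."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    e = EXE_RE.match(cmd)
    exe = e.group("exe") if e else cmd
    base = exe.rsplit("\\", 1)[-1].lower()
    reasons = []
    if name.lower() in SYSTEM_NAMES or base in SYSTEM_NAMES:
        reasons.append("autorun named after a core system binary")
    if "\\application data\\" in exe.lower() or "\\local settings\\" in exe.lower():
        reasons.append("executable lives in a user-writable profile folder")
    if re.search(r"\d{6,}", base):
        reasons.append("random-looking numeric file name")
    if re.search(r"\\tdss\w*", cmd, re.IGNORECASE):
        reasons.append("TDSS-prefixed file name, the pattern discussed in this thread")
    return reasons

def scan(lines):
    """Map each flagged O4 value name to its reasons; clean entries are omitted."""
    flagged = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            flagged[O4_RE.match(line.strip()).group("name")] = reasons
    return flagged

# Constructed sample: two lines copied from the HijackThis log above plus two
# hypothetical HKCU entries modelled on what MBAM removed (the posted log was
# taken after cleanup, so the real entries are no longer in it).
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start',
    r'O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\hpq\Application Data\Google\ijdkq13324484.exe',
    r'O4 - HKCU\..\Run: [HPsetm] rundll32.exe C:\WINDOWS\system32\TDSSfpmp.dll,Start',
]
if __name__ == "__main__":
    for value, why in scan(SAMPLE_O4).items():
        print(value, "->", "; ".join(why))
```

The heuristics only rank entries for a human to look at; a hit is a reason to check the file's publisher and location, not proof of infection.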