
Hello,

My computer is afflicted with ispynow, which prompts a phony message every 12 minutes saying just that and asking me to buy protection from some bogus third party site. Anywho, I've been reading some of the ispynow threads, and have found the following files on my computer:

system32:
TDSSfpmp.dll
TDSSosvd (DAT file)
TDSStkdv (notepad document)

In system32/drivers:
no files with TDSS prefix.

In device manager:
TDSSserv.sys (under non-plug and play drivers; I just disabled it, but am still getting the pop-ups after restart)

Do I need to start with MBAM, or now knowing these files exist, is there another step I should take? I'd be more than happy to post a hijackthis file, but I'm not sure if it's needed.

Any and all help is greatly appreciated! :)


Hey Twenty8, I am sorry to hear that your computer caught a virus :(

What I would do is the following:
Go Into Safemode
Scan with Spybot S&D
Run MSconfig and remove any of the virus objects from starting up
Run MBAM
Check the Registry for any leftovers...

Good Luck!


Yeah, run MBAM now.


I installed MBAM, but it seems to be stuck on "looking for malwarebytes.org" in order to update. I read that ispynow can actually block that site from your computer.

Guess I need to manually install updates...


Alright, since I just DLed a fresh copy of MBAM yesterday, I figured the update could wait. Anywho, I ran it, and lo and behold it found some stuff. I had it remove all of the selected files and the pop-up is gone! Here is the MBAM log and HijackThis log after re-booting. Please let me know if everything looks good, or if I need to get the MBAM update and run it again.

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

2/2/2009 8:45:44 AM
mbam-log-2009-02-02 (08-45-44).txt

Scan type: Quick Scan
Objects scanned: 54157
Time elapsed: 11 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HPsetm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\hpq\Application Data\Google\ijdkq13324484.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:20 AM, on 2/2/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe (* is it normal to have two of these?)
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Residential Technology Configuration Utility 9.21\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://restech.baylor.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://restech.baylor.edu
N2 - Netscape 6: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\HPQ\Application Data\Mozilla\Profiles\default\w4swpl46.slt\prefs.js)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://bigdog.baylor.edu
O15 - Trusted Zone: http://burs4.baylor.edu
O15 - Trusted Zone: http://its01.baylor.edu
O15 - Trusted Zone: http://mail.baylor.edu
O15 - Trusted Zone: http://psoftwt.baylor.edu
O15 - Trusted Zone: http://raymond.baylor.edu
O15 - Trusted Zone: http://rmsweb.baylor.edu
O15 - Trusted Zone: http://*.baylor.edu
O15 - Trusted Zone: http://bigdog.baylor.edu (HKLM)
O15 - Trusted Zone: http://burs4.baylor.edu (HKLM)

Thanks again for everyone's help! :)
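As an added example, not from this thread and not Malwarebytes' own code: a small Python parser for the MBAM log format posted above. It pulls out the detections that are only "Delete on reboot" (so a restart is still required), the Run-key values that re-launched the fake alert at every boot, and any rootkit or TDSS-family hits, which are the reason to rescan with updated definitions. The sample log is a constructed, trimmed copy of the lines from the post.

```python
import re
# Constructed sample: a trimmed copy of the MBAM 1.33 log lines posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1654

Memory Modules Infected:
C:\Documents and Settings\hpq\Application Data\Google\spclrp.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HPsetm (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\hpq\Application Data\Google\ijdkq13324484.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\TDSSfpmp.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSStkdv.log (Trojan.TDSS) -> Quarantined and deleted successfully.
"""

# One detection line looks like: <path> (<family>) -> <action>.
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return one dict per detection: section, path, family, action."""
    items, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(" Infected:"):          # section header, e.g. "Files Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = ITEM_RE.match(line)
        if m and section:                        # summary counts and blank lines fall through
            items.append({"section": section, **m.groupdict()})
    return items

def pending_reboot(items):
    """Detections MBAM could not remove while running; they are only gone after a restart."""
    return [i["path"] for i in items if i["action"].lower().startswith("delete on reboot")]

def persistence_entries(items):
    """Run-key values: the autostart hooks that brought the fake alert back every boot."""
    return [i["path"] for i in items if i["section"] == "Registry Values" and "\\Run\\" in i["path"]]

def rootkit_hits(items):
    """Rootkit or TDSS-family detections, which justify a second scan with updated definitions."""
    return [i["path"] for i in items if i["family"].startswith("Rootkit.") or "TDSS" in i["family"]]

if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for label, fn in (("pending reboot", pending_reboot), ("persistence", persistence_entries), ("rootkit", rootkit_hits)):
        print(f"{label}: {fn(found)}")
```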


Will do.

Is it safe to uninstall TDSSserv.sys from the device manager, or is it best that I leave it alone?
