Spyware.ISpyNow and Assorted Malware Problems

Hi there everyone, new poster here, and hopefully my only topic in this section of this site

Today whilst trying to talk to my friends on a voicechat server suddenly all of my windows closed, and my computer went into restart. I have never seen this before, and its almost as if i had just hit start > shutdown > restart. Everything closed neatly. Upon restart, everything seemed sort of normal but after opening firefox i get a page that looks awefully like a firefox page saying something about how im at risk and i should click this line of text to proceed safely. Being the patent idiot that i am, i click the line of text and i get forwarded to system-defender or something similar, red flags are going up at this point. So i get on msn messenger to whinge about the possible malware problem to a friend, but when i open the messenger gui it closes itself, along with all the other messengering programs and my security software (avg free and lavasoft adaware)

Of course at this point its obvious i have some kind of problem going on, so i try all my usual tricks, adaware scan (comes up with nothing but tracking cookies), avg scan (comes up clean, updated last night) and system restore as a last hope. Distressingly, system restore doesnt work! I get to the screen that wants me to hit next to continue, and the button does nothing. I downloaded himan pro, it errors out on scan. I googled around a bit, and found that Malwarebytes' Anti-Malware seems to be standard issue for serious malware problems. I downloaded the installer on another machine, burned it to a cd, and brought it to the sick computer. It wouldnt install, not in normal mode and not in safe mode. So i copied it to the harddrive and renamed it, then ran it. It seemed to install fine then, but it hung pretty hard on the 'finishing' procedure. I let it cook for 20 minutes and it finally 'finished' so i try to run it, and no dice. I renamed the exe file and still no dice.

I've just tried to start the computer into normal mode and it's wholly unsresponsive, i dont know if this is due to whatever problem im having or the run of the mill weird hangups i have occasionally. Normally at this point i would just format the harddrive and reinstall windows but i REALLY dont want to do this, i have ALOT of important stuff on there, largely music i've produced thats linked to very specific and unique files that i would be unable to replace.

I am 99.9 percent im infected, but what with and how to remove it i'm out of options at this point, thats why i'm here. Can i have help resolving these issues? I'm in over my head here, thanks

Update: Holy crap i actually got malwarebytes to work. I'll update again on the status of it working or not working.

If you can run it then post the scan log.

If it works, be sure to check for updates

Alright, i got it to work, it detected 9 the first scan till i thought it froze so i aborted then deleted. The second time around i ran a quick scan, it detected 6, and deleted all 6 again successfully.
I didnt know it just deleted the old log files, i'll see if i can get one on here. The internet doesnt seem to be working on the infected machine, anything but the system-defender website crashes out of firefox, and the update function of malwarebytes doesnt work.

Update: Turns out it does save more than one log file, so i've got the two scans with hits i'll get another scan in after things have been 'deleted successfully'

Alrighty, here are the log files. The first is the first scan i aborted prematurely, it still caught a few. The second was a complete scan, the third was a scan after i thought i got everything. Sorry for the text bomb, but here goes:

Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/30/2008 7:00:17 PM
mbam-log-2008-11-30 (19-00-17).txt

Scan type: Full Scan (F:\|)
Objects scanned: 24140
Time elapsed: 21 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ieobject.ieobjectobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{50da37bb-7083-4fa7-80cf-de4cdb634166} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{0b0a76e7-ade1-41f4-b157-559605721b3a} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca13d72f-2dac-4d99-b08d-c5ea1c920e89} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ieobject.ieobjectobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{47d92eb6-e52c-4cda-92a6-2369963f4913} (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47d92eb6-e52c-4cda-92a6-2369963f4913} (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\WINDOWS\IECodecPlg.dll (Adware.WebDir) -> Quarantined and deleted successfully.










Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/30/2008 7:34:36 PM
mbam-log-2008-11-30 (19-34-36).txt

Scan type: Quick Scan
Objects scanned: 119968
Time elapsed: 25 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\MRSoft (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
F:\Documents and Settings\Ben Presley\Local Settings\Temp\GLK7.tmp (Rogue.EvidenceEliminator) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\winlogon.old (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
F:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.










Malwarebytes' Anti-Malware 1.30
Database version: 1306
Windows 5.1.2600 Service Pack 3

11/30/2008 8:01:26 PM
mbam-log-2008-11-30 (20-01-26).txt

Scan type: Quick Scan
Objects scanned: 120205
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



I hope that helps. Seems like even after doing the malwarebytes scans it keeps coming back. Even after that last scan the machine is still acting screwy, not letting me navigate firefox, windows firewall keeps trying to block spyware.ispynow, etc etc.

Thanks for helping me with this guys, hopefully we can get it figured out

If it works, be sure to check for updates

Definitons are updated on a regular basis. Please update, scan and post your log.

Ok god so far. The MBAM versiion you are running is a bit old. Open MBAM,Click Update,rescan and post another. Let us know again how its doing thanks.

Follow with these. SAS scan will take about an hour.
ATF:
Please download ATF Cleaner by Atribune & save it to your desktop.

• Double-click ATF-Cleaner.exe to run the program.
• Under Main "Select Files to Delete" choose: Select All.
• Click the Empty Selected button.
• If you use Firefox browser click Firefox at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• If you use Opera browser click Opera at the top and choose: Select All
• Click the Empty Selected button.
  If you would like to keep your saved passwords, please click No at the prompt.
• Click Exit on the Main menu to close the program.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


SAS:
Please download and scan with SUPERAntiSpyware Free

• Double-click SUPERAntiSypware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
• In the Main Menu, click the Preferences... button.
• Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
• Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen and exit the program.
• Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

• Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes" and reboot normally.
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply.
• Click Close to exit the program.

Alright i'll get those tools and run them. Or try to get them, this thing is pretty insidious, it wont let me visit certain websites or run certain programs, i'll try my best though!
I have to get up early for class tomorrow, so i'll update when i get time to.

You may have sucess running an application by renaming the desktop icon to something such as Inane to trick the malware.

It wont let me update mbam, just errors out when it tries to connect. I'll run the other two and see if things improve.

If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.

Run what you can..

Alrighty, things look pretty good. I'll let this cruise overnight and see what shows up, goodnight and thanks for helping me

Update: Crap, i got SAS to update once with windows running normally, after going to safemode it seems to want to run setup again, so i did, and now the updates dont seem to be on it anymore, also all the options are cleared. I reset the options, but it wont connect to the servers to update, im in safe mode with networking and the internet seems to be active, i dont know why it wont update. I'll just let this cruise overnight and see what it comes up with.

OK see you 2morrow. try updates from normal and scan from safe. Good night!

Alright i ran a scan from safemode, but i wasnt able to get it updated. Either in safe or normal, it says theres an error. The internet is working find though, i can visit my email site if only for about 20 seconds before something kills the program. Any and all security related websites are blocked somehow, with along with it seems security systems update function. Maybe something of note, i remembered the first time right before the computer got shut down the first time a program called "svchost" was trying to get out of the windows firewall. This time around after second time my email window got killed i went into processes and nuked every svchost i could. Obviously not a good idea, so i did get the "shutting down in 1 minute" window, but i was able to get a communique out my email to myself. Heres the log of the SAS scan i did:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/30/2008 at 10:31 PM

Application Version : 4.22.1014

Core Rules Database Version : 3640
Trace Rules Database Version: 1623

Scan type : Complete Scan
Total Scan Time : 00:58:47

Memory items scanned : 199
Memory threats detected : 0
Registry items scanned : 5242
Registry threats detected : 2
File items scanned : 136819
File threats detected : 0

Spyware.PWS-Rmn
HKU\S-1-5-21-1960408961-1060284298-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{47D92EB6-E52C-4CDA-92A6-2369963F4913}

Trojan.IEObject/Win
HKU\S-1-5-21-1960408961-1060284298-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA13D72F-2DAC-4D99-B08D-C5EA1C920E89}


It then asked me to reboot to continue removal, remembering something i read on here about rebooting into normal i did so. Still the same problems though, wont open certain websites, kills messenger and for some reason my ATI Catalyst program. This is becoming frustrating, what an evil little bastard program

OK I think we're getting it. Lets Open MBAM,Update then rescan and post another log.
Next run SDFix..

Please print out and follow these instructions: "How to use SDFix". <- This program is for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"

• Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
• When done, the SDFix report log will open in notepad and automatically be saved in the SDFix folder as Report.txt.
• If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
• Please copy and paste the contents of Report.txt in your next reply.
• Be sure to renable you anti-virus and and other security programs before connecting to the Internet.

-- If the computer has been infected with the VirusAlert! malware warning from the clock and the Start Menu icons or drives are not visible, open the SDFix folder, right-click on either the XP_VirusAlert_Repair.inf or W2K VirusAlert_Repair.inf (depending on your version of Windows) and select Install from the Context menu. Then reboot to apply the changes.