
Spyware.ISpynow


27 replies to this topic

#1 jokerssmile

jokerssmile

  • Members
  • 40 posts
  • OFFLINE
  •  
  • Gender:Female
  • Local time:06:42 PM

Posted 30 November 2008 - 05:52 PM

Ok so here's what happened. I downloaded a game last night and played it for a little bit, and this morning I decided to remove it from my computer.

When I did, the computer started to act weird: it closed the Firefox windows I had open and shut down the computer. When I turned it on, it told me SUPERantispyware had a problem and needed to shut down.
So I said ok. Then I got a Microsoft shield that popped up telling me I have something called SPYWARE.ISPYNOW

I tried to use SUPER to do a scan but it kept giving me an unknown error. So I thought it might be SUPER that's giving me the problem, so I removed it from the computer.
I restarted and got the same error. So I tried to do a system restore. I can get all the way up to where it says CLICK NEXT and I do... but it does nothing.

I try getting on IE or Firefox and get this message in the window:

Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, register your antivirus software.

We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).


I clicked on the link and it took me to a page, hxxp: //www.defender-review.com/?a=112. I probably shouldn't have, but I downloaded it, because upon more research I found that that is a virus as well.


I've tried scanning with Malwarebytes' Anti-Malware but it won't start up.

I did however scan with a-squared free and now it's showing the Personal Defender as a problem.


I'm having to use my house computer because the laptop is the one infected. I am using Windows XP SP 3. I use both current versions of IE and FIREFOX.

Edited by quietman7, 01 December 2008 - 02:30 PM.




#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:09:42 PM

Posted 30 November 2008 - 06:44 PM

Let's see if we can get an online scanner to work. This is Windows Live Onecare:
http://onecare.live.com/site/en-us/default.htm
You can also try renaming Mbam.exe to somethingelse.exe and see if Malwarebytes will work that way.

Edited by garmanma, 30 November 2008 - 06:46 PM.

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#3 jokerssmile


Posted 01 December 2008 - 11:54 AM

I'm running the Windows Live scanner right now. I renamed Malwarebytes and did a scan and nothing showed up. I've managed to remove parts of the virus using help from another site, but I am still unable to update my AVG (even when renamed). I am still unable to visit certain websites on my laptop, like this one bleepingcomputers.com and other websites having to do with the removal of the virus.

I found out it's from Personal Defender 2009. They trick you into downloading it by stating you have a virus and you need this protection.

As I said, I've removed parts of it, but I don't know what else is left to remove so I can go and visit other sites.

#4 jokerssmile


Posted 01 December 2008 - 12:35 PM

Just an update: I tried that Windows Live Scan but it put the laptop on standby or something and I couldn't get it to come back to life, so I had to restart the computer.

So the Windows Live scan didn't work, so that option is out for now.

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:42 PM

Posted 01 December 2008 - 02:31 PM

"I've tried scanning with Malwarebytes' Anti-Malware but it won't start up"

Some types of malware will disable MBAM and other security tools. If MBAM will not run, try renaming it. Right-click on the mbam.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 jokerssmile


Posted 01 December 2008 - 02:48 PM

I appreciate your input, Quietman. I managed to change its name and scan. I just finished a scan and removed a couple of trojans in safe mode. I noticed that I can now get on the site from the laptop, but I fear it won't last.

I am still unable to update my AVG. So I am assuming there is still something that is blocking me. So do you have any suggestions, other than having to rename things?

Where should I post the Malware log? And should I do another HijackThis log?

Thank you!

Edited by jokerssmile, 01 December 2008 - 02:49 PM.


#7 quietman7


Posted 01 December 2008 - 03:04 PM

I scrolled past post #3 and did not see your reply about having renamed it already.

Please post the results of your MBAM scan for review.

To retrieve the MBAM scan log information, launch MBAM.
Click the Logs Tab at the top.
mbam-log-2008-10-12(13-35-16).txt should show in the list. <- your dates will be different from this example
Click on the log name to highlight it.
Go to the bottom and click on Open.
The log should automatically open in notepad as a text file.
Go to Edit and choose Select all.
Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
Come back to this thread, click Add Reply, then right-click and choose Paste.

#8 jokerssmile


Posted 01 December 2008 - 05:00 PM

I apologize for that comment. I had edited the post also but you're too quick on your response LOL!
I've been posting on two different sites and I got confused. My apologies. Once I get the scan finished I will put it up. I actually did one right after the previous post and it found 2 things and I just completed another one and it only found 1 thing. I will post up both things in the next post.

#9 jokerssmile


Posted 01 December 2008 - 05:03 PM

Here is the first scan I did. It says they weren't removed because I did the log before I removed anything:
Malwarebytes' Anti-Malware 1.30
Database version: 1366
Windows 5.1.2600 Service Pack 3

12/1/2008 11:40:56 AM
mbam-log-2008-12-01 (11-40-43).txt

Scan type: Full Scan (C:\|)
Objects scanned: 88439
Time elapsed: 1 hour(s), 14 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the latest one I did:
Malwarebytes' Anti-Malware 1.30
Database version: 1366
Windows 5.1.2600 Service Pack 3

12/1/2008 1:58:30 PM
mbam-log-2008-12-01 (13-58-14).txt

Scan type: Full Scan (C:\|)
Objects scanned: 88525
Time elapsed: 1 hour(s), 14 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#10 jokerssmile


Posted 01 December 2008 - 06:37 PM

I'm doing yet another scan with the same program. I noticed an alert pop up, and when this scan is over with I will email it to myself and put it in my next post when I can. I didn't choose to update it or anything else like that, so no worries there.

I know something is still infecting my laptop because it will only let me visit www.bleepingcomputer.com one time, then if I close the window it prevents me from going there again.

#11 garmanma


Posted 01 December 2008 - 07:38 PM

That version is a little old. Have you updated Mbam? If not, please check for updates, then run a scan.
Mark

#12 jokerssmile


Posted 01 December 2008 - 07:59 PM

You really think it matters updating stuff? I mean, will it remove the virus any differently? I'm just curious because I've done 3 scans today and I'm just wondering... it seems to get rid of the virus but only for a second, because it still won't let me update AVG or Spybot for that matter. How I managed to get Malwarebytes to update is beyond me.

But I will go scan ..... again... Should be back in about 1 hour and 15 minutes....

I'm also having to work off of two computers so my response time is going to be a while :thumbsup:

Edited by jokerssmile, 01 December 2008 - 08:00 PM.


#13 jokerssmile


Posted 01 December 2008 - 08:03 PM

Can you also explain something to me? When I start scanning, within the first minute it is scanning the registry where the viruses were found, but in the OBJECTS infected it shows 0 till the very end of the scan.... Is there a reason it's not showing up even though it just scanned over the parts that are infected?

#14 jokerssmile


Posted 01 December 2008 - 09:23 PM

Here is the latest MalwareBytes scan log:

Malwarebytes' Anti-Malware 1.30
Database version: 1443
Windows 5.1.2600 Service Pack 3

12/1/2008 6:17:10 PM
mbam-log-2008-12-01 (18-17-10).txt

Scan type: Full Scan (C:\|)
Objects scanned: 89428
Time elapsed: 1 hour(s), 15 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\esther youhanaei\nah_bpqb.exe (Trojan.Agent) -> Quarantined and deleted successfully.


The Nah_bpqb.exe thing comes and goes. I've seen it in the startup a few times, and when I went to go disable it after realizing it's bad, it's not there.


I came back to say I found nah_bpqb in the startup again and disabled it, then I found a NAH dat file, I believe, in the location that the nah_bpqb.exe was, and I used SPYBOT Shredder and shredded it. Not sure what that did, if it did anything at all. I just restarted the laptop so we'll see.

Edited by jokerssmile, 01 December 2008 - 09:30 PM.
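
An added example, not part of the original thread: a small Python parser for the Malwarebytes' Anti-Malware 1.30 log layout posted in #9 and #14, which lists every object detected in more than one scan together with the action recorded each time. The function names are hypothetical, and the sample input is constructed by trimming those logs to their non-empty sections, with the Windows user name replaced by a placeholder.

```python
import re
# Detail-section headers as they appear in the MBAM 1.30 logs in this thread.
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")
# Detail line: "<object> (<detection name>) -> <action>."
ITEM = re.compile(r"^(?P<obj>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

def parse_mbam_log(text):
    """Return [(section, object, detection, action)] for one scan log."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]   # "Registry Keys Infected:" opens a detail block
        elif section and line and not line.startswith("(No malicious"):
            m = ITEM.match(line)  # summary counts ("...: 2") never reach here
            if m:
                items.append((section, m["obj"], m["name"], m["action"]))
    return items

def persistent(logs):
    """Map each object seen in more than one scan to [(scan number, action)]."""
    seen = {}
    for idx, text in enumerate(logs, 1):
        for _, obj, _, action in parse_mbam_log(text):
            seen.setdefault(obj.lower(), []).append((idx, action))
    return {obj: hits for obj, hits in seen.items() if len(hits) > 1}

# Constructed sample input: the three posted logs trimmed to their non-empty
# sections, with the Windows user name replaced by a placeholder.
SCAN_1 = r"""Registry Keys Infected: 2
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
"""
SCAN_2 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> No action taken.
"""
SCAN_3 = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nah_Shell (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
C:\Documents and Settings\<user>\nah_bpqb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    print(persistent([SCAN_1, SCAN_2, SCAN_3]))
```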


#15 scff249

scff249

    Indecisive Lurker


  • Members
  • 1,319 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:A galaxy far, far away...
  • Local time:08:42 PM

Posted 01 December 2008 - 09:48 PM

From my understanding, we have a couple of issues.

The first is that tdss detection.

The second is the nah_Shell. As posted by DaChew:

http://www.bleepingcomputer.com/forums/ind...t&p=1025905

Will leave it up to the higher-ups for further action.

"Ototo'i wa usagi o mita no...Kino wa shika...Kyo wa anata." -Kotomi Ichinose (Clannad) [see below for translation]
"Day before yesterday I saw a rabbit, and yesterday a deer, and today, you." -The Dandelion Girl
"You are not alone, and you are not strange. You are you, and everyone has damage. Be the better person." -Katawa Shoujo
