
Spyware Doctor



#1 JannEd


Posted 05 January 2012 - 01:38 PM

I have that Compaq laptop back, Win7 upgrade from Vista. He has downloaded something (he says upgrade to Adobe Reader, I say no) and it put, with all its parts, hijacked.exe file; trojan.exeshell.gen. And there is something on there called did.exe. I ran MBAM and it found the trojan one, rebooted, reran MBAM, this time it found the hijacked.exe one. In both cases I had them quarantined/fixed. When I reboot, one or the other is back. Anyway, to tie this in with Spyware Doctor, I downloaded it on his machine and on mine (in the event that I have to burn it and then put it on his).

With the download came a file called sdssetup__revwire207.exe. I googled that to find out what it was. I got a slew of sites to go to to remove the original sdssetup.exe file because they said it was a virus. I really doubt that because I did download it from the PCTools.com. I am also thinking that virus had a rootkill with it. I also ran DDS and SecurityCheck, FIXNCR.reg, MiniToolBox, Regfix.reg, and they do not look like they picked up anything.

My question would then be: what is sdssetup_revwire207.exe and is sdssetup.exe the right setup file for SpywareDoctor?

Thanks Guys

Jann


 


#2 boopme


Posted 05 January 2012 - 05:06 PM

Hello, the first looks like a Generic JavaScript Unpacker for PCTOOLS
http://jsunpack.jeek.org/dec/go?report=8983a7c63798911160391db96078313963cb7d37

the second is the SpywareDoctor installer.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 JannEd


Posted 05 January 2012 - 05:56 PM

> Hello, the first looks like a Generic JavaScript Unpacker for PCTOOLS
> http://jsunpack.jeek.org/dec/go?report=8983a7c63798911160391db96078313963cb7d37
>
> the second is the SpywareDoctor installer.


Thank you! Please don't pin this. I will be at my daughter's tomorrow on her DSL, which is going to make this whole thing better to work with and I may have a couple more questions about those particular viruses. It looks like this guy uninstalled Avira and his MBAM was out of date by almost 3 months. After the last time I cleaned a rootkill off his system you would think he would learn. Wiping out everything the last time, you would think he would be more careful. At least he pays me well. Which is not why I do it, but he insists. The last time he bought me a huge gig Seagate backup external drive.

Jann

#4 boopme


Posted 05 January 2012 - 08:36 PM

We'll keep it open.

#5 JannEd


Posted 06 January 2012 - 03:30 PM

> We'll keep it open.


Okay, maybe I should start a new topic about this. I have done everything I know to connect that computer to the WIFI here. There is no visible switch to turn it on. Compaq Presario CQ60. Been all over trying to find it or a combination of the f keys to turn it on and nothing. I can connect by dialup and that is it. In order to install and run Spyware Doctor, I need to update and the file is so big, on dialup it would take forever. And it keeps trying to reset. Just downloaded the latest driver for Atheros. One of the things he said was that right after he noticed problems, he could no longer connect. He connects with his mobile to AT&T and believe me, that AT&T Manager is no help. It just keeps telling me there is no WIFI card and I know there is because the last time I had that mess, I connected every day to this DSL.

So, by boop[me], move this somewhere else or not.

Jann loving this 70deg weather.

#6 boopme


Posted 06 January 2012 - 04:02 PM

make post in networking. Mention your Operating System.. stay cool LOL.

#7 JannEd


Posted 06 January 2012 - 08:59 PM

> make post in networking. Mention your Operating System.. stay cool LOL.


I did that and am getting some answers. I did a scan on that system with SuperAnti-Spyware and it found the trojan.Dropper/SVC host-fake virus and where do you think it was located? In a subfolder in MBAM called chameleon. SAS cleaned up and wasn't there the next time I ran it. However, I know about these rootkill things and have a couple programs to take care of that. I hope. The last time that system got a rootkill virus, he had used his computer for months before he brought it to me. That time it was that false popup box. I managed to get rid of it, but this one is a tad different.

Will get back to you after I run a few more programs.

Jann

#8 boopme


Posted 06 January 2012 - 09:51 PM

It's OK.. look at this
http://www.bleepingcomputer.com/forums/topic436415.html

#9 JannEd


Posted 06 January 2012 - 11:23 PM

> It's OK.. look at this
> http://www.bleepingcomputer.com/forums/topic436415.html


All right!! Then that means that all is well. SAS quarantined it and it was all gone next SAS scan. Now if I can figure out this network thing, I am in business!! I do want to run Spyware Doctor because it does a little more than MBAM and SAS. Keep me open!!!

Have a good weekend!

Jann (catch me on FB)

#10 boopme


Posted 06 January 2012 - 11:31 PM

OK, best thing is to run this FSS scan and start a new topic in Networking.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#11 JannEd


Posted 07 January 2012 - 12:22 AM

Here is the FSS log:

Farbar Service Scanner
Ran by Chris (administrator) on 06-01-2012 at 22:58:16
Microsoft Windows 7 Home Premium Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open MpsSvc registry key. The service key does not exist.

bfe Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open bfe registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.


Firewall Disabled Policy:
==================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: Attention! Unable to open wscsvc registry key. The service key does not exist.


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

I tell you, I have worked on systems ever since Win95 and I still think XP Pro is still the most stable of the latest ones. Loved 2000 Pro too. Anyhow what does this tell you?

J
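A triage pass over a log like the one posted above, written as an added example (it is not part of the thread and not Farbar's code). It separates stopped services whose registry key is missing from those whose configuration is intact, and cross-checks each against the File Check section. The sample text is a constructed excerpt in the same layout, and matching a service to its binary by base name is an assumption that holds for the entries shown.

```python
import re

# Constructed sample: a shortened excerpt in the FSS.txt layout posted above.
SAMPLE_LOG = r"""Windows Firewall:
=============
MpsSvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open MpsSvc registry key. The service key does not exist.

mpsdrv Service is not running. Checking service configuration:
The start type of mpsdrv service is OK.
The ImagePath of mpsdrv service is OK.

Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open wscsvc registry key. The service key does not exist.

File Check:
========
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
"""

NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
KEY_MISSING = re.compile(r"Unable to open (\S+) registry key\. The service key does not exist\.")
FILE_CHECK = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) => (?P<verdict>.+)$")

def triage(log_text):
    """Return (service, state, binary_hash_ok) for every stopped service."""
    stopped, key_missing, files = [], set(), {}
    for line in map(str.strip, log_text.splitlines()):
        if m := NOT_RUNNING.match(line):
            stopped.append(m.group(1))
        elif m := KEY_MISSING.search(line):
            key_missing.add(m.group(1))
        elif m := FILE_CHECK.match(line):
            files[m["path"].lower()] = m["verdict"] == "MD5 is legit"
    findings = []
    for svc in stopped:
        # Assumption: the service's binary shares its base name (mpssvc.dll, mpsdrv.sys).
        ok = next((v for p, v in files.items()
                   if p.rsplit("\\", 1)[-1].split(".")[0] == svc.lower()), None)
        state = "service key missing" if svc in key_missing else "key present"
        findings.append((svc, state, ok))
    return findings

if __name__ == "__main__":
    for svc, state, ok in triage(SAMPLE_LOG):
        print(f"{svc:8} {state:20} binary hash ok: {ok}")
```

A service reported as "service key missing" with a passing binary hash has its file on disk but no service registration, which is a different repair from replacing a file.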

#12 JannEd


Posted 07 January 2012 - 11:57 AM

The way I learned what I know about computers is by finding what the problem is, researching how to make it right, then trial and error. I say this because I read this log and want to tell you what I think the problem(s) is/are. That would be, in this case, that mpssvc.dll. BUT I also read that it could be any of the dlls and one exe file that that dll looks for that may be corrupt. The guy is bringing me his Win7 disk and I will try to do a repair. I also have the ToolBox log, if you would like to see it.

What is a play book? He told me this morning that he bought one and connects it to his laptop and thinks that may be the problem. I asked him who had the moment of insanity and completely uninstalled Avira. He has no clue. Grrrrr! I say, have another drink. He is part owner of an auto mechanic shop and no one else, really, needs to be getting on his machine. Oh well, trying to wake up here, stayed up with this until the wee small hours of the morning.

J

#13 boopme


Posted 07 January 2012 - 09:44 PM

You have system files missing.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista\Win 7 users: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
    :filefind
    tdx.sys
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#14 JannEd


Posted 08 January 2012 - 11:57 AM

> • Click the Look button to start the scan.
> • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
> Note: The log can also be found on your Desktop entitled SystemLook.txt

I downloaded, tried to run it on that laptop and got an error popup: Script Required. I tried to run it on my system and got the same error. Will download it on the second mirror, thinking maybe the first mirror download isn't all there. Will get back to you in a few minutes.

Jann in 36deg weather.

#15 JannEd


Posted 08 January 2012 - 12:07 PM

PS I went on the programmer's site and saw this: Copy the content of the following codebox into the main textfield:
SCRIPT
But I see nowhere to put that.



