vision

TSPY Virus Infection - how to remove?

6 posts in this topic

A friend's computer has been infected by the TSPY virus, according to the PC Cillin anti-virus program running on her PC. When the PC is booted, sometimes (but not always), the PC Cillin anti-virus program keeps displaying a series of various TSPY virus infection screens in the lower right hand corner of the screen. They just keep coming up on the screen and there is no way to click on anything to stop them or take any action, other than shutting down.

 

I have read this forum's FAQ and here's some additional info and steps taken:

- ran Spybot S&D

- ran AVG Anti-Spyware scan (report posted below)

- did not run online anti-virus program suggested due to not being able to access internet

- ran Hijackthis scan (report posted below)

- looked at browser properties and saw that browser has been hijacked to hxxttp://kzdh.com/?g

- processes using most memory are PcScnSrv.exe, tmproxy.exe, PcCtlCom.exe (don't really know what these programs are)

 

Here is the AVG report:

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 9:49:42 PM 11/19/2007

 

+ Scan result:

 

 

 

C:\Program Files\conimee.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).

C:\RECYCLER\rrr.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0081328.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).

:mozilla.8:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.

:mozilla.6:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.

:mozilla.17:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

:mozilla.18:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.

C:\Documents and Settings\HarrisLu\Local Settings\Temp\Cookies\harrislu@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.

:mozilla.21:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

:mozilla.22:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.

C:\WINDOWS\system32\rsmygpm.dll -> Trojan.OnLineGames.gqg : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080140.exe -> Trojan.OnLineGames.gwy : Cleaned with backup (quarantined).

C:\Documents and Settings\HarrisLu\Local Settings\Temp\tmp25.tmp -> Trojan.OnLineGames.gyu : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080010.exe -> Trojan.OnLineGames.hcr : Cleaned with backup (quarantined).

C:\WINDOWS\system32\avzxfst.exe -> Trojan.OnLineGames.hcr : Cleaned with backup (quarantined).

C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[236] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[288] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[300] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[476] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[560] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[640] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[684] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

[980] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080137.exe -> Trojan.OnLineGames.heq : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080138.exe -> Trojan.OnLineGames.heq : Cleaned with backup (quarantined).

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080141.exe -> Trojan.OnLineGames.hfn : Cleaned with backup (quarantined).

C:\WINDOWS\system32\kawdczy.dll -> Trojan.OnLineGames.hgx : Cleaned with backup (quarantined).

 

 

::Report end

 

 

Here is the Hijackthis report:

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:20 PM, on 11/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\alg.exe

C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe

C:\DOCUME~1\HarrisLu\LOCALS~1\Temp\clclean.0001

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe

C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

C:\WINDOWS\system32\dlcccoms.exe

C:\HJT\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.167.230.39:3128

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r

O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon

O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE

O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [setDefaultMIDI] MIDIDef.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"

O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

O20 - AppInit_DLLs: kvmxfma.dll

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe

O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

 

--

End of file - 8159 bytes

 

 

Any help in removing this TSPY virus would be most appreciated.

 

Happy Thanksgiving all!

 

V

Edited by nasdaq: bad link obfuscated


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hello,

 

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Download LSPfix

Unzip the file to a folder on your desktop.

Double-click to run

Select: (Advanced) "I know what I'm doing"

Select: sqmapi32.dll (left pane)

Click the right arrow to bring it to REMOVE (right pane).

Repeat if more than one such item.

Then click the FINISH button. Restart your computer.

*/*

 

Disable AVG Anti-Spyware (formerly ewido):

 

Please disable AVG Anti-Spyware, as it may interfere with the fix.

  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an ‘S’ in the system tray.
  • In the Resident Shield section, toggle the AVG Anti-Spyware active protection ‘off’ by clicking Change state which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
  • Reply ‘no’ and set it to ‘inactive’ for the duration of your cleanup.

 

Once your log is clean you can re-enable Ewido.

 

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

 

O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe

O20 - AppInit_DLLs: kvmxfma.dll

 

Click on Fix Checked when finished and exit HijackThis.

 

Delete these files/folders in bold if found.

 

Files

c:\windows\system32\sqmapi32.dll

c:\windows\system32\kvmxfma.dll

 

Folder

C:\windows\system32\com\

 

Restart the computer to complete the fix.

*/*

 

Enable AVG Anti-Spyware.

*/*

 

Submit a fresh HijackThis log.


Thank you nasdaq for your help and instructions. I attempted to do the fix as you detailed, however, I had a few questions that I thought it would be better to ask first before perhaps doing something wrong:

 

1. When I ran LSPfix, I saw the sqmapi32.dll file in the left pane to move to the right pane (remove). Your instruction said to repeat if more than one such item. There were 3 other files shown in the left pane: mswsock.dll, winrnr.dll, and rsvpsp.dll. I wasn't sure if I should move those files to the right pane also, or only other files named sqmapi32.dll if found. Please let me know if I should move the other 3 .dll files to the right pane.

 

2. You instructed to delete the files sqmapi32.dll and kvmxfma.dll in the c:\windows\system32\ directory. I used Windows Explorer to find these files and noticed that sqmapi32.dll was dated 11/12/2007 4:12pm (the date I think the virus infection happened), but kvmxfma.dll was dated 8/4/2004 (the date of most of the .dll files in that directory). There is a file named kvmxfcf.dll with the date of 11/12/2007 4:12pm. I just want to make sure you meant me to delete the kvmxfma.dll file from 2004 instead of the kvmxfcf.dll file. Sorry for the extra caution; I just want to make sure I delete the correct file. Also, when I delete these files using Windows Explorer, they will go to the Recycle Bin. Should I also delete them again from the Recycle Bin?

 

Much thanks again,

V


Glad you asked these questions.

 

Move and delete only these sqmapi32.dll entries.

 

*/*

 

kvmxfma.dll you should delete.

http://www.bleepingcomputer.com/startups/k....dll-20864.html

 

*/*

 

Nothing much found on kvmxfcf.dll.

For now just rename it to kvmxfcf.dll.old.

 

Then delete it and keep it in your recycle bin.

You can delete it in a week if all is well.

 

I do not think you will ever need it.

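As an added example (not code from this thread, nor from HijackThis or LSPfix), the Python script below applies the triage rules behind nasdaq's fix post to a HijackThis log, and answers the LSPfix question from the follow-up post with an allow-list of the Winsock provider modules that ship with Windows XP. It reads the R0/R1/O4/O10/O20 lines and reports the entry types picked out above: a start page pointing somewhere other than the vendor default, a ProxyServer entry aimed at a public address, a Policies\Explorer\Run autostart, an unknown Winsock LSP module and a non-empty AppInit_DLLs value. The sample log lines are constructed to match the shape of the log posted in this thread; the severity labels, the host allow-list and the function names are my own assumptions, and the script only reports, it changes nothing.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.167.230.39:3128
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O20 - AppInit_DLLs: kvmxfma.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

# Hosts a stock Windows XP / IE7 install points its start and search pages at
# (assumed allow-list); any other host is reported.
KNOWN_PAGE_HOSTS = {"go.microsoft.com", "www.microsoft.com"}

# Winsock LSP modules that are part of the stock XP provider chain. The three
# the poster saw in LSPfix's left pane are all here and must not be removed.
STOCK_XP_LSP_MODULES = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "review"
    section: str    # HijackThis section prefix, e.g. "O20"
    detail: str


_LINE = re.compile(r"^(?P<sec>R[0-3]|O\d+)\s+-\s+(?P<body>.*)$")


def _proxy_finding(value: str) -> Finding:
    """ProxyServer is 'host:port' or 'proto=host:port;proto=host:port'."""
    first = value.split(";")[0].split("=")[-1]
    host = first.rsplit(":", 1)[0]
    try:
        if not ipaddress.ip_address(host).is_private:
            return Finding("high", "R1", f"proxy points at public address {value}")
    except ValueError:
        pass  # a hostname: could be a corporate proxy, still worth confirming
    return Finding("review", "R1", f"proxy configured: {value}")


def classify_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")

    if sec in ("R0", "R1") and " = " in body:
        key, value = body.split(" = ", 1)
        name = key.rsplit(",", 1)[-1]          # e.g. "Start Page"
        if name == "ProxyServer":
            return _proxy_finding(value)
        host = urlsplit(value).hostname or ""
        if host and host not in KNOWN_PAGE_HOSTS:
            return Finding("high" if "Start Page" in name else "review",
                           sec, f"{name} set to {value}")
        return None

    if sec == "O4":
        if "Policies\\Explorer\\Run" in body:
            return Finding("high", sec, f"policy-enforced autostart: {body}")
        # "[name] image": an image without a directory is resolved via PATH,
        # which is worth a second look even when the name sounds legitimate.
        img = body.split("] ", 1)[-1].strip('"')
        if "\\" not in img:
            return Finding("review", sec, f"autostart without full path: {body}")
        return None

    if sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
        return Finding("high", sec, body)

    if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        return Finding("high", sec, body)

    return None


def triage(log_text: str) -> list:
    """Classify every line, dropping exact duplicates (HJT lists an LSP once per entry)."""
    seen, out = set(), []
    for line in log_text.splitlines():
        f = classify_line(line)
        if f and f not in seen:
            seen.add(f)
            out.append(f)
    return out


def lsp_modules_to_remove(listed: list) -> list:
    """Given the module names LSPfix lists, keep only the ones that are not stock XP providers."""
    return [m for m in listed if m.lower() not in STOCK_XP_LSP_MODULES]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.detail}")
    print("LSPfix: remove", lsp_modules_to_remove(["sqmapi32.dll", "mswsock.dll", "winrnr.dll", "rsvpsp.dll"]))
```

Run against the constructed sample it reports five high findings, one for each of the entries the fix post targets, and leaves the benign Run key and service lines alone; the LSP helper returns only sqmapi32.dll, which matches the answer given above about leaving mswsock.dll, winrnr.dll and rsvpsp.dll in place.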

Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
