TSPY Virus Infection - how to remove?


This topic is locked
5 replies to this topic

#1 vision (Full Member, 2 posts)

Posted 21 November 2007 - 09:42 PM

A friend's computer has been infected by the TSPY virus, according to the PC Cillin anti-virus program running on her PC. When the PC is booted, sometimes (but not always), the PC Cillin anti-virus program keeps displaying a series of various TSPY virus infection screens in the lower right hand corner of the screen. They just keep coming up on the screen and there is no way to click on anything to stop them or take any action, other than shutting down.

I have read this forum's FAQ and here's some additional info and steps taken:
- ran Spybot S&D
- ran AVG Anti-Spyware scan (report posted below)
- did not run online anti-virus program suggested due to not being able to access internet
- ran Hijackthis scan (report posted below)
- looked at browser properties and saw that browser has been hijacked to hxxttp://kzdh.com/?g
- processes using most memory are PcScnSrv.exe, tmproxy.exe, PcCtlCom.exe (don't really know what these programs are)

Here is the AVG report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:49:42 PM 11/19/2007

+ Scan result:



C:\Program Files\conimee.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).
C:\RECYCLER\rrr.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0081328.exe -> Logger.Agent.akq : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.17:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.18:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\HarrisLu\Local Settings\Temp\Cookies\harrislu@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.21:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.22:C:\Documents and Settings\HarrisLu\Application Data\Mozilla\Firefox\Profiles\9r7ebnu2.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\system32\rsmygpm.dll -> Trojan.OnLineGames.gqg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080140.exe -> Trojan.OnLineGames.gwy : Cleaned with backup (quarantined).
C:\Documents and Settings\HarrisLu\Local Settings\Temp\tmp25.tmp -> Trojan.OnLineGames.gyu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080010.exe -> Trojan.OnLineGames.hcr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avzxfst.exe -> Trojan.OnLineGames.hcr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[236] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[288] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[300] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[476] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[560] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[640] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[684] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
[980] C:\WINDOWS\system32\avzxfmn.dll -> Trojan.OnLineGames.hcx : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080137.exe -> Trojan.OnLineGames.heq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080138.exe -> Trojan.OnLineGames.heq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP83\A0080141.exe -> Trojan.OnLineGames.hfn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kawdczy.dll -> Trojan.OnLineGames.hgx : Cleaned with backup (quarantined).


::Report end


Here is the Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:20 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\DOCUME~1\HarrisLu\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\HJT\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.167.230.39:3128
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor.lnk = C:\Program Files\SanDisk\SanDisk TransferMate\SD Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O20 - AppInit_DLLs: kvmxfma.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe

--
End of file - 8159 bytes


Any help in removing this TSPY virus would be most appreciated.

Happy Thanksgiving all!

V

Edited by nasdaq, 29 November 2007 - 11:26 AM: bad link obfuscated.


#2 SWI Support Robot (Helper robot, SWI Bot, 23,487 posts)

Posted 24 November 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq (Forum Deity, Global Moderator, 48,294 posts)

Posted 29 November 2007 - 11:48 AM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"
Select: sqmapi32.dll (left pane)
Click the right arrow to bring it to REMOVE (right pane).
Repeat if more than one such item.
Then click the FINISH button. Restart your computer.
*/*

Disable AVG Anti-Spyware (formerly ewido):

Please disable AVG Anti-Spyware, as it may interfere with the fix.
  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an ‘S’ in the system tray.
  • In the Resident Shield section, toggle the AVG Anti-Spyware active protection ‘off’ by clicking Change state which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
  • Reply ‘no’ and set it to ‘inactive’ for the duration of your cleanup.

Once your log is clean, you can re-enable Ewido.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O20 - AppInit_DLLs: kvmxfma.dll


Click on Fix Checked when finished and exit HijackThis.

Delete these files/folders in bold if found.

Files
c:\windows\system32\sqmapi32.dll
c:\windows\system32\kvmxfma.dll

Folder
C:\windows\system32\com\

Restart the computer to complete the fix.
*/*

Enable AVG Anti-Spyware.
*/*

Submit a fresh HijackThis log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
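As an added example (not code from the thread, from HijackThis or from its author), the Python below parses the log format shown in post #1 and flags the entry types nasdaq picked out for fixing (the O10 Winsock LSP entry, the O20 AppInit_DLLs entry and the O4 Policies\Explorer\Run entry), plus the ProxyServer and Start Page lines from the same log that a reviewer would also check. The sample log is a constructed subset of the posted one, and the list of expected start-page domains is an assumption.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed subset of the HijackThis log in post #1; the pccguide.exe and
# tmproxy lines are benign and are kept to show the rules stay quiet on them.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://kzdh.com/?g
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.167.230.39:3128
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\sqmapi32.dll
O20 - AppInit_DLLs: kvmxfma.dll
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
"""

# Assumption: domains a stock IE start page on this Dell machine is expected to use.
EXPECTED_HOMEPAGE_DOMAINS = ("dell4me.com", "microsoft.com")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

class Finding(NamedTuple):
    section: str
    reason: str
    line: str

def classify(section: str, body: str) -> Optional[str]:
    """Return why an entry deserves review, or None when no rule applies."""
    if section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
        return "Winsock LSP DLL HijackThis cannot vouch for (the thread removed it with LSPfix)"
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        dll = body.split(":", 1)[1].strip()
        if dll:
            return f"AppInit_DLLs loads {dll} into every process that maps user32.dll"
    if section == "O4" and "Policies\\Explorer\\Run" in body:
        return "autostart registered under the Explorer policy key instead of the usual Run key"
    if section == "R1" and ",ProxyServer = " in body:
        return "IE proxy configured; browser traffic is routed through a third-party host"
    if section in ("R0", "R1") and ",Start Page = " in body:
        url = body.split(" = ", 1)[1]
        if not any(dom in url for dom in EXPECTED_HOMEPAGE_DOMAINS):
            return "IE start page points outside the expected vendor domains"
    return None

def triage(log_text: str) -> List[Finding]:
    """Parse a HijackThis log and return the entries to review, one per distinct line."""
    findings, seen = [], set()
    for raw in log_text.splitlines():
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match or line in seen:  # skip blanks, headers and exact repeats (O10 is listed twice)
            continue
        seen.add(line)
        reason = classify(match["section"], match["body"])
        if reason:
            findings.append(Finding(match["section"], reason, line))
    return findings
```

Running `triage(SAMPLE_LOG)` returns five findings (R0, R1, O4, O10, O20) and leaves the benign Run and Service entries alone.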

#4 vision (Full Member, 2 posts)

Posted 02 December 2007 - 08:56 AM

Thank you nasdaq for your help and instructions. I attempted to do the fix as you detailed, however, I had a few questions that I thought it would be better to ask first before perhaps doing something wrong:

1. When I ran LSPfix, I saw the sqmapi32.dll file in the left pane to move to the right pane (remove). Your instruction said to repeat if more than one such item. There were 3 other files shown in the left pane: mswsock.dll, winrnr.dll, and rsvpsp.dll. I wasn't sure if I should move those files to the right pane also, or only other files named sqmapi32.dll if found. Please let me know if I should move the other 3 .dll files to the right pane.

2. You instructed to delete the files sqmapi32.dll and kvmxfma.dll in the c:\windows\system32\ directory. I used Windows Explorer to find these files and noticed that sqmapi32.dll was dated 11/12/2007 4:12pm (the date I think the virus infection happened), but kvmxfma.dll was dated 8/4/2004 (the date of most of the .dll files in that directory). There is a file named kvmxfcf.dll with the date of 11/12/2007 4:12pm. I just want to make sure you meant me to delete the kvmxfma.dll file from 2004 instead of the kvmxfcf.dll file. Sorry for extra caution; just want to make sure I delete the correct file. Also, when I delete these files using Windows Explorer, they will go to the Recycle Bin. Should I also delete them again from the Recycle Bin?

Much thanks again,
V

#5 nasdaq (Forum Deity, Global Moderator, 48,294 posts)

Posted 02 December 2007 - 11:05 AM

Glad you asked these questions.

Move and delete only these sqmapi32.dll entries.

*/*

kvmxfma.dll you should delete.
http://www.bleepingc....dll-20864.html

*/*

Nothing much found on kvmxfcf.dll.
For now, just rename it to kvmxfcf.dll.old.

Then delete it and keep it in your recycle bin.
You can delete it in a week if all is well.

I do not think you will ever need it.
nasdaq


#6 nasdaq (Forum Deity, Global Moderator, 48,294 posts)

Posted 15 December 2007 - 09:05 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

