If you are seeing a Security Center Alert stating that Windows Firewall has blocked activity of harmful software (Spyware.ISpynow, win32.zafi.b, Win32.Netsky.Q, Trojan.Zlob.G, Win32.BackDoor-DNM), then your computer is infected with a trojan that uses this fake alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, the trojan displays fake Security Center alerts such as these:
Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Security center alert
To help protect your computer, Windows firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: win32.zafi.b
Risk Level: High
Security Center Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: Win32.BackDoor-DNM
Risk Level: High
Description: DNM is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
If you click the enable protection button, a site opens asking you to download the rogue antispyware program Perfect Defender 2009 or another rogue antispyware program.
Symptoms in a HijackThis Log.
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
O4 - HKCU\..\Run: [WinDNN] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
Note: [RANDOM_NAME] stands for a randomly generated file name, for example runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe, fhexj6825097.exe, klnxv19819115.exe …
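As an added example (not part of the original guide or of any tool it names), the Python sketch below scans the O4 lines of a HijackThis log for the symptoms listed above. The function names, the random-name pattern (five letters plus six to eight digits, inferred from the sample file names on this page) and the sample log are assumptions made for illustration.

```python
import re
from ntpath import basename, dirname

# Run value names taken from this page's HijackThis excerpt and OTM script.
KNOWN_VALUE_NAMES = {"svchost.exe", "winhpdrv", "hpseti", "hpsetm", "windpipe", "windnn"}
# Assumed heuristic: five letters + 6-8 digits, the shape of the sample names in the note.
RANDOM_EXE = re.compile(r"^[a-z]{5}\d{6,8}\.exe$", re.I)
O4_LINE = re.compile(  # accepts "-" or the typographic dash web pages substitute for it
    r"^O4\s*[-\u2013]\s*(?P<hive>HK\w+)\\\.\.\\Run:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$")

def image_path(cmd):
    """Return the executable path from a Run command line (quoted or bare)."""
    cmd = cmd.strip().replace("\u201c", '"').replace("\u201d", '"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd

def triage(log_text):
    """Return (value_name, path, reasons) for O4 Run entries matching this page's symptoms."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        path = image_path(m.group("cmd"))
        folder, exe = dirname(path).lower(), basename(path).lower()
        reasons = []
        if m.group("name").lower() in KNOWN_VALUE_NAMES:
            reasons.append("known value name")
        if exe == "svchost.exe" and not folder.endswith("\\system32"):
            reasons.append("svchost.exe outside system32")  # genuine copy lives in system32
        if folder.endswith("\\application data\\google") and RANDOM_EXE.match(exe):
            reasons.append("random-named exe in Application Data\\Google")
        if reasons:
            findings.append((m.group("name"), path, reasons))
    return findings

# Constructed sample log: two lines modelled on the page, two benign lines.
SAMPLE = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\\..\\Run: [SVCHOST.EXE] C:\\WINDOWS\\system32\\drivers\\svchost.exe
O4 - HKCU\\..\\Run: [windpipe] "C:\\Documents and Settings\\User\\Application Data\\Google\\runhh6110411.exe" 2
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

A match is only a lead for manual review: the file names differ between infections, so an empty result does not prove the machine is clean.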
Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers, right click TDSSserv.sys. If you can't find the driver, then skip this step and go to the “Please download OTmoveIt3” step.
- Click Disable.
- Click YES to confirm.
- Close all windows and reboot your computer.
- Please download OTM by OldTimer from here.
- Run OTM, then copy and paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"=-
"winhpdrv"=-
"HPseti"=-
"HPsetm"=-
"nah_Shell"=-
"windpipe"=-
"WinDNN"=-
"wclock"=-
"realtecg"=-
"ckcixg"=-
"realtehs"=-
"realtekg"=-
"realtecs"=-
"realtechs"=-
"realtecss"=-
"realtecks"=-
"realteks"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"winclock"=-
"realteks"=-
"realtekc"=-
:files
%WinDir%\system32\drivers\svchost.exe
%UserProfile%\nah_eere.exe
%APPDATA%\Google\ijdkq13324484.exe
%APPDATA%\Roaming\Google\dvvm.exe
%APPDATA%\Roaming\Google\mscclock.exe
%APPDATA%\Roaming\Google\vxpclock.exe
%APPDATA%\Roaming\Google\msvclock.exe
%APPDATA%\Google\xtgoj6119471.exe
%APPDATA%\Google\teuaa1726165.exe
%APPDATA%\Google\runhh6110411.exe
%APPDATA%\Google\fhexj6825097.exe
%APPDATA%\Google\klnxv19819115.exe
%APPDATA%\Google\yfijv17721328.exe
%APPDATA%\Google\xpsdg6420222.exe
%APPDATA%\Google\kpldpl.dll
%APPDATA%\Google\vgwsn871850.exe
%APPDATA%\Google\djvlg2072387.exe
%APPDATA%\Google\fbabj220320.exe
%APPDATA%\google\torsi2225487.exe
%APPDATA%\google\lptspcp.dll
%APPDATA%\ckcixg.exe
%APPDATA%\google\ocboo1892823.exe
%APPDATA%\google\sysspc.dll
%APPDATA%\google\phtrc345015.exe
%APPDATA%\google\pfysw721318.exe
%APPDATA%\google\jxzub5410451.exe
%APPDATA%\google\tjwuh601471.exe
%APPDATA%\google\sqean9524272.exe
%APPDATA%\google\mcscrlp32.dll
%APPDATA%\google\jbzey222486.exe
%APPDATA%\Gmail\rygwz7313434.exe
%APPDATA%\google\runhh6110411.exe
- Click the red Moveit! button.
- When the tool is finished, it will produce a report for you.
- Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
- Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
I am following the download instructions to have this removed but it will not allow me to connect to the internet.
Thank you so much! This worked.
MC
Man, you're a life saver, thank you so much
Thank you, thank you, thank you! It worked perfectly.
Yes, I was pulling my hair out until I came across your webpage. This info/technique saved me big time. Shoot me an email and I will make a paypal donation to you. Again, big big thanks
I tried using the avenger but after I copy and paste the script you posted it gives me an error saying
Error: Invalid script. A valid script must begin with a command directive. Aborting execution!
Ben, script is ok. Just checked it.
Try typing the text of the script manually into the Input script box.
You ROCK Dude! This worked like a charm! MANY Thanks!
Fantastic solution. One detail, though – the name of the files in %UserProfile%\Application Data\Google\ were different for me, and there was a DLL added there as well. But I loaded the files into the Avenger script and all went well. Oddly, McAfee didn’t detect this trojan when I scanned memory and files, but its on-access scanner detected the TDSS files when MBAM scanned them.
Muchas Gracias!!!
I’m still getting the same error
Ben, please read these instructions.
Worked great! Thanks for your help.
I am trying to get rid of the spyware.ISpynow fake alert, but when I go into my non plug and play drivers the TDSSserv.sys is not listed!!! What next?
all scans come up empty…help
Thanks Scott
Scott, you are probably infected with a new version of the fake security alert trojan. Please follow these instructions.
Thanks for trying to help patrick…I tried to create an acct at Myantispyware but it will not send me the email to authenticate my acct…another dead end…sigh..maybe you guys can send me the email so I can open my acct?
Hello again…i need the email sent to me so I can open my acct with you guys …
thanks
Amazing thank you so much
Scott, try another email address.
These instructions did not work for me. When I run Avenger with that script, it says it can’t find the files. Malwarebytes is also not picking anything up, but I still get the Spyware.ISpynow popup and it’s preventing practically everything on my computer from working.
SpyHunter was able to successfully find the file where Malwarebytes failed, but requires registration to remove it and I can’t open the internet to do it nor do I really want to pay 29.95 to get this ridiculous malware removed. Any help would be appreciated.
Aaron
Malwarebytes gave me the following error about 10 times throughout the full scan: Error Code 731 (0,9)
It’s still coming back with 0 infections.
A visiting friend got this on my computer trying to watch videos. Followed the instructions and it worked. I noticed the avenger program wasn’t successful in efforts to …
Well it didn’t work after all: I thought it was fine, so I reloaded Firefox and it still pops up and won’t let me keep Firefox running. Guess I’ll run a full scan with your software to see if it removes it.. or should I rerun the job above, again??
Aaron and Bruce, please follow these instructions.
I followed the instructions but I get errors like this:
Error: file ‘c:\WINDOWS\system32\drivers\scvhost.exe’ not found! after rebooting from running avenger. I started a malwarebytes scan before coming across this site and it deleted some files. would this affect the process?
Gine,
It's not a problem.
If you are still having problems with your computer, then read and follow these instructions.
I found the last file item on my system last night and changed the avenger program to cover that one listed %UserProfile%\Application Data\Google\xtgoj6119471.exe which seems to have solved it for now…thanks for this site..
Hi,
I am also infected with spyware.iSpynow. As per your instruction, when I right-click My Computer > Hardware > Device Manager > View … Show hidden devices … but I couldn't find TDSSserv.sys. This malware is disabling realtime protection of my Bit Defender Internet security.. When I go to My Computer and try to open it, it shows only the C drive and a message pops up: to use sharing folder, you need to sign in window live messenger.. then if I click OK then it shows all drives and folders. Btw I am using an Acer Aspire 5100 notebook.. please help..
Hunter, please follow these instructions. Myantispyware team will help you.
Thanks for speedy reply Prateek..I tried to register..but I haven't received confirmation email on my email…so I couldn't login
Help Please
Hunter, email with login information was sent. But if you have not received the email, please register again using another email, use gmail.com for example.