If you are seeing a Security Center Alert stating that Windows Firewall has blocked activity of harmful software (Spyware.ISpynow, win32.zafi.b, Win32.Netsky.Q, Trojan.Zlob.G, Win32.BackDoor-DNM), then you have become infected with a trojan that uses this Security Center Alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, this trojan will display fake Security Center alerts that tell you:
Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Security center alert
To help protect your computer, Windows firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: win32.zafi.b
Risk Level: High
Security Center Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: Win32.BackDoor-DNM
Risk Level: High
Description: DNM is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
If you click the enable protection button, a site opens asking you to download a rogue antispyware program (Perfect Defender 2009) or another rogue antispyware software.
Symptoms in a HijackThis Log.
O4 – HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 – HKCU\..\Run: [winhpdrv] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe”
O4 – HKCU\..\Run: [HPseti] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe”
O4 – HKCU\..\Run: [windpipe] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe” 2
O4 – HKCU\..\Run: [WinDNN] “C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe” 2
Note: [RANDOM_NAME] is a random file name, for example runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe, fhexj6825097.exe, klnxv19819115.exe …
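The symptoms above can be checked automatically. The following Python code is an added example, not part of the original instructions or of HijackThis: it scans the O4 Run lines of a saved HijackThis log for the value names listed on this page, for svchost.exe started from outside system32, and for random-named executables under Application Data\Google. The sample log is constructed, and the "five letters plus 6 to 8 digits" name pattern is an assumption drawn from the file names listed on this page.

```python
import ntpath
import re

# Run value names copied from the HijackThis excerpt and OTM script on this page.
PAGE_RUN_NAMES = {"svchost.exe", "winhpdrv", "hpseti", "hpsetm", "nah_shell",
                  "windpipe", "windnn", "wclock", "winclock", "ckcixg"}

O4_RUN = re.compile(r"^O4\s+[-\u2013]\s+(HKCU|HKLM)\\\.\.\\Run:\s+\[([^\]]+)\]\s+(.+)$")
EXE_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)
# Assumption: dropped files are named five letters plus 6-8 digits, as in the page's list.
RANDOM_DROP = re.compile(
    r"\\(?:Application Data|AppData\\Roaming)\\(?:Google|Gmail)\\[a-z]{5}\d{6,8}\.exe$", re.I)


def scan(log_text):
    """Return [(hive, value_name, path, [reasons])] for suspicious O4 Run entries."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        hive, name, command = m.groups()
        found = EXE_PATH.search(command)
        path = found.group(0) if found else command.strip('"\u201c\u201d ')
        reasons = []
        if name.lower() in PAGE_RUN_NAMES:
            reasons.append("run value name listed on this page")
        folder, base = ntpath.split(path.lower())
        if base == "svchost.exe" and not folder.endswith("\\system32"):
            reasons.append("svchost.exe outside system32")
        if RANDOM_DROP.search(path):
            reasons.append("random-named exe under Application Data\\Google")
        if reasons:
            findings.append((hive, name, path, reasons))
    return findings

# Constructed sample log: two entries modelled on the page's excerpt, two benign ones.
SAMPLE_LOG = "\n".join([
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"',
    r'O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe',
    'O4 \u2013 HKCU\\..\\Run: [windpipe] \u201cC:\\Documents and Settings\\User'
    '\\Application Data\\Google\\ijdkq13324484.exe\u201d 2',
    r'O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"',
])

if __name__ == "__main__":
    for hive, name, path, reasons in scan(SAMPLE_LOG):
        print(f"{hive} [{name}] {path}: {'; '.join(reasons)}")
```

A clean result only means none of these three indicators are present in the Run keys; it does not cover the hidden TDSSserv.sys driver, which is handled in Device Manager in the steps below.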
Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers, right click TDSSserv.sys. If you can't find the driver, then skip this step and go to the “Please download OTmoveIt3” step.
- Click Disable.
- Click YES to confirm.
- Close all windows and reboot your computer.
- Please download OTM by OldTimer from here.
- Run OTM, copy, then paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"=-
"winhpdrv"=-
"HPseti"=-
"HPsetm"=-
"nah_Shell"=-
"windpipe"=-
"WinDNN"=-
"wclock"=-
"realtecg"=-
"ckcixg"=-
"realtehs"=-
"realtekg"=-
"realtecs"=-
"realtechs"=-
"realtecss"=-
"realtecks"=-
"realteks"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"winclock"=-
"realteks"=-
"realtekc"=-
:files
%WinDir%\system32\drivers\svchost.exe
%UserProfile%\nah_eere.exe
%APPDATA%\Google\ijdkq13324484.exe
%APPDATA%\Roaming\Google\dvvm.exe
%APPDATA%\Roaming\Google\mscclock.exe
%APPDATA%\Roaming\Google\vxpclock.exe
%APPDATA%\Roaming\Google\msvclock.exe
%APPDATA%\Google\xtgoj6119471.exe
%APPDATA%\Google\teuaa1726165.exe
%APPDATA%\Google\runhh6110411.exe
%APPDATA%\Google\fhexj6825097.exe
%APPDATA%\Google\klnxv19819115.exe
%APPDATA%\Google\yfijv17721328.exe
%APPDATA%\Google\xpsdg6420222.exe
%APPDATA%\Google\kpldpl.dll
%APPDATA%\Google\vgwsn871850.exe
%APPDATA%\Google\djvlg2072387.exe
%APPDATA%\Google\fbabj220320.exe
%APPDATA%\google\torsi2225487.exe
%APPDATA%\google\lptspcp.dll
%APPDATA%\ckcixg.exe
%APPDATA%\google\ocboo1892823.exe
%APPDATA%\google\sysspc.dll
%APPDATA%\google\phtrc345015.exe
%APPDATA%\google\pfysw721318.exe
%APPDATA%\google\jxzub5410451.exe
%APPDATA%\google\tjwuh601471.exe
%APPDATA%\google\sqean9524272.exe
%APPDATA%\google\mcscrlp32.dll
%APPDATA%\google\jbzey222486.exe
%APPDATA%\Gmail\rygwz7313434.exe
%APPDATA%\google\runhh6110411.exe
- Click the red Moveit! button.
- When the tool is finished, it will produce a report for you.
- Download MalwareBytes Anti-malware (MBAM). Close all programs and Windows on your computer.
- Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
I also have this same problem 🙁
Unfortunately, it is hard for me to follow the directions because my computer’s language is in Korean.
I cannot find the ‘Hardware Tab’ and neither the ‘Device Manager’
Is there any other way I can find either of those?
Please help.
Or at least descriptions on how the two things look?
This infection was a total pain. I checked several forums before I found this and everyone was saying reformat. I’m glad I found this.
2 things, per the instructions, when you run Moveit and paste the code into the box, there are a couple of different options. I used the …
Think my last post got cut off. Continuing:
…couple of different options. I used the Move It button, which after about 10 seconds the program stopped responding. The trojan appears to be gone, but I wanted to be sure this wasn’t anything to worry about, or it’s the norm for MoveIt to behave like that.
Thanks.
Alica, I don't know the Korean language. But you can use the way for removing trojan TDSServ.
Dana, I can check up your PC. Read and follow these steps.
I have a very similar problem but instead of Spyware.ISpynow it says Sinowal.Trojan. Will the same procedure work for me?
Excellent post, it worked perfectly, even without the TDSServ.sys being in the device manager.
Do the rest of the instructions, and it works. Thanks again, very very well done.
Thanks for your reply, Patrik.
However, does ‘removing trojan TDSServ’ has got to do with Spyware.Ispynow?
After removing TDSServ trojan, complete the remaining steps of current instruction.
Natasha, please read and follow these steps.
Even though I couldn’t find TDSSserv.sys on my system I was able to eliminate this virus from my system using the remainder of the instructions. Thanks!
This worked! I tried other suggestions but none of them worked. Thanks so much.
You are the King! This issue has been such a pain, but these steps resolved the problem. Thanks!
Attempting to remove fake security center alert. There is no TDSSserv.sys apparent. There is however serial with ! surrounded by yellow. What is the significance of that icon? Should that be disabled?
Thanks
These are devices which work with errors and have been disabled.
Myers, please read and follow these steps.
Thank you so much. Normally I would not have spent so much time with so infected a computer I had, but it was my dad’s and I took it as a challenge. Thanks so much. Never used OTmoveIt3 before. Lifesaver for sure.
Worked perfectly…Thanks so much!!!
When I right-click the My Computer icon, there’s no “hardware tab”, I’ve never seen tabs when right-clicking icons so don’t know what that means. Also can’t download fixes on that computer since virus shuts down browsers. Help?
Lacy, right click the My computer icon, click Properties and after that click Hardware Tab.
got rid of my xtgoj6119471.exe problem!!! I tried every antivirus program under the sun combined, and it still didn’t do the job of what you instructed. The OTMoveIt program didn’t work for me so well, but the Malwarebytes software did what AVG, McAfee, Spybot S&D, Avira, and AdAware could not. Thank you masked stranger.
Frank.
Is sinowal.trojan the security alert for the defender site? Also, what do you think of F-secure online scanner, will it remove this trojan?
Stacey, probably yes, but there is no 100% guarantee. Please read and follow these steps.
THANKS ! I had been going nuts trying to figure out what was wrong with my computer, and just how to fix it! I was just getting ready to reformat (had made my backups) ,when I found this post. Thanks to you I do not have to do this ! You just made this old man very happy! Hope you have a Merry Christmas and God bless ! tnshadows
Thank you, thank you, thank you, worked great. I bought some other spyware remover that did not work but this free Malwarebytes anti-malware solved my problem with the system security bug
Thanks, this solution worked great and no more annoying warnings. Great solution.
I tried the above and it didn’t work so I downloaded HijackThis and did what you said and posted it on the website you have been telling people to go to.
Didn't find the TDSSserv.sys driver but still worked like a charm. Thanks a million, buddy.
OTMoveIt3 continues to lock up on me. I can get about 8 lines into the results and it quits running.
Any ideas?
Sorry for my last post. I read further and will attach a HiJack log on the other page. Thanks in advance.
Thanks so much! This worked perfectly.