If you are seeing a Security Center Alert stating that Windows Firewall has blocked activity of harmful software (Spyware.ISpynow, win32.zafi.b, Win32.Netsky.Q, Trojan.Zlob.G, Win32.BackDoor-DNM), then your computer is infected with a trojan that uses this fake Security Center Alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, the trojan displays fake Security Center alerts such as:
Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Security center alert
To help protect your computer, Windows firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: win32.zafi.b
Risk Level: High
Security Center Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: Win32.BackDoor-DNM
Risk Level: High
Description: DNM is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
If you click the Enable Protection button, a web site opens that asks you to download a rogue antispyware program (Perfect Defender 2009 or another rogue antispyware product).
Symptoms in a HijackThis log:
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
O4 - HKCU\..\Run: [WinDNN] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
Note: [RANDOM_NAME] is a randomly generated file name such as runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe, fhexj6825097.exe, klnxv19819115.exe, …
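The O4 entries above can be checked automatically. The following script is an added example (not part of the original guide or of HijackThis) that scans HijackThis O4 lines for the three indicators this page describes: an svchost.exe started from outside System32, a random-named executable under Application Data\Google, and the Run value names listed in the removal script below. The sample log lines, the user name and the file names in it are constructed for the example.

```python
import re

# Constructed sample HijackThis O4 lines, modelled on the indicators listed above.
# The user name and the file names are made up for this example.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SoundMAX] C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe
O4 - HKCU\\..\\Run: [SVCHOST.EXE] C:\\WINDOWS\\system32\\drivers\\svchost.exe
O4 - HKCU\\..\\Run: [winhpdrv] "C:\\Documents and Settings\\User\\Application Data\\Google\\runhh6110411.exe"
O4 - HKCU\\..\\Run: [WinDNN] "C:\\Documents and Settings\\User\\Application Data\\Google\\xtgoj6119471.exe" 2
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Run-key value names used by this family, taken from the removal script on this page.
KNOWN_VALUE_NAMES = {n.lower() for n in (
    "SVCHOST.EXE", "winhpdrv", "HPseti", "HPsetm", "nah_Shell", "windpipe", "WinDNN",
    "wclock", "winclock", "realtecg", "ckcixg", "realtehs", "realtekg", "realtecs",
    "realtechs", "realtecss", "realtecks", "realteks", "realteczs", "realtekc")}

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<rest>.*)$')
# Five random letters followed by 6-8 digits, dropped under Application Data\Google (or \Gmail).
RANDOM_NAME_RE = re.compile(r'\\application data\\(google|gmail)\\[a-z]{5}\d{6,8}\.exe$')

def parse_path(rest):
    """Return the executable path from the text after the [name] tag (quoted or bare)."""
    m = re.match(r'"([^"]+)"', rest) or re.match(r'(.*?\.exe)', rest, re.IGNORECASE)
    return m.group(1) if m else rest.strip()

def scan_hijackthis_log(text):
    """Return (value_name, path, reason) for every O4 entry that matches an indicator."""
    hits = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name, path = m.group("name"), parse_path(m.group("rest"))
        low = path.lower()
        folder, _, base = low.rpartition("\\")
        if base == "svchost.exe" and not folder.endswith("\\system32"):
            hits.append((name, path, "svchost.exe outside System32"))
        elif RANDOM_NAME_RE.search(low):
            hits.append((name, path, "random-named exe under Application Data\\Google"))
        elif name.lower() in KNOWN_VALUE_NAMES:
            hits.append((name, path, "known rogue Run value name"))
    return hits

if __name__ == "__main__":
    for name, path, reason in scan_hijackthis_log(SAMPLE_LOG):
        print(f"[{name}] {path}  <-- {reason}")
```

Paste a real HijackThis log into SAMPLE_LOG (or read it from a file) to list the entries that the removal steps below target; legitimate entries such as ctfmon.exe are not reported.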
Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).
- Right-click the My Computer icon. If you are not using the classic Start menu, right-click My Computer in the Start menu instead.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and then Show hidden devices.
- Scroll down to Non-Plug and Play Drivers.
- Click + at left.
- In the list of drivers, right-click TDSSserv.sys. If you can't find the driver, skip this step and go to the "Please download OTM by OldTimer" step.
- Click Disable.
- Click Yes to confirm.
- Close all windows and reboot your computer.
- Please download OTM by OldTimer from here.
- Run OTM, then copy and paste the following text into the "Paste Instructions for Items to be Moved" window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"=-
"winhpdrv"=-
"HPseti"=-
"HPsetm"=-
"nah_Shell"=-
"windpipe"=-
"WinDNN"=-
"wclock"=-
"realtecg"=-
"ckcixg"=-
"realtehs"=-
"realtekg"=-
"realtecs"=-
"realtechs"=-
"realtecss"=-
"realtecks"=-
"realteks"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"winclock"=-
"realteks"=-
"realtekc"=-
:files
%WinDir%\system32\drivers\svchost.exe
%UserProfile%\nah_eere.exe
%APPDATA%\Google\ijdkq13324484.exe
%APPDATA%\Roaming\Google\dvvm.exe
%APPDATA%\Roaming\Google\mscclock.exe
%APPDATA%\Roaming\Google\vxpclock.exe
%APPDATA%\Roaming\Google\msvclock.exe
%APPDATA%\Google\xtgoj6119471.exe
%APPDATA%\Google\teuaa1726165.exe
%APPDATA%\Google\runhh6110411.exe
%APPDATA%\Google\fhexj6825097.exe
%APPDATA%\Google\klnxv19819115.exe
%APPDATA%\Google\yfijv17721328.exe
%APPDATA%\Google\xpsdg6420222.exe
%APPDATA%\Google\kpldpl.dll
%APPDATA%\Google\vgwsn871850.exe
%APPDATA%\Google\djvlg2072387.exe
%APPDATA%\Google\fbabj220320.exe
%APPDATA%\google\torsi2225487.exe
%APPDATA%\google\lptspcp.dll
%APPDATA%\ckcixg.exe
%APPDATA%\google\ocboo1892823.exe
%APPDATA%\google\sysspc.dll
%APPDATA%\google\phtrc345015.exe
%APPDATA%\google\pfysw721318.exe
%APPDATA%\google\jxzub5410451.exe
%APPDATA%\google\tjwuh601471.exe
%APPDATA%\google\sqean9524272.exe
%APPDATA%\google\mcscrlp32.dll
%APPDATA%\google\jbzey222486.exe
%APPDATA%\Gmail\rygwz7313434.exe
%APPDATA%\google\runhh6110411.exe
- Click the red MoveIt! button.
- When the tool is finished, it will produce a report for you.
- Download Malwarebytes Anti-Malware (MBAM). Close all programs and windows on your computer.
- Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
THANK YOU! that stupid pop-up was driving me crazy!!!!
I ran HijackThis and don’t know what to delete. Should I delete the O20 messages... Winlogon?
Cindy, please read and follow these steps. I will help you.
I apparently have that message that Windows Firewall has blocked some features of this program.
Do I want to block this suspicious software?
Name: Win32.Zafi.B
Yes, it only gave me the choice to Enable Protection, BUT, I did not do that.
First I ran a FULL Scan of my Norton Virus/spyware Internet Security 2008 and removed all my tracking cookies and it said I had no viruses or spyware.
Then I went to look up on the internet this specific problem and found your site here.
I have NOT Enabled Protection so I’m figuring by what you’ve said on this site I have not been tricked into purchasing the Perfect Defender 2009. But, how do I stop this message from coming up again, or do I need to worry about it, or how do I stop this message from happening.
Do I still have to try to remove it? Will it still be collecting info from my computer if I have not been tricked into purchasing the Perfect Defender 2009?
Reading through your removal coding has me seriously lost as I am not that savvy with computers.
Can you help?
Thanks in advance!
shari, if these instructions above do not help you, then follow these steps.
Help.
After clicking “show hidden devices”, I do not have a driver called TDSSserv.sys.
What do I do?
On another note, I tried manually altering the registry, and I fear I may have done something wrong. Spyware Doctor had found a problem with the key called Punnet, or Pundet so I removed it. Is it possible I did something harmful? The computer will no longer boot properly and I am forced to use safe mode.
Please advise.
Dan, probably a few system files are damaged. Please follow these steps. I will check your computer configuration.
Many thanks!
I had bought the PC Tools Spyware Doctor but it did not remove this infection.
After looking at this page I downloaded the Malwarebytes’ Anti-Malware for free and it cleared the problem automatically.
Hi, I’m trying to follow the steps, but my computer keeps on shutting down before I can finish. Is this part of the virus? I’ve already posted my hijackthis log; it was run while I was in safe mode. Thanks in advance for your help.
I had this happen to me yesterday and found it very frustrating. Anyhow, it was pretty simple to fix after finding the right info.
Removal (For XP, the directories may be different for other OS’s, so you might have to do some digging if you’re not on XP)
1. Go to C:\Documents and Settings\Application Data\Google
2. In there you should see two files, one an .exe and the other a .dll. The actual filenames are randomly generated I believe
(mine were called ocboo1892823.exe and sysspc.dll, for example). Depending on whether you have any genuine Google apps such as Google Earth or Google Toolbar installed you might also have a couple of sub-directories in there as well, but you can ignore those. We’re concentrating on those two rogue .exe and .dll files.
3. Since the process is currently running on your machine, Windows probably won’t let you delete the files, so you need to write down the names (you’ll need this in a minute as well), reboot in Safe Mode (or Safe Mode Command Prompt if you’re paranoid like me ;), navigate to the aforementioned folder and delete those two files, the .exe and the .dll. Quit safe mode and reboot into normal Windows again. (To start in safe mode, restart the computer and keep pressing F8.)
4. Go to Start> Run> regedit to open the Registry Editor. In the Registry Editor, go to Edit > Find and search for the filename of the malicious .exe file you just deleted (this is why you just wrote them down). You can safely delete any registry key that refers to it. Don’t forget to press F3 to keep searching after you delete each instance, until you get the message
I used both the Malwarebytes and HijackThis programs and now I have no sound, and when I shut down my PC I get the blue screen. Can anybody help me?
The original instructions didn’t work for me but deleting the file from Application Data/google did the trick. Many thanks to eldon.
aleron, please follow these steps.
Hi, I can’t find TDSSserv.sys in my list of non Plug and Play drivers. It doesn’t appear to be there?
Chris, skip the step. Go to “Please download OTmoveIt3…”
This has worked perfectly! Thank you.
I can not find the device manager.
Yea, try this, it really works!!
I have got a problem with the sound device, it said:
“Any device sound was find”
My report of hijackthis
…
Sorry for the double post.
Thank you very much !! Worked Great
Ivan, please follow these steps.
patrik, stfu up. Yea, let’s go through countless steps of joining a forum, installing programs and spending hours, maybe days following instructions that the majority of today’s stupid computer users will find too difficult. After all, if you can’t punch some random keys and click your mouse two times, it’s too hard for them.
Took less than 2 mins to use Eldon’s solution to clear the problem. Someone who isn’t technically apt will need longer, but that is the bottom line of what you do to remove this as of Feb ’09. Don’t forget your Malwarebytes scan afterward.
Sorry…but Help! I’m not good with hardware/technical aspect. I have this same problem! Win32.Zafi.B!! Browsed peoples questions and answers here…I can’t seem to follow through, can someone help me?
(I’m kinda dumb with computers >_<) Thank you for your time!
Andrew, please follow these steps.
Thank you very much Eldon!! Your instructions worked great.
Many thanks!!!
I got this trojan and when done properly it is very simple to remove. Start up in safe-mode (to do this reboot and tap f8 repeatedly). Then click on start, click my computer, click c:, at the top of the page in the c: bar type C:\documents and settings\application data\google.
Hit enter. Now delete sxkzw965566 and/or kzjna1562565 and the .dll files. Done.
I did everything you said, except when it came to the Malwarebytes Anti Malware installation. I downloaded Mbam-setup.exe, but when I try opening it, nothing happens! The installation doesn’t open or anything. I tried double clicking on it, which did nothing. I left clicked, then clicked run, I even went to task manager and clicked on ‘New task’ to open it! And yet, still nothing happens! And the task bar balloons and alerts are still there! Please help me!
John, it looks like your computer is also infected with a trojan that blocks Malwarebytes’ Anti-Malware. Ask for help at our forum.
Everything worked until I installed Malwarebytes Anti-Malware. After I installed it, I double-clicked it to run, but it never launched. I keep doing it and doing it, still no run. I’ve tried reinstalling, but still no run. Someone please help me.
Alyson, it looks like your computer is infected with a new version of the malware. Try to run Malwarebytes in Safe Mode or ask for help at the Spyware Removal forum.