Author Topic: Spyware.ISpynow Infection  (Read 8355 times)


rlh781
Spyware.ISpynow Infection
« on: December 02, 2008, 11:40:07 PM »
My computer is infected with Spyware.ISpynow. Does Avast identify this and how do I remove it? I'm getting kicked out of the internet and continually being notified of this infection.

DavidR
Re: Spyware.ISpynow Infection
« Reply #1 on: December 03, 2008, 12:12:25 AM »
How do you know, e.g. what detected it, what is notifying you?
There are rogue applications that display fake alerts, hence my question above. If this is coming from an unknown application and not one you installed, there is a greater chance it is a fake alert, but it still needs to be dealt with.

Are you using avast?
There is no ISpynow in the virus database, but that isn't unusual as there is no standard naming convention for malware names.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

essexboy
Re: Spyware.ISpynow Infection
« Reply #2 on: December 03, 2008, 12:19:40 AM »
This is a fairly new (one week) infection and is generally recognisable by this line in HijackThis:

O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\*****\Application Data\Google\runhh6110411.exe"
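
An added example, not from the thread: a small Python parser that scans HijackThis O4 (autorun) lines for the pattern essexboy points at, an entry whose executable sits under Application Data with a random-looking name. The HPseti line is the one quoted above; the other sample lines are constructed for contrast, and the two flagging rules are my own heuristics, not part of HijackThis.

```python
import re
from dataclasses import dataclass, field

# HijackThis O4 line: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Directories a legitimate autorun rarely lives in (compared case-insensitively)
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

@dataclass
class O4Entry:
    hive: str
    name: str
    exe: str
    reasons: list = field(default_factory=list)

def exe_from_command(cmd):
    """Pull the executable path out of a Run command, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                     # "C:\path with spaces\x.exe" args
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)  # bare path: cut after .exe
    return m.group(1) if m else cmd.split()[0]

def parse_o4(line):
    """Parse one O4 line; attach the reasons it looks like a dropper's autorun."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = O4Entry(m.group("hive"), m.group("name"), exe_from_command(m.group("cmd")))
    low = entry.exe.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        entry.reasons.append("runs from a user profile or temp directory")
    if re.fullmatch(r"[a-z]+\d{5,}\.exe", low.rsplit("\\", 1)[-1]):
        entry.reasons.append("random-looking executable name with a long digit run")
    return entry

def flagged(log_text):
    """Return the O4 entries of a HijackThis log that have at least one reason."""
    entries = (parse_o4(l) for l in log_text.splitlines())
    return [e for e in entries if e and e.reasons]

# Constructed sample: the HPseti line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\*****\Application Data\Google\runhh6110411.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""
```

Running `flagged(SAMPLE_LOG)` on the constructed log returns only the HPseti entry, with both reasons attached; the Adobe and ctfmon entries pass clean.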

essexboy
Re: Spyware.ISpynow Infection
« Reply #3 on: December 03, 2008, 12:24:07 AM »
Additionally, reviewing the last case I had of this, it may also have the TDSS rootkit.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

DavidR
Re: Spyware.ISpynow Infection
« Reply #4 on: December 03, 2008, 02:26:30 AM »
This is a fairly new (one week) infection and is generally recognisable by this line in HijackThis:

O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\*****\Application Data\Google\runhh6110411.exe"


Thanks for the input essexboy, what do you think of this topic relating to the TDSS rootkit?
http://www.malwarebytes.org/forums/index.php?showtopic=7194

Especially the bit about a router being infected in reply #8?

essexboy
Re: Spyware.ISpynow Infection
« Reply #5 on: December 03, 2008, 10:11:54 PM »
Hi David, unfortunately MBAM does not quite clear all of it, and as for the router infection, that is becoming quite common now. It is initiated by the Zlob malware and, being rather sneaky, it removes any trace of the infection from the host computer. The first one I did took four days to track down due to the lack of any trace.

But I am starting to get better at it now.

polonus
Re: Spyware.ISpynow Infection
« Reply #6 on: December 03, 2008, 10:33:08 PM »
Hi essexboy,

Just to get better at it still, I compiled what needs to be killed or deleted for the simple ISpyNow malware:

Kill the following processes and stop the following iSpyNOW processes:

ispynow.exe
configure.exe
isn_builder.exe
softmod32.exe
uninstall-ispynow.exe

Stop iSpyNOW processes:

C:\Program Files\iSpyNOW\ispynow.exe
C:\Program Files\iSpyNOW\1500 nokia ringtones.exe
C:\Program Files\iSpyNOW\Virtuagirl_brianabanks_full.exe
C:\Program Files\iSpyNOW\grand theft auto vice city.exe
C:\Program Files\iSpyNOW\turbo tax key code.exe
C:\Program Files\iSpyNOW\Keygen super bounce out.exe
C:\Program Files\iSpyNOW\a (1).exe
C:\Program Files\iSpyNOW\TURBO_TAX_KEY_CODE.EXE
C:\Program Files\iSpyNOW\AolPassHack.exe, BIKO.EXE
C:\Program Files\iSpyNOW\UOGAMER.EXE
C:\Program Files\iSpyNOW\EBLASTER.EXE
perfectdefender2009.exe
c:\Program Files\Perfect Defender 2009\pdefendr.exe
%UserProfile%\Local Settings\Temp\ikbmqvex.exe
ikbmqvex.exe

Get rid of dll's:

C:\Program Files\iSpyNOW\ISNSYS.dll
%UserProfile%\Desktop\sccmsk.dll
%UserProfile%\My Documents\PerfectDefender2009\SDBHO.dll

Delete folders:

C:\Program Files\iSpyNOW\
c:\Program Files\Perfect Defender 2009\

Delete files:

C:\Program Files\iSpyNOW\Joi2A6.tmp
C:\Program Files\iSpyNOW\Joi2D0.tmp
c:\Program Files\Perfect Defender 2009\dbbase.div
%UserProfile%\My Documents\PerfectDefender2009\sdcfg.dat

Delete these registry entries
Remove the following iSpyNOW registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsofttray
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\microsoft tray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\isntray
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iSpyNOW
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "asus32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PDefender
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Perfect Defender 2009"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Perfect Defender 2009

Remove the following files:

configure.exe,
disclaimer.txt,
help.htm,
isn_builder.exe
ispynow configuration wizard.lnk,
ispynow.exe
ispynow disclaimer.lnk,
ispynow password - important!!.lnk,
ispynow readme.lnk,
ispynow users guide.lnk,
ispynow-setup.reg,
license agreement.lnk,
license.txt, password - important!!.txt,
readme.txt,
remove ispynow 2.0.lnk,
uninstal.log,
uninstall-ispynow.exe.
softmod32.exe

Hope this helps a bit in the hunt for this dangerous hacking malware,

polonus
« Last Edit: December 03, 2008, 10:49:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DavidR
Re: Spyware.ISpynow Infection
« Reply #7 on: December 03, 2008, 11:15:06 PM »
Hi David, unfortunately MBAM does not quite clear all of it, and as for the router infection, that is becoming quite common now. It is initiated by the Zlob malware and, being rather sneaky, it removes any trace of the infection from the host computer. The first one I did took four days to track down due to the lack of any trace.

But I am starting to get better at it now.

I appreciate that MBAM didn't/doesn't clean it all; my interest is in how you go about cleaning an infected router, or how it becomes infected and runs from the router?

If you would rather this be covered in a PM (or another place on the forums), etc., if there is anything that shouldn't be covered publicly lest people get ideas, then I'm happy with that.

essexboy
Re: Spyware.ISpynow Infection
« Reply #8 on: December 03, 2008, 11:28:45 PM »
Fairly straightforward, just reset the router to its default configuration.

Next you must reset the router to its default configuration. This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds). If you don’t know the router's default password, you can look it up HERE

However, if there are other Zlob-infected machines using the same router, they will need to be cleared with the above steps before resetting the router. Otherwise, the malware will simply go back and change the router's DNS settings. You also need to reconfigure any security settings you had in place prior to the reset. Check out this site here for video tutorials on how to properly configure your router's encryption and security settings. You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

DavidR
Re: Spyware.ISpynow Infection
« Reply #9 on: December 04, 2008, 12:43:53 AM »
Thanks Martin.

I guess it is time the router manufacturers got wise to this and put measures in place to stop unauthorised changes to the router's DNS settings.

For me this is currently interest only as I don't have that problem on dial-up.

essexboy
Re: Spyware.ISpynow Infection
« Reply #10 on: December 04, 2008, 10:50:53 AM »
All that needs to be done is to change the router password from the default. Secured ;D

DavidR
Re: Spyware.ISpynow Infection
« Reply #11 on: December 04, 2008, 03:43:50 PM »
So a self-inflicted wound then ;D