Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Plasmadk on November 29, 2008, 05:59:14 AM

Title: Spyware.ISpynow
Post by: Plasmadk on November 29, 2008, 05:59:14 AM
Hi

I don't know where else to go with this problem, I hope you can help. As of earlier today I got a warning from Windows XP Security Center asking if I wanted to block a suspicious malware called Spyware.ISpynow. I also noted that Windows Firewall had been deactivated automatically. Shortly after, Firefox closed down and my computer restarted, but froze shortly after loading the desktop.

I rebooted and selected "use last setting known to work" and got access to my desktop without my computer freezing up. When I opened Firefox I was directed to a homepage stating "insecure connection, threat of virus attack" with two options: one to continue unsecured, in which I would get to Google (my start page), and the other would direct me to the website for Perfect Defender 2009, which seemed too suspicious to me. I instead scheduled a boot scan with avast and rebooted. It identified 4 files inside Windows, which I deleted, and resumed Windows; however, I still get what I suspect are false pop-ups about Spyware.ISpynow, and both Firefox and Explorer terminate seemingly at random after a mere few pages, initially still advising me that I'm navigating with an insecure connection.

Googling Spyware.ISpynow or Perfect Defender 2009 brings up quite a few forums with people describing the exact same problems, but no solutions. Please help!
Title: Re: Spyware.ISpynow
Post by: ardvark on November 29, 2008, 06:03:42 AM
Hi...

You can try this regimen from Tech, another member of this forum. Go to the fourth post at this thread...

http://forum.avast.com/index.php?topic=39312.msg330023#msg330023

Hope this helps. :)

Best Regards...
Title: Re: Spyware.ISpynow
Post by: Plasmadk on November 29, 2008, 06:27:17 AM
Thank you for your quick reply. I will give it a shot!
Title: Re: Spyware.ISpynow
Post by: ardvark on November 29, 2008, 06:34:54 AM
Thank you for your quick reply. I will give it a shot!

You're welcome, please post back with the results. :)

Best Regards...
Title: Re: Spyware.ISpynow
Post by: Plasmadk on November 29, 2008, 04:37:35 PM
OK, so I installed Dr.Web CureIt! and ran a complete scan. It didn't find anything.
Then I ran SUPERAntiSpyware, which found a few things; however, any time something would pop up Avast detected it and I chose to delete it, since it said I could not move it to the chest when another program was using it.

But it did not solve the problems.

I still get a fake popup every 15 minutes saying Windows Security Center has found Spyware.ISpynow, and my Firefox and Explorer still post a warning linking directly to Perfect Defender 2009 (obviously a fake site as well; www.defender-review.com), and if I try to navigate anywhere else the browser shuts down without notice. When my computer starts it either freezes or all my programs like Messenger, Skype, CLI, and even HydraVision for my ATI graphics die with the notice that they have performed illegal actions.

Any ideas?   
Title: Re: Spyware.ISpynow
Post by: FreewheelinFrank on November 29, 2008, 04:40:58 PM
Some more scanners to try:

Malwarebytes' Anti-Malware (http://www.malwarebytes.org/)
Spybot Search & Destroy (http://www.safer-networking.org/en/download/index.html)
Title: Re: Spyware.ISpynow
Post by: DavidR on November 29, 2008, 05:46:21 PM
I dont know where else to go with this problem, I hope you can help. As of earlier today I got a warning from Windows Xp Security Center asking if I wanted to block a suspicious malware called Spyware.ISpynow. I also noted that Windows Firewall had been deactivated automatically. Shortly after, firefox closed down and my computer restarted, but freezing shortly after loading desktop.
<snip>

That wasn't the XP Security Center (as far as I'm aware it doesn't have this functionality, but I've only been using it for over four years), but some form of fake alert and the act of clicking the button to block is what infects you.

So it looks like you got taken in.

I would suggest that you boot into safe mode http://www.pchell.com/support/safemode.shtml and run both SAS and MalwareBytes from there.
Title: Re: Spyware.ISpynow
Post by: Plasmadk on November 29, 2008, 06:00:22 PM
Yes, I know it was/is fake, which is why I terminate it whenever it pops up. At the moment I'm running another full scan with Dr.Web, and I downloaded the avast anti-rootkit and Spybot Search & Destroy, ready to deploy when the scan is complete.

I found a lot of posts on the web similar to what I'm experiencing; all seem to originate from yesterday, the 28th.

http://forums.myspace.com/p/4290219/53241311.aspx?fuseaction=forums.viewpost

Title: Re: Spyware.ISpynow
Post by: DavidR on November 29, 2008, 06:21:17 PM
The avast anti-rootkit is an integral part of avast and runs as part of the boot-time scan or an on-demand scan with a sensitivity of Standard or Thorough.

If you have XP, Vista 32-bit or Win2k, you can enable a boot-time scan. Right click the avast icon, select Start avast! Antivirus; a memory scan will take place, followed by the opening of the Simple User Interface. Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Title: Re: Spyware.ISpynow
Post by: alexfisher on November 29, 2008, 07:25:07 PM
I was able to solve this via instructions at:

http://malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/

Personal / Perfect Defender is suggested as a solution by the fake pop-up.  Removing the files in Application Data seems to have resolved the issues for me.

Note:  I didn't actually install Personal/Perfect Defender.  This helped me remove the trojan that was prompting to install them with the fake Windows Firewall pop-up.

--Alex
Title: Re: Spyware.ISpynow
Post by: DavidR on November 29, 2008, 07:50:11 PM
Thanks for the feedback, though the MalwareBytes AntiMalware suggested by FWF in reply #5 removes this fake program.
Title: Re: Spyware.ISpynow
Post by: Plasmadk on November 29, 2008, 11:51:13 PM
Hey I think I got it figured out as well.

I tried a ton of programs, half of which were able to find the infection; however, the programs would get terminated shortly after.

If you have the same problem with programs getting shut down, here is the source of the problem:

run6110411.exe

Go to C:\documents and settings\<user>\application data - there can be more than just this one file hidden in one of the folders; I found the main file stated above in my Google folder. It is undeletable, so use Malwarebytes Anti-Malware's FileASSASSIN and problem solved. No more popups, no more system or program crashes.

My only problem at the moment is, that avast antirootkit finds something in my registry during search, but then crashes before anything is logged.
Title: Re: Spyware.ISpynow
Post by: DavidR on November 30, 2008, 12:04:27 AM
If you can, capture a screenshot, crop the error message and post it here.
Title: Re: Spyware.ISpynow
Post by: ardvark on November 30, 2008, 12:40:55 AM
My only problem at the moment is, that avast antirootkit finds something in my registry during search, but then crashes before anything is logged.

Hi...

Also, what are the results if you try using both Blacklight and Trend Micro's rootkit scanners...

http://www.f-secure.com/security_center/

(scroll down to "downloads", then "blacklight.")

http://www.trendmicro.com/download/rbuster.asp

Best Regards...
Title: Re: Spyware.ISpynow
Post by: GTM on November 30, 2008, 03:23:52 AM
I picked this up two days ago as well. Avast popped up an alert about a suspicious file, but that's it. Here's what I did:

1) Get SysinternalsSuite from Microsoft (used to be Winternals).

2) You can use pslist to see the hidden exe. MS Task Manager wouldn't show it in my case.

3) Run RegDelNull.exe from the SysinternalsSuite on HKCU\Software\Microsoft\Windows\CurrentVersion and HKCU\Software\Microsoft\Windows\CurrentVersion\Run to expose all the hidden registry keys.

4) Delete the hidden keys plus the files they point to (see below).

5) As noted above, the usual primary location is going to be something like ...\Application Data\Google\... There will likely be other suspicious exe files in other legitimate Application Data folders. I was able to use the timestamp to id them. I also found a folder with MyDocs that had to be removed. You can find the path to this folder by using "view source" on the bogus web page.

Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion
---------------------
nah_id                 6056788116
nah_opt_certs          /cgi-bin/trash.py
nah_opt_command        /f/prinimalka.py/command
nah_opt_deletecookie   yes
nah_opt_deletesol      no
nah_opt_file           /f/prinimalka.py/cookies
nah_opt_forms          /f/prinimalka.py/forms
nah_opt_idproject      000042
nah_opt_options        /f/prinimalka.py/options
nah_opt_pausecert      300
nah_opt_pauseopt       1200
nah_opt_pstorage       /cgi-bin/trash.py
nah_opt_reserv         78.109.23.2
nah_opt_server1        78.109.23.2
nah_opt_ss             /cgi-bin/trash.py
nah_patch              ok

Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion\Run
---------------------
HPseti      ...\Application Data\Google\runhh6110411.exe"
nah_Shell   C:\Documents and Settings\username\nah_onuq.exe
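The Run and CurrentVersion values GTM lists above are worth triaging mechanically once they are visible to regedit and can be exported. The Python script below is an added example, not code from the thread, from GTM or from Sysinternals: it parses a regedit .reg export, flags Run entries that launch from user-writable locations, and pulls the server addresses and URL paths out of the configuration values as indicators to block at the gateway or search for in proxy logs. The export text embedded in it is constructed from GTM's listing (with a legitimate ctfmon.exe entry added for contrast), and the function names and heuristics are the example's own.

```python
"""Triage a regedit (.reg) export of the keys GTM listed.  Added example for this
thread, not code from the post or from Sysinternals.  The export below is
constructed from GTM's listing, with a legitimate ctfmon.exe entry added for
contrast; the heuristics and function names are the example's own."""
import re

CV_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
RUN_KEY = CV_KEY + r"\Run"

# Constructed sample export (regedit escapes backslashes and quotes inside values).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"nah_id"="6056788116"
"nah_opt_command"="/f/prinimalka.py/command"
"nah_opt_forms"="/f/prinimalka.py/forms"
"nah_opt_server1"="78.109.23.2"
"nah_opt_reserv"="78.109.23.2"
"nah_opt_pauseopt"="1200"
"nah_patch"="ok"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"HPseti"="\"C:\\Documents and Settings\\user\\Application Data\\Google\\runhh6110411.exe\""
"nah_Shell"="C:\\Documents and Settings\\user\\nah_onuq.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'^"?(.*?\.exe)\b', re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _unescape(s):
    # regedit writes \\ for a backslash and \" for a quote inside string values
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values in a .reg
    export.  dword/hex values and '@' default values are skipped: this triage
    only needs the strings."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def launch_path(value):
    """Strip quoting and arguments from a Run value, leaving the executable path."""
    m = EXE_RE.match(value)
    return m.group(1) if m else value.strip('"')


def suspicious_run_entries(keys):
    """Flag Run entries by *where* they launch from rather than by name: this
    family dropped into per-user folders.  Legitimate software (per-user
    updaters, for instance) does the same, so review before deleting anything."""
    findings = []
    for name, value in keys.get(RUN_KEY, {}).items():
        path = launch_path(value)
        low = path.lower()
        exe = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\documents and settings\\" in low or "\\users\\" in low:
            if "\\application data\\" in low or "\\appdata\\" in low:
                reasons.append("launches from a per-user Application Data folder")
            else:
                reasons.append("launches from the user profile root")
        if re.search(r"\d{6,}", exe):
            reasons.append("long digit string in executable name")
        if reasons:
            findings.append((name, path, reasons))
    return findings


def extract_iocs(keys):
    """Collect IPv4 addresses and URL paths from the string values directly
    under CurrentVersion (GTM's nah_opt_* server and script settings)."""
    ips, paths = set(), set()
    for value in keys.get(CV_KEY, {}).values():
        ips.update(IPV4_RE.findall(value))
        if value.startswith("/"):
            paths.add(value)
    return {"ips": sorted(ips), "url_paths": sorted(paths)}


def triage(reg_text):
    keys = parse_reg(reg_text)
    return {"run": suspicious_run_entries(keys), "iocs": extract_iocs(keys)}


if __name__ == "__main__":
    result = triage(SAMPLE_REG)
    for name, path, reasons in result["run"]:
        print(f"{name:<12} {path}\n{'':<12} {'; '.join(reasons)}")
    print("C2 IPs:    ", ", ".join(result["iocs"]["ips"]))
    print("URL paths: ", ", ".join(result["iocs"]["url_paths"]))
```

Run it against a real export with `python triage.py` after replacing SAMPLE_REG with the file contents (regedit writes exports as UTF-16, so open them with that encoding). Keys whose names contain embedded nulls do not appear in an export at all, which is why GTM needed RegDelNull first; this script only works on what regedit can already see.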
Title: Re: Spyware.ISpynow
Post by: sk8dudety on November 30, 2008, 07:10:23 AM
Hey guys, I just received this a couple of days ago as well... I tried to download Malwarebytes to get rid of it, but this stupid thing won't even let me on my browser long enough to download it. What can I do?? By the way, I use AVG Free and it hasn't found anything...
Title: Re: Spyware.ISpynow
Post by: sk8dudety on November 30, 2008, 07:37:43 AM
OK, this is what I did: I put the Malwarebytes setup program on a flash drive, put that on my laptop and tried it from there... halfway into it a pop-up shows up that says "Malwarebytes Anti-Malware has encountered a problem and needs to close, we are sorry for the inconvenience." Same thing I get when I try to use my browser, both Firefox and Internet Explorer... it won't let me get any further. Then when I click on the Malwarebytes desktop icon it says "The database could not be located. Would you like to download an updated copy?" I click yes and it tries to start up, but the same thing keeps happening...
Title: Re: Spyware.ISpynow
Post by: sk8dudety on November 30, 2008, 09:16:39 AM
Alright, never mind guys, got it. For guys that had the same problem as me: download the Malwarebytes setup program from another computer onto a flash drive, restart your computer in safe mode and install it. "Perform a Quick Scan" in safe mode. Then restart in normal mode, open up Malwarebytes, update to the newest version under the "Update" tab, and "Perform a Full Scan". It took my computer about 1 hour and 15 minutes and didn't find the bad files until the very last second, so stick it through! After you've removed the files, restart your computer and you should be golden.
Title: Re: Spyware.ISpynow
Post by: ardvark on November 30, 2008, 03:05:44 PM
Hi...

I'm glad you got this squared away, it appears this particular program was coded with a pretty strong defense mechanism. ::)

Best Regards...
Title: Re: Spyware.ISpynow
Post by: ebina1 on December 01, 2008, 01:00:31 AM
Some versions seem tougher than others.

When I put the Malwarebytes setup program on a thumb drive and tried to run it, it wouldn't run.
I had to change the name of the setup program to something other than the default mbam-setup.exe.
Even then the installer hangs in the Finishing phase. This is because after installing, the installer is trying to run C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and the spyware is stopping that.
I rebooted (again in safe mode) to get rid of the hung mbam.exe, then went into C:\Program Files\Malwarebytes' Anti-Malware and renamed mbam.exe.

Only then could I run it. It is still running now, so we will see if it fixes this new, more clever version.

Title: Re: Spyware.ISpynow
Post by: polonus on December 01, 2008, 01:13:15 AM
See if all is cleansed:

Kill processes:
setup.exe, help.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISHelp=C:\Program Files\Helper\help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I-Spy

Delete files:
setup.exe, help.exe, ispy.dll, cat.dll

Delete directories:
C:\Program Files\Helper
C:\Documents and Settings\[Current User]\Start Menu\Programs\Help

Misc:
File ispy.dll is located in C:\Windows or C:\Winnt.
File cat.dll can be found in C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32.

polonus
Title: Re: Spyware.ISpynow
Post by: ebina1 on December 01, 2008, 05:44:44 AM
Nope, Malwarebytes updated, still won't fix this one. It clears the registry of some stuff, but after reboot it comes right back. Luckily I didn't do much today; I can see what time the trojan modified my winlogon.exe, so I fixed that file and termsrv.dll (also modified at the same time) and then deleted every file created after that time today.

No more popups, but a rather harsh and dangerous solution.
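GTM (step 5) and ebina1 both identified the dropped files by their timestamps, pivoting from a system file they knew the infection had touched. The Python below is an added example of that timeline pivot, not code from either poster: it walks a directory tree and lists every file modified at or after the pivot file's modification time, oldest first, so the list can be reviewed before anything is deleted. It builds a constructed fixture in a temporary directory that mirrors the paths named in this thread (winlogon.exe, termsrv.dll, the two dropped executables) so it runs offline; the file names, times and function names in it are the example's own, not data captured from an infected machine.

```python
"""Timeline pivot: list every file modified at or after a reference file.
Added example for this thread, not code from GTM or ebina1.  The directory
tree it builds is a constructed fixture mirroring paths named in the thread."""
import os
import tempfile
import time
from datetime import datetime
from pathlib import Path


def pivot_from_file(path):
    """ebina1 pivoted on the time the trojan modified winlogon.exe; any file
    you know the infection touched works as the reference."""
    return os.stat(path).st_mtime


def files_changed_after(root, pivot_ts, skip_dirs=()):
    """Walk `root` and return [(mtime, relative_path)] for every regular file
    whose mtime is at or after `pivot_ts`, oldest first.  mtime is used because
    it is the one timestamp every platform reports the same way (on Windows
    st_ctime is creation time, on Unix it is inode-change time)."""
    root = Path(root)
    skip = {d.lower() for d in skip_dirs}
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d.lower() not in skip]  # prune noisy caches
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                st = p.stat()
            except OSError:
                continue  # vanished or locked file: skip rather than guess
            if st.st_mtime >= pivot_ts:
                hits.append((st.st_mtime, p.relative_to(root).as_posix()))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed fixture: an old user document, the pivot file and a second
    system file modified at the infection time, two dropped executables written
    shortly afterwards, and a browser-cache file that the demo prunes.
    Returns the pivot file path."""
    root = Path(root)
    t0 = time.time() - 3600  # pretend the infection was an hour ago
    layout = {
        "Documents and Settings/user/My Documents/notes.txt": t0 - 30 * 86400,
        "WINDOWS/system32/winlogon.exe": t0,  # pivot
        "WINDOWS/system32/termsrv.dll": t0 + 1,
        "Documents and Settings/user/Application Data/Google/runhh6110411.exe": t0 + 40,
        "Documents and Settings/user/nah_onuq.exe": t0 + 45,
        "Documents and Settings/user/Local Settings/Temporary Internet Files/ad.swf": t0 + 50,
    }
    for rel, ts in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"fixture")
        os.utime(p, (ts, ts))
    return root / "WINDOWS/system32/winlogon.exe"


def demo():
    """Build the fixture in a temp dir and return the flagged file names in order."""
    with tempfile.TemporaryDirectory() as d:
        pivot = build_sample_tree(d)
        hits = files_changed_after(d, pivot_from_file(pivot),
                                   skip_dirs=("Temporary Internet Files",))
        return [Path(rel).name for _, rel in hits]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        pivot = build_sample_tree(d)
        for ts, rel in files_changed_after(d, pivot_from_file(pivot)):
            print(datetime.fromtimestamp(ts).strftime("%Y-%m-%d %H:%M:%S"), rel)
```

Two caveats a practitioner should keep in mind. A modification time is trivially forged by the malware (SetFileTime on Windows, utime on Unix), so a clean-looking timeline proves nothing; on NTFS the $FILE_NAME attribute carries a second set of timestamps that common timestomping tools leave alone, and a forensic tool that reads the MFT directly can compare the two. And the list is a review list, not a deletion list: as ebina1 notes, deleting everything after the pivot is harsh, because Windows Update, browser caches and ordinary user work all leave files in that window too.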

Title: Re: Spyware.ISpynow
Post by: DavidR on December 01, 2008, 03:39:19 PM
What do you mean by MBAM won't fix this one?
Do you mean it doesn't detect it, or something else?

Did you run MBAM from safe mode? It can be more effective from there.
Title: Re: Spyware.ISpynow
Post by: ebina1 on December 02, 2008, 07:54:59 PM
I ran MBAM from safe mode. It detects and fixes a bunch of stuff. But after you then reboot, the spyware is right back again.

I gave up and restored the computer to a backup I had made 2 months ago. Good luck with this thing, guys.

I'm more interested in finding out how my daughter got this thing. She had only been on the computer a little over an hour and hadn't downloaded any programs or gotten any popups. She was just reading various web sites and watching YouTube videos. I set up a virtual machine and, using her browser history, revisited all the sites she had been at and played all the videos. Nothing. Assuming the modification time on my winlogon.exe is when she got the spyware, I checked, and Macromedia Flash Player was downloading something just a minute earlier, but I don't know what.

It could be some exploit that gets in when you just mouse over a Flash ad. This is scary.
Title: Re: Spyware.ISpynow
Post by: rejto12 on January 20, 2009, 04:20:20 AM
Hello,

Thanks for the superb description of the symptoms.
My computer has essentially the same ones, so I shall not repeat them.

I have downloaded the Avast Home Edition and performed a scan before restarting the computer.
However, the symptoms have not changed.


Any suggestions?

Thanks,

-peter

Title: Re: Spyware.ISpynow
Post by: YoKenny on January 20, 2009, 12:57:16 PM
Peter, the sad news is that the latest malware is so nasty that the only way to make sure that it has gone is to FORMAT the hard drive after you have made backups of important data on CD, by booting from the Windows CD, and ensure that a complete FORMAT is done, not a Quick FORMAT.

Disconnect the system from the Internet while you are doing this as the system will be infected in minutes without the Windows firewall started or without at least SP1 installed.
Title: Re: Spyware.ISpynow
Post by: DavidR on January 20, 2009, 03:20:41 PM
Before the nuclear option.

Spyware.ISpynow may also be associated with this. Also see http://forum.avast.com/index.php?topic=40618.0

TDSS Rootkit - http://www.malwarebytes.org/forums/index.php?showtopic=7194

Also try (check for the presence of this device/service):
Quote
Another way to get around the inability to access your antivirus program is to check your system for the presence of a particular rogue device driver:

• Step 1: Click Start, Control Panel, Performance and Maintenance (in Categories view), System.
• Step 2: Select the Hardware tab and click Device Manager.
• Step 3: Choose the View menu and select Show hidden devices.
• Step 4: Scroll to the Non-plug and play drivers section and expand the tree.
• Step 5: If you see an item labeled TDSSserv.sys, right-click it and select Disable.

After you reboot your computer, you'll be able to access your antivirus program and browse to anti-malware sites to remove the pest from your PC. Once you've cleaned your system, make certain that you update your antivirus software every day to avoid reinfection.