Author Topic: Spyware.ISpynow  (Read 16500 times)


Offline sk8dudety

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #15 on: November 30, 2008, 07:10:23 AM »
Hey guys, I just received this a couple of days ago as well... I tried to download Malwarebytes to get rid of it, but this stupid thing won't even let me on my browser long enough to download it. What can I do? By the way, I use AVG Free and it hasn't found anything...
« Last Edit: November 30, 2008, 07:12:55 AM by sk8dudety »

Offline sk8dudety

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #16 on: November 30, 2008, 07:37:43 AM »
OK, this is what I did: I put the Malwarebytes setup program on a flash drive, put that on my laptop and tried it from there... Halfway into it a pop-up shows up that says "Malwarebytes Anti-Malware has encountered a problem and needs to close. We are sorry for the inconvenience." Same thing I get when I try to use my browser, both Firefox and Internet Explorer... it won't let me get any further. Then when I click on the Malwarebytes desktop icon it says "The database could not be located. Would you like to download an updated copy?" I click yes and it tries to start up, but the same thing keeps happening...

Offline sk8dudety

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #17 on: November 30, 2008, 09:16:39 AM »
Alright, never mind guys, got it. For guys that had the same problem as me: download the Malwarebytes setup program from another computer onto a flash drive, restart your computer in safe mode and install it. "Perform a Quick Scan" in safe mode. Then restart in normal mode, open up Malwarebytes, update to the newest version under the "Update" tab, and "Perform a Full Scan". It took my computer about 1 hour and 15 minutes and didn't find the bad files until the very last second, so stick it through! After you've removed the files, restart your computer and you should be golden.

Offline ardvark

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1512
  • John 3:16 (I'm not an "avast! evangelist")
Re: Spyware.ISpynow
« Reply #18 on: November 30, 2008, 03:05:44 PM »
Hi...

I'm glad you got this squared away, it appears this particular program was coded with a pretty strong defense mechanism. ::)

Best Regards...

Offline ebina1

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #19 on: December 01, 2008, 01:00:31 AM »
Some versions seem tougher than others.

When I put the Malwarebytes setup program on a thumb drive and tried to run it, it wouldn't run.
I had to rename the setup program to something other than the default mbam-setup.exe.
Even then the installer hangs in the Finishing phase. This is because after installing, the installer tries to run C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe and the spyware stops that.
I rebooted (again in safe mode) to get rid of the hung mbam.exe, then went into C:\Program Files\Malwarebytes' Anti-Malware and renamed mbam.exe.

Only then could I run it. It is still running now, so we will see if it fixes this new, more clever version.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32620
  • malware fighter
Re: Spyware.ISpynow
« Reply #20 on: December 01, 2008, 01:13:15 AM »
See if all is cleansed:

Kill processes:
setup.exe, help.exe

Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ISHelp=C:\Program Files\Helper\help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\904000001E872D116BF00006799C897E\Usage
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\I-Spy

Delete files:
setup.exe, help.exe, ispy.dll, cat.dll

Delete directories:
C:\Program Files\Helper
C:\Documents and Settings\[Current User]\Start Menu\Programs\Help

Misc:
File ispy.dll is located in C:\Windows or C:\Winnt.
File cat.dll can be found in C:\Windows\System, C:\Windows\System32 or C:\Winnt\System32.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline ebina1

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #21 on: December 01, 2008, 05:44:44 AM »
Nope, Malwarebytes updated, still won't fix this one. It clears the registry of some stuff, but after reboot it comes right back. Luckily I didn't do much today; I can see what time the trojan modified my winlogon.exe, so I fixed that file and termsrv.dll (also modified at the same time) and then deleted every file created after that time today.

No more popups, but a rather harsh and dangerous solution.
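The timestamp-pivot triage ebina1 describes above (take the time winlogon.exe was modified and look at everything changed after it), written out as an added Python example; this is not code from the thread or from any tool named in it. It takes a known-modified file as the pivot, lists every file under a tree whose modification time is at or after that moment, and separately flags files that landed on disk after the pivot yet carry an older modification time, which is what a dropper that back-dates its files looks like. The file names in the demo are constructed.

```python
"""Timeline triage: what changed at or after a known-bad pivot time.

Added example for this thread, not code from the forum or from any tool
named in it. The pivot is the mtime of a file the intruder is known to have
altered (the poster used winlogon.exe); names in the demo are constructed.
"""
import argparse
import os
import time


def pivot_from_file(path: str) -> float:
    """mtime of a known-modified file, e.g. C:\\WINDOWS\\system32\\winlogon.exe."""
    return os.stat(path).st_mtime


def _created_or_changed(st: os.stat_result) -> float:
    # Windows: st_ctime is creation time (st_birthtime on Python 3.12+);
    # POSIX: st_ctime is inode-change time. Both move when a file lands on disk.
    return max(st.st_ctime, getattr(st, "st_birthtime", st.st_ctime))


def triage(root: str, pivot: float) -> dict:
    """Bucket files under `root` by their timestamps relative to `pivot`.

    changed_since      : mtime at or after the pivot.
    timestomp_suspects : mtime claims to predate the pivot, yet the file was
                         created/changed on disk at or after it. That is what a
                         dropper that back-dates its files looks like, and also
                         what a file copied in with its original mtime looks like,
                         so it is a lead, not a verdict.
    Paths are relative to `root`, oldest first.
    """
    changed, suspects = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                st = os.stat(full, follow_symlinks=False)
            except OSError:
                continue  # vanished or unreadable: skip it, do not abort the sweep
            rel = os.path.relpath(full, root)
            cc = _created_or_changed(st)
            if st.st_mtime >= pivot:
                changed.append((max(st.st_mtime, cc), rel))
            elif cc >= pivot:
                suspects.append((cc, rel))
    return {"changed_since": [p for _, p in sorted(changed)],
            "timestomp_suspects": [p for _, p in sorted(suspects)]}


def _fmt(ts: float) -> str:
    return time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(ts))


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="list files changed since a pivot file's mtime")
    ap.add_argument("root", help=r"tree to sweep, e.g. C:\WINDOWS")
    ap.add_argument("pivot_file", help=r"known-modified file, e.g. C:\WINDOWS\system32\winlogon.exe")
    args = ap.parse_args()
    pivot = pivot_from_file(args.pivot_file)
    print(f"pivot {_fmt(pivot)} from {args.pivot_file}")
    result = triage(args.root, pivot)
    for bucket in ("changed_since", "timestomp_suspects"):
        print(f"\n== {bucket} ({len(result[bucket])}) ==")
        print("\n".join(result[bucket]))
```

Run it from safe mode as `python triage.py C:\WINDOWS C:\WINDOWS\system32\winlogon.exe`. Treat the output as a worklist to inspect and hash, not a delete list: deleting everything created after the pivot, as the poster did, also removes legitimate updates, prefetch and log files, and a modification time is trivial to forge, so a file that is absent from both lists is not thereby cleared.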


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83552
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #22 on: December 01, 2008, 03:39:19 PM »
What do you mean by MBAM won't fix this one ?
Do you mean it doesn't detect it or something else ?

Did you run MBAM from safe mode? It can be more effective from there.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.544/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline ebina1

  • Newbie
  • *
  • Posts: 3
Re: Spyware.ISpynow
« Reply #23 on: December 02, 2008, 07:54:59 PM »
I ran MBAM from safe mode.  It detects and fixes a bunch of stuff.  But after you then reboot the spyware is right back again.

I gave up and restored the computer to a backup I had made 2 months ago.  Good luck with this thing guys.

I'm more interested in finding out how my daughter got this thing. She had only been on the computer a little over an hour and hadn't downloaded any programs or gotten any popups. She was just reading various web sites and watching YouTube videos. I set up a virtual machine and, using her browser history, revisited all the sites she had been at and played all the videos. Nothing. Assuming the modification time on my winlogon.exe is when she got the spyware, I checked, and Macromedia Flash Player was downloading something just a minute earlier, but I don't know what.

It could be some exploit that gets in when you just mouse over a flash ad.  This is scary.

Offline rejto12

  • Newbie
  • *
  • Posts: 1
Re: Spyware.ISpynow
« Reply #24 on: January 20, 2009, 04:20:20 AM »
Hello,

Thanks for the superb description of the symptoms.
My computer has essentially the same ones, so I shall not repeat them.

I have downloaded the Avast Home Edition and performed a scan before restarting the computer.
However, the symptoms have not changed.


Any suggestions?

Thanks,

-peter




Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8786
Re: Spyware.ISpynow
« Reply #25 on: January 20, 2009, 12:57:16 PM »
Peter, the sad news is that the latest malware is so nasty that the only way to make sure it has gone is to FORMAT the hard drive, after you have made backups of important data on CD, by booting the Windows CD and ensuring that a complete FORMAT is done, not a Quick FORMAT.

Disconnect the system from the Internet while you are doing this as the system will be infected in minutes without the Windows firewall started or without at least SP1 installed.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83552
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #26 on: January 20, 2009, 03:20:41 PM »
Before the nuclear option.

Spyware.ISpynow may also be associated with this. Also see http://forum.avast.com/index.php?topic=40618.0

TDSS Rootkit - http://www.malwarebytes.org/forums/index.php?showtopic=7194

Also try (check for the presence of this device/service):
Quote
Another way to get around the inability to access your antivirus program is to check your system for the presence of a particular rogue device driver:

• Step 1: Click Start, Control Panel, Performance and Maintenance (in Categories view), System.
• Step 2: Select the Hardware tab and click Device Manager.
• Step 3: Choose the View menu and select Show hidden devices.
• Step 4: Scroll to the Non-plug and play drivers section and expand the tree.
• Step 5: If you see an item labeled TDSSserv.sys, right-click it and select Disable.

After you reboot your computer, you'll be able to access your antivirus program and browse to anti-malware sites to remove the pest from your PC. Once you've cleaned your system, make certain that you update your antivirus software every day to avoid reinfection.
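The checks in polonus's removal list (Reply #20) and the TDSSserv driver check in DavidR's quote (Reply #26), combined into one added Python sweep. This is example code written for this page, not from the forum or from Malwarebytes, avast! or any other product named in it. The indicator values are copied from those two posts; the matching is kept separate from the Windows-only collector so it can be exercised against a constructed snapshot, and the TDSSserv ImagePath in that sample is an assumed value.

```python
# Sweep for the artifacts named in this thread: polonus's ISpynow list (Reply #20)
# and the TDSSserv driver from DavidR's quote (Reply #26). Added example, not forum code.
import ntpath
import os
from dataclasses import dataclass

try:
    import winreg  # Windows only; find_artifacts() does not need it
except ImportError:
    winreg = None

# Indicators copied from the thread. Registry paths are the 32-bit XP layout (no Wow6432Node).
RUN_VALUE_NAME = "ISHelp"
RUN_IMAGE = r"C:\Program Files\Helper\help.exe"
UNINSTALL_SUBKEY = "I-Spy"
INSTALLER_PRODUCT = "904000001E872D116BF00006799C897E"
DROPPED_FILES = {"ispy.dll": [r"C:\Windows", r"C:\Winnt"],
                 "cat.dll": [r"C:\Windows\System", r"C:\Windows\System32", r"C:\Winnt\System32"]}
DROPPED_DIRS = [r"C:\Program Files\Helper"]
ROOTKIT_SERVICE_PREFIX = "tdss"  # TDSSserv.sys is loaded through a service key named TDSSserv
SERVICE_DISABLED = 4             # Start=4: the value Device Manager's "Disable" writes
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
PRODUCTS_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products"
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"


@dataclass
class Snapshot:
    run_values: dict         # value name -> command line under HKLM\...\Run
    uninstall_keys: set      # subkey names under HKLM\...\Uninstall
    installer_products: set  # subkey names under ...\UserData\S-1-5-18\Products
    services: dict           # service name -> {"Start": int or None, "ImagePath": str}
    existing_paths: set      # files and directories present on disk


def _norm(p) -> str:
    return str(p).strip().strip('"').lower()  # Run values are often quoted; compare case-insensitively


def candidate_paths() -> list:
    return [ntpath.join(d, f) for f, dirs in DROPPED_FILES.items() for d in dirs] + DROPPED_DIRS


def find_artifacts(snap: Snapshot) -> list:
    """One line per indicator found; an empty list means none of the known artifacts matched."""
    hits = []
    for name, cmd in snap.run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower() or _norm(cmd) == _norm(RUN_IMAGE):
            hits.append(f"Run value {name} = {cmd}")
    if UNINSTALL_SUBKEY.lower() in {k.lower() for k in snap.uninstall_keys}:
        hits.append(f"Uninstall key {UNINSTALL_SUBKEY}")
    if INSTALLER_PRODUCT.lower() in {k.lower() for k in snap.installer_products}:
        hits.append(f"Installer product {INSTALLER_PRODUCT}")
    for svc, vals in snap.services.items():
        if svc.lower().startswith(ROOTKIT_SERVICE_PREFIX):
            hits.append(f"Service {svc} Start={vals.get('Start')} ImagePath={vals.get('ImagePath')}")
    present = {_norm(p) for p in snap.existing_paths}
    hits += [f"Path {p}" for p in candidate_paths() if _norm(p) in present]
    return hits


def example_snapshot() -> Snapshot:
    # Constructed host state exercising every indicator class; not taken from a real machine.
    # The TDSSserv ImagePath is an assumed value for this sample.
    return Snapshot(
        run_values={"ISHelp": RUN_IMAGE, "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
        uninstall_keys={"I-Spy", "Mozilla Firefox (3.0.4)"},
        installer_products={INSTALLER_PRODUCT},
        services={"TDSSserv": {"Start": 1, "ImagePath": r"\??\C:\WINDOWS\system32\drivers\TDSSserv.sys"},
                  "Beep": {"Start": 1, "ImagePath": ""}},
        existing_paths={r"C:\Windows\ispy.dll", r"C:\Program Files\Helper"},
    )


def _reg_read(path: str):
    """(subkey names, {value name: data}) under HKLM\\path; both empty if the key cannot be opened."""
    subkeys, values = set(), {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as k:
            nsub, nval, _ = winreg.QueryInfoKey(k)
            subkeys = {winreg.EnumKey(k, i) for i in range(nsub)}
            values = dict(winreg.EnumValue(k, i)[:2] for i in range(nval))
    except OSError:
        pass  # absent, access denied, or concealed by a loaded rootkit: treat as "not seen"
    return subkeys, values


def collect_live_snapshot() -> Snapshot:
    if winreg is None:
        raise RuntimeError("live collection needs Windows (winreg)")
    services = {}
    for name in _reg_read(SERVICES_KEY)[0]:
        v = _reg_read(SERVICES_KEY + "\\" + name)[1]
        services[name] = {"Start": v.get("Start"), "ImagePath": v.get("ImagePath", "")}
    return Snapshot(_reg_read(RUN_KEY)[1], _reg_read(UNINSTALL_KEY)[0], _reg_read(PRODUCTS_KEY)[0],
                    services, {p for p in candidate_paths() if os.path.exists(p)})


def disable_service(name: str) -> None:
    """Registry equivalent of Device Manager's Disable: Start=4 so the driver is not loaded at boot."""
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY + "\\" + name, 0, winreg.KEY_SET_VALUE) as k:
        winreg.SetValueEx(k, "Start", 0, winreg.REG_DWORD, SERVICE_DISABLED)
```

On a live box, `find_artifacts(collect_live_snapshot())` prints one line per hit and `disable_service("TDSSserv")` is the registry form of the Device Manager step, taking effect at the next reboot. An empty result is not a clean bill of health: a kernel rootkit that is loaded can hide its own service key and files from user-mode enumeration, so run the sweep from safe mode, or against the hive from a rescue boot, before trusting a negative.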