Author Topic: Spyware.ISpynow  (Read 19233 times)

0 Members and 1 Guest are viewing this topic.

Plasmadk

  • Guest
Spyware.ISpynow
« on: November 29, 2008, 05:59:14 AM »
Hi

I dont know where else to go with this problem, I hope you can help. As of earlier today I got a warning from Windows Xp Security Center asking if I wanted to block a suspicious malware called Spyware.ISpynow. I also noted that Windows Firewall had been deactivated automatically. Shortly after, firefox closed down and my computer restarted, but freezing shortly after loading desktop.

I rebooted and selected "use last setting known to work" and go access to my desktop without my computer freezing up. When I opened Firefox I was directed to a homepage stating "insecure connection, threat of virus attack" with two options, one to continue unsecured in which I would get to google (my start page) and the other would direct me to website for perfect defender 2009 which seemed too suspicious to me. I instead scheduled a boot scan with avast and rebooted. It identified 4 files inside windows which I deleted and resumed windows, however, I still get what I suspect are false pop-ups about Spyware.ISpynow and both firefox and explorer terminates seemingly random after a mere few pages, initially, still advising me that Im navigating with an insecure connection.

Googling Spyware.ISpynow or Perfect defender 2009 brings up quite a few forums with people describing the exact same problems, but no solutions. Please help!

ardvark

  • Guest
Re: Spyware.ISpynow
« Reply #1 on: November 29, 2008, 06:03:42 AM »
Hi...

You can try this regimen from Tech, another member of this forum. Go to the fourth post at this thread...

http://forum.avast.com/index.php?topic=39312.msg330023#msg330023

Hope this helps. :)

Best Regards...

Plasmadk

  • Guest
Re: Spyware.ISpynow
« Reply #2 on: November 29, 2008, 06:27:17 AM »
Thank you for your quick reply. I will give it a shot!

ardvark

  • Guest
Re: Spyware.ISpynow
« Reply #3 on: November 29, 2008, 06:34:54 AM »
Thank you for your quick reply. I will give it a shot!

You're welcome, please post back with the results. :)

Best Regards...

Plasmadk

  • Guest
Re: Spyware.ISpynow
« Reply #4 on: November 29, 2008, 04:37:35 PM »
Ok so I installed DrWeb CureIT and ran a complete scan. It didn't find anything.
Then I ran SUPERantispyware which found a few things, however, anytime something would pop up Avast detected it and I chose to delete it, since it said I could not move it to chest when another program was using it.

But it did not solve the problems.

I still get a fake popup every 15 minutes saying windows security center has found Spyware.ISpynow and my firefox and explorer still post a warning linking directly to Perfect Defender 2009 (obviously a fake site as well; www.defender-review.com) and if I try to navigate to anywhere else the browser shuts down without notice. When my computer starts it either freezes or all my programs like messenger, skype, CLI, and even hydravision for my ATI graphics die with the notice that they make illegal actions.

Any ideas?   

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Spyware.ISpynow
« Reply #5 on: November 29, 2008, 04:40:58 PM »
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #6 on: November 29, 2008, 05:46:21 PM »
I dont know where else to go with this problem, I hope you can help. As of earlier today I got a warning from Windows Xp Security Center asking if I wanted to block a suspicious malware called Spyware.ISpynow. I also noted that Windows Firewall had been deactivated automatically. Shortly after, firefox closed down and my computer restarted, but freezing shortly after loading desktop.
<snip>

That wasn't the XP Security Center (as far as I'm aware it doesn't have this functionality, but I've only been using it for over four years), but some form of fake alert and the act of clicking the button to block is what infects you.

So it looks like you got taken in.

I would suggest that you boot into safe mode http://www.pchell.com/support/safemode.shtml and run both SAS and MalwareBytes from there.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Plasmadk

  • Guest
Re: Spyware.ISpynow
« Reply #7 on: November 29, 2008, 06:00:22 PM »
Yes I know it was/is fake, which I why I terminate it whenever it pops up. At the moment I'm running another full scan with DrWeb and I downloaded avast anti root kit and spybot search and destroy ready to deploy when the scan is complete.

I found a lot of posts on the web similar to what I'm experiencing all seem to originate from yesterday 28th.

http://forums.myspace.com/p/4290219/53241311.aspx?fuseaction=forums.viewpost


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #8 on: November 29, 2008, 06:21:17 PM »
The avast anti-rootkit is an integral part of avast and runs as part of the boot-time scan or an on-demand scans with a sensitivity of Standard or Thorough.

If you have XP, vista32bit or Win2k, you can enable a boot time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

alexfisher

  • Guest
Re: Spyware.ISpynow
« Reply #9 on: November 29, 2008, 07:25:07 PM »
I was able to solve this via instructions at:

http://malwarebytes.besttechie.net/2008/11/03/removal-instructions-for-personal-defender-2009/

Personal / Perfect Defender is suggested as a solution by the fake pop-up.  Removing the files in Application Data seems to have resolved the issues for me.

Note:  I didn't actually install Personal/Perfect Defender.  This helped me remove the trojan that was prompting to install them with the fake Windows Firewall pop-up.

--Alex

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #10 on: November 29, 2008, 07:50:11 PM »
Thanks for the feedback, though the MalwareBytes AntiMalware suggested by FWF in reply #5 removes this fake program.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Plasmadk

  • Guest
Re: Spyware.ISpynow
« Reply #11 on: November 29, 2008, 11:51:13 PM »
Hey I think I got it figured out as well.

I tried a ton of programs half of which were able to find the infection, however, the programs would get terminated shortly after.

If you have the same problem with programs getting shut down, here is the source of the problem:

run6110411.exe

Go do C:\documents and settings\<user>\application data - there can be more than just this one file hidden in one of the folders, I found the main file stated above in my google folder. It is undeleteable, so use Malwarebytes Anti-Malware's FileASSASSIN and problem solved. No more popups, no more system or program crashes.

My only problem at the moment is, that avast antirootkit finds something in my registry during search, but then crashes before anything is logged.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Spyware.ISpynow
« Reply #12 on: November 30, 2008, 12:04:27 AM »
If you can capture a screenshot and crop the error message and post here.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

ardvark

  • Guest
Re: Spyware.ISpynow
« Reply #13 on: November 30, 2008, 12:40:55 AM »
My only problem at the moment is, that avast antirootkit finds something in my registry during search, but then crashes before anything is logged.

Hi...

Also, what are the results if you try using both Blacklight and Trend Micro's rootkit scanners...

http://www.f-secure.com/security_center/

(scroll down to "downloads", then "blacklight.")

http://www.trendmicro.com/download/rbuster.asp

Best Regards...

GTM

  • Guest
Re: Spyware.ISpynow
« Reply #14 on: November 30, 2008, 03:23:52 AM »
I picked this up two days ago as well, Avast popped up a alert about a suspicious file, but that's it.  Here's what I did:

1) Get SysinternalsSuite from microsoft (use to be WinInternals),

2) You can use pslist to see the hidden exe.  MS Task Manager wouldn't show it in my case.

3) Run regDelNul.exe from teh SysinternalsSuite on HKCU\Software\Microsoft\Windows\CurrentVersion and

HKCU\Software\Microsoft\Windows\CurrentVersion\Run to expose all the hidden registry keys.

4) Delete the hidden keys plus the files they point to (see below)

5) As noted above, the usual primary location is going to be something like ...\Application Data\Google\...  There will likely be other suspicious

exe files in a other legitimate Application Data folders.  I was able to use the timestamp to id them.  I also found a folder with MyDocs that had

to be removed.  You can find the path to this folder by using "view source" on the bogus web page. path.




Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion
---------------------
nah_id         6056788116
nah_opt_certs      /cgi-bin/trash.py
nah_opt_command      /f/prinimalka.py/command
nah_opt_deletecookie   yes
nah_opt_deletesol   no
nah_opt_file      /f/prinimalka.py/cookies
nah_opt_forms      /f/prinimalka.py/forms
nah_opt_idproject   000042
nah_opt_options      /f/prinimalka.py/options
nah_opt_pausecert   300
nah_opt_pauseopt   1200
nah_opt_pstorage   /cgi-bin/trash.py
nah_opt_reserv      78.109.23.2
nah_opt_server1      78.109.23.2
nah_opt_ss      /cgi-bin/trash.py
nah_patch      ok

Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion\Run
---------------------
HPseti     ...\Application Data\Google\runhh6110411.exe"
nah_Shell C:\Documents and Settings\username\nah_onuq.exe