
How to remove Spyware.ISpynow (Fake Security Center Alert)

If you are seeing a Security Center Alert stating that Windows Firewall has blocked activity of harmful software, then your computer is infected with a trojan that uses this fake alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, this trojan displays a fake Security Center alert that tells you:

Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.

If you click the enable protection button, it opens a site asking you to download a rogue antispyware program (Perfect Defender 2009).

Symptoms in a HijackThis Log.

O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
Note: [RANDOM_NAME] stands for a random file name such as runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe …
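The O4 autorun lines above can be triaged mechanically. The Python below is an added example, not part of the original post: it parses HijackThis O4 entries and flags the value names and file locations this page lists. The sample log is constructed, and the two location heuristics (svchost.exe outside system32, an executable directly in the per-user Google data folder) are assumptions generalized from the page's entries.

```python
import ntpath
import re

# Value names (lower-cased) and per-user drop folders taken from this page.
KNOWN_VALUE_NAMES = {"svchost.exe", "winhpdrv", "hpseti", "hpsetm", "nah_shell"}
DROP_DIR_SUFFIXES = (r"\application data\google", r"\appdata\roaming\google")

O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]+)\]\s+(.+)$")
IMAGE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)

# Constructed sample: three entries modelled on the page, two benign ones.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\User\Application Data\Google\ijdkq13324484.exe"
O4 - HKCU\..\Run: [HPseti] “C:\Documents and Settings\User\Application Data\Google\xtgoj6119471.exe”
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
'''

def image_path(command):
    """Return the executable of a Run command without quotes or arguments."""
    # Logs copied from web pages often carry typographic quotes; normalize them.
    command = command.strip().replace("“", '"').replace("”", '"')
    m = IMAGE.match(command)
    return (m.group(1) or m.group(2)) if m else command

def review_o4(log_text):
    """Return (value_name, image, reasons) for each suspicious O4 autorun entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        name, image = m.group(3), image_path(m.group(4))
        folder = ntpath.dirname(image).lower()
        base = ntpath.basename(image).lower()
        reasons = []
        if name.lower() in KNOWN_VALUE_NAMES:
            reasons.append("value name listed on the page")
        # The genuine svchost.exe sits directly in system32 (or SysWOW64).
        if base == "svchost.exe" and folder and not folder.endswith(("\\system32", "\\syswow64")):
            reasons.append("svchost.exe outside system32")
        if base.endswith(".exe") and folder.endswith(DROP_DIR_SUFFIXES):
            reasons.append("executable directly in per-user Google data folder")
        if reasons:
            findings.append((name, image, reasons))
    return findings

if __name__ == "__main__":
    for name, image, reasons in review_o4(SAMPLE_LOG):
        print(f"[{name}] {image}: {'; '.join(reasons)}")
```

Because the file names are random, the folder check matters more than the name list: the Google Update entry in a subfolder is left alone, while any executable sitting directly in the Google data folder is reported.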

Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).

  • Right click the My computer icon. If you are using the non classic Start menu, then right click My computer on your Start button menu.
  • Click Properties.
  • Click Hardware Tab.
  • Click Device Manager.
  • In the top menu, click View and click Show Hidden Drivers.
  • Scroll down to non Plug and Play drivers.
  • Click + at left.
  • In the list of drivers right click TDSSserv.sys.
  • Click Disable.
  • Click YES to confirm.
  • Close all windows and reboot your computer.
  • Please download OTmoveIt3 by OldTimer from here.
  • Run OTmoveIt3, copy, then paste the following text in the “Paste Instructions for Items to be Moved” window (under the yellow bar):

    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "SVCHOST.EXE"=-
    "winhpdrv"=-
    "HPseti"=-
    "HPsetm"=-
    "nah_Shell"=-

    :files
    C:\WINDOWS\system32\drivers\svchost.exe
    %UserProfile%\nah_eere.exe
    %UserProfile%\Application Data\Google\ijdkq13324484.exe
    %UserProfile%\AppData\Roaming\Google\dvvm.exe
    %UserProfile%\Application Data\Google\xtgoj6119471.exe
    %UserProfile%\Application Data\Google\teuaa1726165.exe
    %UserProfile%\Google\runhh6110411.exe

  • Click the red Moveit! button.
  • When the tool is finished, it will produce a report for you.
  • Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
  • Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.

If you need help with the instructions, then post your questions in our Spyware Removal forum.


November 30, 2008 on 9:28 am | In Trojan, Tutorials - HowTo


55 Comments »


  1. I am following the download instructions to have this removed but it will not allow me to connect to the internet.

    Comment by Gina — November 30, 2008 #

  2. Thank you so much! This worked.
    MC

    Comment by Michael — December 1, 2008 #

  3. Man, you're a life saver, thank you so much

    Comment by Bryan — December 1, 2008 #

  4. Thank you, thank you, thank you! It worked perfectly.

    Comment by Raj — December 1, 2008 #

  5. Yes, I was pulling my hair out until I came across your webpage. This info/technique saved me big time. Shoot me an email and I will make a paypal donation to you. Again, big big thanks

    Comment by ryan — December 2, 2008 #

  6. I tried using the avenger but after I copy and paste the script you posted it gives me an error saying

    Error: Invalid script. A valid script must begin with a command directive. Aborting execution!

    Comment by Ben — December 3, 2008 #

  7. Ben, the script is ok. Just checked it.
    Try typing the text of the script manually into the Input script box.

    Comment by Patrik — December 3, 2008 #

  8. You ROCK Dude! This worked like a charm! MANY Thanks!

    Comment by Larry — December 3, 2008 #

  9. Fantastic solution. One detail, though - the name of the files in %UserProfile%\Application Data\Google\ were different for me, and there was a DLL added there as well. But I loaded the files into the Avenger script and all went well. Oddly, McAfee didn’t detect this trojan when I scanned memory and files, but its on-access scanner detected the TDSS files when MBAM scanned them.

    Muchas Gracias!!!

    Comment by Sam — December 3, 2008 #

  10. I’m still getting the same error

    Comment by Ben — December 3, 2008 #

  11. Ben, please read these instructions.

    Comment by Patrik — December 3, 2008 #

  12. Worked great! Thanks for your help.

    Comment by Jana — December 3, 2008 #

  13. I am trying to get rid of the spyware.ISpynow fake alert, but when I go into my non plug and play drivers the TDSSserv.sys is not listed!!! What next?
    all scans come up empty…help
    Thanks Scott

    Comment by Scott — December 3, 2008 #

  14. Scott, you are probably infected with a new version of the fake security alert trojan. Please follow these instructions.

    Comment by Patrik — December 3, 2008 #

  15. Thanks for trying to help patrick…I tried to create an acct at Myantispyware but it will not send me the email to authenticate my acct…another dead end…sigh..maybe you guys can send me the email so I can open my acct?

    Comment by Scott — December 3, 2008 #

  16. Hello again…i need the email sent to me so I can open my acct with you guys …
    thanks

    Comment by Scott — December 3, 2008 #

  17. Amazing thank you so much

    Comment by Mitch — December 3, 2008 #

  18. Scott, try another email address.

    Comment by Patrik — December 3, 2008 #

  19. These instructions did not work for me. When I run Avenger with that script, it says it can’t find the files. Malwarebytes is also not picking anything up, but I still get the Spyware.ISpynow popup and it’s preventing practically everything on my computer from working.

    SpyHunter was able to successfully find the file where Malwarebytes failed, but requires registration to remove it and I can’t open the internet to do it nor do I really want to pay 29.95 to get this ridiculous malware removed. Any help would be appreciated.

    Aaron

    Comment by Aaron — December 3, 2008 #

  20. Malwarebytes gave me the following error about 10 times throughout the full scan: Error Code 731 (0,9)

    It’s still coming back with 0 infections.

    Comment by Aaron — December 3, 2008 #

  21. A visiting friend got this on my computer trying to watch videos. Followed the instructions and it worked. I noticed the avenger program wasn’t successful in efforts to …

    Comment by Bruce — December 3, 2008 #

  22. Well it didn’t work after all: I thought it was fine, so I reloaded Firefox and it still pops up and won’t let me keep Firefox running. Guess I’ll run a full scan with your software to see if it removes it.. or should I rerun the job above , again??

    Comment by Bruce — December 3, 2008 #

  23. Aaron and Bruce, please follow these instructions.

    Comment by Patrik — December 3, 2008 #

  24. I followed the instructions but I get errors like this:
    Error: file ‘c:\WINDOWS\system32\drivers\scvhost.exe’ not found! after rebooting from running avenger. I started a malwarebytes scan before coming across this site and it deleted some files. would this affect the process?

    Comment by Gine — December 4, 2008 #

  25. Gine,

    Error: file ‘c:\WINDOWS\system32\drivers\scvhost.exe’ not found!

    It's not a problem.
    If you are still having problems with your computer, then read and follow these instructions.

    Comment by Patrik — December 4, 2008 #

  26. I found the last file item on my system last night and changed the avenger program to cover that one listed %UserProfile%\Application Data\Google\xtgoj6119471.exe which seems to have solved it for now…thanks for this site..

    Comment by Bruce — December 4, 2008 #

  27. Hi,
    I am also infected with spyware.iSpynow. As per ur instruction when i right click My computer > Hardware > Device manager > View… Show hidden devices… but i couldn't find TDSSserv.sys. This malware is disabling realtime protection of my Bit Defender Internet security.. When i go to my computer and try to open it, it shows only c drive and a message pops up: to use sharing folder, you need to sign in window live messenger.. then if i click ok then it shows all drives and folders. btw i am using Acer Aspire 5100 notebook.. please help..

    Comment by Hunter — December 4, 2008 #

  28. Hunter, please follow these instructions. Myantispyware team will help you.

    Comment by Patrik — December 4, 2008 #

  29. Thanks for speedy reply Prateek..i tried to register..but i haven't received confirmation email on my email…so i couldn't login
    Help Please

    Comment by Hunter — December 4, 2008 #

  30. Hunter, email with login information was sent. But if you have not received the email, please register again using another email, use gmail.com for example.

    Comment by Patrik — December 4, 2008 #

  31. I also have this same problem :(
    Unfortunately, it is hard for me to follow the directions because my computer’s language is in korean.

    I cannot find the ‘Hardware Tab’ and neither the ‘Device Manager’
    Is there any other way I can find either of those?

    Please help.
    Or at least descriptions on how the two things look?

    Comment by Alice — December 4, 2008 #

  32. This infection was a total pain. I checked several forums before I found this and everyone was saying reformat. I’m glad I found this.
    2 things, per the instructions, when you run Moveit and paste the code into the box, there are a couple of different options. I used the …

    Comment by Dana — December 5, 2008 #

  33. Think my last post got cut off. Continuing:
    …couple of different options. I used the Move It button, which after about 10 seconds the program stopped responding. The trojan appears to be gone, but I wanted to be sure this wasn’t anything to worry about, or it’s the norm for MoveIt to behave like that.
    Thanks.

    Comment by Dana — December 5, 2008 #

  34. Alice, I don't know the Korean language. But you can use the way for removing trojan TDSServ.

    Comment by Patrik — December 5, 2008 #

  35. Dana, I can check up your PC. Read and follow these steps.

    Comment by Patrik — December 5, 2008 #

  36. I have a very similar problem but instead of Spyware.ISpynow it says Sinowal.Trojan. Will the same procedure work for me?

    Comment by Natasha — December 5, 2008 #

  37. Excellent post, it worked perfectly, even without the TDSServ.sys being in the device manager.

    Do the rest of the instructions, and it works. Thanks again, very very well done.

    Comment by JJ — December 5, 2008 #

  38. Thanks for your reply, Patrik.
    However, does ‘removing trojan TDSServ’ have anything to do with Spyware.Ispynow?

    Comment by Alice — December 5, 2008 #

  39. After removing TDSServ trojan, complete the remaining steps of current instruction.

    Comment by Patrik — December 5, 2008 #

  40. Natasha, please read and follow these steps.

    Comment by Patrik — December 5, 2008 #

  41. Even though I couldn’t find TDSSserv.sys on my system I was able to eliminate this virus from my system using the remainder of the instructions. Thanks!

    Comment by Dan — December 6, 2008 #

  42. This worked! I tried other suggestions but none of them worked. Thanks so much.

    Comment by Curt — December 7, 2008 #

  43. You are the King! This issue has been such a pain, but these steps resolved the problem. Thanks!

    Comment by Kevin — December 8, 2008 #

  44. Attempting to remove fake security center alert. There is no TDSSserv.sys apparent. There is however serial with ! surrounded by yellow. What is the significance of that icon? Should that be disabled?
    Thanks

    Comment by Barry Myers — December 8, 2008 #

  45. There is however serial with ! surrounded by yellow.

    These are devices which work with errors and have been disabled.
    Myers, please read and follow these steps.

    Comment by Patrik — December 8, 2008 #

  46. Thank you so much. Normally I would not have spent so much time with so infected a computer I had, but it was my dad’s and I took it as a challenge. Thanks so much. Never used OTmoveIt3 before. Lifesaver for sure.

    Comment by Tim Mann — December 10, 2008 #

  47. Worked perfectly…Thanks so much!!!

    Comment by Dick — December 11, 2008 #

  48. When I right-click the My Computer icon, there’s no “hardware tab”, I’ve never seen tabs when right-clicking icons so don’t know what that means. Also can’t download fixes on that computer since virus shuts down browsers. Help?

    Comment by Lacy — December 12, 2008 #

  49. Lacy, right click the My computer icon, click Properties and after that click Hardware Tab.

    Comment by Patrik — December 13, 2008 #

  50. got rid of my xtgoj6119471.exe problem!!! I tried every antivirus program under the sun combined, and it still didn’t do the job of what you instructed. The OTMoveIt program didn’t work for me so well, but the Malwarebytes software did what AVG, McAfee, Spybot S&D, Avira, and AdAware could not. Thank you masked stranger.

    Frank.

    Comment by Frank Sinatra — December 14, 2008 #

  51. Is sinowal.trojan the security alert for the defender site? Also, what do you think of F-secure online scanner, will it remove this trojan?

    Comment by Stacey — December 14, 2008 #

  52. Stacey, probably yes, but there is no 100% guarantee. Please read and follow these steps.

    Comment by Patrik — December 15, 2008 #

  53. THANKS ! I had been going nuts trying to figure out what was wrong with my computer, and just how to fix it! I was just getting ready to reformat (had made my backups) ,when I found this post. Thanks to you I do not have to do this ! You just made this old man very happy! Hope you have a Merry Christmas and God bless ! tnshadows

    Comment by tnshadows — December 17, 2008 #

  54. Thank you, thank you, thank you, worked great. I bought some other spyware remover that did not work but this free Malwarebytes anti-malware solved my problem with the system security bug

    Comment by Joe — December 27, 2008 #

  55. Thanks, this solution worked great and no more annoying warnings, great solution

    Comment by Avion — December 29, 2008 #
