If you are seeing a Security Center Alert stating that Windows Firewall has blocked activity of harmful software (Spyware.ISpynow, win32.zafi.b, Win32.Netsky.Q, Trojan.Zlob.G, Win32.BackDoor-DNM), then your computer is infected with a trojan that uses this fake alert to trick you into purchasing Perfect Defender 2009 or another rogue antispyware program. Once running, this trojan displays fake Security Center alerts that tell you:
Security Center Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Do you want to block this suspicious software?
Name: Spyware.ISpynow
Risk Level: High
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Security center alert
To help protect your computer, Windows firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: win32.zafi.b
Risk Level: High
Security Center Alert
To help protect your computer, Windows Firewall has blocked some features of this program.
Do you want to block this suspicious software?
Name: Win32.BackDoor-DNM
Risk Level: High
Description: DNM is a worm trojan program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
If you click the Enable Protection button, a website opens asking you to download a rogue antispyware program (Perfect Defender 2009) or other rogue antispyware software.
Symptoms in a HijackThis Log.
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [winhpdrv] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [HPseti] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe"
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
O4 - HKCU\..\Run: [WinDNN] "C:\Documents and Settings\User\Application Data\Google\[RANDOM_NAME].exe" 2
Note: [RANDOM_NAME] is a random file name, for example runhh6110411.exe, ijdkq13324484.exe, xtgoj6119471.exe, fhexj6825097.exe, klnxv19819115.exe …
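The HijackThis symptoms above can be checked mechanically. The following Python sketch is an added example, not part of the original guide: it flags O4 Run entries whose value name appears in this page's lists, whose svchost.exe sits outside system32, or whose file matches the random-name shape in the Google/Gmail application-data folders. The function names, the name pattern (5 letters plus 6 to 8 digits, inferred from the page's samples) and the sample log are assumptions constructed for illustration.

```python
import ntpath
import re

# Run value names from this page's HijackThis excerpt and OTM script (lowercased).
KNOWN_RUN_NAMES = {
    "svchost.exe", "winhpdrv", "hpseti", "hpsetm", "nah_shell", "windpipe",
    "windnn", "wclock", "winclock", "ckcixg", "realtecg", "realtehs",
    "realtekg", "realtecs", "realtechs", "realtecss", "realtecks", "realteks",
    "realteczs", "realtekc",
}
# Assumption: dropped files follow the page's samples (5 letters + 6-8 digits).
RANDOM_EXE = re.compile(r"^[a-z]{5}\d{6,8}\.exe$")
DROP_DIR = re.compile(r"\\(application data|appdata\\roaming)\\(google|gmail)$")
# HijackThis autorun entry: O4 - HKCU\..\Run: [name] command
O4_LINE = re.compile(
    r"^[ \t]*O4 [-\u2013] HK(?:CU|LM)\\\.\.\\Run: \[([^\]\r\n]+)\] (.+)$", re.M)

def image_path(cmd):
    """Return the executable path from a Run command, quoted or bare."""
    cmd = cmd.strip().replace("\u201c", '"').replace("\u201d", '"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd

def scan(log_text):
    """Map Run value name -> reasons, for O4 lines matching the symptoms."""
    hits = {}
    for m in O4_LINE.finditer(log_text):
        name, path = m.group(1), image_path(m.group(2)).lower()
        folder, exe = ntpath.split(path)
        reasons = []
        if name.lower() in KNOWN_RUN_NAMES:
            reasons.append("run-name")
        if exe == "svchost.exe" and not folder.endswith("\\system32"):
            reasons.append("svchost-outside-system32")
        if DROP_DIR.search(folder) and RANDOM_EXE.match(exe):
            reasons.append("random-exe-in-appdata")
        if reasons:
            hits[name] = reasons
    return hits

# Constructed sample log: two benign entries, two shaped like the page's.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [windpipe] "C:\Documents and Settings\User\Application Data\Google\runhh6110411.exe" 2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
'''
```

Calling `scan(SAMPLE_LOG)` returns only the SVCHOST.EXE and windpipe entries; a match is a reason to follow the removal steps below, not proof of infection on its own.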
Use the following instructions to remove Spyware.ISpynow (fake Security Center Alert).
- Right click the My computer icon. If you are using the non classic Start menu, then right click My computer on your Start button menu.
- Click Properties.
- Click Hardware Tab.
- Click Device Manager.
- In the top menu, click View and click Show Hidden Drivers.
- Scroll down to non Plug and Play drivers.
- Click + at left.
- In the list of drivers, right click TDSSserv.sys. If you can't find the driver, then skip this step and go to the “Please download OTmoveIt3” step.
- Click Disable.
- Click YES to confirm.
- Close all windows and reboot your computer.
- Please download OTM by OldTimer from here.
- Run OTM, then copy and paste the following text into the “Paste Instructions for Items to be Moved” window (under the yellow bar):
:reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SVCHOST.EXE"=-
"winhpdrv"=-
"HPseti"=-
"HPsetm"=-
"nah_Shell"=-
"windpipe"=-
"WinDNN"=-
"wclock"=-
"realtecg"=-
"ckcixg"=-
"realtehs"=-
"realtekg"=-
"realtecs"=-
"realtechs"=-
"realtecss"=-
"realtecks"=-
"realteks"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"realteczs"=-
"winclock"=-
"realteks"=-
"realtekc"=-
:files
%WinDir%\system32\drivers\svchost.exe
%UserProfile%\nah_eere.exe
%APPDATA%\Google\ijdkq13324484.exe
%APPDATA%\Roaming\Google\dvvm.exe
%APPDATA%\Roaming\Google\mscclock.exe
%APPDATA%\Roaming\Google\vxpclock.exe
%APPDATA%\Roaming\Google\msvclock.exe
%APPDATA%\Google\xtgoj6119471.exe
%APPDATA%\Google\teuaa1726165.exe
%APPDATA%\Google\runhh6110411.exe
%APPDATA%\Google\fhexj6825097.exe
%APPDATA%\Google\klnxv19819115.exe
%APPDATA%\Google\yfijv17721328.exe
%APPDATA%\Google\xpsdg6420222.exe
%APPDATA%\Google\kpldpl.dll
%APPDATA%\Google\vgwsn871850.exe
%APPDATA%\Google\djvlg2072387.exe
%APPDATA%\Google\fbabj220320.exe
%APPDATA%\google\torsi2225487.exe
%APPDATA%\google\lptspcp.dll
%APPDATA%\ckcixg.exe
%APPDATA%\google\ocboo1892823.exe
%APPDATA%\google\sysspc.dll
%APPDATA%\google\phtrc345015.exe
%APPDATA%\google\pfysw721318.exe
%APPDATA%\google\jxzub5410451.exe
%APPDATA%\google\tjwuh601471.exe
%APPDATA%\google\sqean9524272.exe
%APPDATA%\google\mcscrlp32.dll
%APPDATA%\google\jbzey222486.exe
%APPDATA%\Gmail\rygwz7313434.exe
%APPDATA%\google\runhh6110411.exe
- Click the red Moveit! button.
- When the tool is finished, it will produce a report for you.
- Download MalwareBytes Anti-malware (MBAM). Close all programs and windows on your computer.
- Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
If you need help with the instructions, then post your questions in our Spyware Removal forum.
Thanks a lot, it worked.
Worked like a charm, thanks!
Awesome! Thanks so much! Worked perfect!
Thank you for posting this! You are a lifesaver.
The free version of the Malwarebytes software (http://www.malwarebytes.org/) as suggested a few times above totally worked for me. Did a full system scan and it found/stopped the fake Security Center Alerts and it found and removed 9 other malicious things (software, registry entries, etc.). So I suggest the Malwarebytes route because it’s much safer for newbies in that it doesn’t require ANY technical knowledge or reg edits or anything. And NO, I am in no way affiliated with Malwarebytes. I’m just glad it got rid of the problem and then some. I guess it didn’t win a CNet award for nothing.
Many thanks!! Worked for me.
JB
WOW! Thank you so much, this worked perfect! I did have to scan twice; the first time my computer shut itself down. You are the greatest, thanks for the help!
Thank you so much… it really helped me a lot and totally worked!!!!
I have the exact same problems except my laptop is not letting me click on anything. I could not even get online with my infected laptop, much less download the Hijack file. So I downloaded it off my noninfected computer and tried to install it on my laptop; it would not even launch. Same goes for Malwarebytes. System restore also does not work. I have also tried this in safe mode, which also did not let me double click the icon to launch the programs. I appreciate any help. Thanks
Linh, ask for help in our Spyware removal forum.
When I try to open Device Manager the virus blocks it. Is there something else I can open?
JohnBrandt, try the instructions below:
http://www.myantispyware.com/2008/11/05/how-to-remove-trojan-tdsserv/
Cheers mate, bom post!