Spyware.Ispynow
Spyware.ISpyNow is a spyware application that monitors computer activities such as files opened, network traffic and web sites visited. It also logs key presses on the compromised system. It can steal confidential information and send it to a remote computer via either email or File Transfer Protocol (FTP), as configured by the attacker. Spyware.ISpyNow is an extremely hazardous spyware program.
On some occasions, Spyware.Ispynow is displayed as a detected threat to scare computer users and push them to acquire the rogue programs the alert endorses. In cases like this, Spyware.Ispynow is not what needs to be dealt with; instead, focus on removing the malware that causes the fake alert.
Spyware.Ispynow as a Threat
Damage Level: High
Systems Affected: Windows 9x, 2000, XP
How to Remove Spyware.Ispynow:
FIRST AID TO STOP Spyware.Ispynow:
If this virus has infected the system, the registry and legitimate Windows files are also compromised. System Restore can reinstate clean system files by restoring the configuration to an earlier date. If a restore point was created before you got infected with Spyware.Ispynow, please restore Windows to that previous configuration.
MANUAL REMOVAL OF Spyware.Ispynow:
1. Update the installed anti-virus application so that it has the latest definition file.
2. Reboot Windows in Safe Mode.
- After turning on the power, press F8 on the keyboard.
- Select Safe Mode from the menu.
3. Thoroughly scan the system and clean/delete all infected file(s). Please see below.
4. Delete/modify any values added to the registry, if present. Refer to Associated Windows Registry Entries.
- Click on Start, then Search or Run regedit.exe to open Registry Editor.
Note: You may refer to the links on the sidebar for a complete tutorial on Safe Mode and Registry Editor.
5. Exit registry editor and restart Windows.
ADDITIONAL TOOLS AND PROGRAMS:
Scan with Norton Power Eraser:
This free removal tool from Norton Antivirus was developed to remove viruses and unfamiliar threats without using traditional AV signatures. Download the tool from this location and start scanning the computer for viruses.
Technical Details and Additional Information:
Other functionalities of this Spyware:
- Spyware.Ispynow logs chat conversations from instant messaging applications like Yahoo Instant Messenger, MSN, AOL, ICQ, and AIM.
- It captures screen shot images of every window that the user opens.
- This spyware will log key presses on the infected computer and save the logs to a specified location.
- All gathered information will be sent to a remote attacker either via email or file transfer protocol (FTP).
Malicious Files Added by Spyware.Ispynow:
%UserProfile%\Start Menu\Programs\iSpyNOW\Help Documentation.lnk
%UserProfile%\Start Menu\Programs\iSpyNOW\iSpyNOW Tray Companion.lnk
%UserProfile%\Start Menu\Programs\iSpyNOW\License Agreement.lnk
%UserProfile%\Start Menu\Programs\iSpyNOW\Readme.lnk
%UserProfile%\Start Menu\Programs\iSpyNOW\Remove iSpyNOW.lnk
%UserProfile%\Start Menu\Programs\iSpyNOW\Visit the Official iSpyNOW Website.lnk
%ProgramFiles%\ISN\isn_builder.exe
%ProgramFiles%\ISN\Visit the Official iSpyNOW Website.url
%Windir%\isntrayopt.dat
%Windir%\softmod32.exe
File Location for Windows Versions:
- %UserProfile% is C:\Users\<Current User> on Windows Vista/7; on Windows XP/2000 it is C:\Documents and Settings\<Current User>.
- %Windir% refers to the installation folder of the operating system.
Associated Windows Registry Entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Tray" = "[Executable file path]"
"isntray" = "C:\Program Files\ISN\isn_builder.exe"
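Added example (not part of the original article or any vendor tool): a read-only PowerShell check that looks for the files and Run-key values listed above and reports what it finds. The function names are hypothetical, and it assumes a system with PowerShell 3.0 or later.

```powershell
# Added example: read-only check for the iSpyNOW indicators listed on this page.
# A hit is a lead to review, not proof of infection. Nothing is deleted.

# File paths copied from "Malicious Files Added by Spyware.Ispynow".
$fileIndicators = @(
    '%UserProfile%\Start Menu\Programs\iSpyNOW\Help Documentation.lnk',
    '%UserProfile%\Start Menu\Programs\iSpyNOW\iSpyNOW Tray Companion.lnk',
    '%UserProfile%\Start Menu\Programs\iSpyNOW\License Agreement.lnk',
    '%UserProfile%\Start Menu\Programs\iSpyNOW\Readme.lnk',
    '%UserProfile%\Start Menu\Programs\iSpyNOW\Remove iSpyNOW.lnk',
    '%UserProfile%\Start Menu\Programs\iSpyNOW\Visit the Official iSpyNOW Website.lnk',
    '%ProgramFiles%\ISN\isn_builder.exe',
    '%ProgramFiles%\ISN\Visit the Official iSpyNOW Website.url',
    '%Windir%\isntrayopt.dat',
    '%Windir%\softmod32.exe'
)
# Run key and value names from "Associated Windows Registry Entries";
# executable names taken from the file list above.
$runKey        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValueNames = @('Microsoft Tray', 'isntray')
$exeNames      = @('isn_builder.exe', 'softmod32.exe')

function Get-ISpyNowFileHits {   # hypothetical helper name
    param([string[]]$Patterns)
    foreach ($pattern in $Patterns) {
        $path = [Environment]::ExpandEnvironmentVariables($pattern)
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path -Force | Select-Object FullName, CreationTime, Length
        }
    }
}

function Get-ISpyNowRunHits {    # hypothetical helper name
    param([string]$Key, [string[]]$ValueNames, [string[]]$ExeNames)
    if (-not (Test-Path -LiteralPath $Key)) { return }
    $regKey = Get-Item -LiteralPath $Key
    foreach ($name in $regKey.GetValueNames()) {
        $data   = [string]$regKey.GetValue($name)
        $byName = $ValueNames -contains $name
        # "Microsoft Tray" has no fixed path on the page, so also match on data.
        $byData = [bool]($ExeNames | Where-Object { $data -like "*$_*" })
        if ($byName -or $byData) {
            $reason = if ($byName) { 'value name' } else { 'executable name in data' }
            [pscustomobject]@{ Name = $name; Data = $data; MatchedOn = $reason }
        }
    }
}

$fileHits = @(Get-ISpyNowFileHits -Patterns $fileIndicators)
$runHits  = @(Get-ISpyNowRunHits -Key $runKey -ValueNames $runValueNames -ExeNames $exeNames)
"Indicator files present: $($fileHits.Count) of $($fileIndicators.Count)"
$fileHits | Format-Table -AutoSize
"Matching Run values: $($runHits.Count)"
$runHits | Format-List
```

The CreationTime column helps place the files on a timeline; zero hits on a machine that still shows the alert points toward the fake-alert case described in the next section.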
Spyware.Ispynow as Fake Alert
Several versions of rogue security applications list Spyware.Ispynow as a detected threat. Most recently, the unwanted application Perfect Defender 2009 displayed an alert containing the following message.
Windows Security Alert
To help protect your computer, Windows Firewall has blocked activity of harmful software.
Name: Spyware.iSpyNow
Risk Level: HIGH
Description: iSpynow is a Spyware program that records keystrokes and takes screen shots of the computer, stealing personal financial information.
Spyware.Ispynow Fake Alert Removal Tool:
1. Click here to download removal tool. Save it on your Desktop.
2. After downloading, double-click on the file to install the application.
3. Follow the prompts and install as “default” only.
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” The program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart Windows.
Note: Rogue security applications may prevent mbam-setup.exe from downloading and running. You can download this program on a different computer and rename it before running it on the infected system.
precisesecurity
Nov 29, 2008 @ 01:31:51
1. Download removal tool from this page and save it on your Desktop.
2. After downloading, double-click on to install the application.
3. Follow the prompts and install as “default” only
4. If it prompts to update the database after installation, please proceed.
5. Click “Finish.” Program will run automatically and you will be prompted to update the program before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”
8. Make sure that all detected threats are marked, click on Remove Selected.
9. Restart Windows.
arch
Dec 01, 2008 @ 02:20:37
Try deleting cookies, files and history on Internet Explorer then scan your PC using your computer security and reboot. It might help.
Jay
Dec 01, 2008 @ 15:49:46
Perfect resolution! Thanks
I even downloaded the Perfect Defender 2009 and the MalwareBytes removed that also.
Alex
Dec 01, 2008 @ 18:32:07
My computer won’t let me go to the Malwarebytes’ Anti-Malware site?
Josh
Dec 01, 2008 @ 21:22:04
Yeah, Alex. That’s part of the virus. It redirects all attempts to visit anti-virus, anti-spyware etc… sites to some other web site or crashes your browser.
Kevin
Dec 02, 2008 @ 01:13:03
Yeah, I’m having the same problem with the “Spyware.ISpyNow”. However, every time I try to visit a website to get the software I need, it crashes my browser. What should I do?
Jaclyn
Dec 02, 2008 @ 16:26:29
I was unable to install malware outside of safemode, so I went under my account on safemode, installed it to the desktop then rebooted under regular mode. I then tried to run the program but it would not open. Can I run it in safe mode and have the same results?
Joseph
Dec 02, 2008 @ 16:47:46
Yes, it works just the same if you run it under safe mode.
scott
Dec 03, 2008 @ 00:23:45
if you are having problems getting to malwarebytes antimalware (MBAM) you can use the regedit to try and remove spyware.ispynow files and perfect defender 2009 files.
to open regedit go to start, then run and type in “regedit”.
this will bring up the remote registry editor.
hit ctrl+f to find items.
search for “Perfect Defender 2009” or “iSpyNOW”; this should find hits.
Delete any registries or values that you run into associated with these.
If you still cannot browse to MBAMs site, try finding some of these files on your computer:
c:\Program Files\Perfect Defender 2009
c:\Program Files\Perfect Defender 2009\dbbase.div
c:\Program Files\Perfect Defender 2009\pd.dll
c:\Program Files\Perfect Defender 2009\pdfndr.exe
c:\Program Files\Perfect Defender 2009\pdmonitor.exe
c:\Program Files\Perfect Defender 2009\UnInstall.exe
c:\Documents and Settings\All Users\Start Menu\Perfect Defender 2009.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Perfect Defender 2009
c:\Documents and Settings\All Users\Start Menu\Programs\Perfect Defender 2009\Perfect Defender 2009.lnk
c:\Documents and Settings\All Users\Start Menu\Programs\Perfect Defender 2009\Uninstall Perfect Defender 2009.lnk
those are associated with PD2009.
iSpyNOW has files in these locations:
* %UserProfile%\Start Menu\Programs\iSpyNOW\Help Documentation.lnk
* %UserProfile%\Start Menu\Programs\iSpyNOW\iSpyNOW Tray Companion.lnk
* %UserProfile%\Start Menu\Programs\iSpyNOW\License Agreement.lnk
* %UserProfile%\Start Menu\Programs\iSpyNOW\Readme.lnk
* %UserProfile%\Start Menu\Programs\iSpyNOW\Remove iSpyNOW.lnk
* %UserProfile%\Start Menu\Programs\iSpyNOW\Visit the Official iSpyNOW Website.lnk
* %ProgramFiles%\ISN\header.gif
* %ProgramFiles%\ISN\isnhelp.htm
* %ProgramFiles%\ISN\isn_builder.exe
* %ProgramFiles%\ISN\license.txt
* %ProgramFiles%\ISN\Readme.txt
* %ProgramFiles%\ISN\uninstal.log
* %ProgramFiles%\ISN\Visit the Official iSpyNOW Website.url
* %Windir%\isntrayopt.dat
* %Windir%\softmod32.exe
hope this helps.
crashknot
Dec 03, 2008 @ 01:03:03
I have ispynow on my other computer but when I try to enable protection it freezes it up. What should I do? or how do I get rid of it?
bigfish
Dec 03, 2008 @ 03:24:38
I have attempted to download Malwarebytes, but it also seems to be locked up as I cannot launch it. Any ideas as I would desperately like to get rid of these issues!
Scott
Dec 03, 2008 @ 03:53:43
I had the problem of my browser crashing too, what I did was I scanned with spyware doctor. (installed pre-infection) then I was able to download and use malwarebytes. Also I couldn’t update spyware doctor until after the first scan. Hopefully it all works though currently scanning my computer now.
crashknot
Dec 03, 2008 @ 23:07:10
Is there a way to get rid of it without having spyware doctor or any other spyware remove program, because I don’t have any?
Aaron
Dec 04, 2008 @ 03:43:07
It is now crashing the Regedit so I can’t get in there to delete these files manually either. It won’t let me open any browser or any program right now. I used Avenger to try to delete the files you had listed and it didn’t find any of them (I copied and pasted the locations). Any other solutions? It’s not even being detected by Malwarebytes, which I have. When I run Malwarebytes it shows 0 infections even though I am clearly infected as nothing on my computer is working at all.
Jack
Dec 04, 2008 @ 10:40:04
Crashknot. I am having same problem. I can’t access the Internet to get spyware removal software. Anyone have any ideas?
Seraph Bane
Dec 04, 2008 @ 19:12:16
Same problem as Christina.
I ran Malwarebytes and it found one file in my system that it deleted.
then rebooted and opened up my browser and It crashed to desktop.
I was also able to delete the file containing perfect defender 2009 and all of its contents.
but I still get prompts to “protect” my computer and every time I open the browser, it sends me to their homepage asking me if I want to continue without protection or get perfect defender 2009.
I’ve tried everything I know but nothing seems to work.
I’m beginning to think that maybe there’s something bigger than just the Zlob Trojan at work.
Jay
Dec 04, 2008 @ 21:22:30
The above information under Category states, “Spyware.ISpyNow is a spyware program that monitor computer activities such as files opened, network traffic, and logs keystrokes. Spyware.Ispynow sends gathered information to remote attacker via email or ftp transmission.”
Is the current Spyware.Ispynow security warning really a Keylogger?
Jack
Dec 05, 2008 @ 00:57:08
I have McAfee Virus Detection. While it did not prevent or detect the spyware, the people at McAfee were able to remove the spyware program from my PC (for a fee). For me, it was worth it. That is one way to get rid of it.
jeff
Dec 05, 2008 @ 06:05:27
I had this problem last night and I tried everything. The first thing that helped was to disable a driver under Device Manager. Also, the virus likes to hide in Application Data. You can detect them by looking at the time they were created; they will all have the same time. They are .exe files, with one being a .dll. If you look on the net at different blogs, the files are listed, and the name of the driver is listed too. Sorry, I can’t remember exactly.
Jay
Dec 05, 2008 @ 15:09:41
Jeff, the file names in my App folder were:
learn32.dll
rehh.exe
vigrs.exe
Ina.exe
comm3.exe
fsh1.exe
xtgoj6119471.exe
(all these files had the same date)
and
fwlmsk.dll which seems to be created by the xtgoj6119471.exe file
For what it is worth, once I was clean I checked what web site in my browser history had a date stamp that matched the creating date of the malware files. It was a Google Reader site.
jcs1377
Dec 05, 2008 @ 16:14:01
I have been fighting this same problem since yesterday and have had no luck. I tried deleting history and all files, I downloaded Malwarebytes and Adaware and ran them both twice (with updates) and I have run McAfee scan several times. I still get that “Security Center Alert” referencing spyware.ispynow and I can’t get a browser window to stay open. I am still fighting it but I think that it may have come from a gadget I tried to add to my Google desktop. I didn’t think of it until I read the post by Jay, but I haven’t loaded anything onto this computer in a while and the Google desktop gadget is the only new thing I’ve tried. I am going to try and uninstall that whole thing and will report back what I find out.
Jay
Dec 05, 2008 @ 17:09:34
jcs1377 – did you locate the exe file in the Application folder?
Jay
Dec 05, 2008 @ 17:10:34
Mr. Dis, you should download the Malwarebytes software from a non-infected computer.
jcs1377
Dec 05, 2008 @ 17:35:43
OK, so here is what I found out. I initially uninstalled my Google desktop because I suspected that was the source of the problem (I had downloaded a gadget that wasn’t produced by Google themselves. Should have known better…) I then ran MBAM again, after updating it, and it finally did find 2 infected files. Things are starting to look good. After rebooting a few times, I can open a browser and it goes where it should. I did download MBAM to a non-infected computer and then transferred the setup file via a thumb drive. I did the same thing with Adaware and spybot. I am running a secondary spybot scan now. I will report back my results after the secondary scan. But so far so good.
I never did look for or find the exe file that really caused the problem. Honestly, I am a novice at this type of work so I am simply praying at this point.
jcs1377
Dec 05, 2008 @ 18:14:40
I have completed my secondary spybot scan and have found no more problems. I think I am clean now. My browsers seem to be working properly and I am no longer getting that fake pop-up regarding the Security Center Alert.
The scan I did this morning with the updated MBAM did show two files that it didn’t pick up yesterday and they both referenced the following:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|winhpdrv (Trojan.FakeAlert)
C:\Documents and Settings \XXXXusernameXXXX\Application Data\Google\xtgoj6119471.exe (Trojan.FakeAlert)
I am pretty sure I got the bad file from downloading a Picasa based gadget for my Google desktop.
I hope this helps you all.
crashknot
Dec 05, 2008 @ 22:43:26
I just got some protection to load on my computer it’s called Perfect Defender 2009 by safesoft. should I trust it and download or buy it?
jcs1377
Dec 05, 2008 @ 23:40:30
I thought that was part of the original Trojan. I think that may mess you up even more.
Mike Rhyne
Dec 07, 2008 @ 00:30:35
Same problem, folks, except mine is named kjzna1562565.exe, located in C:\Documents and Settings\xxxxusernamexxxx\Application Data\Google. Currently working on locating/deleting all aspects of the Trojan.
Mike Rhyne
Dec 07, 2008 @ 00:50:43
Changed extension name from kjzna.exe to kjzna.old, rebooted, deleted the cursed file, and ran RegCure to clean up the mess left behind. Am now back online with the formerly infected PC (thank goodness I live in a two computer household!). Suspect this one will be around for awhile, and that it will be changing rapidly to trick spyware. I have good anti-virus/anti-spyware programs running, and none of them stopped this or helped fix it. Fixed this the old-fashioned way: detective work and excellent tips from good friends like you! Best bet is to avoid Google Desktop!
vic
Dec 07, 2008 @ 21:59:55
How do you change kjzna to kjzna old? I have disabled it in startup but want to get rid of it totally please help.
Neal
Dec 08, 2008 @ 13:47:10
Like Mike stated (12:30), the Trojan file kjzna is found in that location.
In the registry you will find two entries: HKEY_CURRENT_USER > SOFTWARE> microsoft> windows> current version > run
There you will find registry items “zlob” and “kjzna”
delete those two entries and disable kjzna in ms config.
Even though I have deleted what I believe are all remnants of this virus, I still have it listed as an active process item in msconfig, though it is not running
VSloan
Dec 09, 2008 @ 15:53:12
I’m trying to delete Google and it won’t let me. This safesoft perfect defender keeps popping up! I don’t know much about computers! Can someone please help me out!
RHubb
Dec 09, 2008 @ 16:01:01
How do I uninstall my Google desktop? I’m not too computer savvy..
This thing is worrying me!
JanPerry
Dec 09, 2008 @ 16:30:29
After calling my dad, who is a computer wizard, I found the fastest and easiest way. I too had this problem. Found the most simple way..
1. go to your start menu
2. go to accessories
3. then to system tools
4. then to system restore
5. go to a date from before this program started popping up.
6. click next.
It will re-boot your computer and put it back to the settings from before you ran into this problem!
I hope this helps:))
John Barrett
Jan 30, 2011 @ 21:50:19
Yeap, using system restore seems to be a good idea, but as far as I know there are trojans that infect even Restore Point files. Check this out for more tips: cleanbytes.net