ISpyNow Personal Defender Malware

Discussion in 'Malware Help (A Specialist Will Reply)' started by gregorytmorgan, Nov 29, 2008.

  1. gregorytmorgan (Private E-2)

    I picked this up two days ago as well. Avast popped up an alert about a suspicious file, but that's it. Here's what I did:

    1) Get the SysinternalsSuite from Microsoft (it used to be Winternals).

    2) You can use pslist to see the hidden exe. MS Task Manager wouldn't show it in my case.

    3) Run RegDelNull.exe from the SysinternalsSuite on HKCU\Software\Microsoft\Windows\CurrentVersion and HKCU\Software\Microsoft\Windows\CurrentVersion\Run to expose all the hidden registry keys.

    4) Delete the hidden keys plus the files they point to (see below).

    5) As noted above, the usual primary location is going to be something like ...\Application Data\Google\... There will likely be other suspicious exe files in other legitimate Application Data folders. I was able to use the timestamp to ID them. I also found a folder with MyDocs that had to be removed. You can find the path to this folder by using "view source" on the bogus web page.

    Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion
    ---------------------
    nah_id 6056788116
    nah_opt_certs /cgi-bin/trash.py
    nah_opt_command /f/prinimalka.py/command
    nah_opt_deletecookie yes
    nah_opt_deletesol no
    nah_opt_file /f/prinimalka.py/cookies
    nah_opt_forms /f/prinimalka.py/forms
    nah_opt_idproject 000042
    nah_opt_options /f/prinimalka.py/options
    nah_opt_pausecert 300
    nah_opt_pauseopt 1200
    nah_opt_pstorage /cgi-bin/trash.py
    nah_opt_reserv 78.109.23.2
    nah_opt_server1 78.109.23.2
    nah_opt_ss /cgi-bin/trash.py
    nah_patch ok

    Hidden Reg Keys : HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ---------------------
    HPseti ...\Application Data\Google\runhh6110411.exe"
    nah_Shell C:\Documents and Settings\username\nah_onuq.exe

    -G

    PS. For everyone (3 sites I tried tonight) using vBulletin ... why can't I reply to an existing post? Is it because I have a new account? If so, that's lame; if not, bug?
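The listing above is the kind of evidence the poster's steps 3 and 4 produce: a cluster of oddly named values holding server addresses and script paths, plus Run entries pointing at executables dropped under the user profile. The script below is an added example, not the poster's tool, and shows how to triage such a listing mechanically. The sample dump is constructed here to mirror the post's values (the full path for the HPseti entry is assumed, since the post truncates it); the rule thresholds, the "suspect directory" list and the function names are all assumptions. Value names that carry embedded NUL characters cannot be opened by Win32-level tools (reg.exe, regedit, PowerShell's registry provider), so in practice the listing has to come from a native-API tool such as RegDelNull or a registry-hive parser; this script only judges the text it is given.

```python
"""Triage a 'name data' dump of registry values for infostealer indicators.

Added example, not from the post or Sysinternals. Feed it a listing of the
shape the post shows: one 'KEY' line, then one 'name data' line per value.
"""
import re
from collections import defaultdict

# Constructed sample mirroring the post's listing (HPseti path prefix assumed;
# the ctfmon.exe line is a constructed benign control value).
SAMPLE_DUMP = r"""
HKCU\Software\Microsoft\Windows\CurrentVersion
nah_id 6056788116
nah_opt_certs /cgi-bin/trash.py
nah_opt_command /f/prinimalka.py/command
nah_opt_deletecookie yes
nah_opt_reserv 78.109.23.2
nah_opt_server1 78.109.23.2
nah_patch ok
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HPseti "C:\Documents and Settings\username\Application Data\Google\runhh6110411.exe"
nah_Shell C:\Documents and Settings\username\nah_onuq.exe
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
"""

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Server-side script path such as /cgi-bin/trash.py or /f/prinimalka.py/command
SCRIPT_PATH_RE = re.compile(r"^/\S*\.(?:py|php|pl|cgi)(?:/\S*)?$", re.I)
# Executable sitting directly in a profile root, e.g. C:\Documents and Settings\user\x.exe
PROFILE_ROOT_EXE_RE = re.compile(
    r"^[a-z]:\\(?:documents and settings|users)\\[^\\]+\\[^\\]+\.(?:exe|scr|com)$", re.I)
# Assumption: per-user data directories that legitimate autoruns rarely launch from.
SUSPECT_DIRS = ("\\application data\\", "\\appdata\\", "\\local settings\\temp\\")
CLUSTER_MIN = 3  # assumption: 3+ values sharing an underscore prefix look like a config blob


def parse_dump(text):
    """Return {key: [(name, data), ...]} from a listing grouped by key lines."""
    values = defaultdict(list)
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:          # skip blanks and '-----' rules
            continue
        if line.upper().startswith(("HKCU\\", "HKLM\\", "HKEY_")):
            key = line
            continue
        name, _, data = line.partition(" ")          # value name never contains a space here
        values[key].append((name, data.strip()))
    return values


def run_entry_reason(data):
    """Why a Run-key value is suspicious, or None. Quotes around the path are tolerated."""
    path = data.strip().strip('"').lower()
    if any(d in path for d in SUSPECT_DIRS):
        return "autorun launched from a per-user data directory"
    if PROFILE_ROOT_EXE_RE.match(path):
        return "autorun launched from the profile root"
    return None


def config_reason(data):
    """Why a non-Run value looks like malware configuration, or None."""
    if IPV4_RE.match(data):
        return "bare IPv4 address (likely C2 server) stored in the registry"
    if SCRIPT_PATH_RE.match(data):
        return "server-side script path (likely C2 endpoint) stored in the registry"
    return None


def triage(text):
    """Apply the per-value rules plus the shared-prefix cluster rule; return findings."""
    findings = []
    for key, entries in parse_dump(text).items():
        is_run = key.upper().endswith("\\RUN")
        clusters = defaultdict(list)
        for name, data in entries:
            if "_" in name:
                clusters[name.split("_", 1)[0].lower() + "_"].append(name)
            reason = run_entry_reason(data) if is_run else config_reason(data)
            if reason:
                findings.append({"key": key, "name": name, "data": data, "reason": reason})
        for prefix, names in clusters.items():
            if len(names) >= CLUSTER_MIN:
                findings.append({"key": key, "name": prefix + "*", "data": ", ".join(names),
                                 "reason": f"{len(names)} values share the prefix {prefix!r}: config blob"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DUMP):
        print(f"{f['key']}\n  {f['name']} = {f['data']}\n  -> {f['reason']}")
```

On the constructed sample the script flags the four C2-looking values, the `nah_` cluster as a whole, and both Run entries, while leaving the benign ctfmon.exe line alone. The cluster rule matters because individual values such as `nah_opt_deletecookie yes` carry no indicator on their own; it is the group that gives them away, which is also the cue to delete the whole set rather than the few values that matched a pattern.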
     
  2. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Thanks for informing us of your findings!

    You cannot reply to any threads in our malware forum unless you are an approved/certified malware fighter or one of our admin staff. This is a long-standing policy to protect members coming here from receiving incorrect/incomplete/non-specific information that could break their PCs.
     
