SpyWare.ISpyNow cleanup

Well, it looks like this holiday season’s first spyware epidemic is underway. This time around it happens to be a sneaky little critter known as Spyware.ISpyNow. On a Vista machine it manifests itself in the highly clever form of a spoofed security alert, which directs users to the page of a fake security product which it claims will solve the problem. I presume the scam from there is to get panicked and desperate users to punch in their credit card numbers, which the scammers can then use for Nefarious Purposes.

So, solution. (Note: this solution is Windows Vista-specific and I don’t know if a similar solution will work on other Windows flavors.) Here’s what worked to clean up the Vista machine I’m on:

0.) First go grab Unlocker here and install it.

1.) Navigate to C:\Users\*USERNAME*\AppData\Roaming\Google. You’re looking for the file dvvm.exe (that’s two v’s, not a w: delta victor victor mike) and one associated .dll. I don’t know if they’re always in this folder or not, but that’s where I found them on this machine.

2.) Highlight both files (I don’t recall the .dll name, as I foolishly didn’t write the name down before nuking it. Sorry.) Right-click on them and select “Unlocker” from the right-click context menu. From Unlocker’s drop-down menu select “Delete” and hit OK.

3.) At this point, Unlocker should give you a message about being unable to delete them at the moment (they’re locked, but trickily enough they’re locked by a well-hidden process that Unlocker can’t see). Unlocker, however, is smart enough to schedule them for deletion on the next reboot. Tell it to do so.

4.) Reboot.

5.) You should now be clean.

6.) If you have any other info to share that might be helpful to others with this bug, please do drop it in the comments. Of particular interest might be whether this method worked for you and on what OS.
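As an added example (not from the original post, and not Unlocker’s code), here is a PowerShell script that does steps 1 through 3 by hand: it lists the dropped files, reports any visible process that has them loaded, tries a plain delete, and if that fails queues the deletion for the next reboot through the documented Windows mechanism for delete-on-reboot (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT). The folder and the dvvm.exe name come from the post; treating every .dll in that folder as the companion DLL is an assumption, which is why it starts in dry-run mode.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Review the listing with $DryRun = $true before setting it to $false.
$DryRun = $true

# P/Invoke for the documented delete-on-reboot mechanism (MoveFileEx with a
# null destination and MOVEFILE_DELAY_UNTIL_REBOOT = 4; requires admin).
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

# Folder and file name from the post; the DLL name is unknown, so every .dll in
# that folder is treated as the companion (assumption, hence the dry run).
$dropDir  = Join-Path $env:APPDATA 'Google'
$suspects = Get-ChildItem -Path $dropDir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'dvvm.exe' -or $_.Extension -ieq '.dll' }
if (-not $suspects) { Write-Host "Nothing matching found in $dropDir"; return }

foreach ($file in $suspects) {
    Write-Host ("Found {0} ({1} bytes, modified {2})" -f $file.FullName, $file.Length, $file.LastWriteTime)

    # Visible processes with the file loaded (the Task Manager route in the
    # comments only works when such a process is visible; the post saw none).
    $holders = Get-Process | Where-Object {
        $mods = try { $_.Modules } catch { @() }   # access denied on some processes
        $mods | Where-Object { $_.FileName -ieq $file.FullName }
    }
    foreach ($p in $holders) { Write-Host "  loaded by PID $($p.Id) ($($p.ProcessName))" }
    if ($DryRun) { continue }

    foreach ($p in $holders) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    try {
        Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop
        Write-Host "  deleted"
    } catch {
        # Locked by something not visible: queue it for deletion at next boot,
        # which is what "schedule for deletion on reboot" does in step 3.
        if ([Win32.Native]::MoveFileEx($file.FullName, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Write-Host "  locked; scheduled for deletion on next reboot"
        } else {
            $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Warning "  MoveFileEx failed with Win32 error $err"
        }
    }
}
# Queued removals can be inspected before rebooting:
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
```

Running it a second time after the reboot should report nothing matching, which is the same check as step 5.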

Thanks to Cedric ‘Nitch’ Collomb for his awesome Unlocker util.

List of what else I tried and how I arrived at this solution in a post to follow, if anyone’s interested.

UPDATE: forgot to include the Unlocker link. Oops! Added.

Posted in Geekery.

6 Responses

  1. duck says

    Thank you! I got this horrible thing yesterday and have been trying to figure out how to get rid of it for the last 20 hours. Your solution worked great! Although, Unlocker might have a new version out, because when I downloaded it there was no “OK” button. I just selected the dvvm.exe and went to Unlocker, hit “Unlock All”. Then I deleted the exe; after a reboot, I deleted the dll (I could not get Unlocker to unlock it for deletion).

    Again, thank you for the solution!

    If we were in prison together, I would protect you in the shower.

  2. Maverick says

    Good work! I wish I saw this post earlier, as my computer got infected last night and I just fixed the problem this morning. I thought I would offer one different step that I followed: For step 0 above, I went to Windows Task Manager, highlighted “dvvm.exe,” and pressed “end process.” This will stop the program from running, so the files should not be locked when you go to delete them (at least they weren’t when I deleted them). Then I searched for the file name and deleted the files (same directory as noted above).

  3. The Tarquin says

    duck, Maverick: Glad my post was helpful. And thanks for your feedback on your particular experiences.

    Maverick: What OS are you on? On the Vista machine I was on, there was no running dvvm.exe process, or at least none that I saw.

    Again: thanks both for your feedback, and glad I could help.

  4. Ryan Tyler says

    Worked like a charm! Well, at least for the past 20 minutes. I had to select just the dvvm.exe file and not both the exe file and the dll file in order to get the Unlocker Assistant to work. Again, thanks, and is there anything else we need to do to make sure this guy doesn’t come back?

  5. The Tarquin says

    Ryan –

    Glad it worked. To the best of my knowledge, no further action is needed. On the machine I cleared this up on, it’s been two weeks with no reported problems.

  6. alarroste says

